Message-Id: <200405131525.i4DFPOQr033616@bg.sics.se>
Date: Thu, 13 May 2004 17:25:24 +0200 (CEST)
From: Bjoern Groenvall
To: FreeBSD-gnats-submit@FreeBSD.org
cc: bg@sics.se
Subject: kern/66611: Crashing NFS servers
Reply-To: Bjoern Groenvall

>Number: 66611
>Category: kern
>Synopsis: Crashing NFS servers
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu May 13 08:30:20 PDT 2004
>Closed-Date:
>Last-Modified:
>Originator: Bjoern Groenvall
>Release: FreeBSD 5.2.1-RELEASE i386
>Organization: SICS
>Environment:
FreeBSD filur.sics.se 5.2.1-RELEASE FreeBSD 5.2.1-RELEASE #0: Wed Mar 3 17:14:07 CET 2004 bg@filur.sics.se:/usr/src/sys/i386/compile/FILUR i386

The same bug is also present on at least 4.7-RELEASE-p17 and 4.8-RELEASE.
>Description:
This bug seems to happen only on NFS servers! At times, this happens
several times a day; sometimes months can go by without this ever
happening. To avoid the problem, a workaround is attached at the bottom.

Under certain conditions tcp_usr_rcvd passes a NULL pointer to tcp_output,
which will lead to a panic.

Here is a backtrace as printed on the console (typed in manually and
stripped of numerical information).

Stack backtrace:
backtrace
tcp_usr_rcvd
soreceive
nfsrv_rcv
sowakeup
soisdisconnected
tcp_discardcb
tcp_close
tcp_input
ip_input
netisr_processqueue
swi_net
ithread_loop
fork_exit
fork_trampoline
--- trap 0x1, eip = 0, esp = 0xd77c2d7c, ebp = 0 ---
>How-To-Repeat:
This seems to only happen on NFS servers. Don't know how to trigger the bug.
>Fix:
No fix but a sample workaround.

--- sys/netinet/tcp_usrreq.c.orig Fri Jan 9 13:32:36 2004 +++ sys/netinet/tcp_usrreq.c Tue Feb 24 17:37:27 2004
@@ -619,6 +619,12 @@ const int inirw = INI_READ; COMMON_START(); + if (tp == 0) { + splx(s); + printf("tcp_usr_rcvd: tp == 0\n"); + backtrace(); + return EINVAL; + } tcp_output(tp); COMMON_END(PRU_RCVD); } >Release-Note: >Audit-Trail: >Unformatted:
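Review bot: the early return in the new tp == 0 branch skips COMMON_END(PRU_RCVD) and undoes only the spl level by hand with splx(s). If COMMON_START() acquires anything besides the spl level (the inirw = INI_READ context line suggests an access mode is passed to it), that state stays held on this path, so set error = EINVAL and leave through the same exit that COMMON_END uses rather than returning directly. The unconditional printf() and backtrace() will also flood the console on a server where, per the report, the condition can occur several times a day; rate-limit them or place them under a debug option. For a pointer, compare with tp == NULL rather than tp == 0. Finally, the reported trace reaches tcp_usr_rcvd from tcp_discardcb by way of soisdisconnected, sowakeup and nfsrv_rcv, so this guard only hides the symptom; the commit message or a comment above the check should say that, and the underlying fix belongs where the receive upcall is still delivered for a connection whose tcpcb is being discarded.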