Date: Mon, 9 Jul 2007 16:52:01 GMT
From: Rick Macklem <rick@cis.uoguelph.ca>
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/114451: NFS server possible crash
Message-ID: <200707091652.l69Gq1EI053494@www.freebsd.org>
Resent-Message-ID: <200707091700.l69H09U4080509@freefall.freebsd.org>
>Number:         114451
>Category:       kern
>Synopsis:       NFS server possible crash
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jul 09 17:00:08 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Rick Macklem
>Release:        FreeBSD-CURRENT May snapshot
>Organization:   Univ of Guelph
>Environment:
FreeBSD nfsv4-laptop.cis.uoguelph.ca 7.0-CURRENT-200705 i386
>Description:
Looking at the code, it is pretty obvious that sys/nfsserver/nfs_serv.c
would crash in readdirplus if VFS_VGET() returns an error other than
EOPNOTSUPP. See the "patch" file.
>How-To-Repeat:
Probably doesn't occur in practice, since VFS_VGET() would not normally
return such an error.
>Fix:
See patch file. NB, I haven't actually tested this.

Patch attached with submission follows:

When working on my server port, I spotted the following in FreeBSD-CURRENT
(May 2007 snapshot) in sys/nfsserver/nfs_serv.c (lines 3596-3612)

	/*
	 * Probe one of the directory entries to see if the filesystem
	 * supports VGET.
	 */
	if (VFS_VGET(vp->v_mount, dp->d_fileno, LK_EXCLUSIVE, &nvp) ==
	    EOPNOTSUPP) {
		error = NFSERR_NOTSUPP;
		vrele(vp);
		vp = NULL;
		free((caddr_t)cookies, M_TEMP);
		free((caddr_t)rbuf, M_TEMP);
		nfsm_reply(NFSX_V3POSTOPATTR);
		nfsm_srvpostop_attr(getret, &at);
		error = 0;
		goto nfsmout;
	}
	vput(nvp);
*** nvp not set when VFS_VGET() returns an error other than EOPNOTSUPP.

If you look at the above, it's pretty obvious that, if VFS_VGET() returns
an error other than EOPNOTSUPP, then it vputs crap. Maybe should be
something like (haven't actually tested this):

	/*
	 * Probe one of the directory entries to see if the filesystem
	 * supports VGET.
	 */
	error = VFS_VGET(vp->v_mount, dp->d_fileno, LK_EXCLUSIVE, &nvp);
	if (error == EOPNOTSUPP) {
		error = NFSERR_NOTSUPP;
		vrele(vp);
		vp = NULL;
		free((caddr_t)cookies, M_TEMP);
		free((caddr_t)rbuf, M_TEMP);
		nfsm_reply(NFSX_V3POSTOPATTR);
		nfsm_srvpostop_attr(getret, &at);
		error = 0;
		goto nfsmout;
	}
	if (error)
		error = 0;
	else
		vput(nvp);

>Release-Note:
>Audit-Trail:
>Unformatted:
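
Added example, not part of the original report or of the FreeBSD source: a user-space C model of the pattern described above, with the unchecked and checked forms side by side. struct vnode, mock_vget(), mock_vput() and the probe_*() functions are hypothetical stand-ins, and ESTALE is a constructed choice for "an error other than EOPNOTSUPP".

```c
#include <errno.h>
#include <stddef.h>

struct vnode { int refs; };        /* hypothetical stand-in for a vnode */
static struct vnode probe_node;    /* the only object the mock lookup returns */
static int bad_release_calls;      /* releases of a pointer the lookup never set */

/* Mock of a VFS_VGET()-style lookup: *out is written only on success. */
static int mock_vget(int result, struct vnode **out)
{
	if (result == 0) {
		probe_node.refs++;
		*out = &probe_node;
	}
	return result;
}

/* Mock of vput(): counts an invalid pointer instead of dereferencing it. */
static void mock_vput(struct vnode *vp)
{
	if (vp == &probe_node)
		vp->refs--;
	else
		bad_release_calls++;
}

/* Shape from the report: only EOPNOTSUPP is checked before the release. */
int probe_unchecked(int result)
{
	struct vnode *nvp = NULL;	/* NULL stands in for the unset pointer */

	if (mock_vget(result, &nvp) == EOPNOTSUPP)
		return EOPNOTSUPP;
	mock_vput(nvp);			/* reached for every other error too */
	return 0;
}

/* Shape proposed in the report: release only when the lookup succeeded. */
int probe_checked(int result)
{
	struct vnode *nvp = NULL;
	int error = mock_vget(result, &nvp);

	if (error == EOPNOTSUPP)
		return EOPNOTSUPP;
	if (error == 0)
		mock_vput(nvp);		/* nvp is valid only on this path */
	return 0;			/* other errors are dropped, as in the report */
}
```

In the kernel the unset pointer is whatever was on the stack rather than NULL, so the mock counts the bad release where the real vput() would dereference it.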
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200707091652.l69Gq1EI053494>