Subject: kern/1847: mount_nfs on exported directory will make system crash
To: None <gnats-bugs@gnats.netbsd.org>
From: Tatoku Ogaito <tacha@nuclth12.phys.sci.osaka-u.ac.jp>
List: netbsd-bugs
Date: 12/18/1995 21:21:51
>Number: 1847
>Category: kern
>Synopsis: mount_nfs on exported directory will make system crash
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people (Kernel Bug People)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Dec 18 07:35:07 1995
>Last-Modified:
>Originator: Tatoku Ogaito
>Organization:
Tatoku Ogaito | Email: tacha@tera.phys.sci.osaka-u.ac.jp
Department of Physics | WWW: http://tera.phys.sci.osaka-u.ac.jp/~tacha/
Faculty of Science | Tel : +81 6-850-5346
Osaka University | Fax : +81 6-850-5529
>Release: 1.1
>Environment:
System: NetBSD tera.phys.sci.osaka-u.ac.jp 1.1 NetBSD 1.1 (TERA) #1: Mon Nov 27 17:09:29 GMT 1995 root@tera.phys.sci.osaka-u.ac.jp:/usr/src/current/src/sys/arch/i386/compile/TERA i386
>Description:
When you try to mount another machine's disk on an NFS-exported directory
and access that directory, it will cause a system crash.
>How-To-Repeat:
[tera]# cat /etc/exports
/usr/src -maproot=0:9 NetBSD
[tera]# df
Filesystem 1K-blocks Used Avail Capacity Mounted on
/dev/sd0a 49199 9843 36896 21% /
/dev/sd0e 248047 146934 88710 62% /usr
/dev/sd0f 198335 115041 73377 61% /var
/dev/sd1e 473491 317585 132231 71% /usr/local
/dev/sd1f 283991 60041 209750 22% /usr/home
/dev/sd1g 1062209 935437 73662 93% /usr/src
[tera]# umount /usr/src
[tera]# df
Filesystem 1K-blocks Used Avail Capacity Mounted on
/dev/sd0a 49199 9843 36896 21% /
/dev/sd0e 248047 146934 88710 62% /usr
/dev/sd0f 198335 115041 73377 61% /var
/dev/sd1e 473491 317585 132231 71% /usr/local
/dev/sd1f 283991 60041 209750 22% /usr/home
[tera]# mount mega:/usr/src /usr/src
[tera]# df
Filesystem 1K-blocks Used Avail Capacity Mounted on
/dev/sd0a 49199 9846 36893 21% /
/dev/sd0e 248047 146934 88710 62% /usr
/dev/sd0f 198335 115052 73366 61% /var
/dev/sd1e 473491 317585 132231 71% /usr/local
/dev/sd1f 283991 60041 209750 22% /usr/home
mega:/usr/src 1035982 371082 613100 38% /usr/src
[tera]# cd /usr/src
vm_fault(f87d8e00, deadb000,3,0) ->1
kernel: page fault trap, code=0
stopped at _nqnfs_clientlease + 0x36: movl %ebx, 0xc(%eax)
db> trace
_nqnfs_clientlease(f87dd900,f87dd800,1,1,30d552bc,52b8770,30d551f5) at _nqnfs_clientlease + 0x36
_nfs_request(f877b080,f87b4b80,1,f87d8d00,f87bf480) at _nfs_request + 0x752
_nfs_getattr(f9d78e0c,0,f9d78ee8,0,f9d78ec4) at _nfs_getattr + 0x15b
_vn_stat(f877b080,f9d78ee8,f87d8d00,f7bfb1dc,f87d8d00) at _vn_stat + 0x40
_sys_stat(f87d8d00,f9d78f88,f9d78f80,0,77368) at _sys_stat + 0x5f
_sys_call() at _syscall + 0x1f9
--- syscall(number188) ---
0x4da28:
The kernel debugger messages are a ten-finger copy.
>Fix:
>Audit-Trail:
>Unformatted: