Subject: kern/32671: panic trying to vnconfig an NFS file
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: Simon Burge <simonb@wasabisystems.com>
List: netbsd-bugs
Date: 01/30/2006 20:25:01
>Number:         32671
>Category:       kern
>Synopsis:       panic trying to vnconfig an NFS file
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Jan 30 20:25:01 +0000 2006
>Originator:     Simon Burge <simonb@wasabisystems.com>
>Release:        NetBSD 3.99.15, sources from 2006/01/28
>Organization:
Wasabi Systems
>Environment:
	NFS client is sbmips, NetBSD 3.99.15, sources from 2006/01/28
	NFS server is i386, NetBSD 3 branch, sources from 2005/09/06

>Description:
	Trying to vnconfig an NFS mounted file results in a NULL pointer
	dereference:

	rhone 1# cd /tmp
	rhone 2# dd if=/dev/zero of=foo bs=1m count=1
	rhone 3# vnconfig vnd0 foo
	bp = 0x87cb1be0		(these two printf's added to kernel to show
	bp->b_vp = 0x0		 bp and vp values)
	trap: TLB miss (load or instr. fetch) in kernel mode
	status=0x7f03, cause=0x8, epc=0x80085684, vaddr=0x0
	pid=404 cmd=vnd0 usp=0x0 ksp=0xcaec5dc8
	Stopped in pid 404.1 (vnd0) at  netbsd:nfs_asyncio+0x68:        lw      v1,72(v0)
	db> show buf 0x87cb1be0
	  vp 0x0 lblkno 0xdeadbeefdeadbeef blkno 0x0 dev 0xffffffff
	  error -559038737 flags 0x100054<ASYNC,BUSY,CALL,READ>
	  bufsize 0x200 bcount 0x200 resid 0x200
	  data 0x8714c000 saveaddr 0xdeadbeef dep 0x0
	  iodone 0x801b3e9c
	
	The trap address is at:

		nmp = VFSTONFS(bp->b_vp->v_mount);

	at the top of nfs_asyncio().  Note vp = NULL (the cause of the
	trap), and the sprinkling of "deadbeef" throughout the buf.

	I also just tried this on an x86 with sources from 2006/01/12
	and it fails the same way.  Jeff Rizzo tried a 3.99.13 amd64
	box from around late Nov/early Dec 2005 that doesn't have the
	problem, and an alpha with 2006/01/21 sources that does have the
	problem, so it looks like it was introduced sometime between
	late 2005 and early January.

>How-To-Repeat:
	cd <directory-that-is-nfs-mounted>
	dd if=/dev/zero of=foo bs=1m count=1
	vnconfig vnd0 foo

>Fix:
	None given.
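The dispatch path the report quotes, nmp = VFSTONFS(bp->b_vp->v_mount), modelled with the validation a hardened entry point would do before the dereference. This is an added example written for this page, not NetBSD's nfs_asyncio() or vnd code: the names struct buf, struct nfsmount and VFSTONFS are borrowed from the report, but their layouts, the per-mount queue, the flag bits, the model_asyncio()/demo_* functions and the reading of 0xdeadbeef as a never-initialized or freed-field marker are assumptions of the example. Case 1 rebuilds the buf from the ddb "show buf" output; case 2 is a properly initialized buf on a mounted filesystem.

```c
/*
 * Added example, not NetBSD code: a model of the dispatch path the report
 * quotes (nmp = VFSTONFS(bp->b_vp->v_mount)) with the validation a hardened
 * entry point would do first.  Layouts, flag values and the reading of
 * 0xdeadbeef as a never-initialized/freed marker are assumptions.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define B_ASYNC   0x00000004U            /* hypothetical flag bits */
#define B_ERROR   0x00000080U
#define POISON32  0xdeadbeefU            /* assumed poison pattern */
#define POISON64  0xdeadbeefdeadbeefULL
#define NQ        8                      /* queue slots per mount */

struct buf;

struct nfsmount {                        /* what VFSTONFS() returns */
    struct buf *nm_bufq[NQ];             /* pending async requests */
    int         nm_bufqlen;
};

struct mount { void *mnt_data; };        /* -> struct nfsmount */
struct vnode { struct mount *v_mount; };

struct buf {
    struct vnode *b_vp;
    int64_t       b_lblkno;
    int64_t       b_blkno;
    int           b_error;
    uint32_t      b_flags;
    void         *b_saveaddr;
    void        (*b_iodone)(struct buf *);
};

#define VFSTONFS(mp) ((struct nfsmount *)((mp)->mnt_data))

/* Fields the ddb "show buf" in the report shows as deadbeef or NULL. */
int buf_looks_uninitialized(const struct buf *bp)
{
    return bp->b_vp == NULL
        || (uint64_t)bp->b_lblkno == POISON64
        || (uint32_t)bp->b_error == POISON32
        || (uintptr_t)bp->b_saveaddr == (uintptr_t)POISON32;
}

/*
 * Hardened entry point: reject a bad buf with EIO and complete it through
 * b_iodone (as biodone() would) instead of faulting on bp->b_vp->v_mount.
 * Returns 0 if queued, EIO if rejected, EAGAIN if the queue is full.
 */
int model_asyncio(struct buf *bp)
{
    struct nfsmount *nmp;

    if (bp == NULL)
        return EINVAL;
    if (buf_looks_uninitialized(bp) || bp->b_vp->v_mount == NULL
        || VFSTONFS(bp->b_vp->v_mount) == NULL) {
        bp->b_error = EIO;
        bp->b_flags |= B_ERROR;
        if (bp->b_iodone != NULL)
            bp->b_iodone(bp);
        return EIO;
    }
    nmp = VFSTONFS(bp->b_vp->v_mount);
    if (nmp->nm_bufqlen >= NQ)
        return EAGAIN;                   /* caller falls back to sync I/O */
    nmp->nm_bufq[nmp->nm_bufqlen++] = bp;
    return 0;
}

static int g_completed_error;            /* what the completion saw */
static void record_done(struct buf *bp) { g_completed_error = bp->b_error; }

/* Constructed case 1: the buf from the report (vp NULL, fields poisoned). */
int demo_report_buf(void)
{
    struct buf bp = {
        .b_vp = NULL, .b_lblkno = (int64_t)POISON64, .b_blkno = 0,
        .b_error = (int)POISON32, .b_flags = B_ASYNC,
        .b_saveaddr = (void *)(uintptr_t)POISON32, .b_iodone = record_done,
    };
    return model_asyncio(&bp);           /* EIO, and g_completed_error == EIO */
}

/* Constructed case 2: a properly initialized buf on a mounted filesystem. */
int demo_good_buf(int *queued_out)
{
    struct nfsmount nm = { { NULL }, 0 };
    struct mount mp = { .mnt_data = &nm };
    struct vnode vp = { .v_mount = &mp };
    struct buf bp = { .b_vp = &vp, .b_flags = B_ASYNC, .b_iodone = record_done };
    int rv = model_asyncio(&bp);
    *queued_out = nm.nm_bufqlen;         /* 1: request was queued, not faulted */
    return rv;
}

int main(void)
{
    int queued = 0;
    int r1 = demo_report_buf();
    printf("report buf: rv=%d (EIO=%d), completed with error %d\n",
           r1, EIO, g_completed_error);
    int r2 = demo_good_buf(&queued);
    printf("good buf:   rv=%d, queued=%d\n", r2, queued);
    return 0;
}
```

The check only turns a kernel-mode NULL dereference into an I/O error the caller can see; it does not replace finding out which caller hands the buf to the async path with b_vp unset, which is what the poisoned fields in the report point at.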