Subject: kern/34959: panic when reading a file in a NFS-exported tmpfs volume
To: None <,,>
From: None <>
List: netbsd-bugs
Date: 11/01/2006 11:40:00
>Number:         34959
>Category:       kern
>Synopsis:       panic when reading a file in a NFS-exported tmpfs volume
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Nov 01 11:40:00 +0000 2006
>Originator:     Julio M. Merino Vidal
>Release:        NetBSD 4.99.3
System: NetBSD testing 4.99.3 NetBSD 4.99.3 (DEVEL) #29: Wed Nov 1 09:57:20 CET 2006 jmmv@dawn:/home/jmmv/NetBSD/obj/home/jmmv/NetBSD/src/sys/arch/i386/compile/DEVEL i386
Architecture: i386
Machine: i386
	It is posible to cause a crash on a NFS server that exports a tmpfs
	volume.  The problem is very easy to reproduce and appears when
	reading a file after creating it.  Even though it seems to be
	non-deterministic, but repeating the create and read sequence several
	times (3 or 4 seem to be enough) will surely expose it.
	Note that if the first read succeeds, subsequent reads will not
	cause the crash; you need to recreate the file.

	The panic looks like this:

	uvm_fault(0xca06a620, 0x30000000, 1) -> 0xe
	kernel: supervisor trap page fault, code=0
	Stopped in pid 306.1 (nfsd) at  netbsd:uvm_loanuobjpages+0xd3:  movl    0x1c(%eax),%ebx
	db> bt
	uvm_loanuobjpages(caac9bb0,0,0,1,c05e0a54) at netbsd:uvm_loanuobjpages+0xd3
	nfsrv_read(caac0ec4,c05c9400,ca06d2e4,caaa5ab4,ca060f3c) at netbsd:nfsrv_read+0xd6c
	nfssvc_nfsd(caaa5b0c,804a2c0,ca06d2e4,0,ca9afec4) at netbsd:nfssvc_nfsd+0x4de
	sys_nfssvc(ca06d2e4,caaa5c48,caaa5c68,caaa5ce0,bfbff000) at netbsd:sys_nfssvc+0x2ba
	syscall_plain() at netbsd:syscall_plain+0xae
	--- syscall (number 155) ---

	Mount a tmpfs file system and export it through NFS:

	In fstab:
	tmpfs /mnt/tmpfs tmpfs rw
	localhost:/mnt/tmpfs /mnt/remote nfs rw,noauto

	In exports:
	/mnt/tmpfs localhost -maproot=root

	Now the test:
	mount /tmp/remote
	cd /mnt/remote
	for f in $(jot 100); do
	    echo foo >b
	    cat b
	    rm b
	Currently unknown.