Subject: kern/5591: NFS client crash when rebooting with NFS server off the air
To: None <firstname.lastname@example.org>
From: Bill Sommerfeld <email@example.com>
Date: 06/14/1998 19:56:14
>Synopsis: NFS client crash when rebooting with NFS server off the air
>Responsible: kern-bug-people (Kernel Bug People)
>Arrival-Date: Sun Jun 14 13:05:00 1998
>Originator: Bill Sommerfeld
>Release: 199604?? (1.3E)
>Environment:
i386, NetBSD 1.4 as of mid-April.
(this occurred on zygorthian-space-raiders.mit.edu)
>Description:
While doing some other debugging, I observed a panic in
nfs_reply dereferencing a null pointer during a reboot.
The system in question had NFS-mounted a filesystem from a
server which was completely down at the time of the reboot.
It printed "syncing disks..done\n", and then dropped into DDB
with a memory fault.
I was pursuing other bugs at the time and did not have a
chance to completely analyze the panic, but I got the
following info (this is reconstructed from memory so it may
not be 100% accurate); I'm saving it in a PR so that this
doesn't get lost and so someone who cares about NFS
can fix it if they want to..
The faulting instruction was:
	0xf01a16e2 <nfs_reply+158>:	movl	0x8(%eax),%ecx
where %eax was zero.
The source line corresponding to this appears to be:
	697		dpos = mtod(md, caddr_t);
I believe this is consistent with `md' being NULL; it appears that the
only way to get to that line of code with md==NULL is if nfs_receive
returns NULL in md but doesn't return an error. nfs_receive has code
to avoid doing this in the TCP case, but there doesn't seem to be
comparable code for the UDP side..
I haven't dug far enough to determine under which circumstances a UDP
soreceive would return a NULL mbuf but not return an error.
>How-To-Repeat:
nfs-mount a server.
shoot the server in the head
>Fix:
uncertain; perhaps copy the
	if (!error && *mp == NULL)
		error = EPIPE;
code from the TCP case into the UDP case in nfs_receive..
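As an added illustration of the failure mode described in this PR (not code from the NetBSD kernel): a constructed stand-in for the UDP soreceive path that returns no error but no mbuf, the unchecked receive path that passes that NULL through to an nfs_reply-style caller, and the same path with the EPIPE check the PR proposes copying from the TCP case. The struct mbuf, fake_udp_soreceive and the nfs_*_like function names are assumptions for the demonstration.

```c
#include <errno.h>
#include <stddef.h>

/* Toy stand-in for a kernel mbuf (assumption): only the payload matters here. */
struct mbuf { char data[64]; };

/* Constructed stand-in for soreceive() on a UDP socket whose server is
 * off the air: returns 0 (no error) yet hands back no mbuf at all. */
static int fake_udp_soreceive(int server_up, struct mbuf **mp)
{
    static struct mbuf reply;
    *mp = server_up ? &reply : NULL;
    return 0;                      /* no error in either case */
}

/* UDP path as the PR describes it: the NULL mbuf is passed straight through. */
static int nfs_receive_udp_unchecked(int server_up, struct mbuf **mp)
{
    return fake_udp_soreceive(server_up, mp);
}

/* Same path with the check the TCP case already makes (the PR's suggested fix):
 * "no error but no data" becomes EPIPE so the caller never sees a NULL mbuf. */
static int nfs_receive_udp_checked(int server_up, struct mbuf **mp)
{
    int error = fake_udp_soreceive(server_up, mp);
    if (!error && *mp == NULL)
        error = EPIPE;
    return error;
}

/* Caller modelled on nfs_reply: it only touches md when no error came back.
 * Returns the error code, or -1 where the real kernel would fault on
 * mtod(md, caddr_t) with md == NULL. */
static int nfs_reply_like(int (*receive)(int, struct mbuf **), int server_up)
{
    struct mbuf *md;
    int error = receive(server_up, &md);
    if (error)
        return error;
    if (md == NULL)
        return -1;                 /* NULL dereference would happen here */
    return 0;                      /* dpos = mtod(md, caddr_t) is safe */
}
```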