Subject: extra PNBUF_PUT() in nfsrv_create()
To: None <tech-kern@netbsd.org>
From: Manuel Bouyer <bouyer@antioche.lip6.fr>
List: tech-kern
Date: 09/26/2002 19:35:51

Hi,
I think I've found the cause of kern/18013 (NFS kernel crash):
an extra PNBUF_PUT() call, on an object which has already been returned to
the pool.
In the MKNOD case of nfsrv_create(), there is a call to PNBUF_PUT() on something
that has already been freed by VOP_MKNOD() as SAVESTART is not set.
I think this PNBUF_PUT() should have been removed in nfs_serv.c 1.60;
before 1.60 it was there to free the pathname buf allocated by the
lookup() call after VOP_MKNOD.

Can someone confirm?
At least with the attached patch I can't reproduce the panics reported in
kern/18013 any more.

--
Manuel Bouyer, LIP6, Universite Paris VI.           Manuel.Bouyer@lip6.fr
--

Attachment: diff.nfs2

Index: nfs_serv.c
===================================================================
RCS file: /cvsroot/syssrc/sys/nfs/nfs_serv.c,v
retrieving revision 1.62
diff -u -r1.62 nfs_serv.c
--- nfs_serv.c	2001/11/10 10:59:09	1.62
+++ nfs_serv.c	2002/09/26 17:35:20
@@ -1415,7 +1415,6 @@
 			if (error) {
 				nfsm_reply(0);
 			}
-			PNBUF_PUT(nd.ni_cnd.cn_pnbuf);
 			if (nd.ni_cnd.cn_flags & ISSYMLINK) {
 				vrele(nd.ni_dvp);
 				vput(nd.ni_vp);
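Review bot: the removed `PNBUF_PUT(nd.ni_cnd.cn_pnbuf);` deserves a comment at that spot in the MKNOD case explaining why no PNBUF_PUT() is needed here, since VOP_MKNOD() already releases cn_pnbuf when SAVESTART is not set; without one, the call is likely to be re-added by someone who expects the buffer from the lookup to still be live. Something like `/* cn_pnbuf was freed by VOP_MKNOD() (SAVESTART not set) */` on the line after `nfsm_reply(0);` would do. It is also worth confirming that nothing else in this function touches `nd.ni_cnd.cn_pnbuf` after the VOP_MKNOD() call, including the `if (error)` path just above the removed line, so that the buffer is not referenced after it has gone back to the pool.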
