From: Eric Anderson
Date: Thu, 25 Oct 2007 21:48:45 -0500
To: freebsd-current@freebsd.org
Subject: panic: ffs_read: uio->uio_offset < 0 (NFS related)
Message-ID: <4721558D.1040804@freebsd.org>

It appears that NFS cookies that are large, with bits past the 32bit range, can be munged because the cookie type used is only 32bit when NFS cookies can be 64bit.
This can cause NFS problems at the least, and in the worst case, cause a kernel panic on the NFS server (see subject) if the result is a negative offset, which gets passed down directly into the underlying file system's readdir (in this case) function. For UFS this causes a panic. It looks like the two cookie variables need to be 64 bit types, but that would also require changing the VOP_READDIR arguments to also be 64bit, and that's a big change. One way to stop the panic at least is to return BAD_COOKIE on cookies that would panic the box, since it is rare that a client would get that kind of cookie anyhow.

Thoughts?

Eric

Note that the code even comments on the 64bit need: http://fxr.googlebit.com/source/sys/nfsserver/nfs_serv.c?v=8-CURRENT#L3450
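
Added example, not part of the original message and not FreeBSD code: a user-space C model of the narrowing described above, next to a check that answers BAD_COOKIE instead of handing a damaged offset to readdir. The function names, the signed 32-bit narrow type and the sample cookies are assumptions made for illustration; the status value 10003 is NFS3ERR_BAD_COOKIE from RFC 1813. The check goes slightly beyond the message by also rejecting cookies whose high bits would be silently dropped, not only those that turn negative.

```c
#include <stdint.h>
#include <stdio.h>

#define NFS3_OK            0
#define NFS3ERR_BAD_COOKIE 10003 /* NFSv3 status value from RFC 1813 */

/* Model of the unchecked path: keep only the low 32 bits of the wire
 * cookie, read them as a signed 32-bit value (assumed narrow type), and
 * widen to the signed 64-bit offset handed to readdir. */
int64_t narrowed_offset(uint64_t wire_cookie)
{
    uint32_t low = (uint32_t)wire_cookie;          /* high bits dropped */
    if (low <= (uint32_t)INT32_MAX)
        return (int64_t)low;
    return (int64_t)low - 4294967296LL;            /* sign bit was set */
}

/* Hypothetical server-side check: accept the cookie only if narrowing
 * leaves it unchanged and non-negative; otherwise reply BAD_COOKIE
 * instead of passing the offset to the file system. */
int cookie_to_offset(uint64_t wire_cookie, int64_t *offset_out)
{
    int64_t off = narrowed_offset(wire_cookie);

    if (off < 0 || (uint64_t)off != wire_cookie)
        return NFS3ERR_BAD_COOKIE;
    *offset_out = off;
    return NFS3_OK;
}

int main(void)
{
    /* Constructed sample cookies, not taken from a real trace. */
    const uint64_t samples[] = { 512, 0x80000000ULL, 0x100000005ULL };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int64_t off = 0;
        int rc = cookie_to_offset(samples[i], &off);
        printf("cookie 0x%llx: narrowed=%lld status=%d\n",
            (unsigned long long)samples[i],
            (long long)narrowed_offset(samples[i]), rc);
    }
    return 0;
}
```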