Date: Mon, 3 Jun 2002 15:31:08 -0500 (CDT) From: Damon Anton Permezel <dap@damon.com> To: FreeBSD-gnats-submit@FreeBSD.org Cc: dap@damon.com Subject: kern/38872: nfs code ignores possibility of MGET(M_WAIT) failure Message-ID: <200206032031.g53KV8U5030907@damon.com>
next in thread | raw e-mail | index | archive | help
>Number: 38872
>Category: kern
>Synopsis: nfs code ignores possibility of MGET(M_WAIT) failure
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Jun 03 13:40:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator: Damon Anton Permezel
>Release: FreeBSD 4.6-RC i386
>Organization:
>Environment:
System: FreeBSD damon.com 4.6-RC FreeBSD 4.6-RC #0: Sun Jun 2 13:52:20 CDT 2002 dap@damon.com:/usr/obj/usr/src/sys/GENERIC i386
>Description:
When the system runs out of mbufs, NFS access can cause fault
due to NULL mbuf pointer being dereferenced.
>How-To-Repeat:
Run out of mbufs.
Use NFS.
>Fix:
Grep for all calls to MGET.*M_WAIT in the kernel, paying attention
to the NFS code, and fix it so that it handles the NULL return case.
As an example, I keep running into:
(kgdb) where
#0 nfsm_reqh (vp=0xc8b85180, procid=0x4, hsiz=0x48, bposp=0xc8e5ebec)
at /usr/src/sys/nfs/nfs_subs.c:594
#1 0xc01e1a4d in nfs3_access_otw (vp=0xc8b85180, wmode=0x3f, p=0xc8dffbe0,
cred=0xc0d57200) at /usr/src/sys/nfs/nfs_vnops.c:292
#2 0xc01e1f6f in nfs_access (ap=0xc8e5ecc4)
at /usr/src/sys/nfs/nfs_vnops.c:392
#3 0xc01e4213 in nfs_lookup (ap=0xc8e5ed70) at vnode_if.h:247
#4 0xc018a099 in lookup (ndp=0xc8e5eec8) at vnode_if.h:52
#5 0xc0189b94 in namei (ndp=0xc8e5eec8) at /usr/src/sys/kern/vfs_lookup.c:153
#6 0xc01925a7 in vn_open (ndp=0xc8e5eec8, fmode=0x1, cmode=0x54c)
at /usr/src/sys/kern/vfs_vnops.c:138
#7 0xc018e6b0 in open (p=0xc8dffbe0, uap=0xc8e5ef80)
at /usr/src/sys/kern/vfs_syscalls.c:1028
#8 0xc02416a1 in syscall2 (frame={tf_fs = 0x2f, tf_es = 0x2f, tf_ds = 0x2f,
tf_edi = 0x8185170, tf_esi = 0x105, tf_ebp = 0xbfbff75c,
tf_isp = 0xc8e5efd4, tf_ebx = 0x0, tf_edx = 0x105, tf_ecx = 0x81ac844,
tf_eax = 0x5, tf_trapno = 0x16, tf_err = 0x2, tf_eip = 0x282564e4,
tf_cs = 0x1f, tf_eflags = 0x283, tf_esp = 0xbfbff720, tf_ss = 0x2f})
at /usr/src/sys/i386/i386/trap.c:1167
MGET(mb, M_WAIT, MT_DATA);
if (hsiz >= MINCLSIZE)
MCLGET(mb, M_WAIT);
mb->m_len = 0;
where `mb' is NULL and mmbfree is NULL.
The function m_mballoc_wait() will only wait for mbuf_wait/hz seconds.
This is a bit of a shock to me, as M_WAIT used to mean wait for the mbuf,
not pause a bit and hope. Anyway, given that this is the current FreeBSD
implementation, the NFS code should handle it.
>Release-Note:
>Audit-Trail:
>Unformatted:
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200206032031.g53KV8U5030907>