Date: Mon, 3 Jun 2002 15:31:08 -0500 (CDT) From: Damon Anton Permezel <dap@damon.com> To: FreeBSD-gnats-submit@FreeBSD.org Cc: dap@damon.com Subject: kern/38872: nfs code ignores possibility of MGET(M_WAIT) failure Message-ID: <200206032031.g53KV8U5030907@damon.com>
>Number:         38872
>Category:       kern
>Synopsis:       nfs code ignores possibility of MGET(M_WAIT) failure
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jun 03 13:40:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Damon Anton Permezel
>Release:        FreeBSD 4.6-RC i386
>Organization:
>Environment:
System: FreeBSD damon.com 4.6-RC FreeBSD 4.6-RC #0: Sun Jun 2 13:52:20 CDT 2002 dap@damon.com:/usr/obj/usr/src/sys/GENERIC i386
>Description:
When the system runs out of mbufs, NFS access can cause a fault due to a NULL mbuf pointer being dereferenced.
>How-To-Repeat:
Run out of mbufs. Use NFS.
>Fix:
Grep for all calls to MGET.*M_WAIT in the kernel, paying attention to the NFS code, and fix it so that it handles the NULL return case.

As an example, I keep running into:

(kgdb) where
#0  nfsm_reqh (vp=0xc8b85180, procid=0x4, hsiz=0x48, bposp=0xc8e5ebec) at /usr/src/sys/nfs/nfs_subs.c:594
#1  0xc01e1a4d in nfs3_access_otw (vp=0xc8b85180, wmode=0x3f, p=0xc8dffbe0, cred=0xc0d57200) at /usr/src/sys/nfs/nfs_vnops.c:292
#2  0xc01e1f6f in nfs_access (ap=0xc8e5ecc4) at /usr/src/sys/nfs/nfs_vnops.c:392
#3  0xc01e4213 in nfs_lookup (ap=0xc8e5ed70) at vnode_if.h:247
#4  0xc018a099 in lookup (ndp=0xc8e5eec8) at vnode_if.h:52
#5  0xc0189b94 in namei (ndp=0xc8e5eec8) at /usr/src/sys/kern/vfs_lookup.c:153
#6  0xc01925a7 in vn_open (ndp=0xc8e5eec8, fmode=0x1, cmode=0x54c) at /usr/src/sys/kern/vfs_vnops.c:138
#7  0xc018e6b0 in open (p=0xc8dffbe0, uap=0xc8e5ef80) at /usr/src/sys/kern/vfs_syscalls.c:1028
#8  0xc02416a1 in syscall2 (frame={tf_fs = 0x2f, tf_es = 0x2f, tf_ds = 0x2f, tf_edi = 0x8185170, tf_esi = 0x105, tf_ebp = 0xbfbff75c, tf_isp = 0xc8e5efd4, tf_ebx = 0x0, tf_edx = 0x105, tf_ecx = 0x81ac844, tf_eax = 0x5, tf_trapno = 0x16, tf_err = 0x2, tf_eip = 0x282564e4, tf_cs = 0x1f, tf_eflags = 0x283, tf_esp = 0xbfbff720, tf_ss = 0x2f}) at /usr/src/sys/i386/i386/trap.c:1167

	MGET(mb, M_WAIT, MT_DATA);
	if (hsiz >= MINCLSIZE)
		MCLGET(mb, M_WAIT);
	mb->m_len = 0;

where `mb' is NULL and mmbfree is NULL.

The function m_mballoc_wait() will only wait for mbuf_wait/hz seconds. This is a bit of a shock to me, as M_WAIT used to mean wait for the mbuf, not pause a bit and hope. Anyway, given that this is the current FreeBSD implementation, the NFS code should handle it.
>Release-Note:
>Audit-Trail:
>Unformatted:
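The failure mode the report describes, as an added user-space example that is not FreeBSD kernel code and not the reporter's: a stand-in allocator that can return NULL the way the report says MGET(M_WAIT) now does once m_mballoc_wait() times out, the unchecked nfsm_reqh-style sequence from the report, and beside it a version that checks the return, frees what it did get, and reports ENOBUFS to its caller. The struct sim_mbuf layout, the sim_* functions and the SIM_MLEN/SIM_MCLBYTES/SIM_MINCLSIZE values are constructed for this demonstration and are not the real mbuf constants.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>

/* Constructed stand-in sizes; not the real FreeBSD 4.x mbuf constants. */
#define SIM_MLEN      108
#define SIM_MCLBYTES  2048
#define SIM_MINCLSIZE 208

struct sim_mbuf {
    char  *m_data;
    size_t m_len;
    size_t m_cap;
};

/* Simulated pool state: 1 means "mbufs exhausted", so allocation yields NULL
 * instead of blocking, the behaviour the report attributes to M_WAIT after
 * m_mballoc_wait() gives up. */
static int sim_pool_exhausted = 0;

void sim_set_pool_exhausted(int exhausted)
{
    sim_pool_exhausted = exhausted;
}

/* Stand-in for MGET: a small mbuf, or NULL when the pool is exhausted. */
static struct sim_mbuf *sim_mget(void)
{
    struct sim_mbuf *mb;

    if (sim_pool_exhausted)
        return NULL;
    mb = calloc(1, sizeof(*mb));
    if (mb == NULL)
        return NULL;
    mb->m_data = calloc(1, SIM_MLEN);
    if (mb->m_data == NULL) {
        free(mb);
        return NULL;
    }
    mb->m_cap = SIM_MLEN;
    return mb;
}

/* Stand-in for MCLGET: attach a cluster; on failure the small buffer is kept. */
static int sim_mclget(struct sim_mbuf *mb)
{
    char *cl;

    if (sim_pool_exhausted)
        return 0;
    cl = calloc(1, SIM_MCLBYTES);
    if (cl == NULL)
        return 0;
    free(mb->m_data);
    mb->m_data = cl;
    mb->m_cap = SIM_MCLBYTES;
    return 1;
}

void sim_mfree(struct sim_mbuf *mb)
{
    if (mb != NULL) {
        free(mb->m_data);
        free(mb);
    }
}

/* The unchecked sequence quoted in the report: assumes MGET cannot fail.
 * With the pool exhausted this dereferences NULL, which is the kgdb trace. */
struct sim_mbuf *reqh_unchecked(size_t hsiz)
{
    struct sim_mbuf *mb = sim_mget();

    if (hsiz >= SIM_MINCLSIZE)
        sim_mclget(mb);
    mb->m_len = 0;
    return mb;
}

/* Checked form: hand ENOBUFS back to the caller instead of faulting, and do
 * not leak the small mbuf when it was the cluster allocation that failed. */
int reqh_checked(size_t hsiz, struct sim_mbuf **mbp)
{
    struct sim_mbuf *mb = sim_mget();

    *mbp = NULL;
    if (mb == NULL)
        return ENOBUFS;
    if (hsiz >= SIM_MINCLSIZE && !sim_mclget(mb)) {
        sim_mfree(mb);
        return ENOBUFS;
    }
    mb->m_len = 0;
    *mbp = mb;
    return 0;
}
```

The point of the checked form is the error path, not the allocation itself: once the header builder can return an errno, every caller up the chain in the trace (the access RPC, the lookup, the open) has a value to propagate, and the request fails with an error at the syscall boundary rather than taking a fault in the kernel.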