Subject: kern/5591: NFS client crash when rebooting with NFS server off the air
To: None <gnats-bugs@gnats.netbsd.org>
From: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
List: netbsd-bugs
Date: 06/14/1998 19:56:14
>Number: 5591
>Category: kern
>Synopsis: NFS client crash when rebooting with NFS server off the air
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people (Kernel Bug People)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Jun 14 13:05:00 1998
>Last-Modified:
>Originator: Bill Sommerfeld
>Organization:
>Release: 199604?? (1.3E)
>Environment:
i386, NetBSD 1.4 as of mid-April.
(this occurred on zygorthian-space-raiders.mit.edu)
>Description:
While doing some other debugging, I observed a panic in
nfs_reply dereferencing a null pointer during a reboot.
The system in question had NFS-mounted a filesystem from a
server which was completely down at the time of the reboot.
It printed "syncing disks..done\n", and then dropped into DDB
with a memory fault.
I was pursuing other bugs at the time and did not have a
chance to completely analyze the panic, but I got the
following info (this is reconstructed from memory so it may
not be 100% accurate); I'm saving it in a PR so that this
doesn't get lost and so someone who cares about NFS
can fix it if they want to.
The faulting instruction was:
0xf01a16e2 <nfs_reply+158>: movl 0x8(%eax),%ecx
where %eax was zero.
The source line corresponding to this appears to be:
697 dpos = mtod(md, caddr_t);
I believe this is consistent with `md' being NULL; it appears that the
only way to get to that line of code with md==NULL is if nfs_receive
returns NULL in md but doesn't return an error. nfs_receive has code
to avoid doing this in the TCP case, but there doesn't seem to be
comparable code for the UDP side.
I haven't dug far enough to determine under which circumstances a UDP
soreceive would return a NULL mbuf but not return an error.
>How-To-Repeat:
uncertain.
NFS-mount a server.
Shoot the server in the head.
Reboot.
Get unlucky.
>Fix:
uncertain; perhaps copy the
if (!error && *mp == NULL)
error = EPIPE;
code from the TCP case into the UDP case in nfs_receive.
>Audit-Trail:
>Unformatted:
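The following is an added example, not part of the PR and not NetBSD kernel code. It models the invariant the report describes: nfs_reply() calls mtod() on the returned mbuf whenever nfs_receive() reports no error, so the receive path must never return error == 0 together with a NULL mbuf. The UDP receive is simulated both as the PR describes it (result passed straight through) and with the `if (!error && *mp == NULL) error = EPIPE;` check the Fix section proposes. All names (mbuf_t, sock_t, soreceive_udp, nfs_receive_original, nfs_receive_fixed, check_variant) and the "dead server" socket model are hypothetical simplifications for this example.

```c
/*
 * Added example (not from the PR or the NetBSD sources): a model of the
 * nfs_receive() / nfs_reply() contract.  The struct and function names are
 * hypothetical; they only stand in for the kernel types and calls.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal stand-in for an mbuf chain: a data pointer and a length. */
typedef struct mbuf_t {
    char  *m_data;
    size_t m_len;
} mbuf_t;

/* mtod() as the kernel defines it: take the data pointer of an mbuf.
 * With m == NULL this is exactly the null dereference from the PR. */
#define mtod(m, t) ((t)(m)->m_data)

/* Minimal stand-in for a socket.  `dead` models an NFS server that is off
 * the air while the client is rebooting, so no datagram will ever arrive. */
typedef struct sock_t {
    int     dead;
    mbuf_t *pending;    /* datagram soreceive() will hand back, or NULL */
} sock_t;

/* Model of a UDP soreceive(): it may legitimately return 0 (no error) and
 * *mp == NULL, e.g. when the socket is torn down with nothing queued. */
static int soreceive_udp(sock_t *so, mbuf_t **mp)
{
    *mp = NULL;
    if (so->dead)
        return 0;           /* nothing delivered, but no error either */
    *mp = so->pending;
    so->pending = NULL;
    return 0;
}

/* UDP side as the PR describes it: the soreceive() result is passed
 * straight through, so (error == 0, *mp == NULL) can escape to the caller. */
static int nfs_receive_original(sock_t *so, mbuf_t **mp)
{
    return soreceive_udp(so, mp);
}

/* UDP side with the check the PR proposes copying from the TCP case. */
static int nfs_receive_fixed(sock_t *so, mbuf_t **mp)
{
    int error = soreceive_udp(so, mp);
    if (!error && *mp == NULL)
        error = EPIPE;
    return error;
}

/*
 * Drive one receive and mimic what nfs_reply() does with the result.
 * Returns:  0      reply parsed (mtod() was safe and pointed at the data),
 *           EPIPE  receive failed, nfs_reply() bails before mtod(),
 *          -1      error == 0 but md == NULL: the mtod(NULL) crash.
 * Constructed input: a single fake RPC reply datagram.
 */
static int check_variant(int use_fixed, int server_dead)
{
    char    payload[] = "rpc reply";
    mbuf_t  datagram  = { payload, sizeof payload - 1 };
    sock_t  so        = { server_dead, server_dead ? NULL : &datagram };
    mbuf_t *md        = NULL;
    int     error     = use_fixed ? nfs_receive_fixed(&so, &md)
                                  : nfs_receive_original(&so, &md);

    if (error)
        return error;       /* nfs_reply() returns before touching md */
    if (md == NULL)
        return -1;          /* would be mtod(NULL, caddr_t): the panic */
    return mtod(md, char *) == payload ? 0 : -2;
}

int main(void)
{
    printf("original, server up:   %d\n", check_variant(0, 0));
    printf("original, server dead: %d  (-1 = would fault in mtod)\n", check_variant(0, 1));
    printf("fixed,    server dead: %d  (EPIPE = %d)\n", check_variant(1, 1), EPIPE);
    return 0;
}
```

The point the model makes explicit is that the check belongs in nfs_receive(), not in every caller: once the receive path guarantees "error == 0 implies a non-NULL mbuf", nfs_reply() can keep calling mtod() unconditionally on the success path, which is the assumption the crash in the PR violated.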