From serge@jbj.org  Mon Sep  8 19:29:11 1997
Received: from serge.jbj.org (serge.JBJ.ORG [198.178.231.60])
          by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id TAA25698
          for <FreeBSD-gnats-submit@freebsd.org>; Mon, 8 Sep 1997 19:29:09 -0700 (PDT)
Received: (from serge@localhost) by serge.jbj.org (8.8.6/8.6.12) id WAA04878; Mon, 8 Sep 1997 22:29:07 -0400 (EDT)
Message-Id: <199709090229.WAA04878@serge.jbj.org>
Date: Mon, 8 Sep 1997 22:29:07 -0400 (EDT)
From: Serge Pashenkov <serge@jbj.org>
Reply-To: serge@jbj.org
To: FreeBSD-gnats-submit@freebsd.org
Subject: df on a stale file system panics
X-Send-Pr-Version: 3.2

>Number:         4501
>Category:       kern
>Synopsis:       df on a stale file system panics
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Sep  8 19:30:01 PDT 1997
>Closed-Date:    Fri Oct 17 21:16:29 MEST 1997
>Last-Modified:  Fri Oct 17 21:17:07 MEST 1997
>Originator:     Serge Pashenkov
>Release:        FreeBSD 2.2-STABLE i386
>Organization:
>Environment:

	2.2 stable circa Sep 8

>Description:

	On a server, export something like /mnt with something mounted
	there (a floppy would be just fine),
	mount it on a 2.2-stable client,
	then unmount /mnt on the server.

	Now a simple df panics the client.

>How-To-Repeat:

	see description.

>Fix:
	
	nfs_statfs() does not parse the packet quite right in the case of a
	stale file handle. The local variable register struct nfs_statfs *sfp;
	is assigned 0 and never reassigned the real value, but still
	gets used as a pointer later.

	I'm not sure how to really fix the problem, for I don't quite
	grok the nfsm_ macros, but the following is a prop which just checks for
	a 0 value of sfp. It fixes the panic, and actually I see no problems
	with that, but probably the right fix is in the nfsm_ ...

RCS file: /spare/ncvs/src/sys/nfs/nfs_vfsops.c,v
retrieving revision 1.30.2.4
diff -c -r1.30.2.4 nfs_vfsops.c
*** nfs_vfsops.c        1997/05/14 08:19:29     1.30.2.4
--- nfs_vfsops.c        1997/09/02 13:49:13
***************
*** 245,250 ****
--- 245,256 ----
                nfsm_postop_attr(vp, retattr);
        if (!error)
                nfsm_dissect(sfp, struct nfs_statfs *, NFSX_STATFS(v3));
+ 
+       if (sfp == NULL) {
+               error = ESTALE;
+               goto nfsmout;
+       }
+ 
  #ifdef __NetBSD__
  #ifdef COMPAT_09
        sbp->f_type = 2;
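Review bot: the added `sfp == NULL` check overwrites whatever `error` the preceding code already set (the context shows the dissect is skipped exactly when `error` is nonzero, so that is the case in which `sfp` stays NULL), which means every failed statfs would be reported to the caller as ESTALE rather than as the status the server actually returned. Preserve the recorded error and only fall back to ESTALE when none was set, e.g. `if (sfp == NULL) { if (!error) error = ESTALE; goto nfsmout; }`, or bail out with `if (error) goto nfsmout;` before `sfp` is first used; the placement right after the `nfsm_dissect` line and ahead of the `#ifdef __NetBSD__` block is otherwise the right spot.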

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback 
State-Changed-By: joerg 
State-Changed-When: Fri Oct 17 14:16:52 MEST 1997 
State-Changed-Why:  

A slightly different fix has been merged from -current in rev 
1.30.2.5.  Please try whether this would also fix your problem. 
State-Changed-From-To: feedback->closed 
State-Changed-By: joerg 
State-Changed-When: Fri Oct 17 21:16:29 MEST 1997 
State-Changed-Why:  

Fix confirmed. 
>Unformatted:

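The defect behind this PR is a parsed pointer that is only assigned on the success path and then used unconditionally. The following C program is an added example, not code from FreeBSD's nfs_vfsops.c or from the submitter's patch: it decodes a constructed, simplified FSSTAT-style reply (a 32-bit status word followed, only on success, by three 32-bit counters; the layout, the struct name `nfs_statfs_ex`, and the function names are assumptions for this example) and shows the invariant the fix needs: the statfs fields are touched only when the server actually sent them, and the server's status is mapped to an errno instead of being collapsed to ESTALE.

```c
/* Added example (not FreeBSD's nfs_vfsops.c): decoding a status-prefixed
 * FSSTAT-style reply so that the statfs fields are only used when the
 * server actually sent them.  Wire layout, struct and function names are
 * constructed for this example and simplified from the real NFSv3 reply. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NFS_OK        0
#define NFS3ERR_STALE 70   /* RFC 1813 status value for a stale file handle */

/* Simplified statfs payload: three big-endian uint32 counters (constructed). */
struct nfs_statfs_ex {
    uint32_t tbytes, fbytes, abytes;
};

struct reply_cursor {
    const unsigned char *data;
    size_t len, pos;
};

/* Pull one XDR-style big-endian uint32 from the reply; fail on truncation. */
static int cursor_u32(struct reply_cursor *c, uint32_t *out)
{
    if (c->len - c->pos < 4)
        return -1;
    const unsigned char *p = c->data + c->pos;
    *out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    c->pos += 4;
    return 0;
}

/* Map an NFS status to an errno, keeping the server's error instead of
 * reporting every failure as ESTALE. */
static int nfs_status_to_errno(uint32_t status)
{
    switch (status) {
    case NFS_OK:        return 0;
    case NFS3ERR_STALE: return ESTALE;
    default:            return EIO;
    }
}

/* Decode a reply.  Returns 0 and fills *out on success; otherwise returns a
 * positive errno and leaves *out untouched, so the caller never sees a
 * half-parsed structure (the invariant the PR's panic violated). */
int decode_fsstat_reply(const unsigned char *buf, size_t len,
                        struct nfs_statfs_ex *out)
{
    struct reply_cursor c = { buf, len, 0 };
    struct nfs_statfs_ex tmp;
    const struct nfs_statfs_ex *sfp = NULL;   /* same role as sfp in nfs_statfs() */
    uint32_t status;

    if (cursor_u32(&c, &status) != 0)
        return EIO;
    int error = nfs_status_to_errno(status);
    if (!error) {
        /* Only a successful status carries the statfs fields. */
        if (cursor_u32(&c, &tmp.tbytes) || cursor_u32(&c, &tmp.fbytes) ||
            cursor_u32(&c, &tmp.abytes))
            return EIO;
        sfp = &tmp;
    }
    /* Hardening point: bail out before sfp is used, propagating `error`. */
    if (sfp == NULL)
        return error ? error : EIO;
    *out = *sfp;
    return 0;
}

/* Constructed replies: a stale-handle error and a successful FSSTAT. */
static const unsigned char stale_reply[] = { 0, 0, 0, 70 };
static const unsigned char ok_reply[] = {
    0, 0, 0, 0,          /* NFS_OK */
    0, 0, 0x10, 0x00,    /* tbytes = 4096 */
    0, 0, 0x08, 0x00,    /* fbytes = 2048 */
    0, 0, 0x04, 0x00,    /* abytes = 1024 */
};

/* Probes returning the decoder's errno and the tbytes field left in the
 * output struct (pre-filled with 7 so an untouched struct is observable). */
int probe_errno(const unsigned char *buf, size_t len)
{
    struct nfs_statfs_ex sf = { 7, 7, 7 };
    return decode_fsstat_reply(buf, len, &sf);
}

uint32_t probe_tbytes(const unsigned char *buf, size_t len)
{
    struct nfs_statfs_ex sf = { 7, 7, 7 };
    (void)decode_fsstat_reply(buf, len, &sf);
    return sf.tbytes;
}

int main(void)
{
    int err = probe_errno(stale_reply, sizeof stale_reply);
    printf("stale reply: errno %d (%s), tbytes left at %u\n",
           err, strerror(err), probe_tbytes(stale_reply, sizeof stale_reply));
    printf("ok reply: errno %d, tbytes %u\n",
           probe_errno(ok_reply, sizeof ok_reply),
           probe_tbytes(ok_reply, sizeof ok_reply));
    return 0;
}
```

The truncation check in `cursor_u32` matters as much as the NULL check: a reply that claims success but is shorter than the payload must also leave the output untouched and return an error, rather than being read past its end.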