From bg@bg.sics.se  Thu May 13 08:25:39 2004
Return-Path: <bg@bg.sics.se>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 82CEB16A4CE
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 13 May 2004 08:25:39 -0700 (PDT)
Received: from brev.sics.se (brev.sics.se [193.10.64.200])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 38A4643D5A
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 13 May 2004 08:25:38 -0700 (PDT)
	(envelope-from bg@bg.sics.se)
Received: from bg.sics.se (bg.sics.se [193.10.66.124])
	by brev.sics.se (8.12.8/8.12.8) with ESMTP id i4DFPNXc006075;
        Thu, 13 May 2004 17:25:24 +0200
	env-to ()
	env-from (bg@bg.sics.se)
Received: from bg.sics.se (localhost [127.0.0.1])
	by bg.sics.se (8.12.9p2/8.12.9) with ESMTP id i4DFPPZO033617;
	Thu, 13 May 2004 17:25:25 +0200 (CEST)
	(envelope-from bg@bg.sics.se)
Received: (from bg@localhost)
	by bg.sics.se (8.12.9p2/8.12.9/Submit) id i4DFPOQr033616;
	Thu, 13 May 2004 17:25:24 +0200 (CEST)
	(envelope-from bg)
Message-Id: <200405131525.i4DFPOQr033616@bg.sics.se>
Date: Thu, 13 May 2004 17:25:24 +0200 (CEST)
From: Bjoern Groenvall <bg@sics.se>
Reply-To: Bjoern Groenvall <bg@sics.se>
To: FreeBSD-gnats-submit@freebsd.org
Cc: bg@sics.se
Subject: Crashing NFS servers
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         66611
>Category:       kern
>Synopsis:       [nfs] Crashing NFS servers (with workaround)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kmacy
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu May 13 08:30:20 PDT 2004
>Closed-Date:    Fri Nov 16 08:31:37 UTC 2007
>Last-Modified:  Fri Nov 16 08:31:37 UTC 2007
>Originator:     Bjoern Groenvall
>Release:        FreeBSD 5.2.1-RELEASE i386
>Organization:
SICS
>Environment:
FreeBSD filur.sics.se 5.2.1-RELEASE FreeBSD 5.2.1-RELEASE #0: Wed Mar  3 17:14:07 CET 2004     bg@filur.sics.se:/usr/src/sys/i386/compile/FILUR  i386

The same bug is also present on at least 4.7-RELEASE-p17 and
4.8-RELEASE.

>Description:

This bug seems to happen only on NFS servers!

At times, this happens several times a day, sometimes months can go by
without this ever happening. To avoid the problem a workaround is
attached at the bottom.

Under certain conditions tcp_usr_rcvd passes a NULL pointer
to tcp_output which will lead to a panic. Here is a backtrace
as printed on the console (typed in manually and stripped of
numerical information).

Stack backtrace:
backtrace
tcp_usr_rcvd
soreceive
nfsrv_rcv
sowakeup
soisdisconnected
tcp_discardcb
tcp_close
tcp_input
ip_input
netisr_processqueue
swi_net
ithread_loop
fork_exit
fork_trampoline
--- trap 0x1, eip = 0, esp = 0xd77c2d7c, ebp = 0 ---

>How-To-Repeat:

This seems to only happen on NFS servers. Don't know how to trigger
the bug.

>Fix:

No fix but a sample workaround.

--- sys/netinet/tcp_usrreq.c.orig	Fri Jan  9 13:32:36 2004
+++ sys/netinet/tcp_usrreq.c	Tue Feb 24 17:37:27 2004
@@ -619,6 +619,12 @@
 	const int inirw = INI_READ;
 
 	COMMON_START();
+	if (tp == 0) {
+		splx(s);
+		printf("tcp_usr_rcvd: tp == 0\n");
+		backtrace();
+		return EINVAL;
+	}
 	tcp_output(tp);
 	COMMON_END(PRU_RCVD);
 }
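
Review bot: The early return in the added `if (tp == 0)` block leaves the function without going through COMMON_END(PRU_RCVD), undoing only the spl level by hand with splx(s). Anything else that COMMON_START() sets up and COMMON_END() tears down is skipped on this path, so it would be safer to set an error and fall through to the common exit rather than return directly. The printf() and backtrace() calls also run on every hit. The report says the condition can occur several times a day and the trace shows it being reached from tcp_input, so the console output should be rate-limited or dropped once the diagnosis is done. Finally, the check only stops the NULL from reaching tcp_output(tp). It does not explain why tcp_usr_rcvd is entered with no tcpcb while tcp_close/tcp_discardcb is still on the stack (via soisdisconnected, sowakeup and nfsrv_rcv in the backtrace), and a comment saying so above the test would keep this from being read as the fix. Style: compare against NULL rather than 0.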

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback 
State-Changed-By: kmacy 
State-Changed-When: Fri Nov 16 01:24:21 UTC 2007 
State-Changed-Why:  

almost certainly stale 


Responsible-Changed-From-To: freebsd-bugs->kmacy 
Responsible-Changed-By: kmacy 
Responsible-Changed-When: Fri Nov 16 01:24:21 UTC 2007 
Responsible-Changed-Why:  

Highly likely to be stale. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=66611 
State-Changed-From-To: feedback->closed 
State-Changed-By: kmacy 
State-Changed-When: Fri Nov 16 08:30:45 UTC 2007 
State-Changed-Why:  

submitter has not seen this in recent releases 

http://www.freebsd.org/cgi/query-pr.cgi?pr=66611 
>Unformatted:

Is this still present on RELENG_6 or RELENG_7?
