From dwmalone@maths.tcd.ie  Mon Feb  8 14:41:15 1999
Received: from salmon.maths.tcd.ie (salmon.maths.tcd.ie [134.226.81.11])
          by hub.freebsd.org (8.8.8/8.8.8) with SMTP id OAA17882
          for <FreeBSD-gnats-submit@freebsd.org>; Mon, 8 Feb 1999 14:41:14 -0800 (PST)
          (envelope-from dwmalone@maths.tcd.ie)
Received: from walton.maths.tcd.ie by salmon.maths.tcd.ie with SMTP
          id <aa09349@salmon.maths.tcd.ie>; 8 Feb 99 22:41:13 +0000 (GMT)
Message-Id: <9902082241.aa09104@walton.maths.tcd.ie>
Date: Mon, 8 Feb 99 22:41:12 +0000 (GMT)
From: dwmalone@maths.tcd.ie
Sender: dwmalone@maths.tcd.ie
Reply-To: dwmalone@maths.tcd.ie
To: FreeBSD-gnats-submit@freebsd.org
Subject: NFS cross device links cause vrele: negative ref cnt
X-Send-Pr-Version: 3.2

>Number:         9970
>Category:       kern
>Synopsis:       NFS cross device links cause vrele: negative ref cnt
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Feb  8 14:50:00 PST 1999
>Closed-Date:    Sat Feb 13 00:05:23 PST 1999
>Last-Modified:  Sat Feb 13 00:06:29 PST 1999
>Originator:     David Malone
>Release:        FreeBSD 2.2.7-STABLE i386
>Organization:
School of Mathematics, Trinity College, Dublin.
>Environment:

FreeBSD-3.0 or FreeBSD-4.0.

>Description:

The vrele: negative reference count problem that we have been seeing is
caused by attempting a cross device link to a directory on an nfs
filesystem. The machine may not panic for a while until the last real
reference is gone.

This is quite dramatic as anyone with write access to an nfs filesystem
can kill the machine!

This problem was introduced in version 1.108 of nfs_vnops.c.
In version 1.84 some of the vrele, etc. were removed when there
was a change in filesystem behavior. The fact that the man page
for VOP_LINK(9) still says that you should release the directory
obviously doesn't help.

>How-To-Repeat:

cd /tmp
touch hello
ln hello /nfs/filesystem	(Repeat until *BOOM*)

>Fix:

The following seems to fix the problem, but the VOP_* man pages
should also be updated by someone who understands the changes
about the time of 1.84.

--- nfs_vnops.c.orig	Mon Feb  8 22:09:51 1999
+++ nfs_vnops.c	Mon Feb  8 22:11:48 1999
@@ -1686,7 +1686,6 @@
 
 	if (vp->v_mount != tdvp->v_mount) {
 		VOP_ABORTOP(tdvp, cnp);
-		vput(tdvp);
 		return (EXDEV);
 	}
 
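Review bot: The EXDEV branch now returns with tdvp still referenced, and nothing at `return (EXDEV);` says who is responsible for releasing it. Since the report notes that VOP_LINK(9) still tells implementers to release the directory, add a short comment in this branch stating that the caller drops tdvp, and correct the man page in the same change so the vput() is not put back later. The other exit paths of this function are not visible in the hunk and should be checked for the same leftover release.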
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: dillon 
State-Changed-When: Sat Feb 13 00:05:23 PST 1999 
State-Changed-Why:  
committed fix to nfs_link() code as suggested, after auditing code 
and determining that the man page for VOP_LINK was wrong and also 
comparing nfs_link() against ufs_link(). 
>Unformatted:
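The failure mode described in this report, as an added user-space model that is not part of the original PR or of the FreeBSD source: it shows why each failed cross-device link costs the directory one reference and why the underflow only appears once the other holders' references are used up. The struct, the function names and the assumption that the caller takes and drops its own reference on the target directory are hypothetical simplifications.

```c
/* Added illustration: a user-space model, not FreeBSD kernel code. */
#include <errno.h>
#include <stdio.h>

struct vnode_model {    /* hypothetical; keeps only what the report relies on */
    int usecount;       /* stands in for the vnode reference count */
    int mount_id;       /* stands in for v_mount */
};

static void vref_model(struct vnode_model *vp) { vp->usecount++; }

/* Returns -1 where the kernel would panic with "vrele: negative ref cnt". */
static int vrele_model(struct vnode_model *vp)
{
    if (vp->usecount <= 0)
        return -1;
    vp->usecount--;
    return 0;
}

/* Cross-device branch of the link operation; callee_releases = pre-fix code. */
static int link_op(struct vnode_model *vp, struct vnode_model *tdvp,
                   int callee_releases)
{
    if (vp->mount_id != tdvp->mount_id) {
        if (callee_releases)
            (void)vrele_model(tdvp);    /* the release the patch removes */
        return EXDEV;
    }
    return 0;
}

/* Assumed caller: references tdvp for the call and drops it afterwards. */
static int link_caller(struct vnode_model *vp, struct vnode_model *tdvp,
                       int callee_releases)
{
    vref_model(tdvp);
    (void)link_op(vp, tdvp, callee_releases);
    return vrele_model(tdvp);
}

/* Failed links needed before a release underflows; -1 if it never does. */
int attempts_until_underflow(int other_refs, int callee_releases, int max)
{
    struct vnode_model file = { 1, 1 }, dir = { other_refs, 2 };
    for (int i = 1; i <= max; i++)
        if (link_caller(&file, &dir, callee_releases) != 0)
            return i;
    return -1;
}

int main(void)
{
    printf("pre-fix: %d, patched: %d\n", attempts_until_underflow(3, 1, 100),
           attempts_until_underflow(3, 0, 100));
    return 0;
}
```

The real kernel does more when a count reaches zero; the model only tracks the arithmetic of the extra release.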
