Marcel Telka wrote: > Hi all, > > > The bug: > -------- > > 6672480 NFSv2 and NFSv3 client panic in nfs_async_inactive() when mounted > with rsize=0 > > > Problem description: > -------------------- > > Commands like > # mount -o vers=3,rsize=0 server:/export/dir /mnt > or > # mount -o vers=2,rsize=0 server:/export/dir /mnt > > will immediatelly panic the machine when kmem_flags is set. > NFSv4 is not affected. > > > Root cause: > ----------- > > NFSv3: > > nfs3_mount() calls nfs_setopts() and this function failed (returned non zero). > Then nfs3_mount() freed mi of a vnode using nfs_free_mi() call. After that the > nfs3_mount() tried to release the vnode using vn_rele(). Unfortunatelly, the > vn_rele() is accessing mi (previously freed) of the vnode. > > NFSv2: > > The root cause is same as for NFSv3, with one exception: All is happening in > nfs_mount() instead of nfs3_mount(). > > Detailed root cause analysis (>30k chars) is available at > http://cr.opensolaris.org/~aragorn/6672480.analysis > > > The fix: > -------- > > The fix move VN_RELE() call before the nfs_free_mi() call in both nfs3_mount() > and nfs_mount() functions. For example, the similar order of calls is already > in nfs3rootvp(). > > The webrev is available at <http://cr.opensolaris.org/~aragorn/6672480/>. > Please note it contains a lot of formatting fixes so as a starting point I > recommend the real fix at > <http://cr.opensolaris.org/~aragorn/6672480.realfix>. > >
I would have preferred that the real fix also be a full webrev. It is nice to be able to look at the full context. BTW - thanks for thinking of isolating the changes. Have you scanned for other instances of this cleanup code? In any event, I approve of the changes. > The finale: > ----------- > > Please review my fix. Should you have any questions just ask. > > > Thank you. > >
