kern/164261: [patch] fix panic with NFS served from NULLFS

Eygene Ryabinkin rea at
Tue Jan 17 20:40:15 UTC 2012

>Number:         164261
>Category:       kern
>Synopsis:       [patch] fix panic with NFS served from NULLFS
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jan 17 20:40:14 UTC 2012
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 10.0-CURRENT amd64
Code Labs

System: FreeBSD 10.0-CURRENT, FreeBSD 9.0-STABLE


When one exports NULLFS filesystems via NFS, he can face kernel
panics if external clients use readdir+ feature and are accessing
same directories simultaneously.

The example of the backtrace can be obtained at
This backtrace is from 9.x as of December 2011.

The real problem is that the thread that loses the race in
null_nodeget (/sys/fs/nullfs/null_subr.c) will put the native lock
(vp->v_vnlock = &vp->v_lock) to the nullfs vnode that should be
destroyed (because the thread lost the race).  And null_reclaim
(/sys/fs/nullfs/null_vnops.c) will try to lock vnode's v_lock in the
exclusive mode.  This will lead to panic, because v_vnlock is already
locked at the time of VOP_RECLAIM processing and we have v_vnlock that
points to v_lock.  Bingo!


section "How to reproduce".


will fix the problem (in reality, the first patch is just some

I had tested this patch on my 10-CURRENT machine; tomorrow I intend
to test in on the 9.x production NFS server with 300-400 clients.

More information about the freebsd-bugs mailing list