Bug 139993

Summary: nfsd simultaneous restarts causes memory corruption
Product: Red Hat Enterprise Linux 3
Component: kernel
Version: 3.0
Hardware: All
OS: Linux
Reporter: Need Real Name <phelps>
Assignee: Steve Dickson <steved>
QA Contact: Brian Brock <bbrock>
CC: petrides, riel
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Doc Type: Bug Fix
Last Closed: 2007-10-19 19:13:48 UTC

Attachments:
  Proposed patch (attachment 107034) - Flags: none

Description Need Real Name 2004-11-19 06:17:03 UTC
Description of problem:
The global variable nfsd_serv is not protected in the routines
nfsd_svc() and nfsd(). If simultaneous processes are executing in
these routines, the allocated memory associated with this variable can
be accessed after it is freed and memory corruption can result.

Version-Release number of selected component (if applicable):
2.4.21-4.EL

How reproducible:
Running competing 'service nfs restart' routines will result in some
Oops or panic within an hour or so.

Steps to Reproduce:
1. Run several competing 'service nfs restart' routines
Actual results:
Various Oops and panics

Expected results:
No Oops or panics.

Additional info:
Will attach suggested patch
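
The race the description refers to, as an added userspace model that is not the reporter's attached patch nor the kernel's own code: a global pointer (nfsd_serv) is checked, copied and then used without a lock, so a second rpc.nfsd invocation can destroy the svc_serv between the copy and the use. The stand-in struct, the simplified svc_create/svc_destroy and the pause/yield hooks are assumptions made for the demo; the name nfsd_mutex is borrowed from the serialising mutex later upstream kernels use for this pointer. The simulated free poisons the block instead of releasing it so the stale access is detected as a return value rather than as an Oops. The fixed variant wraps the same logic in one mutex and survives a multi-threaded stress run.

```c
/* Userspace model of the nfsd_serv race described in this report and of the
 * lock-based fix. Build: cc -pthread nfsd_race.c -o nfsd_race */
#include <pthread.h>
#include <sched.h>
#include <semaphore.h>
#include <stdio.h>
#include <stdlib.h>

#define SERV_LIVE 0x53455256u   /* block is allocated */
#define SERV_DEAD 0xDEADBEEFu   /* poison written by the simulated free */

struct svc_serv { unsigned magic; int sv_nrthreads; };  /* stand-in for the kernel struct */

static struct svc_serv *nfsd_serv;    /* the global the report says is unprotected */
static pthread_mutex_t nfsd_mutex = PTHREAD_MUTEX_INITIALIZER;

static struct svc_serv *svc_create(void)
{
    struct svc_serv *s = calloc(1, sizeof *s);
    if (!s) abort();
    s->magic = SERV_LIVE; return s;
}

/* Simulated free: poison instead of free(), so a stale user is detected
 * deterministically rather than by an Oops. The block is leaked on purpose. */
static void svc_destroy(struct svc_serv *s) { s->magic = SERV_DEAD; }

/* nfsd_svc() as the report describes it: check-then-act on the global with no lock.
 * window() marks where the 2.4 code can be preempted between reading nfsd_serv
 * and using it (assumed simplification). Returns 1 if a destroyed serv was touched. */
static int nfsd_svc_unlocked(int nrservs, void (*window)(void))
{
    struct svc_serv *serv;
    if (nrservs < 0) nrservs = 0;
    if (nrservs == 0 && nfsd_serv == NULL) return 0;    /* nothing to stop */
    if (nfsd_serv == NULL) nfsd_serv = svc_create();
    serv = nfsd_serv;                          /* local copy of the global */
    if (window) window();                      /* another rpc.nfsd runs here */
    if (serv->magic != SERV_LIVE) return 1;    /* use-after-free observed */
    if (nrservs == 0) { svc_destroy(serv); nfsd_serv = NULL; return 0; }
    serv->sv_nrthreads = nrservs;
    return 0;
}

/* Fixed variant: one mutex serialises every access to nfsd_serv, the shape
 * later upstream kernels use (nfsd_mutex in fs/nfsd/nfssvc.c). */
static int nfsd_svc_locked(int nrservs, void (*window)(void))
{
    pthread_mutex_lock(&nfsd_mutex);
    int r = nfsd_svc_unlocked(nrservs, window);
    pthread_mutex_unlock(&nfsd_mutex);
    return r;
}

/* Deterministic replay of two overlapping "service nfs restart" runs: thread A
 * is re-starting nfsd and is paused inside the window while thread B stops it. */
static sem_t a_paused, b_done;
static void pause_for_b(void) { sem_post(&a_paused); sem_wait(&b_done); }
static void *stopper(void *arg)
{
    sem_wait(&a_paused);
    nfsd_svc_unlocked(0, NULL);      /* B: the second restart's "stop" */
    sem_post(&b_done);
    return arg;
}
int demo_unlocked(void)
{
    pthread_t t;
    sem_init(&a_paused, 0, 0);
    sem_init(&b_done, 0, 0);
    nfsd_serv = NULL;
    nfsd_svc_unlocked(8, NULL);      /* A: first restart's "start" */
    pthread_create(&t, NULL, stopper, NULL);
    int uaf = nfsd_svc_unlocked(8, pause_for_b);   /* A restarts, B slips in */
    pthread_join(t, NULL);
    return uaf;                      /* 1: A used the serv that B destroyed */
}

/* Stress the fixed path: threads issue random start/stop requests and yield inside
 * the window; with the mutex held across the whole operation none sees a dead serv. */
static void yield_window(void) { sched_yield(); }
static void *worker(void *arg)
{
    unsigned seed = (unsigned)(long)arg;
    long hits = 0;
    for (int i = 0; i < 2000; i++) {
        seed = seed * 1103515245u + 12345u;            /* tiny LCG, no rand_r */
        hits += nfsd_svc_locked(((seed >> 16) & 1) ? 8 : 0, yield_window);
    }
    return (void *)hits;
}
int stress_locked(int nthreads)
{
    pthread_t t[16]; long total = 0; void *r;
    if (nthreads > 16) nthreads = 16;
    nfsd_serv = NULL;
    for (int i = 0; i < nthreads; i++)
        pthread_create(&t[i], NULL, worker, (void *)(long)(i + 1));
    for (int i = 0; i < nthreads; i++) { pthread_join(t[i], &r); total += (long)r; }
    return (int)total;               /* 0: no stale access through the lock */
}

int main(void)
{
    printf("unlocked replay: stale accesses = %d\n", demo_unlocked());
    printf("locked stress:   stale accesses = %d\n", stress_locked(8));
    return 0;
}
```

The replay shows the exact window the description names: A holds a copy of nfsd_serv, B frees it and clears the global, A then writes through the copy. In the real kernel that write lands on freed slab memory, which is why the reporter sees assorted Oopses rather than one repeatable trace. Holding a single mutex across the check, the allocation/destruction and the use closes the window; a lock that only covered the pointer read would not.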

Comment 1 Need Real Name 2004-11-19 06:20:58 UTC
Created attachment 107034 [details]
Proposed patch

Comment 2 Need Real Name 2004-11-19 17:57:05 UTC
Example panic caused by this bug on kernel 2.4.21-20.EL:

Unable to handle kernel NULL pointer dereference at virtual address 00000018
 printing eip:
c89ce0bd
*pde = 07012067
*pte = 00000000
Oops: 0000
nfs nfsd lockd sunrpc lp parport autofs4 audit e100 floppy sg
microcode ext3 jbd lpfc sd_mod scsi_mod  
CPU:    0
EIP:    0060:[<c89ce0bd>]    Not tainted
EFLAGS: 00010293

EIP is at nfsd_svc [nfsd] 0x5d (2.4.21-20.EL/i686)
eax: 00000008   ebx: 00000008   ecx: 00000246   edx: 00000000
esi: 00000000   edi: 00000801   ebp: 00000000   esp: c402bebc
ds: 0068   es: 0068   ss: 0068
Process rpc.nfsd (pid: 32299, stackpage=c402b000)
Stack: c89e2050 00000006 00000801 bfffb710 ffffffea 0000000c c89ce93c 00000801
       00000008 0000000c c01601e5 c74df500 fffffffe 00000000 00000000 c4c8a000
       00000001 00000001 00000000 c004c380 fffffffe c3c8600d 00000007 376450f3
Call Trace:   [<c89e2050>] nfssvc_boot [nfsd] 0x0 (0xc402bebc)
[<c89ce93c>] handle_sys_nfsservctl [nfsd] 0x18c (0xc402bed4)
[<c01601e5>] path_release [kernel] 0x15 (0xc402bee4)
[<c0160d69>] path_lookup [kernel] 0x39 (0xc402bf30)
[<c01611de>] open_namei [kernel] 0x7e (0xc402bf40)
[<c0152a13>] filp_open [kernel] 0x43 (0xc402bf70)
[<c016df5e>] sys_nfsservctl [kernel] 0x5e (0xc402bfac)

Code: 8b 4a 18 29 c8 8d 58 01 85 db 7e 2a 8d b4 26 00 00 00 00 89

Kernel panic: Fatal exception


Comment 3 Steve Dickson 2005-01-07 00:31:40 UTC
Just wondering, are you starting multiple  rpc.nfsd daemons?

Comment 4 Need Real Name 2005-01-07 00:36:02 UTC
Not intentionally, except to reproduce this bug.

Comment 5 Need Real Name 2005-01-07 00:39:12 UTC
Somehow, bugzilla removed the QA contact with my last comment, so I'm
restoring...

Comment 6 RHEL Program Management 2007-10-19 19:13:48 UTC
This bug is filed against RHEL 3, which is in maintenance phase.
During the maintenance phase, only security errata and select mission
critical bug fixes will be released for enterprise products. Since
this bug does not meet those criteria, it is now being closed.

For more information on the RHEL errata support policy, please visit:
http://www.redhat.com/security/updates/errata/

If you feel this bug is indeed mission critical, please contact your
support representative. You may be asked to provide detailed
information on how this bug is affecting you.