Bug 730000

Summary: segfault in nfs-utils-1.2.3-7.el6 when showmount -a is run after umount
Product: Red Hat Enterprise Linux 6
Reporter: Jon Magrini <jmagrini>
Component: nfs-utils
Assignee: Steve Dickson <steved>
Status: CLOSED DUPLICATE
QA Contact: yanfu,wang <yanwang>
Severity: medium
Priority: high
Version: 6.1
CC: dwysocha, ron.cronenwett
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Last Closed: 2011-08-11 22:01:30 UTC
Attachments: coredump details (flags: none); kbase (flags: none)

Description Jon Magrini 2011-08-11 14:00:23 UTC
Created attachment 517813
coredump details

Description of problem:
rpc.mountd segfault on NFSv3 server after "umount" followed by "showmount -a" on client system

Version-Release number of selected component (if applicable):

NFS Server:

kernel: 2.6.32-131.6.1.el6.x86_64
arch: x86_64
nfs: 
nfs-utils-1.2.3-7.el6.x86_64
nfs4-acl-tools-0.3.3-5.el6.x86_64
nfs-utils-lib-1.1.5-3.el6.x86_64

# cat /etc/exports 
/san_disk *(rw,fsid=0,sync,all_squash,anonuid=500,anongid=500)

[root@bignasty ~]# showmount -e 
Export list for bignasty.usersys.redhat.com:
/san_disk *


Client: 

kernel: 2.6.32-131.6.1.el6.x86_64
arch: x86_64
nfs: 
nfs-utils-lib-1.1.5-3.el6.x86_64
nfs4-acl-tools-0.3.3-5.el6.x86_64
nfs-utils-1.2.3-7.el6.x86_64

How reproducible:
repeatable

Steps to Reproduce:
1. Create nfs export on server
2. Client mounts export
mount -t nfs <ip>:/san_disk -o nfsvers=3,nolock /mnt/nfs_share/
3. On client, run showmount -a <server_ip>
4. On client, unmount /mnt/nfs_share
5. On client, run showmount -a <server_ip>
6. segfault occurs on nfs server

More Details: 
Server: 
# cat /etc/exports 
/san_disk *(rw,fsid=0,sync,all_squash,anonuid=500,anongid=500)

# showmount -e 
Export list for <nfs_server>:
/san_disk *

Client: 
# mount -t nfs <server_ip>:/san_disk -o nfsvers=3,nolock /mnt/nfs_share/
# mount
...
<ip>:/san_disk on /mnt/nfs_share type nfs (rw,nfsvers=3,nolock,addr=<server_ip>)

# showmount -a <server_ip>
All mount points on <server_ip>:
<client_ip>:/san_disk

# umount /mnt/nfs_share/
# showmount -a <server_ip>
rpc mount dump: RPC: Unable to receive; errno = Connection reset by peer
  
Actual results:
Aug 11 09:09:57 bignasty rpc.mountd[3785]: Version 1.2.3 starting
Aug 11 09:12:22 bignasty rpc.mountd[3785]: authenticated mount request from <client_ip>:873 for /san_disk (/san_disk)
Aug 11 09:12:48 bignasty rpc.mountd[3785]: authenticated unmount request from <client_ip>:1023 for /san_disk (/san_disk)
Aug 11 09:13:11 bignasty kernel: __ratelimit: 414 callbacks suppressed
Aug 11 09:13:11 bignasty kernel: rpc.mountd[3785] general protection ip:7f886cfc886f sp:7fff57180fd8 error:0 in libc-2.12.so[7f886cea2000+187000]
Aug 11 09:13:11 bignasty abrt[4065]: saved core dump of pid 3785 (/usr/sbin/rpc.mountd) to /var/spool/abrt/ccpp-1313068391-3785.new/coredump (761856 bytes)
Aug 11 09:13:11 bignasty abrtd: Directory 'ccpp-1313068391-3785' creation detected
Aug 11 09:13:11 bignasty abrtd: Crash is in database already (dup of /var/spool/abrt/ccpp-1313021207-29619)
Aug 11 09:13:11 bignasty abrtd: Deleting crash ccpp-1313068391-3785 (dup of ccpp-1313021207-29619), sending dbus signal

Expected results:
No segfault, and the command exits cleanly.

Comment 2 Jon Magrini 2011-08-11 14:05:24 UTC
Created attachment 517816
kbase

Comment 3 Dave Wysochanski 2011-08-11 14:07:03 UTC
Just verified that the patch from Fedora bug 669065 is not in
nfs-utils-1.2.3-7.el6, so this should be a simple backport of that one-line
patch:

diff -rNup nfs-utils-1.2.3_orig/utils/mountd/rmtab.c
nfs-utils-1.2.3/utils/mountd/rmtab.c
--- nfs-utils-1.2.3/utils/mountd/rmtab.c 2010-09-28 14:24:16.000000000 +0200
+++ nfs-utils-1.2.3/utils/mountd/rmtab.c 2011-01-12 14:44:22.320000000 +0100
@@ -205,6 +205,7 @@ mountlist_list(void)
  }
  if (stb.st_mtime != last_mtime) {
   mountlist_freeall(mlist);
+  mlist=NULL;
   last_mtime = stb.st_mtime;

   setrmtabent("r");
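Review bot: the added `mlist=NULL;` is the entire fix and is correct as far as this hunk shows: `mountlist_freeall(mlist)` releases every node but leaves the static `mlist` pointing at freed memory, so whatever follows `setrmtabent("r")` to rebuild or return the list would otherwise work on a dangling pointer, which is consistent with the general protection fault inside libc in the report. Two small points for the backport: match the surrounding spacing (`mlist = NULL;`, like `last_mtime = stb.st_mtime;`), and since this reset is the only thing standing between the free and the reuse, a one-line comment saying why the head is cleared would keep a later refactor from dropping it again.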

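The failure mode behind this patch, as an added C example that is not nfs-utils code: a cache of rmtab entries keyed on the file's mtime, with the pre-fix version (list head left dangling after `mountlist_freeall`) beside the fixed one. Only the `mountlist` field names and the `mountlist_freeall`/`mountlist_list` names follow the patch; `struct mlcache`, `dupstr`, `parse_rmtab`, `mountlist_count`, the explicit `mtime` argument and the in-memory "host:path" rmtab strings are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example modelling the rmtab cache in rpc.mountd's mountlist_list().
 * Not nfs-utils code: the node keeps the real field names, but the cache is
 * passed in explicitly and rmtab contents come from a constructed string. */
struct mountlist {
    char             *ml_hostname;
    char             *ml_directory;
    struct mountlist *ml_next;
};

struct mlcache {
    struct mountlist *head;       /* stands in for the static 'mlist' */
    long              last_mtime; /* stands in for the static 'last_mtime' */
};

/* Release every node; the caller must drop its own pointer to the list. */
void mountlist_freeall(struct mountlist *m)
{
    while (m != NULL) {
        struct mountlist *next = m->ml_next;
        free(m->ml_hostname);
        free(m->ml_directory);
        free(m);
        m = next;
    }
}

/* Copy n bytes and NUL-terminate (avoids relying on POSIX strdup). */
static char *dupstr(const char *s, size_t n)
{
    char *p = malloc(n + 1);
    memcpy(p, s, n);
    p[n] = '\0';
    return p;
}

/* Parse "host:path" lines (constructed rmtab format) and prepend each node
 * to 'head', the way mountd chains freshly read entries onto mlist. */
static struct mountlist *parse_rmtab(const char *text, struct mountlist *head)
{
    while (*text != '\0') {
        size_t len = strcspn(text, "\n");          /* length of this line */
        const char *colon = memchr(text, ':', len);
        if (colon != NULL) {                       /* skip malformed lines */
            size_t hlen = (size_t)(colon - text);
            struct mountlist *m = malloc(sizeof *m);
            m->ml_hostname  = dupstr(text, hlen);
            m->ml_directory = dupstr(colon + 1, len - hlen - 1);
            m->ml_next      = head;
            head = m;
        }
        text += len;
        if (*text == '\n')
            text++;
    }
    return head;
}

/* Pre-fix behaviour: after freeall, c->head still points at freed nodes.
 * New entries are chained onto that stale pointer, and when rmtab is empty
 * (the umount case) the freed list itself is handed back to the caller. */
struct mountlist *mountlist_list_buggy(struct mlcache *c, const char *rmtab, long mtime)
{
    if (mtime != c->last_mtime) {
        mountlist_freeall(c->head);
        /* missing here: c->head = NULL; */
        c->last_mtime = mtime;
        c->head = parse_rmtab(rmtab, c->head); /* reuses the dangling head */
    }
    return c->head;
}

/* With the patch's one-line fix: clear the head before rebuilding. */
struct mountlist *mountlist_list_fixed(struct mlcache *c, const char *rmtab, long mtime)
{
    if (mtime != c->last_mtime) {
        mountlist_freeall(c->head);
        c->head = NULL;                        /* the fix: no dangling head */
        c->last_mtime = mtime;
        c->head = parse_rmtab(rmtab, c->head);
    }
    return c->head;
}

/* Walk the list the way a dump would; on the buggy path this is the
 * read of freed memory that showmount -a triggered on the server. */
size_t mountlist_count(const struct mountlist *m)
{
    size_t n = 0;
    for (; m != NULL; m = m->ml_next)
        n++;
    return n;
}
```

Replaying the report's sequence against `mountlist_list_fixed` (one entry with mtime 1, then an empty rmtab with mtime 2) yields a one-node list and then a NULL head. The same two calls against `mountlist_list_buggy`, followed by `mountlist_count` on the result, are a heap-use-after-free; compiling with `-fsanitize=address` makes the sanitizer report it at the walk, which is the quickest way to confirm the class of bug when only a libc fault address is available.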
Comment 4 Steve Dickson 2011-08-11 22:01:30 UTC

*** This bug has been marked as a duplicate of bug 723438 ***