Bug 139993 - nfsd simultaneous restarts causes memory corruption
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: kernel
Version: 3.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Steve Dickson
QA Contact: Brian Brock
Reported: 2004-11-19 01:17 EST by Need Real Name
Modified: 2007-11-30 17:07 EST
Doc Type: Bug Fix
Last Closed: 2007-10-19 15:13:48 EDT

Attachments
Proposed patch (1.17 KB, patch) - 2004-11-19 01:20 EST, Need Real Name

Description Need Real Name 2004-11-19 01:17:03 EST
Description of problem:
The global variable nfsd_serv is not protected in the routines
nfsd_svc() and nfsd(). If simultaneous processes are executing in
these routines, the allocated memory associated with this variable can
be accessed after it is freed and memory corruption can result.

Version-Release number of selected component (if applicable):
2.4.21-4.EL

How reproducible:
Running competing 'service nfs restart' routines will result in some
Oops or panic within an hour or so.

Steps to Reproduce:
1. Run several competing 'service nfs restart' routines

Actual results:
Various Oops and panics

Expected results:
No Oops or panics.

Additional info:
Will attach suggested patch
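The race the report describes, modelled in user space as an added example (this is not kernel code and not the attached patch, which is not reproduced on this page; every name below, such as svc, serv, svc_create_model and nfsd_svc_unlocked, is the example's own). A single global pointer owns a service object that the first rpc.nfsd caller creates and the last stop tears down. In the unprotected variant the load of the global and the use of the loaded pointer are two separate steps, so a second caller can slip between them: process A's stop frees the object and clears the global while process B still holds the old value. The protected variant makes read-check-modify one critical section, so the other caller can run before or after it but never inside it. A preempt hook stands in for "the other CPU runs now" so the interleaving is deterministic; freed objects are poisoned and parked rather than returned to the allocator so the stale access can be observed instead of crashing the demo.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy model of the nfsd_serv pattern; all names are this example's own. */
struct svc {
    int  nrthreads;
    bool freed;        /* poison marker: lets a stale access be detected */
};

static struct svc *serv;                                   /* the global */
static pthread_mutex_t serv_lock = PTHREAD_MUTEX_INITIALIZER;
static struct svc *graveyard[16];   /* "freed" objects kept readable */
static int ngraveyard;

static struct svc *svc_create_model(void)
{
    return calloc(1, sizeof(struct svc));
}

/* Stand-in for free(): poison and park the object instead of releasing it. */
static void svc_destroy_model(struct svc *s)
{
    s->freed = true;
    if (ngraveyard < 16)
        graveyard[ngraveyard++] = s;
}

/* Represents "another process / CPU runs at this point". */
typedef void (*preempt_fn)(void);

/* Unprotected: the read of `serv` and its use are separable steps. */
static int nfsd_svc_unlocked(int nrservs, preempt_fn preempt)
{
    struct svc *s = serv;              /* step 1: read the global */
    if (preempt)
        preempt();                     /* the competing rpc.nfsd runs here */
    if (s && s->freed)                 /* step 2: use the pointer */
        return -1;                     /* stale: the kernel would oops here */
    if (nrservs > 0) {
        if (!s) { s = svc_create_model(); serv = s; }
        s->nrthreads += nrservs;
    } else if (s) {
        s->nrthreads = 0;
        svc_destroy_model(s);
        serv = NULL;
    }
    return 0;
}

/* Protected: read-check-modify of `serv` is one critical section. The
 * competitor can still run, but only outside the lock. */
static int nfsd_svc_locked(int nrservs, preempt_fn preempt)
{
    if (preempt)
        preempt();
    pthread_mutex_lock(&serv_lock);
    struct svc *s = serv;
    int rc = 0;
    if (s && s->freed) {
        rc = -1;                       /* unreachable under the lock */
    } else if (nrservs > 0) {
        if (!s) { s = svc_create_model(); serv = s; }
        s->nrthreads += nrservs;
    } else if (s) {
        s->nrthreads = 0;
        svc_destroy_model(s);
        serv = NULL;
    }
    pthread_mutex_unlock(&serv_lock);
    return rc;
}

/* Process A finishing the stop half of its 'service nfs restart'. */
static void process_a_stop_unlocked(void) { nfsd_svc_unlocked(0, NULL); }
static void process_a_stop_locked(void)   { nfsd_svc_locked(0, NULL); }

static void reset_model(void)
{
    for (int i = 0; i < ngraveyard; i++)
        free(graveyard[i]);
    ngraveyard = 0;
    free(serv);                        /* never also in the graveyard */
    serv = NULL;
}

/* nfsd is running with 8 threads; B starts 8 more while A stops.
 * Returns 0 on a clean start, -1 if B used the pointer after A freed it. */
int run_restart_race(bool locked)
{
    reset_model();
    if (locked) {
        nfsd_svc_locked(8, NULL);
        return nfsd_svc_locked(8, process_a_stop_locked);
    }
    nfsd_svc_unlocked(8, NULL);
    return nfsd_svc_unlocked(8, process_a_stop_unlocked);
}

int threads_after_race(void) { return serv ? serv->nrthreads : 0; }

int main(void)
{
    printf("unlocked: rc=%d (-1 = stale pointer used after free)\n",
           run_restart_race(false));
    printf("locked:   rc=%d, threads=%d\n",
           run_restart_race(true), threads_after_race());
    return 0;
}
```

The unlocked run returns -1 because B's copy of the global outlives the object it points to; the locked run returns 0 and ends with a freshly created service carrying B's 8 threads, because A's teardown either completes before B's critical section or waits for it.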
Comment 1 Need Real Name 2004-11-19 01:20:58 EST
Created attachment 107034
Proposed patch
Comment 2 Need Real Name 2004-11-19 12:57:05 EST
Example panic caused by this bug on kernel 2.4.21-20.EL:

Unable to handle kernel NULL pointer dereference at virtual address 00000018
 printing eip:
c89ce0bd
*pde = 07012067
*pte = 00000000
Oops: 0000
nfs nfsd lockd sunrpc lp parport autofs4 audit e100 floppy sg microcode ext3 jbd lpfc sd_mod scsi_mod
CPU:    0
EIP:    0060:[<c89ce0bd>]    Not tainted
EFLAGS: 00010293

EIP is at nfsd_svc [nfsd] 0x5d (2.4.21-20.EL/i686)
eax: 00000008   ebx: 00000008   ecx: 00000246   edx: 00000000
esi: 00000000   edi: 00000801   ebp: 00000000   esp: c402bebc
ds: 0068   es: 0068   ss: 0068
Process rpc.nfsd (pid: 32299, stackpage=c402b000)
Stack: c89e2050 00000006 00000801 bfffb710 ffffffea 0000000c c89ce93c 00000801
       00000008 0000000c c01601e5 c74df500 fffffffe 00000000 00000000 c4c8a000
       00000001 00000001 00000000 c004c380 fffffffe c3c8600d 00000007 376450f3
Call Trace:   [<c89e2050>] nfssvc_boot [nfsd] 0x0 (0xc402bebc)
[<c89ce93c>] handle_sys_nfsservctl [nfsd] 0x18c (0xc402bed4)
[<c01601e5>] path_release [kernel] 0x15 (0xc402bee4)
[<c0160d69>] path_lookup [kernel] 0x39 (0xc402bf30)
[<c01611de>] open_namei [kernel] 0x7e (0xc402bf40)
[<c0152a13>] filp_open [kernel] 0x43 (0xc402bf70)
[<c016df5e>] sys_nfsservctl [kernel] 0x5e (0xc402bfac)

Code: 8b 4a 18 29 c8 8d 58 01 85 db 7e 2a 8d b4 26 00 00 00 00 89

Kernel panic: Fatal exception
Comment 3 Steve Dickson 2005-01-06 19:31:40 EST
Just wondering, are you starting multiple  rpc.nfsd daemons?
Comment 4 Need Real Name 2005-01-06 19:36:02 EST
Not intentionally, except to reproduce this bug.
Comment 5 Need Real Name 2005-01-06 19:39:12 EST
Somehow, bugzilla removed the QA contact with my last comment, so I'm
restoring...
Comment 6 RHEL Product and Program Management 2007-10-19 15:13:48 EDT
This bug is filed against RHEL 3, which is in maintenance phase.
During the maintenance phase, only security errata and select mission
critical bug fixes will be released for enterprise products. Since
this bug does not meet those criteria, it is now being closed.

For more information on the RHEL errata support policy, please visit:
http://www.redhat.com/security/updates/errata/

If you feel this bug is indeed mission critical, please contact your
support representative. You may be asked to provide detailed
information on how this bug is affecting you.
