Description of problem:
The global variable nfsd_serv is not protected in the routines nfsd_svc() and nfsd(). If simultaneous processes are executing in these routines, the allocated memory associated with this variable can be accessed after it is freed and memory corruption can result.

Version-Release number of selected component (if applicable):
2.4.21-4.EL

How reproducible:
Running competing 'service nfs restart' routines will result in some Oops or panic within an hour or so.

Steps to Reproduce:
1. Run several competing 'service nfs restart' routines
2.
3.

Actual results:
Various Oops and panics

Expected results:
No Oops or panics.

Additional info:
Will attach suggested patch
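The race the report describes, as an added userspace model (this is not the reporter's patch, attachment 107034, nor the RHEL kernel code): part 1 walks one nfsd() thread and two rpc.nfsd calls through a bare global the way the bug does, part 2 repeats the same steps with the usual remedy, a lock around the global plus a per-user reference count. The struct fields, the "n == 0 means stop" convention for nfsd_svc(), the one-bit lock stand-in and the poison-instead-of-free() trick are assumptions made so the interleaving is deterministic and the use-after-free is observable rather than undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>

#define SVC_MAGIC 0x53564321u   /* carried by a live object */
#define SVC_DEAD  0xdeadbeefu   /* written on destroy; objects are poisoned, never free()d,
                                   so a stale read is observable instead of undefined */
struct svc_serv {               /* stand-in for the 2.4 svc_serv; fields are illustrative */
    unsigned magic;
    int refcnt, nrthreads;
};

static struct svc_serv *svc_create(void)
{
    struct svc_serv *s = calloc(1, sizeof *s);
    if (!s) abort();
    s->magic = SVC_MAGIC; s->refcnt = 1;   /* refcnt 1: the global pointer's own reference */
    return s;
}
static void svc_destroy(struct svc_serv *s) { s->magic = SVC_DEAD; }

/* ---- 1. the unprotected pattern the report describes ----------------- */
static struct svc_serv *nfsd_serv;          /* bare global: no lock, no refcount */

/* nfsd_svc(n): n == 0 stops the server, n > 0 starts it with n threads (assumed). */
static void nfsd_svc_unsafe(int nthreads)
{
    if (nthreads == 0) {
        if (nfsd_serv) { svc_destroy(nfsd_serv); nfsd_serv = NULL; }
        return;
    }
    if (!nfsd_serv) nfsd_serv = svc_create();
    nfsd_serv->nrthreads = nthreads;
}

/* One nfsd() thread (A) interleaved with two rpc.nfsd calls (B), i.e. a
 * 'service nfs restart' against a running server.  Returns 1 when A ends
 * up touching a destroyed object, which is the Oops in the report. */
int race_unsafe(void)
{
    nfsd_svc_unsafe(8);                      /* server running */
    struct svc_serv *serv = nfsd_serv;       /* A: reads the global, keeps the pointer */
    nfsd_svc_unsafe(0);                      /* B: stop  -> destroys what A holds */
    nfsd_svc_unsafe(8);                      /* B: start -> brand-new object */
    int uaf = (serv->magic != SVC_MAGIC);    /* A: carries on with the stale pointer */
    nfsd_svc_unsafe(0);
    return uaf;
}

/* ---- 2. the same operations behind a lock and a reference count ------ */
/* One-bit stand-in for a kernel lock: it only checks that this
 * single-threaded walk-through never re-enters a held lock. */
static int nfsd_mutex_held;
static void nfsd_lock(void)   { if (nfsd_mutex_held) abort(); nfsd_mutex_held = 1; }
static void nfsd_unlock(void) { nfsd_mutex_held = 0; }

static struct svc_serv *nfsd_serv_safe;

static struct svc_serv *svc_get(struct svc_serv *s) { s->refcnt++; return s; }
static void svc_put(struct svc_serv *s)  /* atomic_dec_and_test() in a real kernel */
{
    if (--s->refcnt == 0) svc_destroy(s);
}

static void nfsd_svc_safe(int nthreads)
{
    nfsd_lock();
    if (nthreads == 0) {
        struct svc_serv *old = nfsd_serv_safe;   /* unlink under the lock ... */
        nfsd_serv_safe = NULL;
        nfsd_unlock();
        if (old) svc_put(old);                   /* ... then drop only the global's ref */
        return;
    }
    if (!nfsd_serv_safe) nfsd_serv_safe = svc_create();
    nfsd_serv_safe->nrthreads = nthreads;
    nfsd_unlock();
}

/* What an nfsd() thread does on entry: pin its own reference under the lock. */
static struct svc_serv *nfsd_attach_safe(void)
{
    nfsd_lock();
    struct svc_serv *s = nfsd_serv_safe ? svc_get(nfsd_serv_safe) : NULL;
    nfsd_unlock();
    return s;
}

/* Same interleaving as race_unsafe().  Returns 1 when A never sees a
 * destroyed object and the old object goes away once A drops its ref. */
int race_safe(void)
{
    nfsd_svc_safe(8);
    struct svc_serv *serv = nfsd_attach_safe();  /* A: refcnt == 2 */
    nfsd_svc_safe(0);                            /* B: stop, refcnt -> 1, still live */
    nfsd_svc_safe(8);                            /* B: start, new object for new threads */
    int ok = (serv->magic == SVC_MAGIC);         /* A: its object is intact */
    svc_put(serv);                               /* A: done, last ref -> destroy */
    ok = ok && (serv->magic == SVC_DEAD);        /* poisoned now, not earlier */
    nfsd_svc_safe(0);
    return ok;
}

int main(void)
{
    printf("unprotected global: use-after-free reproduced = %d\n", race_unsafe());
    printf("lock + refcount:    race avoided = %d\n", race_safe());
    return 0;
}
```

The point of part 2 is the split in nfsd_svc_safe(): the global is unlinked under the lock, but the object is only destroyed when the last reference, which may belong to a still-running nfsd() thread, is dropped. Reading the global without the lock, or freeing it on stop regardless of who still holds it, is exactly what lets the stale pointer in part 1 survive the restart.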
Created attachment 107034 [details] Proposed patch
Example panic caused by this bug on kernel 2.4.21-20.EL:

Unable to handle kernel NULL pointer dereference at virtual address 00000018
 printing eip:
c89ce0bd
*pde = 07012067
*pte = 00000000
Oops: 0000
nfs nfsd lockd sunrpc lp parport autofs4 audit e100 floppy sg microcode ext3 jbd lpfc sd_mod scsi_mod
CPU:    0
EIP:    0060:[<c89ce0bd>]    Not tainted
EFLAGS: 00010293

EIP is at nfsd_svc [nfsd] 0x5d (2.4.21-20.EL/i686)
eax: 00000008   ebx: 00000008   ecx: 00000246   edx: 00000000
esi: 00000000   edi: 00000801   ebp: 00000000   esp: c402bebc
ds: 0068   es: 0068   ss: 0068
Process rpc.nfsd (pid: 32299, stackpage=c402b000)
Stack: c89e2050 00000006 00000801 bfffb710 ffffffea 0000000c c89ce93c 00000801
       00000008 0000000c c01601e5 c74df500 fffffffe 00000000 00000000 c4c8a000
       00000001 00000001 00000000 c004c380 fffffffe c3c8600d 00000007 376450f3
Call Trace:   [<c89e2050>] nfssvc_boot [nfsd] 0x0 (0xc402bebc)
[<c89ce93c>] handle_sys_nfsservctl [nfsd] 0x18c (0xc402bed4)
[<c01601e5>] path_release [kernel] 0x15 (0xc402bee4)
[<c0160d69>] path_lookup [kernel] 0x39 (0xc402bf30)
[<c01611de>] open_namei [kernel] 0x7e (0xc402bf40)
[<c0152a13>] filp_open [kernel] 0x43 (0xc402bf70)
[<c016df5e>] sys_nfsservctl [kernel] 0x5e (0xc402bfac)

Code: 8b 4a 18 29 c8 8d 58 01 85 db 7e 2a 8d b4 26 00 00 00 00 89
Kernel panic: Fatal exception
Just wondering, are you starting multiple rpc.nfsd daemons?
Not intentionally, except to reproduce this bug.
Somehow, bugzilla removed the QA contact with my last comment, so I'm restoring...
This bug is filed against RHEL 3, which is in maintenance phase. During the maintenance phase, only security errata and select mission critical bug fixes will be released for enterprise products. Since this bug does not meet those criteria, it is now being closed. For more information on the RHEL errata support policy, please visit: http://www.redhat.com/security/updates/errata/ If you feel this bug is indeed mission critical, please contact your support representative. You may be asked to provide detailed information on how this bug is affecting you.