Red Hat Bugzilla – Bug 139993
nfsd simultaneous restarts causes memory corruption
Last modified: 2007-11-30 17:07:05 EST
Description of problem:
The global variable nfsd_serv is not protected in the routines
nfsd_svc() and nfsd(). If simultaneous processes are executing in
these routines, the allocated memory associated with this variable can
be accessed after it is freed and memory corruption can result.
Version-Release number of selected component (if applicable):
Running competing 'service nfs restart' routines will result in some
Oops or panic within an hour or so.
Steps to Reproduce:
1.Run several competing 'service nfs restart' routines
Various Oops and panics
No Oops or panics.
Will attach suggested patch
Created attachment 107034 [details]
Example panic caused by this bug on kernel 2.4.21-20.EL:
Unable to handle kernel NULL pointer dereference at virtual address
*pde = 07012067
*pte = 00000000
nfs nfsd lockd sunrpc lp parport autofs4 audit e100 floppy sg
microcode ext3 jbd lpfc sd_mod scsi_mod
EIP: 0060:[<c89ce0bd>] Not tainted
EIP is at nfsd_svc [nfsd] 0x5d (2.4.21-20.EL/i686)
eax: 00000008 ebx: 00000008 ecx: 00000246 edx: 00000000
esi: 00000000 edi: 00000801 ebp: 00000000 esp: c402bebc
ds: 0068 es: 0068 ss: 0068
Process rpc.nfsd (pid: 32299, stackpage=c402b000)
Stack: c89e2050 00000006 00000801 bfffb710 ffffffea 0000000c c89ce93c
00000008 0000000c c01601e5 c74df500 fffffffe 00000000 00000000
00000001 00000001 00000000 c004c380 fffffffe c3c8600d 00000007
Call Trace: [<c89e2050>] nfssvc_boot [nfsd] 0x0 (0xc402bebc)
[<c89ce93c>] handle_sys_nfsservctl [nfsd] 0x18c (0xc402bed4)
[<c01601e5>] path_release [kernel] 0x15 (0xc402bee4)
[<c0160d69>] path_lookup [kernel] 0x39 (0xc402bf30)
[<c01611de>] open_namei [kernel] 0x7e (0xc402bf40)
[<c0152a13>] filp_open [kernel] 0x43 (0xc402bf70)
[<c016df5e>] sys_nfsservctl [kernel] 0x5e (0xc402bfac)
Code: 8b 4a 18 29 c8 8d 58 01 85 db 7e 2a 8d b4 26 00 00 00 00 89
Kernel panic: Fatal exception
Just wondering, are you starting multiple rpc.nfsd daemons?
Not intentionally, except to reproduce this bug.
Somehow, bugzilla removed the QA contact with my last comment, so I'm
This bug is filed against RHEL 3, which is in maintenance phase.
During the maintenance phase, only security errata and select mission
critical bug fixes will be released for enterprise products. Since
this bug does not meet that criteria, it is now being closed.
For more information of the RHEL errata support policy, please visit:
If you feel this bug is indeed mission critical, please contact your
support representative. You may be asked to provide detailed
information on how this bug is affecting you.