Bug 139993 - nfsd simultaneous restarts causes memory corruption
Summary: nfsd simultaneous restarts causes memory corruption
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: kernel
Version: 3.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Steve Dickson
QA Contact: Brian Brock
Depends On:
Reported: 2004-11-19 06:17 UTC by Need Real Name
Modified: 2007-11-30 22:07 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-10-19 19:13:48 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments
Proposed patch (1.17 KB, patch)
2004-11-19 06:20 UTC, Need Real Name

Description Need Real Name 2004-11-19 06:17:03 UTC
Description of problem:
The global variable nfsd_serv is not protected in the routines
nfsd_svc() and nfsd(). If simultaneous processes are executing in
these routines, the allocated memory associated with this variable can
be accessed after it is freed and memory corruption can result.

Version-Release number of selected component (if applicable):

How reproducible:
Running competing 'service nfs restart' routines will result in some
Oops or panic within an hour or so.

Steps to Reproduce:
1. Run several competing 'service nfs restart' routines

Actual results:
Various Oops and panics

Expected results:
No Oops or panics.

Additional info:
Will attach suggested patch
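To make the hazard in the description concrete, here is an added user-space model of the two racing paths (constructed for this page; it is neither the kernel's nfssvc.c nor the attached patch): a start path that dereferences the global nfsd_serv, as nfsd_svc() does, and a worker-exit path that frees it and clears the global, as the last nfsd() thread does. Every access is put under one dedicated mutex, the discipline later mainline kernels adopted as nfsd_mutex; the comments mark the window in which an unprotected version touches freed memory. All function names except nfsd_serv are assumptions.

```c
#include <pthread.h>
#include <stdlib.h>

/* Constructed model of the nfsd_serv lifetime; not kernel code. */
struct svc_serv { int sv_nrthreads; };

static struct svc_serv *nfsd_serv;   /* the global the report is about */
/* One lock for every read and write of nfsd_serv. The unfixed code has no
 * such lock, so a caller can read the pointer, lose the CPU, and then use
 * memory that an exiting worker has meanwhile freed. */
static pthread_mutex_t nfsd_mutex = PTHREAD_MUTEX_INITIALIZER;

/* Start path (cf. nfsd_svc): create the server if absent and account for
 * one more worker. Returns 0, or -1 if allocation fails. */
int nfsd_svc_start(void)
{
    int rc = 0;
    pthread_mutex_lock(&nfsd_mutex);
    if (!nfsd_serv) {
        nfsd_serv = calloc(1, sizeof *nfsd_serv);
        if (!nfsd_serv) rc = -1;
    }
    if (!rc)
        nfsd_serv->sv_nrthreads++;   /* racy window if unlocked: UAF here */
    pthread_mutex_unlock(&nfsd_mutex);
    return rc;
}

/* Exit path (cf. tail of nfsd): the last worker frees the server and
 * clears the global. Returns 1 if this call freed it, else 0. */
int nfsd_worker_exit(void)
{
    int freed = 0;
    pthread_mutex_lock(&nfsd_mutex);
    if (nfsd_serv && --nfsd_serv->sv_nrthreads == 0) {
        free(nfsd_serv);
        nfsd_serv = NULL;            /* cleared before the lock is dropped */
        freed = 1;
    }
    pthread_mutex_unlock(&nfsd_mutex);
    return freed;
}

/* One "service nfs restart" loop: bring a worker up, take it down. */
static void *restart_loop(void *arg)
{
    for (int i = 0, rounds = *(int *)arg; i < rounds; i++)
        if (nfsd_svc_start() == 0) nfsd_worker_exit();
    return NULL;
}

/* Run `callers` competing restart loops (at most 64); returns 0 when the
 * server ends cleanly torn down, the invariant the unlocked code breaks. */
int competing_restarts(int callers, int rounds)
{
    pthread_t tid[64];
    if (callers > 64) callers = 64;
    for (int i = 0; i < callers; i++)
        pthread_create(&tid[i], NULL, restart_loop, &rounds);
    for (int i = 0; i < callers; i++)
        pthread_join(tid[i], NULL);
    return nfsd_serv == NULL ? 0 : -1;
}
```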

Comment 1 Need Real Name 2004-11-19 06:20:58 UTC
Created attachment 107034
Proposed patch

Comment 2 Need Real Name 2004-11-19 17:57:05 UTC
Example panic caused by this bug on kernel 2.4.21-20.EL:

Unable to handle kernel NULL pointer dereference at virtual address
 printing eip:
*pde = 07012067
*pte = 00000000
Oops: 0000
nfs nfsd lockd sunrpc lp parport autofs4 audit e100 floppy sg
microcode ext3 jbd lpfc sd_mod scsi_mod  
CPU:    0
EIP:    0060:[<c89ce0bd>]    Not tainted
EFLAGS: 00010293

EIP is at nfsd_svc [nfsd] 0x5d (2.4.21-20.EL/i686)
eax: 00000008   ebx: 00000008   ecx: 00000246   edx: 00000000
esi: 00000000   edi: 00000801   ebp: 00000000   esp: c402bebc
ds: 0068   es: 0068   ss: 0068
Process rpc.nfsd (pid: 32299, stackpage=c402b000)
Stack: c89e2050 00000006 00000801 bfffb710 ffffffea 0000000c c89ce93c
       00000008 0000000c c01601e5 c74df500 fffffffe 00000000 00000000
       00000001 00000001 00000000 c004c380 fffffffe c3c8600d 00000007
Call Trace:   [<c89e2050>] nfssvc_boot [nfsd] 0x0 (0xc402bebc)
[<c89ce93c>] handle_sys_nfsservctl [nfsd] 0x18c (0xc402bed4)
[<c01601e5>] path_release [kernel] 0x15 (0xc402bee4)
[<c0160d69>] path_lookup [kernel] 0x39 (0xc402bf30)
[<c01611de>] open_namei [kernel] 0x7e (0xc402bf40)
[<c0152a13>] filp_open [kernel] 0x43 (0xc402bf70)
[<c016df5e>] sys_nfsservctl [kernel] 0x5e (0xc402bfac)

Code: 8b 4a 18 29 c8 8d 58 01 85 db 7e 2a 8d b4 26 00 00 00 00 89

Kernel panic: Fatal exception

Comment 3 Steve Dickson 2005-01-07 00:31:40 UTC
Just wondering, are you starting multiple  rpc.nfsd daemons?

Comment 4 Need Real Name 2005-01-07 00:36:02 UTC
Not intentionally, except to reproduce this bug.

Comment 5 Need Real Name 2005-01-07 00:39:12 UTC
Somehow, bugzilla removed the QA contact with my last comment, so I'm

Comment 6 RHEL Product and Program Management 2007-10-19 19:13:48 UTC
This bug is filed against RHEL 3, which is in maintenance phase.
During the maintenance phase, only security errata and select mission
critical bug fixes will be released for enterprise products. Since
this bug does not meet that criteria, it is now being closed.
For more information on the RHEL errata support policy, please visit:
If you feel this bug is indeed mission critical, please contact your
support representative. You may be asked to provide detailed
information on how this bug is affecting you.
