Report from Matthias Andree:

kernel: Unable to handle kernel NULL pointer dereference at virtual address 0000000c
kernel: printing eip:
kernel: c01abbb0
kernel: *pde = 00000000
kernel: Oops: 0000 [#1]
kernel: Modules linked in: softdog autofs4 nfsd exportfs thermal processor fan button battery ac w83627hf i2c_sensor i2c_isa i2c_viapro i2c_core usbserial ipt_REDIRECT ipt_multiport parport_pc ipt_recent lp ipt_REJECT ipt_LOG ipt_limit ipt_state parport iptable_filter iptable_mangle 8021q ipv6 joydev sg st sr_mod ide_cd cdrom tun ip_nat_ftp iptable_nat ip_tables ip_conntrack_ftp ip_conntrack via_agp agpgart ehci_hcd uhci_hcd ext3 jbd evdev sd_mod scsi_mod via_rhine mii 3c59x usbcore xfs
kernel: CPU: 0
kernel: EIP: 0060:[<c01abbb0>] Not tainted VLI
kernel: EFLAGS: 00010246 (2.6.8-24.23-default SL92_BRANCH-20060608133134)
kernel: EIP is at nlmclnt_mark_reclaim+0x50/0x70
kernel: eax: 00000000 ebx: d61298b4 ecx: d61298b8 edx: d6129b20
kernel: esi: de59abe0 edi: 0000000a ebp: c03710f4 esp: d59dbf5c
kernel: ds: 007b es: 007b ss: 0068
kernel: Process lockd (pid: 5029, threadinfo=d59da000 task=dcf24aa0)
kernel: Stack: de59abe0 000000af c01abc40 de59abe0 d59dbf8c c01ad499 000000af dfeba800
kernel: c0371a78 c01b26a0 dfebaa00 c01b25f4 cb030002 2aa3d981 00000000 00000000
kernel: dfebaa40 c02f2781 d5201014 00000001 00000001 dfebaa64 dfebaa40 c0371348
kernel: Call Trace:
kernel: [<c01abc40>] nlmclnt_recovery+0x70/0xc0
kernel: [<c01ad499>] nlm_host_rebooted+0x109/0x110
kernel: [<c01b26a0>] nsmsvc_decode_stat_chge+0x0/0x80
kernel: [<c01b25f4>] nsmsvc_proc_notify+0x34/0x50
kernel: [<c02f2781>] svc_process+0x531/0x820
kernel: [<c01ad949>] lockd+0x119/0x230
kernel: [<c01ad830>] lockd+0x0/0x230
kernel: [<c0104255>] kernel_thread_helper+0x5/0x10
kernel: Code: c2 0f 18 00 90 81 f9 6c ce 36 c0 74 34 8d 59 fc 8b 43 24 8b 40 08 8b 40 08 8b 80 94 00 00 00 81 78 38 69 69 00 00 75 d3 8b 43 54 <39> 70 0c 75 cb 8b 43 50 a8 01 74 c4 83 c8 02 89 43 50 8b 11 eb

The oops is from a SuSE 9.2 kernel, but a Red Hat kernel should also be vulnerable to this issue. While this is a simple NULL pointer dereference, it seems to deadlock the NFS lockd and so allows a denial of service attack.
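As an added triage helper (not part of the bug report and not Red Hat's fix), the script below parses an i386 oops of the shape shown above into the faulting address, the symbol at EIP, the process and the call trace, and flags the two things a responder wants to know first: a fault at a small virtual address is a member access through a NULL struct pointer, and a trace rooted in kernel_thread_helper means a kernel thread (here lockd) died, so the service hangs instead of a user process being killed. The sample is an excerpt of the report above.

```python
import re

# Excerpt of the oops from the report above, one "kernel:" record per line.
OOPS = """\
kernel: Unable to handle kernel NULL pointer dereference at virtual address 0000000c
kernel: EIP: 0060:[<c01abbb0>] Not tainted VLI
kernel: EFLAGS: 00010246 (2.6.8-24.23-default SL92_BRANCH-20060608133134)
kernel: EIP is at nlmclnt_mark_reclaim+0x50/0x70
kernel: Process lockd (pid: 5029, threadinfo=d59da000 task=dcf24aa0)
kernel: Call Trace:
kernel: [<c01abc40>] nlmclnt_recovery+0x70/0xc0
kernel: [<c01ad499>] nlm_host_rebooted+0x109/0x110
kernel: [<c01b26a0>] nsmsvc_decode_stat_chge+0x0/0x80
kernel: [<c01b25f4>] nsmsvc_proc_notify+0x34/0x50
kernel: [<c02f2781>] svc_process+0x531/0x820
kernel: [<c01ad949>] lockd+0x119/0x230
kernel: [<c01ad830>] lockd+0x0/0x230
kernel: [<c0104255>] kernel_thread_helper+0x5/0x10
"""

# A call-trace frame: "[<addr>] symbol+0xoff/0xsize"
FRAME = re.compile(r"\[<([0-9a-f]+)>\]\s+(\S+?)\+0x([0-9a-f]+)/0x[0-9a-f]+")

def parse_oops(text):
    """Return the fields of an oops dump as a dict; unknown fields stay None."""
    info = {"fault_addr": None, "eip_symbol": None, "eip_offset": None,
            "kernel": None, "process": None, "pid": None, "trace": []}
    in_trace = False
    for raw in text.splitlines():
        line = raw.split("kernel:", 1)[1].strip() if "kernel:" in raw else raw.strip()
        if m := re.search(r"dereference at virtual address ([0-9a-f]+)", line):
            info["fault_addr"] = int(m.group(1), 16)
        if m := re.search(r"EFLAGS: \S+ \(([^)]+)\)", line):
            info["kernel"] = m.group(1)          # kernel release the oops came from
        if m := re.match(r"EIP is at (\S+?)\+0x([0-9a-f]+)/0x[0-9a-f]+", line):
            info["eip_symbol"], info["eip_offset"] = m.group(1), int(m.group(2), 16)
        if m := re.match(r"Process (\S+) \(pid: (\d+)", line):
            info["process"], info["pid"] = m.group(1), int(m.group(2))
        if line.startswith("Call Trace:"):
            in_trace = True
            continue
        if in_trace and (m := FRAME.match(line)):
            info["trace"].append(m.group(2))
    return info

def triage(info):
    """Derive the first-pass findings a responder records for this oops."""
    notes = []
    if info["fault_addr"] is not None and info["fault_addr"] < 0x1000:
        notes.append("null-deref: member at offset 0x%x read through a NULL pointer in %s"
                     % (info["fault_addr"], info["eip_symbol"]))
    if "kernel_thread_helper" in info["trace"]:
        notes.append("kernel thread %s (pid %d) died: expect a hung service, not a killed process"
                     % (info["process"], info["pid"]))
    return notes
```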
*** This bug has been marked as a duplicate of 210128 ***
My mistake, didn't realize this was on z-stream proposed. Might have been better to clone the other BZ that contains the patch.
committed in stream rhel-4.5.z build 55.0.1
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2007-0488.html