Bug 723438 - rpc.mountd can segfault with showmount - REFERENCE TO PATCH THAT FIXES THIS
Summary: rpc.mountd can segfault with showmount - REFERENCE TO PATCH THAT FIXES THIS
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: nfs-utils
Version: 6.1
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Steve Dickson
QA Contact: yanfu,wang
URL:
Whiteboard:
: 730000 (view as bug list)
Depends On:
Blocks: 1020655
 
Reported: 2011-07-20 07:15 UTC by Steven Capper
Modified: 2018-11-28 19:39 UTC (History)

Fixed In Version: nfs-utils-1.2.3-8.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1020655 (view as bug list)
Environment:
Last Closed: 2011-12-06 18:54:00 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Legacy) 60829 0 None None None Never
Red Hat Product Errata RHSA-2011:1534 0 normal SHIPPED_LIVE Low: nfs-utils security, bug fix, and enhancement update 2011-12-06 01:01:48 UTC

Description Steven Capper 2011-07-20 07:15:26 UTC
Description of problem:

There is a problem with rpc.mountd such that if the /var/lib/nfs/rmtab file changes (i.e. more client machines have mounted an NFS share) and showmount is run both before and after the change, rpc.mountd will consequently segfault.

Version-Release number of selected component (if applicable):
nfs-utils-1.2.3-7.el6

How reproducible:
Easily

Steps to Reproduce:
1. Ensure that there are entries listed in showmount, and execute showmount (on its own with no arguments) at least once.
2. sudo touch /var/lib/nfs/rmtab - (or get another client to mount the NFS server)
3. Run showmount again.
  
Actual results:
A segfault in rpc.mountd with a stacktrace similar to:
#0  __strlen_sse42 () at ../sysdeps/x86_64/multiarch/strlen.S:54
#1  0x00007fdc3ebfc227 in xdr_string (xdrs=0x7fdc4085f148, cpp=0x7fdc4085fe30, maxsize=255) at xdr.c:673
#2  0x00007fdc3f4617ce in xdr_name (xdrs=<value optimized out>, objp=<value optimized out>) at mount_xdr.c:83
#3  0x00007fdc3f4618d9 in xdr_mountbody (xdrs=0x7fdc4085f148, objp=0x7fdc4085fe30) at mount_xdr.c:103
#4  0x00007fdc3ebfd5f0 in xdr_reference (xdrs=0x7fdc4085f148, pp=0x7fdc4085a5a0, size=<value optimized out>, proc=<value optimized out>) at xdr_reference.c:91
#5  0x00007fdc3ebfd731 in xdr_pointer (xdrs=0x7fdc4085f148, objpp=0x7fdc4085a5a0, obj_size=24, xdr_obj=0x7fdc3f4618c0 <xdr_mountbody>) at xdr_reference.c:138
#6  0x00007fdc3f4617a5 in xdr_mountlist (xdrs=<value optimized out>, objp=<value optimized out>) at mount_xdr.c:93
#7  0x00007fdc3f46190c in xdr_mountbody (xdrs=0x7fdc4085f148, objp=0x7fdc4085a590) at mount_xdr.c:107
#8  0x00007fdc3ebfd5f0 in xdr_reference (xdrs=0x7fdc4085f148, pp=0x7fdc4085d050, size=<value optimized out>, proc=<value optimized out>) at xdr_reference.c:91
#9  0x00007fdc3ebfd731 in xdr_pointer (xdrs=0x7fdc4085f148, objpp=0x7fdc4085d050, obj_size=24, xdr_obj=0x7fdc3f4618c0 <xdr_mountbody>) at xdr_reference.c:138
#10 0x00007fdc3f4617a5 in xdr_mountlist (xdrs=<value optimized out>, objp=<value optimized out>) at mount_xdr.c:93
#11 0x00007fdc3f46190c in xdr_mountbody (xdrs=0x7fdc4085f148, objp=0x7fdc4085d040) at mount_xdr.c:107
#12 0x00007fdc3ebfd5f0 in xdr_reference (xdrs=0x7fdc4085f148, pp=0x7fdc4085e420, size=<value optimized out>, proc=<value optimized out>) at xdr_reference.c:91
#13 0x00007fdc3ebfd731 in xdr_pointer (xdrs=0x7fdc4085f148, objpp=0x7fdc4085e420, obj_size=24, xdr_obj=0x7fdc3f4618c0 <xdr_mountbody>) at xdr_reference.c:138
#14 0x00007fdc3f4617a5 in xdr_mountlist (xdrs=<value optimized out>, objp=<value optimized out>) at mount_xdr.c:93
#15 0x00007fdc3f46190c in xdr_mountbody (xdrs=0x7fdc4085f148, objp=0x7fdc4085e410) at mount_xdr.c:107
#16 0x00007fdc3ebfd5f0 in xdr_reference (xdrs=0x7fdc4085f148, pp=0x7fdc4085e480, size=<value optimized out>, proc=<value optimized out>) at xdr_reference.c:91
#17 0x00007fdc3ebfd731 in xdr_pointer (xdrs=0x7fdc4085f148, objpp=0x7fdc4085e480, obj_size=24, xdr_obj=0x7fdc3f4618c0 <xdr_mountbody>) at xdr_reference.c:138
#18 0x00007fdc3f4617a5 in xdr_mountlist (xdrs=<value optimized out>, objp=<value optimized out>) at mount_xdr.c:93
#19 0x00007fdc3f46190c in xdr_mountbody (xdrs=0x7fdc4085f148, objp=0x7fdc4085e470) at mount_xdr.c:107
#20 0x00007fdc3ebfd5f0 in xdr_reference (xdrs=0x7fdc4085f148, pp=0x7fdc4085e4c0, size=<value optimized out>, proc=<value optimized out>) at xdr_reference.c:91
#21 0x00007fdc3ebfd731 in xdr_pointer (xdrs=0x7fdc4085f148, objpp=0x7fdc4085e4c0, obj_size=24, xdr_obj=0x7fdc3f4618c0 <xdr_mountbody>) at xdr_reference.c:138
#22 0x00007fdc3f4617a5 in xdr_mountlist (xdrs=<value optimized out>, objp=<value optimized out>) at mount_xdr.c:93
#23 0x00007fdc3f46190c in xdr_mountbody (xdrs=0x7fdc4085f148, objp=0x7fdc4085e4b0) at mount_xdr.c:107
#24 0x00007fdc3ebfd5f0 in xdr_reference (xdrs=0x7fdc4085f148, pp=0x7fdc4085d970, size=<value optimized out>, proc=<value optimized out>) at xdr_reference.c:91
#25 0x00007fdc3ebfd731 in xdr_pointer (xdrs=0x7fdc4085f148, objpp=0x7fdc4085d970, obj_size=24, xdr_obj=0x7fdc3f4618c0 <xdr_mountbody>) at xdr_reference.c:138
#26 0x00007fdc3f4617a5 in xdr_mountlist (xdrs=<value optimized out>, objp=<value optimized out>) at mount_xdr.c:93
#27 0x00007fdc3f46190c in xdr_mountbody (xdrs=0x7fdc4085f148, objp=0x7fdc4085d960) at mount_xdr.c:107

...

#365 0x00007fdc3ebfd731 in xdr_pointer (xdrs=0x7fdc4085f148, objpp=0x7fdc4085f5c0, obj_size=24, xdr_obj=0x7fdc3f4618c0 <xdr_mountbody>) at xdr_reference.c:138
#366 0x00007fdc3f4617a5 in xdr_mountlist (xdrs=<value optimized out>, objp=<value optimized out>) at mount_xdr.c:93
#367 0x00007fdc3f46190c in xdr_mountbody (xdrs=0x7fdc4085f148, objp=0x7fdc4085f5b0) at mount_xdr.c:107
#368 0x00007fdc3ebfd5f0 in xdr_reference (xdrs=0x7fdc4085f148, pp=0x7fdc40862300, size=<value optimized out>, proc=<value optimized out>) at xdr_reference.c:91
#369 0x00007fdc3ebfd731 in xdr_pointer (xdrs=0x7fdc4085f148, objpp=0x7fdc40862300, obj_size=24, xdr_obj=0x7fdc3f4618c0 <xdr_mountbody>) at xdr_reference.c:138
#370 0x00007fdc3f4617a5 in xdr_mountlist (xdrs=<value optimized out>, objp=<value optimized out>) at mount_xdr.c:93
#371 0x00007fdc3f46190c in xdr_mountbody (xdrs=0x7fdc4085f148, objp=0x7fdc408622f0) at mount_xdr.c:107
#372 0x00007fdc3ebfd5f0 in xdr_reference (xdrs=0x7fdc4085f148, pp=0x7fffc46e28a0, size=<value optimized out>, proc=<value optimized out>) at xdr_reference.c:91
#373 0x00007fdc3ebfd731 in xdr_pointer (xdrs=0x7fdc4085f148, objpp=0x7fffc46e28a0, obj_size=24, xdr_obj=0x7fdc3f4618c0 <xdr_mountbody>) at xdr_reference.c:138
#374 0x00007fdc3f4617a5 in xdr_mountlist (xdrs=<value optimized out>, objp=<value optimized out>) at mount_xdr.c:93
#375 0x00007fdc3ebf9867 in svc_vc_reply (xprt=<value optimized out>, msg=<value optimized out>) at svc_vc.c:669
#376 0x00007fdc3ebf65a0 in svc_sendreply (xprt=<value optimized out>, xdr_results=<value optimized out>, xdr_location=<value optimized out>) at svc.c:405
#377 0x00007fdc3f464ad2 in rpc_dispatch (rqstp=0x7fffc46e2940, transp=0x7fdc4085a680, dtable=<value optimized out>, nvers=<value optimized out>, argp=0x7fffc46e2890, resp=0x7fffc46e28a0) at rpcdispatch.c:61
#378 0x00007fdc3f45af5c in mount_dispatch (rqstp=0x7fffc46e2940, transp=0x7fdc4085a680) at mount_dispatch.c:82
#379 0x00007fdc3ebf6301 in svc_getreq_common (fd=<value optimized out>) at svc.c:681
#380 0x00007fdc3f45e4de in my_svc_getreqset () at svc_run.c:84
#381 my_svc_run () at svc_run.c:119
#382 0x00007fdc3f459d73 in main (argc=<value optimized out>, argv=<value optimized out>) at mountd.c:893


Expected results:
The NFS client mounts to be shown.

Additional info:
A patch fixes this problem and can be found at:
http://www.spinics.net/lists/linux-nfs/msg18987.html

I have tested this in a home brew RPM and found that it fixes the issue.

Comment 1 Steven Capper 2011-07-20 07:18:05 UTC
Ah, I see that the "assigned to" matches the thread post author :-).

Comment 5 Steve Dickson 2011-08-11 22:01:30 UTC
*** Bug 730000 has been marked as a duplicate of this bug. ***

Comment 7 yanfu,wang 2011-08-29 06:42:49 UTC
Reproduced on RHEL 6.1 with the packages below:
# uname -a
Linux nec-em26.rhts.eng.bos.redhat.com 2.6.32-131.0.15.el6.x86_64 #1 SMP Tue May 10 15:42:40 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
# rpm -qa|grep nfs-utils
nfs-utils-1.2.3-7.el6.x86_64
nfs-utils-lib-1.1.5-3.el6.x86_64

client:
[root@amd-tilapia-01 ~]# mount -t nfs nec-em26.rhts.eng.bos.redhat.com:/tmp /mnt
[root@amd-tilapia-01 ~]# mount
/dev/mapper/vg_amdtilapia01-lv_root on / type ext4 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw,rootcontext="system_u:object_r:tmpfs_t:s0")
/dev/sda1 on /boot type ext4 (rw)
/dev/mapper/vg_amdtilapia01-lv_home on /home type ext4 (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
nec-em26.rhts.eng.bos.redhat.com:/tmp on /mnt type nfs (rw,addr=10.16.67.8)
[root@amd-tilapia-01 ~]# cat /var/lib/nfs/rmtab 
(check server:
[root@nec-em26 ~]# cat /var/lib/nfs/rmtab 
10.16.67.10:/tmp:0x00000001 ====> new entry added, so the /var/lib/nfs/rmtab file of server changed)
[root@amd-tilapia-01 ~]# showmount -a nec-em26.rhts.eng.bos.redhat.com
All mount points on nec-em26.rhts.eng.bos.redhat.com:
10.16.67.10:/tmp
10.16.67.8:/tmp
[root@amd-tilapia-01 ~]# umount /mnt
[root@amd-tilapia-01 ~]# showmount -a nec-em26.rhts.eng.bos.redhat.com
rpc mount dump: RPC: Unable to receive; errno = Connection reset by peer

server:
[root@nec-em26 ~]# dmesg|tail
SELinux: initialized (dev 0:14, type nfs), uses genfs_contexts
SELinux: initialized (dev 0:14, type nfs), uses genfs_contexts
nfsd: last server has exited, flushing export cache
NFSD: Using /var/lib/nfs/v4recovery as the NFSv4 state recovery directory
NFSD: starting 90-second grace period
rpc.mountd[3651]: segfault at 7fff5bcbfff8 ip 00007f34a92c26d1 sp 00007fff5bcc0000 error 6 in libc-2.12.so[7f34a9240000+187000]
nfsd: last server has exited, flushing export cache
NFSD: Using /var/lib/nfs/v4recovery as the NFSv4 state recovery directory
NFSD: starting 90-second grace period
rpc.mountd[3868]: segfault at 7f00706d7420 ip 00007fa80236386f sp 00007fff72937508 error 4 in libc-2.12.so[7fa80223d000+187000]

[root@nec-em26 ~]# /etc/init.d/nfs status
rpc.svcgssd is stopped
rpc.mountd dead but subsys locked        ====> note rpc.mountd is dead
nfsd (pid 3648 3647 3646 3645 3644 3643 3642 3641) is running...
rpc.rquotad (pid 3635) is running...

Additional info:
[root@nec-em26 ~]# cat /etc/exports 
/tmp *(rw,fsid=0,sync,all_squash,anonuid=500,anongid=500)


Verified on nfs-utils-1.2.3-8.el6 with the same test steps: showmount shows the NFS client mounts after the /var/lib/nfs/rmtab file changes, and rpc.mountd no longer segfaults.
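
Added example, not part of the original report or of nfs-utils: a small triage parser for the kernel "segfault at" lines shown in the dmesg output above. It decodes the x86 page-fault error code and computes the faulting instruction's offset inside libc. The sample input is constructed from the two rpc.mountd lines quoted above, and the one-page stack-exhaustion heuristic is an assumption of this example.

```python
import re

# Constructed sample: the two rpc.mountd fault lines from the dmesg output above.
SAMPLE_DMESG = """\
NFSD: starting 90-second grace period
rpc.mountd[3651]: segfault at 7fff5bcbfff8 ip 00007f34a92c26d1 sp 00007fff5bcc0000 error 6 in libc-2.12.so[7f34a9240000+187000]
nfsd: last server has exited, flushing export cache
rpc.mountd[3868]: segfault at 7f00706d7420 ip 00007fa80236386f sp 00007fff72937508 error 4 in libc-2.12.so[7fa80223d000+187000]
"""

# Kernel format: comm[pid]: segfault at ADDR ip IP sp SP error CODE in OBJ[BASE+SIZE]
SEGFAULT_RE = re.compile(
    r"(?P<comm>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)

def decode_error(code):
    """Decode the low three bits of the x86 page-fault error code."""
    return {
        "cause": "protection violation" if code & 1 else "page not mapped",
        "access": "write" if code & 2 else "read",
        "mode": "user" if code & 4 else "kernel",
    }

def parse_segfaults(text, comm=None):
    """Return one dict per segfault line, optionally filtered by process name."""
    events = []
    for m in SEGFAULT_RE.finditer(text):
        if comm and m["comm"] != comm:
            continue
        addr, ip, sp = (int(m[k], 16) for k in ("addr", "ip", "sp"))
        ev = {"comm": m["comm"], "pid": int(m["pid"]), "addr": addr}
        ev.update(decode_error(int(m["err"], 16)))
        if m["obj"]:
            # Offset of the faulting instruction inside the mapped object,
            # comparable across runs even though ASLR moves the base.
            ev["object"] = m["obj"]
            ev["ip_offset"] = ip - int(m["base"], 16)
        # Heuristic (assumption of this example): a write to an unmapped page
        # at most 4096 bytes below sp suggests the stack ran out.
        ev["stack_exhaustion_suspected"] = ev["access"] == "write" and 0 < sp - addr <= 4096
        events.append(ev)
    return events

if __name__ == "__main__":
    for ev in parse_segfaults(SAMPLE_DMESG, comm="rpc.mountd"):
        print(ev["pid"], ev["access"], hex(ev["ip_offset"]), ev["stack_exhaustion_suspected"])
```

On the sample, the first crash is a write 8 bytes below sp and the second is a read of an unmapped address far from the stack, so the two events would be triaged separately even though both land in libc.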

Comment 9 errata-xmlrpc 2011-12-06 18:54:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1534.html

