Bug 723438 – rpc.mountd can segfault with showmount - REFERENCE TO PATCH THAT FIXES THIS

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 723438 - rpc.mountd can segfault with showmount - REFERENCE TO PATCH THAT FIXES THIS

Summary:	rpc.mountd can segfault with showmount - REFERENCE TO PATCH THAT FIXES THIS

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	nfs-utils (Show other bugs)
Sub Component:
Version:	6.1
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	rc
Target Release:	---
Assigned To:	Steve Dickson
QA Contact:	yanfu,wang
Docs Contact:

URL:
Whiteboard:
Keywords:	Regression

Duplicates:	730000 (view as bug list)
Depends On:
Blocks:	1020655
	Show dependency tree / graph

Reported:	2011-07-20 03:15 EDT by Steven Capper
Modified:	2013-10-18 02:06 EDT (History)
CC List:	5 users (show)

See Also:
Fixed In Version:	nfs-utils-1.2.3-8.el6
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Clones:	1020655 (view as bug list)
Environment:
Last Closed:	2011-12-06 13:54:00 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Knowledge Base (Legacy)	60829	None	None	None	Never
Red Hat Product Errata	RHSA-2011:1534	normal	SHIPPED_LIVE	Low: nfs-utils security, bug fix, and enhancement update	2011-12-05 20:01:48 EST

Groups: None (edit)

Description Steven Capper 2011-07-20 03:15:26 EDT

Description of problem:

There is a problem with rpc.mountd such that if the /var/lib/nfs/rmtab file changes (i.e. more client machines have mounted an NFS share) and showmount is run both before and after the change; rpc.mountd will consequently segfault.

Version-Release number of selected component (if applicable):
nfs-utils-1.2.3-7.el6

How reproducible:
Easily

Steps to Reproduce:
1. Ensure that there are entries listed in showmount, and execute showmount (on its own with no arguments) at least once.
2. sudo touch /var/lib/nfs/rmtab - (or get another client to mount the NFS server)
3. Run showmount again.
  
Actual results:
A segfault in rpc.mountd with a stacktace similar to:
#0  __strlen_sse42 () at ../sysdeps/x86_64/multiarch/strlen.S:54
#1  0x00007fdc3ebfc227 in xdr_string (xdrs=0x7fdc4085f148, cpp=0x7fdc4085fe30, maxsize=255) at xdr.c:673
#2  0x00007fdc3f4617ce in xdr_name (xdrs=<value optimized out>, objp=<value optimized out>) at mount_xdr.c:83
#3  0x00007fdc3f4618d9 in xdr_mountbody (xdrs=0x7fdc4085f148, objp=0x7fdc4085fe30) at mount_xdr.c:103
#4  0x00007fdc3ebfd5f0 in xdr_reference (xdrs=0x7fdc4085f148, pp=0x7fdc4085a5a0, size=<value optimized out>, proc=<value optimized out>) at xdr_reference.c:91
#5  0x00007fdc3ebfd731 in xdr_pointer (xdrs=0x7fdc4085f148, objpp=0x7fdc4085a5a0, obj_size=24, xdr_obj=0x7fdc3f4618c0 <xdr_mountbody>) at xdr_reference.c:138
#6  0x00007fdc3f4617a5 in xdr_mountlist (xdrs=<value optimized out>, objp=<value optimized out>) at mount_xdr.c:93
#7  0x00007fdc3f46190c in xdr_mountbody (xdrs=0x7fdc4085f148, objp=0x7fdc4085a590) at mount_xdr.c:107
#8  0x00007fdc3ebfd5f0 in xdr_reference (xdrs=0x7fdc4085f148, pp=0x7fdc4085d050, size=<value optimized out>, proc=<value optimized out>) at xdr_reference.c:91
#9  0x00007fdc3ebfd731 in xdr_pointer (xdrs=0x7fdc4085f148, objpp=0x7fdc4085d050, obj_size=24, xdr_obj=0x7fdc3f4618c0 <xdr_mountbody>) at xdr_reference.c:138
#10 0x00007fdc3f4617a5 in xdr_mountlist (xdrs=<value optimized out>, objp=<value optimized out>) at mount_xdr.c:93
#11 0x00007fdc3f46190c in xdr_mountbody (xdrs=0x7fdc4085f148, objp=0x7fdc4085d040) at mount_xdr.c:107
#12 0x00007fdc3ebfd5f0 in xdr_reference (xdrs=0x7fdc4085f148, pp=0x7fdc4085e420, size=<value optimized out>, proc=<value optimized out>) at xdr_reference.c:91
#13 0x00007fdc3ebfd731 in xdr_pointer (xdrs=0x7fdc4085f148, objpp=0x7fdc4085e420, obj_size=24, xdr_obj=0x7fdc3f4618c0 <xdr_mountbody>) at xdr_reference.c:138
#14 0x00007fdc3f4617a5 in xdr_mountlist (xdrs=<value optimized out>, objp=<value optimized out>) at mount_xdr.c:93
#15 0x00007fdc3f46190c in xdr_mountbody (xdrs=0x7fdc4085f148, objp=0x7fdc4085e410) at mount_xdr.c:107
#16 0x00007fdc3ebfd5f0 in xdr_reference (xdrs=0x7fdc4085f148, pp=0x7fdc4085e480, size=<value optimized out>, proc=<value optimized out>) at xdr_reference.c:91
#17 0x00007fdc3ebfd731 in xdr_pointer (xdrs=0x7fdc4085f148, objpp=0x7fdc4085e480, obj_size=24, xdr_obj=0x7fdc3f4618c0 <xdr_mountbody>) at xdr_reference.c:138
#18 0x00007fdc3f4617a5 in xdr_mountlist (xdrs=<value optimized out>, objp=<value optimized out>) at mount_xdr.c:93
#19 0x00007fdc3f46190c in xdr_mountbody (xdrs=0x7fdc4085f148, objp=0x7fdc4085e470) at mount_xdr.c:107
#20 0x00007fdc3ebfd5f0 in xdr_reference (xdrs=0x7fdc4085f148, pp=0x7fdc4085e4c0, size=<value optimized out>, proc=<value optimized out>) at xdr_reference.c:91
#21 0x00007fdc3ebfd731 in xdr_pointer (xdrs=0x7fdc4085f148, objpp=0x7fdc4085e4c0, obj_size=24, xdr_obj=0x7fdc3f4618c0 <xdr_mountbody>) at xdr_reference.c:138
#22 0x00007fdc3f4617a5 in xdr_mountlist (xdrs=<value optimized out>, objp=<value optimized out>) at mount_xdr.c:93
#23 0x00007fdc3f46190c in xdr_mountbody (xdrs=0x7fdc4085f148, objp=0x7fdc4085e4b0) at mount_xdr.c:107
#24 0x00007fdc3ebfd5f0 in xdr_reference (xdrs=0x7fdc4085f148, pp=0x7fdc4085d970, size=<value optimized out>, proc=<value optimized out>) at xdr_reference.c:91
#25 0x00007fdc3ebfd731 in xdr_pointer (xdrs=0x7fdc4085f148, objpp=0x7fdc4085d970, obj_size=24, xdr_obj=0x7fdc3f4618c0 <xdr_mountbody>) at xdr_reference.c:138
#26 0x00007fdc3f4617a5 in xdr_mountlist (xdrs=<value optimized out>, objp=<value optimized out>) at mount_xdr.c:93
#27 0x00007fdc3f46190c in xdr_mountbody (xdrs=0x7fdc4085f148, objp=0x7fdc4085d960) at mount_xdr.c:107

...

#365 0x00007fdc3ebfd731 in xdr_pointer (xdrs=0x7fdc4085f148, objpp=0x7fdc4085f5c0, obj_size=24, xdr_obj=0x7fdc3f4618c0 <xdr_mountbody>) at xdr_reference.c:138
#366 0x00007fdc3f4617a5 in xdr_mountlist (xdrs=<value optimized out>, objp=<value optimized out>) at mount_xdr.c:93
#367 0x00007fdc3f46190c in xdr_mountbody (xdrs=0x7fdc4085f148, objp=0x7fdc4085f5b0) at mount_xdr.c:107
#368 0x00007fdc3ebfd5f0 in xdr_reference (xdrs=0x7fdc4085f148, pp=0x7fdc40862300, size=<value optimized out>, proc=<value optimized out>) at xdr_reference.c:91
#369 0x00007fdc3ebfd731 in xdr_pointer (xdrs=0x7fdc4085f148, objpp=0x7fdc40862300, obj_size=24, xdr_obj=0x7fdc3f4618c0 <xdr_mountbody>) at xdr_reference.c:138
#370 0x00007fdc3f4617a5 in xdr_mountlist (xdrs=<value optimized out>, objp=<value optimized out>) at mount_xdr.c:93
#371 0x00007fdc3f46190c in xdr_mountbody (xdrs=0x7fdc4085f148, objp=0x7fdc408622f0) at mount_xdr.c:107
#372 0x00007fdc3ebfd5f0 in xdr_reference (xdrs=0x7fdc4085f148, pp=0x7fffc46e28a0, size=<value optimized out>, proc=<value optimized out>) at xdr_reference.c:91
#373 0x00007fdc3ebfd731 in xdr_pointer (xdrs=0x7fdc4085f148, objpp=0x7fffc46e28a0, obj_size=24, xdr_obj=0x7fdc3f4618c0 <xdr_mountbody>) at xdr_reference.c:138
#374 0x00007fdc3f4617a5 in xdr_mountlist (xdrs=<value optimized out>, objp=<value optimized out>) at mount_xdr.c:93
#375 0x00007fdc3ebf9867 in svc_vc_reply (xprt=<value optimized out>, msg=<value optimized out>) at svc_vc.c:669
#376 0x00007fdc3ebf65a0 in svc_sendreply (xprt=<value optimized out>, xdr_results=<value optimized out>, xdr_location=<value optimized out>) at svc.c:405
#377 0x00007fdc3f464ad2 in rpc_dispatch (rqstp=0x7fffc46e2940, transp=0x7fdc4085a680, dtable=<value optimized out>, nvers=<value optimized out>, argp=0x7fffc46e2890, resp=0x7fffc46e28a0) at rpcdispatch.c:61
#378 0x00007fdc3f45af5c in mount_dispatch (rqstp=0x7fffc46e2940, transp=0x7fdc4085a680) at mount_dispatch.c:82
#379 0x00007fdc3ebf6301 in svc_getreq_common (fd=<value optimized out>) at svc.c:681
#380 0x00007fdc3f45e4de in my_svc_getreqset () at svc_run.c:84
#381 my_svc_run () at svc_run.c:119
#382 0x00007fdc3f459d73 in main (argc=<value optimized out>, argv=<value optimized out>) at mountd.c:893


Expected results:
The NFS client mounts to be shown.

Additional info:
A patch fixes this problem and can be found at:
http://www.spinics.net/lists/linux-nfs/msg18987.html

I have tested this in a home brew RPM and found that it fixes the issue.

Comment 1 Steven Capper 2011-07-20 03:18:05 EDT

Ah, I see that the "assigned to" matches the thread post author :-).

Comment 5 Steve Dickson 2011-08-11 18:01:30 EDT

*** Bug 730000 has been marked as a duplicate of this bug. ***

Comment 7 yanfu,wang 2011-08-29 02:42:49 EDT

reproduced on RHEL6.1 with below package:
# uname -a
Linux nec-em26.rhts.eng.bos.redhat.com 2.6.32-131.0.15.el6.x86_64 #1 SMP Tue May 10 15:42:40 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
# rpm -qa|grep nfs-utils
nfs-utils-1.2.3-7.el6.x86_64
nfs-utils-lib-1.1.5-3.el6.x86_64

client:
[root@amd-tilapia-01 ~]# mount -t nfs nec-em26.rhts.eng.bos.redhat.com:/tmp /mnt
[root@amd-tilapia-01 ~]# mount
/dev/mapper/vg_amdtilapia01-lv_root on / type ext4 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw,rootcontext="system_u:object_r:tmpfs_t:s0")
/dev/sda1 on /boot type ext4 (rw)
/dev/mapper/vg_amdtilapia01-lv_home on /home type ext4 (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
nec-em26.rhts.eng.bos.redhat.com:/tmp on /mnt type nfs (rw,addr=10.16.67.8)
[root@amd-tilapia-01 ~]# cat /var/lib/nfs/rmtab 
(check server:
[root@nec-em26 ~]# cat /var/lib/nfs/rmtab 
10.16.67.10:/tmp:0x00000001 ====> new entry added, so the /var/lib/nfs/rmtab file of server changed)
[root@amd-tilapia-01 ~]# showmount -a nec-em26.rhts.eng.bos.redhat.com
All mount points on nec-em26.rhts.eng.bos.redhat.com:
10.16.67.10:/tmp
10.16.67.8:/tmp
[root@amd-tilapia-01 ~]# umount /mnt
[root@amd-tilapia-01 ~]# showmount -a nec-em26.rhts.eng.bos.redhat.com
rpc mount dump: RPC: Unable to receive; errno = Connection reset by peer

server:
[root@nec-em26 ~]# dmesg|tail
SELinux: initialized (dev 0:14, type nfs), uses genfs_contexts
SELinux: initialized (dev 0:14, type nfs), uses genfs_contexts
nfsd: last server has exited, flushing export cache
NFSD: Using /var/lib/nfs/v4recovery as the NFSv4 state recovery directory
NFSD: starting 90-second grace period
rpc.mountd[3651]: segfault at 7fff5bcbfff8 ip 00007f34a92c26d1 sp 00007fff5bcc0000 error 6 in libc-2.12.so[7f34a9240000+187000]
nfsd: last server has exited, flushing export cache
NFSD: Using /var/lib/nfs/v4recovery as the NFSv4 state recovery directory
NFSD: starting 90-second grace period
rpc.mountd[3868]: segfault at 7f00706d7420 ip 00007fa80236386f sp 00007fff72937508 error 4 in libc-2.12.so[7fa80223d000+187000]

[root@nec-em26 ~]# /etc/init.d/nfs status
rpc.svcgssd is stopped
rpc.mountd dead but subsys locked        ====> note rpc.mountd is dead
nfsd (pid 3648 3647 3646 3645 3644 3643 3642 3641) is running...
rpc.rquotad (pid 3635) is running...

Additional info:
[root@nec-em26 ~]# cat /etc/exports 
/tmp *(rw,fsid=0,sync,all_squash,anonuid=500,anongid=500)


Verified on nfs-utils-1.2.3-8.el6 with the same test steps, showmount could let the NFS client mounts to be shown after /var/lib/nfs/rmtab file changes and rpc.mountd no segfault now.

Comment 9 errata-xmlrpc 2011-12-06 13:54:00 EST

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1534.html

Note You need to log in before you can comment on or make changes to this bug.