On 01/12/2011 12:31 PM, sdrb wrote:
Hello,

Recently I tried to upgrade nfs-utils to the newest nfs-utils 1.2.3. During tests I noticed that in some circumstances rpc.mountd crashes with a segmentation fault. I'm testing it with the 2.6.36 Linux kernel.

Configuration of the nfs-server:

server# cat /etc/exports
/export *(rw)
/tmp/nfs *(rw)

The scenario to reproduce the issue:

server# rpc.mountd -F -d all
server# showmount -a 127.0.0.1
host# umount /mnt/nfs2 ; mount -t nfs server:/tmp/nfs /mnt/nfs2 -o nfsvers=3,nolock
server# showmount -a 127.0.0.1

and after spawning showmount for the second time I got two segmentation faults: at showmount and at rpc.mountd. Here is the output from rpc.mountd:

rpc.mountd: Received DUMP request from 127.0.0.1
rpc.mountd: Received NULL request from host
rpc.mountd: Received UMNT(/tmp/nfs) request from host
rpc.mountd: authenticated unmount request from host:844 for /tmp/nfs (/tmp/nfs)
rpc.mountd: Received NULL request from host
rpc.mountd: Received NULL request from host
rpc.mountd: Received MNT3(/tmp/nfs) request from host
rpc.mountd: authenticated mount request from host:729 for /tmp/nfs (/tmp/nfs)
rpc.mountd: nfsd_fh: inbuf '* 7 \x0ab4100000000000dd2efb04e753f0980000000000000000'
rpc.mountd: nfsd_fh: found 0x1f13380 path /tmp/nfs
rpc.mountd: Received DUMP request from 127.0.0.1
Segmentation fault

To gather more info I ran rpc.mountd in gdb:

Starting program: /usr/sbin/rpc.mountd -F

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7b6f7a2 in xdr_string_internal () from /lib64/libc.so.6
#0  0x00007ffff7b6f7a2 in xdr_string_internal () from /lib64/libc.so.6
#1  0x0000000000409eee in xdr_name (xdrs=<value optimized out>, objp=<value optimized out>) at mount_xdr.c:83
(...)

It seems like two procedures (xdr_mountlist and xdr_mountbody) call one another infinitely until they fill the stack completely, and then the segfault occurs. Is it a known problem? Maybe I misconfigured or missed something?
I've investigated the sources a little and I noticed that probably a pointer should be NULL-ed in the mountlist_list() procedure, as in the patch I've attached.

Can anyone confirm that such a fix is OK?
diff -rNup nfs-utils-1.2.3_orig/utils/mountd/rmtab.c nfs-utils-1.2.3/utils/mountd/rmtab.c --- nfs-utils-1.2.3/utils/mountd/rmtab.c 2010-09-28 14:24:16.000000000 +0200 +++ nfs-utils-1.2.3/utils/mountd/rmtab.c 2011-01-12 14:44:22.320000000 +0100 @@ -205,6 +205,7 @@ mountlist_list(void) } if (stb.st_mtime != last_mtime) { mountlist_freeall(mlist); + mlist=NULL; last_mtime = stb.st_mtime; setrmtabent("r");
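Review bot: the reset is tied only to the `stb.st_mtime != last_mtime` branch, so check that no other path in mountlist_list() (not visible in this hunk) can call `mountlist_freeall(mlist)` and leave the static `mlist` pointing at freed nodes; a more robust shape is to have `mountlist_freeall()` take `struct mountbody **` and clear the caller's pointer itself, so the invariant cannot be missed in a later edit. Keeping a head pointer to freed nodes while the list is rebuilt after `setrmtabent("r")` is consistent with the xdr_mountlist/xdr_mountbody recursion reported above, so this one-line change is plausible as the fix, but it needs that context checked. Two smaller points: nfs-utils style puts spaces around the assignment (`mlist = NULL;`), and the patch carries no Signed-off-by line; also the `---` header names `nfs-utils-1.2.3/utils/mountd/rmtab.c` while the `diff -rNup` line compares against `nfs-utils-1.2.3_orig`, which is harmless for `patch -p1` but worth regenerating cleanly.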
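As an added illustration, not nfs-utils code: a small self-contained C model of the failure mode discussed above, a list head that survives freeall() and is then reused by the rebuild, run both without and with the reset the patch adds. The struct field names, `rebuild_list`, `demo_rebuild` and the two rmtab entries are assumptions made for the example. A tiny LIFO arena stands in for malloc so that reuse of freed nodes is deterministic and the freed memory stays valid to read; that lets the stale-head case run to completion and show the cycle it produces, where a real process would walk freed memory and, as in the report, recurse until the stack is gone.

```c
/* Added example, not nfs-utils code: a cached list that is freed and then
 * rebuilt, with and without resetting the head pointer after freeall(). */
#include <string.h>

struct mountbody {              /* assumed shape; mountd's real struct differs */
    const char *ml_hostname;
    const char *ml_directory;
    struct mountbody *ml_next;
};

/* Toy LIFO arena instead of malloc: freed nodes remain valid memory and are
 * handed out again most-recently-freed first, so reuse is deterministic. */
#define POOL_SIZE 8
static struct mountbody pool[POOL_SIZE];
static struct mountbody *freelist;
static int pool_used;

static void pool_reset(void)
{
    freelist = NULL;
    pool_used = 0;
}

static struct mountbody *node_alloc(void)
{
    struct mountbody *n = freelist;
    if (n)
        freelist = n->ml_next;
    else if (pool_used < POOL_SIZE)
        n = &pool[pool_used++];
    else
        return NULL;
    memset(n, 0, sizeof *n);
    return n;
}

static void node_free(struct mountbody *n)
{
    n->ml_next = freelist;
    freelist = n;
}

/* Like mountlist_freeall(): frees every node but cannot clear the caller's head. */
static void freeall(struct mountbody *list)
{
    while (list) {
        struct mountbody *next = list->ml_next;
        node_free(list);
        list = next;
    }
}

/* Constructed rmtab entries standing in for what getrmtabent() would return. */
static const char *const sample_hosts[] = { "host", "127.0.0.1" };
static const char *const sample_dirs[]  = { "/tmp/nfs", "/export" };
#define NENTRIES 2

/* Free the old list, then rebuild by prepending; apply_fix == 0 keeps the stale head. */
static struct mountbody *rebuild_list(struct mountbody *head, int apply_fix)
{
    freeall(head);
    if (apply_fix)
        head = NULL;            /* the patch's "mlist = NULL" */
    for (int i = 0; i < NENTRIES; i++) {
        struct mountbody *n = node_alloc();
        if (!n)
            break;
        n->ml_hostname = sample_hosts[i];
        n->ml_directory = sample_dirs[i];
        n->ml_next = head;      /* with a stale head: links onto freed nodes */
        head = n;
    }
    return head;
}

/* Length of the list, or -1 if it is cyclic (a plain walk, like the XDR
 * encoder's, would never terminate, so Floyd's check runs first). */
static int list_length(const struct mountbody *head)
{
    const struct mountbody *slow = head, *fast = head;
    int n = 0;
    while (fast && fast->ml_next) {
        slow = slow->ml_next;
        fast = fast->ml_next->ml_next;
        if (slow == fast)
            return -1;
    }
    for (; head; head = head->ml_next)
        n++;
    return n;
}

/* Build the list once, then rebuild it as a changed rmtab mtime would. */
static int demo_rebuild(int apply_fix)
{
    struct mountbody *mlist;
    pool_reset();
    mlist = rebuild_list(NULL, apply_fix);
    mlist = rebuild_list(mlist, apply_fix);
    return list_length(mlist);       /* -1 with apply_fix == 0, 2 with 1 */
}
```

With the stale head kept, the second rebuild pops the most recently freed node, links it to the old head (another freed node), then pops that node and links it back, so the list closes on itself and any walker loops forever; with the head reset it is simply two fresh entries. The arena only makes the reuse order fixed; a real allocator may hand the chunks back in a different order, but every order leaves the new nodes linked to freed ones.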