Subject: Re: PR/37236 CVS commit: src/usr.sbin/rpc.lockd
To: None <gnats-admin@netbsd.org, netbsd-bugs@netbsd.org,>
From: Matthias Scheler <tron@zhadum.org.uk>
List: netbsd-bugs
Date: 11/01/2007 15:00:14
The following reply was made to PR bin/37236; it has been noted by GNATS.

From: Matthias Scheler <tron@zhadum.org.uk>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: PR/37236 CVS commit: src/usr.sbin/rpc.lockd
Date: Wed, 31 Oct 2007 21:55:26 +0000

 On Sat, Oct 27, 2007 at 09:45:25PM +0100, Matthias Scheler wrote:
 > It seems that the list of locks got corrupted:
 > 
 > (gdb) print lcklst_head
 > $1 = {lh_first = 0x60030210}
 > (gdb) print *(struct file_lock *)0x60030210
 > Cannot access memory at address 0x60030210
 
 I had another crash with an unmodified version of "rpc.lockd":
 
 (gdb) where
 #0  0xbbb825b8 in strcmp () from /usr/lib/libc.so.12
 #1  0x0804c8ef in unlock (lck=0xbfbfe834, flags=2) at lockd_lock.c:387
 #2  0x0804b4d8 in nlm4_unlock_msg_4_svc (arg=0xbfbfe82c, rqstp=0xbfbfe8e8)
     at lock_proc.c:1044
 #3  0x0804995d in nlm_prog_4 (rqstp=0xbfbfe8e8, transp=0x8063080)
     at nlm_prot_svc.c:469
 #4  0xbbb3ef48 in svc_getreq_common () from /usr/lib/libc.so.12
 #5  0xbbb3f04f in svc_getreqset () from /usr/lib/libc.so.12
 #6  0xbbae368b in svc_run () from /usr/lib/libc.so.12
 #7  0x0804a434 in main (argc=Cannot access memory at address 0x0
 ) at lockd.c:211
 (gdb) up
 #1  0x0804c8ef in unlock (lck=0xbfbfe834, flags=2) at lockd_lock.c:387
 387                     if (strcmp(fl->client_name, lck->caller_name) ||
 (gdb) print fl
 $1 = (struct file_lock *) 0x0
 
 This time the loop in unlock() was executed although fl is NULL. The
 crash looks like a race between sigchild_handler() and one of the
 dispatch procedures. That should however not happen because of the
 calls to siglock() and sigunlock().
 
 	Kind regards
 
 -- 
 Matthias Scheler                                  http://zhadum.org.uk/
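The message above suspects a race between sigchild_handler() and a dispatch procedure walking the lock list, and notes that siglock()/sigunlock() are supposed to rule that out. The following is an added example, not code from this bug report or from NetBSD's rpc.lockd: it models a lock list that a SIGCHLD handler unlinks entries from while a dispatch-style walk compares client_name against the caller, and shows what bracketing the walk with a sigprocmask-based siglock()/sigunlock() guarantees. The names lcklst_head, file_lock, client_name, sigchild_handler, siglock and sigunlock follow the e-mail; their bodies, the static node pool and the three-entry list are assumptions made for the demo, and raise(SIGCHLD) inside the loop stands in for a child exiting mid-walk.

```c
/* Added example (not rpc.lockd's code): lock-list walk vs. SIGCHLD handler,
 * with and without the signal blocked around the critical section. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct file_lock {
    char client_name[32];
    struct file_lock *next;
};

/* Static pool instead of malloc/free: the handler then touches nothing that
 * is not async-signal-safe and no walk can dereference freed memory. */
#define POOL_SIZE 3
static struct file_lock pool[POOL_SIZE];
static struct file_lock *lcklst_head;             /* head of the lock list */
static volatile sig_atomic_t in_walk;             /* set while a walk runs */
static volatile sig_atomic_t handler_fired_during_walk;   /* the race */

/* Hypothetical handler: the child owning the first entry exited, so the
 * entry is unlinked.  Running mid-walk changes the list under the walker. */
static void sigchild_handler(int sig)
{
    (void)sig;
    if (in_walk)
        handler_fired_during_walk = 1;
    if (lcklst_head != NULL)
        lcklst_head = lcklst_head->next;
}

/* Assumed siglock()/sigunlock(): block SIGCHLD so the handler is deferred
 * until the critical section ends. */
static sigset_t saved_mask;
static void siglock(void)
{
    sigset_t block;
    sigemptyset(&block);
    sigaddset(&block, SIGCHLD);
    sigprocmask(SIG_BLOCK, &block, &saved_mask);
}
static void sigunlock(void)
{
    sigprocmask(SIG_SETMASK, &saved_mask, NULL);
}

/* Install the handler and (re)build a constructed three-entry list;
 * returns the number of entries linked. */
static int setup_list(void)
{
    static const char *names[POOL_SIZE] = { "alice", "bob", "alice" };
    struct sigaction sa;
    int i;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = sigchild_handler;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGCHLD, &sa, NULL);

    lcklst_head = NULL;
    for (i = POOL_SIZE - 1; i >= 0; i--) {
        snprintf(pool[i].client_name, sizeof pool[i].client_name, "%s", names[i]);
        pool[i].next = lcklst_head;
        lcklst_head = &pool[i];
    }
    handler_fired_during_walk = 0;
    return POOL_SIZE;
}

static int list_len(void)
{
    int n = 0;
    struct file_lock *fl;
    for (fl = lcklst_head; fl != NULL; fl = fl->next)
        n++;
    return n;
}

/* Walk the list the way unlock() does, comparing client_name with the
 * caller; raise SIGCHLD on every iteration to simulate a child exiting
 * mid-walk.  Returns the number of entries matching caller_name. */
static int unlock_walk(const char *caller_name, int use_siglock)
{
    struct file_lock *fl;
    int matched = 0;

    if (use_siglock)
        siglock();
    in_walk = 1;
    for (fl = lcklst_head; fl != NULL; fl = fl->next) {
        raise(SIGCHLD);        /* delivered now, or left pending while blocked */
        if (strcmp(fl->client_name, caller_name) == 0)
            matched++;
    }
    in_walk = 0;
    if (use_siglock)
        sigunlock();           /* one coalesced pending SIGCHLD lands here */
    return matched;
}

int main(void)
{
    int m, left;
    setup_list();
    m = unlock_walk("alice", 0); left = list_len();
    printf("unguarded: matched=%d fired_during_walk=%d left=%d\n",
           m, (int)handler_fired_during_walk, left);
    setup_list();
    m = unlock_walk("alice", 1); left = list_len();
    printf("siglock:   matched=%d fired_during_walk=%d left=%d\n",
           m, (int)handler_fired_during_walk, left);
    return 0;
}
```

Unguarded, the handler runs inside the loop and the list is emptied underneath the walker; with siglock() held, the handler cannot run until sigunlock(), and because SIGCHLD is a non-queued signal the three raises collapse into a single deferred delivery that removes one entry after the walk. In the real daemon the unguarded case is worse than this model, since a freed node would be dereferenced; the point is that any path that reaches the list without siglock() reopens exactly that window.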