https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=292049
Bug ID: 292049
Summary: Lock resource exhaustion can lead to system degradation
Product: Base System
Version: 15.0-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: [email protected]
Reporter: [email protected]
Attachment #266656 mime type: text/plain
Created attachment 266656
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=266656&action=edit
Proof of concept
The attached sample program can exhaust system resources by endlessly creating
locks. A user with system access can quickly degrade the system's performance.
Although this takes longer than for a local user, a remote user accessing an
NFSv3 lockd‑enabled share can also exhaust the remote system's resources.
# kernel stack without NFSv3 (local)
kernel`lf_advlock+0x45
kernel`vop_stdadvlock+0x191
kernel`VOP_ADVLOCK+0x3a
kernel`kern_fcntl+0xd17
kernel`kern_fcntl_freebsd+0xa3
kernel`amd64_syscall+0x126
kernel`0xffffffff8105080b
# user stack without NFSv3 (local)
libsys.so.7`_fcntl+0xa
a.out`main+0x11a
libc.so.7`__libc_start1+0x12f
a.out`_start+0x24
`0x1a4a59003008
# kernel stack with NFSv3
kernel`lf_advlock+0x45
kernel`vop_stdadvlock+0x175
kernel`VOP_ADVLOCK_APV+0x51
kernel`nlm_do_lock+0x365
kernel`nlm4_lock_4_svc+0x11
kernel`nlm_prog_4+0x26c
kernel`svc_run_internal+0xaa8
kernel`svc_run+0x280
kernel`sys_nlm_syscall+0x75c
kernel`amd64_syscall+0x169
kernel`0xffffffff810bf9ab
# user stack with NFSv3
libsys.so.7`nlm_syscall+0xa
libc.so.7`__libc_start1+0x12f
rpc.lockd`_start+0x21
`0x59ca90603008
# rc.conf
mountd_enable="YES"
nfs_server_enable="YES"
nfsv4_server_enable="NO"
rpcbind_enable="YES"
rpc_lockd_enable="YES"
rpc_statd_enable="YES"
# sysctl.conf
vfs.nfsd.server_min_nfsvers=3
vfs.nfsd.server_max_nfsvers=3
For convenience, the client machine mounting the NFSv3 share had more system
memory than the remote NFSv3 server. If necessary, multiple instances of the
sample program can be run on the client machine to speed up lock acquisition.
I was unable to cause system degradation with NFSv4. I believe this is limited
by vfs.nfsd.v4statelimit.
OpenBSD and NetBSD may already enforce some limits, although I have not tested
this.
OpenBSD:
https://man.openbsd.org/sysctl.2#KERN_MAXLOCKSPERUID~2
https://github.com/openbsd/src/blob/8f537029576d9ea2ca0aba908b4f5e7fe29aeacf/sys/kern/kern_sysctl.c#L393
https://github.com/openbsd/src/blob/8f537029576d9ea2ca0aba908b4f5e7fe29aeacf/sys/kern/vfs_lockf.c#L156-L189
NetBSD:
https://github.com/NetBSD/src/blob/7ef4a0317b218d1df5ce1956f4cc84392e0bb9a8/sys/kern/vfs_lockf.c#L118-L128
https://github.com/NetBSD/src/blob/7ef4a0317b218d1df5ce1956f4cc84392e0bb9a8/sys/kern/vfs_lockf.c#L191-L215
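A per-UID cap on lock records, the kind of limit the KERN_MAXLOCKSPERUID link above refers to, can be modelled in userland as follows. This is an added example, not code from the report, its attachment or any BSD kernel; every name, the cap of 4, the uid 0 exemption and the double headroom for splits are assumptions of the model.

```c
/* Added example: userland model of a per-UID lock-record quota (not kernel code). */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#define MAX_UIDS      8  /* hypothetical: model-only table size */
#define LOCKS_PER_UID 4  /* hypothetical cap, tiny so the demo reaches it */
enum charge_kind { CHARGE_NEW, CHARGE_SPLIT };
struct uid_quota { uid_t uid; int in_use; int count; };
static struct uid_quota quotas[MAX_UIDS];

/* Find or create the accounting slot for uid; NULL when the table is full. */
static struct uid_quota *quota_get(uid_t uid)
{
    struct uid_quota *spare = NULL;
    for (int i = 0; i < MAX_UIDS; i++) {
        if (quotas[i].in_use && quotas[i].uid == uid) return &quotas[i];
        if (!quotas[i].in_use && spare == NULL) spare = &quotas[i];
    }
    if (spare != NULL) { spare->in_use = 1; spare->uid = uid; spare->count = 0; }
    return spare;
}

/* Charge one lock record to uid: 0 on success, ENOLCK when over quota.
 * CHARGE_SPLIT (unlocking the middle of a held range needs one more record)
 * gets double headroom so a user sitting at the cap can still release locks. */
int lock_charge(uid_t uid, enum charge_kind kind)
{
    struct uid_quota *q = quota_get(uid);
    int limit = (kind == CHARGE_SPLIT) ? 2 * LOCKS_PER_UID : LOCKS_PER_UID;
    if (q == NULL) return ENOLCK;                      /* fail closed */
    if (uid != 0 && q->count >= limit) return ENOLCK;  /* uid 0 exempt here */
    q->count++;
    return 0;
}

/* Return one record to the quota when a lock is freed. */
void lock_release(uid_t uid)
{
    struct uid_quota *q = quota_get(uid);
    if (q != NULL && q->count > 0) q->count--;
}
int lock_count(uid_t uid) { struct uid_quota *q = quota_get(uid); return q ? q->count : 0; }

int main(void)
{
    int refused = 0;
    for (int i = 0; i < 1000; i++) refused += (lock_charge(1001, CHARGE_NEW) == ENOLCK);
    printf("uid 1001 holds %d records, %d refused\n", lock_count(1001), refused);
    return 0;
}
```

With such a cap, an endless lock loop costs its owner a bounded number of records and fails with ENOLCK afterwards, while other UIDs keep their own budget.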