Hello,

I'm investigating a segmentation fault in the automounter, caused by an invalid memory access in lookup_prune_one_cache(). I'd appreciate your opinion of the analysis below.

The crash signature is:

    #0  lookup_prune_one_cache (ap=0x55555569d1b0, mc=0x55555569d360, age=1342705333) at lookup.c:1113
    1113            rmdir_path(ap, path, this->dev);
    (gdb) print this
    $1 = (struct mapent *) 0x2aaaaccf49f0
    (gdb) print *this
    Cannot access memory at address 0x2aaaaccf49f0

From lookup_prune_one_cache() [line numbers are from the version that crashed, not the latest git]:

    1095    cache_writelock(mc);
    1096    this = cache_lookup_distinct(mc, key);        // lookup key in the hash table mc->hash
    1097    if (!this) {
    1098        cache_unlock(mc);
    1099        goto next;
    1100    }
    1101
    1102    if (valid)                                    // here we know valid == 0
    1103        cache_delete(mc, key);
    1104    else if (!is_mounted(_PROC_MOUNTS, path, MNTS_AUTOFS)) {
                                                          // here we know the path is currently not mounted
    1105        status = CHE_FAIL;
    1106        if (this->ioctlfd == -1)                  // here "this" still points to valid memory;
                                                          // if this->ioctlfd == -1, it deletes this key from
                                                          // the hash table and frees the memory:
    1107            status = cache_delete(mc, key);
    1108        if (status != CHE_FAIL) {
    1109            if (ap->type == LKP_INDIRECT) {
    1110                if (ap->flags & MOUNT_FLAG_GHOST)
    1111                    rmdir_path(ap, path, ap->dev);
    1112            } else
    1113                rmdir_path(ap, path, this->dev);  // crashes here: "this" points to freed memory
    1114        }
    1115    }
    1116    cache_unlock(mc);

I'd like to understand if using "this->dev" instead of "ap->dev" in the second rmdir_path() call is indeed correct or if it should be "ap->dev" too.
Thanks,
Leonardo

Call traces:

    Thread 7 (Thread 5587):
    #0  do_sigwait (set=0x7fff8cbb3d80, sig=0x7fff8cbb3e9c) at ../nptl/sysdeps/unix/sysv/linux/../../../../../sysdeps/unix/sysv/linux/sigwait.c:65
    #1  0x00002b404a2ceaed in __sigwait (set=0x7fff8cbb3d80, sig=0x7fff8cbb3e9c) at ../nptl/sysdeps/unix/sysv/linux/../../../../../sysdeps/unix/sysv/linux/sigwait.c:100
    #2  0x0000555555560b96 in statemachine (argc=<value optimized out>, argv=<value optimized out>) at automount.c:1327
    #3  main (argc=<value optimized out>, argv=<value optimized out>) at automount.c:2142

    Thread 6 (Thread 5588):
    #0  0x00002b404a2cb517 in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
    #1  0x0000555555573812 in alarm_handler (arg=<value optimized out>) at alarm.c:206
    #2  0x00002b404a2c7193 in start_thread (arg=<value optimized out>) at pthread_create.c:306
    #3  0x00002b404aa4d0dd in clone () from /lib64/libc.so.6

    Thread 5 (Thread 5589):
    #0  0x00002b404a2cb326 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
    #1  0x000055555556c913 in st_queue_handler (arg=<value optimized out>) at state.c:1103
    #2  0x00002b404a2c7193 in start_thread (arg=<value optimized out>) at pthread_create.c:306
    #3  0x00002b404aa4d0dd in clone () from /lib64/libc.so.6

    Thread 4 (Thread 5592):
    #0  0x00002b404aa44dc6 in __poll (fds=0x40822150, nfds=3, timeout=-1) at ../sysdeps/unix/sysv/linux/poll.c:87
    #1  0x000055555555f2a9 in get_pkt (arg=<value optimized out>) at automount.c:882
    #2  handle_packet (arg=<value optimized out>) at automount.c:1019
    #3  handle_mounts (arg=<value optimized out>) at automount.c:1551
    #4  0x00002b404a2c7193 in start_thread (arg=<value optimized out>) at pthread_create.c:306
    #5  0x00002b404aa4d0dd in clone () from /lib64/libc.so.6

    Thread 3 (Thread 5595):
    #0  0x00002b404aa44dc6 in __poll (fds=0x41023150, nfds=3, timeout=-1) at ../sysdeps/unix/sysv/linux/poll.c:87
    #1  0x000055555555f2a9 in get_pkt (arg=<value optimized out>) at automount.c:882
    #2  handle_packet (arg=<value optimized out>) at automount.c:1019
    #3  handle_mounts (arg=<value optimized out>) at automount.c:1551
    #4  0x00002b404a2c7193 in start_thread (arg=<value optimized out>) at pthread_create.c:306
    #5  0x00002b404aa4d0dd in clone () from /lib64/libc.so.6

    Thread 2 (Thread 5596):
    #0  0x00002b404aa44dc6 in __poll (fds=0x41824150, nfds=3, timeout=-1) at ../sysdeps/unix/sysv/linux/poll.c:87
    #1  0x000055555555f2a9 in get_pkt (arg=<value optimized out>) at automount.c:882
    #2  handle_packet (arg=<value optimized out>) at automount.c:1019
    #3  handle_mounts (arg=<value optimized out>) at automount.c:1551
    #4  0x00002b404a2c7193 in start_thread (arg=<value optimized out>) at pthread_create.c:306
    #5  0x00002b404aa4d0dd in clone () from /lib64/libc.so.6

    Thread 1 (Thread 32226):
    #0  lookup_prune_one_cache (ap=0x55555569d1b0, mc=0x55555569d360, age=1342705333) at lookup.c:1113
    #1  0x000055555556bd97 in do_readmap (arg=<value optimized out>) at state.c:496
    #2  0x00002b404a2c7193 in start_thread (arg=<value optimized out>) at pthread_create.c:306
    #3  0x00002b404aa4d0dd in clone () from /lib64/libc.so.6

The AutoFS version in question is 5.0.5 plus:

- all patches until autofs-5.0.5-fix-submount-shutdown-wait.patch
- autofs-5.0.5-auto-adjust-ldap-page-size.patch
- autofs-5.0.5-replace-gplv3-code.patch
- autofs-5.0.5-fix-paged-ldap-map-read.patch
- autofs-5.0.5-fix-next-task-list-update.patch
- autofs-5.0.5-fix-stale-map-read.patch
- autofs-5.0.5-fix-out-of-order-locking-in-readmap.patch
- autofs-5.0.5-invalid-ghost-dirs.patch
- autofs-5.0.5-fix-null-cache-deadlock.patch
- autofs-5.0.5-remove-master_mutex_unlock-leftover.patch
- autofs-5.0.5-fix-prune-cache-valid-check.patch
- autofs-5.0.5-fix-expire-race.patch
- autofs-5.0.5-fix-null-cache-clean.patch
- autofs-5.0.5-automount-man-page-correction.patch
- autofs-5.0.5-reset-negative-status-on-cache-prune.patch
- autofs-5.0.5-fix-map-source-check-in-file-lookup.patch
- autofs-5.0.5-fix-ldap-result-leaks.patch
- autofs-5.0.5-fix-paged-query-more-results-check.patch
- autofs-5.0.5-fix-result-null-check-in-read_one_map.patch
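The ordering problem in the quoted prune loop, as an added example that is not part of the mail above and not autofs code: a small stand-in cache with the same lookup/delete/rmdir shape, where cache_delete() frees the entry exactly as the analysis describes, and a prune function that copies the fields it still needs out of "this" before the entry can be freed, so the later rmdir_path() call never dereferences a dangling pointer. Whether a direct map entry should use its own dev or ap->dev is a question for the maintainers; the example keeps the posted code's choice (per-entry dev for non-indirect maps) and only removes the read-after-free. The struct layouts, the CHE_*/LKP_* values, the flags field and the rmdir_path() stand-in that just records the dev it was given are all assumptions made for illustration.

```c
/* Hypothetical, simplified model of the prune path discussed in the mail.
 * Not autofs code: struct layouts, cache functions and the rmdir_path()
 * stand-in are assumptions made for illustration only. */
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#define CHE_FAIL 0
#define CHE_OK   1
#define LKP_INDIRECT 1
#define LKP_DIRECT   2
#define MOUNT_FLAG_GHOST 0x1

struct mapent {
    struct mapent *next;
    char *key;
    dev_t dev;      /* assumed: device of the entry's own mount point */
    int ioctlfd;    /* -1 when no ioctl fd is open for this entry */
};
struct mapent_cache { struct mapent *head; };
struct autofs_point { int type; unsigned flags; dev_t dev; };

/* rmdir_path() stand-in: records the dev it was given instead of touching the fs. */
static int rmdir_calls;
static dev_t last_rmdir_dev;
static void rmdir_path(struct autofs_point *ap, const char *path, dev_t dev)
{ (void)ap; (void)path; rmdir_calls++; last_rmdir_dev = dev; }

static struct mapent *cache_lookup_distinct(struct mapent_cache *mc, const char *key)
{
    for (struct mapent *me = mc->head; me; me = me->next)
        if (strcmp(me->key, key) == 0)
            return me;
    return NULL;
}

/* Unlinks and frees the entry: every pointer to it is dangling afterwards. */
static int cache_delete(struct mapent_cache *mc, const char *key)
{
    for (struct mapent **pp = &mc->head; *pp; pp = &(*pp)->next) {
        if (strcmp((*pp)->key, key) == 0) {
            struct mapent *gone = *pp;
            *pp = gone->next;
            free(gone->key); free(gone);
            return CHE_OK;
        }
    }
    return CHE_FAIL;
}

static int cache_add(struct mapent_cache *mc, const char *key, dev_t dev, int ioctlfd)
{
    struct mapent *me = calloc(1, sizeof *me);
    if (!me || !(me->key = strdup(key))) { free(me); return 0; }
    me->dev = dev; me->ioctlfd = ioctlfd;
    me->next = mc->head; mc->head = me;
    return 1;
}

static void cache_free_all(struct mapent_cache *mc)
{
    while (mc->head) cache_delete(mc, mc->head->key);
}

/* The "not mounted" branch of the prune loop, reordered so nothing is read
 * through "this" once cache_delete() may have freed it. */
static int prune_unmounted_entry(struct autofs_point *ap, struct mapent_cache *mc,
                                 const char *key, const char *path)
{
    struct mapent *this = cache_lookup_distinct(mc, key);
    if (!this) return CHE_FAIL;
    dev_t entry_dev = this->dev;          /* snapshot while the entry is still alive */
    int status = CHE_FAIL;
    if (this->ioctlfd == -1)
        status = cache_delete(mc, key);   /* "this" is dangling from here on */
    this = NULL;                          /* any later reuse fails loudly, not silently */
    if (status != CHE_FAIL) {
        if (ap->type == LKP_INDIRECT) {
            if (ap->flags & MOUNT_FLAG_GHOST) rmdir_path(ap, path, ap->dev);
        } else {
            rmdir_path(ap, path, entry_dev); /* the saved copy, never this->dev */
        }
    }
    return status;
}

/* Runs one prune against a fresh single-entry cache.  Returns a bitmask:
 * 1 = entry deleted, 2 = rmdir_path() called, 4 = entry still cached.
 * last_rmdir_dev holds the dev handed to rmdir_path(), or 0 if not called. */
static int run_prune(int ap_type, unsigned ap_flags, dev_t ap_dev, dev_t entry_dev, int ioctlfd)
{
    struct autofs_point ap = { ap_type, ap_flags, ap_dev };
    struct mapent_cache mc = { NULL };
    if (!cache_add(&mc, "/mnt/a", entry_dev, ioctlfd)) return -1;
    rmdir_calls = 0; last_rmdir_dev = 0;
    int status = prune_unmounted_entry(&ap, &mc, "/mnt/a", "/mnt/a");
    int report = (status == CHE_OK ? 1 : 0) | (rmdir_calls ? 2 : 0)
               | (cache_lookup_distinct(&mc, "/mnt/a") ? 4 : 0);
    cache_free_all(&mc);
    return report;
}
```

The check a practitioner would run on the real code is the same one this model makes easy: build with -fsanitize=address and exercise the prune path; if the rmdir_path() call is moved back to read this->dev after cache_delete(), as in the quoted lines, ASan reports a heap-use-after-free at that read rather than the intermittent SIGSEGV seen in the trace. Setting "this" to NULL after the delete is what turns any remaining dereference into a deterministic crash instead of a read of recycled heap memory.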