bin/54222: mount_portal(8) invalid free() after src/sbin/mount_portal/puffs_portal.c,-r1.9

To: gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: bin/54222: mount_portal(8) invalid free() after src/sbin/mount_portal/puffs_portal.c,-r1.9
From: leot%NetBSD.org@localhost
Date: Wed, 22 May 2019 20:15:00 +0000 (UTC)

>Number:         54222
>Category:       bin
>Synopsis:       mount_portal(8) invalid free after src/sbin/mount_portal/puffs_portal.c,-r1.9
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed May 22 20:15:00 +0000 2019
>Originator:     Leonardo Taccari
>Release:        NetBSD 8.99.38
>Organization:
UniversitÃ  Politecnica delle Marche
>Environment:
System: NetBSD abacus 8.99.38 NetBSD 8.99.38 (GENERIC) #1: Mon May 6 14:13:15 CEST 2019 leot@abacus:/usr/obj/sys/arch/amd64/compile/GENERIC amd64
Architecture: x86_64
Machine: amd64
>Description:
	mount_portal(8) crashes due an invalid free (trying to free
	0x5a5a5a5a5a5a5a5a).
>How-To-Repeat:
	Given the following portal.conf:
	
	# cat portal.conf
	e/      rfilter e/      echo %s

	...then mounting it:

	# mount_portal /tmp/m/portal.conf /tmp/m/p

	...and then doing:

	% head -1 /tmp/m/p/e/bar

	should be enough to reproduce it (invalid free() in
	portal_node_reclaim()).

	If we attach gdb, set a breakpoint to potral_node_reclaim() and then
	doing `head -1 /tmp/m/p/e/bar':

	# gdb -p `pgrep mount_portal`
	GNU gdb (GDB) 8.0.1
	[...]
	(gdb) b portal_node_reclaim
	Breakpoint 1 at 0x1aa403040: file /usr/src/sbin/mount_portal/puffs_portal.c, line 805.
	(gdb) c
	Continuing.
	[Switching to LWP 1 of process 29602]

	[... `head -1 /tmp/m/p/e/bar' is invoked and the breakpoint hitted ...]

	Thread 1 "" hit Breakpoint 1, portal_node_reclaim (pu=0x7ed8ec7ab000, opc=0x7ed8ec7b7020)
	    at /usr/src/sbin/mount_portal/puffs_portal.c:805
	805     {
	(gdb) bt
	#0  portal_node_reclaim (pu=0x7ed8ec7ab000, opc=0x7ed8ec7b7020) at /usr/src/sbin/mount_portal/puffs_portal.c:805
	#1  0x00000001aa403528 in portal_node_getattr (pu=0x7ed8ec7ab000, opc=0x7ed8ec7b7020, va=0x7ed8ec7aa090, pcr=0x7ed8ec7aa038)
	    at /usr/src/sbin/mount_portal/puffs_portal.c:593
	#2  0x00007ed8ec008d50 in dispatch (pcc=pcc@entry=0x7ed8ec740000) at /usr/src/lib/libpuffs/dispatcher.c:483
	#3  0x00007ed8ec009495 in puffs__ml_dispatch (pu=0x7ed8ec7ab000, pb=0x7ed8ec795050) at /usr/src/lib/libpuffs/dispatcher.c:64
	#4  0x00007ed8ec00b90e in puffs__framev_input (pu=pu@entry=0x7ed8ec7ab000, fctrl=0x7ed8ec7ab5f8, fio=fio@entry=0x7ed8ec79d060)
	    at /usr/src/lib/libpuffs/framebuf.c:699
	#5  0x00007ed8ec00d80b in puffs__theloop (pcc=<optimized out>) at /usr/src/lib/libpuffs/puffs.c:909
	#6  0x00007ed8eb86b3a0 in ?? () from /lib/libc.so.12
	Backtrace stopped: Cannot access memory at address 0x7ed8ec780000
	(gdb) c
	Continuing.

	Thread 1 "" hit Breakpoint 1, portal_node_reclaim (pu=0x7ed8ec7ab000, opc=0x7ed8ec7b7020)
	    at /usr/src/sbin/mount_portal/puffs_portal.c:805
	805     {
	(gdb) bt
	#0  portal_node_reclaim (pu=0x7ed8ec7ab000, opc=0x7ed8ec7b7020) at /usr/src/sbin/mount_portal/puffs_portal.c:805
	#1  0x00007ed8ec008e3b in dispatch (pcc=pcc@entry=0x7ed8ec740000) at /usr/src/lib/libpuffs/dispatcher.c:876
	#2  0x00007ed8ec009495 in puffs__ml_dispatch (pu=0x7ed8ec7ab000, pb=0x7ed8ec795050) at /usr/src/lib/libpuffs/dispatcher.c:64
	#3  0x00007ed8ec00b90e in puffs__framev_input (pu=pu@entry=0x7ed8ec7ab000, fctrl=0x7ed8ec7ab5f8, fio=fio@entry=0x7ed8ec79d060)
	    at /usr/src/lib/libpuffs/framebuf.c:699
	#4  0x00007ed8ec00d80b in puffs__theloop (pcc=<optimized out>) at /usr/src/lib/libpuffs/puffs.c:909
	#5  0x00007ed8eb86b3a0 in ?? () from /lib/libc.so.12
	Backtrace stopped: Cannot access memory at address 0x7ed8ec780000
	(gdb) c
	Continuing.
	<jemalloc>: /usr/src/external/bsd/jemalloc/lib/../dist/src/rtree.c:205: Failed assertion: "!dependent || leaf != NULL"

	Thread 1 "" received signal SIGABRT, Aborted.
	0x00007ed8eb9a4f9a in _lwp_kill () from /lib/libc.so.12
	(gdb) bt
	#0  0x00007ed8eb9a4f9a in _lwp_kill () from /lib/libc.so.12
	#1  0x00007ed8eb9a4bc7 in abort () at /usr/src/lib/libc/stdlib/abort.c:74
	#2  0x00007ed8eb8de8f2 in rtree_child_leaf_tryread (elm=<optimized out>, dependent=<optimized out>)
	    at /usr/src/external/bsd/jemalloc/lib/../dist/src/rtree.c:205
	#3  0x00007ed8eb8deb9c in je_rtree_leaf_elm_lookup_hard (tsdn=<optimized out>, rtree=0x7ed8ebc1d6a0 <je_extents_rtree>,
	    rtree_ctx=0x7ed8ec7c6068, rtree_ctx@entry=0x7ed8ec77fe04, key=6510615555426900570, key@entry=139470145322456,
	    dependent=dependent@entry=true, init_missing=init_missing@entry=false)
	    at /usr/src/external/bsd/jemalloc/lib/../dist/src/rtree.c:292
	#4  0x00007ed8eb932f5b in rtree_leaf_elm_lookup (rtree=<optimized out>, init_missing=false, dependent=true,
	    key=key@entry=139470145322456, rtree_ctx=rtree_ctx@entry=0x7ed8ec77fe04, tsdn=tsdn@entry=0x7ed8ec77fddc)
	    at /usr/src/external/bsd/jemalloc/lib/../include/jemalloc/internal/rtree.h:381
	#5  rtree_read (rtree=<optimized out>, dependent=true, key=key@entry=139470145322456, rtree_ctx=rtree_ctx@entry=0x7ed8ec77fe04,
	    tsdn=tsdn@entry=0x7ed8ec77fddc) at /usr/src/external/bsd/jemalloc/lib/../include/jemalloc/internal/rtree.h:406
	#6  rtree_szind_slab_read (tsdn=tsdn@entry=0x7ed8ec7c6040, rtree_ctx=rtree_ctx@entry=0x7ed8ec7c6068,
	    key=key@entry=6510615555426900570, r_szind=r_szind@entry=0x7ed8ec77fdd8, r_slab=r_slab@entry=0x7ed8ec77fddc, dependent=true,
	    rtree=<optimized out>) at /usr/src/external/bsd/jemalloc/lib/../include/jemalloc/internal/rtree.h:458
	#7  0x00007ed8eb9368c6 in ifree (tsd=0x7ed8ec7c6040, ptr=0x5a5a5a5a5a5a5a5a, tcache=0x7ed8ec7c6200, slow_path=<optimized out>)
	    at /usr/src/external/bsd/jemalloc/lib/../dist/src/jemalloc.c:2239
	#8  0x00007ed8eb93a255 in free (ptr=0x5a5a5a5a5a5a5a5a) at /usr/src/external/bsd/jemalloc/lib/../dist/src/jemalloc.c:2433
	#9  0x00000001aa403063 in portal_node_reclaim (pu=<optimized out>, opc=0x7ed8ec7b7020) at /usr/src/sbin/mount_portal/puffs_portal.c:812
	#10 0x00007ed8ec008e3b in dispatch (pcc=pcc@entry=0x7ed8ec740000) at /usr/src/lib/libpuffs/dispatcher.c:876
	#11 0x00007ed8ec009495 in puffs__ml_dispatch (pu=0x7ed8ec7ab000, pb=0x7ed8ec795050) at /usr/src/lib/libpuffs/dispatcher.c:64
	#12 0x00007ed8ec00b90e in puffs__framev_input (pu=pu@entry=0x7ed8ec7ab000, fctrl=0x7ed8ec7ab5f8, fio=fio@entry=0x7ed8ec79d060)
	    at /usr/src/lib/libpuffs/framebuf.c:699
	#13 0x00007ed8ec00d80b in puffs__theloop (pcc=<optimized out>) at /usr/src/lib/libpuffs/puffs.c:909
	#14 0x00007ed8eb86b3a0 in ?? () from /lib/libc.so.12
	Backtrace stopped: Cannot access memory at address 0x7ed8ec780000

>Fix:
	No idea ATM, sorry.  As a possible workaround reverting
	puffs_portal.c to -r1.8 avoids that.

Prev by Date: NetBSD Nightly Trouble Ticket Report
Next by Date: kern/54223: -current 190522 panic: kernel diagnostic assertion "umap->refcount != 0" (/dev/kmem access)
Previous by Thread: Re: PR/50168 Frequent lockups and panics with NetBSD 7/amd64, may be ipfilter-related
Next by Thread: Re: bin/54222: mount_portal(8) invalid free() after src/sbin/mount_portal/puffs_portal.c,-r1.9
Indexes:

Home | Main Index | Thread Index | Old Index