
Bug #1486

segfault in rpc.mountd while mounting a nfs share

Added by Dieter Bloms over 5 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
High
Assignee:
-
Category:
Base libraries
Target version:
Start date:
12/03/2012
Due date:
% Done:

100%

Estimated time:
Affected versions:

Description

I've installed a fresh alpinelinux 2.5.0 64bit as domU and installed all packages from 02.12.2012.
The nfs server was started successfully and I can see the shares with showmount.
When I try to mount a share the mount command hangs and I see a segfault of rpc.mountd:

--snip--
rpc.mountd929: segfault at 6ce59661b6b8 ip 00006cdd963f4d96 sp 00007c35b8f72880 error 4 in libuClibc-0.9.33.2.so[6cdd963a9000+6b000]
--snip--

After that I rebuilt the nfs-utils package with DEBUG=1 in the environment to get debug symbols for the backtrace.
I attached some files with the output of dmesg, the backtrace, the exports file ...

If you need any further information, don't hesitate to contact me ;)

backtrace (2.11 KB) - backtrace from gdb - Dieter Bloms, 12/03/2012 02:37 PM
dmesg (9.55 KB) - dmesg output - Dieter Bloms, 12/03/2012 02:37 PM
exports (916 Bytes) - exports of the share - Dieter Bloms, 12/03/2012 02:37 PM

Associated revisions

Revision 95e73982 (diff)
Added by Natanael Copa over 5 years ago

main/nfs-utils: fix for wrong getaddrinfo assumptions

The nfs-utils assumes getaddrinfo(AI_NUMERICHOST) never fills in
ai_canonname, but it appears to do so on uclibc. It also assumes that if it
is filled in, it will be allocated separately and that freeaddrinfo() will
free it. This is not what uclibc does.

This patch should fix a potential memleak on nfs server and probably it
will fix nfs server on x86_64

ref #1486

Revision d62c4efd (diff)
Added by Natanael Copa over 5 years ago

main/nfs-utils: fix for wrong getaddrinfo assumptions

The nfs-utils assumes getaddrinfo(AI_NUMERICHOST) never fills in
ai_canonname, but it appears to do so on uclibc. It also assumes that if it
is filled in, it will be allocated separately and that freeaddrinfo() will
free it. This is not what uclibc does.

This patch should fix a potential memleak on nfs server and probably it
will fix nfs server on x86_64

ref #1486
(cherry picked from commit 95e73982d6b68780a74a677f0fada23e6392e2fc)

Revision 4b87ac9b (diff)
Added by Natanael Copa over 5 years ago

main/nfs-utils: fix previous patch

fixes #1486

(cherry picked from commit 84ad0cd074a4f7e337d0f4f0d4b1fea5a24bea5f)

History

#1 Updated by Natanael Copa over 5 years ago

I remember that right after the 2.4 release, we pulled in uclibc from edge by mistake and uclibc from edge was updated to 0.9.33.2. And this issue showed up. As far as I understand this only affects x86_64.

I am fairly confident that one of the commits between v0.9.33.1 and v0.9.33.2 introduces this error:
http://git.uclibc.org/uClibc/log/?h=v0.9.33.2

We should build uclibc with debugging and generate a new backtrace.

#2 Updated by Natanael Copa over 5 years ago

The nfs-utils code seems to do a free() "just in case", which I think is wrong. Also, .ai_socktype is not initialized which might cause problems.

Can you try this patch for nfs-utils?

--- ./support/export/hostname.c.orig
+++ ./support/export/hostname.c
@@ -101,6 +101,7 @@
                .ai_protocol    = (int)IPPROTO_UDP,
                .ai_flags       = AI_NUMERICHOST,
                .ai_family      = AF_UNSPEC,
+               .ai_socktype    = 0,
        };
        struct sockaddr_in sin;
        int error, inet4;
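Review bot: The added `.ai_socktype = 0` changes nothing at runtime; with a designated initializer every member not named in the list is already zero-initialized, so ai_socktype was 0 before this hunk too. If the intent is to restrict results to one socket type to match the `.ai_protocol = (int)IPPROTO_UDP` hint above it, `SOCK_DGRAM` is the value that does that; otherwise keep the line purely as documentation or drop it.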
@@ -350,7 +351,6 @@
         * getaddrinfo(AI_NUMERICHOST) never fills in ai_canonname
         */
        if (ai != NULL) {
-               free(ai->ai_canonname);         /* just in case */
                ai->ai_canonname = strdup(buf);
                if (ai->ai_canonname == NULL) {
                        freeaddrinfo(ai);
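Review bot: Removing the free() leaves the unconditional `ai->ai_canonname = strdup(buf);` in place, so on a libc where getaddrinfo(AI_NUMERICHOST) did fill in ai_canonname (the situation being debugged, contrary to the comment just above the if) the original pointer is overwritten without being released, and whether the strdup() result is ever freed then depends on what that libc's freeaddrinfo() does with ai_canonname. If the comment holds, the removed free(NULL) was a no-op and the hunk changes nothing. Guarding the assignment instead, `if (ai != NULL && ai->ai_canonname == NULL)`, avoids both freeing a pointer that is not a separate allocation and overwriting it, on any libc.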

#3 Updated by Natanael Copa over 5 years ago

Natanael Copa wrote:

The nfs-utils code seems to do a free() "just in case", which I think is wrong. Also, .ai_socktype is not initialized which might cause problems.

Can you try this patch for nfs-utils?
[...]

I think it assumes too much. uclibc will indeed set ai_canonname, but it will not be allocated separately. It means that nfs server is currently leaking memory due to the strdup that never gets freed.

This patch should be better:

--- ./support/export/hostname.c.orig
+++ ./support/export/hostname.c
@@ -101,6 +101,7 @@
                .ai_protocol    = (int)IPPROTO_UDP,
                .ai_flags       = AI_NUMERICHOST,
                .ai_family      = AF_UNSPEC,
+               .ai_socktype    = 0,
        };
        struct sockaddr_in sin;
        int error, inet4;
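Review bot: `.ai_socktype = 0` is redundant here; the designated initializer already zero-initializes the members it does not name, so ai_socktype was 0 without this line. If a single socket type is wanted to go with the `.ai_protocol = (int)IPPROTO_UDP` hint, that would be `SOCK_DGRAM`; otherwise the line is documentation only.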
@@ -382,7 +383,9 @@

        /*
         * getaddrinfo(AI_NUMERICHOST) never fills in ai_canonname
+        * ...well, it does on uclibc.
         */
+#ifndef __UCLIBC__
        if (ai != NULL) {
                ai->ai_canonname = strdup(buf);
                if (ai->ai_canonname == NULL) {
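Review bot: The `#ifndef __UCLIBC__` keys the fix to one libc name, so any other libc that fills in ai_canonname without a separate allocation still gets the overwrite and the leak described in this comment. A runtime check on the returned pointer, `if (ai != NULL && ai->ai_canonname == NULL)`, covers that case and keeps the strdup()/error path compiled everywhere. The edited comment should also state the ownership consequence (on uclibc ai_canonname is part of the addrinfo allocation, so it must be neither replaced nor freed) rather than only "...well, it does on uclibc."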
@@ -390,6 +393,7 @@
                        ai = NULL;
                }
        }
+#endif

        return ai;
 }
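Review bot: Label the closing directive `#endif /* __UCLIBC__ */`; its matching `#ifndef` is in the previous hunk, about a dozen lines up, and with `__UCLIBC__` defined this also compiles out the `ai = NULL;` failure handling, which is only correct because no strdup() happens on that path. A one-line comment saying so would save the next reader the inference.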

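Comment #3 above turns on who owns ai_canonname after getaddrinfo(AI_NUMERICHOST): on some libcs it is NULL, on uclibc 0.9.33.2 it is set but is not a separate allocation, so freeing or replacing it is wrong. The following C program is an added example, not nfs-utils code and not from this thread. It probes whether the running libc fills in ai_canonname for a numeric lookup (the check a packager would run before trusting the assumption), and shows a resolver wrapper that keeps the caller's canonical name in its own field instead of writing into struct addrinfo, so freeaddrinfo() semantics stop mattering. `struct host_addr`, `host_addr_numeric`, `libc_fills_canonname`, the other helper names and the documentation address 192.0.2.1 are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L   /* getaddrinfo(), strdup() under strict -std= modes */
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Probe: does this libc fill in ai_canonname for a numeric lookup that did
 * not ask for AI_CANONNAME?  Comment #3 says uclibc 0.9.33.2 does.
 * Returns 1 if filled in, 0 if left NULL, -1 if getaddrinfo() failed.
 * The address is a constructed sample from the 192.0.2.0/24 documentation range. */
int libc_fills_canonname(void)
{
    struct addrinfo hint = {
        .ai_flags  = AI_NUMERICHOST,
        .ai_family = AF_UNSPEC,
    };
    struct addrinfo *ai = NULL;
    int filled;

    if (getaddrinfo("192.0.2.1", NULL, &hint, &ai) != 0 || ai == NULL)
        return -1;
    filled = (ai->ai_canonname != NULL);
    freeaddrinfo(ai);          /* we never touched ai_canonname, so this is safe on any libc */
    return filled;
}

/* Hypothetical caller-side record: the canonical name lives OUTSIDE the
 * addrinfo, so its lifetime is ours and never depends on freeaddrinfo(). */
struct host_addr {
    struct addrinfo *ai;       /* released with freeaddrinfo() */
    char *canonname;           /* released with free() */
};

/* Parse a presentation-format address; AI_NUMERICHOST means no DNS traffic.
 * Returns 0 on success and fills *out; -1 on failure with *out zeroed. */
int host_addr_numeric(const char *name, struct host_addr *out)
{
    struct addrinfo hint = {
        .ai_flags    = AI_NUMERICHOST,
        .ai_family   = AF_UNSPEC,
        .ai_socktype = SOCK_DGRAM,          /* one entry per address, matching the UDP hint */
        .ai_protocol = (int)IPPROTO_UDP,
    };
    struct addrinfo *ai = NULL;

    out->ai = NULL;
    out->canonname = NULL;
    if (getaddrinfo(name, NULL, &hint, &ai) != 0)
        return -1;
    out->canonname = strdup(name);          /* our copy; ai->ai_canonname is left alone */
    if (out->canonname == NULL) {
        freeaddrinfo(ai);
        return -1;
    }
    out->ai = ai;
    return 0;
}

/* Release both parts; each goes back through the allocator that made it. */
void host_addr_free(struct host_addr *h)
{
    free(h->canonname);
    if (h->ai != NULL)
        freeaddrinfo(h->ai);
    h->canonname = NULL;
    h->ai = NULL;
}

/* Address family of the first result, or -1 if the string is not numeric. */
int numeric_family(const char *name)
{
    struct host_addr h;
    int family;

    if (host_addr_numeric(name, &h) != 0)
        return -1;
    family = h.ai->ai_family;
    host_addr_free(&h);
    return family;
}

/* 1 if the wrapper's own canonname equals the input after a round trip, else 0. */
int canonname_is(const char *name)
{
    struct host_addr h;
    int same;

    if (host_addr_numeric(name, &h) != 0)
        return 0;
    same = (strcmp(h.canonname, name) == 0);
    host_addr_free(&h);
    return same;
}
```

Running `libc_fills_canonname()` on the affected uclibc build is expected to return 1 and on glibc 0; the wrapper works identically in both cases because it never reads, replaces or frees `ai->ai_canonname`, which is the property the patches in this thread are trying to recover with `#ifndef __UCLIBC__`.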
#4 Updated by Natanael Copa over 5 years ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100

#5 Updated by Natanael Copa over 5 years ago

  • Status changed from Resolved to Closed
