FreeBSD Mail Archives

Date:      Fri, 8 Nov 1996 00:41:13 +0100 (MET)
From:      Tor Egge <Tor.Egge@idt.ntnu.no>
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   bin/1974: amd crashes with signal 11
Message-ID:  <199611072341.AAA01663@ikke.idt.unit.no>
Resent-Message-ID: <199611072350.PAA28445@freefall.freebsd.org>

next in thread | raw e-mail | index | archive | help


>Number:         1974
>Category:       bin
>Synopsis:       amd crashes with signal 11
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Nov  7 15:50:02 PST 1996
>Last-Modified:
>Originator:     Tor Egge
>Organization:
Norwegian University of Science and Technology, Trondheim, Norway
>Release:        FreeBSD 2.2-CURRENT i386
>Environment:

FreeBSD ikke.idt.unit.no 2.2-CURRENT FreeBSD 2.2-CURRENT #3: Sun Nov  3 06:22:40 MET 1996     root@ikke.idt.unit.no:/usr/src/sys-UP/compile/TEGGE  i386

-r-xr-xr-x   1 bin      bin         77824 Oct 24 01:30 /usr/sbin/amd*

and /etc/malloc.conf symlinked to AJ

>Description:

	Amd crashes with signal 11 when a filesystem mounted 
	by amd becomes unavailable.

(gdb) where
#0  0x2617 in afs_lookuppn (mp=0x57200, 
    fname=0x4d120 "s:=\"/etc/amd/mail\";type:=direct", 
    error_return=0xdfbfd730, op=1) at /usr/src/usr.sbin/amd/amd/afs_ops.c:1548
#1  0x2886 in dfs_readlink (mp=0x57200, error_return=0xdfbfd74c)
    at /usr/src/usr.sbin/amd/amd/afs_ops.c:1718
#2  0x88e4 in do_readlink (mp=0x57200, error_return=0xdfbfd76c, 
    attrpp=0xdfbfd768) at /usr/src/usr.sbin/amd/amd/nfs_subr.c:73
#3  0x8972 in nfsproc_getattr_2 (argp=0xdfbfd790, rqstp=0xdfbfdcc0)
    at /usr/src/usr.sbin/amd/amd/nfs_subr.c:134
#4  0x82c5 in nfs_program_2 (rqstp=0xdfbfdcc0, transp=0x4e180)
    at /usr/src/usr.sbin/amd/amd/../rpcx/nfs_prot_svc.c:189
#5  0x171de in svc_getreqset ()
#6  0x85fb in run_rpc () at /usr/src/usr.sbin/amd/amd/nfs_start.c:297
#7  0x8882 in mount_automounter (ppid=126)
    at /usr/src/usr.sbin/amd/amd/nfs_start.c:429
#8  0xcb15 in main (argc=21, argv=0xdfbfddb4)
    at /usr/src/usr.sbin/amd/amd/amd.c:340
(gdb) list 1540,1551
1540             */
1541            error = afs_bgmount(cp, error);
1542            reschedule_timeout_mp();
1543            if (!error) {
1544                    free(fname);
1545                    return new_mp;
1546            }
1547
1548            if (error && (cp->mp->am_mnt->mf_ops == &efs_ops))
1549                    cp->mp->am_error = error;
1550
1551            assign_error_mntfs(new_mp);


cp was freed by afs_bgmount and is used afterwards :-(

>How-To-Repeat:

	symlink /etc/malloc.conf to AJ, restart amd. Play
	havoc with your network (e.g. pull the plug) to trigger
	an EAGAIN error. 

>Fix:

	Don't use freed memory.

>Audit-Trail:
>Unformatted:

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199611072341.AAA01663>

Header And Logo

Peripheral Links

Site Navigation

Header And Logo

Peripheral Links

Search

Site Navigation