[Bugs] [Bug 1697971] Segfault in FUSE process, potential use after free

bugzilla at redhat.com bugzilla at redhat.com
Thu Mar 5 15:53:32 UTC 2020


https://bugzilla.redhat.com/show_bug.cgi?id=1697971

Xavi Hernandez <jahernan at redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED



--- Comment #29 from Xavi Hernandez <jahernan at redhat.com> ---
Finally I've been able to cause the same issue with the master branch. I needed
to add artificial delays and use gfapi to trigger the bug, but the race is
there and under certain workloads it could manifest.

The backtrace I've got is the same:

(gdb) bt
#0  0x00007ffff7f77e74 in pthread_mutex_lock () from /lib64/libpthread.so.0
#1  0x00007ffff0fb5145 in ob_fd_free (ob_fd=0x7fffd40063d0) at open-behind.c:214
#2  0x00007ffff0fb5b18 in ob_inode_wake (this=this@entry=0x7fffe4018fb0, ob_fds=ob_fds@entry=0x7ffff062ded0) at open-behind.c:361
#3  0x00007ffff0fb5ed1 in open_all_pending_fds_and_resume (this=this@entry=0x7fffe4018fb0, inode=0x4b12b8, stub=0x7fffd400f138) at open-behind.c:453
#4  0x00007ffff0fb61c3 in ob_rename (frame=frame@entry=0x7fffd4007c28, this=0x7fffe4018fb0, src=src@entry=0x7fffcc0025f0, dst=dst@entry=0x7fffcc002630, xdata=xdata@entry=0x0) at open-behind.c:1057
#5  0x00007ffff0f927a3 in mdc_rename (frame=frame@entry=0x7fffd4007da8, this=0x7fffe401abc0, oldloc=oldloc@entry=0x7fffcc0025f0, newloc=newloc@entry=0x7fffcc002630, xdata=xdata@entry=0x0) at md-cache.c:1848
#6  0x00007ffff7cf5c7c in default_rename_resume (frame=0x7fffcc001bf8, this=0x7fffe401c7d0, oldloc=0x7fffcc0025f0, newloc=0x7fffcc002630, xdata=0x0) at defaults.c:1897
#7  0x00007ffff7c77785 in call_resume (stub=0x7fffcc0025a8) at call-stub.c:2392
#8  0x00007ffff0f82700 in iot_worker (data=0x7fffe402e970) at io-threads.c:232
#9  0x00007ffff7f754e2 in start_thread () from /lib64/libpthread.so.0
#10 0x00007ffff7ea46d3 in clone () from /lib64/libc.so.6

The issue is caused by a missing reference on an fd. I'll fix it.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
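The root cause named in the comment (a pending-open queue entry reaching into an fd it never took a reference on, so the wake path touches the fd after the application's last release) modelled as a small C program. This is an added illustration, not GlusterFS code: the types and functions (fd_t, ob_fd_t, ob_fd_enqueue, ob_fd_wake_and_free, run_scenario) are constructed for the example, and the "freed" poison flag stands in for what a real allocator plus ASan would report.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of a refcounted fd, not the real GlusterFS struct. */
typedef struct {
    int refcount;
    bool freed;      /* poison flag: set when the last reference is dropped */
} fd_t;

/* Constructed model of a pending-open queue entry holding an fd pointer. */
typedef struct {
    fd_t *fd;
} ob_fd_t;

static fd_t *fd_ref(fd_t *fd) { fd->refcount++; return fd; }

/* Drops one reference. On the last one the object is "freed": the memory is
 * kept and poisoned here so the misuse below is observable instead of UB. */
static void fd_unref(fd_t *fd) {
    if (--fd->refcount == 0)
        fd->freed = true;
}

/* Queue a pending open. The buggy variant stores only the raw pointer;
 * the fixed variant takes a reference owned by the queue entry. */
static void ob_fd_enqueue(ob_fd_t *ob, fd_t *fd, bool take_ref) {
    ob->fd = take_ref ? fd_ref(fd) : fd;
}

/* Wake path: touches the fd (as locking fd->lock would), then releases the
 * queue entry's own reference, if it has one. Returns -1 on use-after-free. */
static int ob_fd_wake_and_free(ob_fd_t *ob, bool owns_ref) {
    if (ob->fd->freed)
        return -1;          /* the application already dropped its last ref */
    if (owns_ref)
        fd_unref(ob->fd);
    ob->fd = NULL;
    return 0;
}

/* Runs the race deterministically. 0 = clean, -1 = use-after-free,
 * -2 = the fix leaked a reference (object never reached refcount 0). */
int run_scenario(bool queue_takes_ref) {
    fd_t fd = { .refcount = 1, .freed = false };  /* application's reference */
    ob_fd_t ob;
    ob_fd_enqueue(&ob, &fd, queue_takes_ref);
    fd_unref(&fd);          /* application closes before the wake runs */
    int rc = ob_fd_wake_and_free(&ob, queue_takes_ref);
    if (rc != 0)
        return rc;
    return (fd.refcount == 0 && fd.freed) ? 0 : -2;
}
```

Running `run_scenario(false)` reproduces the pattern behind frame #1 of the backtrace (the wake path reaches a released fd), while `run_scenario(true)` shows the queue entry's own reference keeping the fd alive until the wake completes, with no leak left behind.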
