Bug #393

closed

Invalid nd_hostservlist contents crash mountd

Added by Albert Lee over 11 years ago. Updated over 10 years ago.

Status: Resolved
Priority: Low
Assignee:
Category: lib - userland libraries
Start date: 2010-11-02
Due date:
% Done: 100%
Estimated time:
Difficulty: Medium
Tags:
Gerrit CR:

Description

In some cases mount crashes in do_logging_queue:

> $C
fe34ffa8 do_logging_queue+0x49(80615a0, 8060998, fe34ffc8, 8055e0a)
fe34ffc8 logging_svc+0x52(0, fef60000, fe34ffe8, feedd72e)
fe34ffe8 libc_hwcap2.so.1`_thrp_setup+0x9b(fede1a40)
fe34fff8 libc_hwcap2.so.1`_lwp_start(fede1a40, 0, 0, 0, 0, 0)
> ::regs
%cs = 0x0043            %eax = 0x4d580000 
%ds = 0x004b            %ebx = 0x00000000 
%ss = 0x004b            %ecx = 0x00000000 
%es = 0x004b            %edx = 0xfef61014 libc_hwcap2.so.1`libc_malloc_lock+0xc
%fs = 0x0000            %esi = 0x080615a0 
%gs = 0x01c3            %edi = 0x00000000 

 %eip = 0x08055d3d do_logging_queue+0x49
 %ebp = 0xfe34ffa8
%kesp = 0x00000000

%eflags = 0x00010246
  id=0 vip=0 vif=0 ac=0 vm=0 rf=1 nt=0 iopl=0x0
  status=<of,df,IF,tf,sf,ZF,af,PF,cf>
> do_logging_queue+0x49::dis
do_logging_queue+0x2f:          pushl  %eax
do_logging_queue+0x30:          pushl  0x10(%esi)
do_logging_queue+0x33:          call   +0xad8   <getclientsnames_lazy>
do_logging_queue+0x38:          addl   $0x10,%esp
do_logging_queue+0x3b:          testl  %eax,%eax
do_logging_queue+0x3d:          je     +0x4     <do_logging_queue+0x43>
do_logging_queue+0x3f:          xorl   %ebx,%ebx
do_logging_queue+0x41:          jmp    +0x8     <do_logging_queue+0x4b>
do_logging_queue+0x43:          movl   -0x1c(%ebp),%eax
do_logging_queue+0x46:          movl   0x4(%eax),%eax
do_logging_queue+0x49:          movl   (%eax),%ebx
do_logging_queue+0x4b:          subl   $0x4,%esp
do_logging_queue+0x4e:          pushl  0xc(%esi)
do_logging_queue+0x51:          pushl  0x4(%esi)
do_logging_queue+0x54:          pushl  %ebx
do_logging_queue+0x55:          call   -0x11f6  <PLT:audit_mountd_mount>
do_logging_queue+0x5a:          addl   $0x10,%esp
do_logging_queue+0x5d:          movl   0x8(%esi),%eax
do_logging_queue+0x60:          testl  %eax,%eax
do_logging_queue+0x62:          je     +0xd     <do_logging_queue+0x71>
do_logging_queue+0x64:          subl   $0x8,%esp

This corresponds with http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/cmd/fs.d/nfs/mountd/mountd.c#304
host = clnames->h_hostservs[0].h_host;

With some debug info:
Nov  2 15:42:09 server nfs4cbd[1511]: [ID 867284 daemon.notice] nfsv4 cannot determine local hostname binding for transport tcp - delegations will not be available on this transport
Nov  2 15:42:39 server mountd[1453]: [ID 175181 daemon.error] lq->ld_netid = tcp
Nov  2 15:42:39 server mountd[1453]: [ID 589989 daemon.error] Could not find DNS entry for tcp
Nov  2 15:42:39 server mountd[1453]: [ID 708950 daemon.error] clnames = 0x8071998
Nov  2 15:42:39 server mountd[1453]: [ID 589525 daemon.error] clnames->h_cnt = 4
Nov  2 15:42:39 server mountd[1453]: [ID 318296 daemon.error] clnames->h_hostservs = 0x4d580000

0x4d580000 is unmapped, so getclientsnames_lazy is screwing up.
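
Added illustration, not part of the original report and not the illumos fix: a sketch of the contract the trace shows being violated, where a lookup reports success (0) but leaves a list that cannot be dereferenced. lookup_names and first_host are hypothetical names, and the two structs are a local mirror of the <netdir.h> layout.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Local mirror of the <netdir.h> layout so the example builds anywhere. */
struct nd_hostserv { char *h_host; char *h_serv; };
struct nd_hostservlist { int h_cnt; struct nd_hostserv *h_hostservs; };

/* Hypothetical resolver: 0 and a complete list, or -1 and *out == NULL. */
static int lookup_names(const char *name, struct nd_hostservlist **out)
{
	struct nd_hostservlist *l;

	*out = NULL;		/* defined value on every failure path */
	if (name == NULL || *name == '\0')
		return (-1);	/* constructed "no DNS entry" case */
	if ((l = calloc(1, sizeof (*l))) == NULL)
		return (-1);
	l->h_hostservs = calloc(1, sizeof (*l->h_hostservs));
	if (l->h_hostservs != NULL &&
	    (l->h_hostservs[0].h_host = malloc(strlen(name) + 1)) != NULL)
		strcpy(l->h_hostservs[0].h_host, name);
	if (l->h_hostservs == NULL || l->h_hostservs[0].h_host == NULL) {
		free(l->h_hostservs);
		free(l);
		return (-1);	/* never hand back a half-built list */
	}
	l->h_cnt = 1;
	*out = l;
	return (0);
}

/* Host to log, or NULL. A wild non-NULL h_hostservs is undetectable here. */
static const char *first_host(int rc, const struct nd_hostservlist *l)
{
	if (rc != 0 || l == NULL || l->h_cnt < 1 || l->h_hostservs == NULL)
		return (NULL);
	return (l->h_hostservs[0].h_host);
}

int main(void)
{
	struct nd_hostservlist *l = NULL;
	int rc = lookup_names("", &l);	/* constructed failing lookup */

	puts(first_host(rc, l) != NULL ? "host known" : "host unknown");
	return (0);
}
```

The caller-side checks catch a NULL or empty list only; a garbage pointer such as the 0x4d580000 above has to be prevented on the producer side, by never returning 0 with a partially filled list.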


Related issues

Has duplicate illumos gate - Bug #1878: mountd crashes during unsuccessful NFS mount (Closed, 2011-12-10)
