Bug #5440
bad free at checkauth+0x1a2()
Start date: 2014-12-17
Due date:
% Done: 100%
Estimated time:
Difficulty: Medium
Tags: needs-triage
Gerrit CR:
Description
panic[cpu10]/thread=ffffff2682975c40: vmem_hash_delete(ffffff25d6c0d000, ffffff0118d878b0, 8359543808): bad free

vpanic()
vmem_hash_delete+0x9b(ffffff25d6c0d000, ffffff0118d878b0, 1f2448400)
vmem_xfree+0x4b(ffffff25d6c0d000, ffffff0118d878b0, 1f2448400)
vmem_free+0x23(ffffff25d6c0d000, ffffff0118d878b0, 1f2448400)
kmem_free+0x128(ffffff0118d878b0, 1f2448400)
checkauth+0x1a2(ffffff267c912100, ffffff0118d87ca0, ffffff26966ae2b0, 1, 0, ffffff0118d87bb4)
common_dispatch+0x28d(ffffff0118d87ca0, ffffff267d077400, 2, 4, fffffffff85a1016, ffffffffc020e060)
rfs_dispatch+0x2d(ffffff0118d87ca0, ffffff267d077400)
svc_getreq+0x1c1(ffffff267d077400, ffffff262b011460)
svc_run+0xe0(ffffff2693b1f918)
svc_do_run+0x8e(1)
nfssys+0xf1(e, fdba0fbc)
_sys_sysenter_post_swapgs+0x149()
Root cause:
There is an assumption in the checkauth() implementation that the nfsauth_access() call will always initialize both ngids and gids. This is almost always true, with one exception (line 1138):
1133 	if (i >= exi->exi_export.ex_seccnt) {
1134 		/*
1135 		 * Flavor not found, but use AUTH_NONE if it exists
1136 		 */
1137 		if (authnone_entry == -1)
1138 			return (NFSAUTH_DENIED);
1139 		flavor = AUTH_NONE;
1140 		mapaccess = NFSAUTH_MAPNONE;
1141 		i = authnone_entry;
1142 	}
In this case nfsauth_access() returns with both ngids and gids left uninitialized, and checkauth() then passes the stack garbage in gids to kmem_free(), which is the bad free in the panic above.
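The root cause above reduced to a small C model, added here as an illustration and not the illumos code: access_buggy() has the same shape as the "flavor not found" path (an early return that never writes its output parameters), access_fixed() defines both outputs on every path, and caller_frees_gids() mirrors a caller that frees gids whenever ngids is non-zero. The struct sec_entry table, the poison sentinel and all function names are constructed for this demo; the real fix in the commit below may differ in where it initializes the values.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the per-export security flavor table;
 * not the illumos exportinfo structures. */
struct sec_entry {
    int flavor;
    unsigned int ngroups;   /* groups the flavor maps the caller to */
};

#define ACCESS_OK      1
#define ACCESS_DENIED  0

/* Sentinel the demo caller plants so it can tell whether the callee
 * wrote its output parameters. Constructed for the demo only. */
#define NGIDS_POISON   0xdeadbeefu

typedef int (*access_fn)(const struct sec_entry *, size_t, int,
                         unsigned int *, unsigned int **);

/* Buggy shape: the "flavor not found" early return leaves *ngids and
 * *gids exactly as the caller passed them (stack garbage in practice). */
static int access_buggy(const struct sec_entry *tbl, size_t n, int flavor,
                        unsigned int *ngids, unsigned int **gids)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (tbl[i].flavor == flavor)
            break;
    if (i >= n)
        return ACCESS_DENIED;          /* outputs never initialized */
    *ngids = tbl[i].ngroups;
    *gids = *ngids ? calloc(*ngids, sizeof(**gids)) : NULL;
    return ACCESS_OK;
}

/* Fixed shape: every path, including the early return, defines outputs. */
static int access_fixed(const struct sec_entry *tbl, size_t n, int flavor,
                        unsigned int *ngids, unsigned int **gids)
{
    size_t i;
    *ngids = 0;
    *gids = NULL;
    for (i = 0; i < n; i++)
        if (tbl[i].flavor == flavor)
            break;
    if (i >= n)
        return ACCESS_DENIED;
    *ngids = tbl[i].ngroups;
    *gids = *ngids ? calloc(*ngids, sizeof(**gids)) : NULL;
    return ACCESS_OK;
}

/* Caller with the shape the report describes for checkauth(): after the
 * access check it frees gids whenever ngids is non-zero. Returns 1 if the
 * callee left the outputs untouched (the condition that becomes a bad
 * free with real stack garbage), 0 if the outputs were well defined. */
static int caller_frees_gids(access_fn fn, const struct sec_entry *tbl,
                             size_t n, int flavor)
{
    unsigned int ngids = NGIDS_POISON;
    unsigned int *gids = (unsigned int *)0x1;  /* deliberately bogus */

    (void)fn(tbl, n, flavor, &ngids, &gids);

    if (ngids == NGIDS_POISON)
        return 1;       /* would have handed 0x1 to the allocator */
    if (ngids != 0)
        free(gids);     /* safe: the callee allocated this */
    return 0;
}

/* Constructed sample table: one flavor without groups, one with two. */
static const struct sec_entry demo_table[] = {
    { 1, 0 },
    { 6, 2 },
};
#define DEMO_N (sizeof(demo_table) / sizeof(demo_table[0]))

int main(void)
{
    printf("buggy, unknown flavor: uninitialized=%d\n",
           caller_frees_gids(access_buggy, demo_table, DEMO_N, 99));
    printf("fixed, unknown flavor: uninitialized=%d\n",
           caller_frees_gids(access_fixed, demo_table, DEMO_N, 99));
    printf("fixed, known flavor:   uninitialized=%d\n",
           caller_frees_gids(access_fixed, demo_table, DEMO_N, 6));
    return 0;
}
```

Either side of the interface can close the hole: the callee can define its outputs before any early return (as access_fixed() does), or the caller can initialize ngids to 0 and gids to NULL before the call so a denied lookup frees nothing. Doing both is the defensive choice, since it does not depend on every future return path remembering the contract.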
Updated by Electric Monk about 6 years ago
- Status changed from Pending RTI to Closed
- % Done changed from 0 to 100
git commit 9e835c7628dd0e7764a8341a1774a878dc0b024f
commit 9e835c7628dd0e7764a8341a1774a878dc0b024f
Author: Marcel Telka <marcel.telka@nexenta.com>
Date:   2014-12-17T16:25:16.000Z

    5440 bad free at checkauth+0x1a2()
    Reviewed by: Jan Kryl <jan.kryl@nexenta.com>
    Reviewed by: Josef 'Jeff' Sipek <josef.sipek@nexenta.com>
    Reviewed by: Jason King <jason.brian.king@gmail.com>
    Approved by: Dan McDonald <danmcd@omniti.com>