Bug #6374

mount(1M) dumps core in check_fields()

Added by James Dickens about 5 years ago. Updated about 5 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: cmd - userland programs
Start date: 2015-10-22
Due date:
% Done: 100%
Estimated time:
Difficulty: Medium
Tags: needs-triage
Gerrit CR:

Description

This is an OmniOS bloody box.

    # truss mount -o vers=3 lenovo:/shotglass/torrent /sgt
    execve("/sbin/mount", 0x08047DC8, 0x08047DE0) argc = 5
    sysinfo(SI_MACHINE, "i86pc", 257) = 6
    mmap(0x00000000, 32, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANON, -1, 0) = 0xFEFB0000
    mmap(0x00000000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0) = 0xFEFA0000
    mmap(0x00000000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0) = 0xFEF90000
    mmap(0x00000000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANON, -1, 0) = 0xFEF80000
    memcntl(0xFEFB5000, 48456, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0
    memcntl(0x08050000, 8848, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0
    resolvepath("/lib/ld.so.1", "/lib/ld.so.1", 1023) = 12
    resolvepath("/sbin/mount", "/sbin/mount", 1023) = 11
    sysconfig(_CONFIG_PAGESIZE) = 4096
    stat64("/sbin/mount", 0x08047A5C) = 0
    open("/var/ld/ld.config", O_RDONLY) Err#2 ENOENT
    stat64("/lib/libc.so.1", 0x0804727C) = 0
    resolvepath("/lib/libc.so.1", "/lib/libc.so.1", 1023) = 14
    open("/lib/libc.so.1", O_RDONLY) = 3
    mmapobj(3, MMOBJ_INTERPRET, 0xFEF80AE8, 0x080472E8, 0x00000000) = 0
    close(3) = 0
    mmap(0x00000000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANON, -1, 0) = 0xFEE10000
    memcntl(0xFEE20000, 253116, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0
    mmap(0x00010000, 24576, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANON|MAP_ALIGN, -1, 0) = 0xFEE00000
    getcontext(0x0804789C)
    getrlimit(RLIMIT_STACK, 0x08047894) = 0
    getpid() = 1401 [1400]
    lwp_private(0, 1, 0xFEE02A40) = 0x000001C3
    setustack(0xFEE02AA0)
    lwp_cond_broadcast(0xFEE100FC) = 0
    lwp_cond_broadcast(0xFEF8062C) = 0
    sysi86(SI86FPSTART, 0xFEF73E4C, 0x0000133F, 0x00001F80) = 0x00000001
    brk(0x08067280) = 0
    brk(0x08069280) = 0
    open("/etc/vfstab", O_RDONLY) = 3
    llseek(3, 0, SEEK_CUR) = 0
    fstat64(3, 0x080479F0) = 0
    fstat64(3, 0x080478F0) = 0
    ioctl(3, TCGETA, 0x080479AE) Err#25 ENOTTY
    read(3, " # d e v i c e\t\t d e v".., 512) = 511
    sysconfig(_CONFIG_PAGESIZE) = 4096
    llseek(3, 0, SEEK_CUR) = 511
    close(3) = 0
    resolvepath("/sgt", "/sgt", 1024) = 4
    Incurred fault #6, FLTBOUNDS %pc = 0xFEE64A90
    siginfo: SIGSEGV SEGV_MAPERR addr=0x00000000
    Received signal #11, SIGSEGV [default]
    siginfo: SIGSEGV SEGV_MAPERR addr=0x00000000

yes the directory exists

    # mkdir /sgt
    mkdir: Failed to make directory "/sgt"; File exists

changing the mount point works

(lenovo is running ubuntu 14.04 with 0.6.5.2 ZFS on Linux if it matters)

    # mount lenovo:/shotglass/torrent /shotglass-sgt
    # df -h /shotglass-sgt/
    Filesystem Size Used Available Capacity Mounted on
    lenovo:/shotglass/torrent
    4.3T 4.3T 9.3G 100% /shotglass-sgt

Files

core.gz (700 KB) James Dickens, 2015-10-28 03:47 AM
#1

Updated by James Dickens about 5 years ago

/sgt is a regular directory.

# stat /sgt/
File: '/sgt/'
Size: 2 Blocks: 1 IO Block: 131072 directory
Device: 4150002h/68485122d Inode: 95143 Links: 2
Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2015-10-21 18:25:40.607140920 -0500
Modify: 2015-10-21 18:25:40.607140920 -0500
Change: 2015-10-21 18:25:40.607140920 -0500
Birth: 2015-10-21 18:25:40.607140920 -0500
#2

Updated by James Dickens about 5 years ago

core dump enclosed

#3

Updated by Marcel Telka about 5 years ago

James Dickens wrote:

core dump enclosed

Where is the core dump?

#4

Updated by Marcel Telka about 5 years ago

  • Status changed from New to Feedback

To work on this we need the core file, or at least the crash stack.

#5

Updated by James Dickens about 5 years ago

Let's try uploading again.

#6

Updated by Marcel Telka about 5 years ago

From the core file:

> ::status
debugging core file of mount (32-bit) from fileserv1
initial argv: mount -o vers=3 lenovo:/shotglass/torrent /sgt
threading model: native threads
status: process terminated by SIGSEGV (Segmentation Fault), addr=0
> ::stack
libc.so.1`strlen+0x30(0, 80680b0, 8047c78, 8047e34)
main+0x869(8047d8c, fef74688, 8047dc8, 8052793, 5, 8047dd4)
_start+0x83(5, 8047ea4, 8047eaa, 8047ead, 8047eb4, 8047ece)
>
#7

Updated by Marcel Telka about 5 years ago

  • Subject changed from NFS client core dumped on mount to mount(1M) dumps core in check_fields()
  • Category changed from nfs - NFS server and client to cmd - userland programs
  • Status changed from Feedback to In Progress
  • Assignee set to Marcel Telka

The segfault happened because the fstype was NULL when check_fields() was called here:

509    if (check_fields(fstype, mountp))
510        exit(1);

The problem is reproducible using these steps, for example:

# rm /etc/dfs/fstypes
# echo "" > /etc/dfs/fstypes
# mount -o vers=3 t1:/export /mnt
Segmentation Fault (core dumped)
# echo "::status ; ::stack " | mdb core
debugging core file of mount (32-bit) from t2
file: /sbin/mount
initial argv: mount -o vers=3 t1:/export /mnt
threading model: native threads
status: process terminated by SIGSEGV (Segmentation Fault), addr=0
libc.so.1`strlen+0x30(0, 80680b0, 8047cc8, 8047e78)
main+0x869(8047ddc, fef746a8, 8047e18, 8052767, 5, 8047e24)
_start+0x83(5, 8047ee8, 8047eee, 8047ef1, 8047ef8, 8047f03)
#

This problem is not NFS specific.

#8

Updated by Marcel Telka about 5 years ago

Another way to reproduce the problem is to set up a filesystem in vfstab without specifying the FS type field, for example:

# echo "/dev/blabla - /mnt - - no -" >> /etc/vfstab 
# mount /mnt
Segmentation Fault (core dumped)
# echo "::status ; ::stack " | mdb core
debugging core file of mount (32-bit) from t2
file: /sbin/mount
initial argv: mount /mnt
threading model: native threads
status: process terminated by SIGSEGV (Segmentation Fault), addr=0
libc.so.1`strlen+0x30(0, 80680a0, 8047ce8, 8047e8c)
main+0x869(8047dfc, fef746a8, 8047e38, 8052767, 2, 8047e44)
_start+0x83(2, 8047efc, 8047f02, 0, 8047f07, 8047f0b)
#
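
Both reproductions above end with a NULL fstype reaching strlen(). As an added example (not the illumos fix and not code from this ticket), the C code below models a vfstab entry, assuming a "-" field means "no value" and becomes NULL, and refuses the entry before any string function touches it; `parse_vfstab_line`, `check_fields_checked`, `validate_vfstab_line` and the `FSTYPE_MAX` value are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define	FSTYPE_MAX	8	/* assumed length limit for this example */
#define	VFS_FIELDS	7	/* special fsckdev mountp fstype pass boot opts */

/* Split a vfstab-style line in place; a "-" field means "no value" (NULL). */
static void
parse_vfstab_line(char *p, char *field[VFS_FIELDS])
{
	for (int n = 0; n < VFS_FIELDS; n++) {
		p += strspn(p, " \t\n");
		if (*p == '\0')
			break;
		char *end = p + strcspn(p, " \t\n");
		if (*end != '\0')
			*end++ = '\0';
		field[n] = (strcmp(p, "-") == 0) ? NULL : p;
		p = end;
	}
}

/* Reject missing fields before any string function dereferences them. */
static int
check_fields_checked(const char *fstype, const char *mountp)
{
	if (fstype == NULL) {
		fprintf(stderr, "mount: FSType cannot be determined\n");
		return (1);
	}
	if (strlen(fstype) > (size_t)FSTYPE_MAX || mountp == NULL ||
	    mountp[0] != '/') {
		fprintf(stderr, "mount: bad FSType or mount point\n");
		return (1);
	}
	return (0);
}

/* Returns 0 when the entry is safe to act on, 1 when it must be refused. */
int
validate_vfstab_line(const char *text)
{
	char buf[256], *f[VFS_FIELDS] = { NULL };

	snprintf(buf, sizeof (buf), "%s", text);
	parse_vfstab_line(buf, f);
	return (check_fields_checked(f[3], f[2]));
}
```
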
#9

Updated by Marcel Telka about 5 years ago

  • Status changed from In Progress to Pending RTI
#10

Updated by Electric Monk about 5 years ago

  • Status changed from Pending RTI to Closed
  • % Done changed from 0 to 100

git commit 96ca3711e9e66e902935bf99eacbc420596e8f22

commit  96ca3711e9e66e902935bf99eacbc420596e8f22
Author: Marcel Telka <marcel.telka@nexenta.com>
Date:   2015-11-12T18:04:52.000Z

    6374 mount(1M) dumps core in check_fields()
    Reviewed by: Jason King <jason.brian.king@gmail.com>
    Reviewed by: Josef 'Jeff' Sipek <jeffpc@josefsipek.net>
    Approved by: Dan McDonald <danmcd@omniti.com>
