libfuse / sshfs

A network filesystem client to connect to SSH servers
GNU General Public License v2.0

Segfault in fuse_unregister_module #264

Closed rwmjones closed 2 years ago

rwmjones commented 2 years ago

A Fedora user reported a crash in fuse_unregister_module when it calls free. The original bug report is here: https://bugzilla.redhat.com/show_bug.cgi?id=2002526

We do have a detailed stack trace:

warning: Can't open file /usr/lib/locale/locale-archive during file-backed mapping note processing
[New LWP 14448]
[New LWP 14451]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `sshfs geirho@login.uio.no: UiO -o password_stdin,reconnect,modules=iconv'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007fc601814789 in __GI___libc_free (mem=0x55df3d27ae27) at malloc.c:3288
3288      if (chunk_is_mmapped (p))                       /* release mmapped memory. */
[Current thread is 1 (Thread 0x7fc601704740 (LWP 14448))]

Thread 1 (Thread 0x7fc601704740 (LWP 14448)):
#0  0x00007fc601814789 in __GI___libc_free (mem=0x55df3d27ae27) at malloc.c:3288
        ar_ptr = <optimized out>
        p = <optimized out>
        hook = 0x0
        err = <optimized out>
#1  0x00007fc601abb3ea in fuse_unregister_module (m=<optimized out>) at ../lib/fuse.c:246
        mp = <optimized out>
        mp = <optimized out>
#2  fuse_put_module (m=0x55da60807480) at ../lib/fuse.c:349
        __PRETTY_FUNCTION__ = "fuse_put_module"
#3  0x00007fc601abbb17 in fuse_fs_destroy (fs=0x55da60818940) at ../lib/fuse.c:2672
No locals.
#4  0x00007fc601abffe9 in fuse_lib_destroy (data=0x55da60807270) at ../lib/fuse.c:2681
        f = 0x55da60807270
#5  0x00007fc601acbe66 in fuse_session_destroy (se=0x55da60818ab0) at ../lib/fuse_lowlevel.c:2714
        llp = <optimized out>
#6  0x00007fc601ac9bb4 in fuse_destroy (f=0x55da60807270) at ../lib/fuse.c:5102
        i = <optimized out>
        __PRETTY_FUNCTION__ = "fuse_destroy"
#7  0x000055da6024386b in main (argc=<optimized out>, argv=<optimized out>) at ../sshfs.c:4411
        res = 0
        args = {argc = 1, argv = 0x55da60807110, allocated = 1}
        tmp = <optimized out>
        fsname = <optimized out>
        sftp_server = <optimized out>
        fuse = 0x55da60807270
        se = 0x55da60818ab0
        i = <optimized out>

Thread 2 (Thread 0x7fc5f30cf640 (LWP 14451)):
#0  __libc_read (nbytes=5, buf=0x7fc5e801ea00, fd=6) at ../sysdeps/unix/sysv/linux/read.c:26
        sc_ret = -512
        sc_cancel_oldtype = 0
        __arg3 = <optimized out>
        _a2 = <optimized out>
        sc_ret = <optimized out>
        __value = <optimized out>
        sc_ret = <optimized out>
        __arg1 = <optimized out>
        _a3 = <optimized out>
        resultvar = <optimized out>
        __arg2 = <optimized out>
        _a1 = <optimized out>
#1  __libc_read (fd=6, buf=0x7fc5e801ea00, nbytes=5) at ../sysdeps/unix/sysv/linux/read.c:24
No locals.
#2  0x000055da60246cee in read (__nbytes=5, __buf=0x7fc5e801ea00, __fd=<optimized out>) at /usr/include/bits/unistd.h:47
No locals.
#3  do_read (conn=0x55da60806f00, buf=<optimized out>, buf=<optimized out>) at ../sshfs.c:1365
        res = <optimized out>
        p = 0x7fc5e801ea00 "\036\200^\374\a"
        size = 5
#4  0x000055da602477a7 in sftp_read (conn=0x55da60806f00, type=0x7fc5f30cedef "i", buf=0x7fc5f30cee00) at ../sshfs.c:1385
        res = <optimized out>
        buf2 = {p = <optimized out>, len = <optimized out>, size = <optimized out>}
        len = <optimized out>
#5  0x000055da602478cd in process_one_request (conn=0x55da60806f00) at ../sshfs.c:1469
        buf = {p = 0x0, len = 0, size = 0}
        type = 105 'i'
        res = <optimized out>
        req = <optimized out>
        id = <optimized out>
        res = <optimized out>
        buf = {p = <optimized out>, len = <optimized out>, size = <optimized out>}
        type = <optimized out>
        req = <optimized out>
        id = <optimized out>
        was_over = <optimized out>
        now = {tv_sec = <optimized out>, tv_usec = <optimized out>}
        difftime = <optimized out>
        msgsize = <optimized out>
#6  process_requests (data_=0x55da60806f00) at ../sshfs.c:1551
        conn = 0x55da60806f00
#7  0x00007fc601a9a299 in start_thread (arg=0x7fc5f30cf640) at pthread_create.c:481
        ret = <optimized out>
        pd = 0x7fc5f30cf640
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140488162997824, -7345238641137078034, 140488180836574, 140488180836575, 0, 140488162997824, 7321619645797839086, 7321862386214580462}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = 0
#8  0x00007fc601888353 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
No locals.
From                To                  Syms Read   Shared Object Library
0x00007fc601abacf0  0x00007fc601ad4c71  Yes         /lib64/libfuse3.so.3
0x00007fc601a98a70  0x00007fc601aa6aef  Yes         /lib64/libpthread.so.0
0x00007fc601975c90  0x00007fc601a034e2  Yes         /lib64/libglib-2.0.so.0
0x00007fc6017ae690  0x00007fc6018f99dd  Yes         /lib64/libc.so.6
0x00007fc601783270  0x00007fc6017841c9  Yes         /lib64/libdl.so.2
0x00007fc601b12090  0x00007fc601b36996  Yes         /lib64/ld-linux-x86-64.so.2
0x00007fc60170b3b0  0x00007fc601761942  Yes         /lib64/libpcre.so.1
0x00007fc5f337a5f0  0x00007fc5f338b945  Yes         /lib64/libgcc_s.so.1
rwmjones commented 2 years ago

I should add this was reported most recently against the latest version, 3.7.2

Nikratio commented 2 years ago

Thanks for taking the time to report this issue!

Unfortunately, this project does not currently have any active, regular contributors. As the maintainer, I try to review pull requests and make regular releases, but unfortunately I have no capacity to do significant development beyond that. Issue reports that do not come with a pull request or clearly have high impact on a large number of users are therefore likely to languish.

I understand that this is frustrating for users, but I hope you can also understand that any development work that I do on this project has to compete with spending time with my family, doing work that I get paid for, doing something recreational without a computer, or working on features/bugs that affect me personally. Most bugs and ideas - unfortunately including this one - lose out in this competition.

In other words, unless you plan to work on this yourself or can recruit someone who will, it's unlikely that anyone is going to do anything about it anytime soon.

This is just to calibrate expectations. I am grateful that you took the time and effort to report this! I'll leave this issue open to document the problem and who knows, maybe someone will pick it up after all :-).