Date: Mon, 7 Jan 2002 20:47:19 -0800 (PST)
From: Umesh Krishnaswamy <umesh@juniper.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: misc/33672: telnetd and mount_mfs signal handlers call exit() which can hang process.
Message-ID: <200201080447.g084lJW29086@freefall.freebsd.org>
>Number: 33672
>Category: misc
>Synopsis: telnetd and mount_mfs signal handlers call exit() which can hang process.
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Jan 07 20:50:00 PST 2002
>Closed-Date:
>Last-Modified:
>Originator: Umesh Krishnaswamy
>Release: 4.2
>Organization:
Juniper Networks
>Environment:
FreeBSD arisia.juniper.net 4.2-RELEASE FreeBSD 4.2-RELEASE #0: Tue Apr 10 19:09:01 PDT 2001 root@:/usr/src/sys/compile/ARISIA i386
>Description:
We have observed multiple telnetd hangs with the following backtrace.
#0 0x88055ed4 in nanosleep () at ./i386/reloc.c:248
#1 0x88054bb1 in wlock_acquire (lock=0x88067000) at ./i386/lockdflt.c:194
#2 0x880539d2 in rtld_exit () at rtld.c:1408
#3 0x88128fc4 in exit (status=1) at ./../libc/stdlib/exit.c:71
#4 0x804bdbd in cleanup () <-- telnetd() SIGCHLD signal handler
#5 0xbfbfffa4 in ?? ()
#6 0x88054372 in symlook_default (name=0x8048c45 "logout", hash=120972996,
refobj=0x88065000, defobj_out=0xbfbff5d4, in_plt=1 '\001') at rtld.c:1827
#7 0x88052ea4 in find_symdef (symnum=50, refobj=0x88065000,
defobj_out=0xbfbff5fc, in_plt=1 '\001') at rtld.c:837
#8 0x88052787 in _rtld_bind (obj=0x88065000, reloff=512) at rtld.c:430
#9 0x880521e9 in _rtld_bind_start () from /usr/libexec/ld-elf.so.1
#10 0x804d11f in telnet ()
#11 0x804c879 in doit ()
#12 0x804c35f in main ()
#13 0x804966d in _start ()
(gdb) p lockinfo
$2 = {context = 0x0, thelock = 0x88067000, rcount = 1, wcount = 0,
lock_create = 0x880549ec <lock_create>,
rlock_acquire = 0x88054b1c <rlock_acquire>,
wlock_acquire = 0x88054b5c <wlock_acquire>,
rlock_release = 0x88054be4 <rlock_release>,
wlock_release = 0x88054bf4 <wlock_release>,
lock_destroy = 0x88054a38 <lock_destroy>, context_destroy = 0}
(gdb) x/x lockinfo.thelock
0x88067000: 0x00000002
When the signal came in, telnetd was trying to resolve a symbol and
had acquired a read lock in rtld_bind, hence the reader count of
1. The signal handler calls exit, which vectors to rtld_exit, which
tries to acquire a write lock and gets locked out against itself.
One fix is to call _exit() in the signal handler. Turns out OpenBSD did the same fix
2 months ago in telnetd. Not sure how many other apps need such a fix.
For 4.2, mount_mfs also needs a patch.
>How-To-Repeat:
This is a tough one. Need to hit the right test case (which I do not
have access to). After that it is reproducible.
>Fix:
Here is a patch.
RCS file: /home/ncvs/src/libexec/telnetd/sys_term.c,v
retrieving revision 1.36
diff -u -p -r1.36 sys_term.c
--- sys_term.c 2001/12/03 12:41:18 1.36
+++ sys_term.c 2002/01/08 04:42:31
@@ -1180,5 +1180,5 @@ cleanup(int sig __unused)
(void)chmod(line, 0666);
(void)chown(line, 0, 0);
(void) shutdown(net, 2);
- exit(1);
+ _exit(1);
}
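Review bot: replacing exit(1) with _exit(1) at the end of cleanup() is the right change for a signal handler, since exit() runs the atexit chain (where rtld_exit takes the rtld write lock that the interrupted _rtld_bind may already hold as a reader) whereas _exit() is async-signal-safe; the remaining calls in the hunk, chmod, chown and shutdown, are all async-signal-safe too, so nothing else here needs to change. One caveat worth a comment above the call: _exit() also skips stdio flushing, so any output the process still had buffered is lost. The mount_mfs change the description says 4.2 also needs is not part of this patch.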
>Release-Note:
>Audit-Trail:
>Unformatted:
