From owner-freebsd-bugs Mon Jan 7 20:50:10 2002
Message-Id: <200201080447.g084lJW29086@freefall.freebsd.org>
Date: Mon, 7 Jan 2002 20:47:19 -0800 (PST)
From: Umesh Krishnaswamy
To: freebsd-gnats-submit@FreeBSD.org
Subject: misc/33672: telnetd and mount_mfs signal handlers call exit() which can hang process.

>Number:         33672
>Category:       misc
>Synopsis:       telnetd and mount_mfs signal handlers call exit() which can hang process.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jan 07 20:50:00 PST 2002
>Closed-Date:
>Last-Modified:
>Originator:     Umesh Krishnaswamy
>Release:        4.2
>Organization:   Juniper Networks
>Environment:
FreeBSD arisia.juniper.net 4.2-RELEASE FreeBSD 4.2-RELEASE #0: Tue Apr 10 19:09:01 PDT 2001 root@:/usr/src/sys/compile/ARISIA i386
>Description:
We have observed multiple telnetd hangs with the following backtrace.

#0  0x88055ed4 in nanosleep () at ./i386/reloc.c:248
#1  0x88054bb1 in wlock_acquire (lock=0x88067000) at ./i386/lockdflt.c:194
#2  0x880539d2 in rtld_exit () at rtld.c:1408
#3  0x88128fc4 in exit (status=1) at ./../libc/stdlib/exit.c:71
#4  0x804bdbd in cleanup ()    <-- telnetd() SIGCHLD signal handler
#5  0xbfbfffa4 in ?? ()
#6  0x88054372 in symlook_default (name=0x8048c45 "logout", hash=120972996, refobj=0x88065000, defobj_out=0xbfbff5d4, in_plt=1 '\001') at rtld.c:1827
#7  0x88052ea4 in find_symdef (symnum=50, refobj=0x88065000, defobj_out=0xbfbff5fc, in_plt=1 '\001') at rtld.c:837
#8  0x88052787 in _rtld_bind (obj=0x88065000, reloff=512) at rtld.c:430
#9  0x880521e9 in _rtld_bind_start () from /usr/libexec/ld-elf.so.1
#10 0x804d11f in telnet ()
#11 0x804c879 in doit ()
#12 0x804c35f in main ()
#13 0x804966d in _start ()

(gdb) p lockinfo
$2 = {context = 0x0, thelock = 0x88067000, rcount = 1, wcount = 0, lock_create = 0x880549ec , rlock_acquire = 0x88054b1c , wlock_acquire = 0x88054b5c , rlock_release = 0x88054be4 , wlock_release = 0x88054bf4 , lock_destroy = 0x88054a38 , context_destroy = 0}
(gdb) x/x lockinfo.thelock
0x88067000:     0x00000002

When the signal comes in, telnetd was trying to resolve a symbol and had acquired a read lock in rtld_bind. Hence the reader count of 1. The signal handler calls exit, which vectors to rtld_exit which tries to acquire a write lock and gets locked out against itself.

One fix is to call _exit() in the signal handler. Turns out OpenBSD did the same fix 2 months ago in telnetd. Not sure how many other apps need such a fix. For 4.2, mount_mfs also needs a patch.
>How-To-Repeat:
This is a tough one. Need to hit the right test case (which I do not have access to). After that it is reproducible.
>Fix:
Here is a patch.

RCS file: /home/ncvs/src/libexec/telnetd/sys_term.c,v retrieving revision 1.36 diff -u -p -r1.36 sys_term.c --- sys_term.c 2001/12/03 12:41:18 1.36 +++ sys_term.c 2002/01/08 04:42:31 @@ -1180,5 +1180,5 @@ cleanup(int sig __unused) (void)chmod(line, 0666); (void)chown(line, 0, 0); (void) shutdown(net, 2); - exit(1); + _exit(1); }
>Release-Note:
>Audit-Trail:
>Unformatted:
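Review bot: the synopsis and description say mount_mfs needs the same treatment for 4.2, but the only hunk here is the cleanup() change in libexec/telnetd/sys_term.c; a matching hunk for the mount_mfs signal handler is missing from the patch. In the cleanup() hunk, the `_exit(1);` line deserves a comment saying why exit() is unsafe here (it runs rtld_exit() through the atexit path, which waits for the ld-elf.so write lock while the interrupted _rtld_bind() still holds the read lock), otherwise the next reader is likely to "fix" it back to exit(1). It is also worth stating that _exit() skips atexit handlers and stdio flushing; that is harmless for the visible context (chmod, chown, shutdown), but anything later added to cleanup() that depends on them would be silently lost.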
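The self-deadlock described in the report, as an added example that is not part of the PR or of FreeBSD's sources: a small C program that reduces ld-elf.so's lock to rcount/wcount counters like the lockinfo dump, takes the read lock the way _rtld_bind() does, and delivers SIGCHLD to a cleanup() handler that calls either exit() or _exit(). The atexit hook standing in for rtld_exit() reports the would-be hang with a constructed exit status instead of spinning; rtld_exit, cleanup, run_scenario and the status value 75 are this example's own assumptions, and it runs on Linux or any BSD.

```c
/* Added model of the telnetd hang (not FreeBSD code): ld-elf.so's lock is
 * reduced to rcount/wcount as in the lockinfo dump, rtld_exit() is the atexit
 * hook that wants the write lock. Names and status 75 are constructed. */
#include <signal.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

#define EXIT_WOULD_DEADLOCK 75           /* writer found this process reading */

static volatile sig_atomic_t rcount, wcount; /* toy rtld lock state */
static int use_underscore_exit;              /* 0: exit(1), 1: _exit(1) */

/* Stand-in for rtld_exit(): the real one spins in wlock_acquire() forever
 * because the reader it waits for is this very process; report instead. */
static void rtld_exit(void)
{
    if (rcount > 0 || wcount > 0)
        _exit(EXIT_WOULD_DEADLOCK);
    wcount = 1;                              /* uncontended: proceed */
}

/* telnetd's cleanup() SIGCHLD handler, before and after the patch */
static void cleanup(int sig)
{
    (void)sig;
    if (use_underscore_exit)
        _exit(1);                            /* patched: no atexit hooks run */
    exit(1);                                 /* original: runs rtld_exit() */
}

/* Runs one scenario in a child: take the rtld read lock as _rtld_bind() does
 * while resolving "logout", then deliver SIGCHLD inside that critical
 * section. Returns the child's exit status (75 = would have hung). */
int run_scenario(int patched)
{
    int status = 0;
    pid_t pid = fork();
    if (pid == 0) {
        use_underscore_exit = patched;
        atexit(rtld_exit);
        signal(SIGCHLD, cleanup);
        rcount++;                            /* rlock_acquire() */
        raise(SIGCHLD);                      /* handler exits the child */
        rcount--;                            /* not reached */
        _exit(0);
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```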