From: Guy Yur
Date: Fri, 25 Mar 2022 15:18:40 +0300
Subject: Interrupted fputc followed by fprintf in _IOLBF mode causes core dump
To: freebsd-current, Konstantin Belousov, Mark Johnston
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current

Hi,

dhcpcd on head (Mar 24) and 13.1-BETA2 crashes in fprintf/__sfvwrite.
It doesn't crash if I revert the __sflush/__sfvwrite commits:
86a16ada1ea608408cec370171d9f59353e97c77 and
bafaa70b6f9098d83d074968c8e6747ecec1e118.

Stack trace:
#0  memcpy () at /usr/src/lib/libc/amd64/string/memmove.S:314
#1  0x00000008221c300a in __sfvwrite (fp=, uio=0x8207ad338)
    at /usr/src/lib/libc/stdio/fvwrite.c:182
#2  0x00000008221cc631 in __sprint (fp=0x26fffe, uio=0x8207ad2d7, locale=)
    at /usr/src/lib/libc/stdio/vfprintf.c:166
#3  io_flush (iop=0x8207ad330, locale=)
    at /usr/src/lib/libc/stdio/printfcommon.h:157
#4  __vfprintf (fp=fp@entry=0x8222892d0,
    locale=locale@entry=0x822288ab8 <__xlocale_global_locale>,
    fmt0=, fmt0@entry=0x204182 "%s", ap=, ap@entry=0x8207ad4e0)
    at /usr/src/lib/libc/stdio/vfprintf.c:1033
#5  0x00000008221c8aea in vfprintf_l (fp=0x8222892d0,
    locale=0x822288ab8 <__xlocale_global_locale>, fmt0=0x204182 "%s",
    ap=0x8207ad4e0) at /usr/src/lib/libc/stdio/vfprintf.c:285
#6  0x0000000000222efa in vlogprintf_r (ctx=0x270820 <_logctx>,
    stream=0x8222892d0, fmt=0x204182 "%s", args=0x8207adad0) at logerr.c:186
...

(gdb) frame 5
#5  0x00000008221c8aea in vfprintf_l (fp=0x8222892d0,
    locale=0x822288ab8 <__xlocale_global_locale>, fmt0=0x204182 "%s",
    ap=0x8207ad4e0) at /usr/src/lib/libc/stdio/vfprintf.c:285
285             ret = __vfprintf(fp, locale, fmt0, ap);
(gdb) p *fp
$1 = {_p = 0x27084f <_logctx+47> "e21:3e7c\n42a/64\n", _r = 0, _w = -1025,
  _flags = 2057, _file = 2, _bf = {_base = 0x270820 <_logctx> "*\"",
  _size = 1024}, _lbfsize = -1024, _cookie = 0x8222892d0,
  _close = 0x8221c7b40 <__sclose>, _read = 0x8221c7af0 <__sread>,
  _seek = 0x8221c7b30 <__sseek>, _write = 0x8221c7b10 <__swrite>,
  _ub = {_base = 0x0, _size = 0}, _up = 0x0, _ur = 0, _ubuf = "\000\000",
  _nbuf = "", _lb = {_base = 0x0, _size = 0}, _blksize = 4096, _offset = 0,
  _fl_mutex = 0x0, _fl_owner = 0x0, _fl_count = 0, _orientation = -1,
  _mbstate = {__mbstate8 = '\000' , _mbstateL = 0}, _flags2 = 0}
(gdb) frame 1
#1  0x00000008221c300a in __sfvwrite (fp=, uio=0x8207ad338)
    at /usr/src/lib/libc/stdio/fvwrite.c:182
182             COPY(w);
(gdb) p w
$4 = -1

The dhcpcd flow leading to the crash:
1. init with setvbuf _IOLBF on stderr
   https://github.com/NetworkConfiguration/dhcpcd/blob/master/src/logerr.c#L453
2. fputc with newline called on stderr but is interrupted
   https://github.com/NetworkConfiguration/dhcpcd/blob/master/src/logerr.c#L187
3. next event received, vfprintf is called on stderr and crashes
   https://github.com/NetworkConfiguration/dhcpcd/blob/master/src/logerr.c#L186

Simple program that eventually crashes:

#include <signal.h>
#include <stdio.h>
#include <unistd.h>

/* Re-arm the alarm so SIGALRM keeps interrupting the writes. */
static void
alrm(int signo __unused)
{
        alarm(1);
}

char buf[1024]; /* use global to not corrupt stack trace in core dump */

int
main()
{
        struct sigaction sa;

        sa.sa_handler = alrm;
        sigemptyset(&sa.sa_mask);
        sa.sa_flags = 0;        /* no SA_RESTART: writes can be interrupted */
        sigaction(SIGALRM, &sa, NULL);

        setvbuf(stderr, buf, _IOLBF, sizeof(buf));

        alarm(1);

        /* Loop until an fputc on stderr is interrupted and sets the error flag. */
        while (!ferror(stderr)) {
                fputc('\n', stderr);
        }

        /* The next formatted write on the stream is the one that crashes. */
        fprintf(stderr, "%s", "a");

        return 0;
}

Regards,
Guy Yur
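
The arithmetic that connects the `p *fp` dump to `w = -1` in frame 1, as an added example that is not part of the original message or of libc. It assumes the line-buffered branch of __sfvwrite computes the free space as `_w + _bf._size` and that COPY(w) hands that value to memcpy as a size_t; `struct stream_model` and the helper names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model: only the FILE fields visible in the gdb dump. */
struct stream_model {
    ptrdiff_t used;  /* _p - _bf._base: bytes already in the buffer */
    int w;           /* _w */
    int bf_size;     /* _bf._size */
    int lbfsize;     /* _lbfsize */
};

/* Values from the dump: _p = 0x27084f, _bf._base = 0x270820. */
static const struct stream_model dumped = {
    0x27084f - 0x270820, -1025, 1024, -1024
};

/* Free space as the line-buffered write path is assumed to compute it. */
static int lbf_space(const struct stream_model *s)
{
    return s->w + s->bf_size;
}

/* Length memcpy receives when that space is used without a sign check. */
static size_t copy_len_unchecked(const struct stream_model *s)
{
    return (size_t)lbf_space(s);
}

/* 1 if a write of len bytes takes the "fill remaining space, then flush"
 * path, which is where the COPY(w) in frame 1 sits. */
static int takes_fill_then_flush(const struct stream_model *s, int len)
{
    return s->used > 0 && len > lbf_space(s);
}

/* Hypothetical consistency check: _w >= _lbfsize keeps lbf_space() >= 0. */
static int state_is_sane(const struct stream_model *s)
{
    return s->lbfsize == -s->bf_size && s->used >= 0 &&
        s->used <= s->bf_size && s->w >= s->lbfsize;
}

int main(void)
{
    printf("used=%td space=%d memcpy_len=%zu sane=%d\n", dumped.used,
        lbf_space(&dumped), copy_len_unchecked(&dumped), state_is_sane(&dumped));
    return 0;
}
```

With the dumped values, the one-byte write of "a" is larger than the computed space of -1, so the model selects the fill-then-flush path and the copy length wraps to the maximum size_t value.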