Package: nfs-utils
Version: 1:2.6.2-1+b1
Severity: normal

Dear Maintainer,
Under certain conditions, blkmapd can crash due to calling free() on a pointer that wasn't malloc()ed. The reproducer I list below using a debian sid VM went as far as isolating it to having LVM Logical Volumes on SCSI disks, but this does not exclude other scenarios.

The struct bl_serial *serial structure is allocated via bl_create_scsi_string(), which does a malloc for it, but the code later on was doing a free() on the data element of this structure and only then on the structure itself. That first free() is incorrect, as the data element was never malloc()ed separately.

This was first brought up by lixiaokeng via https://www.spinics.net/lists/linux-nfs/msg87598.html, but not acknowledged back then.

Here is a reproducer using a VM. It assumes you can add a SCSI disk to it, which in my steps below is /dev/sdb.

  # apt install nfs-kernel-server lvm2
  # systemctl stop nfs-blkmapd.service
  # pvcreate /dev/sdb
  # vgcreate vg0 /dev/sdb
  # lvcreate -ntest -L100M vg0
  # blkmapd -f
  blkmapd: open pipe file /run/rpc_pipefs/nfs/blocklayout failed: No such file or directory
  double free or corruption (out)
  Aborted

Note the message about blocklayout is not relevant for this bug.
In gdb:

  (gdb) bt
  #0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at ./nptl/pthread_kill.c:44
  #1  0x00007ffff7c895df in __pthread_kill_internal (signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:78
  #2  0x00007ffff7c3da02 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
  #3  0x00007ffff7c28469 in __GI_abort () at ./stdlib/abort.c:79
  #4  0x00007ffff7c7d888 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7db66fb "%s\n") at ../sysdeps/posix/libc_fatal.c:155
  #5  0x00007ffff7c9322a in malloc_printerr (str=str@entry=0x7ffff7db9340 "double free or corruption (out)") at ./malloc/malloc.c:5659
  #6  0x00007ffff7c95198 in _int_free (av=0x7ffff7df4c60 <main_arena>, p=0x555555567ad0, have_lock=<optimized out>, have_lock@entry=0) at ./malloc/malloc.c:4583
  #7  0x00007ffff7c978df in __GI___libc_free (mem=<optimized out>) at ./malloc/malloc.c:3386
  #8  0x000055555555745e in bl_add_disk (filepath=0x7fffffffd2b0 "/dev/dm-0") at ./utils/blkmapd/device-discovery.c:245
  #9  bl_discover_devices () at ./utils/blkmapd/device-discovery.c:276
  #10 0x00005555555567cd in main (argc=<optimized out>, argv=<optimized out>) at ./utils/blkmapd/device-discovery.c:558

The crash is caused by this erroneous free on a pointer that is not malloc()ed:
https://salsa.debian.org/kernel-team/nfs-utils/-/blob/master/utils/blkmapd/device-discovery.c#L245

I sent a ping to upstream again[1], and in Ubuntu for now I'll just remove the faulty free(serial->data) in the 3 places in that function.

1. https://lore.kernel.org/linux-nfs/CANYNYEG=utJ2pe+FtMWh8O+dz63R2wbzOC7ZVrvoqD=u04w...@mail.gmail.com/T/#u
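As an added illustration (not code from this report or from nfs-utils), the allocation pattern described above modelled in C: a hypothetical model_create_serial() stands in for bl_create_scsi_string() with one malloc() covering both the struct and the bytes that data points to, model_data_is_embedded() checks that data is an interior pointer of that block, and the buggy free pair sits beside the reporter's fix of freeing only the struct. The struct layout and function names are assumptions for the model, not the upstream definitions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified stand-in for blkmapd's struct bl_serial. */
struct bl_serial {
    uint32_t len;
    char *data;   /* points just past the struct: same allocation, not its own */
};

/* Constructed model of bl_create_scsi_string() (assumption, not upstream
 * code): ONE malloc() covers both the struct and the bytes data points to. */
struct bl_serial *model_create_serial(const char *src, uint32_t len)
{
    struct bl_serial *s = malloc(sizeof(*s) + len + 1);
    if (s == NULL)
        return NULL;
    s->len = len;
    s->data = (char *)(s + 1);   /* interior pointer, never returned by malloc */
    memcpy(s->data, src, len);
    s->data[len] = '\0';
    return s;
}

/* 1 when s->data lies inside the block starting at s, i.e. free(s->data)
 * would hand glibc a pointer it never allocated. */
int model_data_is_embedded(const struct bl_serial *s)
{
    const char *base = (const char *)s;
    return s->data >= base && s->data < base + sizeof(*s) + s->len + 1;
}

/* The sequence the report flags (free(serial->data), then free(serial)): the
 * first free() is undefined behaviour and glibc aborts with "double free or
 * corruption (out)". Shown for comparison only; nothing here calls it. */
void model_free_buggy(struct bl_serial *s)
{
    free(s->data);
    free(s);
}

/* Build a serial, check the interior-pointer property, release it the way
 * the reporter's fix does. Returns 0 on success. */
int model_roundtrip(void)
{
    struct bl_serial *s = model_create_serial("vg0-test", 8);
    int rc = (s && model_data_is_embedded(s) && !strcmp(s->data, "vg0-test")) ? 0 : 1;
    free(s);   /* the fix: free only what malloc() returned (free(NULL) is a no-op) */
    return rc;
}
```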