From Tor.Egge@idt.ntnu.no  Thu Nov  7 15:41:25 1996
Received: from pat.idt.unit.no (pat.idt.unit.no [129.241.103.5])
          by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id PAA27776
          for <FreeBSD-gnats-submit@freebsd.org>; Thu, 7 Nov 1996 15:41:23 -0800 (PST)
Received: from ikke.idt.unit.no (ikke.idt.unit.no [129.241.111.65]) by pat.idt.unit.no (8.7.5/8.7.3) with ESMTP id AAA19902 for <FreeBSD-gnats-submit@freebsd.org>; Fri, 8 Nov 1996 00:41:14 +0100 (MET)
Received: (from tegge@localhost) by ikke.idt.unit.no (8.7.6/8.7.3) id AAA01663; Fri, 8 Nov 1996 00:41:13 +0100 (MET)
Message-Id: <199611072341.AAA01663@ikke.idt.unit.no>
Date: Fri, 8 Nov 1996 00:41:13 +0100 (MET)
From: Tor Egge <Tor.Egge@idt.ntnu.no>
Reply-To: Tor.Egge@idt.ntnu.no
To: FreeBSD-gnats-submit@freebsd.org
Subject: amd crashes with signal 11
X-Send-Pr-Version: 3.2

>Number:         1974
>Category:       bin
>Synopsis:       amd crashes with signal 11
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Nov  7 15:50:02 PST 1996
>Closed-Date:    Mon Nov 25 11:36:40 PST 1996
>Last-Modified:  Mon Nov 25 11:37:43 PST 1996
>Originator:     Tor Egge
>Release:        FreeBSD 2.2-CURRENT i386
>Organization:
Norwegian University of Science and Technology, Trondheim, Norway
>Environment:

FreeBSD ikke.idt.unit.no 2.2-CURRENT FreeBSD 2.2-CURRENT #3: Sun Nov  3 06:22:40 MET 1996     root@ikke.idt.unit.no:/usr/src/sys-UP/compile/TEGGE  i386

-r-xr-xr-x   1 bin      bin         77824 Oct 24 01:30 /usr/sbin/amd*

and /etc/malloc.conf symlinked to AJ

>Description:

	Amd crashes with signal 11 when a filesystem mounted 
	by amd becomes unavailable.

(gdb) where
#0  0x2617 in afs_lookuppn (mp=0x57200, 
    fname=0x4d120 "s:=\"/etc/amd/mail\";type:=direct", 
    error_return=0xdfbfd730, op=1) at /usr/src/usr.sbin/amd/amd/afs_ops.c:1548
#1  0x2886 in dfs_readlink (mp=0x57200, error_return=0xdfbfd74c)
    at /usr/src/usr.sbin/amd/amd/afs_ops.c:1718
#2  0x88e4 in do_readlink (mp=0x57200, error_return=0xdfbfd76c, 
    attrpp=0xdfbfd768) at /usr/src/usr.sbin/amd/amd/nfs_subr.c:73
#3  0x8972 in nfsproc_getattr_2 (argp=0xdfbfd790, rqstp=0xdfbfdcc0)
    at /usr/src/usr.sbin/amd/amd/nfs_subr.c:134
#4  0x82c5 in nfs_program_2 (rqstp=0xdfbfdcc0, transp=0x4e180)
    at /usr/src/usr.sbin/amd/amd/../rpcx/nfs_prot_svc.c:189
#5  0x171de in svc_getreqset ()
#6  0x85fb in run_rpc () at /usr/src/usr.sbin/amd/amd/nfs_start.c:297
#7  0x8882 in mount_automounter (ppid=126)
    at /usr/src/usr.sbin/amd/amd/nfs_start.c:429
#8  0xcb15 in main (argc=21, argv=0xdfbfddb4)
    at /usr/src/usr.sbin/amd/amd/amd.c:340
(gdb) list 1540,1551
1540             */
1541            error = afs_bgmount(cp, error);
1542            reschedule_timeout_mp();
1543            if (!error) {
1544                    free(fname);
1545                    return new_mp;
1546            }
1547
1548            if (error && (cp->mp->am_mnt->mf_ops == &efs_ops))
1549                    cp->mp->am_error = error;
1550
1551            assign_error_mntfs(new_mp);


cp was freed by afs_bgmount and is used afterwards :-(

>How-To-Repeat:

	symlink /etc/malloc.conf to AJ, restart amd. Play
	havoc with your network (e.g. pull the plug) to trigger
	an EAGAIN error. 

>Fix:

	Don't use freed memory.

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback 
State-Changed-By: joerg 
State-Changed-When: Sat Nov 9 04:40:39 MET 1996 
State-Changed-Why:  
Submitted a fix to the originator, requesting confirmation. 


From: Tor Egge <Tor.Egge@idt.ntnu.no>
To: FreeBSD-gnats-submit@freebsd.org
Cc: 
Subject: Re: bin/1974: amd crashes with signal 11
Date: Sun, 10 Nov 1996 15:08:11 +0100

 This patch seems to fix the problem:
 
 Index: afs_ops.c
 ===================================================================
 RCS file: /export/akg1/cvs/src/usr.sbin/amd/amd/afs_ops.c,v
 retrieving revision 1.3
 diff -u -r1.3 afs_ops.c
 --- afs_ops.c	1995/06/27 11:07:23	1.3
 +++ afs_ops.c	1996/11/09 23:21:50
 @@ -1545,8 +1545,8 @@
  		return new_mp;
  	}
  
 -	if (error && (cp->mp->am_mnt->mf_ops == &efs_ops))
 -		cp->mp->am_error = error;
 +	if (error && (new_mp->am_mnt->mf_ops == &efs_ops))
 +		new_mp->am_error = error;
  
  	assign_error_mntfs(new_mp);
  
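Review bot: the hunk is only correct if new_mp is the same node that cp->mp pointed to before afs_bgmount() consumed cp, and nothing in these lines shows that relation; the commit message or a one-line comment above the test should state where new_mp is assigned and that afs_bgmount() frees cp, otherwise the next reader has no way to know why cp must not be touched past that call. Two smaller points: the `error &&` guard is redundant, because the `if (!error) { ... return new_mp; }` block just above (visible in the gdb listing earlier in the PR) guarantees error is non-zero here, so `if (new_mp->am_mnt->mf_ops == &efs_ops)` suffices; and since cp is dead from afs_bgmount() onward, setting `cp = NULL` right after that call would turn any future reuse into an immediate fault instead of one that only shows up with /etc/malloc.conf pointing at AJ.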
 
 
 - Tor Egge
State-Changed-From-To: feedback->closed 
State-Changed-By: phk 
State-Changed-When: Mon Nov 25 11:36:40 PST 1996 
State-Changed-Why:  
patch committed. 
>Unformatted:
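The use-after-free in this PR only became visible because phkmalloc's J option fills freed memory with 0xd0, so cp->mp turned into an invalid pointer instead of quietly keeping its old value. The program below is an added illustration, not amd's code: the structs are simplified stand-ins for amd's continuation / am_node / mntfs (assumed shapes, not the real definitions), bgmount() models the way afs_bgmount() consumes and frees its continuation, and qfree() is a quarantining free that poisons the block like the J option but never returns it to malloc, so the stale bytes can be inspected without undefined behaviour. lookup_buggy() has the pre-patch shape and lookup_fixed() the post-patch shape, reading the node pointer out of the continuation before it is consumed.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for amd's structures (assumed, not the real ones). */
struct mntfs        { int is_efs; };
struct am_node      { struct mntfs *am_mnt; int am_error; };
struct continuation { struct am_node *mp; };

#define JUNK_BYTE 0xd0          /* fill value used by phkmalloc's 'J' option */
static int junk_on_free = 1;    /* 1: behave as if malloc.conf were set to J */

/* Quarantining free: poison the block (when junk_on_free) but keep it
 * allocated, so the example can look at the stale bytes afterwards.
 * A real free() gives no such guarantee; reading freed memory is UB. */
static void  *quarantine[64];
static size_t nquarantined;

static void qfree(void *p, size_t n)
{
    if (junk_on_free)
        memset(p, JUNK_BYTE, n);
    if (nquarantined < sizeof quarantine / sizeof quarantine[0])
        quarantine[nquarantined++] = p;
    else
        free(p);
}

static void qrelease(void)
{
    while (nquarantined > 0)
        free(quarantine[--nquarantined]);
}

static int all_junk(const void *p, size_t n)
{
    const unsigned char *b = p;
    for (size_t i = 0; i < n; i++)
        if (b[i] != JUNK_BYTE)
            return 0;
    return 1;
}

/* Models afs_bgmount(): consumes the continuation (frees it) and returns
 * the mount error, which is non-zero on e.g. EAGAIN. */
static int bgmount(struct continuation *cp, int error)
{
    qfree(cp, sizeof *cp);
    return error;
}

static struct continuation *make_continuation(struct am_node *mp)
{
    struct continuation *cp = malloc(sizeof *cp);
    if (cp == NULL)
        abort();
    cp->mp = mp;
    return cp;
}

/* Pre-patch shape: cp is touched after bgmount() freed it. Rather than
 * following cp->mp (which is what crashed amd), report whether the slot
 * holding cp->mp is poisoned, i.e. whether the real code would have
 * dereferenced a 0xd0d0d0d0 pointer. */
static int lookup_buggy(struct continuation *cp, int error, int *slot_poisoned)
{
    error = bgmount(cp, error);
    if (!error)
        return 0;
    *slot_poisoned = all_junk(&cp->mp, sizeof cp->mp);
    return error;
}

/* Post-patch shape: the node pointer is taken out of the continuation
 * before bgmount() consumes it; only new_mp is used afterwards. */
static int lookup_fixed(struct continuation *cp, int error)
{
    struct am_node *new_mp = cp->mp;
    error = bgmount(cp, error);
    if (!error)
        return 0;
    if (new_mp->am_mnt->is_efs)
        new_mp->am_error = error;
    return error;
}

int main(void)
{
    struct mntfs   fs   = { 1 };
    struct am_node node = { &fs, 0 };
    int poisoned = -1;

    junk_on_free = 1;
    lookup_buggy(make_continuation(&node), EAGAIN, &poisoned);
    printf("with J: stale cp->mp slot poisoned = %d\n", poisoned);

    junk_on_free = 0;
    lookup_buggy(make_continuation(&node), EAGAIN, &poisoned);
    printf("without J: stale cp->mp slot poisoned = %d (bug stays latent)\n", poisoned);

    lookup_fixed(make_continuation(&node), EAGAIN);
    printf("fixed: am_error = %d\n", node.am_error);
    qrelease();
    return 0;
}
```

With junk_on_free set the stale slot reads back as all 0xd0, which is the crash the PR reports; with it clear the old pointer value is still there and the same bug runs silently, which is why the How-To-Repeat step starts by symlinking /etc/malloc.conf to AJ.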
