Hi,
While playing with iscsid against a Synology NAS I noticed this reproducible
crash.
My iscsid.conf:
--8<--
target "LUN-1" {
enabled
normal
targetaddr 192.168.178.9
targetname "iqn.2000-01.com.synology:jabba.Target-1.55f50797a0"
}
--8<--
$ sudo iscsid -d -v
startup
< now issue iscsictl reload from another terminal, which returns "command
successful" >
session_fsm[LUN-1]: INIT ev start timeout 0
sess_fsm[LUN-1]: INIT ev start
new connection to 192.168.178.9:3260
conn_fsm[LUN-1]: FREE ev connect
conn_fsm[LUN-1]: new state XPT_WAIT
sess_fsm[LUN-1]: new state FREE
sess_fsm: done
conn_fsm[LUN-1]: XPT_WAIT ev connected
conn_fsm[LUN-1]: new state IN_LOGIN
bad param TargetPortalGroupTag=0: too small
SET_NUM: TargetPortalGroupTag = 0
conn_parse_kvp: errors found
conn_fail
conn_fsm[LUN-1]: IN_LOGIN ev fail
c_do_fail
session_fsm[LUN-1]: FREE ev connection fail timeout 0
conn_fsm[LUN-1]: new state FREE
iscsid(20532) in free(): error: double free 0x14c3e4abe100
[1] 20532 abort sudo iscsid -d -v
$
Now I don't even know if my config is correct, but this double free doesn't
look quite correct either:
# gdb /usr/sbin/iscsid
GNU gdb 6.3
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "amd64-unknown-openbsd5.6"...
(gdb) run -d -v
Starting program: /usr/sbin/iscsid -d -v
startup
session_fsm[LUN-1]: INIT ev start timeout 0
sess_fsm[LUN-1]: INIT ev start
new connection to 192.168.178.9:3260
conn_fsm[LUN-1]: FREE ev connect
conn_fsm[LUN-1]: new state XPT_WAIT
sess_fsm[LUN-1]: new state FREE
sess_fsm: done
conn_fsm[LUN-1]: XPT_WAIT ev connected
conn_fsm[LUN-1]: new state IN_LOGIN
bad param TargetPortalGroupTag=0: too small
SET_NUM: TargetPortalGroupTag = 0
conn_parse_kvp: errors found
conn_fail
conn_fsm[LUN-1]: IN_LOGIN ev fail
c_do_fail
session_fsm[LUN-1]: FREE ev connection fail timeout 0
conn_fsm[LUN-1]: new state FREE
Program received signal SIGBUS, Bus error.
0x0000085ce04084b1 in pdu_free_queue (channel=0x85f60ca1a90) at
/usr/src/usr.sbin/iscsid/pdu.c:224
224 TAILQ_REMOVE(channel, p, entry);
(gdb) bt
#0 0x0000085ce04084b1 in pdu_free_queue (channel=0x85f60ca1a90) at
/usr/src/usr.sbin/iscsid/pdu.c:224
#1 0x0000085ce04034d8 in conn_task_cleanup (c=0x85f670f4000, t=0x85f60ca1a80)
at /usr/src/usr.sbin/iscsid/connection.c:244
#2 0x0000085ce040610e in initiator_login_cb (c=0x85f670f4000,
arg=0x85f60ca1a80, p=0x85f5ffaa580)
at /usr/src/usr.sbin/iscsid/initiator.c:448
#3 0x0000085ce040a331 in task_pdu_cb (c=0x85f670f4000, p=0x85f5ffaa580) at
/usr/src/usr.sbin/iscsid/task.c:130
#4 0x0000085ce0408d3e in pdu_parse (c=0x85f670f4000) at
/usr/src/usr.sbin/iscsid/pdu.c:396
#5 0x0000085ce04031b8 in conn_dispatch (fd=10, event=2, arg=0x85f670f4000)
at /usr/src/usr.sbin/iscsid/connection.c:150
#6 0x0000085fb5dd6148 in event_base_loop (base=0x85eef3ac400, flags=Variable
"flags" is not available.
) at /usr/src/lib/libevent/event.c:350
#7 0x0000085ce040691f in main (argc=0, argv=0x7f7ffffd0430) at
/usr/src/usr.sbin/iscsid/iscsid.c:151
(gdb) bt full
#0 0x0000085ce04084b1 in pdu_free_queue (channel=0x85f60ca1a90) at
/usr/src/usr.sbin/iscsid/pdu.c:224
p = (struct pdu *) 0xdfdfdfdfdfdfdfdf
#1 0x0000085ce04034d8 in conn_task_cleanup (c=0x85f670f4000, t=0x85f60ca1a80)
at /usr/src/usr.sbin/iscsid/connection.c:244
No locals.
#2 0x0000085ce040610e in initiator_login_cb (c=0x85f670f4000,
arg=0x85f60ca1a80, p=0x85f5ffaa580)
at /usr/src/usr.sbin/iscsid/initiator.c:448
tl = (struct task_login *) 0x85f60ca1a80
lresp = (struct iscsi_pdu_login_response *) 0x85f276b7f40
buf = (u_char *) 0x85f60ca1400 "AuthMethod"
kvp = (struct kvp *) 0x85f847b7f00
n = 68
size = 67
#3 0x0000085ce040a331 in task_pdu_cb (c=0x85f670f4000, p=0x85f5ffaa580) at
/usr/src/usr.sbin/iscsid/task.c:130
t = (struct task *) 0x85f60ca1a80
ipdu = (struct iscsi_pdu *) 0x85f276b7f40
itt = 961191139
#4 0x0000085ce0408d3e in pdu_parse (c=0x85f670f4000) at
/usr/src/usr.sbin/iscsid/pdu.c:396
p = (struct pdu *) 0x85f5ffaa580
ipdu = (struct iscsi_pdu *) 0x85f276b7f40
ahb = 0x0
db = 0x85f60ca1400 "AuthMethod"
ahslen = 0
dlen = 67
off = 0
n = 68
j = 5
#5 0x0000085ce04031b8 in conn_dispatch (fd=10, event=2, arg=0x85f670f4000)
at /usr/src/usr.sbin/iscsid/connection.c:150
c = (struct connection *) 0x85f670f4000
n = 116
#6 0x0000085fb5dd6148 in event_base_loop (base=0x85eef3ac400, flags=Variable
"flags" is not available.
) at /usr/src/lib/libevent/event.c:350
evsel = (const struct eventop *) 0x85fb5fd90a0
evbase = (void *) 0x85fc5793000
tv = {tv_sec = 0, tv_usec = 0}
tv_p = Variable "tv_p" is not available.
(gdb) The program is running. Exit anyway? (y or n) y
Notice frame #0:
#0 0x0000085ce04084b1 in pdu_free_queue (channel=0x85f60ca1a90) at
/usr/src/usr.sbin/iscsid/pdu.c:224
p = (struct pdu *) 0xdfdfdfdfdfdfdfdf
--
jasper
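
Added illustration, not part of the original message and not iscsid code: 0xdf is the byte OpenBSD's malloc uses to junk-fill freed chunks, and in the backtrace channel (...a90) sits 0x10 bytes into task t (...a80), so the p in frame #0 is consistent with a queue head read from an already freed task. The struct layout and the names junk_release, is_free_junk, first_after_release and task_cleanup are hypothetical; the last one shows a cleanup that is safe to reach twice.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/queue.h>

#define FREEJUNK 0xdf	/* OpenBSD malloc's fill byte for freed chunks */

struct pdu { TAILQ_ENTRY(pdu) entry; };
TAILQ_HEAD(pduq, pdu);
/* Hypothetical layout: on LP64 the queue head lands at offset 0x10. */
struct task { void *owner; uint64_t itt; struct pduq sendq; };

/* Stand-in for free(): junk-fills but keeps the memory valid to inspect. */
static void junk_release(struct task *t) { memset(t, FREEJUNK, sizeof(*t)); }

/* True if every byte of the pointer value is the free-junk byte. */
static int is_free_junk(const void *p)
{
	uintptr_t pat;
	memset(&pat, FREEJUNK, sizeof(pat));
	return (uintptr_t)p == pat;
}

/* The queue head as seen by a cleanup pass that runs after the release. */
static struct pdu *first_after_release(void)
{
	struct task *t = calloc(1, sizeof(*t));
	struct pdu *p;
	if (t == NULL)
		return NULL;
	TAILQ_INIT(&t->sendq);
	junk_release(t);		/* first cleanup: task is gone */
	p = TAILQ_FIRST(&t->sendq);	/* second cleanup reads a stale head */
	free(t);
	return p;
}

/* Defensive form: clear the owner's slot so a second pass is a no-op. */
static int task_cleanup(struct task **slot)
{
	if (*slot == NULL)
		return 0;		/* already cleaned up */
	free(*slot);
	*slot = NULL;
	return 1;
}

int main(void)
{
	struct task *t = calloc(1, sizeof(*t));
	int a = task_cleanup(&t), b = task_cleanup(&t);
	printf("stale head is junk: %d; cleanup returned %d then %d\n",
	    is_free_junk(first_after_release()), a, b);
	return 0;
}
```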