Bug 1188498 - recursive bind mount crashes find when auto-mounted
Summary: recursive bind mount crashes find when auto-mounted
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: findutils
Version: 21
Hardware: x86_64
OS: Unspecified
unspecified
medium
Target Milestone: ---
Assignee: Kamil Dudka
QA Contact: Fedora Extras Quality Assurance
URL: https://retrace.fedoraproject.org/faf...
Whiteboard: abrt_hash:e48e975488568af384da257193a...
Depends On:
Blocks:
 
Reported: 2015-02-03 04:05 UTC by Michael Chapman
Modified: 2016-05-11 15:42 UTC

Fixed In Version: findutils-4.5.12-8.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-02-19 18:02:20 UTC
Type: ---
Embargoed:


Attachments
File: backtrace (4.41 KB, text/plain), 2015-02-03 04:05 UTC, Michael Chapman
File: cgroup (190 bytes, text/plain), 2015-02-03 04:05 UTC, Michael Chapman
File: core_backtrace (1.70 KB, text/plain), 2015-02-03 04:05 UTC, Michael Chapman
File: dso_list (811 bytes, text/plain), 2015-02-03 04:05 UTC, Michael Chapman
File: environ (2.23 KB, text/plain), 2015-02-03 04:05 UTC, Michael Chapman
File: limits (1.29 KB, text/plain), 2015-02-03 04:05 UTC, Michael Chapman
File: maps (4.15 KB, text/plain), 2015-02-03 04:05 UTC, Michael Chapman
File: open_fds (224 bytes, text/plain), 2015-02-03 04:05 UTC, Michael Chapman
File: proc_pid_status (902 bytes, text/plain), 2015-02-03 04:05 UTC, Michael Chapman


Links
System ID: Red Hat Bugzilla 890223
Private: 0
Priority: unspecified
Status: CLOSED
Summary: [abrt] coreutils-8.15-9.fc17: leave_dir: Process /usr/bin/du was killed by signal 6 (SIGABRT)
Last Updated: 2021-02-22 00:41:40 UTC

Internal Links: 890223

Description Michael Chapman 2015-02-03 04:05:36 UTC
Description of problem:
find raises SIGABRT if it hits a currently-unmounted, autofs filesystem (e.g. created with a systemd automount unit) that is a bind mount back up into the directory tree being traversed.

For instance, say we have /tmp/a, a tmpfs filesystem, with /tmp/a/b an automounted bind mount back to /tmp/a:

> systemctl cat tmp-a.mount
# /etc/systemd/system/tmp-a.mount
[Mount]
What=tmpfs
Where=/tmp/a
Type=tmpfs

> systemctl cat tmp-a-b.mount
# /etc/systemd/system/tmp-a-b.mount
[Mount]
What=/tmp/a
Where=/tmp/a/b
Type=tmpfs
Options=bind

> systemctl cat tmp-a-b.automount
# /etc/systemd/system/tmp-a-b.automount
[Automount]
Where=/tmp/a/b

We start the mount point /tmp/a, but only the automount unit for /tmp/a/b:

> systemctl start tmp-a.mount tmp-a-b.automount

If find is then run on /tmp/a it crashes:

> find /tmp/a
/tmp/a
/tmp/a/b
/tmp/a/b/b
Aborted (core dumped)

I suspect that find is calling stat on /tmp/a/b (which *does not* mount the filesystem) before descending into it (which does mount it), and the directory's characteristics changing underneath it is confusing it.

Version-Release number of selected component:
findutils-4.5.12-7.fc21

Additional info:
reporter:       libreport-2.3.0
backtrace_rating: 4
cmdline:        find /tmp/a
crash_function: leave_dir
executable:     /usr/bin/find
kernel:         3.18.3-201.fc21.x86_64
runlevel:       N 5
type:           CCpp
uid:            0

Truncated backtrace:
Thread no. 1 (4 frames)
 #2 leave_dir at fts-cycle.c:136
 #3 fts_read at fts.c:1096
 #4 find at ftsfind.c:573
 #5 process_all_startpoints at ftsfind.c:635

Comment 1 Michael Chapman 2015-02-03 04:05:38 UTC
Created attachment 987371 [details]
File: backtrace

Comment 2 Michael Chapman 2015-02-03 04:05:39 UTC
Created attachment 987372 [details]
File: cgroup

Comment 3 Michael Chapman 2015-02-03 04:05:40 UTC
Created attachment 987373 [details]
File: core_backtrace

Comment 4 Michael Chapman 2015-02-03 04:05:41 UTC
Created attachment 987374 [details]
File: dso_list

Comment 5 Michael Chapman 2015-02-03 04:05:42 UTC
Created attachment 987375 [details]
File: environ

Comment 6 Michael Chapman 2015-02-03 04:05:43 UTC
Created attachment 987376 [details]
File: limits

Comment 7 Michael Chapman 2015-02-03 04:05:45 UTC
Created attachment 987377 [details]
File: maps

Comment 8 Michael Chapman 2015-02-03 04:05:46 UTC
Created attachment 987378 [details]
File: open_fds

Comment 9 Michael Chapman 2015-02-03 04:05:47 UTC
Created attachment 987379 [details]
File: proc_pid_status

Comment 10 Kamil Dudka 2015-02-10 12:02:30 UTC
This must be a file system bug -- two distinct directories end up with the same dev/ino pair, which AFAIK should never happen:

$ stat --printf "%d\t%i\t%n\n" /tmp/a{,/b{,/b,},}
16      1126487 /tmp/a
21      1142349 /tmp/a/b
16      1142347 /tmp/a/b/b
16      1126487 /tmp/a/b
16      1126487 /tmp/a

Comment 11 Michael Chapman 2015-02-10 14:37:57 UTC
I would've thought any bind mount would do that.

Whether or not that's the case, I'm sure that's not the problem here. With a regular (non-automounted) bind mount, find handles this situation correctly, reporting "File system loop detected" when descending into the bind mount. The problem only manifests itself if the bind mount is *added* while find is running.

The automount is just a useful way to do this at exactly the right time to trigger the race condition. I strongly suspect that the bug could be hit by a well-timed mount(2) even in the absence of autofs.
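
The stat-then-descend gap suspected in the description and in comment 11, as an added example (not part of the bug thread and not the gnulib patch): a walker that takes a directory's (dev, ino) from fstat on the descriptor it actually opened, so the loop check and the enter/leave bookkeeping both use one identity. The names classify_dir and demo, the /tmp/dircheck-* paths, and the rename() that stands in for the automount firing are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum { DIR_ERROR = -1, DIR_SAME = 0, DIR_CHANGED = 1, DIR_LOOP = 2 };
struct dev_ino { dev_t dev; ino_t ino; };

/* Classify path by the identity of the object actually opened (fstat on the
   fd), not by the earlier lstat in *before. active[0..n) holds the (dev, ino)
   of every directory being walked; *id is what to record on enter and leave. */
static int classify_dir(const char *path, const struct stat *before,
                        const struct dev_ino *active, size_t n, struct dev_ino *id)
{
    struct stat now;
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return DIR_ERROR;
    int rc = fstat(fd, &now); close(fd);
    if (rc != 0) return DIR_ERROR;
    id->dev = now.st_dev; id->ino = now.st_ino;
    for (size_t i = 0; i < n; i++)      /* same identity as an ancestor: loop */
        if (active[i].dev == id->dev && active[i].ino == id->ino) return DIR_LOOP;
    int same = id->dev == before->st_dev && id->ino == before->st_ino;
    return same ? DIR_SAME : DIR_CHANGED;
}

/* Constructed, no root needed: rename() stands in for the automount firing. */
static int demo(int swap, int loop)
{
    char root[] = "/tmp/dircheck-XXXXXX", b[64], c[64];
    struct stat before, top;
    struct dev_ino id, active[1];
    if (!mkdtemp(root)) return DIR_ERROR;
    snprintf(b, sizeof b, "%s/b", root); snprintf(c, sizeof c, "%s/c", root);
    if (mkdir(b, 0700) || mkdir(c, 0700) || lstat(b, &before) || lstat(root, &top))
        return DIR_ERROR;
    active[0].dev = top.st_dev; active[0].ino = top.st_ino;
    if (swap && rename(c, b)) return DIR_ERROR;   /* b changes after lstat */
    int r = classify_dir(loop ? root : b, &before, active, 1, &id);
    rmdir(b); rmdir(c); rmdir(root);
    return r;
}

int main(void)
{
    return printf("same=%d changed=%d loop=%d\n", demo(0, 0), demo(1, 0), demo(0, 1)) < 0;
}
```

With loop set, demo re-opens the start directory itself, which mirrors the stat output in comment 10 where /tmp/a/b resolves to the same dev/ino pair as /tmp/a once the bind mount is in place.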

Comment 12 Kamil Dudka 2015-02-10 15:31:07 UTC
(In reply to Michael Chapman from comment #11)
> I would've thought any bind mount would do that.

Indeed.  I did not realize it was the bind mount that caused the problem.

Comment 13 Kamil Dudka 2015-02-11 15:56:54 UTC
I have proposed a patch upstream:

http://article.gmane.org/gmane.comp.lib.gnulib.bugs/34867

Comment 14 Kamil Dudka 2015-02-16 13:44:42 UTC
fixed in findutils-4.5.14-3.fc23 and findutils-4.5.14-3.fc22

Comment 15 Fedora Update System 2015-02-16 14:25:22 UTC
findutils-4.5.12-8.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/findutils-4.5.12-8.fc21

Comment 16 Fedora Update System 2015-02-17 08:08:50 UTC
Package findutils-4.5.12-8.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing findutils-4.5.12-8.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-2177/findutils-4.5.12-8.fc21
then log in and leave karma (feedback).

Comment 17 Fedora Update System 2015-02-19 18:02:20 UTC
findutils-4.5.12-8.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 Kamil Dudka 2015-02-24 13:01:45 UTC
upstream commit:

http://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=60af6a36

