Red Hat Bugzilla – Bug 1470193
Premature free() in sftp_readdir_async()
Last modified: 2017-07-13 10:25:06 EDT
Description of problem: Segfault of sshfs mount. Version-Release number of selected component (if applicable): fuse-sshfs-2.5-1.el7.x86_64 and earlier. How reproducible: Sometimes. Difficult. Steps to Reproduce: 1. Mount sshfs mount 2. Transfer data Actual results: Data transferred. Expected results: Segfault. Additional info: Upstream developer analysis: https://github.com/libfuse/sshfs/issues/7#issuecomment-314758425 My own valgrind-memcheck result: ==19702== Invalid read of size 4 ==19702== at 0x114AE6: sftp_readdir_async (sshfs.c:2092) ==19702== by 0x114AE6: sshfs_getdir (sshfs.c:2157) ==19702== by 0x1157F1: cache_getdir (cache.c:327) ==19702== by 0x4E42972: fuse_fs_readdir (fuse.c:2014) ==19702== by 0x4E42AAA: readdir_fill (fuse.c:3460) ==19702== by 0x4E42AAA: fuse_lib_readdir (fuse.c:3486) ==19702== by 0x4E496A5: do_readdir (fuse_lowlevel.c:1389) ==19702== by 0x4E4ABDA: fuse_ll_process_buf (fuse_lowlevel.c:2441) ==19702== by 0x4E47470: fuse_do_work (fuse_loop_mt.c:117) ==19702== by 0x55B2DC4: start_thread (pthread_create.c:308) ==19702== by 0x58BE76C: clone (clone.S:113) ==19702== Address 0x7e4c4c0 is 0 bytes inside a block of size 136 free'd ==19702== at 0x4C29CDD: free (vg_replace_malloc.c:530) ==19702== by 0x52C341D: g_free (gmem.c:189) ==19702== by 0x10E055: process_one_request (sshfs.c:1384) ==19702== by 0x10E055: process_requests (sshfs.c:1414) ==19702== by 0x55B2DC4: start_thread (pthread_create.c:308) ==19702== by 0x58BE76C: clone (clone.S:113) ==19702== Block was alloc'd at ==19702== at 0x4C2A975: calloc (vg_replace_malloc.c:711) ==19702== by 0x52C3365: g_malloc0 (gmem.c:124) ==19702== by 0x11027A: sftp_request_send (sshfs.c:1835) ==19702== by 0x1149B7: sftp_readdir_send (sshfs.c:2039) ==19702== by 0x1149B7: sftp_readdir_async (sshfs.c:2067) ==19702== by 0x1149B7: sshfs_getdir (sshfs.c:2157) ==19702== by 0x1157F1: cache_getdir (cache.c:327) ==19702== by 0x4E42972: fuse_fs_readdir (fuse.c:2014) ==19702== by 0x4E42AAA: readdir_fill (fuse.c:3460) ==19702== by 0x4E42AAA: fuse_lib_readdir (fuse.c:3486) ==19702== by 0x4E496A5: do_readdir (fuse_lowlevel.c:1389) ==19702== by 0x4E4ABDA: fuse_ll_process_buf (fuse_lowlevel.c:2441) ==19702== by 0x4E47470: fuse_do_work (fuse_loop_mt.c:117) ==19702== by 0x55B2DC4: start_thread (pthread_create.c:308) ==19702== by 0x58BE76C: clone (clone.S:113)
Upstream fix in commit cc5d6bbbc5b7e78296f5245988b9ba947076a1b8. https://github.com/libfuse/sshfs/commit/cc5d6bbbc5b7e78296f5245988b9ba947076a1b8
Looks like I flipped the "expected" and "actual" in my initial report. Expected result is that data transfers. Actual is the segfault. Though it looks like it only happens during listings of large directories.