Package: sshfs
Version: 3.7.1+repack-1
Severity: important

Dear Maintainer,

the following steps crash sshfs with SIGSEGV when a file is open while the folder containing it is renamed.

Steps to reproduce:

#!/usr/bin/python3
import os
os.mkdir('old_name')
f = open('old_name/f', 'w')
os.rename('old_name', 'new_name')
f.close()  # crashes here

Output from gdb:

user@media:~/sshfs/sshfs-fuse-3.7.1+repack/build$ gdb -ex r --args sshfs mia.arbitrary.ch:/ /home/user/b -f -d -o max_conns=2
GNU gdb (Debian 10.1-1.7) 10.1.90.20210103-git
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from sshfs...
Reading symbols from /usr/lib/debug/.build-id/0c/1ef7b947ed8cfbdddaa25f2bf189b9bf14347e.debug...
Starting program: /usr/bin/sshfs mia.arbitrary.ch:/ /home/user/b -f -d -o max_conns=2
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
SSHFS version 3.7.1
[Detaching after fork from child process 15132]
[Detaching after fork from child process 15134]
executing <ssh> <-x> <-a> <-oClearAllForwardings=yes> <-2> <mia.arbitrary.ch> <-s> <sftp>
Server version: 3
Extension: posix-ren...@openssh.com <1>
Extension: stat...@openssh.com <2>
Extension: fstat...@openssh.com <2>
Extension: hardl...@openssh.com <1>
Extension: fs...@openssh.com <1>
Extension: lsets...@openssh.com <1>
[New Thread 0x7ffff7be1700 (LWP 15136)]
[New Thread 0x7ffff72de700 (LWP 15137)]
[New Thread 0x7ffff69db700 (LWP 15138)]
[00001] LSTAT
  [00001] ATTRS 41bytes (3ms)
[00002] LSTAT
  [00002] ATTRS 41bytes (2ms)
[00003] LSTAT
  [00003] ATTRS 41bytes (1ms)
[00004] LSTAT
  [00004] ATTRS 41bytes (1ms)
[00005] LSTAT
  [00005] STATUS 33bytes (3ms)
[00006] LSTAT
  [00006] STATUS 33bytes (3ms)
[00007] MKDIR
  [00007] STATUS 28bytes (2ms)
[00008] LSTAT
  [00008] ATTRS 41bytes (2ms)
[00009] LSTAT
  [00009] STATUS 33bytes (1ms)
[00010] OPEN
[00011] LSTAT
  [00010] HANDLE 17bytes (1ms)
  [00011] ATTRS 41bytes (1ms)
[00012] FSTAT
  [00012] ATTRS 41bytes (1ms)
[Detaching after fork from child process 15140]
executing <ssh> <-x> <-a> <-oClearAllForwardings=yes> <-2> <mia.arbitrary.ch> <-s> <sftp>
Server version: 3
Extension: posix-ren...@openssh.com <1>
Extension: stat...@openssh.com <2>
Extension: fstat...@openssh.com <2>
Extension: hardl...@openssh.com <1>
Extension: fs...@openssh.com <1>
Extension: lsets...@openssh.com <1>
[New Thread 0x7ffff61da700 (LWP 15142)]
[00013] LSTAT
  [00013] STATUS 33bytes (1ms)
[00014] EXTENDED
  [00014] STATUS 28bytes (1ms)
[New Thread 0x7ffff59d9700 (LWP 15143)]
[00015] CLOSE

Thread 2 "sshfs" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff7be1700 (LWP 15136)]
--Type <RET> for more, q to quit, c to continue without paging--c
0x0000555555560423 in sshfs_release (path=0x7ffff0000f60 "/media/_unsorted/_in/new_name/f", fi=0x7ffff7be0d30) at ../sshfs.c:2890
2890	        ce->refcount--;
(gdb) t 2
[Switching to thread 2 (Thread 0x7ffff7be1700 (LWP 15136))]
#0  0x0000555555560423 in sshfs_release (path=0x7ffff0000f60 "/media/_unsorted/_in/new_name/f", fi=0x7ffff7be0d30) at ../sshfs.c:2890
2890	        ce->refcount--;
(gdb) bt
#0  0x0000555555560423 in sshfs_release (path=0x7ffff0000f60 "/media/_unsorted/_in/new_name/f", fi=0x7ffff7be0d30) at ../sshfs.c:2890
#1  0x00007ffff7f82cba in fuse_do_release (f=0x555555571080, ino=6, path=0x7ffff0000f60 "/media/_unsorted/_in/new_name/f", fi=<optimized out>) at ../lib/fuse.c:3142
#2  0x00007ffff7f85cb6 in fuse_lib_release (req=0x7ffff0001fb0, ino=6, fi=0x7ffff7be0d30) at ../lib/fuse.c:4121
#3  0x00007ffff7f8c8c6 in do_release (req=<optimized out>, nodeid=<optimized out>, inarg=<optimized out>) at ../lib/fuse_lowlevel.c:1455
#4  0x00007ffff7f8ea73 in fuse_session_process_buf_int (se=0x555555571460, buf=buf@entry=0x555555591bb0, ch=<optimized out>) at ../lib/fuse_lowlevel.c:2666
#5  0x00007ffff7f8a383 in fuse_do_work (data=0x555555591b90) at ../lib/fuse_loop_mt.c:163
#6  0x00007ffff7f5cea7 in start_thread (arg=<optimized out>) at pthread_create.c:477
#7  0x00007ffff7d5ddef in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
(gdb) print ce
$1 = <optimized out>
(gdb) print ce->refcount
value has been optimized out
(gdb) list
2885	    chunk_put_locked(sf->readahead);
2886	    if (sshfs.max_conns > 1) {
2887	        pthread_mutex_lock(&sshfs.lock);
2888	        sf->conn->file_count--;
2889	        ce = g_hash_table_lookup(sshfs.conntab, path);
2890	        ce->refcount--;
2891	        if(ce->refcount == 0) {
2892	            g_hash_table_remove(sshfs.conntab, path);
2893	            g_free(ce);
2894	        }

Output from dmesg:

[15894.745037] sshfs[11446]: segfault at 0 ip 00005ce63a6cd423 sp 00007579c9fc9c20 error 6 in sshfs[5ce63a6c5000+b000]

Looks to me like `ce` on line 2890 shown above is NULL.

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.13-1.fc25.qubes.x86_64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages sshfs depends on:
ii  fuse3           3.10.1-3
ii  libc6           2.31-9
ii  libfuse3-3      3.10.1-3
ii  libglib2.0-0    2.66.6-2
ii  openssh-client  1:8.4p1-3

sshfs recommends no packages.

sshfs suggests no packages.

-- no debconf information
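To make the failure mode in the report concrete, here is an added C model (not sshfs code, all names hypothetical) of a connection table keyed by path string, as sshfs.conntab is in the listing above: open() records the entry under the original path, a directory rename leaves that key stale, and a release() under the new path gets NULL from the lookup. The model's release() reports the miss instead of dereferencing it, and model_rename_dir() shows one way to rekey entries so the later lookup succeeds.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for sshfs.conntab: connection refcounts keyed by the
 * path string. Names are hypothetical; this is not sshfs's own code. */
struct conn_entry { char *path; int refcount; struct conn_entry *next; };
static struct conn_entry *conntab = NULL;

struct conn_entry *conntab_lookup(const char *path) {
    for (struct conn_entry *ce = conntab; ce; ce = ce->next)
        if (strcmp(ce->path, path) == 0) return ce;
    return NULL;
}

/* open(): insert or bump the entry under the path the file was opened with. */
void model_open(const char *path) {
    struct conn_entry *ce = conntab_lookup(path);
    if (!ce) {
        ce = calloc(1, sizeof *ce);
        ce->path = malloc(strlen(path) + 1); strcpy(ce->path, path);
        ce->next = conntab; conntab = ce;
    }
    ce->refcount++;
}

/* rename(): rekey entries below the renamed directory so that a later
 * release() under the new path still finds them. */
void model_rename_dir(const char *olddir, const char *newdir) {
    size_t n = strlen(olddir);
    for (struct conn_entry *ce = conntab; ce; ce = ce->next) {
        if (strncmp(ce->path, olddir, n) != 0 || ce->path[n] != '/') continue;
        char *p = malloc(strlen(newdir) + strlen(ce->path + n) + 1);
        strcpy(p, newdir); strcat(p, ce->path + n);
        free(ce->path); ce->path = p;
    }
}

/* release(): the report's sshfs.c:2890 does ce->refcount-- on the raw lookup
 * result. Here a miss returns -1 instead of dereferencing NULL; 0 on success. */
int model_release(const char *path) {
    struct conn_entry *ce = conntab_lookup(path);
    if (!ce) return -1;
    if (--ce->refcount == 0) {
        struct conn_entry **pp = &conntab;
        while (*pp != ce) pp = &(*pp)->next;
        *pp = ce->next;
        free(ce->path); free(ce);
    }
    return 0;
}
```

With the table keyed by the open-time path, the first release under the renamed path misses exactly as in the report; after rekeying on rename, the same release finds and frees the entry.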