[Bug 1695789] Re: multipath random crashes on use-after-free

Rafael David Tinoco rafael.tinoco at canonical.com
Tue Jun 20 12:35:22 UTC 2017 

** Tags added: sts-sponsor

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to multipath-tools in Ubuntu.
https://bugs.launchpad.net/bugs/1695789

Title:
  multipath random crashes on use-after-free

Status in multipath-tools package in Ubuntu:
  In Progress

Bug description:
  It has brought to my attention that multipath in trusty has been
  crashing randomly. Some dumps were given to me and I was able to
  generate some others. I have also generated valgrind output to help me
  with these random crashes.

  Crashes:

  #0  malloc_consolidate (av=av at entry=0x7f5b58000020) at malloc.c:4149
  #1  0x00007f5b62df3cf8 in _int_malloc (av=0x7f5b58000020, bytes=16384) at malloc.c:3423
  #2  0x00007f5b62df66d0 in __GI___libc_malloc (bytes=16384) at malloc.c:2891
  #3  0x00007f5b638134d7 in dm_task_run () from /lib/x86_64-linux-gnu/libdevmapper.so.1.02.1
  #4  0x00007f5b6314be5c in dm_map_present (str=0x7f5b58000990 "lun02") at devmapper.c:304
  #5  0x0000000000404ac7 in ev_add_map (dev=, alias=, vecs=) at main.c:257
  #6  0x0000000000000000 in ?? ()

  And:

  #0  0x00007f13a5933c37 in __GI_raise (sig=sig at entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
  #1  0x00007f13a5937028 in __GI_abort () at abort.c:89
  #2  0x00007f13a59702a4 in __libc_message (do_abort=do_abort at entry=1, fmt=fmt at entry=0x7f13a5a81ef0 "") at ../sysdeps/posix/libc_fatal.c:175
  #3  0x00007f13a597c56e in malloc_printerr (ptr=<optimized out>, str=0x7f13a5a82020 "double free or corruption (out)", action=1) at malloc.c:4996
  #4  _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at malloc.c:3840
  #5  0x00007f13a5cdbe86 in free_multipath (mpp=0x7f138c033d60, free_paths=0) at structs.c:174
  #6  0x00007f13a5cfe117 in _remove_map (mpp=0x7f138c033d60, vecs=0x8adaa0, stop_waiter=1, purge_vec=1) at structs_vec.c:143
  #7  0x00007f13a5cfe175 in remove_map_and_stop_waiter (mpp=0x7f138c033d60, vecs=0x8adaa0, purge_vec=1) at structs_vec.c:156
  #8  0x0000000000406b4d in mpvec_garbage_collector (vecs=<error reading variable: can't compute CFA for this frame>) at main.c:950
  ...
  #14 0x00000000004076b7 in checkerloop (ap=<error reading variable: can't compute CFA for this frame>) at main.c:1163

  Please follow my analysis in the subsequent comments.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/multipath-tools/+bug/1695789/+subscriptions

More information about the foundations-bugs mailing list