[Bug 829061] Re: double free of mpp->dmi in free_multipath()
dann frazier
dann.frazier at canonical.com
Thu Aug 18 22:12:50 UTC 2011
** Description changed:
- I obtained a coredump from a system where multipathd had crashed and
- received the following backtrace:
+ I obtained a coredump from a system where natty's multipathd had crashed
+ and received the following backtrace:
0 0x00007f802925da75 in *__GI_raise (sig=<value optimized out>)
- at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
+ at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1 0x00007f80292615c0 in *__GI_abort () at abort.c:92
#2 0x00007f80292974fb in __libc_message (do_abort=<value optimized out>,
- fmt=<value optimized out>) at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
+ fmt=<value optimized out>) at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
#3 0x00007f80292a15b6 in malloc_printerr (action=3,
- str=0x7f8029374c70 "double free or corruption (fasttop)",
- ptr=<value optimized out>) at malloc.c:6266
+ str=0x7f8029374c70 "double free or corruption (fasttop)",
+ ptr=<value optimized out>) at malloc.c:6266
#4 0x00007f80292a7e83 in *__GI___libc_free (mem=<value optimized out>)
- at malloc.c:3738
+ at malloc.c:3738
#5 0x00000000004173a5 in xfree (p=0x147bcb0) at memory.c:52
#6 0x00000000004286cd in free_multipath (mpp=0x14ce1b0, free_paths=0)
- at structs.c:172
+ at structs.c:172
#7 0x0000000000429285 in remove_map (mpp=0x14ce1b0, vecs=0x147b620,
- stop_waiter=0, purge_vec=1) at structs_vec.c:141
+ stop_waiter=0, purge_vec=1) at structs_vec.c:141
#8 0x0000000000404e06 in ev_add_path (devname=0x16fae48 "sdi", vecs=0x147b620)
- at main.c:438
+ at main.c:438
#9 0x0000000000404913 in uev_add_path (dev=0x16fabc0, vecs=0x147b620)
- at main.c:327
+ at main.c:327
#10 0x000000000040584c in uev_trigger (uev=0x7f801c009940,
- trigger_data=0x147b620) at main.c:684
+ trigger_data=0x147b620) at main.c:684
#11 0x000000000042b679 in service_uevq () at uevent.c:77
#12 0x000000000042b714 in uevq_thread (et=0x0) at uevent.c:101
---Type <return> to continue, or q <return> to quit---
#13 0x00007f8029e579ca in start_thread () from /lib/libpthread.so.0
#14 0x00007f802931070d in clone ()
- at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
+ at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#15 0x0000000000000000 in ?? ()
So it looks like we are trying to free a non-NULL value here:
- if (mpp->dmi)
- FREE(mpp->dmi);
+ if (mpp->dmi)
+ FREE(mpp->dmi);
What's suspicious is that, after freeing that, we don't set it to NULL.
I took a look at upstream git, and found that they do now set it to NULL
after freeing it. This was part of the following commit:
commit b7ca0eaae6ccd8dca60df3e2ee93220eadd691ee
Author: Hannes Reinecke <hare at suse.de>
Date: Wed Jan 28 09:24:10 2009 +0100
- Plug memory leaks
+ Plug memory leaks
- Running the internal memory checker revealed quite some memory
- leaks.
+ Running the internal memory checker revealed quite some memory
+ leaks.
- Signed-off-by: Hannes Reinecke <hare at suse.de>
+ Signed-off-by: Hannes Reinecke <hare at suse.de>
+
+ Note that this change is already included in oneiric.
** Summary changed:
- double free of mpp->dmi in free_multipath()
+ [SRU] double free of mpp->dmi in free_multipath()
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to multipath-tools in Ubuntu.
https://bugs.launchpad.net/bugs/829061
Title:
[SRU] double free of mpp->dmi in free_multipath()
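The stale-pointer pattern described in the report, next to the free-then-NULL form it attributes to upstream, as an added example that is not multipath-tools code. The struct names, the slot pool standing in for malloc/free, and the assumption that an earlier code path already released the member are all hypothetical; the report does not say where the first free happened.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical stand-ins: only the dmi member matters for this example. */
struct dm_info_stub { int open_count; };
struct mp_stub { struct dm_info_stub *dmi; };

/* Tiny slot pool instead of malloc/free, so a repeated release can be
 * counted deterministically rather than corrupting the real heap. */
#define POOL_SLOTS 4
static struct dm_info_stub pool[POOL_SLOTS];
static int live[POOL_SLOTS];
static int double_frees;

static struct dm_info_stub *pool_alloc(void)
{
    for (int i = 0; i < POOL_SLOTS; i++)
        if (!live[i]) { live[i] = 1; return &pool[i]; }
    return NULL;
}

static void pool_free(struct dm_info_stub *p)
{
    int slot = (int)(p - pool);
    if (!live[slot]) { double_frees++; return; }  /* already released */
    live[slot] = 0;
}

/* Pattern from the report: the member is released but keeps its old value. */
static void drop_dmi_stale(struct mp_stub *mpp)
{
    if (mpp->dmi)
        pool_free(mpp->dmi);
}

/* Free-then-clear: a later non-NULL check can no longer see a dead pointer. */
static void drop_dmi_cleared(struct mp_stub *mpp)
{
    if (mpp->dmi) {
        pool_free(mpp->dmi);
        mpp->dmi = NULL;
    }
}

/* Release the member once (assumed earlier code path), then again from
 * teardown, and return how many double frees that sequence produced. */
int run_teardown(int clear_after_free)
{
    void (*drop)(struct mp_stub *) =
        clear_after_free ? drop_dmi_cleared : drop_dmi_stale;
    struct mp_stub mpp = { pool_alloc() };

    double_frees = 0;
    drop(&mpp);   /* earlier release */
    drop(&mpp);   /* teardown reaches the same member again */
    return double_frees;
}

int main(void)
{
    printf("stale pointer:   %d double free(s)\n", run_teardown(0));
    printf("cleared pointer: %d double free(s)\n", run_teardown(1));
    return 0;
}
```

With glibc's real allocator the second release in the stale case is what produces the "double free or corruption (fasttop)" abort seen in frame #3 of the backtrace.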