Crashes occasionally on boot due to a bad free() call

Bug #1322798 reported by Michael Terry on 2014-05-24
This bug affects 1 person
Affects                      Status   Importance   Assigned to   Milestone
cgmanager (Ubuntu)                    High         Unassigned
Trusty                                High         Unassigned

Bug Description

============================================================================
SRU Justification:
Impact: cgmanager crashes
Detailed explanation: The close handler calls nih_free(io), which can result in calling the error handler. The error handler dereferences the data struct. Therefore the data struct must be freed after calling nih_free(io).
Test case: This is a hard-to-reproduce, timing-related bug. Reboot a VM with cgmanager installed 30 times, running the cgmanager test suite each time. Check the logs for a cgmanager crash.
Regression potential: Freeing the io struct before the data struct should be safe and cause no regressions.
============================================================================

In testing the split greeter silo, I'm seeing an occasional (1 in 20 boots?) crash in cgmanager, which sometimes also causes problems starting a pam session for the greeter.

Here's the stacktrace I've got:

#0 __libc_do_syscall ()
    at ../ports/sysdeps/unix/sysv/linux/arm/libc-do-syscall.S:44
#1 0xb6e870fe in __GI_raise (sig=sig@entry=6)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#2 0xb6e89956 in __GI_abort () at abort.c:89
#3 0xb6eadde0 in __libc_message (do_abort=<optimized out>,
    fmt=0xb6f2f2b8 "*** Error in `%s': %s: 0x%s ***\n")
    at ../sysdeps/posix/libc_fatal.c:175
#4 0xb6eb498e in malloc_printerr (action=1,
    str=0xb6f2f450 "free(): corrupted unsorted chunks", ptr=<optimized out>)
    at malloc.c:4996
#5 0xb6eb53b4 in _int_free (av=<optimized out>, p=<optimized out>,
    have_lock=0) at malloc.c:3840
#6 0xb6f8ccae in nih_alloc_context_free (ctx=0xb73502a0) at alloc.c:490
#7 nih_free (ptr=0xb73502b8) at alloc.c:332
#8 0xb6fe8b5a in scm_sock_close (data=0xb7354978, io=0xb73502b8)
    at frontend.c:114
#9 0xb6fe8d48 in sock_scm_reader (data=0xb7354978, io=0xb73502b8,
    buf=0xb7352910 "p", len=1) at frontend.c:177
#10 0xb6f91324 in nih_io_watcher (io=0xb73502b8, watch=0xb734c760,
    events=NIH_IO_READ) at io.c:961
#11 0xb6f90090 in nih_io_handle_fds (readfds=readfds@entry=0xbed9aa18,
    writefds=writefds@entry=0xbed9aa98, exceptfds=exceptfds@entry=0xbed9ab18)
    at io.c:237
#12 0xb6f9322a in nih_main_loop () at main.c:586
#13 0xb6fdea6c in main (argc=4, argv=0xbed9ada4) at cgmanager.c:933
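The free-order bug described in the SRU justification, modelled as a small stand-alone C program (an added illustration, not cgmanager's or libnih's code): `scm_data`, `fake_io`, `sim_free_data`, `sim_nih_free_io` and `close_channel` are hypothetical stand-ins, and the error handler's dereference is recorded through a liveness flag instead of being performed on really freed memory. Freeing the data struct before the io channel lets the handler run against dead data; the fixed order frees the channel first.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the per-connection data struct and the libnih
 * io channel; they model the bug report, not cgmanager's real types. */
struct scm_data { int fd; bool live; };
struct fake_io { struct scm_data *data; void (*error_handler)(struct scm_data *); };
static int uaf_events;  /* dereferences of data after it was "freed" */

/* Simulated free(): marks the block dead instead of returning it to malloc,
 * so a later dereference is counted rather than corrupting the heap. */
static void sim_free_data(struct scm_data *d) { d->live = false; }

/* Error handler libnih may run while tearing the channel down. The real one
 * dereferences `data` unconditionally; the liveness test is simulation-only. */
static void on_error(struct scm_data *d)
{
    if (!d->live) { uaf_events++; return; }
    d->fd = -1;  /* a write like this into freed memory corrupts malloc state */
}

/* Stand-in for nih_free(io): it may invoke the error handler, which is why
 * the order of the two frees matters. */
static void sim_nih_free_io(struct fake_io *io)
{
    if (io->error_handler) io->error_handler(io->data);
    free(io);
}

/* Close one channel with the given free order; returns the number of
 * use-after-free dereferences observed (1 for the original order, 0 fixed). */
int close_channel(bool io_first)
{
    struct scm_data d = { .fd = 7, .live = true };
    struct fake_io *io = calloc(1, sizeof *io);
    if (!io) abort();
    io->data = &d; io->error_handler = on_error;
    uaf_events = 0;
    if (io_first) { sim_nih_free_io(io); sim_free_data(&d); }  /* fixed order */
    else          { sim_free_data(&d);   sim_nih_free_io(io); }  /* original */
    return uaf_events;
}

int main(void)
{
    printf("UAF count: original=%d fixed=%d\n", close_channel(false), close_channel(true));
    return 0;
}
```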

Michael Terry (mterry) wrote :

I forgot to add the bug number to the upload.

cgmanager (0.26-0ubuntu3) utopic; urgency=medium

  * debian/patches/0002-fix-crash-on-free.patch:
    - Fix possible crash when freeing an IO channel

Changed in cgmanager (Ubuntu):
status: New → Fix Released
Serge Hallyn (serge-hallyn) wrote :

Thanks, Michael! Based on the patch this must also affect trusty, so marking it as such.

Changed in cgmanager (Ubuntu):
importance: Undecided → High
Changed in cgmanager (Ubuntu Trusty):
importance: Undecided → High
status: New → Confirmed
description: updated

Hello Michael, or anyone else affected,

Accepted cgmanager into trusty-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/cgmanager/0.24-0ubuntu7 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in cgmanager (Ubuntu Trusty):
status: Confirmed → Fix Committed
tags: added: verification-needed
Stéphane Graber (stgraber) wrote :

Been running this in the LXC CI environment (thousands of cgroup creations/deletions per hour) without a problem for a week, marking as tested.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cgmanager - 0.24-0ubuntu7

---------------
cgmanager (0.24-0ubuntu7) trusty-proposed; urgency=medium

  [ Michael Terry ]
  * debian/patches/0007-fix-crash-on-free.patch: (LP: #1322798)
    - Fix possible crash when freeing an IO channel
 -- Serge Hallyn <email address hidden> Tue, 27 May 2014 12:33:21 -0500

Changed in cgmanager (Ubuntu Trusty):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for cgmanager has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
