Crashes occasionally on boot due to a bad free() call

Bug #1322798 reported by Michael Terry on 2014-05-24
This bug affects 1 person
Affects Status Importance Assigned to Milestone
cgmanager (Ubuntu)

Bug Description

SRU Justification:
Impact: cgmanager crashes
Detailed explanation: The close handler calls nih_free(io), which can result in calling the error handler. The error handler dereferences the data struct. Therefore the data struct must be freed after calling nih_free(io).
Test case: This is a hard to reproduce, timing-related bug. Reboot a vm with cgmanager installed 30 times, running the cgmanager test-suite each time. Check the logs for a cgmanager crash.
Regression potential: Freeing the io struct before the data struct should be safe and cause no regressions.

In testing the split greeter silo, I'm seeing an occasional (1 in 20 boots?) crash in cgmanager, which sometimes also causes problems starting a pam session for the greeter.

Here's the stacktrace I've got:

#0 __libc_do_syscall ()
    at ../ports/sysdeps/unix/sysv/linux/arm/libc-do-syscall.S:44
#1 0xb6e870fe in __GI_raise (sig=sig@entry=6)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#2 0xb6e89956 in __GI_abort () at abort.c:89
#3 0xb6eadde0 in __libc_message (do_abort=<optimized out>,
    fmt=0xb6f2f2b8 "*** Error in `%s': %s: 0x%s ***\n")
    at ../sysdeps/posix/libc_fatal.c:175
#4 0xb6eb498e in malloc_printerr (action=1,
    str=0xb6f2f450 "free(): corrupted unsorted chunks", ptr=<optimized out>)
    at malloc.c:4996
#5 0xb6eb53b4 in _int_free (av=<optimized out>, p=<optimized out>,
    have_lock=0) at malloc.c:3840
#6 0xb6f8ccae in nih_alloc_context_free (ctx=0xb73502a0) at alloc.c:490
#7 nih_free (ptr=0xb73502b8) at alloc.c:332
#8 0xb6fe8b5a in scm_sock_close (data=0xb7354978, io=0xb73502b8)
    at frontend.c:114
#9 0xb6fe8d48 in sock_scm_reader (data=0xb7354978, io=0xb73502b8,
    buf=0xb7352910 "p", len=1) at frontend.c:177
#10 0xb6f91324 in nih_io_watcher (io=0xb73502b8, watch=0xb734c760,
    events=NIH_IO_READ) at io.c:961
#11 0xb6f90090 in nih_io_handle_fds (readfds=readfds@entry=0xbed9aa18,
    writefds=writefds@entry=0xbed9aa98, exceptfds=exceptfds@entry=0xbed9ab18)
    at io.c:237
#12 0xb6f9322a in nih_main_loop () at main.c:586
#13 0xb6fdea6c in main (argc=4, argv=0xbed9ada4) at cgmanager.c:933

Michael Terry (mterry) wrote :

I forgot to add the bug number to the upload.

cgmanager (0.26-0ubuntu3) utopic; urgency=medium

  * debian/patches/0002-fix-crash-on-free.patch:
    - Fix possible crash when freeing an IO channel

Changed in cgmanager (Ubuntu):
status: New → Fix Released
Serge Hallyn (serge-hallyn) wrote :

Thanks, Michael! Based on the patch this must also affect trusty, so marking it as such.

Changed in cgmanager (Ubuntu):
importance: Undecided → High
Changed in cgmanager (Ubuntu Trusty):
importance: Undecided → High
status: New → Confirmed
description: updated

Hello Michael, or anyone else affected,

Accepted cgmanager into trusty-proposed. The package will build now and be available at in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at . Thank you in advance!

Changed in cgmanager (Ubuntu Trusty):
status: Confirmed → Fix Committed
tags: added: verification-needed
Stéphane Graber (stgraber) wrote :

Been running this in the LXC CI environment (thousands of cgroup creation/deletion per hour) without a problem for a week, marking as tested.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cgmanager - 0.24-0ubuntu7

cgmanager (0.24-0ubuntu7) trusty-proposed; urgency=medium

  [ Michael Terry ]
  * debian/patches/0007-fix-crash-on-free.patch: (LP: #1322798)
    - Fix possible crash when freeing an IO channel
 -- Serge Hallyn <email address hidden> Tue, 27 May 2014 12:33:21 -0500

Changed in cgmanager (Ubuntu Trusty):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for cgmanager has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers