Crashes occasionally on boot due to a bad free() call
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
cgmanager (Ubuntu) | Fix Released | High | Unassigned |
Trusty | Fix Released | High | Unassigned |
Bug Description
=======
SRU Justification:
Impact: cgmanager crashes
Detailed explanation: The close handler frees the per-connection data struct and then calls nih_free(io). Freeing the io can invoke the error handler, and the error handler dereferences the data struct, so it reads memory that has already been freed (a use-after-free, which glibc later reports as heap corruption inside free()). Therefore the data struct must be freed only after nih_free(io) has returned.
Test case: This is a hard to reproduce, timing-related bug. Reboot a vm with cgmanager installed 30 times, running the cgmanager test-suite each time. Check the logs for a cgmanager crash.
Regression potential: Freeing the io struct before the data struct should be safe and cause no regressions.
=======
In testing the split greeter silo, I'm seeing an occasional (1 in 20 boots?) crash in cgmanager, which sometimes also causes problems starting a pam session for the greeter.
Here's the stacktrace I've got:
#0  __libc_do_syscall ()
    at ../ports/
#1  0xb6e870fe in __GI_raise (sig=sig@entry=6)
    at ../nptl/
#2  0xb6e89956 in __GI_abort () at abort.c:89
#3  0xb6eadde0 in __libc_message (do_abort=
    fmt=0xb6f2f2b8 "*** Error in `%s': %s: 0x%s ***\n")
    at ../sysdeps/
#4  0xb6eb498e in malloc_printerr (action=1,
    str=0xb6f2f450 "free(): corrupted unsorted chunks", ptr=<optimized out>)
    at malloc.c:4996
#5  0xb6eb53b4 in _int_free (av=<optimized out>, p=<optimized out>,
    have_lock=0) at malloc.c:3840
#6  0xb6f8ccae in nih_alloc_
#7  nih_free (ptr=0xb73502b8) at alloc.c:332
#8  0xb6fe8b5a in scm_sock_close (data=0xb7354978, io=0xb73502b8)
    at frontend.c:114
#9  0xb6fe8d48 in sock_scm_reader (data=0xb7354978, io=0xb73502b8,
    buf=0xb7352910 "p", len=1) at frontend.c:177
#10 0xb6f91324 in nih_io_watcher (io=0xb73502b8, watch=0xb734c760,
    events=
#11 0xb6f90090 in nih_io_handle_fds (readfds=
    writefds=
    at io.c:237
#12 0xb6f9322a in nih_main_loop () at main.c:586
#13 0xb6fdea6c in main (argc=4, argv=0xbed9ada4) at cgmanager.c:933
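The ordering problem in the SRU justification, as an added example that is not cgmanager or libnih code: a channel struct stands in for NihIo, channel_free() stands in for nih_free(io), and the error handler reads the per-connection data struct. close_buggy() frees the data first and then the channel, so the handler runs against freed memory; close_fixed() releases the channel first. Because reading freed memory is undefined behaviour, the example tracks freed pointers in a small shadow list (an assumption for the demo) and counts the handler's accesses to them instead of actually dereferencing them; in the real daemon that read corrupts the heap, which is what glibc reports as "free(): corrupted unsorted chunks" in the trace above. All struct, function and field names here are illustrative.

```c
/* Added example, not cgmanager/libnih code: models freeing the data struct
 * before the io object whose teardown still runs an error handler on it. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_FREED 16

/* Shadow list of pointers released via tracked_free() (demo assumption). */
static void *freed_ptrs[MAX_FREED];
static int   n_freed;
static int   uaf_hits;   /* handler touched memory that was already freed */

static void tracked_free(void *p)
{
    if (n_freed < MAX_FREED)
        freed_ptrs[n_freed++] = p;
    free(p);
}

static int was_freed(const void *p)
{
    for (int i = 0; i < n_freed; i++)
        if (freed_ptrs[i] == p)
            return 1;
    return 0;
}

static void reset_tracker(void)
{
    n_freed = 0;
    uaf_hits = 0;
}

struct conn_data {           /* per-connection state (constructed sample) */
    int  fd;
    char peer[32];
};

struct channel;
typedef void (*error_handler_fn)(struct conn_data *data, struct channel *io);

struct channel {             /* stands in for NihIo */
    struct conn_data *data;
    error_handler_fn  on_error;
};

/* Stands in for nih_free(io): tearing down the channel may run its handler. */
static void channel_free(struct channel *io)
{
    if (io->on_error)
        io->on_error(io->data, io);
    tracked_free(io);
}

static void log_error(struct conn_data *data, struct channel *io)
{
    (void)io;
    if (was_freed(data)) {   /* would be a use-after-free in real code */
        uaf_hits++;
        return;
    }
    printf("error on fd %d from %s\n", data->fd, data->peer);
}

static struct channel *make_channel(void)
{
    struct conn_data *data = calloc(1, sizeof(*data));
    struct channel *io = calloc(1, sizeof(*io));
    if (!data || !io) {
        free(data);
        free(io);
        return NULL;
    }
    data->fd = 7;
    strcpy(data->peer, "constructed-peer");
    io->data = data;
    io->on_error = log_error;
    return io;
}

/* Original ordering: data struct first, then the io. Returns UAF count. */
int close_buggy(void)
{
    reset_tracker();
    struct channel *io = make_channel();
    if (!io) return -1;
    struct conn_data *data = io->data;
    tracked_free(data);      /* data goes away ...                      */
    channel_free(io);        /* ... and the error handler still reads it */
    return uaf_hits;
}

/* Fixed ordering: release the io (running its handlers) before the data. */
int close_fixed(void)
{
    reset_tracker();
    struct channel *io = make_channel();
    if (!io) return -1;
    struct conn_data *data = io->data;
    channel_free(io);        /* handler runs while data is still valid */
    tracked_free(data);
    return uaf_hits;
}

int main(void)
{
    printf("buggy order: %d use-after-free access(es)\n", close_buggy());
    printf("fixed order: %d use-after-free access(es)\n", close_fixed());
    return 0;
}
```

Run it under valgrind or with -fsanitize=address after removing the was_freed() guard and the buggy path reports an invalid read inside the handler, which is the deterministic version of the 1-in-20 boot crash reported here.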
I forgot to add the bug number to the upload.
cgmanager (0.26-0ubuntu3) utopic; urgency=medium
  * debian/patches/0002-fix-crash-on-free.patch:
    - Fix possible crash when freeing an IO channel