Whenever I generate the package (for trusty) including those patches I'm able to
generate a core dump indicating a possible double-free or null-dereference related
to a path removal (that is why I can reproduce with the test case). Unfortunately
it usually explodes inside malloc() or somewhere in glibc.
Using valgrind I was able to verify some free() errors:
==30415== Invalid free() / delete / delete[] / realloc()
==30415== at 0x4C2BDEC: free (vg_replace_malloc.c:473)
==30415== by 0x54E243C: vector_del_slot (vector.c:95)
==30415== by 0x550A516: _remove_map (structs_vec.c:139)
==30415== by 0x550A5C3: _remove_maps (structs_vec.c:170)
==30415== by 0x550A64B: remove_maps (structs_vec.c:181)
==30415== by 0x40713F: configure (main.c:1153)
==30415== by 0x407A74: child (main.c:1419)
==30415== by 0x40837D: main (main.c:1618)
And they are exactly aligned to a core dump (multipathd) I got from another user.
(wrong free was coming from _remove_map).
We have a problem on multipath-tools. I created 2 hosts:
iscsi-server
iscsi-client
With 4 NICs in between them and with a simple multibus multipath.
With that I was able to check that there is a regression in multipath-tools.
It looks like the patches brought from upstream:
0017-multipath- get-right- sysfs-value- for-checker_ timeout. patch handle- offlined- paths.patch fix-scsi- timeout- code.patch make-tgt_ node_name- work-for- iscsi-devices. patch cleanup- dev_loss_ tmo-issues. patch for-setting- 0-to-fast_ io_fail. patch fast_io_ fail-capping. patch enable- getting- uevents- through- libudev. patch devpath- as-argument- for-sysfs- functions. patch -remove- references- to-sysfs_ device. patch -use-struct- path-as- argument- for-event- pro.patch global- udev-reference- pointer- to-config. patch udev-enumeratio n-during- discovery. patch struct- udev_device- during- discovery. patch debugging- output- when-synchroniz ing-path- states. patch struct- udev_device- instead- of-sysdev. patch Fixup-cciss- discovery. patch udev-devices- during- discovery. patch all-references- to-hand- craftes- sysfs-code. patch libudev- cleanup- and-bugfixes. patch check-if- a-device- belongs- to-multipath. patch and-wwids_ file-multipath. conf-option. patch Check-blacklist s-as-soon- as-possible. patch wwids-file- cleanup- options. patch find_multipaths -option. patch keywords. patch libmultipath_ info_on_ 1st_path_ down_dbd131e. patch
0018-multipath-
#
# from here
#
0019-multipath-
0020-multipath-
0021-multipath-
0022-Fix-
0023-Fix-
0024-multipath-
0025-Use-
0026-multipathd
0027-multipathd
0028-Add-
0029-Use-
0030-use-
0031-More-
0032-Use-
0033-discovery-
0035-Use-
0036-Remove-
#
# to here
#
# 0037-multipath-
# 0038-multipath-
# 0039-multipath-
# 0040-multipath-
# 0041-add-
# 0042-add-
# 0043-alloc-
# lp1503305_
In the range 19-36 caused a regression.
Whenever I generate the package (for trusty) including those patches I'm able to
generate a core dump indicating a possible double-free or null-dereference related
to a path removal (that is why I can reproduce with the test case). Unfortunately
it usually explodes inside malloc() or somewhere in glibc.
Using valgrind I was able to verify some free() errors:
==30415== Invalid free() / delete / delete[] / realloc() malloc. c:473)
==30415== at 0x4C2BDEC: free (vg_replace_
==30415== by 0x54E243C: vector_del_slot (vector.c:95)
==30415== by 0x550A516: _remove_map (structs_vec.c:139)
==30415== by 0x550A5C3: _remove_maps (structs_vec.c:170)
==30415== by 0x550A64B: remove_maps (structs_vec.c:181)
==30415== by 0x40713F: configure (main.c:1153)
==30415== by 0x407A74: child (main.c:1419)
==30415== by 0x40837D: main (main.c:1618)
And they are exactly aligned to a core dump (multipathd) I got from another user.
(wrong free was coming from _remove_map).