Trusty: multipathd SIGSEGV on path addition or removal
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
multipath-tools (Ubuntu) | Fix Released | High | Unassigned |
Trusty | Fix Released | High | Nish Aravamudan |
Bug Description
[Impact]
* In a system test that involves the repeated addition and removal of iSCSI targets that form multipath devices, multipathd exits with SIGSEGV.
[Test Case]
* Repeatedly add and remove iSCSI targets that are part of multipath devices. multipathd will segmentation fault without the fix.
[Regression Potential]
* The fixes in question for this are two use-after-free coding errors upstream. Both have been fixed upstream and this is a backport of the upstream fixes. There should be no functional change from this, purely a bugfix, so I believe the regression potential is very low.
---
In a system test that involves the repeated addition and removal of iSCSI
targets that form multipath devices, I am observing multipathd exiting with
SIGSEGV.
The issue is reproducible on Trusty with multipath-tools 0.4.9-3ubuntu7.13
as well as when built from source for 0.4.9-3ubuntu7.14.
The following is a typical backtrace from a resulting core file:
Core was generated by `/sbin/multipathd'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 malloc_consolidate (av=av@
4151 malloc.c: No such file or directory.
(gdb) bt
#0 malloc_consolidate (av=av@
#1 0x00007fe0c6f82ce8 in _int_malloc (av=0x7fe0bc000020, bytes=16384) at malloc.c:3423
#2 0x00007fe0c6f856c0 in __GI___libc_malloc (bytes=16384) at malloc.c:2891
#3 0x00007fe0c79924d7 in dm_task_run () from /lib/x86_
#4 0x00007fe0c72d7e58 in dm_map_present (str=0x7fe0bc5a8730 "mpath10p1") at devmapper.c:304
#5 0x0000000000404a77 in ev_add_map (dev=0x7fe0c0019a53 "dm-13", alias=0x7fe0bc5
#6 0x0000000000404a3c in uev_add_map (uev=0x7fe0c001
#7 0x00000000004061ed in uev_trigger (uev=0x7fe0c001
#8 0x00007fe0c72f6939 in service_uevq (tmpq=0x7fe0c7f
#9 0x00007fe0c72f6b48 in uevent_dispatch (uev_trigger=
#10 0x0000000000406436 in uevqloop (ap=0x22da100) at main.c:814
#11 0x00007fe0c7bac184 in start_thread (arg=0x7fe0c7f9
#12 0x00007fe0c6ffd37d in clone () at ../sysdeps/
After debugging with valgrind/memcheck, I have traced the errors reported by
valgrind down to two use-after-free issues that have been resolved in the
upstream multipath-tools but are not included in multipath-tools
0.4.9-3ubuntu7.14.
The first was in commit 828d2fbaab304d1
resolves a bug in which the result value of realloc is assigned to the wrong
place, resulting in continued use of now-freed original block.
The second was in commit cb0f7127ba90ab5
resolves a bug in which a result value from udev_device_
used after the underlying struct udev_device has been released with
udev_unref_device. This also results in a use-after-free.
After applying these patches, running my system stress test no longer results
in SIGSEGV or errors detected by valgrind/memcheck.
I suggest that these two commits be backported.
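The first of the two defects described in the report, a realloc() result stored in the wrong place, as an added C example that is not part of the original report and is not the multipath-tools code or the upstream patch. The `strbuf` type and both function names are hypothetical; the buggy variant is shown only for contrast with the corrected one and is never called.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct strbuf { char *data; size_t len, cap; };  /* hypothetical type */

/* BUGGY, for contrast only: the realloc() result stays in a local, so
 * b->data keeps the old address. If realloc() moves the block, the old one
 * is freed and the memcpy() below writes into freed memory. */
int strbuf_append_buggy(struct strbuf *b, const char *s)
{
    size_t n = strlen(s), need = b->len + n + 1;
    char *p = b->data;
    if (need > b->cap) {
        p = realloc(p, need * 2);        /* new address lands in p only */
        if (!p)
            return -1;
        b->cap = need * 2;
    }
    memcpy(b->data + b->len, s, n + 1);  /* stale pointer: use-after-free */
    b->len += n;
    return 0;
}

/* FIXED: check the result in a temporary, then publish it to the owner
 * before any further access. On failure the old block is still valid. */
int strbuf_append(struct strbuf *b, const char *s)
{
    size_t n = strlen(s), need = b->len + n + 1;
    if (need > b->cap) {
        char *p = realloc(b->data, need * 2);
        if (!p)
            return -1;
        b->data = p;
        b->cap = need * 2;
    }
    memcpy(b->data + b->len, s, n + 1);
    b->len += n;
    return 0;
}

int main(void)
{
    struct strbuf b = { NULL, 0, 0 };
    for (int i = 0; i < 1000; i++)       /* constructed input: forces regrowth */
        if (strbuf_append(&b, "mpath")) return 1;
    printf("len=%zu cap=%zu\n", b.len, b.cap);
    free(b.data);
    return 0;
}
```

Building the buggy variant into a test harness with `-fsanitize=address`, or running it under valgrind/memcheck as the reporter did, flags the stale write at the `memcpy()` line as soon as realloc() relocates the block.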
description: updated
Changed in multipath-tools (Ubuntu):
status: Incomplete → New
status: New → Triaged
Changed in multipath-tools (Ubuntu Trusty):
assignee: nobody → Nish Aravamudan (nacc)
description: updated
The attachment "Patch #1 from upstream multipath-tools git" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.
[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]