Trusty & Vivid multipath-tools (multipathd) seg-fault core dump
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
multipath-tools (Ubuntu) |
Incomplete
|
High
|
Mathieu Trudel-Lapierre | ||
Precise |
Won't Fix
|
High
|
Louis Bouchard | ||
Trusty |
Fix Released
|
High
|
Louis Bouchard |
Bug Description
[SRU justification]
Without this patch, multipathd may exit in SEGV in trying to add a map that aleady exists
[Impact]
multipathd crashes with SIGSEGV
A typical trace of such a situation is a message similar to this one in /var/log/syslog :
multipathd: 360060160164034
[Fix]
Check if the map already exists and do a RELOAD in domap() instead of failing.
[Test Case]
Problem was encountered in a complex Openstack test environment where the following was done :
A test tool which runs which :
- first boots a number of virtual machines.
- then it creates a number of threads and in each thread it
creates volumes, takes snapshots of the volumes, and attaches the volumes to the initially booted virtual machines. After a short while the volumes are detached, and snapshots and volumes are deleted.
Running this tool overnight normally result in running in the multipathd SEGV situation.
[Regression]
This is a straight backport of the code being used in 0.5.0. No regression is to be expected.
It is important to note that the reproducer in the original description did not lead to such a problem.
[Original description of the problem]
We have a problem on multipath-tools.
Usually after a path removal and a re-scan, the multipathd process dies.
I created 2 hosts:
iscsi-server
iscsi-client
With 4 NICs in between them and with a simple multibus multipath. With that I was able to check that there is a regression in multipath-tools.
It looks like the patches brought from upstream:
0017-multipath-
0018-multipath-
#
# from here
#
0019-multipath-
0020-multipath-
0021-multipath-
0022-Fix-
0023-Fix-
0024-multipath-
0025-Use-
0026-multipathd
0027-multipathd
0028-Add-
0029-Use-
0030-use-
0031-More-
0032-Use-
0033-discovery-
0035-Use-
0036-Remove-
#
# to here
#
# 0037-multipath-
# 0038-multipath-
# 0039-multipath-
# 0040-multipath-
# 0041-add-
# 0042-add-
# 0043-alloc-
# lp1503305_
In the range 19-36 caused a regression.
Whenever I generate the package (for trusty) including those patches I'm able to generate a core dump indicating a possible double-free or null-dereference related to a path removal (that is why I can reproduce with the test case). Unfortunately it usually explodes inside malloc() or somewhere in glibc.
Using valgrind I was able to verify some free() errors:
==30415== Invalid free() / delete / delete[] / realloc()
==30415== at 0x4C2BDEC: free (vg_replace_
==30415== by 0x54E243C: vector_del_slot (vector.c:95)
==30415== by 0x550A516: _remove_map (structs_vec.c:139)
==30415== by 0x550A5C3: _remove_maps (structs_vec.c:170)
==30415== by 0x550A64B: remove_maps (structs_vec.c:181)
==30415== by 0x40713F: configure (main.c:1153)
==30415== by 0x407A74: child (main.c:1419)
==30415== by 0x40837D: main (main.c:1618)
And they are exactly aligned to a core dump (multipathd) I got from another user. (wrong free was coming from _remove_map).
Changed in multipath-tools (Ubuntu): | |
status: | New → In Progress |
Changed in multipath-tools (Ubuntu): | |
importance: | Undecided → High |
Changed in multipath-tools (Ubuntu Precise): | |
status: | New → In Progress |
importance: | Undecided → High |
assignee: | nobody → Louis Bouchard (louis-bouchard) |
tags: | added: patch |
Changed in multipath-tools (Ubuntu Trusty): | |
status: | New → In Progress |
assignee: | nobody → Louis Bouchard (louis-bouchard) |
importance: | Undecided → High |
tags: |
added: verification-done removed: verification-needed |
Changed in multipath-tools (Ubuntu Precise): | |
assignee: | Louis Bouchard (louis-bouchard) → Dragan S. (dragan-s) |
Changed in multipath-tools (Ubuntu Trusty): | |
assignee: | Louis Bouchard (louis-bouchard) → Dragan S. (dragan-s) |
Changed in multipath-tools (Ubuntu): | |
assignee: | Mathieu Trudel-Lapierre (cyphermox) → Dragan S. (dragan-s) |
description: | updated |
tags: |
added: verification-done removed: verification-needed |
tags: |
added: verification-needed removed: verification-done |
This crash is from Trusty using my reproducer. It includes the dump.