multipath crash generating core dump
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
multipath-tools (Ubuntu) | Fix Released | Medium | Unassigned |
Trusty | Fix Released | Medium | Unassigned |
Bug Description
[Impact]
* mutexes are being allocated from memory with no checks and, if allocation fails, it causes this kind of segfault later in the code execution.
expect multipath daemon to crash and not run any checkers on path groups.
* not checking path groups, in the event of failure, the mpath won't change path prios.
* OpenStack relies on flushing device maps frequently when using iSCSI.
[Test Case]
* I'm fixing this based on a dump analysis and not on reproduction.
* if you disallow memory overcommit - facilitating memory exhaustion - you would be able to reproduce that by stressing multipathd with paths being flushed, but that is theory only.
[Regression Potential]
* the patch is changing the locking mechanism for log thread, based on upstream commit.
* major change is to use the mutexes from stack instead of allocating from heap.
* multipath log thread could not work as designed.
* tested by reporter and reported to be good.
* What releases are affected?
The following releases already got the fix
- Xenial/
Note that Debian also has the fix.
Meaning that ONLY Trusty is affected by this bug.
* This SRU contained fixes for 2 LP bugs:
https:/
https:/
[Other Info]
It was brought to my attention that:
multipath-tools: 0.4.9-3ubuntu7.15
Faced a crash and generated a dump.
## multipath (trusty) crashed and its dump shows:
(gdb) bt full
#0 __GI___
type = 0
#1 0x00007f48700b606e in flush_logqueue () at log_pthread.c:39
empty = 0
#2 0x00007f48700b611b in log_thread (et=0x0) at log_pthread.c:57
No locals.
#3 0x00007f4870964184 in start_thread (arg=0x7f4870d8
__res = <optimized out>
pd = 0x7f4870d8b700
now = <optimized out>
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139949107623680, -32001636921528
pagesize_m1 = <optimized out>
sp = <optimized out>
freesize = <optimized out>
#4 0x00007f486fdb537d in __ecvt_r (value=
at efgcvt_r.c:218
d = 0
f = 3.2378592100206
exponent = 1893250816
#5 0x0000000000000000 in ?? ()
No symbol table info available.
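The failure mode described under [Impact] and the non-heap alternative from [Regression Potential], as an added example that is not the multipath-tools code or the patch. `simulate_oom`, `alloc_hook`, `heap_lock`, `heap_lock_init`, `heap_flush` and `static_flush` are hypothetical names, and a statically initialized mutex is assumed as the non-heap storage.

```c
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed hook: 1 makes every allocation fail, as under memory exhaustion. */
static int simulate_oom;
static void *alloc_hook(size_t n) { return simulate_oom ? NULL : malloc(n); }

static pthread_mutex_t *heap_lock;      /* heap variant (hypothetical name) */

/* The check the report says was missing: fail at init, never leave a NULL lock. */
int heap_lock_init(void)
{
    pthread_mutex_t *m = alloc_hook(sizeof(*m));
    if (m == NULL)
        return ENOMEM;                  /* caller must not start the log thread */
    int rc = pthread_mutex_init(m, NULL);
    if (rc != 0) { free(m); return rc; }
    heap_lock = m;
    return 0;
}

/* Without this guard the lock call dereferences NULL, the failure mode the
 * report attributes to unchecked allocation. */
int heap_flush(int *counter)
{
    if (heap_lock == NULL)
        return EINVAL;
    pthread_mutex_lock(heap_lock);
    ++*counter;
    pthread_mutex_unlock(heap_lock);
    return 0;
}

/* Non-heap variant: the storage exists from program start, so nothing can fail. */
static pthread_mutex_t static_lock = PTHREAD_MUTEX_INITIALIZER;
int static_flush(int *counter)
{
    pthread_mutex_lock(&static_lock);
    ++*counter;
    pthread_mutex_unlock(&static_lock);
    return 0;
}

int main(void)
{
    int n = 0;
    simulate_oom = 1;
    int init = heap_lock_init();
    printf("init=%d heap=%d static=%d\n", init, heap_flush(&n), static_flush(&n));
    return 0;
}
```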
Changed in multipath-tools (Ubuntu Trusty): | |
assignee: | nobody → Rafael David Tinoco (inaddy) |
status: | New → In Progress |
importance: | Undecided → Medium |
Changed in multipath-tools (Ubuntu): | |
status: | In Progress → Fix Released |
assignee: | Rafael David Tinoco (inaddy) → nobody |
Changed in multipath-tools (Ubuntu Trusty): | |
assignee: | Rafael David Tinoco (rafaeldtinoco) → nobody |
Changed in multipath-tools (Ubuntu): | |
milestone: | ubuntu-14.04.5 → none |
(gdb) bt
#0 __GI___pthread_mutex_lock (mutex=0x0) at ../nptl/pthread_mutex_lock.c:66
#1 0x00007f48700b606e in flush_logqueue () at log_pthread.c:39
#2 0x00007f48700b611b in log_thread (et=0x0) at log_pthread.c:57
#3 0x00007f4870964184 in start_thread (arg=0x7f4870d8b700) at pthread_create.c:312
#4 0x00007f486fdb537d in __ecvt_r (value=9.532824124368238e-130, ndigit=0, decpt=0x0, sign=0x0, buf=0x7f4870d8b9c0 "\220R\267pH\177", len=139949107623680)
at efgcvt_r.c:218
#5 0x0000000000000000 in ?? ()
(gdb) frame 3
#3 0x00007f4870964184 in start_thread (arg=0x7f4870d8b700) at pthread_create.c:312
warning: Source file is more recent than executable.
312 THREAD_SETMEM (pd, result, CALL_THREAD_FCT (pd));
(gdb) ptype pd
type = struct pthread {
    union {
        tcbhead_t header;
        void *__padding[24];
    };
    list_t list;
    pid_t tid;
    pid_t pid;
    void *robust_prev;
    struct robust_list_head robust_head;
    struct _pthread_cleanup_buffer *cleanup;
    struct pthread_unwind_buf *cleanup_jmp_buf;
    int cancelhandling;
    int flags;
    struct pthread_key_data specific_1stblock[32];
    struct pthread_key_data *specific[32];
    _Bool specific_used;
    _Bool report_events;
    _Bool user_stack;
    _Bool stopped_start;
    int parent_cancelhandling;
    int lock;
    int setxid_futex;
    hp_timing_t cpuclock_offset;
    struct pthread *joinid;
    void *result;
    struct sched_param schedparam;
    int schedpolicy;
    void *(*start_routine)(void *);
    void *arg;
    td_eventbuf_t eventbuf;
    struct pthread *nextevent;
    struct _Unwind_Exception exc;
    void *stackblock;
    size_t stackblock_size;
    size_t guardsize;
    size_t reported_guardsize;
    struct priority_protection_data *tpp;
    struct __res_state res;
    char end_padding[];
} *