[SRU] double free of mpp->dmi in free_multipath()
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| multipath-tools (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
| Natty |
Invalid
|
High
|
Unassigned | ||
Bug Description
I obtained a coredump from a system where natty's multipathd had crashed and received the following backtrace:
0 0x00007f802925da75 in *__GI_raise (sig=<value optimized out>)
at ../nptl/
#1 0x00007f80292615c0 in *__GI_abort () at abort.c:92
#2 0x00007f80292974fb in __libc_message (do_abort=<value optimized out>,
fmt=<value optimized out>) at ../sysdeps/
#3 0x00007f80292a15b6 in malloc_printerr (action=3,
str=
ptr=<value optimized out>) at malloc.c:6266
#4 0x00007f80292a7e83 in *__GI___libc_free (mem=<value optimized out>)
at malloc.c:3738
#5 0x00000000004173a5 in xfree (p=0x147bcb0) at memory.c:52
#6 0x00000000004286cd in free_multipath (mpp=0x14ce1b0, free_paths=0)
at structs.c:172
#7 0x0000000000429285 in remove_map (mpp=0x14ce1b0, vecs=0x147b620,
stop_waiter=0, purge_vec=1) at structs_vec.c:141
#8 0x0000000000404e06 in ev_add_path (devname=0x16fae48 "sdi", vecs=0x147b620)
at main.c:438
#9 0x0000000000404913 in uev_add_path (dev=0x16fabc0, vecs=0x147b620)
at main.c:327
#10 0x000000000040584c in uev_trigger (uev=0x7f801c00
trigger_
#11 0x000000000042b679 in service_uevq () at uevent.c:77
#12 0x000000000042b714 in uevq_thread (et=0x0) at uevent.c:101
---Type <return> to continue, or q <return> to quit---
#13 0x00007f8029e579ca in start_thread () from /lib/libpthread
#14 0x00007f802931070d in clone ()
at ../sysdeps/
#15 0x0000000000000000 in ?? ()
So it looks like we are trying to free a non-NULL value here:
if (mpp->dmi)
FREE(mpp->dmi);
What's suspicious is that, after freeing that, we don't set it to NULL.
I took a look at upstream git, and found that they do now set it to NULL after freeing it. This was part of the following commit:
commit b7ca0eaae6ccd8d
Author: Hannes Reinecke <email address hidden>
Date: Wed Jan 28 09:24:10 2009 +0100
Plug memory leaks
Running the internal memory checker revealed quite some memory
leaks.
Signed-off-by: Hannes Reinecke <email address hidden>
Note that this change is already included in oneiric.
Related branches
- Chase Douglas (community): Approve
- dann frazier: Pending requested
- Ubuntu branches: Pending requested
- Scott Moser: Pending requested
-
Diff: 142 lines (+122/-0)3 files modifieddebian/changelog (+6/-0)
debian/patches/1006--plug-memory-leaks.patch (+115/-0)
debian/patches/series (+1/-0)
- dann frazier: Needs Resubmitting
- Scott Moser: Approve
- Ubuntu branches: Pending requested
-
Diff: 246 lines (+218/-0)4 files modifieddebian/changelog (+13/-0)
debian/patches/0013-adjust-prioritizer-open-flags-to-avoid-sg-io-side-ef.patch (+88/-0)
debian/patches/1006--plug-memory-leaks.patch (+115/-0)
debian/patches/series (+2/-0)
| description: | updated |
| summary: |
- double free of mpp->dmi in free_multipath() + [SRU] double free of mpp->dmi in free_multipath() |
| Dave Walker (davewalker) wrote | #1 |
| Dave Walker (davewalker) wrote | #2 |
| Changed in multipath-tools (Ubuntu): | |
| status: | New → Fix Released |
| Changed in multipath-tools (Ubuntu Natty): | |
| importance: | Undecided → High |
| status: | New → Confirmed |
| Marc Deslauriers (mdeslaur) wrote | #3 |
| Martin Pitt (pitti) wrote | #4 |
| dino99 (9d9) wrote | #5 |
| Changed in multipath-tools (Ubuntu Natty): | |
| status: | Confirmed → Invalid |
@dann, please can you confirm that this is fixed in Oneiric.
Thanks.