Bug 1595618

Summary: bcache: segfault due to double free in radix_tree_insert
Product: [Community] LVM and device-mapper
Reporter: Marian Csontos <mcsontos>
Component: lvm2
Assignee: Joe Thornber <thornber>
lvm2 sub component: Other
QA Contact: cluster-qe <cluster-qe>
Status: POST
Severity: unspecified
Priority: unspecified
CC: agk, heinzm, jbrassow, msnitzer, prajnoha, tasleson, zkabelac
Version: 2.02.180
Flags: rule-engine: lvm-technical-solution?, mcsontos: lvm-test-coverage+

Description Marian Csontos 2018-06-27 08:37:16 UTC
vgcreate in test/shell/vgcreate-many-pvs.sh is coredumping.

Additional info:

Checking coredump: /core_files/core.5228 generated by /srv/buildbot/lvm2-slave/RHEL_5_x_x86_64_KVM/build/tools/lvm.
[New Thread 5228]
[Thread debugging using libthread_db enabled]
Core was generated by `/srv/buildbot/lvm2-slave/RHEL_5_x_x86_64_KVM/build/tools/lvm vgcreate -s 512K L'.
Program terminated with signal 6, Aborted.
#0  0x00002b225ca0ffc5 in raise (sig=<value optimized out>)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64	  return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
#0  0x00002b225ca0ffc5 in raise (sig=<value optimized out>)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
        pid = <value optimized out>
        selftid = 0
#1  0x00002b225ca11a70 in abort () at abort.c:88
        act = {__sigaction_handler = {sa_handler = 0x7fff2929caa8, 
            sa_sigaction = 0x7fff2929caa8}, sa_mask = {__val = {
              140733883980320, 140733883980176, 140733883980368, 455266533376, 
              140733883980384, 140733883999837, 60, 47426583930790, 3, 
              140733883980372, 12, 47426583930794, 2, 140733883980366, 2, 
              47426583931786}}, sa_flags = 1, sa_restorer = 0x2b225cb027a6}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2  0x00002b225ca4994b in __libc_message (do_abort=2, 
    fmt=0x2b225cb03808 "*** glibc detected *** %s: %s: 0x%s ***\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
        ap = {{gp_offset = 40, fp_offset = 48, 
            overflow_arg_area = 0x7fff2929a3b0, 
            reg_save_area = 0x7fff2929a2c0}}
        ap_copy = {{gp_offset = 16, fp_offset = 48, 
            overflow_arg_area = 0x7fff2929a3b0, 
            reg_save_area = 0x7fff2929a2c0}}
        fd = 106
        list = 0x7fff29299b20
        nlist = 690592896
        cp = 0x6b <Address 0x6b out of bounds>
        written = 6
#3  0x00002b225ca514af in malloc_printerr (av=0x2b225cd349e0, 
    p=0x2b22614dd0d0, have_lock=0) at malloc.c:6232
No locals.
#4  _int_free (av=0x2b225cd349e0, p=0x2b22614dd0d0, have_lock=0)
    at malloc.c:4759
        size = <value optimized out>
        fb = <value optimized out>
        nextchunk = 0x2b22614dd4e0
        nextsize = 140733883983184
        prevsize = <value optimized out>
        bck = <value optimized out>
        fwd = <value optimized out>
        errstr = 0x2b225cb038f8 "double free or corruption (out)"
        locked = 1
#5  0x00002b225ca557ab in __libc_free (mem=<value optimized out>)
    at malloc.c:3670
        ar_ptr = 0x146c
        p = 0xffffffffffffffff
#6  0x00002b225af23bea in _insert_node48 (rt=0x2b2260800bc0, v=0x2b2260800bc8, 
    kb=0x7fff2929a550 "\a", ke=0x7fff2929a55c "\"+", rv=<value optimized out>)
    at base/data-struct/radix-tree.c:402
        n256 = 0x2b22614dc070
        n48 = 0x2b22614dd0e0
#7  _insert (rt=0x2b2260800bc0, v=0x2b2260800bc8, kb=0x7fff2929a550 "\a", 
    ke=0x7fff2929a55c "\"+", rv=<value optimized out>)
    at base/data-struct/radix-tree.c:475
No locals.
#8  0x00002b225af23cdd in radix_tree_insert (rt=0x2b2260800bc0, 
    kb=<value optimized out>, ke=0x7fff2929a55c "\"+", rv=...)
    at base/data-struct/radix-tree.c:558
        lr = {v = 0x2b2260800bc8, kb = 0x7fff2929a550 "\a"}
#9  0x00002b225aef35b5 in _block_insert (cache=0x2b2260800b00, fd=7, i=0, 
    can_wait=false) at device/bcache.c:505
No locals.
#10 _new_block (cache=0x2b2260800b00, fd=7, i=0, can_wait=false)
    at device/bcache.c:759
        b = 0x2b22614cd060
#11 0x00002b225aef4272 in bcache_prefetch (cache=0x2b2260800b00, fd=7, i=0)
    at device/bcache.c:965
        b = <value optimized out>
#12 0x00002b225aef4587 in _update_bytes (u=0x7fff2929a610, fd=7, 
    start=<value optimized out>, len=4096) at device/bcache-utils.c:112
        cache = 0x2b2260800b00
        bb = 0
        be = 1
        block_size = 131072
        block_offset = 4096
#13 0x00002b225aef46bc in bcache_zero_bytes (cache=<value optimized out>, 
    fd=5228, start=6, len=18446744073709551615) at device/bcache-utils.c:226
        u = {cache = 0x2b2260800b00, 
          partial_fn = 0x2b225aef48cf <_zero_partial>, 
          whole_fn = 0x2b225aef4866 <_zero_whole>, data = 0x0}
#14 0x00002b225ae8fce1 in dev_write_zeros (dev=0x2b22607da9e8, start=4096, 
    len=4096) at label/label.c:1254
No locals.
#15 0x00002b225ae8951a in _text_pv_add_metadata_area (
    fmt=<value optimized out>, pv=0x2b22607dd4b0, pe_start_locked=0, 
    mda_index=0, mda_size=<value optimized out>, mda_ignored=0)
    at format_text/format-text.c:2096
        fid = <value optimized out>
        pvid = 0x2b22607dd4b0 "8ce8W4C7VPYqDubqtYnilCQDBfebuxXN"
        ba_size = 0
        pe_start = <value optimized out>
        first_unallocated = <value optimized out>
        alignment = 1048576
        alignment_offset = <value optimized out>
        disk_size = 35651584
        mda_start = <value optimized out>
        limit = <value optimized out>
        tmp_mda_size = <value optimized out>
        zero_len = 4096
        page_size = <value optimized out>
        mda = <value optimized out>
        limit_name = 0x2b225af68ff5 "disk size"
        limit_applied = <value optimized out>
#16 0x00002b225aeb6c0a in pv_create (cmd=<value optimized out>, 
    dev=0x2b22607da9e8, pva=0x7fff2929a948) at metadata/metadata.c:1488
        fmt = 0x2b22607dd0e0
        mem = 0x2b22607dd090
        pv = 0x2b22607dd4b0
        mda_index = 0
        pvl = <value optimized out>
        size = <value optimized out>
        data_alignment = 0
        data_alignment_offset = 0
        pvmetadatacopies = 1
        pvmetadatasize = 255
        metadataignore = 0
#17 0x00002b225ae576b5 in pvcreate_each_device (cmd=0x2b22607b65e0, 
    handle=0x2b22614d10b0, pp=0x7fff2929a920) at toollib.c:5710
        pd = <value optimized out>
        pd2 = 0x2b22614d1238
        prompt = <value optimized out>
        prompt2 = <value optimized out>
        pv = <value optimized out>
        orphan_vg = 0x0
        remove_duplicates = {n = 0x7fff2929a820, p = 0x7fff2929a820}
        arg_sort = {n = 0x7fff2929a810, p = 0x7fff2929a810}
        rescan_devs = {n = 0x2b22614d7b30, p = 0x2b22614d8790}
        pvl = <value optimized out>
        vgpvl = <value optimized out>
        devl = <value optimized out>
        pv_name = 0x2b22614d11e8 "@TESTDIR@/dev/mapper/@PREFIX@pv2"
        must_use_all = 256
        i = <value optimized out>
#18 0x00002b225ae5b3bb in vgcreate (cmd=0x2b22607b65e0, 
    argc=<value optimized out>, argv=0x7fff2929cb08) at vgcreate.c:110
        handle = 0x0
        pp = {pv_names = 0x7fff2929cb10, pv_count = 100, zero = 1, 
          force = PROMPT, yes = 0, restorefile = 0x0, uuid_str = 0x0, pva = {
            size = 0, data_alignment = 0, data_alignment_offset = 0, 
            label_sector = 1, pvmetadatacopies = 1, pvmetadatasize = 255, 
            metadataignore = 0, id = {uuid = '\000' <repeats 31 times>}, 
            idp = 0x0, ba_start = 0, ba_size = 0, 
            pe_start = 18446744073709551615, extent_count = 0, 
            extent_size = 0}, prompts = {n = 0x7fff2929a9c8, 
            p = 0x7fff2929a9c8}, arg_devices = {n = 0x7fff2929a9d8, 
            p = 0x7fff2929a9d8}, arg_process = {n = 0x7fff2929a9e8, 
            p = 0x7fff2929a9e8}, arg_confirm = {n = 0x7fff2929a9f8, 
            p = 0x7fff2929a9f8}, arg_create = {n = 0x2b22614d10d8, 
            p = 0x2b22614d5db0}, arg_remove = {n = 0x7fff2929aa18, 
            p = 0x7fff2929aa18}, arg_fail = {n = 0x7fff2929aa28, 
            p = 0x7fff2929aa28}, pvs = {n = 0x2b22614d87b0, 
            p = 0x2b22614d87b0}, orphan_vg_name = 0x0, is_remove = 0, 
          preserve_existing = 1, check_failed = 0}
        vp_new = {vg_name = 0x7fff2929e6ab "@PREFIX@vg", 
          extent_size = 1024, max_pv = 0, max_lv = 0, alloc = ALLOC_NORMAL, 
          clustered = 11042, vgmetadatacopies = 0, system_id = 0x0, 
          lock_type = 0x2b225af25a45 "none", 
          lock_args = 0x3 <Address 0x3 out of bounds>}
        vp_def = {vg_name = 0x7fff2929e6ab "@PREFIX@vg", 
          extent_size = 8192, max_pv = 0, max_lv = 0, alloc = ALLOC_NORMAL, 
          clustered = 0, vgmetadatacopies = 0, system_id = 0x0, 
          lock_type = 0x2b225af18b99 "\211\302\205\300x\a\211\300H9\303w\005\272\377\377\377\377\211\320H\201\304\320", 
          lock_args = 0x3000000030 <Address 0x3000000030 out of bounds>}
        vg = <value optimized out>
        tag = <value optimized out>
        vg_name = 0x7fff2929e6ab "@PREFIX@vg"
        current_group = <value optimized out>
#19 0x00002b225ae3f29e in lvm_run_command (cmd=0x2b22607b65e0, argc=101, 
    argv=<value optimized out>) at lvmcmdline.c:2995
        config_string_cft = <value optimized out>
        config_profile_command_cft = <value optimized out>
        config_profile_metadata_cft = <value optimized out>
        ret = <value optimized out>
        locking_type = <value optimized out>
        nolocking = 0
        readonly = 0
        monitoring = -1
        arg_new = <value optimized out>
        arg = <value optimized out>
        i = <value optimized out>
        skip_hyphens = <value optimized out>
        refresh_done = <value optimized out>
#20 0x00002b225ae4031a in lvm2_main (argc=104, argv=0x7fff2929caf0)
    at lvmcmdline.c:3524
        base = <value optimized out>
        ret = <value optimized out>
        alias = 0
        custom_fds = {out = -1, err = -1, report = -1}
        cmd = 0x2b22607b65e0
        run_shell = 0
        run_script = 0
        run_name = <value optimized out>
        run_command_name = <value optimized out>
#21 0x00002b225ae62c31 in main (argc=5228, argv=0x146c) at lvm.c:22
No locals.
59	    if (__builtin_expect (pid <= 0, 0))
60	      pid = (pid & INT_MAX) == 0 ? selftid : -pid;
61	#endif
62	
63	#if __ASSUME_TGKILL
64	  return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
65	#else
66	# ifdef __NR_tgkill
67	  int res = INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
68	  if (res != -1 || errno != ENOSYS)
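The failure class the backtrace reports (a block released twice inside a node48 to node256 promotion in _insert_node48), as an added illustration that is not lvm2's code and says nothing about this bug's actual root cause, which the report does not give. It puts the two-owner shape that produces a double free beside a single-owner shape that cannot, with a small free-tracking shim so the buggy path can be exercised without the glibc abort; all names, structures and the shim are constructed.

```c
#include <stdint.h>
#include <stdlib.h>

/* Toy radix-tree node growing from 48 child slots to a 256-slot direct-index node.
 * Constructed for illustration only: not lvm2's radix-tree.c, no claim about the real bug. */
struct node48  { uint8_t index[256]; void *child[48]; };  /* index: 1-based, 0 = empty */
struct node256 { void *child[256]; };
/* Free-tracking shim: a repeat release is counted instead of reaching free(), where glibc aborts. */
static void *freed[64]; static unsigned nr_freed, double_frees;
static void tracked_free(void *p) {
    for (unsigned i = 0; i < nr_freed; i++)
        if (freed[i] == p) { double_frees++; return; }
    if (nr_freed < 64) freed[nr_freed++] = p;
    free(p);
}
static struct node256 *copy_children(const struct node48 *n48) {   /* NULL on OOM */
    struct node256 *n256 = calloc(1, sizeof(*n256));
    for (unsigned c = 0; n256 && c < 256; c++)
        if (n48->index[c]) n256->child[c] = n48->child[n48->index[c] - 1];
    return n256;
}

/* Buggy shape: the helper frees n48, but the caller still holds that pointer and
 * runs its own cleanup on it, so the same block is released twice. */
static struct node256 *promote_buggy(struct node48 *n48) {
    struct node256 *n256 = copy_children(n48);
    tracked_free(n48);
    return n256;
}

/* Fixed shape: single owner. The helper receives the parent's slot, installs the
 * new node and frees the old one exactly once; the caller never sees the stale pointer. */
static int promote_fixed(void **slot) {
    struct node48 *n48 = *slot;
    struct node256 *n256 = copy_children(n48);
    if (!n256) return 0;                           /* old node stays valid on failure */
    *slot = n256; tracked_free(n48);               /* hand over first, then release once */
    return 1;
}

/* Promote one node48 either way, release the result, return the shim's double-free count. */
static unsigned run(int fixed) {
    nr_freed = double_frees = 0;
    struct node48 *n48 = calloc(1, sizeof(*n48));
    void *slot = n48;                              /* the parent's slot owning n48 */
    n48->index['a'] = 1; n48->child[0] = &slot;    /* one dummy child */
    if (fixed) promote_fixed(&slot);
    else { slot = promote_buggy(n48); tracked_free(n48); }   /* stale pointer freed again */
    tracked_free(slot);
    return double_frees;
}
```

run(0) reports one double free and run(1) none; under a real allocator the buggy path is what glibc's "double free or corruption" check in frame #4 catches.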

Comment 1 Marian Csontos 2018-06-27 08:38:28 UTC
This is from upstream master branch. The same test in stable branch succeeds.

Comment 2 Marian Csontos 2018-06-27 08:50:46 UTC
The last working commit was: 42f7caf1c267a5b75ee38ea77a7e2fd7c582e704
The first failing: 18528180d9f588e265747f4710a8767756454b4c

Comment 3 Joe Thornber 2019-10-08 09:11:27 UTC
Lots of code changed since this report.