Bug 869609
| Summary: | Segmentation fault in sync_deliver_fn | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Jan Friesse <jfriesse> |
| Component: | corosync | Assignee: | Jan Friesse <jfriesse> |
| Status: | CLOSED ERRATA | QA Contact: | Cluster QE <mspqa-list> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 6.4 | CC: | jkortus, sdake, tlavigne |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | All | | |
| Whiteboard: | | | |
| Fixed In Version: | corosync-1.4.1-13.el6 | Doc Type: | Bug Fix |
| Doc Text: | Cause: Many corosync nodes are started at once. Consequence: Corosync segfaults. Fix: NULL pointer is not dereferenced. Result: Corosync no longer segfaults. | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-02-21 07:51:04 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 830799, 895654 | | |
| Attachments: | | | |
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0497.html
Created attachment 632732 [details]
Proposed patch

Description of problem:
sync_deliver_fn can segfault if the following sequence of actions happens:
- corosync is started
- totem creates membership
- totem receives a message (sync type)
- totem delivers the sync message to sync_deliver_fn, but sync_confchg_fn was not yet called
- sync_confchg_fn is called
- sync_ring_id (which is NULL) is compared to the message ring_id -> segfault

Version-Release number of selected component (if applicable):
Flatiron

How reproducible:
0.00001%

Steps to Reproduce:
In Description

Actual results:
Segfault

Expected results:
No segfault

Additional info:
"Unit" Test: Same as in #863940. Reproducible in about 20-50 runs of the "Unit" test.

Backtrace should look like:

```
Program terminated with signal 11, Segmentation fault.
#0  sync_deliver_fn (nodeid=41658560, msg=0x7fd7840fc056, msg_len=<value optimized out>, endian_conversion_required=0) at sync.c:391
391	if (memcmp (&req_exec_sync_barrier_start->ring_id, sync_ring_id,
Missing separate debuginfos, use: debuginfo-install glibc-2.12-1.80.el6.x86_64 libgcc-4.4.6-4.el6.x86_64 libibverbs-1.1.6-4.el6.x86_64 librdmacm-1.0.15-2.el6.x86_64 nspr-4.9-1.el6.x86_64 nss-3.13.3-6.el6.x86_64 nss-util-3.13.3-2.el6.x86_64 zlib-1.2.3-27.el6.x86_64
(gdb)
Thread 3 (Thread 0x7fd77ffff700 (LWP 14232)):
#0  0x00007fd7877ee720 in sem_wait () from /lib64/libpthread.so.0
#1  0x0000000000407ce0 in corosync_exit_thread_handler (arg=0x0) at main.c:199
#2  0x00007fd7877e8851 in start_thread () from /lib64/libpthread.so.0
#3  0x00007fd78733267d in clone () from /lib64/libc.so.6

Thread 2 (Thread 0x7fd788455da0 (LWP 14231)):
#0  0x00007fd787328fc3 in poll () from /lib64/libc.so.6
#1  0x0000000000409c1e in prioritized_timer_thread (data=<value optimized out>) at timer.c:127
#2  0x00007fd7877e8851 in start_thread () from /lib64/libpthread.so.0
#3  0x00007fd78733267d in clone () from /lib64/libc.so.6

Thread 1 (Thread 0x7fd788458700 (LWP 14229)):
#0  sync_deliver_fn (nodeid=41658560, msg=0x7fd7840fc056, msg_len=<value optimized out>, endian_conversion_required=0) at sync.c:391
#1  0x00007fd78802fdfd in app_deliver_fn (nodeid=41658560, msg=0x1172404, msg_len=<value optimized out>, endian_conversion_required=0) at totempg.c:529
#2  totempg_deliver_fn (nodeid=41658560, msg=0x1172404, msg_len=<value optimized out>, endian_conversion_required=0) at totempg.c:641
#3  0x00007fd7880289d5 in messages_deliver_to_app (instance=0x7fd788402010, skip=0, end_point=<value optimized out>) at totemsrp.c:3793
#4  0x00007fd78802c50e in memb_state_operational_enter (instance=0x7fd788402010) at totemsrp.c:1739
#5  0x00007fd78802e986 in message_handler_orf_token (instance=0x7fd788402010, msg=<value optimized out>, msg_len=<value optimized out>, endian_conversion_needed=<value optimized out>) at totemsrp.c:3651
#6  0x00007fd7880254ff in rrp_deliver_fn (context=0x111bdb0, msg=0x1162bac, msg_len=71) at totemrrp.c:1736
#7  0x00007fd78801fe94 in net_deliver_fn (handle=<value optimized out>, fd=<value optimized out>, revents=<value optimized out>, data=0x11624e0) at totemudp.c:1284
#8  0x00007fd78801b1e2 in poll_run (handle=1197105576937521152) at coropoll.c:513
#9  0x0000000000406f69 in main (argc=<value optimized out>, argv=<value optimized out>, envp=<value optimized out>) at main.c:1869
```
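A minimal C model of the sequence the description lays out, added here as an illustration and not corosync's own code: sync_ring_id stays NULL until sync_confchg_fn has run, so a barrier-start message delivered first reaches memcmp with a NULL argument, and the early return before the compare is the fix the Doc Text summarises. The struct layout, field names, the msg_len check and the return codes are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Ring id as two plain integers so memcmp sees no padding (assumed layout). */
struct memb_ring_id {
    unsigned int rep;   /* representative node id */
    unsigned int seq;   /* ring sequence number */
};

struct req_exec_sync_barrier_start {
    struct memb_ring_id ring_id;
};

enum deliver_result {
    DELIVER_TRUNCATED,      /* message shorter than the barrier-start header */
    DELIVER_NO_MEMBERSHIP,  /* arrived before sync_confchg_fn: the crash case */
    DELIVER_STALE_RING,     /* ring id differs from the current membership */
    DELIVER_ACCEPTED
};

/* NULL from start-up until sync_confchg_fn has run, as in the bug sequence. */
static struct memb_ring_id current_ring_id;
static const struct memb_ring_id *sync_ring_id = NULL;

void sync_reset(void)            /* back to the "corosync just started" state */
{
    sync_ring_id = NULL;
}

void sync_confchg_fn(const struct memb_ring_id *ring_id)
{
    current_ring_id = *ring_id;
    sync_ring_id = &current_ring_id;
}

/* The original code went straight to memcmp (sync.c:391 in the backtrace);
 * the guard on sync_ring_id is the NULL check the Doc Text describes. */
enum deliver_result sync_deliver_fn(const void *msg, size_t msg_len)
{
    const struct req_exec_sync_barrier_start *req = msg;

    if (msg_len < sizeof(*req))
        return DELIVER_TRUNCATED;
    if (sync_ring_id == NULL)
        return DELIVER_NO_MEMBERSHIP;
    if (memcmp(&req->ring_id, sync_ring_id, sizeof(*sync_ring_id)) != 0)
        return DELIVER_STALE_RING;
    return DELIVER_ACCEPTED;
}
```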