Bug 881729
Summary: logsys: Race between logsys_format_set and log_printf_to_logs functions
Product: Red Hat Enterprise Linux 6
Component: corosync
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: 6.3
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Reporter: Jan Friesse <jfriesse>
Assignee: Jan Friesse <jfriesse>
QA Contact: Cluster QE <mspqa-list>
CC: jkortus, lnovich, sdake
Fixed In Version: corosync-1.4.1-16.el6
Doc Type: Bug Fix
Doc Text:
Cause:
Corosync logging system is reconfigured
Consequence:
Corosync can crash (with extremely low probability) with NULL pointer access
Fix:
Add proper locking of formatting variable
Result:
Corosync doesn't crash
Last Closed: 2013-11-21 04:32:03 UTC
Type: Bug
Attachments:
Created attachment 656433
Proposed patch - part 2 - Avoid deadlock

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
http://rhn.redhat.com/errata/RHBA-2013-1531.html
Created attachment 654285
Proposed patch

Description of problem:
When logsys_format_set is called, it can set format to NULL, and if the logsys thread is actually reading it, corosync can segfault (NULL pointer access).

Version-Release number of selected component (if applicable):
All

How reproducible:
0.00000000000001%

Steps to Reproduce:
1. Start corosync
2. Cause intensive logging of corosync (run cpgbench)
3. Run corosync-objctl -w logging.fileline=on; corosync-objctl -w logging.fileline=off in a cycle

or reliably, with a change in code:
- Add sleep in the logsys_format_set function between the lines

    if (format_buffer) {
        free(format_buffer);
        format_buffer = NULL;

  and

    format_buffer = strdup(format ? format : "%p [%6s] %b");
    if (format_buffer == NULL) {
        ret = -1;

Actual results:
Corosync segfaults

Expected results:
No segfault

Additional info:
For QA: Without a change of code, I was unable to reproduce the problem. The problem can be found by analysis of the code. It was also reproduced by the community (it's a community patch). So it's worth recommending the bug as SanityOnly.