Bug 881729
| Summary: | logsys: Race between logsys_format_set and log_printf_to_logs functions | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Jan Friesse <jfriesse> |
| Component: | corosync | Assignee: | Jan Friesse <jfriesse> |
| Status: | CLOSED ERRATA | QA Contact: | Cluster QE <mspqa-list> |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | 6.3 | CC: | jkortus, lnovich, sdake |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | corosync-1.4.1-16.el6 | Doc Type: | Bug Fix |
| Doc Text: | Cause: Corosync logging system is reconfigured. Consequence: Corosync can crash (with extremely low probability) with NULL pointer access. Fix: Add proper locking of formatting variable. Result: Corosync doesn't crash. | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-11-21 04:32:03 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | | | |

Created attachment 656433
Proposed patch - part 2 - Avoid deadlock

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
http://rhn.redhat.com/errata/RHBA-2013-1531.html

Created attachment 654285
Proposed patch

Description of problem:
When logsys_format_set is called, it can set format to NULL, and if the logsys thread is actually reading it, corosync can segfault (NULL pointer access).

Version-Release number of selected component (if applicable):
All

How reproducible:
0.00000000000001%

Steps to Reproduce:
1. Start corosync
2. Cause intensive logging of corosync (run cpgbench)
3. Run corosync-objctl -w logging.fileline=on; corosync-objctl -w logging.fileline=off in a cycle

or reliably, with a change in the code:
- Add a sleep in the logsys_format_set function between the lines

    if (format_buffer) {
        free(format_buffer);
        format_buffer = NULL;

  and

    format_buffer = strdup(format ? format : "%p [%6s] %b");
    if (format_buffer == NULL) {
        ret = -1;

Actual results:
Corosync segfaults

Expected results:
No segfault

Additional info:
For QA: Without a change of code, I was unable to reproduce the problem. The problem can be found by analysis of the code. It was also reproduced by the community (it's a community patch). So it's worth recommending the bug as SanityOnly.