1595618 – bcache: segfault due to double free in radix_tree_insert

Bug 1595618 - bcache: segfault due to double free in radix_tree_insert

Summary: bcache: segfault due to double free in radix_tree_insert

Keywords:
Status:	POST
Alias:	None
Product:	LVM and device-mapper
Classification:	Community
Component:	lvm2
Sub Component:
Version:	2.02.180
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Target Release:	---
Assignee:	Joe Thornber
QA Contact:	cluster-qe
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-06-27 08:37 UTC by Marian Csontos
Modified:	2023-08-10 15:41 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:
Flags:	rule-engine: lvm-technical-solution? mcsontos: lvm-test-coverage+

Attachments	(Terms of Use)

Description Marian Csontos 2018-06-27 08:37:16 UTC

vgcreate in test/shell/vgcreate-many-pvs.sh coredumping.


Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

125 [ 0:02] ## Checking coredump: /core_files/core.5228 generated by /srv/buildbot/lvm2-slave/RHEL_5_x_x86_64_KVM/build/tools/lvm.
126 [ 0:03] ## GDB:	[New Thread 5228]
127 [ 0:03] ## GDB:	[Thread debugging using libthread_db enabled]
128 [ 0:03] ## GDB:	Core was generated by `/srv/buildbot/lvm2-slave/RHEL_5_x_x86_64_KVM/build/tools/lvm vgcreate -s 512K L'.
129 [ 0:03] ## GDB:	Program terminated with signal 6, Aborted.
130 [ 0:03] ## GDB:	#0  0x00002b225ca0ffc5 in raise (sig=<value optimized out>)
131 [ 0:03] ## GDB:	    at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
132 [ 0:03] ## GDB:	64	  return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
133 [ 0:03] ## GDB:	#0  0x00002b225ca0ffc5 in raise (sig=<value optimized out>)
134 [ 0:03] ## GDB:	    at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
135 [ 0:03] ## GDB:	        pid = <value optimized out>
136 [ 0:03] ## GDB:	        selftid = 0
137 [ 0:03] ## GDB:	#1  0x00002b225ca11a70 in abort () at abort.c:88
138 [ 0:03] ## GDB:	        act = {__sigaction_handler = {sa_handler = 0x7fff2929caa8, 
139 [ 0:03] ## GDB:	            sa_sigaction = 0x7fff2929caa8}, sa_mask = {__val = {
140 [ 0:03] ## GDB:	              140733883980320, 140733883980176, 140733883980368, 455266533376, 
141 [ 0:03] ## GDB:	              140733883980384, 140733883999837, 60, 47426583930790, 3, 
142 [ 0:03] ## GDB:	              140733883980372, 12, 47426583930794, 2, 140733883980366, 2, 
143 [ 0:03] ## GDB:	              47426583931786}}, sa_flags = 1, sa_restorer = 0x2b225cb027a6}
144 [ 0:03] ## GDB:	        sigs = {__val = {32, 0 <repeats 15 times>}}
145 [ 0:03] ## GDB:	#2  0x00002b225ca4994b in __libc_message (do_abort=2, 
146 [ 0:03] ## GDB:	    fmt=0x2b225cb03808 "*** glibc detected *** %s: %s: 0x%s ***\n")
147 [ 0:03] ## GDB:	    at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
148 [ 0:03] ## GDB:	        ap = {{gp_offset = 40, fp_offset = 48, 
149 [ 0:03] ## GDB:	            overflow_arg_area = 0x7fff2929a3b0, 
150 [ 0:03] ## GDB:	            reg_save_area = 0x7fff2929a2c0}}
151 [ 0:03] ## GDB:	        ap_copy = {{gp_offset = 16, fp_offset = 48, 
152 [ 0:03] ## GDB:	            overflow_arg_area = 0x7fff2929a3b0, 
153 [ 0:03] ## GDB:	            reg_save_area = 0x7fff2929a2c0}}
154 [ 0:03] ## GDB:	        fd = 106
155 [ 0:03] ## GDB:	        list = 0x7fff29299b20
156 [ 0:03] ## GDB:	        nlist = 690592896
157 [ 0:03] ## GDB:	        cp = 0x6b <Address 0x6b out of bounds>
158 [ 0:03] ## GDB:	        written = 6
159 [ 0:03] ## GDB:	#3  0x00002b225ca514af in malloc_printerr (av=0x2b225cd349e0, 
160 [ 0:03] ## GDB:	    p=0x2b22614dd0d0, have_lock=0) at malloc.c:6232
161 [ 0:03] ## GDB:	No locals.
162 [ 0:03] ## GDB:	#4  _int_free (av=0x2b225cd349e0, p=0x2b22614dd0d0, have_lock=0)
163 [ 0:03] ## GDB:	    at malloc.c:4759
164 [ 0:03] ## GDB:	        size = <value optimized out>
165 [ 0:03] ## GDB:	        fb = <value optimized out>
166 [ 0:03] ## GDB:	        nextchunk = 0x2b22614dd4e0
167 [ 0:03] ## GDB:	        nextsize = 140733883983184
168 [ 0:03] ## GDB:	        prevsize = <value optimized out>
169 [ 0:03] ## GDB:	        bck = <value optimized out>
170 [ 0:03] ## GDB:	        fwd = <value optimized out>
171 [ 0:03] ## GDB:	        errstr = 0x2b225cb038f8 "double free or corruption (out)"
172 [ 0:03] ## GDB:	        locked = 1
173 [ 0:03] ## GDB:	#5  0x00002b225ca557ab in __libc_free (mem=<value optimized out>)
174 [ 0:03] ## GDB:	    at malloc.c:3670
175 [ 0:03] ## GDB:	        ar_ptr = 0x146c
176 [ 0:03] ## GDB:	        p = 0xffffffffffffffff
177 [ 0:03] ## GDB:	#6  0x00002b225af23bea in _insert_node48 (rt=0x2b2260800bc0, v=0x2b2260800bc8, 
178 [ 0:03] ## GDB:	    kb=0x7fff2929a550 "\a", ke=0x7fff2929a55c "\"+", rv=<value optimized out>)
179 [ 0:03] ## GDB:	    at base/data-struct/radix-tree.c:402
180 [ 0:03] ## GDB:	        n256 = 0x2b22614dc070
181 [ 0:03] ## GDB:	        n48 = 0x2b22614dd0e0
182 [ 0:03] ## GDB:	#7  _insert (rt=0x2b2260800bc0, v=0x2b2260800bc8, kb=0x7fff2929a550 "\a", 
183 [ 0:03] ## GDB:	    ke=0x7fff2929a55c "\"+", rv=<value optimized out>)
184 [ 0:03] ## GDB:	    at base/data-struct/radix-tree.c:475
185 [ 0:03] ## GDB:	No locals.
186 [ 0:03] ## GDB:	#8  0x00002b225af23cdd in radix_tree_insert (rt=0x2b2260800bc0, 
187 [ 0:03] ## GDB:	    kb=<value optimized out>, ke=0x7fff2929a55c "\"+", rv=...)
188 [ 0:03] ## GDB:	    at base/data-struct/radix-tree.c:558
189 [ 0:03] ## GDB:	        lr = {v = 0x2b2260800bc8, kb = 0x7fff2929a550 "\a"}
190 [ 0:03] ## GDB:	#9  0x00002b225aef35b5 in _block_insert (cache=0x2b2260800b00, fd=7, i=0, 
191 [ 0:03] ## GDB:	    can_wait=false) at device/bcache.c:505
192 [ 0:03] ## GDB:	No locals.
193 [ 0:03] ## GDB:	#10 _new_block (cache=0x2b2260800b00, fd=7, i=0, can_wait=false)
194 [ 0:03] ## GDB:	    at device/bcache.c:759
195 [ 0:03] ## GDB:	        b = 0x2b22614cd060
196 [ 0:03] ## GDB:	#11 0x00002b225aef4272 in bcache_prefetch (cache=0x2b2260800b00, fd=7, i=0)
197 [ 0:03] ## GDB:	    at device/bcache.c:965
198 [ 0:03] ## GDB:	        b = <value optimized out>
199 [ 0:03] ## GDB:	#12 0x00002b225aef4587 in _update_bytes (u=0x7fff2929a610, fd=7, 
200 [ 0:03] ## GDB:	    start=<value optimized out>, len=4096) at device/bcache-utils.c:112
201 [ 0:03] ## GDB:	        cache = 0x2b2260800b00
202 [ 0:03] ## GDB:	        bb = 0
203 [ 0:03] ## GDB:	        be = 1
204 [ 0:03] ## GDB:	        block_size = 131072
205 [ 0:03] ## GDB:	        block_offset = 4096
206 [ 0:03] ## GDB:	#13 0x00002b225aef46bc in bcache_zero_bytes (cache=<value optimized out>, 
207 [ 0:03] ## GDB:	    fd=5228, start=6, len=18446744073709551615) at device/bcache-utils.c:226
208 [ 0:03] ## GDB:	        u = {cache = 0x2b2260800b00, 
209 [ 0:03] ## GDB:	          partial_fn = 0x2b225aef48cf <_zero_partial>, 
210 [ 0:03] ## GDB:	          whole_fn = 0x2b225aef4866 <_zero_whole>, data = 0x0}
211 [ 0:03] ## GDB:	#14 0x00002b225ae8fce1 in dev_write_zeros (dev=0x2b22607da9e8, start=4096, 
212 [ 0:03] ## GDB:	    len=4096) at label/label.c:1254
213 [ 0:03] ## GDB:	No locals.
214 [ 0:03] ## GDB:	#15 0x00002b225ae8951a in _text_pv_add_metadata_area (
215 [ 0:03] ## GDB:	    fmt=<value optimized out>, pv=0x2b22607dd4b0, pe_start_locked=0, 
216 [ 0:03] ## GDB:	    mda_index=0, mda_size=<value optimized out>, mda_ignored=0)
217 [ 0:03] ## GDB:	    at format_text/format-text.c:2096
218 [ 0:03] ## GDB:	        fid = <value optimized out>
219 [ 0:03] ## GDB:	        pvid = 0x2b22607dd4b0 "8ce8W4C7VPYqDubqtYnilCQDBfebuxXN"
220 [ 0:03] ## GDB:	        ba_size = 0
221 [ 0:03] ## GDB:	        pe_start = <value optimized out>
222 [ 0:03] ## GDB:	        first_unallocated = <value optimized out>
223 [ 0:03] ## GDB:	        alignment = 1048576
224 [ 0:03] ## GDB:	        alignment_offset = <value optimized out>
225 [ 0:03] ## GDB:	        disk_size = 35651584
226 [ 0:03] ## GDB:	        mda_start = <value optimized out>
227 [ 0:03] ## GDB:	        limit = <value optimized out>
228 [ 0:03] ## GDB:	        tmp_mda_size = <value optimized out>
229 [ 0:03] ## GDB:	        zero_len = 4096
230 [ 0:03] ## GDB:	        page_size = <value optimized out>
231 [ 0:03] ## GDB:	        mda = <value optimized out>
232 [ 0:03] ## GDB:	        limit_name = 0x2b225af68ff5 "disk size"
233 [ 0:03] ## GDB:	        limit_applied = <value optimized out>
234 [ 0:03] ## GDB:	#16 0x00002b225aeb6c0a in pv_create (cmd=<value optimized out>, 
235 [ 0:03] ## GDB:	    dev=0x2b22607da9e8, pva=0x7fff2929a948) at metadata/metadata.c:1488
236 [ 0:03] ## GDB:	        fmt = 0x2b22607dd0e0
237 [ 0:03] ## GDB:	        mem = 0x2b22607dd090
238 [ 0:03] ## GDB:	        pv = 0x2b22607dd4b0
239 [ 0:03] ## GDB:	        mda_index = 0
240 [ 0:03] ## GDB:	        pvl = <value optimized out>
241 [ 0:03] ## GDB:	        size = <value optimized out>
242 [ 0:03] ## GDB:	        data_alignment = 0
243 [ 0:03] ## GDB:	        data_alignment_offset = 0
244 [ 0:03] ## GDB:	        pvmetadatacopies = 1
245 [ 0:03] ## GDB:	        pvmetadatasize = 255
246 [ 0:03] ## GDB:	        metadataignore = 0
247 [ 0:03] ## GDB:	#17 0x00002b225ae576b5 in pvcreate_each_device (cmd=0x2b22607b65e0, 
248 [ 0:03] ## GDB:	    handle=0x2b22614d10b0, pp=0x7fff2929a920) at toollib.c:5710
249 [ 0:03] ## GDB:	        pd = <value optimized out>
250 [ 0:03] ## GDB:	        pd2 = 0x2b22614d1238
251 [ 0:03] ## GDB:	        prompt = <value optimized out>
252 [ 0:03] ## GDB:	        prompt2 = <value optimized out>
253 [ 0:03] ## GDB:	        pv = <value optimized out>
254 [ 0:03] ## GDB:	        orphan_vg = 0x0
255 [ 0:03] ## GDB:	        remove_duplicates = {n = 0x7fff2929a820, p = 0x7fff2929a820}
256 [ 0:03] ## GDB:	        arg_sort = {n = 0x7fff2929a810, p = 0x7fff2929a810}
257 [ 0:03] ## GDB:	        rescan_devs = {n = 0x2b22614d7b30, p = 0x2b22614d8790}
258 [ 0:03] ## GDB:	        pvl = <value optimized out>
259 [ 0:03] ## GDB:	        vgpvl = <value optimized out>
260 [ 0:03] ## GDB:	        devl = <value optimized out>
261 [ 0:03] ## GDB:	        pv_name = 0x2b22614d11e8 "@TESTDIR@/dev/mapper/@PREFIX@pv2"
262 [ 0:03] ## GDB:	        must_use_all = 256
263 [ 0:03] ## GDB:	        i = <value optimized out>
264 [ 0:03] ## GDB:	#18 0x00002b225ae5b3bb in vgcreate (cmd=0x2b22607b65e0, 
265 [ 0:03] ## GDB:	    argc=<value optimized out>, argv=0x7fff2929cb08) at vgcreate.c:110
266 [ 0:03] ## GDB:	        handle = 0x0
267 [ 0:03] ## GDB:	        pp = {pv_names = 0x7fff2929cb10, pv_count = 100, zero = 1, 
268 [ 0:03] ## GDB:	          force = PROMPT, yes = 0, restorefile = 0x0, uuid_str = 0x0, pva = {
269 [ 0:03] ## GDB:	            size = 0, data_alignment = 0, data_alignment_offset = 0, 
270 [ 0:03] ## GDB:	            label_sector = 1, pvmetadatacopies = 1, pvmetadatasize = 255, 
271 [ 0:03] ## GDB:	            metadataignore = 0, id = {uuid = '\000' <repeats 31 times>}, 
272 [ 0:03] ## GDB:	            idp = 0x0, ba_start = 0, ba_size = 0, 
273 [ 0:03] ## GDB:	            pe_start = 18446744073709551615, extent_count = 0, 
274 [ 0:03] ## GDB:	            extent_size = 0}, prompts = {n = 0x7fff2929a9c8, 
275 [ 0:03] ## GDB:	            p = 0x7fff2929a9c8}, arg_devices = {n = 0x7fff2929a9d8, 
276 [ 0:03] ## GDB:	            p = 0x7fff2929a9d8}, arg_process = {n = 0x7fff2929a9e8, 
277 [ 0:03] ## GDB:	            p = 0x7fff2929a9e8}, arg_confirm = {n = 0x7fff2929a9f8, 
278 [ 0:03] ## GDB:	            p = 0x7fff2929a9f8}, arg_create = {n = 0x2b22614d10d8, 
279 [ 0:03] ## GDB:	            p = 0x2b22614d5db0}, arg_remove = {n = 0x7fff2929aa18, 
280 [ 0:03] ## GDB:	            p = 0x7fff2929aa18}, arg_fail = {n = 0x7fff2929aa28, 
281 [ 0:03] ## GDB:	            p = 0x7fff2929aa28}, pvs = {n = 0x2b22614d87b0, 
282 [ 0:03] ## GDB:	            p = 0x2b22614d87b0}, orphan_vg_name = 0x0, is_remove = 0, 
283 [ 0:03] ## GDB:	          preserve_existing = 1, check_failed = 0}
284 [ 0:03] ## GDB:	        vp_new = {vg_name = 0x7fff2929e6ab "@PREFIX@vg", 
285 [ 0:03] ## GDB:	          extent_size = 1024, max_pv = 0, max_lv = 0, alloc = ALLOC_NORMAL, 
286 [ 0:03] ## GDB:	          clustered = 11042, vgmetadatacopies = 0, system_id = 0x0, 
287 [ 0:03] ## GDB:	          lock_type = 0x2b225af25a45 "none", 
288 [ 0:03] ## GDB:	          lock_args = 0x3 <Address 0x3 out of bounds>}
289 [ 0:03] ## GDB:	        vp_def = {vg_name = 0x7fff2929e6ab "@PREFIX@vg", 
290 [ 0:03] ## GDB:	          extent_size = 8192, max_pv = 0, max_lv = 0, alloc = ALLOC_NORMAL, 
291 [ 0:03] ## GDB:	          clustered = 0, vgmetadatacopies = 0, system_id = 0x0, 
292 [ 0:03] ## GDB:	          lock_type = 0x2b225af18b99 "\211\302\205\300x\a\211\300H9\303w\005\272\377\377\377\377\211\320H\201\304\320", 
293 [ 0:03] ## GDB:	          lock_args = 0x3000000030 <Address 0x3000000030 out of bounds>}
294 [ 0:03] ## GDB:	        vg = <value optimized out>
295 [ 0:03] ## GDB:	        tag = <value optimized out>
296 [ 0:03] ## GDB:	        vg_name = 0x7fff2929e6ab "@PREFIX@vg"
297 [ 0:03] ## GDB:	        current_group = <value optimized out>
298 [ 0:03] ## GDB:	#19 0x00002b225ae3f29e in lvm_run_command (cmd=0x2b22607b65e0, argc=101, 
299 [ 0:03] ## GDB:	    argv=<value optimized out>) at lvmcmdline.c:2995
300 [ 0:03] ## GDB:	        config_string_cft = <value optimized out>
301 [ 0:03] ## GDB:	        config_profile_command_cft = <value optimized out>
302 [ 0:03] ## GDB:	        config_profile_metadata_cft = <value optimized out>
303 [ 0:03] ## GDB:	        ret = <value optimized out>
304 [ 0:03] ## GDB:	        locking_type = <value optimized out>
305 [ 0:03] ## GDB:	        nolocking = 0
306 [ 0:03] ## GDB:	        readonly = 0
307 [ 0:03] ## GDB:	        monitoring = -1
308 [ 0:03] ## GDB:	        arg_new = <value optimized out>
309 [ 0:03] ## GDB:	        arg = <value optimized out>
310 [ 0:03] ## GDB:	        i = <value optimized out>
311 [ 0:03] ## GDB:	        skip_hyphens = <value optimized out>
312 [ 0:03] ## GDB:	        refresh_done = <value optimized out>
313 [ 0:03] ## GDB:	#20 0x00002b225ae4031a in lvm2_main (argc=104, argv=0x7fff2929caf0)
314 [ 0:03] ## GDB:	    at lvmcmdline.c:3524
315 [ 0:03] ## GDB:	        base = <value optimized out>
316 [ 0:03] ## GDB:	        ret = <value optimized out>
317 [ 0:03] ## GDB:	        alias = 0
318 [ 0:03] ## GDB:	        custom_fds = {out = -1, err = -1, report = -1}
319 [ 0:03] ## GDB:	        cmd = 0x2b22607b65e0
320 [ 0:03] ## GDB:	        run_shell = 0
321 [ 0:03] ## GDB:	        run_script = 0
322 [ 0:03] ## GDB:	        run_name = <value optimized out>
323 [ 0:03] ## GDB:	        run_command_name = <value optimized out>
324 [ 0:03] ## GDB:	#21 0x00002b225ae62c31 in main (argc=5228, argv=0x146c) at lvm.c:22
325 [ 0:03] ## GDB:	No locals.
326 [ 0:03] ## GDB:	59	    if (__builtin_expect (pid <= 0, 0))
327 [ 0:03] ## GDB:	60	      pid = (pid & INT_MAX) == 0 ? selftid : -pid;
328 [ 0:03] ## GDB:	61	#endif
329 [ 0:03] ## GDB:	62	
330 [ 0:03] ## GDB:	63	#if __ASSUME_TGKILL
331 [ 0:03] ## GDB:	64	  return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
332 [ 0:03] ## GDB:	65	#else
333 [ 0:03] ## GDB:	66	# ifdef __NR_tgkill
334 [ 0:03] ## GDB:	67	  int res = INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
335 [ 0:03] ## GDB:	68	  if (res != -1 || errno != ENOSYS)

Comment 1 Marian Csontos 2018-06-27 08:38:28 UTC

This is from upstream master branch. The same test in stable branch succeeds.

Comment 2 Marian Csontos 2018-06-27 08:50:46 UTC

The last working commit was: 42f7caf1c267a5b75ee38ea77a7e2fd7c582e704
The first failing: 18528180d9f588e265747f4710a8767756454b4c

Comment 3 Joe Thornber 2019-10-08 09:11:27 UTC

Lot's of code changed since this report.

Note You need to log in before you can comment on or make changes to this bug.