557104 – dmeventd crash if both snapshot and mirror monitoring DSO are used

Bug 557104 - dmeventd crash if both snapshot and mirror monitoring DSO are used

Summary: dmeventd crash if both snapshot and mirror monitoring DSO are used

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	lvm2
Sub Component:
Version:	5.5
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Petr Rockai
QA Contact:	Cluster QE
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2010-01-20 12:46 UTC by Milan Broz
Modified:	2013-03-01 04:09 UTC (History)
CC List:	10 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2010-03-30 09:01:34 UTC
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2010:0298	0	normal	SHIPPED_LIVE	lvm2 bug fix and enhancement update	2010-03-29 15:16:34 UTC

Description Milan Broz 2010-01-20 12:46:44 UTC

Description of problem:

Unsafe lvm2lib initialisation between two plugins cause memory corruption and dmeventd crash.

Version-Release number of selected component (if applicable):

lvm2-2.02.56-5.el5
device-mapper-1.02.39-1.el5

How reproducible:

1) run dmeventd in foreground mode "dmeventd -d" 

2)create VG with two mirrors and two snapshots, e.g.

# lvs vg_bar
  LV     VG     Attr   LSize Origin Snap%  Move Log        Copy%  Convert
  lv1    vg_bar owi-a- 4.00M
  lv1_s1 vg_bar swi-a- 4.00M lv1      0.20
  lv1_s2 vg_bar swi-a- 4.00M lv1      0.20
  lv2m   vg_bar mwi-a- 4.00M                    lv2m_mlog  100.00
  lv2m2  vg_bar mwi-a- 4.00M                    lv2m2_mlog 100.00

3) Activate and deactivate all volumes:
while :; do vgchange -a n vg_bar ; vgchange -a y vg_bar ; done

4) Enjoy the crash
# dmeventd -d     
You have a memory leak (not released memory pool):
 [0x9a5d458]                                      
 [0x9a5d478]                                      
 [0x9a5df48]                                      
 [0x9a5df68]                                      
 [0x9a83380]                                      
 [0x9a835a8]                                      
 [0x9a839d0]                                      
 [0x9a844d0]                                      
 [0x9a6c4c8]                                      
device-mapper: waitevent ioctl failed: Interrupted system call
You have a memory leak (not released memory pool):            
 [0x9a83380]                                                  
*** glibc detected *** dmeventd: realloc(): invalid next size: 0x09a73710 ***
======= Backtrace: =========                                                 
/lib/libc.so.6[0x7ff851]                                                     
/lib/libc.so.6(realloc+0xe6)[0x800276]                                       
/usr/lib/liblvm2cmd.so.2.02[0x1769be]                                        
/usr/lib/liblvm2cmd.so.2.02[0x176ad8]                                        
/usr/lib/liblvm2cmd.so.2.02[0x177845]                                        
/usr/lib/liblvm2cmd.so.2.02[0x1912f7]                                        
/usr/lib/liblvm2cmd.so.2.02(lvm2_init+0x1e)[0x19133e]                        
/lib/libdevmapper-event-lvm2mirror.so(register_device+0x9b)[0x6b3bbb]        
dmeventd[0x804aea9]
dmeventd(main+0xc93)[0x804be23]
/lib/libc.so.6(__libc_start_main+0xdc)[0x7a9e9c]

Expected results:

lvm2_init and lvm2_exit (and internal constructors/destructors) must use some kind od reference counting or globally allocated structs must be moved into command context.

Comment 2 Milan Broz 2010-01-27 13:40:49 UTC

Fix in upstream cvs -> POST.

Comment 3 Milan Broz 2010-01-27 15:01:53 UTC

Patch in lvm2-2_02_56-6_el5.

Comment 6 Corey Marthaler 2010-02-03 22:11:08 UTC

Is this message still expected in the latest rpms?

device-mapper: waitevent ioctl failed: Interrupted system call

Comment 7 Corey Marthaler 2010-02-03 22:30:10 UTC

The segfault in this bug is verified fixed in lvm2-2.02.56-6.el5. I also verified that multiple VGs containing multiple snaps/mirrors also works.

Waiting to put this into the VERIFIED state until the question in comment #6 is answered.

Comment 8 Milan Broz 2010-02-04 09:53:00 UTC

(In reply to comment #6)
> device-mapper: waitevent ioctl failed: Interrupted system call    

yes, it is expected.
dmeventd has one thread per monitored device, every thread waits for event (in dm-ioctl syscall). If the device is removed waiting is interrupted.
This warning should be probably more quite (like debug level only) but it is just cosmetic change.

Comment 10 errata-xmlrpc 2010-03-30 09:01:34 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0298.html

Note You need to log in before you can comment on or make changes to this bug.