Bug 869609 - Segmentation fault in sync_deliver_fn
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: corosync
Version: 6.4
Hardware/OS: All / All
Priority: medium
Severity: medium
Target Milestone: rc
Assigned To: Jan Friesse
QA Contact: Cluster QE
Blocks: 830799 895654
Reported: 2012-10-24 08:10 EDT by Jan Friesse
Modified: 2013-02-21 02:51 EST
Fixed In Version: corosync-1.4.1-13.el6
Doc Type: Bug Fix
Doc Text:
Cause: Many corosync nodes are started at once.
Consequence: Corosync segfaults.
Fix: NULL pointer is not dereferenced.
Result: Corosync no longer segfaults.
Last Closed: 2013-02-21 02:51:04 EST
Type: Bug

Attachments:
Proposed patch (1.01 KB, patch), 2012-10-24 08:10 EDT, Jan Friesse

Description Jan Friesse 2012-10-24 08:10:33 EDT
Created attachment 632732 [details]
Proposed patch

Description of problem:
sync_deliver_fn can segfault if the following sequence of actions happens:
- corosync is started
- totem creates a membership
- totem receives a message (sync type)
- totem delivers the sync message to sync_deliver_fn, but sync_confchg_fn has not yet been called
- sync_confchg_fn is called
- sync_ring_id (which is NULL) is compared to the message ring_id
-> segfault

Version-Release number of selected component (if applicable):
Flatiron

How reproducible:
0.00001%

Steps to Reproduce:
In Description
  
Actual results:
Segfault

Expected results:
No segfault

Additional info:
"Unit" Test:
Same as in #863940. Reproducible in about 20-50 runs of "Unit" test.

Backtrace should look like:
Program terminated with signal 11, Segmentation fault.
#0  sync_deliver_fn (nodeid=41658560, msg=0x7fd7840fc056, msg_len=<value optimized out>, endian_conversion_required=0) at sync.c:391
391		if (memcmp (&req_exec_sync_barrier_start->ring_id, sync_ring_id,
Missing separate debuginfos, use: debuginfo-install glibc-2.12-1.80.el6.x86_64 libgcc-4.4.6-4.el6.x86_64 libibverbs-1.1.6-4.el6.x86_64 librdmacm-1.0.15-2.el6.x86_64 nspr-4.9-1.el6.x86_64 nss-3.13.3-6.el6.x86_64 nss-util-3.13.3-2.el6.x86_64 zlib-1.2.3-27.el6.x86_64
(gdb) 
Thread 3 (Thread 0x7fd77ffff700 (LWP 14232)):
#0  0x00007fd7877ee720 in sem_wait () from /lib64/libpthread.so.0
#1  0x0000000000407ce0 in corosync_exit_thread_handler (arg=0x0) at main.c:199
#2  0x00007fd7877e8851 in start_thread () from /lib64/libpthread.so.0
#3  0x00007fd78733267d in clone () from /lib64/libc.so.6

Thread 2 (Thread 0x7fd788455da0 (LWP 14231)):
#0  0x00007fd787328fc3 in poll () from /lib64/libc.so.6
#1  0x0000000000409c1e in prioritized_timer_thread (data=<value optimized out>) at timer.c:127
#2  0x00007fd7877e8851 in start_thread () from /lib64/libpthread.so.0
#3  0x00007fd78733267d in clone () from /lib64/libc.so.6

Thread 1 (Thread 0x7fd788458700 (LWP 14229)):
#0  sync_deliver_fn (nodeid=41658560, msg=0x7fd7840fc056, msg_len=<value optimized out>, endian_conversion_required=0) at sync.c:391
#1  0x00007fd78802fdfd in app_deliver_fn (nodeid=41658560, msg=0x1172404, msg_len=<value optimized out>, endian_conversion_required=0) at totempg.c:529
#2  totempg_deliver_fn (nodeid=41658560, msg=0x1172404, msg_len=<value optimized out>, endian_conversion_required=0) at totempg.c:641
#3  0x00007fd7880289d5 in messages_deliver_to_app (instance=0x7fd788402010, skip=0, end_point=<value optimized out>) at totemsrp.c:3793
#4  0x00007fd78802c50e in memb_state_operational_enter (instance=0x7fd788402010) at totemsrp.c:1739
#5  0x00007fd78802e986 in message_handler_orf_token (instance=0x7fd788402010, msg=<value optimized out>, msg_len=<value optimized out>, endian_conversion_needed=<value optimized out>) at totemsrp.c:3651
#6  0x00007fd7880254ff in rrp_deliver_fn (context=0x111bdb0, msg=0x1162bac, msg_len=71) at totemrrp.c:1736
#7  0x00007fd78801fe94 in net_deliver_fn (handle=<value optimized out>, fd=<value optimized out>, revents=<value optimized out>, data=0x11624e0) at totemudp.c:1284
#8  0x00007fd78801b1e2 in poll_run (handle=1197105576937521152) at coropoll.c:513
#9  0x0000000000406f69 in main (argc=<value optimized out>, argv=<value optimized out>, envp=<value optimized out>) at main.c:1869
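A constructed C model of the ordering in the description and of the guard the Doc Text summarises ("NULL pointer is not dereferenced"), added here as an illustration; it is not the attached corosync patch, and the struct layouts, function signatures and return codes are simplified assumptions, not corosync's real definitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins for totem's ring id and the barrier-start message
 * (assumptions, not corosync's real structs). Two uint32_t fields leave no
 * padding, so memcmp() over the struct is a well-defined comparison. */
struct memb_ring_id { uint32_t rep; uint32_t seq; };
struct req_exec_sync_barrier_start { struct memb_ring_id ring_id; };

enum deliver_result {
    DELIVER_TRUNCATED = 0,   /* message shorter than the header we need   */
    DELIVER_NO_RING_YET = 1, /* arrived before the first sync_confchg_fn  */
    DELIVER_STALE_RING = 2,  /* ring id does not match the current ring   */
    DELIVER_ACCEPTED = 3
};

/* sync_confchg_fn is what points sync_ring_id at the current ring; until it
 * has run the pointer is NULL. That window is the race in the description. */
static struct memb_ring_id current_ring;
static const struct memb_ring_id *sync_ring_id = NULL;

void sync_confchg_fn(uint32_t rep, uint32_t seq)
{
    current_ring.rep = rep;
    current_ring.seq = seq;
    sync_ring_id = &current_ring;
}

/* Hardened deliver path: a sync message that arrives before sync_confchg_fn is
 * dropped instead of being handed to memcmp() with a NULL sync_ring_id, which
 * is the dereference at sync.c:391 in the backtrace above. */
enum deliver_result sync_deliver_fn(const void *msg, size_t msg_len)
{
    const struct req_exec_sync_barrier_start *req = msg;

    if (msg_len < sizeof (*req)) return DELIVER_TRUNCATED;
    if (sync_ring_id == NULL) return DELIVER_NO_RING_YET;
    if (memcmp (&req->ring_id, sync_ring_id, sizeof (struct memb_ring_id)) != 0)
        return DELIVER_STALE_RING;
    return DELIVER_ACCEPTED;
}

/* Build a barrier-start message for the given ring and deliver it. */
enum deliver_result deliver_barrier(uint32_t rep, uint32_t seq)
{
    struct req_exec_sync_barrier_start req = { { rep, seq } };
    return sync_deliver_fn(&req, sizeof (req));
}

/* Replay the ordering from the description: barrier-start delivered before the
 * first confchg (the old code segfaulted here), then confchg, then delivery. */
int replay_description_sequence(void)
{
    if (deliver_barrier(1, 7) != DELIVER_NO_RING_YET) return 0;
    sync_confchg_fn(1, 7);
    if (deliver_barrier(1, 7) != DELIVER_ACCEPTED) return 0;
    if (deliver_barrier(1, 6) != DELIVER_STALE_RING) return 0;
    return 1;
}
```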
Comment 4 errata-xmlrpc 2013-02-21 02:51:04 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0497.html
