** Description changed: - I obtained a coredump from a system where multipathd had crashed and - received the following backtrace: + I obtained a coredump from a system where natty's multipathd had crashed + and received the following backtrace: 0 0x00007f802925da75 in *__GI_raise (sig=<value optimized out>) - at ../nptl/sysdeps/unix/sysv/linux/raise.c:64 + at ../nptl/sysdeps/unix/sysv/linux/raise.c:64 #1 0x00007f80292615c0 in *__GI_abort () at abort.c:92 #2 0x00007f80292974fb in __libc_message (do_abort=<value optimized out>, - fmt=<value optimized out>) at ../sysdeps/unix/sysv/linux/libc_fatal.c:189 + fmt=<value optimized out>) at ../sysdeps/unix/sysv/linux/libc_fatal.c:189 #3 0x00007f80292a15b6 in malloc_printerr (action=3, - str=0x7f8029374c70 "double free or corruption (fasttop)", - ptr=<value optimized out>) at malloc.c:6266 + str=0x7f8029374c70 "double free or corruption (fasttop)", + ptr=<value optimized out>) at malloc.c:6266 #4 0x00007f80292a7e83 in *__GI___libc_free (mem=<value optimized out>) - at malloc.c:3738 + at malloc.c:3738 #5 0x00000000004173a5 in xfree (p=0x147bcb0) at memory.c:52 #6 0x00000000004286cd in free_multipath (mpp=0x14ce1b0, free_paths=0) - at structs.c:172 + at structs.c:172 #7 0x0000000000429285 in remove_map (mpp=0x14ce1b0, vecs=0x147b620, - stop_waiter=0, purge_vec=1) at structs_vec.c:141 + stop_waiter=0, purge_vec=1) at structs_vec.c:141 #8 0x0000000000404e06 in ev_add_path (devname=0x16fae48 "sdi", vecs=0x147b620) - at main.c:438 + at main.c:438 #9 0x0000000000404913 in uev_add_path (dev=0x16fabc0, vecs=0x147b620) - at main.c:327 + at main.c:327 #10 0x000000000040584c in uev_trigger (uev=0x7f801c009940, - trigger_data=0x147b620) at main.c:684 + trigger_data=0x147b620) at main.c:684 #11 0x000000000042b679 in service_uevq () at uevent.c:77 #12 0x000000000042b714 in uevq_thread (et=0x0) at uevent.c:101 ---Type <return> to continue, or q <return> to quit--- #13 0x00007f8029e579ca in start_thread () from /lib/libpthread.so.0 #14 
0x00007f802931070d in clone () - at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112 + at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112 #15 0x0000000000000000 in ?? () So it looks like we are trying to free a non-NULL value here: - if (mpp->dmi) - FREE(mpp->dmi); + if (mpp->dmi) + FREE(mpp->dmi); What's suspicious is that, after freeing that, we don't set it to NULL. I took a look at upstream git, and found that they do now set it to NULL after freeing it. This was part of the following commit: commit b7ca0eaae6ccd8dca60df3e2ee93220eadd691ee Author: Hannes Reinecke <h...@suse.de> Date: Wed Jan 28 09:24:10 2009 +0100 - Plug memory leaks + Plug memory leaks - Running the internal memory checker revealed quite some memory - leaks. + Running the internal memory checker revealed quite some memory + leaks. - Signed-off-by: Hannes Reinecke <h...@suse.de> + Signed-off-by: Hannes Reinecke <h...@suse.de> + + Note that this change is already included in oneiric.
** Summary changed: - double free of mpp->dmi in free_multipath() + [SRU] double free of mpp->dmi in free_multipath() -- https://bugs.launchpad.net/bugs/829061 Title: [SRU] double free of mpp->dmi in free_multipath()
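The guarded free discussed in the report, next to the form that resets the pointer, as an added example that is not code from multipath-tools or from the bug report. `struct mp_demo`, `tracked_free` and the teardown functions are hypothetical names, and calling the teardown twice on one object is an assumption made here to show why the `if (mpp->dmi)` guard alone does not prevent a second free.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the multipath struct; only dmi matters here. */
struct mp_demo { void *dmi; };

/* Records released pointers; a repeat is counted instead of reaching free(). */
static void *released[8];
static int n_released, double_frees;

static void tracked_free(void *p)
{
    for (int i = 0; i < n_released; i++)
        if (released[i] == p) { double_frees++; return; }
    released[n_released++] = p;      /* real free() is deferred to the harness */
}

/* Pattern quoted in the report: guarded free, pointer keeps its old value. */
static void teardown_unfixed(struct mp_demo *mpp)
{
    if (mpp->dmi)
        tracked_free(mpp->dmi);
}

/* Same teardown with the pointer reset, so the guard fails the second time. */
static void teardown_fixed(struct mp_demo *mpp)
{
    if (mpp->dmi) {
        tracked_free(mpp->dmi);
        mpp->dmi = NULL;
    }
}

/* Assumption: two cleanup paths reach the same object. Returns repeat frees. */
static int double_frees_after_two_teardowns(void (*teardown)(struct mp_demo *))
{
    struct mp_demo mpp = { .dmi = malloc(64) };
    if (!mpp.dmi) return -1;         /* allocation failed, nothing to show */
    n_released = double_frees = 0;
    teardown(&mpp);
    teardown(&mpp);
    for (int i = 0; i < n_released; i++) free(released[i]);
    return double_frees;
}

int main(void)
{
    printf("unfixed=%d fixed=%d\n",
           double_frees_after_two_teardowns(teardown_unfixed),
           double_frees_after_two_teardowns(teardown_fixed));
    return 0;
}
```

With glibc's real `free()`, the repeat release counted here is what triggers the `double free or corruption (fasttop)` abort seen in frame #3 of the backtrace.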