** Description changed: + ============================================================================ + SRU Justification: + Impact: cgmanager crashes + Detailed explanation: The close handler calls nih_free(io), which can result in calling the error handler. The error handler dereferences the data struct. Therefore the data struct must be freed after calling nih_free(io). + Test case: This is a hard to reproduce, timing-related bug. Reboot a vm with cgmanager installed 30 times, running the cgmanager test-suite each time. Check the logs for a cgmanager crash. + Regression potential: Freeing the io struct before the data struct should be safe and cause no regressions. + ============================================================================ + In testing the split greeter silo, I'm seeing an occasional (1 in 20 boots?) crash in cgmanager, which sometimes also causes problems starting a pam session for the greeter. Here's the stacktrace I've got: #0 __libc_do_syscall () - at ../ports/sysdeps/unix/sysv/linux/arm/libc-do-syscall.S:44 + at ../ports/sysdeps/unix/sysv/linux/arm/libc-do-syscall.S:44 #1 0xb6e870fe in __GI_raise (sig=sig@entry=6) - at ../nptl/sysdeps/unix/sysv/linux/raise.c:56 + at ../nptl/sysdeps/unix/sysv/linux/raise.c:56 #2 0xb6e89956 in __GI_abort () at abort.c:89 - #3 0xb6eadde0 in __libc_message (do_abort=<optimized out>, - fmt=0xb6f2f2b8 "*** Error in `%s': %s: 0x%s ***\n") - at ../sysdeps/posix/libc_fatal.c:175 - #4 0xb6eb498e in malloc_printerr (action=1, - str=0xb6f2f450 "free(): corrupted unsorted chunks", ptr=<optimized out>) - at malloc.c:4996 - #5 0xb6eb53b4 in _int_free (av=<optimized out>, p=<optimized out>, - have_lock=0) at malloc.c:3840 + #3 0xb6eadde0 in __libc_message (do_abort=<optimized out>, + fmt=0xb6f2f2b8 "*** Error in `%s': %s: 0x%s ***\n") + at ../sysdeps/posix/libc_fatal.c:175 + #4 0xb6eb498e in malloc_printerr (action=1, + str=0xb6f2f450 "free(): corrupted unsorted chunks", ptr=<optimized out>) + at malloc.c:4996 + #5 
0xb6eb53b4 in _int_free (av=<optimized out>, p=<optimized out>, + have_lock=0) at malloc.c:3840 #6 0xb6f8ccae in nih_alloc_context_free (ctx=0xb73502a0) at alloc.c:490 #7 nih_free (ptr=0xb73502b8) at alloc.c:332 #8 0xb6fe8b5a in scm_sock_close (data=0xb7354978, io=0xb73502b8) - at frontend.c:114 - #9 0xb6fe8d48 in sock_scm_reader (data=0xb7354978, io=0xb73502b8, - buf=0xb7352910 "p", len=1) at frontend.c:177 - #10 0xb6f91324 in nih_io_watcher (io=0xb73502b8, watch=0xb734c760, - events=NIH_IO_READ) at io.c:961 - #11 0xb6f90090 in nih_io_handle_fds (readfds=readfds@entry=0xbed9aa18, - writefds=writefds@entry=0xbed9aa98, exceptfds=exceptfds@entry=0xbed9ab18) - at io.c:237 + at frontend.c:114 + #9 0xb6fe8d48 in sock_scm_reader (data=0xb7354978, io=0xb73502b8, + buf=0xb7352910 "p", len=1) at frontend.c:177 + #10 0xb6f91324 in nih_io_watcher (io=0xb73502b8, watch=0xb734c760, + events=NIH_IO_READ) at io.c:961 + #11 0xb6f90090 in nih_io_handle_fds (readfds=readfds@entry=0xbed9aa18, + writefds=writefds@entry=0xbed9aa98, exceptfds=exceptfds@entry=0xbed9ab18) + at io.c:237 #12 0xb6f9322a in nih_main_loop () at main.c:586 #13 0xb6fdea6c in main (argc=4, argv=0xbed9ada4) at cgmanager.c:933
https://bugs.launchpad.net/bugs/1322798
Title: Crashes occasionally on boot due to a bad free() call
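An added example, not part of the original bug report and not cgmanager or libnih code: a toy C model of the ordering problem described in the SRU justification, where releasing the io object can invoke an error handler that dereferences the data struct. All names (conn_data, pending_error, close_buggy, close_fixed) are hypothetical, and the data struct lives in a static slot with a live flag so the stale access is counted instead of corrupting the heap.

```c
#include <stdio.h>
#include <stdlib.h>
/* Toy stand-ins; hypothetical names, not libnih or cgmanager code. */
struct conn_data { int live; };
struct io {
    struct conn_data *data;
    void (*on_error)(struct conn_data *, struct io *);
    int pending_error;   /* assumption: models the timing-dependent error */
};
/* Static slot instead of malloc, so a stale access is counted, not undefined. */
static struct conn_data slot;
static int stale_accesses;
static void data_free(struct conn_data *d) { d->live = 0; }
static void error_handler(struct conn_data *data, struct io *io) {
    (void)io;
    if (!data->live) stale_accesses++;   /* a use-after-free with real free() */
}

/* Releasing the io object may run the error handler, as the report describes. */
static void io_free(struct io *io) {
    if (io->pending_error) io->on_error(io->data, io);
    free(io);
}

static struct io *io_new(int pending_error) {
    struct io *io = malloc(sizeof *io);
    if (!io) abort();
    slot.live = 1; stale_accesses = 0;
    io->data = &slot; io->on_error = error_handler; io->pending_error = pending_error;
    return io;
}

int close_buggy(int pending_error) {   /* data released before io */
    struct io *io = io_new(pending_error);
    data_free(io->data);
    io_free(io);
    return stale_accesses;
}

int close_fixed(int pending_error) {   /* io released first, data last */
    struct io *io = io_new(pending_error);
    struct conn_data *data = io->data;
    io_free(io);
    data_free(data);
    return stale_accesses;
}

int main(void) {
    return printf("buggy: %d stale, fixed: %d stale\n", close_buggy(1), close_fixed(1)) < 0;
}
```

The buggy order only misbehaves when an error is pending at close time, which matches the intermittent, timing-related crash the report describes.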
