
#1358 smfd: core dump in smfd when receive smfnd UP event

4.6.1
fixed
None
defect
smf
d
4.6.0
major
2015-04-30
2015-04-30
No

(gdb) bt

0 0x000000000040ac88 in get_smfnd (i_node_id=131343) at smfd_smfnd.c:102

1 0x000000000040b229 in smfnd_up (i_node_id=131343, i_smfnd_dest=564115946602536, i_rem_svc_pvt_ver=2 '\002') at smfd_smfnd.c:127

2 0x000000000040a3e5 in proc_mds_info (evt=<optimized out>, cb=<optimized out>) at smfd_evt.c:64

3 smfd_process_mbx (mbx=<optimized out>) at smfd_evt.c:117

4 0x000000000040ab15 in main_process () at smfd_main.c:309

5 main (argc=<optimized out>, argv=<optimized out>) at smfd_main.c:379

(gdb) bt full

0 0x000000000040ac88 in get_smfnd (i_node_id=131343) at smfd_smfnd.c:102

    smfnd = 0x64656c69616620

1 0x000000000040b229 in smfnd_up (i_node_id=131343, i_smfnd_dest=564115946602536, i_rem_svc_pvt_ver=2 '\002') at smfd_smfnd.c:127

    rc = <optimized out>
    clmHandle = <optimized out>
    smfnd = <optimized out>
    newNode = false
    clmInfo = {nodeId = 24, nodeAddress = {family = (SA_CLM_AF_INET | SA_CLM_AF_INET6 | unknown: 32764), length = 10864, 
        value = "\005\232\377\177\000\000`\003m", '\000' <repeats 21 times>, "7\000\000\000\000\000\000\000`\003m\000\000\000\000\000\200\356\235G\001\177\000\000^cG\000\000\000\000\000\240*"}, nodeName = {_opaque = {32767, 0, 67, 
          0, 0, 0, 25356, 71, 0, 0, 0, 0, 0, 0, 23388, 18286, 32513, 0, 4, 0, 0, 0, 13196, 18910, 32513, 0, 32, 0, 48, 0, 11184, 39429, 32767, 0, 10944, 39429, 32767, 0, 27162, 18456, 32513, 0, 32, 0, 48, 0, 11184, 39429, 32767, 
          0, 10944, 39429, 32767, 0, 61264, 108, 0, 0, 13, 0, 0, 0, 35575, 18910, 32513, 0, 0, 0, 0, 0, 27604, 18456, 32513, 0, 25568, 106, 0, 0, 0, 0, 0, 0, 64694, 108, 0, 0, 27037, 18911, 32513, 0, 1, 0, 0, 0, 23890, 18911, 
          32513, 0, 39424, 64, 0, 256, 27037, 18911, 32513, 0, 14752, 18948, 32513, 0, 13423, 18911, 32513, 0, 0, 0, 1, 65488, 46048, 107, 0, 0, 14752, 18948, 32513, 0, 13423, 18911, 32513}}, member = (unknown: 6969232), 
      bootTimestamp = -13510794587144192, initialViewNumber = 7141712}

2 0x000000000040a3e5 in proc_mds_info (evt=<optimized out>, cb=<optimized out>) at smfd_evt.c:64

No locals.

3 smfd_process_mbx (mbx=<optimized out>) at smfd_evt.c:117

    evt = 0x6cf950

4 0x000000000040ab15 in main_process () at smfd_main.c:309

    ret = 1767990816
    term_fd = 15
    omHandle = 1803886395919
    error = 1767990816
    immVersion = {releaseCode = 65 'A', majorVersion = 2 '\002', minorVersion = 1 '\001'}
    rc = <optimized out>
    __FUNCTION__ = "main_process"

5 main (argc=<optimized out>, argv=<optimized out>) at smfd_main.c:379

0 0x00007f716345675d in write () from /lib64/libpthread.so.0

(gdb) bt

0 0x00007f716345675d in write () from /lib64/libpthread.so.0

1 0x00007f7163cae0da in nid_notify (service=0x4902ca "IMMND", status=2, error=0x0) at nid_api.c:81

2 0x000000000041fad0 in immnd_ackToNid (rc=<optimized out>) at immnd_proc.c:47

3 0x000000000041a060 in immnd_evt_proc_reset (sinfo=<optimized out>, evt=<optimized out>, cb=<optimized out>) at immnd_evt.c:8389

4 immnd_process_evt () at immnd_evt.c:680

5 0x000000000041a81f in main (argc=<optimized out>, argv=<optimized out>) at immnd_main.c:348

(gdb) bt full

0 0x00007f716345675d in write () from /lib64/libpthread.so.0

No symbol table info available.

1 0x00007f7163cae0da in nid_notify (service=0x4902ca "IMMND", status=2, error=0x0) at nid_api.c:81

    msg = "aab49daa:IMMND:2\000\000\000\000\060\000\000\000\220+W\361\377\177\000\000\240*W\361\377\177\000\000\032jEcq\177\000\000\070\a\311cq\177\000\000\060W\022dq\177\000\000\240*W\361\377\177\000\000y\340Q\006", '\000' <repeats 20 times>"\330, \320i", '\000' <repeats 13 times>"\360, \324i\000\000\000\000\000d", '\000' <repeats 15 times>, "x\\\361cq\177\000\000\005", '\000' <repeats 22 times>, "\001\235\211\313cq\177\000\000\070\a\311cq\177\000\000\360\324i\000\000\000\000\000\260\331l\000\000\000\000\000@\325i\000\000\000\000\000Ñ\235\005M\001\000\000ż\361cq\177\000\000\001", '\000' <repeats 23 times>, "\002"
    fd = 17
    retry = 3
    strbuff = "\000\000\000\000\005\000\000\000\245\000\000\000\001\000\000\000\231&\000\000\000\000\000\000 \205\022dq\177\000\000\320*W\361\377\177\000\000\230*W\361\377\177\000\000\270Å\234\000\000\000\000\200*W\361\377\177\000\000È\022dq\177\000\000\303\034\361cq\177", '\000' <repeats 18 times>, "\005\000\000\000q\177\000\000\000\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000È\022dq\177\000\000\245<W\361\377\177\000\000\a\000\000\000\000\000\000\000\302<W\361\377\177\000\000\000\000\000\000\000\000\000\000p\375l\000\001", '\000' <repeats 11 times>, " \205\022dq\177\000\000\000+W\361\377\177\000\000\355\031@", '\000' <repeats 13 times>, "X\305G\000\000\000\000\000\200*W\361\377\177\000\000\231&\000\000\000\000\000\000\000iG\000\000\000\000\000d\000\000\000\000\000\000\000"...

2 0x000000000041fad0 in immnd_ackToNid (rc=<optimized out>) at immnd_proc.c:47

No locals.

3 0x000000000041a060 in immnd_evt_proc_reset (sinfo=<optimized out>, evt=<optimized out>, cb=<optimized out>) at immnd_evt.c:8389

    __FUNCTION__ = "immnd_evt_proc_reset"

4 immnd_process_evt () at immnd_evt.c:680

    cb = 0x69d540 <_immnd_cb>
    rc = 16
   evt = 0x6cd9b0
    __FUNCTION__ = "immnd_process_evt"

5 0x000000000041a81f in main (argc=<optimized out>, argv=<optimized out>) at immnd_main.c:348

    wasCoord = 0 '\000'
    passed_time = <optimized out>
    ret = <optimized out>
    mbx_fd = <optimized out>
    error = <optimized out>
    timeout = 100
    eventCount = 0
    maxEvt = 50
    start_time = 1430318318545
    fds = {{fd = 16, events = 1, revents = 0}, {fd = 14, events = 1, revents = 0}, {fd = 12, events = 1, revents = 1}}
    term_fd = 16
    __FUNCTION__ = "main"

(gdb)

Related

Tickets: #1358
Wiki: ChangeLog-4.6.1

Discussion

  • Anders Widell

    Anders Widell - 2015-04-30

    The following code can call free() on memory that belongs to a node still held in a linked list:

        if (smfnd == NULL) {
                    TRACE("New node Id, create new SmfndNodeT structure");
                    smfnd = calloc(1, sizeof(SmfndNodeT));
                    if (smfnd == NULL) {
                            LOG_ER("alloc of SmfndNodeT failed");
                            pthread_mutex_unlock(&smfnd_list_lock);
                            return NCSCC_RC_FAILURE;
                    }
                    newNode = true;
        }
    
        /* Find Clm info about the node */
        rc = saClmInitialize(&clmHandle, NULL, &clmVersion);
        if (rc != SA_AIS_OK) {
            LOG_ER("saClmInitialize failed, rc=%s", saf_error(rc));
            free(smfnd);
            pthread_mutex_unlock(&smfnd_list_lock);
            return NCSCC_RC_FAILURE;
        }
    

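    The free(smfnd) call should only be done when newNode == true, i.e. when smfnd was allocated by the calloc() above (for example: if (newNode) free(smfnd);). Otherwise smfnd refers to an entry that is still linked into the list, and freeing it leaves a dangling pointer that a later list lookup will dereference (use-after-free). This is consistent with the core dump: the smfnd value in frame 0 of get_smfnd, 0x64656c69616620, is the little-endian ASCII text " failed", which suggests the freed node's memory had already been reused for string data.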

     
  • Ingvar Bergström

    • status: unassigned --> accepted
    • assigned_to: Ingvar Bergström
    • Version: 4.7 --> 4.6.0
    • Milestone: 4.7-Tentative --> 4.6.1
     
  • Ingvar Bergström

    • status: accepted --> review
     
  • Ingvar Bergström

    changeset: 6505:d9c77680a878
    branch: opensaf-4.6.x
    parent: 6503:d5bcc9a763ef
    user: Ingvar Bergstrom ingvar.bergstrom@ericsson.com
    date: Thu Apr 30 13:13:07 2015 +0200
    summary: smfd: free SmfndNodeT pointer correctly at UP event and saClmInitialize() fail [#1358]

    changeset: 6506:a0172a813a9e
    tag: tip
    parent: 6504:9bd7a6f5645b
    user: Ingvar Bergstrom ingvar.bergstrom@ericsson.com
    date: Thu Apr 30 13:13:07 2015 +0200
    summary: smfd: free SmfndNodeT pointer correctly at UP event and saClmInitialize() fail [#1358]

     

    Related

    Tickets: #1358

  • Ingvar Bergström

    • status: review --> fixed
     
