#2502 SFCB core dump in 1.3.14 at providerDrv.c:3019

Stability
pending-fixed
sfcb (1090)
5
2014-08-13
2012-07-20
No

SFCB core dump was seen in sfcb-1.3.14 while doing an EI on CIM_IndicationFilter.

Here is the approximate series of steps that led to this issue:

1. EI --> IBM_HWCtrlPoint
2. createindicationsubscriptions_fsp
3. createindicationsubscriptions_psm
4. createindicationsubscriptions_led
5. createindicationsubscriptions_ip
6. EI --> CIM_IndicationFilter

Here is the backtrace from the core file:

CORE DUMP TRACES:

(gdb) bt
**NOTE: debug frames are hidden in bt display**
#0 0x0fc335a0 in *__GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1 0x0fc34cec in *__GI_abort () at abort.c:88
#2 0x0fc75454 in malloc_printerr (action=2, str=0xfd49de0 "free(): invalid pointer", ptr=0x0) at malloc.c:5621
#3 0x0fc76dc0 in *__GI___libc_free (mem=0x0) at malloc.c:3419
#4 0x0ff48bc4 in processProviderInvocationRequestsThread (prms=0x10021478) at providerDrv.c:3019
#5 0x0fd83aec in start_thread (arg=<value optimized out>) at pthread_create.c:308
#6 0x0fcd28fc in clone () from /opt/mcp/ppcnf/crossroot/lib/libc.so.6

(gdb) p resp->count
$1 = 1

(gdb) p req->operation
$2 = 20

(gdb) p resp->object[i]
$3 = {data = 0xff60eac, type = 1, length = 1}

(gdb) p resp->object[i].data
$4 = (void *) 0xff60eac

(gdb) p i
$5 = 0

3013 /* SF:2727918, Bugzilla:51733 - memory leak fix */
3014 #ifdef HAVE_QUALREP
3015 if ((req->operation == OPS_GetQualifier)
3016 || (req->operation == OPS_EnumerateQualifiers)) {
3017 for (i = 0; i < resp->count; i++) {
3018 if (resp->object[i].data) {
3019 free(resp->object[i].data); <-- Crash seen here!
3020 resp->object[i].data = NULL;
3021 }
3022 }
3023 }

Discussion

  • Dave Heller

    Dave Heller - 2012-07-21

    There is a bug in providerDrv.c where the QualifierProvider process will crash on any GetQualifier query for an unknown qualifier. This is reproducible with a cimcli query like: cimcli -n root/cimv2 gq SomeUnknownQualifier, or by sending an unknown qualifier in test xml like getQualifier.xml.

    This appears to be a regression from SF:2727918. That patch prevents a memory leak by freeing the message buffer after return from the qualifierProvider, but it should not do the free in the case of NOT_FOUND. The fix is to ensure the free is called only upon successful return from qualifierProvider.

    The backtrace looks similar to the one here. Please see if the attached patch fixes the problem.

    ===================================================================
    RCS file: /cvsroot/sblim/sfcb/providerDrv.c,v
    retrieving revision 1.118
    diff -a -u -p -U4 -r1.118 providerDrv.c
    --- providerDrv.c 3 Jul 2012 02:03:02 -0000 1.118
    +++ providerDrv.c 21 Jul 2012 22:37:23 -0000
    @@ -3017,9 +3017,10 @@ static void *processProviderInvocationRe
    #ifdef HAVE_QUALREP
    if ((req->operation == OPS_GetQualifier)
    || (req->operation == OPS_EnumerateQualifiers)) {
    for (i = 0; i < resp->count; i++) {
    - if (resp->object[i].data) {
    + /* SF:3546279 - only free on successful return */
    + if (resp->object[i].data && resp->object[i].type == MSG_SEG_QUALIFIER) {
    free(resp->object[i].data);
    resp->object[i].data = NULL;
    }
    }
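    Review bot: The comment on the added `+` line says "only free on successful return", but the condition tests `resp->object[i].type == MSG_SEG_QUALIFIER`, not the provider's return status, so the comment and the code describe different things; either reword the comment to "only free heap-allocated qualifier segments" or make the check also depend on the response rc so intent and code match. The fix also rests on MSG_SEG_QUALIFIER being set only for segments whose data the qualifier provider heap-allocated: the gdb output above shows `type = 1` for the segment that crashed and the numeric value of MSG_SEG_QUALIFIER is not visible here, so it is worth confirming that the NOT_FOUND segment carries a different type, and that whatever its data points at is released elsewhere so the SF:2727918 leak does not come back on the error path.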

     
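The ownership problem behind this report, as an added illustration that is not sfcb's code: a response carries tagged segments, a NOT_FOUND reply points at static storage rather than heap memory, and the cleanup loop frees only the segments the provider actually allocated. The enum, struct and function names (SEG_QUALIFIER, get_qualifier, release_qualifier_segments) are hypothetical stand-ins, since sfcb's real definitions are not shown on this page.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for sfcb's message segment types; the real
 * definitions (e.g. MSG_SEG_QUALIFIER) are not shown on the page. */
enum seg_type { SEG_STATUS = 1, SEG_QUALIFIER = 2 };

struct seg { void *data; int type; unsigned length; };
struct response { int count; struct seg object[4]; };

/* Constructed error status; it lives in static storage, so free() on it aborts. */
static const char NOT_FOUND_STATUS[] = "CIM_ERR_NOT_FOUND";

/* Toy qualifier lookup: a hit returns a heap copy tagged SEG_QUALIFIER,
 * a miss returns a pointer to the static status string tagged SEG_STATUS. */
static int get_qualifier(const char *name, struct response *resp) {
    resp->count = 1;
    if (strcmp(name, "Description") == 0) {
        const char *val = "Description qualifier";
        size_t n = strlen(val) + 1;
        resp->object[0].data = malloc(n);
        memcpy(resp->object[0].data, val, n);
        resp->object[0].type = SEG_QUALIFIER;
        resp->object[0].length = (unsigned)n;
        return 0;
    }
    resp->object[0].data = (void *)NOT_FOUND_STATUS;
    resp->object[0].type = SEG_STATUS;
    resp->object[0].length = sizeof NOT_FOUND_STATUS;
    return 6; /* CIM_ERR_NOT_FOUND */
}

/* Cleanup in the shape of the patched loop: free only segments the provider
 * heap-allocated. The SF:2727918 version freed every non-NULL data pointer,
 * which is the "free(): invalid pointer" abort in the report.
 * Returns the number of segments freed. */
static int release_qualifier_segments(struct response *resp) {
    int freed = 0;
    for (int i = 0; i < resp->count; i++) {
        if (resp->object[i].data && resp->object[i].type == SEG_QUALIFIER) {
            free(resp->object[i].data);
            resp->object[i].data = NULL;
            freed++;
        }
    }
    return freed;
}
```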
  • Dave Heller

    Dave Heller - 2012-07-31

    Hi, any update? Are you able to verify the patch? Thx.

     
  • Dave Heller

    Dave Heller - 2012-08-07

    Hi Sarabjit, are you able to verify the patch? Thx.

     
  • Sarabjit S Saini

    We have not seen this issue till now in our local testing with this fix.
    I think the code changes are definitely good to have & can be committed.

     
  • Dave Heller

    Dave Heller - 2012-08-08

    Thank you, Sarabjit. Also thanks to mchasal for assistance in troubleshooting.

    This bug is dup of LTC 83502.

     
  • Dave Heller

    Dave Heller - 2012-08-08

    Committed to CVS HEAD and git master.

     
  • Chris Buccella

    Chris Buccella - 2012-11-20
    • assigned_to: buccella --> hellerda
    • status: open --> pending-fixed
     
