multipathd coredump when calling resizing.

From: "Eli Qiao(Li Yong Qiao)" <taget@linux.vnet.ibm.com>
To: dm-devel@redhat.com
Subject: multipathd coredump when calling resizing.
Date: Mon, 17 Jun 2013 11:34:42 +0800	[thread overview]
Message-ID: <51BE83D2.4020004@linux.vnet.ibm.com> (raw)

hi all:

I got a coredump when I ran multipathd -k resize multipath $mypath

looked at the core trace(version is 0.4.9-64):

(gdb) frame 0
#0 cli_resize (v=<value optimized out>, reply=<value optimized out>,
len=<value optimized out>, data=0x18b2ef0) at cli_handlers.c:539
539 pp = VECTOR_SLOT(pgp->paths, 0);
(gdb) l
534 condlog(0, "%s: invalid map name. cannot resize", mapname);
535 return 1;
536 }
537
538 pgp = VECTOR_SLOT(mpp->pg, 0);
539 pp = VECTOR_SLOT(pgp->paths, 0);
540 if (sysfs_get_size(pp->sysdev, &size)) {
541 condlog(0, "%s: couldn't get size for sysfs. cannot resize",
542 mapname);
543 return 1;
(gdb) p mpp->pg
$1 = (vector) 0x0
(gdb) p *mpp
$2 = {
wwid = "36005076802808159ac", '0' <repeats 12 times>, "98", '\000'
<repeats 94 times>, alias_old = '\000' <repeats 127 times>, pgpolicy = 4,
pgpolicyfn = 0x7f96df3d1610 <group_by_prio>, nextpg = 0, bestpg = 1,
queuedio = 0,
action = 1, pgfailback = -2, failback_tick = 0, rr_weight = 1, nr_active
= 0,
no_path_retry = 5, retry_tick = 149, minio = 1, pg_timeout = 0,
flush_on_last_del = 0, attribute_flags = 0, fast_io_fail = 0,
retain_hwhandler = 1,
dev_loss = 0, uid = 0, gid = 0, mode = 0, size = 33554432, paths = 0x0,
pg = 0x0,
params = "1 queue_if_no_path 0 0 0 \000ound-robin 0 1 1 66:208
1\000\066\066:176 1\000in 0 2 1 66:208 1 66:176 1\000\066\066:176 1 ",
'\000' <repeats 926 times>,
status = "2 0 0 0 0 0 \000 0 2 0 66:192 F 1 66:160 F 1 E 0 2 0 66:208 F
1 66:176 F 1 ", '\000' <repeats 951 times>, dmi = 0x7f96c8025200,
alias = 0x7f96c8071590 "36005076802808159ac", '0' <repeats 12 times>, "98",
selector = 0x18ad500 "round-robin 0", features = 0x7f96d8002180 "1
queue_if_no_path",
hwhandler = 0x7f96d8002990 "0", mpe = 0x0, hwe = 0x18ad3a0, waiter =
0x7f96c80217f0,
stat_switchgroup = 0, stat_path_failures = 4, stat_map_loads = 5,
stat_total_queueing_time = 152, stat_queueing_timeouts = 1, mpcontext =
0x0,
reservation_key = 0x0, prflag = 0 '\000'}
(gdb)

for some reason, paths = 0x0, pg = 0x0,
multipathd didn't check these values before using it.
when try to call VECTOR_SLOT, access null pointer , it core dumped.

538 pgp = VECTOR_SLOT(mpp->pg, 0);
539 pp = VECTOR_SLOT(pgp->paths, 0);

(gdb) p pgp
$3 = (struct pathgroup *) 0x0

when try to access pgp->paths, we got a core dump.

we need to check the value before calling the member of pgp.

any thought ?

I go though the latest upsteam code, pp->udev is checked.

pgp = VECTOR_SLOT(mpp->pg, 0);
pp = VECTOR_SLOT(pgp->paths, 0);
if (!pp->udev || sysfs_get_size(pp, &size)) {
condlog(0, "%s: couldn't get size for sysfs. cannot resize",
mapname);
return 1;
}

this is not enough , we need to check

pgp , and pp

I will send a path to fix it. thanks.

-- 
Thanks Eli.(Li Yong Qiao/qiaoly@cn.ibm.com Chinese Name:乔立勇)
LTC, Chian CSTL

--
dm-devel mailing list
dm-devel@redhat.com
https://www.redhat.com/mailman/listinfo/dm-devel