Ubuntu
nfs-utils package

Merge ~ahasenack/ubuntu/+source/nfs-utils:jammy-blkmapd-invalid-free into ubuntu/+source/nfs-utils:ubuntu/jammy-devel

  1. Git
  2. lp:~ahasenack/ubuntu/+source/nfs-utils
  3. jammy-blkmapd-invalid-free
  4. Merge into ubuntu/jammy-devel
Proposed by Andreas Hasenack
Status: Merged
Approved by: git-ubuntu bot
Approved revision: not available
Merged at revision: d4d78b2c0bfe3cfcc8caf3affcf97b73cdec25fa
Proposed branch: ~ahasenack/ubuntu/+source/nfs-utils:jammy-blkmapd-invalid-free
Merge into: ubuntu/+source/nfs-utils:ubuntu/jammy-devel
Diff against target: 69 lines (+47/-0)
3 files modified
debian/changelog (+7/-0)
debian/patches/blkmapd-fix-invalid-free.patch (+39/-0)
debian/patches/series (+1/-0)
Reviewer Review Type Date Requested Status
git-ubuntu bot Approve
Bryce Harrington (community) Approve
Canonical Server Reporter Pending
Review via email: mp+431927@code.launchpad.net

Description of the change

Fix for a core dump in blkmapd. The linked SRU bug has testing instructions.

I haven't heard back from upstream yet, maybe the final commit will be different. I'll evaluate if/when that happens, and submit to debian.

Once LL is open, I'll propose the fix there too, and then proceed with the SRU.

PPA: https://launchpad.net/~ahasenack/+archive/ubuntu/blkmapd-invalid-free

To post a comment you must log in.
Revision history for this message
Bryce Harrington (bryce) wrote :

Results: (from http://autopkgtest.ubuntu.com/results/autopkgtest-jammy-ahasenack-blkmapd-invalid-free/?format=plain)
  nfs-utils @ amd64:
    20.10.22 18:51:48 Log 🗒️ ✅ Triggers: nfs-utils/1:2.6.1-1ubuntu1.2~ppa1
    20.10.22 23:22:57 Log 🗒️ ✅ Triggers: nfs-utils/1:2.6.1-1ubuntu1.2~ppa1
  nfs-utils @ arm64:
    20.10.22 23:30:06 Log 🗒️ ✅ Triggers: nfs-utils/1:2.6.1-1ubuntu1.2~ppa1
  nfs-utils @ armhf:
    20.10.22 23:12:11 Log 🗒️ ✅ Triggers: nfs-utils/1:2.6.1-1ubuntu1.2~ppa1
  nfs-utils @ ppc64el:
    20.10.22 23:22:27 Log 🗒️ ✅ Triggers: nfs-utils/1:2.6.1-1ubuntu1.2~ppa1
    20.10.22 23:25:51 Log 🗒️ ✅ Triggers: nfs-utils/1:2.6.1-1ubuntu1.2~ppa1
  nfs-utils @ s390x:
    20.10.22 23:18:30 Log 🗒️ ✅ Triggers: nfs-utils/1:2.6.1-1ubuntu1.2~ppa1

It's interesting that this reports a core dump has occurred, yet I'm not spotting a stack trace in any of the comments. Despite that, looks like the discussion went through some thorough debugging to find the root cause of the error.

Looks like the serial memory gets initialized with:

 struct bl_serial {
     int len;
     char *data;
 };

 struct bl_serial *serial = NULL;
        ...
 serial = bldev_read_serial(fd, filepath);

The object itself seems to be created with this:

    static struct bl_serial *bl_create_scsi_string(int len, const char *bytes)
    {
        struct bl_serial *s;

        s = malloc(sizeof(*s) + len);
        if (s) {
                s->data = (char *)&s[1];
                s->len = len;
                memcpy(s->data, bytes, len);
        }
        return s;
    }

Indeed that is malloc'ing the entire bl_serial structure, and not alloc'ing serial->data separately. So yes confirmed this needs only the one free. And this matches to what you've written in the SRU [Impact].

LGTM, +1

Just as a nitpick, I would suggest mentioning in the changelog the text of the error associated with the crash, i.e. "nfs-blkmap.service: Failed with result 'core-dump'." so users can more easily identify what this fixes. Maybe even mention that it occurs with SCSI devices.

Oh, also in the [Where problems could occur] section, in general whenever I have C code and in particular with C code that does memory alloc, I mention memory leaks and segfaults as other types of regressions to watch for. Gotta love pointers. &(<3)

review: Approve
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

> It's interesting that this reports a core dump has occurred, yet I'm not spotting a stack trace
> in any of the comments.

The coredump is in this crash file: https://bugs.launchpad.net/ubuntu/+source/nfs-utils/+bug/1979885/comments/27

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

I updated the "Where problems could occur" section, good call. Nasty pointers. On the changelog, I think I'll leave it. It mentions the service and that it crashes.

Revision history for this message
git-ubuntu bot (git-ubuntu-bot) wrote :

Approvers: ahasenack, bryce
Uploaders: ahasenack, bryce
MP auto-approved

review: Approve
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

lunar isn't open yet, but it exists, and can be uploaded to (unapproved, though), which I did. I'll now proceed with this SRU.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Uploaded:

Uploading nfs-utils_2.6.1-1ubuntu1.2.dsc
Uploading nfs-utils_2.6.1-1ubuntu1.2.debian.tar.xz
Uploading nfs-utils_2.6.1-1ubuntu1.2_source.buildinfo
Uploading nfs-utils_2.6.1-1ubuntu1.2_source.changes

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/debian/changelog b/debian/changelog
2index 92e7b2e..49ab19f 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,10 @@
6+nfs-utils (1:2.6.1-1ubuntu1.2) jammy; urgency=medium
7+
8+ * d/p/blkmapd-fix-invalid-free.patch: fix blkmapd crash due to invalid
9+ free() (LP: #1979885)
10+
11+ -- Andreas Hasenack <andreas@canonical.com> Thu, 20 Oct 2022 11:50:13 -0300
12+
13 nfs-utils (1:2.6.1-1ubuntu1.1) jammy; urgency=medium
14
15 * rpc.svcgssd fixes and improvements (LP: #1977745):
16diff --git a/debian/patches/blkmapd-fix-invalid-free.patch b/debian/patches/blkmapd-fix-invalid-free.patch
17new file mode 100644
18index 0000000..bdcdc19
19--- /dev/null
20+++ b/debian/patches/blkmapd-fix-invalid-free.patch
21@@ -0,0 +1,39 @@
22+Description: remove invalid free() call
23+ The data pointer is not allocated separatedly, it's the struct that needs to
24+ be free()ed.
25+ Originally reported by lixiaokeng via
26+ https://www.spinics.net/lists/linux-nfs/msg87598.html with a slightly different
27+ fix proposal.
28+Author: Andreas Hasenack <andreas@canonical.com>
29+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1022185
30+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/nfs-utils/+bug/1979885
31+Forwarded: https://lore.kernel.org/linux-nfs/CANYNYEG=utJ2pe+FtMWh8O+dz63R2wbzOC7ZVrvoqD=U04WL5g@mail.gmail.com/T/#u
32+Last-Update: 2022-10-20
33+diff --git a/utils/blkmapd/device-discovery.c b/utils/blkmapd/device-discovery.c
34+index 2736ac89..b3786a1f 100644
35+--- a/utils/blkmapd/device-discovery.c
36++++ b/utils/blkmapd/device-discovery.c
37+@@ -188,7 +188,6 @@ static void bl_add_disk(char *filepath)
38+
39+ if (disk && diskpath) {
40+ if (serial) {
41+- free(serial->data);
42+ free(serial);
43+ }
44+ return;
45+@@ -229,7 +228,6 @@ static void bl_add_disk(char *filepath)
46+ disk->valid_path = path;
47+ }
48+ if (serial) {
49+- free(serial->data);
50+ free(serial);
51+ }
52+ }
53+@@ -242,7 +240,6 @@ static void bl_add_disk(char *filepath)
54+ free(path);
55+ }
56+ if (serial) {
57+- free(serial->data);
58+ free(serial);
59+ }
60+ return;
61diff --git a/debian/patches/series b/debian/patches/series
62index 5626161..8d52ce0 100644
63--- a/debian/patches/series
64+++ b/debian/patches/series
65@@ -8,3 +8,4 @@ svcgssd-fix-use-after-free.patch
66 svcgssd-display-principal-if-set.patch
67 svcgssd-document-missing-options.patch
68 nfs-conf-manpage-missing-svcgssd-options.patch
69+blkmapd-fix-invalid-free.patch

Subscribers

People subscribed via source and target branches