OpenSolaris

Bug ID: 6735303
Synopsis: meta_*_check_component frees random memory
State: 10-Fix Delivered (Fix available in build)
Category:Subcategory: utility:cmd-svm
Keywords: rtiq_regression
Responsible Engineer: Peter Dennis
Reported Against:
Duplicate Of:
Introduced In: solaris_nevada
Commit to Fix: snv_101
Fixed In: snv_101
Release Fixed: solaris_nevada(snv_101), solaris_10u7(s10u7_02) (Bug ID:2169294)
Related Bugs: 6480431
Submit Date: 8-August-2008
Last Update Date: 22-October-2008
Description
In TSlvm, I got the following failure in DEVID/nodev_and_movement:

=== 06:30 NOTE: 8.2.1.22 Deregistering device IDs for all td devices associated with disk1
=== 06:30 NOTE: 8.2.1.23 Swapping device IDs between td devices associated with disk2 and those associated with disk5
=== 06:30 NOTE: /opt/TSdrvs/td/tddevidadmin -s /dev/td/dsk/d7s0 /dev/td/dsk/d8s0
Device name: /dev/td/dsk/d7s0  Device Id: id1,td@Etd0008-ndecade80babeabba000000040000
Device name: /dev/td/dsk/d8s0  Device Id: id1,td@Etd0007-ndecade80babeabba000000030000
...
=== 06:30 NOTE: 8.2.1.24 Will determine which td devices should be associated with which metadevices individually for each device during 8.2.1.26-8.2.1.29
=== 06:30 NOTE: 8.2.1.25 Restarting SVM
=== 06:30 PASS: /usr/sbin/metainit -r
=== 06:30 PASS: /usr/sbin/metasync -r
metastat: Segmentation Fault
Segmentation Fault - core dumped
...
=== 06:30 FAIL: core file found


The core file analysis shows the following:

> $c
libc.so.1`_free_unlocked+0x23(11c, ffffffff, bfe2e000, 8047618, bfda2cab, 11c)
libc.so.1`free+0x3b(11c)
libmeta.so.1`Free+0x1b(11c)
libmeta.so.1`meta_raid_check_component+0x327(8067518, 807cbd8, 6, 11c, 8047890)
libmeta.so.1`meta_fix_compnames+0xca(8067518, 807cbd8, 6, 11c, 8047890)
libmeta.so.1`meta_getdevs+0x2d2(8067518, 807cbd8, 80478c8, 8047890)
libmeta.so.1`meta_getalldevs+0x2e3(8067518, 80478c8, 0, 8047890)
print_specific_set+0xe3(8067518, 184, 0, 0)
main+0x38d(1, 8047990, 8047998)
_start+0x7a(1, 8047aac, 0, 8047abf, 8047b5d, 8047b7c)


meta_raid_check_component+0x322 is the first of the series of four Free's after out:; this indicates that the value for pname is invalid.  It is initialised only in conditional code (l. 2871), and apparently it happened that the condition was not satisfied in any iteration of the loop, or we did not iterate the loop at all (see l. 2821 and similar).

   2781 meta_raid_check_component(
...
   2786 )
   2787 {
...
   2795 	char	*pname, *t;
...
   2818 	if (metaioctl(MD_IOCGET_DEVS, &mgd, &mgd.mde, np->cname) != 0) {
...
   2821 		goto out;
   2822 	} else if (mgd.cnt <= 0) {
...
   2825 		goto out;
   2826 	}
...
   2846 	for (i = 0; i < raid->orig_ncol; i++) {
...
   2850 		if (mydevs == mydev[i]) {
...
   2857 			if (compnp->dev != meta_getminor(mydev[i])) {
...
   2871 				pname = Zalloc((len - strlen(t)) + 1);
...
   2880 			}
...
   2883 		} /* End of if (mydevs == mydev[i]) */
   2884 	} /* end of for loop */
   2885 out:
   2886 	if (pname != NULL)
   2887 		Free(pname);
...
   2895 }

The variables ctd_name and devname and the functions meta_sp_check_component and meta_stripe_check_component suffer from the same problem.

The functions meta_*_check_component have been introduced with the putback for 6480431.
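
The goto-out cleanup described above, as an added example (not libmeta code and not the fix delivered in snv_101): every pointer released at out: starts as NULL, so the early exit and the loop that never matches both skip the free. The names xdup, xfree, check_component, the live_allocs counter and the device strings are constructed for illustration, and NULL initialisation is assumed as the remedy.

```c
#include <stdlib.h>
#include <string.h>

static int live_allocs;	/* constructed counter: allocations not yet freed */

/* Hypothetical stand-in for Zalloc() followed by a copy. */
static char *xdup(const char *s)
{
	char *p = calloc(1, strlen(s) + 1);
	if (p == NULL)
		abort();
	live_allocs++;
	return (strcpy(p, s));
}

/* Hypothetical stand-in for libmeta's Free(). */
static void xfree(char *p)
{
	live_allocs--;
	free(p);
}

/* Returns 1 if `want` is among cols, 0 if not, -1 on the early exit. */
int check_component(const char *const *cols, int ncol, const char *want)
{
	/* l. 2795 declares "char *pname, *t;" with no initialiser. */
	char	*pname = NULL, *ctd_name = NULL, *devname = NULL;
	int	i, rval = 0;

	if (ncol <= 0) {	/* models the mgd.cnt <= 0 branch, l. 2822 */
		rval = -1;
		goto out;	/* reaches out: before any allocation */
	}
	for (i = 0; i < ncol; i++) {
		if (strcmp(cols[i], want) != 0)
			continue;	/* the condition may never hold */
		pname = xdup(cols[i]);
		ctd_name = xdup("c0t0d0s0");		/* constructed */
		devname = xdup("/dev/dsk/c0t0d0s0");	/* constructed */
		rval = 1;
		break;
	}
out:
	if (pname != NULL)
		xfree(pname);
	if (ctd_name != NULL)
		xfree(ctd_name);
	if (devname != NULL)
		xfree(devname);
	return (rval);
}
```

Building with -Wall -Wextra (gcc: -Wmaybe-uninitialized, clang: -Wsometimes-uninitialized) or running the test suite under a memory checker flags the uninitialised form of this pattern before it reaches a free().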
Work Around
N/A
Comments
N/A