
touch-packages team mailing list archive

[Bug 1447756] Re: segfault in log.c code causes phone reboot loops

 

I think I see a potential problem if 'initctl notify-disk-writeable' is
called multiple times.  The log_clear_unflushed() function walks the
log_unflushed_files list, attempting to flush each of the logs and
freeing them when done with nih_free().  But as far as I know,
nih_free() will not cause the element to be removed from the
log_unflushed_files list, so if this function is ever called a second
time it looks to me that it will re-process the list, traversing freed
memory with undefined results.

We can't see anything in the official Ubuntu rootfs that would account
for this function being called more than once.  On the other hand, we
also haven't seen this reproduced on any devices other than those
installed in the factory, so it could be that an error has crept in
there.

We can try to produce a patch to upstart to fix this bug, to see if it
fixes the segfault for those who are seeing it.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to upstart in Ubuntu.
https://bugs.launchpad.net/bugs/1447756

Title:
  segfault in log.c code causes phone reboot loops

Status in the base for Ubuntu mobile products:
  Confirmed
Status in upstart package in Ubuntu:
  Confirmed

Bug description:
  We recently started getting reports from phone users that their
  devices go into a reboot loop after changing the language or getting
  an OTA upgrade (either of which ends with a reboot of the phone)

  after a bit of research we collected the log at
  http://pastebin.ubuntu.com/10872934/

  this shows a segfault of upstart's init binary in the log.c code:

  [    6.999083]init: log.c:819: Assertion failed in log_clear_unflushed: log->unflushed->len
  [    7.000279]init: Caught abort, core dumped
  [    7.467176]Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000600

To manage notifications about this bug go to:
https://bugs.launchpad.net/canonical-devices-system-image/+bug/1447756/+subscriptions
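
The message above suspects that entries are freed while still reachable from the list head, so a second call walks freed memory. The following is an added C example of that pattern's fix; it is not upstart's code and not part of the original message. `struct entry`, `list_add` and `clear_unflushed` are hypothetical names, and the list is a plain circular doubly linked list, not libnih's. Each entry is unlinked before it is freed, which makes a repeated call a no-op.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for one entry on an "unflushed logs" list. */
struct entry {
    struct entry *prev, *next;   /* circular doubly linked list links */
    char *buf;                   /* pending data, owned by the entry */
    size_t len;
};

static void list_init(struct entry *head) { head->prev = head->next = head; }

static int list_add(struct entry *head, const char *data) {
    struct entry *e = calloc(1, sizeof *e);
    if (!e) return -1;
    e->len = strlen(data);
    e->buf = malloc(e->len + 1);
    if (!e->buf) { free(e); return -1; }
    memcpy(e->buf, data, e->len + 1);
    e->prev = head->prev; e->next = head;      /* append at the tail */
    head->prev->next = e; head->prev = e;
    return 0;
}

/* Flush and release every entry; returns how many were released. */
static int clear_unflushed(struct entry *head, FILE *out) {
    int released = 0;
    for (struct entry *e = head->next, *next; e != head; e = next) {
        next = e->next;                  /* read the link before e is freed */
        if (e->len > 0)                  /* tolerate an empty buffer */
            fwrite(e->buf, 1, e->len, out);
        e->prev->next = e->next;         /* unlink first, so the head never */
        e->next->prev = e->prev;         /* points at freed memory          */
        free(e->buf);
        free(e);
        released++;
    }
    return released;
}

int main(void) {
    struct entry head;
    list_init(&head);
    list_add(&head, "job-a: started\n");   /* constructed sample data */
    list_add(&head, "job-b: started\n");
    printf("first call released %d\n", clear_unflushed(&head, stdout));
    printf("second call released %d\n", clear_unflushed(&head, stdout));
    return 0;
}
```

Without the two unlink assignments the first call would leave `head->next` pointing at freed memory, and the second call would dereference it.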

