Your message dated Thu, 12 Jun 2014 19:17:05 +0000
with message-id <[email protected]>
and subject line Bug#691528: fixed in unbound 1.4.17-3+deb7u1
has caused the Debian Bug report #691528,
regarding unbound crashes under high query load if num-threads > 1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
691528: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691528
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: unbound
Version: 1.4.18-1
Severity: normal
Tags: upstream patch

Unbound crashes under high query load (while doing DNSSEC validation)
if "num-threads" configuration setting is higher than 1.

A simple workaround is to reduce the number of threads to 1 (which is
the default).

There is a gdb backtrace of the crash at:

https://unbound.net/pipermail/unbound-users/2012-October/002653.html

A detailed description of the problem is available at:

https://unbound.net/pipermail/unbound-users/2012-September/002571.html

There is a patch included at the end of that message. I am also
attaching it to this bug report.

The fix is committed in the Unbound SVN repository at r2733. It will be
included in the next Unbound version.

I have also filed an Ubuntu bug report at:

https://bugs.launchpad.net/ubuntu/+source/unbound/+bug/1070247


-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages unbound depends on:
ii  adduser         3.113+nmu3
ii  libc6           2.13-35
ii  libevent-2.0-5  2.0.19-stable-3
ii  libgcc1         1:4.7.2-4
ii  libldns1        1.6.13-3
ii  libpython2.7    2.7.3-5
ii  libssl1.0.0     1.0.1c-4
ii  openssl         1.0.1c-4
ii  unbound-anchor  1.4.18-1

unbound recommends no packages.

unbound suggests no packages.

-- Configuration Files:
/etc/unbound/unbound.conf changed:
server:
    # The following line will configure unbound to perform cryptographic
    # DNSSEC validation using the root trust anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    num-threads: 2


-- no debconf information
Index: daemon/daemon.c
===================================================================
--- daemon/daemon.c	(revision 2732)
+++ daemon/daemon.c	(revision 2733)
@@ -209,6 +209,10 @@
 	comp_meth = (void*)SSL_COMP_get_compression_methods();
 #  endif
 	(void)SSL_library_init();
+#  if defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED)
+	if(!ub_openssl_lock_init())
+		fatal_exit("could not init openssl locks");
+#  endif
 #elif defined(HAVE_NSS)
 	if(NSS_NoDB_Init(NULL) != SECSuccess)
 		fatal_exit("could not init NSS");
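Review bot: the guard on the new call in this hunk, `defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED)`, is stricter than the one around the function bodies in util/net_help.c, which test only `OPENSSL_THREADS`. Use the same condition in both places (or a single helper macro) so a THREADS_DISABLED build does not compile the lock array code and the two sites cannot drift apart.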
@@ -568,6 +572,9 @@
 	ERR_remove_state(0);
 	ERR_free_strings();
 	RAND_cleanup();
+#  if defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED)
+	ub_openssl_lock_delete();
+#  endif
 #elif defined(HAVE_NSS)
 	NSS_Shutdown();
 #endif /* HAVE_SSL or HAVE_NSS */
Index: util/net_help.c
===================================================================
--- util/net_help.c	(revision 2732)
+++ util/net_help.c	(revision 2733)
@@ -725,3 +725,54 @@
 	return NULL;
 #endif
 }
+
+/** global lock list for openssl locks */
+static lock_basic_t *ub_openssl_locks = NULL;
+
+/** callback that gets thread id for openssl */
+static unsigned long
+ub_crypto_id_cb(void)
+{
+	return (unsigned long)ub_thread_self();
+}
+
+static void
+ub_crypto_lock_cb(int mode, int type, const char *ATTR_UNUSED(file),
+	int ATTR_UNUSED(line))
+{
+	if((mode&CRYPTO_LOCK)) {
+		lock_basic_lock(&ub_openssl_locks[type]);
+	} else {
+		lock_basic_unlock(&ub_openssl_locks[type]);
+	}
+}
+
+int ub_openssl_lock_init(void)
+{
+#ifdef OPENSSL_THREADS
+	size_t i;
+	ub_openssl_locks = (lock_basic_t*)malloc(
+		sizeof(lock_basic_t)*CRYPTO_num_locks());
+	if(!ub_openssl_locks)
+		return 0;
+	for(i=0; i<CRYPTO_num_locks(); i++) {
+		lock_basic_init(&ub_openssl_locks[i]);
+	}
+	CRYPTO_set_id_callback(&ub_crypto_id_cb);
+	CRYPTO_set_locking_callback(&ub_crypto_lock_cb);
+#endif /* OPENSSL_THREADS */
+	return 1;
+}
+
+void ub_openssl_lock_delete(void)
+{
+#ifdef OPENSSL_THREADS
+	size_t i;
+	if(!ub_openssl_locks)
+		return;
+	for(i=0; i<CRYPTO_num_locks(); i++) {
+		lock_basic_destroy(&ub_openssl_locks[i]);
+	}
+#endif /* OPENSSL_THREADS */
+}
+
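Review bot: `ub_openssl_lock_delete()` destroys each lock but never frees the `ub_openssl_locks` array, never resets the pointer to NULL, and never clears the callbacks registered in `ub_openssl_lock_init()`. As written the malloc'd array leaks, a second call would destroy the same locks again, and any OpenSSL call made after teardown would still go through `ub_crypto_lock_cb` into destroyed locks. Suggest clearing both callbacks with `CRYPTO_set_id_callback(NULL)` and `CRYPTO_set_locking_callback(NULL)` first, then destroying the locks, then `free(ub_openssl_locks); ub_openssl_locks = NULL;`. Two smaller points: `size_t i` is compared against `CRYPTO_num_locks()`, which returns an int, so use an int index or cast once; and the two static callbacks sit outside the `#ifdef OPENSSL_THREADS` that guards the function bodies, with `ub_crypto_lock_cb` missing the doc comment the other definitions have.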
Index: util/net_help.h
===================================================================
--- util/net_help.h	(revision 2732)
+++ util/net_help.h	(revision 2733)
@@ -369,4 +369,15 @@
  */
 void* outgoing_ssl_fd(void* sslctx, int fd);
 
+/**
+ * Initialize openssl locking for thread safety
+ * @return false on failure (alloc failure).
+ */
+int ub_openssl_lock_init(void);
+
+/**
+ * De-init the allocated openssl locks
+ */
+void ub_openssl_lock_delete(void);
+
 #endif /* NET_HELP_H */
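Review bot: the doc comment for `ub_openssl_lock_init` says `@return false on failure` for a function declared `int`; state the actual values (0 on allocation failure, 1 otherwise) to match the body in util/net_help.c. The comments should also say that init is meant to be called once before any thread uses OpenSSL and that `ub_openssl_lock_delete` is its counterpart at shutdown, since nothing in the declarations conveys that ordering.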

--- End Message ---
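
The report ties the crash to two settings together: DNSSEC validation enabled and num-threads above 1. The following is an added example, not part of the original report or of Unbound itself, that audits an unbound.conf for that combination; the function names, the one-option-per-line parsing and the list of trust-anchor options used to detect validation are assumptions of this example.

```python
import re

# Options that configure a trust anchor, i.e. turn on DNSSEC validation
# (assumption: this list is how the example detects "doing DNSSEC validation").
TRUST_ANCHOR_KEYS = {"auto-trust-anchor-file", "trust-anchor-file",
                     "trust-anchor", "trusted-keys-file"}
OPTION_RE = re.compile(r'^([A-Za-z0-9-]+):\s*(.*)$')

def parse_unbound_conf(text):
    """Map each clause name (e.g. 'server') to its list of (key, value)."""
    clauses, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        m = OPTION_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip().strip('"')
        if value == "":                          # "server:" opens a clause
            current = key
            clauses.setdefault(current, [])
        elif current is not None:
            clauses[current].append((key, value))
    return clauses

def audit(text):
    """Report whether the config matches the crash conditions in the report."""
    threads, validating = 1, False               # 1 thread is the default
    for key, value in parse_unbound_conf(text).get("server", []):
        if key == "num-threads" and value.isdigit():
            threads = int(value)
        elif key in TRUST_ANCHOR_KEYS:
            validating = True
    return {"num_threads": threads, "dnssec": validating,
            "exposed": threads > 1 and validating}

# The server: clause quoted in the bug report.
REPORTED_CONF = '''server:
    # DNSSEC validation using the root trust anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    num-threads: 2
'''
# Same file with the report's workaround applied.
WORKAROUND_CONF = REPORTED_CONF.replace("num-threads: 2", "num-threads: 1")

if __name__ == "__main__":
    for name, conf in (("reported", REPORTED_CONF), ("workaround", WORKAROUND_CONF)):
        print(name, audit(conf))
```

An "exposed" result only matters on packages older than the fixed version named in the closing message, 1.4.17-3+deb7u1.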
--- Begin Message ---
Source: unbound
Source-Version: 1.4.17-3+deb7u1

We believe that the bug you reported is fixed in the latest version of
unbound, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Robert S. Edmonds <[email protected]> (supplier of updated unbound package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Mon, 02 Jun 2014 16:00:29 -0400
Source: unbound
Binary: unbound unbound-anchor unbound-host libunbound2 libunbound-dev python-unbound
Architecture: amd64 source
Version: 1.4.17-3+deb7u1
Distribution: stable-proposed-updates
Urgency: low
Maintainer: Robert S. Edmonds <[email protected]>
Changed-By: Robert S. Edmonds <[email protected]>
Closes: 691528
Description: 
 libunbound-dev - static library, header files, and docs for libunbound
 libunbound2 - library implementing DNS resolution and validation
 python-unbound - library implementing DNS resolution and validation (Python bindin
 unbound    - validating, recursive, caching DNS resolver
 unbound-anchor - utility to securely fetch the root DNS trust anchor
 unbound-host - reimplementation of the 'host' command
Changes: 
 unbound (1.4.17-3+deb7u1) stable-proposed-updates; urgency=low
 .
   [ Helmut Grohne ]
   * Fix crash when using DNSSEC and num-threads > 1; closes: #691528.

--- End Message ---
