Hello,

On 7/16/2018 10:46 AM, Willy Tarreau wrote:
On Mon, Jul 16, 2018 at 08:32:31AM +0200, Janusz Dziemidowicz wrote:
Mon, 16 Jul 2018 at 08:02 Willy Tarreau <w...@1wt.eu> wrote:
This one looks a bit strange. I looked at it a little bit and it corresponds
to the line "free(bind_conf->keys_ref->tlskeys);". Unfortunately, there is no
other line in the code appearing to perform a free on this element, and when
passing through this code the key_ref is destroyed and properly nulled. I
checked if it was possible for this element not to be allocated and I don't
see how that could happen either. Thus I'm seeing only three possibilities :

  - this element was duplicated and appears at multiple places (multiple list
    elements) leading to a real double free

  - there is a memory corruption somewhere possibly resulting in this element
    being corrupted and not in fact victim of a double free

  - I can't read code and there is another free that I failed to detect.

Are you able to trigger this on a trivial config ? Maybe it only happens
when certain features you have in your config are enabled ?

I've reported this some time ago :)
https://www.mail-archive.com/haproxy@formilux.org/msg30093.html

Ah thank you Janusz, and I notice that your report matches Thierry's second
e-mail very closely.

I'm CCing Nenad who added the tls-ticket-keys in case he has any idea
on the subject, based on how the bind line is initialized maybe.

Ugh, this was a long time ago. [FROM MEMORY] The element should not be duplicated as far as I can remember. The references are stored in an ebtree in order to prevent duplication and to provide a consistent view when updated dynamically.

I just pulled HEAD and cannot reproduce this with either of these configs. The "good" thing is that I get a crash every time I reload, with different stack traces for each config.

One of them starts like:
#5 0x00007f271cce0847 in _int_free (av=0x7f271d015c40 <main_arena>, p=0x562e01935460, have_lock=<optimized out>) at malloc.c:4362
        size = 195488
        fb = <optimized out>
        nextchunk = 0x562e01944f30
        nextsize = 131280
        nextinuse = <optimized out>
        prevsize = <optimized out>
        bck = <optimized out>
        fwd = <optimized out>
        __PRETTY_FUNCTION__ = "_int_free"
#6  0x0000562e0011a7bb in deinit_pollers () at src/fd.c:554
        bp = <optimized out>
        p = <optimized out>
#7 0x0000562e00024c77 in main (argc=<optimized out>, argv=0x7fffc630ec38) at src/haproxy.c:3095
        err = <optimized out>
        retry = <optimized out>
        limit = {rlim_cur = 4012, rlim_max = 4012}
        errmsg = "\000\000\000\000\000\000\000\000\000\377\330q\356\336\342\345\370\351\060\306\377\177\000\000\000\t\216\001.V\000\000\230\351\060\306\377\177\000\000\261\000\000\000\000\000\000\000\262\000\000\000\000\000\000\000\330\352\060\306\377\177\000\000\370\351\060\306\377\177\000\000\346z\r\000.V\000\000y+\025\000.V\000\000\330\352\060\306\377\177\000\000\000\000\000"
        pidfd = <optimized out>

I'll poke around it more tomorrow as it's quite late here.

Regards,
Nenad


thanks,
Willy
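Willy's first hypothesis above (one keys_ref reached from several bind lines, each of which frees it on teardown) is the classic shared-ownership double free. As an added illustration that is not HAProxy code, the toy below gives such a shared reference a count so that only the last holder's teardown frees tlskeys; the linked-list registry standing in for the ebtree, the field names, the counters and the key file path are all constructed for the example.

```c
#include <stdlib.h>
#include <string.h>

struct keys_ref {
    char filename[64];
    unsigned char *tlskeys;  /* shared key material (constructed, zero-filled) */
    int refcount;            /* bind lines currently pointing at this entry */
    struct keys_ref *next;   /* stand-in for the ebtree used by the real code */
};

static struct keys_ref *registry;   /* hypothetical global lookup list */
static int tlskeys_frees;           /* counts real free() calls on tlskeys */

/* Look up by filename, creating on first use; every caller owns one reference. */
struct keys_ref *keys_ref_get(const char *filename)
{
    struct keys_ref *r;
    for (r = registry; r; r = r->next)
        if (strcmp(r->filename, filename) == 0) { r->refcount++; return r; }
    r = calloc(1, sizeof(*r));
    if (!r) return NULL;
    strncpy(r->filename, filename, sizeof(r->filename) - 1);
    r->tlskeys = calloc(3, 48);     /* constructed: 3 tickets x 48 bytes */
    r->refcount = 1;
    r->next = registry;
    registry = r;
    return r;
}

/* Drop one reference; unlink and free only when the last holder lets go.
 * Without this count, the second bind line would free tlskeys a second time. */
int keys_ref_put(struct keys_ref *r)
{
    struct keys_ref **pp;
    if (!r || --r->refcount > 0) return 0;
    for (pp = &registry; *pp; pp = &(*pp)->next)
        if (*pp == r) { *pp = r->next; break; }
    free(r->tlskeys); r->tlskeys = NULL; tlskeys_frees++;
    free(r);
    return 1;
}

/* Two bind lines share one key file; teardown must free tlskeys exactly once. */
int shared_teardown_frees(void)
{
    struct keys_ref *a = keys_ref_get("/etc/haproxy/tickets.key"); /* constructed */
    struct keys_ref *b = keys_ref_get("/etc/haproxy/tickets.key");
    tlskeys_frees = 0;
    keys_ref_put(a); keys_ref_put(b);
    return tlskeys_frees;   /* 1: freed once, registry empty again */
}
```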

