[sr-dev] [kamailio/kamailio] kazoo: SIGSEGV on module unload (Issue #3648)

sergey-safarov via sr-dev Tue, 21 Nov 2023 05:19:44 -0800

On core load
```
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/usr/sbin/kamailio --atexit=no -DD -P 
/run/kamailio/kamailio.pid -f /etc/kamail'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000ffff94f36350 in strlen () from /lib64/libc.so.6
Missing separate debuginfos, use: yum debuginfo-install 
glibc-2.28-236.el8.aarch64 jansson-2.14-1.el8.aarch64 
json-c-0.13.1-3.el8.aarch64 keyutils-libs-1.5.10-9.el8.aarch64 
krb5-libs-1.18.2-25.el8.aarch64 libblkid-2.32.1-43.el8.aarch64 
libcom_err-1.45.6-5.el8.aarch64 libcurl-minimal-7.61.1-33.el8.aarch64 
libevent-2.1.8-5.el8.aarch64 libgcc-8.5.0-20.el8.aarch64 
libmount-2.32.1-43.el8.aarch64 libnghttp2-1.33.0-3.el8_2.1.aarch64 
librabbitmq-0.9.0-4.el8.aarch64 libselinux-2.9-8.el8.aarch64 
libunistring-0.9.9-3.el8.aarch64 libuuid-2.32.1-43.el8.aarch64 
libxml2-2.9.7-16.el8.aarch64 mariadb-connector-c-3.1.11-2.el8_3.aarch64 
openssl-libs-1.1.1k-9.el8.aarch64 pcre-8.42-6.el8.aarch64 
pcre2-10.32-3.el8.aarch64 systemd-libs-239-78.el8.aarch64 
xz-libs-5.2.4-4.el8.aarch64 zlib-1.2.11-25.el8.aarch64
```
**bt full**
```
#0  0x0000ffff94f36350 in strlen () from /lib64/libc.so.6
No symbol table info available.
#1  0x0000ffff94f60c7c in vfprintf () from /lib64/libc.so.6
No symbol table info available.
#2  0x0000ffff94fe500c in __vsyslog_chk () from /lib64/libc.so.6
No symbol table info available.
#3  0x0000ffff94fe5110 in syslog () from /lib64/libc.so.6
No symbol table info available.
#4  0x000000000077ebb8 in qm_status (qmp=0xffff8acee000) at 
core/mem/q_malloc.c:877
        __llevel = -4
        qm = 0xffff8acee000
        f = 0xffff8c0e0c08
        i = 5961
        j = 9650680
        h = 0
        unused = 0
        memlog = -4
        mem_summary = 0
        __func__ = "qm_status"
        __llevel = <optimized out>
        __kld = <optimized out>
#5  0x0000000000772e30 in qm_debug_check_frag (qm=0xffff8acee000, 
f=0xffff8c0e0c08, file=0xffff8a2a47f0 "kazoo: kz_amqp.c", line=633, 
efile=0x934218 "core/mem/q_malloc.c", eline=511) at core/mem/q_malloc.c:139
        p = 0xffffd0ed96e0
        __func__ = "qm_debug_check_frag"
#6  0x00000000007775c8 in qm_free (qmp=0xffff8acee000, p=0xffff8c0e0c40, 
file=0xffff8a2a47f0 "kazoo: kz_amqp.c", func=0xffff8a2abcb0 <__func__.18644> 
"kz_amqp_destroy_channels", line=633, mname=0xffff8a2a4350 "kazoo") at 
core/mem/q_malloc.c:511
        qm = 0xffff8acee000
        f = 0xffff8c0e0c08
        size = 281472999768912
        next = 0xd0ed9740
        prev = 0x1
        __func__ = "qm_free"
#7  0x0000000000784058 in qm_shm_free (qmp=0xffff8acee000, p=0xffff8c0e0c40, 
file=0xffff8a2a47f0 "kazoo: kz_amqp.c", func=0xffff8a2abcb0 <__func__.18644> 
"kz_amqp_destroy_channels", line=633, mname=0xffff8a2a4350 "kazoo") at 
core/mem/q_malloc.c:1350
No locals.
#8  0x0000ffff8a248270 in kz_amqp_destroy_channels (server_ptr=0xffff8ad28880) 
at kz_amqp.c:633
        i = 25
        __func__ = "kz_amqp_destroy_channels"
#9  0x0000ffff8a2482b4 in kz_amqp_destroy_server (server_ptr=0xffff8ad28880) at 
kz_amqp.c:641
        next = 0x0
        __func__ = "kz_amqp_destroy_server"
#10 0x0000ffff8a248388 in kz_amqp_destroy_zone (zone_ptr=0xffff8ad28410) at 
kz_amqp.c:652
        next = 0xffff8ad28918
        server_ptr = 0xffff8ad28880
        __func__ = "kz_amqp_destroy_zone"
#11 0x0000ffff8a248488 in kz_amqp_destroy_zones () at kz_amqp.c:664
        g = 0xffff8ad28410
        __func__ = "kz_amqp_destroy_zones"
#12 0x0000ffff8a248510 in kz_amqp_destroy () at kz_amqp.c:672
        __func__ = "kz_amqp_destroy"
#13 0x0000ffff8a2402a0 in mod_destroy () at kazoo.c:541
        __func__ = "mod_destroy"
#14 0x00000000005e1670 in destroy_modules () at core/sr_module.c:842
        t = 0xffff9379c750
        foo = 0xffff9379b798
        __func__ = "destroy_modules"
#15 0x000000000041e81c in cleanup (show_status=1) at main.c:561
        memlog = -767102331
        __func__ = "cleanup"
#16 0x00000000004208b4 in shutdown_children (sig=15, show_status=1) at 
main.c:704
        __func__ = "shutdown_children"
#17 0x00000000004217d0 in handle_sigs () at main.c:735
        chld = 65535
        chld_status = 0
        any_chld_stopped = 0
        memlog = 4407388
        __func__ = "handle_sigs"
#18 0x0000000000434058 in main_loop () at main.c:1900
        i = 8
        pid = 1350059
        si = 0x0
        si_desc = "udp receiver child=7 
sock=[2605:84c0:51:1f04::6]:5080\000\000\000\360\234\355\320\377\377\000\000صx\223\377\377\000\000\300\234\355\320\377\377\000\000\250\303Փ\377\377\000\000\340\234\355\320\377\377\000\000\360\234\355\320\377\377\000\000\360\234\355\320\377\377\000\000\300\234\355\320\377\377\000\000\320\377\377\377\200\377\377\377"
        nrprocs = 8
        woneinit = 1
        __func__ = "main_loop"
#19 0x000000000043f094 in main (argc=11, argv=0xffffd0eda278) at main.c:3078
        cfg_stream = 0xec522a0
        c = -1
        r = 0
        tmp = 0xffffd0edae66 ""
        tmp_len = 0
        port = 0
        proto = 65535
        ahost = 0x0
        aport = 0
        options = 0x8c99d0 
":f:cm:M:dVIhEeb:l:L:n:vKrRDTN:W:w:t:u:g:P:G:SQ:O:a:A:x:X:Y:"
        ret = -1
        seed = 1225301378
        rfd = 4
        debug_save = 0
        debug_flag = 0
        dont_fork_cnt = 2
        n_lst = 0xffffffff
        p = 0xffff94f39348 <__libc_start_main+160> ""
        st = {st_dev = 22, st_ino = 18918, st_mode = 16832, st_nlink = 2, 
st_uid = 992, st_gid = 987, st_rdev = 0, __pad1 = 0, st_size = 60, st_blksize = 
4096, __pad2 = 0, st_blocks = 0, st_atim = {tv_sec = 1695127265, tv_nsec = 
210164976}, st_mtim = {tv_sec = 1695742685, tv_nsec = 688032700}, st_ctim = 
{tv_sec = 1695742685, tv_nsec = 688032700}, __glibc_reserved = {0, 0}}
        tbuf = '\000' <repeats 56 times>, 
"xN!\225\377\377\000\000hN!\225\377\377\000\000\bN!\225\377\377\000\000(N!\225\377\377\000\000\070N!\225\377\377\000\000\250N!\225\377\377\000\000\270N!\225\377\377\000\000\310N!\225\377\377\000\000HN!\225\377\377\000\000XN!\225\377\377",
 '\000' <repeats 18 times>, "\330M!\225\377\377", '\000' <repeats 42 times>...
        option_index = 12
        long_options = {{name = 0x8cbda8 "help", has_arg = 0, flag = 0x0, val = 
104}, {name = 0x8c6c10 "version", has_arg = 0, flag = 0x0, val = 118}, {name = 
0x8cbdb0 "alias", has_arg = 1, flag = 0x0, val = 1024}, {name = 0x8cbdb8 
"subst", has_arg = 1, flag = 0x0, val = 1025}, {name = 0x8cbdc0 "substdef", 
has_arg = 1, flag = 0x0, val = 1026}, {name = 0x8cbdd0 "substdefs", has_arg = 
1, flag = 0x0, val = 1027}, {name = 0x8cbde0 "server-id", has_arg = 1, flag = 
0x0, val = 1028}, {name = 0x8cbdf0 "loadmodule", has_arg = 1, flag = 0x0, val = 
1029}, {name = 0x8cbe00 "modparam", has_arg = 1, flag = 0x0, val = 1030}, {name 
= 0x8cbe10 "log-engine", has_arg = 1, flag = 0x0, val = 1031}, {name = 0x8cbe20 
"debug", has_arg = 1, flag = 0x0, val = 1032}, {name = 0x8cbe28 "cfg-print", 
has_arg = 0, flag = 0x0, val = 1033}, {name = 0x8cbe38 "atexit", has_arg = 1, 
flag = 0x0, val = 1034}, {name = 0x0, has_arg = 0, flag = 0x0, val = 0}}
        __func__ = "main"
```
Some more info
```
(gdb) f 8 
#8  0x0000ffff8a248270 in kz_amqp_destroy_channels (server_ptr=0xffff8ad28880) 
at kz_amqp.c:633
633             shm_free(server_ptr->channels);
(gdb) list
628             for(i=0; i < dbk_channels; i++) {
629                     if(server_ptr->channels[i].targeted != NULL) {
630                             
kz_amqp_free_bind(server_ptr->channels[i].targeted);
631                     }
632             }
633             shm_free(server_ptr->channels);
634             server_ptr->channels = NULL;
635     }
636     
637     kz_amqp_server_ptr kz_amqp_destroy_server(kz_amqp_server_ptr server_ptr)
(gdb) p server_ptr
$1 = (kz_amqp_server_ptr) 0xffff8ad28880
(gdb) p *server_ptr
$2 = {id = 1, channel_index = 20, zone = 0xffff8ad28410, connection = 
0xffff8ad28578, producer = 0xffff8c754700, channels = 0xffff8c0e0c40, next = 
0x0}
(gdb) p server_ptr->channels
$3 = (kz_amqp_channel_ptr) 0xffff8c0e0c40
(gdb) p *server_ptr->channels
$4 = {cmd = 0x0, targeted = 0xffff8c0e1220, consumer = 0x0, channel = 1, state 
= KZ_AMQP_CHANNEL_FREE, timer = {tv_sec = 1700266610, tv_usec = 250929}, lock = 
0}
(gdb) f 7
#7  0x0000000000784058 in qm_shm_free (qmp=0xffff8acee000, p=0xffff8c0e0c40, 
file=0xffff8a2a47f0 "kazoo: kz_amqp.c", func=0xffff8a2abcb0 <__func__.18644> 
"kz_amqp_destroy_channels", line=633, mname=0xffff8a2a4350 "kazoo") at 
core/mem/q_malloc.c:1350
1350            qm_free(qmp, p, file, func, line, mname);
(gdb) list
1345    }
1346    void qm_shm_free(void* qmp, void* p, const char* file, const char* func,
1347                    unsigned int line, const char* mname)
1348    {
1349            qm_shm_lock();
1350            qm_free(qmp, p, file, func, line, mname);
1351            qm_shm_unlock();
1352    }
1353    #else
1354    void* qm_shm_malloc(void* qmp, size_t size)
```
This happened on customized  Kamailio 5.6.4 where reverted some commits.
If it does not make sense for you please close.


-- 
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/3648
You are receiving this because you are subscribed to this thread.

Message ID: <kamailio/kamailio/issues/[email protected]>

_______________________________________________
Kamailio (SER) - Development Mailing List
To unsubscribe send an email to [email protected]

[sr-dev] [kamailio/kamailio] kazoo: SIGSEGV on module unload (Issue #3648)

Reply via email to