[sr-dev] [kamailio/kamailio] Kamailio crash on http_async_client module callback invocation (Issue #4019)

7 Nov 2024


      ### Description
Kamailio service crashed occasionally on `sock_cb` callback function of `http_async_client` module
#### Reproduction
The crash happens occasionally, no specific conditions have been identified for this issue.
#### Debugging Data
```
Program terminated with signal SIGSEGV, Segmentation fault.
(gdb) bt full
#0  0x0000ffff9f4205e4 in event_del_ () from /lib64/libevent-2.1.so.6
No symbol table info available.
#1  0x0000ffff9e7c9b24 in sock_cb (e=0xffffa2027ba8, s=9, what=4, cbp=0xffffa1c0fe58, sockp=0xffffa202d258) at http_multi.c:166
        g = 0xffffa1c0fe58
        cell = 0xffffa202d258
        whatstr = {0xffff9e7eb508 "none", 0xffff9e7eb510 "IN", 0xffff9e7eb518 "OUT", 0xffff9e7eb520 "INOUT", 0xffff9e7eb528 "REMOVE"}
        __func__ = "sock_cb"
#2  0x0000ffff9e73ffa8 in Curl_multi_closed () from /lib64/libcurl.so.4
No symbol table info available.
#3  0x0000ffff9e73d43c in Curl_closesocket () from /lib64/libcurl.so.4
No symbol table info available.
#4  0x0000ffff9e72c8f8 in conn_free.part () from /lib64/libcurl.so.4
No symbol table info available.
#5  0x0000ffff9e72d544 in Curl_disconnect () from /lib64/libcurl.so.4
No symbol table info available.
#6  0x0000ffff9e740948 in multi_done () from /lib64/libcurl.so.4
No symbol table info available.
#7  0x0000ffff9e742b10 in curl_multi_remove_handle () from /lib64/libcurl.so.4
No symbol table info available.
#8  0x0000ffff9e7c7f2c in event_cb (fd=59, kind=1, userp=0xffffa2027ba8) at http_multi.c:123
        error = 0xffff9e7eac70 "TIMEOUT"
        g = 0xffffa1c0fe58
        rc = 1968268110
        easy = 0xffffa2027ba8
        cell = 0xffffa202d258
        __func__ = "event_cb"
        action = 0
#9  0x0000ffff9f423628 in event_process_active_single_queue () from /lib64/libevent-2.1.so.6
No symbol table info available.
#10 0x0000ffff9f423ee8 in event_base_loop () from /lib64/libevent-2.1.so.6
No symbol table info available.
#11 0x0000ffff9e7b7160 in async_http_run_worker (worker=0xffffa1606ed8) at async_http.c:95
        ret = 65535
        __func__ = "async_http_run_worker"
#12 0x0000ffff9e7dc364 in child_init (rank=0) at http_async_client_mod.c:380
        pid = 0
        i = 0
        __func__ = "child_init"
#13 0x0000000000607fa8 in init_mod_child (m=0xffffb136c2f0, rank=0) at core/sr_module.c:899
--Type <RET> for more, q to quit, c to continue without paging--
        ret = 0
        __func__ = "init_mod_child"
#14 0x0000000000607b38 in init_mod_child (m=0xffffb136d018, rank=0) at core/sr_module.c:892
        ret = 0
        __func__ = "init_mod_child"
#15 0x0000000000607b38 in init_mod_child (m=0xffffb136ead0, rank=0) at core/sr_module.c:892
        ret = 0
        __func__ = "init_mod_child"
#16 0x0000000000607b38 in init_mod_child (m=0xffffb13a98f8, rank=0) at core/sr_module.c:892
        ret = 0
        __func__ = "init_mod_child"
#17 0x0000000000607b38 in init_mod_child (m=0xffffb140ab28, rank=0) at core/sr_module.c:892
        ret = 0
        __func__ = "init_mod_child"
#18 0x0000000000607b38 in init_mod_child (m=0xffffb145ebf8, rank=0) at core/sr_module.c:892
        ret = 1
        __func__ = "init_mod_child"
#19 0x00000000006089c4 in init_child (rank=0) at core/sr_module.c:953
        ret = -783429656
        type = 0x923dc0 "PROC_MAIN"
        __func__ = "init_child"
#20 0x0000000000433030 in main_loop () at main.c:1843
        i = 8
        pid = 2823204
        si = 0x0
        si_desc = "udp receiver child=7 sock=[2605:84c0:48:205:1::6]:5080\000\000\220\036ٰ\377\377\000\000 \321M\321\377\377\000\000h\220\066\261\377\377\000\000\320\377\377\377\200\377\377\377\020\321M\321\377\377\000\000 \321M\321\377\377\000\000 \321M\321\377\377\000\000\360\320M\321\377\377\000\000\320\377\377\377\200\377\377\377"
        nrprocs = 8
        woneinit = 1
        __func__ = "main_loop"
#21 0x000000000043f4e8 in main (argc=11, argv=0xffffd14dd6a8) at main.c:3086
        cfg_stream = 0xc2502a0
        c = -1
        r = 0
        tmp = 0xffffd14dfe34 ""
        tmp_len = 0
        port = 0
        proto = 65535
        ahost = 0x0
--Type <RET> for more, q to quit, c to continue without paging--
        aport = 0
        options = 0x8e7c08 ":f:cm:M:dVIhEeb:l:L:n:vKrRDTN:W:w:t:u:g:P:G:SQ:O:a:A:x:X:Y:"
        ret = -1
        seed = 203142350
        rfd = 4
        debug_save = 0
        debug_flag = 0
        dont_fork_cnt = 2
        n_lst = 0xffffffff
        p = 0xffffb3d34348 <__libc_start_main+160> ""
        st = {st_dev = 25, st_ino = 18459, st_mode = 16877, st_nlink = 3, st_uid = 0, st_gid = 987, st_rdev = 0, __pad1 = 0, st_size = 80, st_blksize = 65536, 
          __pad2 = 0, st_blocks = 0, st_atim = {tv_sec = 1707863213, tv_nsec = 9999979}, st_mtim = {tv_sec = 1729635590, tv_nsec = 702238079}, st_ctim = {
            tv_sec = 1729635598, tv_nsec = 32030431}, __glibc_reserved = {0, 0}}
        tbuf = '\000' <repeats 56 times>, "x\376\b\264\377\377\000\000h\376\b\264\377\377\000\000\b\376\b\264\377\377\000\000(\376\b\264\377\377\000\000\070\376\b\264\377\377\000\000\250\376\b\264\377\377\000\000\270\376\b\264\377\377\000\000\310\376\b\264\377\377\000\000H\376\b\264\377\377\000\000X\376\b\264\377\377", '\000' <repeats 18 times>, "\330\375\b\264\377\377", '\000' <repeats 42 times>...
        option_index = 12
        long_options = {{name = 0x8e9fe0 "help", has_arg = 0, flag = 0x0, val = 104}, {name = 0x8e4e48 "version", has_arg = 0, flag = 0x0, val = 118}, {
            name = 0x8e9fe8 "alias", has_arg = 1, flag = 0x0, val = 1024}, {name = 0x8e9ff0 "subst", has_arg = 1, flag = 0x0, val = 1025}, {name = 0x8e9ff8 "substdef", 
            has_arg = 1, flag = 0x0, val = 1026}, {name = 0x8ea008 "substdefs", has_arg = 1, flag = 0x0, val = 1027}, {name = 0x8ea018 "server-id", has_arg = 1, 
            flag = 0x0, val = 1028}, {name = 0x8ea028 "loadmodule", has_arg = 1, flag = 0x0, val = 1029}, {name = 0x8ea038 "modparam", has_arg = 1, flag = 0x0, 
            val = 1030}, {name = 0x8ea048 "log-engine", has_arg = 1, flag = 0x0, val = 1031}, {name = 0x8ea058 "debug", has_arg = 1, flag = 0x0, val = 1032}, {
            name = 0x8ea060 "cfg-print", has_arg = 0, flag = 0x0, val = 1033}, {name = 0x8ea070 "atexit", has_arg = 1, flag = 0x0, val = 1034}, {
            name = 0x8ea078 "all-errors", has_arg = 0, flag = 0x0, val = 1035}, {name = 0x0, has_arg = 0, flag = 0x0, val = 0}}
        __func__ = "main"
(gdb) f 8
#8  0x0000ffff9e7c7f2c in event_cb (fd=59, kind=1, userp=0xffffa2027ba8) at http_multi.c:123
123                     curl_multi_remove_handle(g->multi, easy);
(gdb) f 1
#1  0x0000ffff9e7c9b24 in sock_cb (e=0xffffa2027ba8, s=9, what=4, cbp=0xffffa1c0fe58, sockp=0xffffa202d258) at http_multi.c:166
166                                     event_del(cell->ev);
(gdb) p cell
$1 = (struct http_m_cell *) 0xffffa202d258
(gdb) p cell->ev
$2 = (struct event *) 0x92fbf0
(gdb) p *cell->ev
$3 = {type = 1701998435, name = {s = 0x615f7273752f6572 <error: Cannot access memory at address 0x615f7273752f6572>, len = 1663987830}, params = {hooks = {contact = {
        expires = 0x7273752f65726f63, q = 0x632e7076615f, methods = 0x5b203e65726f633c, received = 0x7273752f65726f63, instance = 0x393a632e7076615f, 
        reg_id = 0x203a5d32, ob = 0x6f6e20646c756f63, flags = 0x61636f6c6c612074}, uri = {transport = 0x7273752f65726f63, lr = 0x632e7076615f, r2 = 0x5b203e65726f633c, 
        maddr = 0x7273752f65726f63, ttl = 0x393a632e7076615f, dstip = 0x203a5d32, dstport = 0x6f6e20646c756f63, ftag = 0x61636f6c6c612074, ob = 0x6572616873206574}, 
      event_dialog = {call_id = 0x7273752f65726f63, from_tag = 0x632e7076615f, to_tag = 0x5b203e65726f633c, include_session_description = 0x7273752f65726f63, 
        sla = 0x393a632e7076615f, ma = 0x203a5d32}}, list = 0x79726f6d656d2064}}
```
As it's seen in the stack backtrace the `cell` object is already released at the moment when `event_del` with this object is called.
#### Log Messages
-
#### SIP Traffic
-
### Possible Solutions
-
### Additional Information
```
[centos@esrp-1b ~]$ kamailio -v
version: kamailio 5.7.2 (aarch64/linux) 968dbe
flags: USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MMAP, PKG_MALLOC, MEM_JOIN_FREE, Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT-NOSMP, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLOCKLIST, HAVE_RESOLV_RES, TLS_PTHREAD_MUTEX_SHARED
ADAPTIVE_WAIT_LOOPS 1024, MAX_RECV_BUFFER_SIZE 262144, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: 968dbe 
compiled on 19:25:05 Nov 10 2023 with gcc 8.5.0
```
* **Operating System**:
```
[centos@esrp-1b ~]$ cat /etc/centos-release 
CentOS Stream release 8
[centos@esrp-1b ~]$ uname -a
Linux esrp-1b.fl.base911.com 4.18.0-536.el8.aarch64 #1 SMP Thu Jan 18 15:21:54 UTC 2024 aarch64 aarch64 aarch64 GNU/Linux
```
-- 
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/4019
You are receiving this because you are subscribed to this thread.

Message ID: kamailio/kamailio/issues/4019@github.com

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

[sr-dev] [kamailio/kamailio] Kamailio crash on http_async_client module callback invocation (Issue #4019)