### Description
Crash occurred during load test.
#### Reproduction
This cannot be reproduced at will. It happened after about 40 days of load testing.
#### Debugging Data
```
[root@lab002201-flip-server ~]$ gdb /usr/local/src/git/kamailio-5.5/src/kamailio /core
GNU gdb (Debian 10.1-1.7) 10.1.90.20210103-git
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
https://www.gnu.org/software/gdb/bugs/.
Find the GDB manual and other documentation resources online at:
    http://www.gnu.org/software/gdb/documentation/.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/local/src/git/kamailio-5.5/src/kamailio...

warning: Can't open file /dev/zero (deleted) during file-backed mapping note processing
[New LWP 730446]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/usr/local/src/git/kamailio-5.5/src/kamailio -m 1024 -f /usr/local/etc/kamailio'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007fb609cba495 in run_dlg_callbacks (type=4, dlg=0x7fb5ca1798d0, req=0x7fb5ce0a7380, rpl=0xffffffffffffffff, dir=2, dlg_data=0x0) at dlg_cb.c:273
273                     cb->callback( dlg, type, &params );
(gdb) bt full
#0  0x00007fb609cba495 in run_dlg_callbacks (type=4, dlg=0x7fb5ca1798d0, req=0x7fb5ce0a7380, rpl=0xffffffffffffffff, dir=2, dlg_data=0x0) at dlg_cb.c:273
        cb = 0x7fb609ce7a23 <dlg_iuid_sfree>
        __func__ = "run_dlg_callbacks"
#1  0x00007fb609ceb3ee in dlg_onreply (t=0x7fb5cfa8a1f0, type=1048576, param=0x7fff4bdc6060) at dlg_handlers.c:576
        dlg = 0x7fb5ca1798d0
        iuid = 0x7fb5cca0bbf0
        new_state = 5
        old_state = 2
        unref = 1
        event = 4
        tag = {s = 0x80d000001ff <error: Cannot access memory at address 0x80d000001ff>, len = 174085573}
        req = 0x7fb5ce0a7380
        rpl = 0xffffffffffffffff
        __func__ = "dlg_onreply"
#2  0x00007fb60a53c399 in run_trans_callbacks_internal (cb_lst=0x7fb5cfa8a268, type=1048576, trans=0x7fb5cfa8a1f0, params=0x7fff4bdc6060) at t_hooks.c:258
        cbp = 0x7fb5cb5b2520
        backup_from = 0x5591e2acbe90 <def_list+16>
        backup_to = 0x5591e2acbe98 <def_list+24>
        backup_dom_from = 0x5591e2acbea0 <def_list+32>
        backup_dom_to = 0x5591e2acbea8 <def_list+40>
        backup_uri_from = 0x5591e2acbe80 <def_list>
        backup_uri_to = 0x5591e2acbe88 <def_list+8>
        backup_xavps = 0x5591e2acbfd8 <_xavp_list_head>
        backup_xavus = 0x5591e2acbfe0 <_xavu_list_head>
        backup_xavis = 0x5591e2acbfe8 <_xavi_list_head>
        __func__ = "run_trans_callbacks_internal"
#3  0x00007fb60a53c5b2 in run_trans_callbacks_with_buf (type=1048576, rbuf=0x7fb5cfa8a2c0, req=0x7fb5ce0a7380, repl=0xffffffffffffffff, flags=0) at t_hooks.c:303
        params = {req = 0x7fb5ce0a7380, rpl = 0xffffffffffffffff, param = 0x7fb5cb5b2530, code = 408, flags = 0, branch = 0, t_rbuf = 0x7fb5cfa8a2c0, dst = 0x7fb5cfa8a310, send_buf = {
            s = 0x7fb5caa9cda0 "SIP/2.0 408 Request Timeout\r\nVia: SIP/2.0/UDP 192.168.2.202:5020;rport=5020;branch=z9hG4bK-2375372-4769-10;received=192.168.2.202\r\nFrom: "0312341234" sip:0312341234@fakedomain.com;tag=2375372SIPpTag"..., len = 407}}
        trans = 0x7fb5cfa8a1f0
#4  0x00007fb60a5b322d in relay_reply (t=0x7fb5cfa8a1f0, p_msg=0xffffffffffffffff, branch=0, msg_status=408, cancel_data=0x7fff4bdc6280, do_put_on_wait=0) at t_reply.c:2094
        relay = 0
        save_clone = 0
        buf = 0x7fb60a8f6b68 "SIP/2.0 408 Request Timeout\r\nVia: SIP/2.0/UDP 192.168.2.202:5020;rport=5020;branch=z9hG4bK-2375372-4769-10;received=192.168.2.202\r\nFrom: "0312341234" sip:0312341234@fakedomain.com;tag=2375372SIPpTag"...
        res_len = 407
        relayed_code = 408
        relayed_msg = 0xffffffffffffffff
        reply_bak = 0x7fff4bdc6220
        bm = {to_tag_val = {
            s = 0x7fb60a8f6c5f "0a86cd31e4e6805cdd7f1dffc4ec5169-53cd2e21\r\nCall-ID: 4769-2375372@192.168.2.202\r\nCSeq: 801 INVITE\r\nServer: kamailio (5.5.4 (x86_64/linux))\r\nContent-Length: 0\r\n\r\n", len = 41}}
        totag_retr = 0
        reply_status = RPS_COMPLETED
        uas_rb = 0x7fb5cfa8a2c0
        to_tag = 0x7fb60a61cb30 <tm_tag>
        reason = {s = 0x5591e2933463 "Request Timeout", len = 15}
        onsend_params = {req = 0x40, rpl = 0x0, param = 0x1c9f56660, code = -923035960, flags = 32693, branch = 0, t_rbuf = 0x7fff4bdc61b0, dst = 0x5591e27f9149 <futex_release+29>, send_buf = {
            s = 0x2260 <error: Cannot access memory at address 0x2260>, len = -923035960}}
        ip = {af = 3407219152, len = 32693, u = {addrl = {140418773026976, 1}, addr32 = {3407218848, 32693, 1, 0}, addr16 = {2208, 51990, 32693, 0, 1, 0, 0, 0}, addr = "\240\b\026˵\177\000\000\001\000\000\000\000\000\000"}}
        __func__ = "relay_reply"
#5  0x00007fb60a540ec0 in fake_reply (t=0x7fb5cfa8a1f0, branch=0, code=408) at timer.c:295
--Type <RET> for more, q to quit, c to continue without paging--c
        cancel_data = {cancel_bitmap = 0, reason = {cause = 0, u = {text = {s = 0x0, len = -811032080}, e2e_cancel = 0x0, packed_hdrs = {s = 0x0, len = -811032080}}}}
        do_cancel_branch = 1
        reply_status = 730446
#6  0x00007fb60a54132e in final_response_handler (r_buf=0x7fb5cfa8a490, t=0x7fb5cfa8a1f0) at timer.c:462
        silent = 0
        branch_ret = 0
        prev_branch = 0
        now = 0
#7  0x00007fb60a5413f2 in retr_buf_handler (ticks=280654947, tl=0x7fb5cfa8a4b0, p=0x7d0) at timer.c:518
        rbuf = 0x7fb5cfa8a490
        fr_remainder = 0
        retr_remainder = 32693
        retr_interval = 3371932768
        new_retr_interval_ms = 4294967296
        crt_retr_interval_ms = 0
        t = 0x7fb5cfa8a1f0
        __func__ = "retr_buf_handler"
#8  0x00005591e27bda9f in timer_list_expire (t=280654947, h=0x7fb5c8ffdd40, slow_l=0x7fb5c8fff2a8, slow_mark=48435) at core/timer.c:857
        tl = 0x7fb5cfa8a4b0
        ret = 0
#9  0x00005591e27bdfa9 in timer_handler () at core/timer.c:922
        saved_ticks = 280654947
        run_slow_timer = 0
        i = 307
        __func__ = "timer_handler"
#10 0x00005591e27be4ac in timer_main () at core/timer.c:961
No locals.
#11 0x00005591e25066cf in main_loop () at main.c:1839
        i = 12
        pid = 0
        si = 0x0
        si_desc = "udp receiver child=11 sock=192.168.2.201:9060\000\270\000\340e\334K\377\177\000\000\000\000\000\000\000\000\000\000\360e\334K\377\177\000\000)+\373\b\266\177\000\000\b\024l\n\266\177\000\000]q\373\b\266\177", '\000' <repeats 14 times>, "\001\000\000\000\360e\334K\377\177\000\000⌀\342\221U\000"
        nrprocs = 12
        woneinit = 1
        __func__ = "main_loop"
#12 0x00005591e25112ab in main (argc=8, argv=0x7fff4bdc6bd8) at main.c:3053
        cfg_stream = 0x5591e46482d0
        c = -1
        r = 0
        tmp = 0x7fff4bdc8d08 ""
        tmp_len = 0
        port = 0
        proto = 0
        ahost = 0x0
        aport = 0
        options = 0x5591e291d0b8 ":f:cm:M:dVIhEeb:l:L:n:vKrRDTN:W:w:t:u:g:P:G:SQ:O:a:A:x:X:Y:"
        ret = -1
        seed = 529371157
        rfd = 4
        debug_save = 0
        debug_flag = 0
        dont_fork_cnt = 0
        n_lst = 0x0
        p = 0xc2 <error: Cannot access memory at address 0xc2>
        st = {st_dev = 22, st_ino = 2420, st_nlink = 2, st_mode = 16877, st_uid = 0, st_gid = 0, __pad0 = 0, st_rdev = 0, st_size = 60, st_blksize = 4096, st_blocks = 0, st_atim = {tv_sec = 1646813990, tv_nsec = 961425837}, st_mtim = {tv_sec = 1647220116, tv_nsec = 385726158}, st_ctim = {tv_sec = 1647220120, tv_nsec = 853813654}, __glibc_reserved = {0, 0, 0}}
        tbuf = "\020\357\027\v\266\177\000\000\300\372\344\n\001\000\000\000\377\377\377\377", '\000' <repeats 12 times>, "(\326\030\v\266\177\000\000\350\211\033\v\266\177\000\000\377\377\377\377", '\000' <repeats 12 times>, "@\265\343\n\266\177\000\000\020\364\027\v\266\177\000\000\350\224\033\v\266\177\000\000\204\331\030\v\266\177\000\000\060\324\030\v\266\177\000\000XR\001\v\266\177\000\000h\211\033\v\266\177\000\000`\200\033\v\266\177\000\000 l\334K\377\177\000\000\200\221\033\v\266\177\000\000\000\000\000\000\000\000\000\000#\306\031\v\266\177\000\000\001", '\000' <repeats 23 times>, "(\326\030\v\266\177\000\000\060j\334K\377\177\000\000"...
        option_index = 12
        long_options = {{name = 0x5591e291f516 "help", has_arg = 0, flag = 0x0, val = 104}, {name = 0x5591e291a514 "version", has_arg = 0, flag = 0x0, val = 118}, {name = 0x5591e291f51b "alias", has_arg = 1, flag = 0x0, val = 1024}, {name = 0x5591e291f521 "subst", has_arg = 1, flag = 0x0, val = 1025}, {name = 0x5591e291f527 "substdef", has_arg = 1, flag = 0x0, val = 1026}, {name = 0x5591e291f530 "substdefs", has_arg = 1, flag = 0x0, val = 1027}, {name = 0x5591e291f53a "server-id", has_arg = 1, flag = 0x0, val = 1028}, {name = 0x5591e291f544 "loadmodule", has_arg = 1, flag = 0x0, val = 1029}, {name = 0x5591e291f54f "modparam", has_arg = 1, flag = 0x0, val = 1030}, {name = 0x5591e291f558 "log-engine", has_arg = 1, flag = 0x0, val = 1031}, {name = 0x5591e291f563 "debug", has_arg = 1, flag = 0x0, val = 1032}, {name = 0x5591e291f569 "cfg-print", has_arg = 0, flag = 0x0, val = 1033}, {name = 0x5591e291f573 "atexit", has_arg = 1, flag = 0x0, val = 1034}, {name = 0x0, has_arg = 0, flag = 0x0, val = 0}}
        __func__ = "main"
(gdb) info locals
cb = 0x7fb609ce7a23 <dlg_iuid_sfree>
__func__ = "run_dlg_callbacks"
(gdb) list
268
269         for ( cb=dlg->cbs.first; cb; cb=cb->next) {
270                 if ( (cb->types)&type ) {
271                         LM_DBG("dialog=%p, type=%d\n", dlg, type);
272                         params.param = &cb->param;
273                         cb->callback( dlg, type, &params );
274                 }
275         }
276         return;
277 }
(gdb)
```
### Additional Information
* **Kamailio Version** - output of `kamailio -v`
```
version: kamailio 5.5.4 (x86_64/linux) 54c9df
flags: USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLOCKLIST, HAVE_RESOLV_RES, TLS_PTHREAD_MUTEX_SHARED
ADAPTIVE_WAIT_LOOPS 1024, MAX_RECV_BUFFER_SIZE 262144, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: 54c9df
compiled on 10:32:51 Mar 9 2022 with gcc 10.2.1
```
* **Operating System**:
```
[root@lab002201-flip-server ~]$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 11 (bullseye)
Release:        11
Codename:       bullseye

[root@lab002201-flip-server ~]$ uname -a
Linux lab002201-flip-server 5.10.0-11-amd64 #1 SMP Debian 5.10.92-2 (2022-02-28) x86_64 GNU/Linux
```
Thanks for the report. Did you observe this once so far, or does it happen at different intervals? Just trying to sort out eventual (virtual) hardware issues and the like.
I have prepared four load test environments. The above crash happened only once so far. Another instance of kamailio crashed at a different location #3107 but it might be related as both seem to have been processing locally generated '408 Request Timeout' (from what I can infer from the backtrace). The remaining two load test environments are still running fine.
I am also facing a similar issue with kamailio 5.4.1; unfortunately I am unable to collect debugging data. In my scenario, kamailio first gives a timeout on the ctl unix socket, as I am scraping data using a prometheus exporter; after a few minutes it stops responding to any SIP request on the default/production UDP port used for SIP traffic.
The other listening port, which is used by the keepalive check script for ping-pong, keeps responding to option messages.
It's very random behaviour; it occurs after 2-4 months, with the system having a load average of 200-350 concurrent calls.
This issue is stale because it has been open 6 weeks with no activity. Remove stale label or comment or this will be closed in 2 weeks.
Version 5.5 is now end of life. So if you only observed it once, you can probably try to update to 5.6.x or 5.7.x and see if it still happens. Closing this issue for now.
Closed #3106 as completed.