[kamailio/kamailio] Kamailio crash on http_async_client module callback invocation (Issue #4019)
7 Nov
2024
7 Nov
'24
12:13 p.m.
### Description
Kamailio service crashed occasionally on `sock_cb` callback function of
`http_async_client` module
#### Reproduction
The crash happens occasionally, no specific conditions have been identified for this
issue.
#### Debugging Data
```
Program terminated with signal SIGSEGV, Segmentation fault.
(gdb) bt full
#0 0x0000ffff9f4205e4 in event_del_ () from /lib64/libevent-2.1.so.6
No symbol table info available.
#1 0x0000ffff9e7c9b24 in sock_cb (e=0xffffa2027ba8, s=9, what=4, cbp=0xffffa1c0fe58,
sockp=0xffffa202d258) at http_multi.c:166
g = 0xffffa1c0fe58
cell = 0xffffa202d258
whatstr = {0xffff9e7eb508 "none", 0xffff9e7eb510 "IN",
0xffff9e7eb518 "OUT", 0xffff9e7eb520 "INOUT", 0xffff9e7eb528
"REMOVE"}
__func__ = "sock_cb"
#2 0x0000ffff9e73ffa8 in Curl_multi_closed () from /lib64/libcurl.so.4
No symbol table info available.
#3 0x0000ffff9e73d43c in Curl_closesocket () from /lib64/libcurl.so.4
No symbol table info available.
#4 0x0000ffff9e72c8f8 in conn_free.part () from /lib64/libcurl.so.4
No symbol table info available.
#5 0x0000ffff9e72d544 in Curl_disconnect () from /lib64/libcurl.so.4
No symbol table info available.
#6 0x0000ffff9e740948 in multi_done () from /lib64/libcurl.so.4
No symbol table info available.
#7 0x0000ffff9e742b10 in curl_multi_remove_handle () from /lib64/libcurl.so.4
No symbol table info available.
#8 0x0000ffff9e7c7f2c in event_cb (fd=59, kind=1, userp=0xffffa2027ba8) at
http_multi.c:123
error = 0xffff9e7eac70 "TIMEOUT"
g = 0xffffa1c0fe58
rc = 1968268110
easy = 0xffffa2027ba8
cell = 0xffffa202d258
__func__ = "event_cb"
action = 0
#9 0x0000ffff9f423628 in event_process_active_single_queue () from
/lib64/libevent-2.1.so.6
No symbol table info available.
#10 0x0000ffff9f423ee8 in event_base_loop () from /lib64/libevent-2.1.so.6
No symbol table info available.
#11 0x0000ffff9e7b7160 in async_http_run_worker (worker=0xffffa1606ed8) at
async_http.c:95
ret = 65535
__func__ = "async_http_run_worker"
#12 0x0000ffff9e7dc364 in child_init (rank=0) at http_async_client_mod.c:380
pid = 0
i = 0
__func__ = "child_init"
#13 0x0000000000607fa8 in init_mod_child (m=0xffffb136c2f0, rank=0) at
core/sr_module.c:899
--Type <RET> for more, q to quit, c to continue without paging--
ret = 0
__func__ = "init_mod_child"
#14 0x0000000000607b38 in init_mod_child (m=0xffffb136d018, rank=0) at
core/sr_module.c:892
ret = 0
__func__ = "init_mod_child"
#15 0x0000000000607b38 in init_mod_child (m=0xffffb136ead0, rank=0) at
core/sr_module.c:892
ret = 0
__func__ = "init_mod_child"
#16 0x0000000000607b38 in init_mod_child (m=0xffffb13a98f8, rank=0) at
core/sr_module.c:892
ret = 0
__func__ = "init_mod_child"
#17 0x0000000000607b38 in init_mod_child (m=0xffffb140ab28, rank=0) at
core/sr_module.c:892
ret = 0
__func__ = "init_mod_child"
#18 0x0000000000607b38 in init_mod_child (m=0xffffb145ebf8, rank=0) at
core/sr_module.c:892
ret = 1
__func__ = "init_mod_child"
#19 0x00000000006089c4 in init_child (rank=0) at core/sr_module.c:953
ret = -783429656
type = 0x923dc0 "PROC_MAIN"
__func__ = "init_child"
#20 0x0000000000433030 in main_loop () at main.c:1843
i = 8
pid = 2823204
si = 0x0
si_desc = "udp receiver child=7
sock=[2605:84c0:48:205:1::6]:5080\000\000\220\036ٰ\377\377\000\000
\321M\321\377\377\000\000h\220\066\261\377\377\000\000\320\377\377\377\200\377\377\377\020\321M\321\377\377\000\000
\321M\321\377\377\000\000
\321M\321\377\377\000\000\360\320M\321\377\377\000\000\320\377\377\377\200\377\377\377"
nrprocs = 8
woneinit = 1
__func__ = "main_loop"
#21 0x000000000043f4e8 in main (argc=11, argv=0xffffd14dd6a8) at main.c:3086
cfg_stream = 0xc2502a0
c = -1
r = 0
tmp = 0xffffd14dfe34 ""
tmp_len = 0
port = 0
proto = 65535
ahost = 0x0
--Type <RET> for more, q to quit, c to continue without paging--
aport = 0
options = 0x8e7c08
":f:cm:M:dVIhEeb:l:L:n:vKrRDTN:W:w:t:u:g:P:G:SQ:O:a:A:x:X:Y:"
ret = -1
seed = 203142350
rfd = 4
debug_save = 0
debug_flag = 0
dont_fork_cnt = 2
n_lst = 0xffffffff
p = 0xffffb3d34348 <__libc_start_main+160> ""
st = {st_dev = 25, st_ino = 18459, st_mode = 16877, st_nlink = 3, st_uid = 0,
st_gid = 987, st_rdev = 0, __pad1 = 0, st_size = 80, st_blksize = 65536,
__pad2 = 0, st_blocks = 0, st_atim = {tv_sec = 1707863213, tv_nsec = 9999979},
st_mtim = {tv_sec = 1729635590, tv_nsec = 702238079}, st_ctim = {
tv_sec = 1729635598, tv_nsec = 32030431}, __glibc_reserved = {0, 0}}
tbuf = '\000' <repeats 56 times>,
"x\376\b\264\377\377\000\000h\376\b\264\377\377\000\000\b\376\b\264\377\377\000\000(\376\b\264\377\377\000\000\070\376\b\264\377\377\000\000\250\376\b\264\377\377\000\000\270\376\b\264\377\377\000\000\310\376\b\264\377\377\000\000H\376\b\264\377\377\000\000X\376\b\264\377\377",
'\000' <repeats 18 times>, "\330\375\b\264\377\377",
'\000' <repeats 42 times>...
option_index = 12
long_options = {{name = 0x8e9fe0 "help", has_arg = 0, flag = 0x0, val =
104}, {name = 0x8e4e48 "version", has_arg = 0, flag = 0x0, val = 118}, {
name = 0x8e9fe8 "alias", has_arg = 1, flag = 0x0, val = 1024}, {name
= 0x8e9ff0 "subst", has_arg = 1, flag = 0x0, val = 1025}, {name = 0x8e9ff8
"substdef",
has_arg = 1, flag = 0x0, val = 1026}, {name = 0x8ea008 "substdefs",
has_arg = 1, flag = 0x0, val = 1027}, {name = 0x8ea018 "server-id", has_arg = 1,
flag = 0x0, val = 1028}, {name = 0x8ea028 "loadmodule", has_arg = 1,
flag = 0x0, val = 1029}, {name = 0x8ea038 "modparam", has_arg = 1, flag = 0x0,
val = 1030}, {name = 0x8ea048 "log-engine", has_arg = 1, flag = 0x0,
val = 1031}, {name = 0x8ea058 "debug", has_arg = 1, flag = 0x0, val = 1032}, {
name = 0x8ea060 "cfg-print", has_arg = 0, flag = 0x0, val = 1033},
{name = 0x8ea070 "atexit", has_arg = 1, flag = 0x0, val = 1034}, {
name = 0x8ea078 "all-errors", has_arg = 0, flag = 0x0, val = 1035},
{name = 0x0, has_arg = 0, flag = 0x0, val = 0}}
__func__ = "main"
(gdb) f 8
#8 0x0000ffff9e7c7f2c in event_cb (fd=59, kind=1, userp=0xffffa2027ba8) at
http_multi.c:123
123 curl_multi_remove_handle(g->multi, easy);
(gdb) f 1
#1 0x0000ffff9e7c9b24 in sock_cb (e=0xffffa2027ba8, s=9, what=4, cbp=0xffffa1c0fe58,
sockp=0xffffa202d258) at http_multi.c:166
166 event_del(cell->ev);
(gdb) p cell
$1 = (struct http_m_cell *) 0xffffa202d258
(gdb) p cell->ev
$2 = (struct event *) 0x92fbf0
(gdb) p *cell->ev
$3 = {type = 1701998435, name = {s = 0x615f7273752f6572 <error: Cannot access memory at
address 0x615f7273752f6572>, len = 1663987830}, params = {hooks = {contact = {
expires = 0x7273752f65726f63, q = 0x632e7076615f, methods = 0x5b203e65726f633c,
received = 0x7273752f65726f63, instance = 0x393a632e7076615f,
reg_id = 0x203a5d32, ob = 0x6f6e20646c756f63, flags = 0x61636f6c6c612074}, uri =
{transport = 0x7273752f65726f63, lr = 0x632e7076615f, r2 = 0x5b203e65726f633c,
maddr = 0x7273752f65726f63, ttl = 0x393a632e7076615f, dstip = 0x203a5d32, dstport
= 0x6f6e20646c756f63, ftag = 0x61636f6c6c612074, ob = 0x6572616873206574},
event_dialog = {call_id = 0x7273752f65726f63, from_tag = 0x632e7076615f, to_tag =
0x5b203e65726f633c, include_session_description = 0x7273752f65726f63,
sla = 0x393a632e7076615f, ma = 0x203a5d32}}, list = 0x79726f6d656d2064}}
```
As it's seen in the stack backtrace the `cell` object is already released at the
moment when `event_del` with this object is called.
#### Log Messages
-
#### SIP Traffic
-
### Possible Solutions
-
### Additional Information
```
[centos@esrp-1b ~]$ kamailio -v
version: kamailio 5.7.2 (aarch64/linux) 968dbe
flags: USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST,
DNS_IP_HACK, SHM_MMAP, PKG_MALLOC, MEM_JOIN_FREE, Q_MALLOC, F_MALLOC, TLSF_MALLOC,
DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT-NOSMP, USE_DNS_CACHE, USE_DNS_FAILOVER,
USE_NAPTR, USE_DST_BLOCKLIST, HAVE_RESOLV_RES, TLS_PTHREAD_MUTEX_SHARED
ADAPTIVE_WAIT_LOOPS 1024, MAX_RECV_BUFFER_SIZE 262144, MAX_URI_SIZE 1024, BUF_SIZE 65535,
DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: 968dbe
compiled on 19:25:05 Nov 10 2023 with gcc 8.5.0
```
* **Operating System**:
```
[centos@esrp-1b ~]$ cat /etc/centos-release
CentOS Stream release 8
[centos@esrp-1b ~]$ uname -a
Linux esrp-1b.fl.base911.com 4.18.0-536.el8.aarch64 #1 SMP Thu Jan 18 15:21:54 UTC 2024
aarch64 aarch64 aarch64 GNU/Linux
```
--
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/4019
You are receiving this because you are subscribed to this thread.
Message ID: <kamailio/kamailio/issues/4019(a)github.com>
7 Nov
7 Nov
1:50 p.m.
Are you on OpenSSL 3.x library on this distribution and are using https? Then you should
upgrade at least to the latest bugfix release of 5.7 branch, e.g. 5.7.6. There have been
important bugfixes for this module. Even if this is not the case, an upgrade is probably a
good idea.
--
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/4019#issuecomment-2462983011
You are receiving this because you are subscribed to this thread.
Message ID: &lt;kamailio/kamailio/issues/4019/2462983011(a)github.com&gt;
2:29 p.m.
The same crash happens on kamailio 5.8.2
```
[centos@esrp-0a ~]$ cat /etc/centos-release
CentOS Stream release 8
[centos@esrp-0a ~]$ uname -a
Linux esrp-0a.fl.nga911.com 4.18.0-536.el8.aarch64 #1 SMP Thu Jan 18 15:21:54 UTC 2024
aarch64 aarch64 aarch64 GNU/Linux
[centos@esrp-0a coredump]# sudo rpm -qa | grep openssl
openssl-devel-1.1.1k-12.el8.aarch64
openssl-libs-1.1.1k-12.el8.aarch64
openssl-1.1.1k-12.el8.aarch64
[centos@esrp-0a ~]$ kamailio -v
version: kamailio 5.8.2 (aarch64/linux) f0f03c-dirty
flags: USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST,
DNS_IP_HACK, SHM_MMAP, PKG_MALLOC, MEM_JOIN_FREE, Q_MALLOC, F_MALLOC, TLSF_MALLOC,
DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT-NOSMP, USE_DNS_CACHE, USE_DNS_FAILOVER,
USE_NAPTR, USE_DST_BLOCKLIST, HAVE_RESOLV_RES, TLS_PTHREAD_MUTEX_SHARED
ADAPTIVE_WAIT_LOOPS 1024, MAX_RECV_BUFFER_SIZE 262144, MAX_SEND_BUFFER_SIZE 262144,
MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: f0f03c -dirty
compiled on 18:18:25 Jul 17 2024 with gcc 8.5.0
```
This is stack backtrace for this crash on kamailio 5.8.2, it looks the same
```
(gdb) bt full
#0 0x0000ffff9e7f05d8 in event_del_ () from /lib64/libevent-2.1.so.6
No symbol table info available.
#1 0x0000ffff9db99c14 in sock_cb (e=0xffffa11cdb80, s=9, what=4, cbp=0xffffa106c4b0,
sockp=0xffffa11fb400) at http_multi.c:170
g = 0xffffa106c4b0
cell = 0xffffa11fb400
whatstr = {0xffff9dbbb718 "none", 0xffff9dbbb720
"IN", 0xffff9dbbb728 "OUT", 0xffff9dbbb730
"INOUT", 0xffff9dbbb738 "REMOVE"}
__func__ = "sock_cb"
#2 0x0000ffff9db0ffa8 in Curl_multi_closed () from /lib64/libcurl.so.4
No symbol table info available.
#3 0x0000ffff9db0d43c in Curl_closesocket () from /lib64/libcurl.so.4
No symbol table info available.
#4 0x0000ffff9dafc8f8 in conn_free.part () from /lib64/libcurl.so.4
No symbol table info available.
#5 0x0000ffff9dafd544 in Curl_disconnect () from /lib64/libcurl.so.4
No symbol table info available.
#6 0x0000ffff9db10948 in multi_done () from /lib64/libcurl.so.4
No symbol table info available.
#7 0x0000ffff9db12b10 in curl_multi_remove_handle () from /lib64/libcurl.so.4
No symbol table info available.
#8 0x0000ffff9db9801c in event_cb (fd=59, kind=1, userp=0xffffa11cdb80) at
http_multi.c:124
error = 0xffff9dbbae80 "TIMEOUT"
g = 0xffffa106c4b0
rc = 2040172201
easy = 0xffffa11cdb80
cell = 0xffffa11fb400
__func__ = "event_cb"
action = 0
#9 0x0000ffff9e7f3628 in event_process_active_single_queue () from
/lib64/libevent-2.1.so.6
No symbol table info available.
#10 0x0000ffff9e7f3ee8 in event_base_loop () from /lib64/libevent-2.1.so.6
No symbol table info available.
#11 0x0000ffff9db87250 in async_http_run_worker (worker=0xffffa09e0f40) at
async_http.c:95
ret = 65535
__func__ = "async_http_run_worker"
#12 0x0000ffff9dbac578 in child_init (rank=0) at http_async_client_mod.c:388
pid = 0
i = 0
__func__ = "child_init"
#13 0x00000000005fd458 in init_mod_child (m=0xffffb086bd80, rank=0) at
core/sr_module.c:920
ret = 0
__func__ = "init_mod_child"
#14 0x00000000005fcfe8 in init_mod_child (m=0xffffb086cba0, rank=0) at
core/sr_module.c:912
ret = 0
__func__ = "init_mod_child"
#15 0x00000000005fcfe8 in init_mod_child (m=0xffffb086e740, rank=0) at
core/sr_module.c:912
ret = 0
__func__ = "init_mod_child"
#16 0x00000000005fcfe8 in init_mod_child (m=0xffffb08aaf90, rank=0) at
core/sr_module.c:912
ret = 0
__func__ = "init_mod_child"
#17 0x00000000005fcfe8 in init_mod_child (m=0xffffb090dbe0, rank=0) at
core/sr_module.c:912
ret = 0
__func__ = "init_mod_child"
#18 0x00000000005fcfe8 in init_mod_child (m=0xffffb09634e0, rank=0) at
core/sr_module.c:912
ret = 1
__func__ = "init_mod_child"
#19 0x00000000005fde74 in init_child (rank=0) at core/sr_module.c:999
ret = -762743888
type = 0x939e78 "PROC_MAIN"
__func__ = "init_child"
#20 0x00000000004339e0 in main_loop () at main.c:1942
i = 8
pid = 3440811
si = 0x0
si_desc = "udp receiver child=7
sock=[2605:84c0:4a:204:1::6]:5080\000\000\270\322&\260\377\377\000\000\360t\211\322\377\377\000\000\020\211\206\260\377\377\000\000\300t\211\322\377\377\000\000\320\377\377\377\200\377\377\377\340t\211\322\377\377\000\000\360t\211\322\377\377\000\000\360t\211\322\377\377\000\000\300t\211\322\377\377\000"
nrprocs = 8
woneinit = 1
__func__ = "main_loop"
#21 0x0000000000440020 in main (argc=11, argv=0xffffd2897a88) at main.c:3256
cfg_stream = 0x2c8702a0
c = -1
r = 0
tmp = 0xffffd289fe34 ""
tmp_len = 65535
port = 5060
proto = 0
aproto = 0
ahost = 0x0
aport = 0
options = 0x8fd0b8
":f:cm:M:dVIhEeb:B:l:L:n:vKrRDTN:W:w:t:u:g:P:G:SQ:O:a:A:x:X:Y:"
ret = -1
seed = 1933999959
rfd = 4
debug_save = 0
debug_flag = 0
dont_fork_cnt = 2
n_lst = 0xffffb3276390 <__pthread_initialize_minimal+688>
p = 0xffffb3114348 <__libc_start_main+160> ""
st = {st_dev = 25, st_ino = 18453, st_mode = 16877, st_nlink = 3, st_uid = 0,
st_gid = 987, st_rdev = 0, __pad1 = 0, st_size = 80, st_blksize = 65536, __pad2 = 0,
st_blocks = 0, st_atim = {tv_sec = 1708716961, tv_nsec = 749999981}, st_mtim = {tv_sec =
1730276508, tv_nsec = 825303614}, st_ctim = {tv_sec = 1730276531, tv_nsec = 494692804},
__glibc_reserved = {0, 0}}
l1 = 256
tbuf = "\330\375F\263\377\377", '\000'
<repeats 58 times>,
"x\376F\263\377\377\000\000h\376F\263\377\377\000\000\b\376F\263\377\377\000\000(\376F\263\377\377\000\000\070\376F\263\377\377\000\000\250\376F\263\377\377\000\000\270\376F\263\377\377\000\000\310\376F\263\377\377\000\000H\376F\263\377\377\000\000X\376F\263\377\377",
'\000' <repeats 18 times>,
"\330\375F\263\377\377", '\000' <repeats 42
times>...
option_index = 12
long_options = {{name = 0x8ff528 "help", has_arg = 0, flag =
0x0, val = 104}, {name = 0x8fa228 "version", has_arg = 0, flag = 0x0,
val = 118}, {name = 0x8ff530 "alias", has_arg = 1, flag = 0x0, val =
1024}, {name = 0x8ff538 "subst", has_arg = 1, flag = 0x0, val = 1025},
{name = 0x8ff540 "substdef", has_arg = 1, flag = 0x0, val = 1026}, {name
= 0x8ff550 "substdefs", has_arg = 1, flag = 0x0, val = 1027}, {name =
0x8ff560 "server-id", has_arg = 1, flag = 0x0, val = 1028}, {name =
0x8ff570 "loadmodule", has_arg = 1, flag = 0x0, val = 1029}, {name =
0x8ff580 "modparam", has_arg = 1, flag = 0x0, val = 1030}, {name =
0x8ff590 "log-engine", has_arg = 1, flag = 0x0, val = 1031}, {name =
0x8ff5a0 "debug", has_arg = 1, flag = 0x0, val = 1032}, {name = 0x8ff5a8
"cfg-print", has_arg = 0, flag = 0x0, val = 1033}, {name = 0x8ff5b8
"atexit", has_arg = 1, flag = 0x0, val = 1034}, {name = 0x8ff5c0
"all-errors", has_arg = 0, flag = 0x0, val = 1035}, {name = 0x0, has_arg
= 0, flag = 0x0, val = 0}}
__func__ = "main"
```
--
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/4019#issuecomment-2463049220
You are receiving this because you are subscribed to this thread.
Message ID: &lt;kamailio/kamailio/issues/4019/2463049220(a)github.com&gt;
8 Nov
8 Nov
5:03 a.m.
Just for completeness, in order for the tls fixes from the update to work its also
necessary to set tls_threads_mode = 2. But as you suggested in the linked PR, its probably
another issue.
--
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/4019#issuecomment-2464294064
You are receiving this because you are subscribed to this thread.
Message ID: &lt;kamailio/kamailio/issues/4019/2464294064(a)github.com&gt;
20 Dec
20 Dec
9:59 p.m.
This issue is stale because it has been open 6 weeks with no activity. Remove stale label
or comment or this will be closed in 2 weeks.
--
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/4019#issuecomment-2557967993
You are receiving this because you commented.
Message ID: <kamailio/kamailio/issues/4019/2557967993(a)github.com>
21 Dec
21 Dec
7:01 a.m.
Closed #4019 as completed.
--
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/4019#event-15739425768
You are receiving this because you commented.
Message ID: <kamailio/kamailio/issue/4019/issue_event/15739425768(a)github.com>
7:01 a.m.
Fixed by https://github.com/kamailio/kamailio/pull/4020.
--
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/4019#issuecomment-2558096111
You are receiving this because you commented.
Message ID: <kamailio/kamailio/issues/4019/2558096111(a)github.com>
9
days inactive
53
days old
6 comments
4 participants
participants (4)
-
Federico Cabiddu -
github-actions[bot]
-
Henning Westerholt
-
Ivanuschak Nikolay