[sr-dev] [kamailio/kamailio] kamailio 5.5 (commit 54c9df) SIGSEGV on run_dlg_callbacks (Issue #3106)

MayamaTakeshi notifications at github.com
Fri May 13 07:11:09 CEST 2022


### Description

The crash (SIGSEGV) occurred during a load test. In the backtrace below, run_dlg_callbacks is reached from dlg_onreply while tm delivers a locally generated 408 timeout (fake_reply), so `rpl=0xffffffffffffffff` is the tm module's FAKED_REPLY sentinel rather than a real message; note also that the `cb` list pointer resolves to the code address of dlg_iuid_sfree instead of a callback structure, which suggests the dialog's callback list had already been freed or overwritten when it was walked.

#### Reproduction

It cannot be reproduced on demand; it happened after about 40 days of continuous load testing.

#### Debugging Data

```
[root at lab002201-flip-server ~]$ gdb /usr/local/src/git/kamailio-5.5/src/kamailio /core 
GNU gdb (Debian 10.1-1.7) 10.1.90.20210103-git
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/local/src/git/kamailio-5.5/src/kamailio...

warning: Can't open file /dev/zero (deleted) during file-backed mapping note processing
[New LWP 730446]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/usr/local/src/git/kamailio-5.5/src/kamailio -m 1024 -f /usr/local/etc/kamailio'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007fb609cba495 in run_dlg_callbacks (type=4, dlg=0x7fb5ca1798d0, req=0x7fb5ce0a7380, rpl=0xffffffffffffffff, dir=2, dlg_data=0x0) at dlg_cb.c:273
273				cb->callback( dlg, type, &params );
(gdb) bt full
#0  0x00007fb609cba495 in run_dlg_callbacks (type=4, dlg=0x7fb5ca1798d0, req=0x7fb5ce0a7380, rpl=0xffffffffffffffff, dir=2, dlg_data=0x0) at dlg_cb.c:273
        cb = 0x7fb609ce7a23 <dlg_iuid_sfree>
        __func__ = "run_dlg_callbacks"
#1  0x00007fb609ceb3ee in dlg_onreply (t=0x7fb5cfa8a1f0, type=1048576, param=0x7fff4bdc6060) at dlg_handlers.c:576
        dlg = 0x7fb5ca1798d0
        iuid = 0x7fb5cca0bbf0
        new_state = 5
        old_state = 2
        unref = 1
        event = 4
        tag = {s = 0x80d000001ff <error: Cannot access memory at address 0x80d000001ff>, len = 174085573}
        req = 0x7fb5ce0a7380
        rpl = 0xffffffffffffffff
        __func__ = "dlg_onreply"
#2  0x00007fb60a53c399 in run_trans_callbacks_internal (cb_lst=0x7fb5cfa8a268, type=1048576, trans=0x7fb5cfa8a1f0, params=0x7fff4bdc6060) at t_hooks.c:258
        cbp = 0x7fb5cb5b2520
        backup_from = 0x5591e2acbe90 <def_list+16>
        backup_to = 0x5591e2acbe98 <def_list+24>
        backup_dom_from = 0x5591e2acbea0 <def_list+32>
        backup_dom_to = 0x5591e2acbea8 <def_list+40>
        backup_uri_from = 0x5591e2acbe80 <def_list>
        backup_uri_to = 0x5591e2acbe88 <def_list+8>
        backup_xavps = 0x5591e2acbfd8 <_xavp_list_head>
        backup_xavus = 0x5591e2acbfe0 <_xavu_list_head>
        backup_xavis = 0x5591e2acbfe8 <_xavi_list_head>
        __func__ = "run_trans_callbacks_internal"
#3  0x00007fb60a53c5b2 in run_trans_callbacks_with_buf (type=1048576, rbuf=0x7fb5cfa8a2c0, req=0x7fb5ce0a7380, repl=0xffffffffffffffff, flags=0) at t_hooks.c:303
        params = {req = 0x7fb5ce0a7380, rpl = 0xffffffffffffffff, param = 0x7fb5cb5b2530, code = 408, flags = 0, branch = 0, t_rbuf = 0x7fb5cfa8a2c0, dst = 0x7fb5cfa8a310, send_buf = {
            s = 0x7fb5caa9cda0 "SIP/2.0 408 Request Timeout\r\nVia: SIP/2.0/UDP 192.168.2.202:5020;rport=5020;branch=z9hG4bK-2375372-4769-10;received=192.168.2.202\r\nFrom: \"0312341234\" <sip:0312341234 at fakedomain.com>;tag=2375372SIPpTag"..., len = 407}}
        trans = 0x7fb5cfa8a1f0
#4  0x00007fb60a5b322d in relay_reply (t=0x7fb5cfa8a1f0, p_msg=0xffffffffffffffff, branch=0, msg_status=408, cancel_data=0x7fff4bdc6280, do_put_on_wait=0) at t_reply.c:2094
        relay = 0
        save_clone = 0
        buf = 0x7fb60a8f6b68 "SIP/2.0 408 Request Timeout\r\nVia: SIP/2.0/UDP 192.168.2.202:5020;rport=5020;branch=z9hG4bK-2375372-4769-10;received=192.168.2.202\r\nFrom: \"0312341234\" <sip:0312341234 at fakedomain.com>;tag=2375372SIPpTag"...
        res_len = 407
        relayed_code = 408
        relayed_msg = 0xffffffffffffffff
        reply_bak = 0x7fff4bdc6220
        bm = {to_tag_val = {
            s = 0x7fb60a8f6c5f "0a86cd31e4e6805cdd7f1dffc4ec5169-53cd2e21\r\nCall-ID: 4769-2375372 at 192.168.2.202\r\nCSeq: 801 INVITE\r\nServer: kamailio (5.5.4 (x86_64/linux))\r\nContent-Length: 0\r\n\r\n", len = 41}}
        totag_retr = 0
        reply_status = RPS_COMPLETED
        uas_rb = 0x7fb5cfa8a2c0
        to_tag = 0x7fb60a61cb30 <tm_tag>
        reason = {s = 0x5591e2933463 "Request Timeout", len = 15}
        onsend_params = {req = 0x40, rpl = 0x0, param = 0x1c9f56660, code = -923035960, flags = 32693, branch = 0, t_rbuf = 0x7fff4bdc61b0, dst = 0x5591e27f9149 <futex_release+29>, send_buf = {
            s = 0x2260 <error: Cannot access memory at address 0x2260>, len = -923035960}}
        ip = {af = 3407219152, len = 32693, u = {addrl = {140418773026976, 1}, addr32 = {3407218848, 32693, 1, 0}, addr16 = {2208, 51990, 32693, 0, 1, 0, 0, 0}, 
            addr = "\240\b\026˵\177\000\000\001\000\000\000\000\000\000"}}
        __func__ = "relay_reply"
#5  0x00007fb60a540ec0 in fake_reply (t=0x7fb5cfa8a1f0, branch=0, code=408) at timer.c:295
--Type <RET> for more, q to quit, c to continue without paging--c
        cancel_data = {cancel_bitmap = 0, reason = {cause = 0, u = {text = {s = 0x0, len = -811032080}, e2e_cancel = 0x0, packed_hdrs = {s = 0x0, len = -811032080}}}}
        do_cancel_branch = 1
        reply_status = 730446
#6  0x00007fb60a54132e in final_response_handler (r_buf=0x7fb5cfa8a490, t=0x7fb5cfa8a1f0) at timer.c:462
        silent = 0
        branch_ret = 0
        prev_branch = 0
        now = 0
#7  0x00007fb60a5413f2 in retr_buf_handler (ticks=280654947, tl=0x7fb5cfa8a4b0, p=0x7d0) at timer.c:518
        rbuf = 0x7fb5cfa8a490
        fr_remainder = 0
        retr_remainder = 32693
        retr_interval = 3371932768
        new_retr_interval_ms = 4294967296
        crt_retr_interval_ms = 0
        t = 0x7fb5cfa8a1f0
        __func__ = "retr_buf_handler"
#8  0x00005591e27bda9f in timer_list_expire (t=280654947, h=0x7fb5c8ffdd40, slow_l=0x7fb5c8fff2a8, slow_mark=48435) at core/timer.c:857
        tl = 0x7fb5cfa8a4b0
        ret = 0
#9  0x00005591e27bdfa9 in timer_handler () at core/timer.c:922
        saved_ticks = 280654947
        run_slow_timer = 0
        i = 307
        __func__ = "timer_handler"
#10 0x00005591e27be4ac in timer_main () at core/timer.c:961
No locals.
#11 0x00005591e25066cf in main_loop () at main.c:1839
        i = 12
        pid = 0
        si = 0x0
        si_desc = "udp receiver child=11 sock=192.168.2.201:9060\000\270\000\340e\334K\377\177\000\000\000\000\000\000\000\000\000\000\360e\334K\377\177\000\000)+\373\b\266\177\000\000\b\024l\n\266\177\000\000]q\373\b\266\177", '\000' <repeats 14 times>, "\001\000\000\000\360e\334K\377\177\000\000⌀\342\221U\000"
        nrprocs = 12
        woneinit = 1
        __func__ = "main_loop"
#12 0x00005591e25112ab in main (argc=8, argv=0x7fff4bdc6bd8) at main.c:3053
        cfg_stream = 0x5591e46482d0
        c = -1
        r = 0
        tmp = 0x7fff4bdc8d08 ""
        tmp_len = 0
        port = 0
        proto = 0
        ahost = 0x0
        aport = 0
        options = 0x5591e291d0b8 ":f:cm:M:dVIhEeb:l:L:n:vKrRDTN:W:w:t:u:g:P:G:SQ:O:a:A:x:X:Y:"
        ret = -1
        seed = 529371157
        rfd = 4
        debug_save = 0
        debug_flag = 0
        dont_fork_cnt = 0
        n_lst = 0x0
        p = 0xc2 <error: Cannot access memory at address 0xc2>
        st = {st_dev = 22, st_ino = 2420, st_nlink = 2, st_mode = 16877, st_uid = 0, st_gid = 0, __pad0 = 0, st_rdev = 0, st_size = 60, st_blksize = 4096, st_blocks = 0, st_atim = {tv_sec = 1646813990, tv_nsec = 961425837}, st_mtim = {tv_sec = 1647220116, tv_nsec = 385726158}, st_ctim = {tv_sec = 1647220120, tv_nsec = 853813654}, __glibc_reserved = {0, 0, 0}}
        tbuf = "\020\357\027\v\266\177\000\000\300\372\344\n\001\000\000\000\377\377\377\377", '\000' <repeats 12 times>, "(\326\030\v\266\177\000\000\350\211\033\v\266\177\000\000\377\377\377\377", '\000' <repeats 12 times>, "@\265\343\n\266\177\000\000\020\364\027\v\266\177\000\000\350\224\033\v\266\177\000\000\204\331\030\v\266\177\000\000\060\324\030\v\266\177\000\000XR\001\v\266\177\000\000h\211\033\v\266\177\000\000`\200\033\v\266\177\000\000 l\334K\377\177\000\000\200\221\033\v\266\177\000\000\000\000\000\000\000\000\000\000#\306\031\v\266\177\000\000\001", '\000' <repeats 23 times>, "(\326\030\v\266\177\000\000\060j\334K\377\177\000\000"...
        option_index = 12
        long_options = {{name = 0x5591e291f516 "help", has_arg = 0, flag = 0x0, val = 104}, {name = 0x5591e291a514 "version", has_arg = 0, flag = 0x0, val = 118}, {name = 0x5591e291f51b "alias", has_arg = 1, flag = 0x0, val = 1024}, {name = 0x5591e291f521 "subst", has_arg = 1, flag = 0x0, val = 1025}, {name = 0x5591e291f527 "substdef", has_arg = 1, flag = 0x0, val = 1026}, {name = 0x5591e291f530 "substdefs", has_arg = 1, flag = 0x0, val = 1027}, {name = 0x5591e291f53a "server-id", has_arg = 1, flag = 0x0, val = 1028}, {name = 0x5591e291f544 "loadmodule", has_arg = 1, flag = 0x0, val = 1029}, {name = 0x5591e291f54f "modparam", has_arg = 1, flag = 0x0, val = 1030}, {name = 0x5591e291f558 "log-engine", has_arg = 1, flag = 0x0, val = 1031}, {name = 0x5591e291f563 "debug", has_arg = 1, flag = 0x0, val = 1032}, {name = 0x5591e291f569 "cfg-print", has_arg = 0, flag = 0x0, val = 1033}, {name = 0x5591e291f573 "atexit", has_arg = 1, flag = 0x0, val = 1034}, {name = 0x0, has_arg = 0, flag = 0x0, val = 0}}
        __func__ = "main"
(gdb) info locals
cb = 0x7fb609ce7a23 <dlg_iuid_sfree>
__func__ = "run_dlg_callbacks"
(gdb) list
268	
269		for ( cb=dlg->cbs.first; cb; cb=cb->next)  {
270			if ( (cb->types)&type ) {
271				LM_DBG("dialog=%p, type=%d\n", dlg, type);
272				params.param = &cb->param;
273				cb->callback( dlg, type, &params );
274			}
275		}
276		return;
277	}
(gdb) 


```


### Additional Information

* **Kamailio Version** - output of `kamailio -v`

```
version: kamailio 5.5.4 (x86_64/linux) 54c9df
flags: USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLOCKLIST, HAVE_RESOLV_RES, TLS_PTHREAD_MUTEX_SHARED
ADAPTIVE_WAIT_LOOPS 1024, MAX_RECV_BUFFER_SIZE 262144, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: 54c9df 
compiled on 10:32:51 Mar  9 2022 with gcc 10.2.1
```

* **Operating System**:

```
[root at lab002201-flip-server ~]$ lsb_release -a
No LSB modules are available.
Distributor ID:	Debian
Description:	Debian GNU/Linux 11 (bullseye)
Release:	11
Codename:	bullseye

[root at lab002201-flip-server ~]$ uname -a
Linux lab002201-flip-server 5.10.0-11-amd64 #1 SMP Debian 5.10.92-2 (2022-02-28) x86_64 GNU/Linux
```


https://github.com/kamailio/kamailio/issues/3106