[asterisk-bugs] [JIRA] (ASTERISK-22083) res_musiconhold segfault in free, in moh_scan_files

Walter Doekes (JIRA) noreply at issues.asterisk.org
Thu May 22 08:49:44 CDT 2014


    [ https://issues.asterisk.org/jira/browse/ASTERISK-22083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=218385#comment-218385 ] 

Walter Doekes commented on ASTERISK-22083:
------------------------------------------

Okay. So that backtrace from July was useful after all:
{noformat}
Thread 101 (Thread 17685):
#0  0x00007faf5d6de16e in ?? () from /lib/libc.so.6
#1  0x00007faf5d6673dc in ?? () from /lib/libc.so.6
#2  0x00007faf5d665e78 in free () from /lib/libc.so.6
#3  0x00007faf4876099f in moh_scan_files (class=0x353c898) at res_musiconhold.c:1066
#4  0x00007faf4876265e in local_ast_moh_start (chan=0x7faf4d526f18, mclass=0x7faf3fc19268 "vascomain", interpclass=0x0) at res_musiconhold.c:1516
#5  0x00000000004894cd in ast_moh_start (chan=0x7faf4d526f18, mclass=0x7faf3fc19268 "vascomain", interpclass=0x0) at channel.c:7964
#6  0x00007faf4772485f in queue_exec (chan=0x7faf4d526f18, data=0x7faf3fc1c9a0 "vascomain-premium,i") at app_queue.c:6228
#7  0x000000000050e1fb in pbx_exec (c=0x7faf4d526f18, app=0x7faf54ac10e0, data=0x7faf3fc1c9a0 "vascomain-premium,i") at pbx.c:1446
#8  0x00000000005184f5 in pbx_extension_helper (c=0x7faf4d526f18, con=0x0, context=0x7faf4d527470 "func-queue", exten=0x7faf4d5274c0 "s", priority=15, label=0x0, callerid=0x7faf4cf34bb0 "4504315181", action=E_SPAWN, found=0x7faf3fc1ec8c, combined_find_spawn=1) at pbx.c:4489
...
{noformat}

{noformat}
Thread 57 (Thread 17682):
#0  0x00007faf5d6de16e in ?? () from /lib/libc.so.6
#1  0x00007faf5d6673dc in ?? () from /lib/libc.so.6
#2  0x00007faf5d665e78 in free () from /lib/libc.so.6
#3  0x00007faf4876099f in moh_scan_files (class=0x353c898) at res_musiconhold.c:1066
#4  0x00007faf4876265e in local_ast_moh_start (chan=0x7faf4d164618, mclass=0x7faf3fb9d268 "vascomain", interpclass=0x0) at res_musiconhold.c:1516
#5  0x00000000004894cd in ast_moh_start (chan=0x7faf4d164618, mclass=0x7faf3fb9d268 "vascomain", interpclass=0x0) at channel.c:7964
#6  0x00007faf4772485f in queue_exec (chan=0x7faf4d164618, data=0x7faf3fba09a0 "vascomain-premium,i") at app_queue.c:6228
#7  0x000000000050e1fb in pbx_exec (c=0x7faf4d164618, app=0x7faf54ac10e0, data=0x7faf3fba09a0 "vascomain-premium,i") at pbx.c:1446
#8  0x00000000005184f5 in pbx_extension_helper (c=0x7faf4d164618, con=0x0, context=0x7faf4d164b70 "func-queue", exten=0x7faf4d164bc0 "s", priority=15, label=0x0, callerid=0x7faf4d4377d0 "5143527328", action=E_SPAWN, found=0x7faf3fba2c8c, combined_find_spawn=1) at pbx.c:4489
#9  0x000000000051a26d in ast_spawn_extension (c=0x7faf4d164618, context=0x7faf4d164b70 "func-queue", exten=0x7faf4d164bc0 "s", priority=15, callerid=0x7faf4d4377d0 "5143527328", found=0x7faf3fba2c8c, combined_find_spawn=1) at pbx.c:5127
...
{noformat}

{noformat}
Thread 1 (Thread 17758):
#0  0x00007faf5d61ba75 in raise () from /lib/libc.so.6
#1  0x00007faf5d61f5c0 in abort () from /lib/libc.so.6
#2  0x00007faf5d6554fb in ?? () from /lib/libc.so.6
#3  0x00007faf5d65f5b6 in ?? () from /lib/libc.so.6
#4  0x00007faf5d665e83 in free () from /lib/libc.so.6
#5  0x00007faf4876099f in moh_scan_files (class=0x353c898) at res_musiconhold.c:1066
#6  0x00007faf4876265e in local_ast_moh_start (chan=0x3923dd8, mclass=0x7faf3ee0d268 "vascomain", interpclass=0x0) at res_musiconhold.c:1516
#7  0x00000000004894cd in ast_moh_start (chan=0x3923dd8, mclass=0x7faf3ee0d268 "vascomain", interpclass=0x0) at channel.c:7964
#8  0x00007faf4772485f in queue_exec (chan=0x3923dd8, data=0x7faf3ee109a0 "vascomain-premium,i") at app_queue.c:6228
#9  0x000000000050e1fb in pbx_exec (c=0x3923dd8, app=0x7faf54ac10e0, data=0x7faf3ee109a0 "vascomain-premium,i") at pbx.c:1446
#10 0x00000000005184f5 in pbx_extension_helper (c=0x3923dd8, con=0x0, context=0x3924330 "func-queue", exten=0x3924380 "s", priority=15, label=0x0, callerid=0x3874a40 "4505158115", action=E_SPAWN, found=0x7faf3ee12c8c, combined_find_spawn=1) at pbx.c:4489
#11 0x000000000051a26d in ast_spawn_extension (c=0x3923dd8, context=0x3924330 "func-queue", exten=0x3924380 "s", priority=15, callerid=0x3874a40 "4505158115", found=0x7faf3ee12c8c, combined_find_spawn=1) at pbx.c:5127
...
{noformat}

Observe how class is the same in all cases. Three threads are attempting to free the same memory at once.

{noformat}
        for (i = 0; i < class->total_files; i++) {
                ast_free(class->filearray[i]);
        }
        class->total_files = 0;
{noformat}

This doesn't look like the same bug as ASTERISK-21775 because that memory isn't used in multiple threads at once there, according to the backtraces. Although I'm not sure.
{noformat}
#0  0x00002b9ac0a708e0 in moh_files_alloc (chan=0x2b9ae0071fc8, params=0x2b9ae0071268) at res_musiconhold.c:432
432				state->pos = ast_random() % class->total_files;
{noformat}

The fix:
- add a mutex in class so we can lock the scanning/reinitialization
- explain why the same memory can be used and don't do it

> res_musiconhold segfault in free, in moh_scan_files
> ---------------------------------------------------
>
>                 Key: ASTERISK-22083
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-22083
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Resources/res_musiconhold
>    Affects Versions: 1.8.22.0
>         Environment: Linux vgw1 2.6.32-35-generic #78-Ubuntu SMP Tue Oct 11 16:11:24 UTC 2011 x86_64 GNU/Linux
>            Reporter: Sébastien Couture
>            Assignee: Sébastien Couture
>         Attachments: backtrace.txt
>
>
> We've had Asterisk segfault with an error in res_musiconhold.c; more specifically in the 'moh_scan_files' function (line 1066):
> {code}
> for (i = 0; i < class->total_files; i++)
>   ast_free(class->filearray[i]);
> {code}
> I've attached a backtrace of the core dump. I'm wondering if this could be related to ASTERISK-21775. I haven't yet tried the patch mentioned in that issue.
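As an added illustration of the first fix bullet (a per-class mutex around the scan), not Asterisk's code and not the patch from this issue: a hypothetical `struct moh_class` with the proposed lock, a rescan that frees the old `filearray` and rebuilds it only while holding that lock, and a `stress()` helper that runs several concurrent callers (standing in for the three `ast_moh_start` threads in the backtraces) against one shared class and reports outstanding allocations. Names such as `moh_scan_files_locked`, `stress` and the constructed file name are assumptions for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdatomic.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the MOH class (not Asterisk's struct); the lock is the proposed addition. */
struct moh_class { pthread_mutex_t lock; char **filearray; int total_files; };

static atomic_int live_allocs;  /* strdup() minus free(); stays 0 only if nothing leaks or is freed twice */

static void free_files_locked(struct moh_class *c) {  /* caller must hold c->lock */
	for (int i = 0; i < c->total_files; i++) {
		free(c->filearray[i]);
		atomic_fetch_sub(&live_allocs, 1);
	}
	c->total_files = 0;
}

/* The rescan: free the old list and build a new one, all under the class lock. */
int moh_scan_files_locked(struct moh_class *c, int nfiles) {
	pthread_mutex_lock(&c->lock);
	free_files_locked(c);
	for (int i = 0; i < nfiles; i++) {
		c->filearray[i] = strdup("constructed-moh-file.wav");  /* constructed sample entry */
		atomic_fetch_add(&live_allocs, 1);
	}
	c->total_files = nfiles;
	pthread_mutex_unlock(&c->lock);
	return nfiles;
}

static void *moh_start_worker(void *arg) {  /* models concurrent ast_moh_start() callers */
	for (int i = 0; i < 500; i++)
		moh_scan_files_locked(arg, 1 + i % 8);
	return NULL;
}

/* Runs up to 8 concurrent rescans on one shared class; returns outstanding allocations (expect 0). */
int stress(int nthreads) {
	struct moh_class *c = calloc(1, sizeof *c);
	pthread_t t[8];
	c->filearray = calloc(8, sizeof *c->filearray);
	pthread_mutex_init(&c->lock, NULL);
	if (nthreads > 8) nthreads = 8;
	for (int i = 0; i < nthreads; i++) pthread_create(&t[i], NULL, moh_start_worker, c);
	for (int i = 0; i < nthreads; i++) pthread_join(t[i], NULL);
	free_files_locked(c);  /* all workers joined, so no contention here */
	pthread_mutex_destroy(&c->lock);
	free(c->filearray);
	free(c);
	return atomic_load(&live_allocs);
}
```

Without the lock, the same loop run by several threads would free entries of the shared `filearray` twice, which is the `free()` abort seen in Thread 1 above.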



--
This message was sent by Atlassian JIRA
(v6.2#6252)