[asterisk-bugs] [JIRA] (ASTERISK-28834) Segfault in taskprocessor_push

lvl (JIRA) noreply at issues.asterisk.org
Wed Apr 15 06:47:25 CDT 2020 

lvl created ASTERISK-28834:
------------------------------

             Summary: Segfault in taskprocessor_push
                 Key: ASTERISK-28834
                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-28834
             Project: Asterisk
          Issue Type: Bug
      Security Level: None
          Components: . I did not set the category correctly.
    Affects Versions: 16.8.0
            Reporter: lvl


I see occasional segfaults in taskprocessor_push. Specifically,

{code}
	tps->listener->callbacks->task_pushed(tps->listener, was_empty);
{code}

will crash because {{tps->listener}} is null. All traces I've seen somehow relate to hangups, so I guess a race condition/lack of locking somewhere allows for a task to be pushed onto a task processor while it's already being destructed.

I don't know how to properly fix that underlying issue, but will propose a simple NULL check to prevent the segfault.

Two example backtraces:

{code}
#0  0x00000000005c3643 in taskprocessor_push (tps=0x7f29ec144b60, t=0x7f2a60007180) at taskprocessor.c:1122
#1  0x00000000005c369c in ast_taskprocessor_push (tps=0x7f29ec144b60, task_exe=0x7f2a476e7df7 <hangup>, datap=0x7f2a60068b50) at taskprocessor.c:1128
#2  0x00007f2a4eae31c2 in ast_sip_push_task (serializer=0x7f29ec144b60, sip_task=0x7f2a476e7df7 <hangup>, task_data=0x7f2a60068b50) at res_pjsip.c:4631
#3  0x00007f2a476e7faa in chan_pjsip_hangup (ast=0x7f2a60169d30) at chan_pjsip.c:2377
#4  0x00000000004a3f25 in ast_hangup (chan=0x7f2a60169d30) at channel.c:2628

(gdb) p *tps
$11 = {
  local_data = 0x0, 
  tps_queue_size = 0, 
  tps_queue = {
    first = 0x0, 
    last = 0x0
  }, 
  listener = 0x0, 
  thread = 18446744073709551615, 
  executing = 0, 
  suspended = 0, 
  subsystem = 0x7f29ec144bf4 "pjsip", 
  name = 0x7f29ec144bc0 "pjsip/outsess/proxy-001531b2"
}

{code}

{code}
// from asterisk 15
#0  0x000000000063688c in taskprocessor_push (tps=0x7fd918394b38, t=0x7fd81805bdf0) at taskprocessor.c:900
#1  0x00000000006368e5 in ast_taskprocessor_push (tps=0x7fd918394b38, task_exe=0x7fd871679980 <hangup>, datap=0x7fd8180253b8) at taskprocessor.c:906
#2  0x00007fd87167975a in chan_pjsip_hangup (ast=0x7fd818048968) at chan_pjsip.c:2332
#3  0x00000000004c69be in ast_hangup (chan=0x7fd818048968) at channel.c:2649

(gdb) p *tps
$3 = {name = 0x0, stats = 0x0, local_data = 0x0, tps_queue_size = 0, tps_queue_low = 2250, tps_queue_high = 2500, tps_queue = {first = 0x0, last = 0x0}, listener = 0x0, thread = 18446744073709551615, 
  executing = 0, suspended = 0}
{code}



--
This message was sent by Atlassian JIRA
(v6.2#6252)

More information about the asterisk-bugs mailing list