[asterisk-bugs] [JIRA] (ASTERISK-28834) Segfault in taskprocessor_push

Sean Bright (JIRA) noreply at issues.asterisk.org
Wed Apr 15 11:38:25 CDT 2020 

     [ https://issues.asterisk.org/jira/browse/ASTERISK-28834?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sean Bright updated ASTERISK-28834:
-----------------------------------

    Assignee: lvl  (was: Unassigned)

> Segfault in taskprocessor_push
> ------------------------------
>
>                 Key: ASTERISK-28834
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-28834
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: . I did not set the category correctly.
>    Affects Versions: 16.3.0
>            Reporter: lvl
>            Assignee: lvl
>
> I see occasional segfaults in taskprocessor_push. Specifically,
> {code}
> 	tps->listener->callbacks->task_pushed(tps->listener, was_empty);
> {code}
> will crash because {{tps->listener}} is null. All traces I've seen somehow relate to hangups, so I guess a race condition/lack of locking somewhere allows for a task to be pushed onto a task processor while it's already being destructed.
> I don't know how to properly fix that underlying issue, but will propose a simple NULL check to prevent the segfault.
> Two example backtraces:
> {code}
> #0  0x00000000005c3643 in taskprocessor_push (tps=0x7f29ec144b60, t=0x7f2a60007180) at taskprocessor.c:1122
> #1  0x00000000005c369c in ast_taskprocessor_push (tps=0x7f29ec144b60, task_exe=0x7f2a476e7df7 <hangup>, datap=0x7f2a60068b50) at taskprocessor.c:1128
> #2  0x00007f2a4eae31c2 in ast_sip_push_task (serializer=0x7f29ec144b60, sip_task=0x7f2a476e7df7 <hangup>, task_data=0x7f2a60068b50) at res_pjsip.c:4631
> #3  0x00007f2a476e7faa in chan_pjsip_hangup (ast=0x7f2a60169d30) at chan_pjsip.c:2377
> #4  0x00000000004a3f25 in ast_hangup (chan=0x7f2a60169d30) at channel.c:2628
> (gdb) p *tps
> $11 = {
>   local_data = 0x0, 
>   tps_queue_size = 0, 
>   tps_queue = {
>     first = 0x0, 
>     last = 0x0
>   }, 
>   listener = 0x0, 
>   thread = 18446744073709551615, 
>   executing = 0, 
>   suspended = 0, 
>   subsystem = 0x7f29ec144bf4 "pjsip", 
>   name = 0x7f29ec144bc0 "pjsip/outsess/proxy-001531b2"
> }
> {code}
> {code}
> // from asterisk 15
> #0  0x000000000063688c in taskprocessor_push (tps=0x7fd918394b38, t=0x7fd81805bdf0) at taskprocessor.c:900
> #1  0x00000000006368e5 in ast_taskprocessor_push (tps=0x7fd918394b38, task_exe=0x7fd871679980 <hangup>, datap=0x7fd8180253b8) at taskprocessor.c:906
> #2  0x00007fd87167975a in chan_pjsip_hangup (ast=0x7fd818048968) at chan_pjsip.c:2332
> #3  0x00000000004c69be in ast_hangup (chan=0x7fd818048968) at channel.c:2649
> (gdb) p *tps
> $3 = {name = 0x0, stats = 0x0, local_data = 0x0, tps_queue_size = 0, tps_queue_low = 2250, tps_queue_high = 2500, tps_queue = {first = 0x0, last = 0x0}, listener = 0x0, thread = 18446744073709551615, 
>   executing = 0, suspended = 0}
> {code}



--
This message was sent by Atlassian JIRA
(v6.2#6252)

More information about the asterisk-bugs mailing list