[asterisk-bugs] [JIRA] (ASTERISK-29377) cpool_release_pool "double free or corruption (out)"

Robert Sutton (JIRA) noreply at issues.asterisk.org
Tue Mar 30 18:50:15 CDT 2021 

Robert Sutton created ASTERISK-29377:
----------------------------------------

             Summary: cpool_release_pool "double free or corruption (out)"
                 Key: ASTERISK-29377
                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-29377
             Project: Asterisk
          Issue Type: Bug
      Security Level: None
          Components: pjproject/pjsip
    Affects Versions: 16.16.1
         Environment: ubuntu 18.04, Docker 
            Reporter: Robert Sutton


Two threads appear to be freeing the same resource leading to a crash as can be seen below..

thread 1

{quote}
1617056270.asterisk.core.1.txt-Thread 1 (Thread 0x7fd335e21700 (LWP 28196)):
1617056270.asterisk.core.1.txt-#0  __GI_abort () at abort.c:107
1617056270.asterisk.core.1.txt-#1  0x00007fd3c92b8967 in __libc_message (action=action at entry=do_abort, fmt=fmt at entry=0x7fd3c93e5b0d "%s\n") at ../sysdeps/posix/libc_fatal.c:181
1617056270.asterisk.core.1.txt-#2  0x00007fd3c92bf9da in malloc_printerr (str=str at entry=0x7fd3c93e7818 "double free or corruption (out)") at malloc.c:5342
1617056270.asterisk.core.1.txt-#3  0x00007fd3c92c6f6a in _int_free (have_lock=0, p=0x7fd2f1db62e0, av=0x7fd3c961ac40 <main_arena>) at malloc.c:4308
1617056270.asterisk.core.1.txt-#4  __GI___libc_free (mem=0x7fd2f1db62f0) at malloc.c:3134
1617056270.asterisk.core.1.txt-#5  0x000055ab6487ef6e in __ast_free (ptr=0x7fd2f1db62f0, file=0x7fd3cbb608b0 "../src/pj/pool_policy_malloc.c", lineno=78, func=0x7fd3cbb608f0 <__PRETTY_FUNCTION__.3957> "default_block_free") at astmm.c:1588
1617056270.asterisk.core.1.txt-#6  0x00007fd3cbb2a5d7 in default_block_free (factory=0x7fd36d3c2560 <cachingpool>, mem=0x7fd2f1db62f0, size=512) at ../src/pj/pool_policy_malloc.c:78
1617056270.asterisk.core.1.txt-#7  0x00007fd3cbb33723 in pj_pool_destroy_int (pool=0x7fd2f1db62f0) at ../src/pj/pool.c:296
1617056270.asterisk.core.1.txt:#8  0x00007fd3cbb33f22 in cpool_release_pool (pf=0x7fd36d3c2560 <cachingpool>, pool=0x7fd2f1db62f0) at ../src/pj/pool_caching.c:238
1617056270.asterisk.core.1.txt-#9  0x00007fd3cbb32e7c in pj_pool_release (pool=0x7fd2f1db62f0) at ../include/pj/pool_i.h:103
1617056270.asterisk.core.1.txt-#10 0x00007fd3cbb30d17 in grp_lock_destroy (p=0x7fd2f1db6398) at ../src/pj/lock.c:397
1617056270.asterisk.core.1.txt-#11 0x00007fd3cbb31150 in grp_lock_dec_ref (glock=0x7fd2f1db6398) at ../src/pj/lock.c:555
1617056270.asterisk.core.1.txt-#12 0x00007fd3cbb31190 in pj_grp_lock_dec_ref (glock=0x7fd2f1db6398) at ../src/pj/lock.c:646
1617056270.asterisk.core.1.txt-#13 0x00007fd3cbb30b5d in grp_lock_release (p=0x7fd2f1db6398) at ../src/pj/lock.c:335
1617056270.asterisk.core.1.txt-#14 0x00007fd3cbb30f83 in pj_grp_lock_release (grp_lock=0x7fd2f1db6398) at ../src/pj/lock.c:488
1617056270.asterisk.core.1.txt-#15 0x00007fd3cbaa51ee in destroy_ice (ice=0x7fd2f0219318, reason=0) at ../src/pjnath/ice_session.c:507
1617056270.asterisk.core.1.txt-#16 0x00007fd3cbaa521b in pj_ice_sess_destroy (ice=0x7fd2f0219318) at ../src/pjnath/ice_session.c:517
1617056270.asterisk.core.1.txt-#17 0x00007fd36d1980e3 in ice_wrap_dtor (vdoomed=0x7fd2f233d8e8) at res_rtp_asterisk.c:896
1617056270.asterisk.core.1.txt-#18 0x000055ab6488077b in __ao2_ref (user_data=0x7fd2f233d8e8, delta=-1, tag=0x7fd36d1b93d0 "", file=0x7fd36d1b93b2 "res_rtp_asterisk.c", line=874, func=0x7fd36d1bd3d0 <__PRETTY_FUNCTION__.40143> "ast_rtp_ice_stop") at astobj2.c:614
1617056270.asterisk.core.1.txt-#19 0x00007fd36d197fd1 in ast_rtp_ice_stop (instance=0x7fd2f143a0d0) at res_rtp_asterisk.c:874
1617056270.asterisk.core.1.txt-#20 0x00007fd36d1a1e9a in rtp_deallocate_transport (instance=0x7fd2f143a0d0, rtp=0x7fd2f05e44d0) at res_rtp_asterisk.c:3947
1617056270.asterisk.core.1.txt-#21 0x00007fd36d1a25c1 in ast_rtp_destroy (instance=0x7fd2f143a0d0) at res_rtp_asterisk.c:4050
1617056270.asterisk.core.1.txt-#22 0x000055ab64988031 in instance_destructor (obj=0x7fd2f143a0d0) at rtp_engine.c:434
1617056270.asterisk.core.1.txt-#23 0x000055ab6488077b in __ao2_ref (user_data=0x7fd2f143a0d0, delta=-1, tag=0x55ab64ac7159 "", file=0x55ab64ac71ea "rtp_engine.c", line=460, func=0x55ab64ac8470 <__PRETTY_FUNCTION__.18829> "ast_rtp_instance_destroy") at astobj2.c:614
1617056270.asterisk.core.1.txt-#24 0x000055ab64880af3 in __ao2_cleanup_debug (obj=0x7fd2f143a0d0, tag=0x55ab64ac7159 "", file=0x55ab64ac71ea "rtp_engine.c", line=460, function=0x55ab64ac8470 <__PRETTY_FUNCTION__.18829> "ast_rtp_instance_destroy") at astobj2.c:670
1617056270.asterisk.core.1.txt-#25 0x000055ab649882a0 in ast_rtp_instance_destroy (instance=0x7fd2f143a0d0) at rtp_engine.c:460
1617056270.asterisk.core.1.txt-#26 0x00007fd3655ae2a9 in stream_destroy (session_media=0x7fd2f0040718) at res_pjsip_sdp_rtp.c:2149
1617056270.asterisk.core.1.txt-#27 0x00007fd367425e2a in stream_destroy (obj=0x55ab65f40df0, arg=0x7fd2f0040718, flags=0) at res_pjsip_session.c:462
1617056270.asterisk.core.1.txt-#28 0x000055ab648823ce in internal_ao2_traverse (self=0x55ab65fe76c0, flags=OBJ_SEARCH_NONE, cb_fn=0x7fd367425de9 <stream_destroy>, arg=0x7fd2f0040718, data=0x0, type=AO2_CALLBACK_DEFAULT, tag=0x7fd36743f684 "", file=0x7fd36743f670 "res_pjsip_session.c", line=477, func=0x7fd367442af0 <__PRETTY_FUNCTION__.33873> "session_media_dtor") at astobj2_container.c:328
1617056270.asterisk.core.1.txt-#29 0x000055ab648826b7 in __ao2_callback (c=0x55ab65fe76c0, flags=OBJ_SEARCH_NONE, cb_fn=0x7fd367425de9 <stream_destroy>, arg=0x7fd2f0040718, tag=0x7fd36743f684 "", file=0x7fd36743f670 "res_pjsip_session.c", line=477, func=0x7fd367442af0 <__PRETTY_FUNCTION__.33873> "session_media_dtor") at astobj2_container.c:414
1617056270.asterisk.core.1.txt-#30 0x00007fd367425e95 in session_media_dtor (obj=0x7fd2f0040718) at res_pjsip_session.c:477
1617056270.asterisk.core.1.txt-#31 0x000055ab6488077b in __ao2_ref (user_data=0x7fd2f0040718, delta=-1, tag=0x7fd36743f684 "", file=0x7fd36743f670 "res_pjsip_session.c", line=285, func=0x7fd3674429c0 <__PRETTY_FUNCTION__.33758> "ast_sip_session_media_state_reset") at astobj2.c:614
1617056270.asterisk.core.1.txt-#32 0x000055ab64880af3 in __ao2_cleanup_debug (obj=0x7fd2f0040718, tag=0x7fd36743f684 "", file=0x7fd36743f670 "res_pjsip_session.c", line=285, function=0x7fd3674429c0 <__PRETTY_FUNCTION__.33758> "ast_sip_session_media_state_reset") at astobj2.c:670
1617056270.asterisk.core.1.txt-#33 0x00007fd3674253a4 in ast_sip_session_media_state_reset (media_state=0x7fd3bcb07670) at res_pjsip_session.c:285
1617056270.asterisk.core.1.txt-#34 0x00007fd367436e32 in ast_sip_session_terminate (session=0x7fd3bcb2b790, response=603) at res_pjsip_session.c:3538
1617056270.asterisk.core.1.txt-#35 0x00007fd366bfb63e in hangup (data=0x7fd39404d620) at chan_pjsip.c:2468
1617056270.asterisk.core.1.txt-#36 0x000055ab649f689f in ast_taskprocessor_execute (tps=0x7fd3bc81ad20) at taskprocessor.c:1237
1617056270.asterisk.core.1.txt-#37 0x000055ab64a00b1e in execute_tasks (data=0x7fd3bc81ad20) at threadpool.c:1354
1617056270.asterisk.core.1.txt-#38 0x000055ab649f689f in ast_taskprocessor_execute (tps=0x55ab65a5e1f0) at taskprocessor.c:1237
1617056270.asterisk.core.1.txt-#39 0x000055ab649fe4e7 in threadpool_execute (pool=0x55ab65a5cb40) at threadpool.c:367
1617056270.asterisk.core.1.txt-#40 0x000055ab64a002e7 in worker_active (worker=0x7fd33c0011b0) at threadpool.c:1137
1617056270.asterisk.core.1.txt-#41 0x000055ab64a00057 in worker_start (arg=0x7fd33c0011b0) at threadpool.c:1056
1617056270.asterisk.core.1.txt-#42 0x000055ab64a0a53b in dummy_start (data=0x7fd2f05f7740) at utils.c:1299
1617056270.asterisk.core.1.txt-#43 0x00007fd3ca15e6db in start_thread (arg=0x7fd335e21700) at pthread_create.c:463
1617056270.asterisk.core.1.txt-#44 0x00007fd3c935071f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

{quote}


and thread 96

{quote}
1617056270.asterisk.core.1.txt-Thread 96 (Thread 0x7fd33669f700 (LWP 24420)):
1617056270.asterisk.core.1.txt-#0  __lll_lock_wait () at ../sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:135
1617056270.asterisk.core.1.txt-#1  0x00007fd3ca161025 in __GI___pthread_mutex_lock (mutex=0x7fd36d3c27b0 <cachingpool+592>) at ../nptl/pthread_mutex_lock.c:80
1617056270.asterisk.core.1.txt-#2  0x00007fd3cbb283b9 in pj_mutex_lock (mutex=0x7fd36d3c27b0 <cachingpool+592>) at ../src/pj/os_core_unix.c:1281
1617056270.asterisk.core.1.txt-#3  0x00007fd3cbb308a6 in pj_lock_acquire (lock=0x7fd36d3c2788 <cachingpool+552>) at ../src/pj/lock.c:180
1617056270.asterisk.core.1.txt:#4  0x00007fd3cbb33ebd in cpool_release_pool (pf=0x7fd36d3c2560 <cachingpool>, pool=0x7fd394035d90) at ../src/pj/pool_caching.c:213
1617056270.asterisk.core.1.txt-#5  0x00007fd3cbb32e7c in pj_pool_release (pool=0x7fd394035d90) at ../include/pj/pool_i.h:103
1617056270.asterisk.core.1.txt-#6  0x00007fd3cbb32eb4 in pj_pool_safe_release (ppool=0x7fd394035e48) at ../include/pj/pool_i.h:112
1617056270.asterisk.core.1.txt-#7  0x00007fd3cbab8389 in tdata_on_destroy (arg=0x7fd394035e38) at ../src/pjnath/stun_session.c:170
1617056270.asterisk.core.1.txt-#8  0x00007fd3cbb30cc9 in grp_lock_destroy (p=0x7fd39402f088) at ../src/pj/lock.c:390
1617056270.asterisk.core.1.txt-#9  0x00007fd3cbb31150 in grp_lock_dec_ref (glock=0x7fd39402f088) at ../src/pj/lock.c:555
1617056270.asterisk.core.1.txt-#10 0x00007fd3cbb31190 in pj_grp_lock_dec_ref (glock=0x7fd39402f088) at ../src/pj/lock.c:646
1617056270.asterisk.core.1.txt-#11 0x00007fd3cbb437d8 in pj_timer_heap_poll (ht=0x55ab65cd89d8, next_delay=0x0) at ../src/pj/timer.c:916
1617056270.asterisk.core.1.txt-#12 0x00007fd36d19dd8a in timer_worker_thread (data=0x0) at res_rtp_asterisk.c:2708
1617056270.asterisk.core.1.txt-#13 0x00007fd3cbb278f5 in thread_main (param=0x55ab65cec540) at ../src/pj/os_core_unix.c:541
1617056270.asterisk.core.1.txt-#14 0x00007fd3ca15e6db in start_thread (arg=0x7fd33669f700) at pthread_create.c:463
1617056270.asterisk.core.1.txt-#15 0x00007fd3c935071f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
{quote}





--
This message was sent by Atlassian JIRA
(v6.2#6252)

More information about the asterisk-bugs mailing list