race condition in bind

yhu2 yadi.hu at windriver.com
Tue Aug 5 06:53:33 UTC 2014


There seems to be a race condition in bind/named that leads to a 
segfault. This is the patch that solves the problem,and it is not fixed 
in upstream:

--- lib/dns/view.c.orig 2014-07-22 14:55:09.300375792 +0300
+++ lib/dns/view.c 2014-07-22 14:55:15.025126595 +0300
@@ -516,6 +516,8 @@

         UNUSED(task);

+ isc_event_free(&event);
+
         LOCK(&view->lock);

         view->attributes |= DNS_VIEWATTR_RESSHUTDOWN;
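Review bot: The three added `isc_event_free(&event);` calls (here and in the hunks at -540 and -564) carry no comment saying why the free must come before `LOCK(&view->lock)`, so a later cleanup could move it back after `UNLOCK` and reintroduce the crash. The backtrace further down the page is consistent with the event being touched after another thread had already run `destroy(view)` (the faulting frame originally showed only 0xdededede), which suggests the event's storage goes away with the view; that is inferred from the trace, not visible in the hunk. I would add above each call `/* Free the event first: once the lock is dropped another shutdown callback may destroy the view, and the event must not be touched after that. */`. Each function starts above its hunk, so confirm that `view` is taken from the event before this line, because `isc_event_free()` appears to clear `event` (the trace shows `event=0x0` in a frame past the free).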
@@ -523,8 +525,6 @@

         UNLOCK(&view->lock);

- isc_event_free(&event);
-
         if (done)
                 destroy(view);
  }
@@ -540,6 +540,8 @@

         UNUSED(task);

+ isc_event_free(&event);
+


         LOCK(&view->lock);

         view->attributes |= DNS_VIEWATTR_ADBSHUTDOWN;
@@ -547,8 +549,6 @@

         UNLOCK(&view->lock);

- isc_event_free(&event);
-
         if (done)
                 destroy(view);
  }
@@ -564,6 +564,8 @@

         UNUSED(task);

+ isc_event_free(&event);
+
         LOCK(&view->lock);

         view->attributes |= DNS_VIEWATTR_REQSHUTDOWN;
@@ -571,8 +573,6 @@

         UNLOCK(&view->lock);

- isc_event_free(&event);
-
         if (done)
                 destroy(view);
  }



-------------------------------------------------------------------------------------------------------------------------------------------------------
Example backtrace below. Originally Thread 1's (the faulting thread) 
backtrace showed just:

   Thread 1 (LWP 19194):
   #0 0xdededede in ?? ()

By modifying the core file to display the stack below that frame, we 
can get the following:

   Program terminated with signal 11, Segmentation fault.
   #0 0xb7414724 in isc_event_free (eventp=0xb6fe82dc) at event.c:85
   85 event.c: No such file or directory.
           in event.c
   (gdb) t a a bt

   Thread 7 (LWP 19195):
   #0 0xb73f5bcd in __lll_lock_wait () from 
./NG0927903_CLA-0-19182-53bf44ea-named-SEGV.env/lib/libpthread.so.0
   #1 0xb73f192b in _L_lock_502 () from 
./NG0927903_CLA-0-19182-53bf44ea-named-SEGV.env/lib/libpthread.so.0
   #2 0xb73f1760 in pthread_mutex_lock () from 
./NG0927903_CLA-0-19182-53bf44ea-named-SEGV.env/lib/libpthread.so.0
   #3 0xb7423394 in isc___mem_put (ctx0=0x9a9c138, ptr=0xb3d20b70, 
size=36, file=0xb7450514 "radix.c", line=190) at mem.c:1326
   #4 0xb74285ed in _clear_radix (radix=0xb70165a8, func=<value 
optimized out>) at radix.c:190
   #5 0xb7428725 in isc_radix_destroy (radix=0xb70165a8, func=0x9a9c154) 
at radix.c:215
   #6 0xb7623e18 in destroy_iptable (tabp=0xb6fea524) at iptable.c:181
   #7 dns_iptable_detach (tabp=0xb6fea524) at iptable.c:171
   #8 0xb75fe8b9 in destroy (aclp=0xb7028c24) at acl.c:463
   #9 dns_acl_detach (aclp=0xb7028c24) at acl.c:476
   #10 0xb75fe9ac in dns_aclenv_destroy (env=0xb7028c24) at acl.c:621
   #11 0xb76f4179 in destroy (view=0xb7028ab8) at view.c:370
   #12 0xb76f5122 in req_shutdown (task=0x9d4c408, event=0x0) at view.c:577
   #13 0xb74348e7 in dispatch (uap=0xb6fed008) at task.c:1013
   #14 run (uap=0xb6fed008) at task.c:1158
   #15 0xb73ef4f8 in start_thread () from 
./NG0927903_CLA-0-19182-53bf44ea-named-SEGV.env/lib/libpthread.so.0
   #16 0xb724b97e in clone () from 
./NG0927903_CLA-0-19182-53bf44ea-named-SEGV.env/lib/libc.so.6

   Thread 6 (LWP 19198):
   #0 0xb73f38f7 in pthread_cond_timedwait () from 
./NG0927903_CLA-0-19182-53bf44ea-named-SEGV.env/lib/libpthread.so.0
   #1 0xb744cb5d in isc_condition_waituntil (c=0xb6fee048, m=0xb6fee018, 
t=0xb6fee040) at condition.c:59
   #2 0xb743746b in run (uap=0xb6fee008) at timer.c:822
   #3 0xb73ef4f8 in start_thread () from 
./NG0927903_CLA-0-19182-53bf44ea-named-SEGV.env/lib/libpthread.so.0
   #4 0xb724b97e in clone () from 
./NG0927903_CLA-0-19182-53bf44ea-named-SEGV.env/lib/libc.so.6

   Thread 5 (LWP 19182):
   #0 0xb71abcbd in sigsuspend () from 
./NG0927903_CLA-0-19182-53bf44ea-named-SEGV.env/lib/libc.so.6
   #1 0xb74391bd in isc__app_ctxrun (ctx0=0xb7457ee0) at app.c:680
   #2 0xb74392f9 in isc__app_run () at app.c:707
   #3 0x080696bc in ?? ()
   #4 0xb7198ba3 in __libc_start_main () from 
./NG0927903_CLA-0-19182-53bf44ea-named-SEGV.env/lib/libc.so.6
   #5 0x080578f1 in ?? ()

   Thread 4 (LWP 19196):
   #0 0xb73f5bcd in __lll_lock_wait () from 
./NG0927903_CLA-0-19182-53bf44ea-named-SEGV.env/lib/libpthread.so.0
   #1 0xb73f192b in _L_lock_502 () from 
./NG0927903_CLA-0-19182-53bf44ea-named-SEGV.env/lib/libpthread.so.0
   #2 0xb73f1760 in pthread_mutex_lock () from 
./NG0927903_CLA-0-19182-53bf44ea-named-SEGV.env/lib/libpthread.so.0
   #3 0xb7619a71 in destroy_disp (task=0x9d534e8, event=0xb6fead58) at 
dispatch.c:716
   #4 0xb74348e7 in dispatch (uap=0xb6fed008) at task.c:1013
   #5 run (uap=0xb6fed008) at task.c:1158
   #6 0xb73ef4f8 in start_thread () from 
./NG0927903_CLA-0-19182-53bf44ea-named-SEGV.env/lib/libpthread.so.0
   #7 0xb724b97e in clone () from 
./NG0927903_CLA-0-19182-53bf44ea-named-SEGV.env/lib/libc.so.6

   Thread 3 (LWP 19197):
   #0 0xb761949e in dispatch_free (dispp=<value optimized out>) at 
dispatch.c:2536
   #1 0xb7619c1e in destroy_disp (task=0x9d530f8, event=0x0) at 
dispatch.c:733
   #2 0xb74348e7 in dispatch (uap=0xb6fed008) at task.c:1013
   #3 run (uap=0xb6fed008) at task.c:1158
   #4 0xb73ef4f8 in start_thread () from 
./NG0927903_CLA-0-19182-53bf44ea-named-SEGV.env/lib/libpthread.so.0
   #5 0xb724b97e in clone () from 
./NG0927903_CLA-0-19182-53bf44ea-named-SEGV.env/lib/libc.so.6

   Thread 2 (LWP 19199):
   #0 0xb724c09c in epoll_wait () from 
./NG0927903_CLA-0-19182-53bf44ea-named-SEGV.env/lib/libc.so.6
   #1 0xb74491ea in watcher (uap=0xb6ff0008) at socket.c:3717
   #2 0xb73ef4f8 in start_thread () from 
./NG0927903_CLA-0-19182-53bf44ea-named-SEGV.env/lib/libpthread.so.0
   #3 0xb724b97e in clone () from 
./NG0927903_CLA-0-19182-53bf44ea-named-SEGV.env/lib/libc.so.6

   Thread 1 (LWP 19194):
   #0 0xb7414724 in isc_event_free (eventp=0xb6fe82dc) at event.c:85
   #1 0xb76f5117 in req_shutdown (task=0x9d4fcc8, event=0xb70287d8) at 
view.c:574
   #2 0xb74348e7 in dispatch (uap=0xb6fed008) at task.c:1013
   #3 run (uap=0xb6fed008) at task.c:1158
   #4 0xb73ef4f8 in start_thread () from 
./NG0927903_CLA-0-19182-53bf44ea-named-SEGV.env/lib/libpthread.so.0
   #5 0xb724b97e in clone () from 
./NG0927903_CLA-0-19182-53bf44ea-named-SEGV.env/lib/libc.so.6
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------






