segfault in resolver when serving UDP clients
When running BIND9 as a resolver, it crashes with SIGSEGV within a couple of seconds when I run DNS Shotgun simulating UDP clients using a realistic query set.
I managed to bisect the cause of this issue to commit f36e118b.
BIND9 is executed with a single thread (seems to be the most reliable way to reproduce the issue): `./bin/named/named -n 1 -c named.conf`
named.conf:

```
options {
	listen-on { 10.53.0.1; };
	recursion yes;
};
```
coredump:

```
Program terminated with signal SIGSEGV, Segmentation fault.
warning: Section `.reg-xstate/1798547' in core file too small.
#0  0x00007fe4acaca388 in async_restart (arg=0x7fe4a3e8ba00) at query.c:5843

Thread 1 (Thread 0x7fe4ab144580 (LWP 1798547)):
#0  0x00007fe4acaca388 in async_restart (arg=0x7fe4a3e8ba00) at query.c:5843
#1  0x00007fe4acb18268 in isc__async_cb (handle=<optimized out>) at async.c:111
#2  0x00007fe4ac5879fb in ?? () from /usr/lib/libuv.so.1
#3  0x00007fe4ac5a4cdb in ?? () from /usr/lib/libuv.so.1
#4  0x00007fe4ac58cf9f in uv_run () from /usr/lib/libuv.so.1
#5  0x00007fe4acb2b38c in loop_thread (arg=0x7fe4a8a90000) at loop.c:282
#6  0x000055f0f2f03928 in main (argc=8, argv=0x7ffd47f22688) at main.c:1574
```

```
#0  0x00007fa3a23bf388 in async_restart (arg=0x7fa39b178700) at query.c:5843
5843		isc_mem_put(client->manager->mctx, qctx, sizeof(*qctx));
(gdb) p client
$1 = (ns_client_t *) 0x7fa399e96800
(gdb) p client->manager
$2 = (ns_clientmgr_t *) 0xdededededededede
```
`client->manager` has been deallocated while still in use.

I also have an rr recording, but I don't have the knowledge to make much use of it. The `client->manager` was deallocated here:
```
Old value = (ns_clientmgr_t *) 0x7f19d8e6c1de
New value = (ns_clientmgr_t *) 0x7f19d8e6c1e0
0x00007f19dbd10c4a in ?? () from /usr/lib/libc.so.6
(rr) bt
#0  0x00007f19dbd10c4a in ?? () from /usr/lib/libc.so.6
#1  0x00007f19dced81c0 in memset (__len=<optimized out>, __ch=222, __dest=0x7f19d5ec7c00)
    at /usr/include/bits/string_fortified.h:59
#2  mem_put (flags=0, size=<optimized out>, mem=0x7f19d5ec7c00, ctx=0x7f19d8e22760)
    at mem.c:326
#3  isc__mem_put (ctx=0x7f19d8e22760, ptr=0x7f19d5ec7c00, size=<optimized out>, flags=0,
    file=<optimized out>, line=<optimized out>) at mem.c:761
#4  0x00007f19dce557db in ns__client_put_cb (client0=0x7f19d5ec7c00) at client.c:1627
#5  0x00007f19dceb2503 in nmhandle_free (handle=0x7f19d6543280, sock=0x7f19d8e92800)
    at netmgr/netmgr.c:886
#6  nmhandle__destroy (handle=0x7f19d6543280) at netmgr/netmgr.c:906
#7  0x00007f19dce6a814 in ns_query_done (qctx=qctx@entry=0x7f19d51b1600) at query.c:11663
#8  0x00007f19dce73ba7 in query_delegation_recurse (qctx=qctx@entry=0x7f19d51b1600)
    at query.c:9054
#9  0x00007f19dce73dae in query_delegation (qctx=0x7f19d51b1600) at query.c:8976
#10 0x00007f19dce712b6 in query_lookup (qctx=0x7f19d51b1600) at query.c:6179
#11 0x00007f19dce72be6 in ns__query_start (qctx=0x7f19d51b1600) at query.c:5820
#12 0x00007f19dce73355 in async_restart (arg=0x7f19d51b1600) at query.c:5838
#13 0x00007f19dcec1268 in isc__async_cb (handle=<optimized out>) at async.c:111
#14 0x00007f19dc9359fb in ?? () from /usr/lib/libuv.so.1
#15 0x00007f19dc952cdb in ?? () from /usr/lib/libuv.so.1
#16 0x00007f19dc93af9f in uv_run () from /usr/lib/libuv.so.1
#17 0x00007f19dced438c in loop_thread (arg=0x7f19d8e90000) at loop.c:282
#18 0x0000562924fc5928 in main (argc=6, argv=0x7ffdf1f45078) at main.c:1574
```
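To make the ordering shown by the two backtraces concrete, here is an added illustration that is not BIND code and not part of this report: a constructed model in which the async callback's follow-up use of `client->manager` lands after the client's last reference was dropped inside the call it just made (the `ns__query_start` -> `ns_query_done` -> `nmhandle__destroy` -> `ns__client_put_cb` chain above), next to a variant that pins the client across the callback. Every type and function name in it is a simplified stand-in, not the real `ns_client_t`, `isc_mem` or netmgr API.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model, not BIND code: names mirror the structures in the
 * backtrace, but the types and functions are simplified stand-ins. */
typedef struct { int puts; } mctx_t;            /* isc_mem context stand-in */
typedef struct { mctx_t *mctx; } clientmgr_t;    /* ns_clientmgr_t stand-in */
typedef struct {
	clientmgr_t *manager;
	int references;
	bool freed;  /* models ns__client_put_cb(); real isc_mem fills with 0xde */
} client_t;
typedef struct { client_t *client; bool completes; } qctx_t;

static void client_attach(client_t *client) { client->references++; }
static void client_detach(client_t *client) {
	if (--client->references == 0) {
		client->freed = true;
		client->manager = NULL; /* stand-in for the 0xdede... poison value */
	}
}

/* Models ns__query_start(): answering the query may finish it, and
 * ns_query_done() then drops the reference the query held on the client. */
static void query_start(qctx_t *qctx) {
	if (qctx->completes) client_detach(qctx->client);
}

/* The order in the reported backtrace. Returns true when the follow-up use
 * of client->manager would land on an already released client. */
static bool async_restart_reported(qctx_t *qctx) {
	client_t *client = qctx->client;
	query_start(qctx);
	/* query.c:5843 in the report: isc_mem_put(client->manager->mctx, ...).
	 * The model struct is never really freed, so reading the flag is safe
	 * here; in named this dereference reads 0xde-filled memory. */
	return client->freed;
}

/* Defensive order: pin the client for the whole callback so the manager
 * (and its mctx) cannot go away underneath the final isc_mem_put(). */
static bool async_restart_pinned(qctx_t *qctx) {
	client_t *client = qctx->client;
	bool stale;
	client_attach(client);
	query_start(qctx);
	stale = client->freed;             /* always false while pinned */
	client->manager->mctx->puts++;     /* the qctx release, manager valid */
	client_detach(client);             /* may free the client only now */
	return stale;
}
```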