Hello Bernhard,

On 2018-12-15 9:02 a.m., Bernhard Übelacker wrote:
Hello Anton,

On Fri, 14 Dec 2018 16:34:23 -0500 Anton Avramov <lu...@lukav.com> wrote:
Hello Bernhard,

Well no. I've actually installed: apt install
libmariadbclient18=10.1.26-0+deb9u1 libmariadbclient18-dbgsym

(gdb) display/i $pc
2: x/i $pc
=> 0x7ffff479eccc <mysql_stmt_bind_result+172>:    movzbl 0x451(%rax),%eax
At this instruction $rax seems to contain the address stored in stmt->mysql.
This address seems to be invalid in your process.
And therefore accessing the options member crashes.


Could you please add the output of following commands, when the crash happened:
   print/x $rax
   print stmt->mysql
   print stmt
   set print pretty on
   print *stmt
   print *stmt->mysql
   set print pretty off
   up
   print conn_.statements_[isc::dhcp::MySqlHostDataSourceImpl::GET_HOST_SUBID4_DHCPID]
   up
   x/6xb identifier_begin

Here is the output of the requested commands:

(gdb)   print/x $rax
$7 = 0x0
(gdb) print stmt->mysql
$8 = (MYSQL *) 0x0
(gdb) print stmt
$9 = (MYSQL_STMT *) 0x5555558f6be8
(gdb) set print pretty on
(gdb) print *stmt
$10 = {
  mem_root = {
    free = 0x5555558f6f28,
    used = 0x5555558f9cb8,
    pre_alloc = 0x5555558f6f28,
    min_malloc = 32,
    block_size = 2009,
    block_num = 6,
    first_block_usage = 0,
    error_handler = 0x0
  },
  list = {
    prev = 0x0,
    next = 0x5555558f2c70,
    data = 0x5555558f6be8
  },
  mysql = 0x0,
  params = 0x5555558f9cd0,
  bind = 0x5555558f9e20,
  fields = 0x5555558f7770,
  result = {
    data = 0x0,
    embedded_info = 0x0,
    alloc = {
      free = 0x5555558f8c88,
      used = 0x0,
      pre_alloc = 0x5555558f8c88,
      min_malloc = 24,
      block_size = 4057,
      block_num = 4,
      first_block_usage = 0,
      error_handler = 0x0
    },
    rows = 0,
    fields = 0,
---Type <return> to continue, or q <return> to quit---
    extension = 0x0
  },
  data_cursor = 0x0,
  read_row_func = 0x7ffff479d630 <stmt_read_row_no_result_set>,
  affected_rows = 18446744073709551615,
  insert_id = 0,
  stmt_id = 4269,
  flags = 0,
  prefetch_rows = 1,
  server_status = 2,
  last_errno = 2013,
  param_count = 3,
  field_count = 18,
  state = MYSQL_STMT_PREPARE_DONE,
  last_error = "Lost connection to MySQL server during query", '\000' <repeats 467 times>,
  sqlstate = "HY000",
  send_types_to_server = 1 '\001',
  bind_param_done = 1 '\001',
  bind_result_done = 1 '\001',
  unbuffered_fetch_cancelled = 0 '\000',
  update_max_length = 0 '\000',
  extension = 0x5555558e7948
}
(gdb) print *stmt->mysql
Cannot access memory at address 0x0
(gdb) set print pretty off
(gdb) up
#1  0x00007ffff7a9ed19 in isc::dhcp::MySqlHostDataSourceImpl::getHostCollection (this=0x5555558d6840, stindex=isc::dhcp::MySqlHostDataSourceImpl::GET_HOST_SUBID4_DHCPID, bind=0x7fffffffd340, exchange=...,
    result=std::vector of length 0, capacity 0, single=true)
    at ../../../../src/lib/dhcpsrv/mysql_host_data_source.cc:2262
2262    ../../../../src/lib/dhcpsrv/mysql_host_data_source.cc: Няма такъв файл или директория.
(gdb) print conn_.statements_[isc::dhcp::MySqlHostDataSourceImpl::GET_HOST_SUBID4_DHCPID]
$11 = (st_mysql_stmt *) 0x5555558f6be8
(gdb) up
#2  0x00007ffff7a9f540 in isc::dhcp::MySqlHostDataSourceImpl::getHost (this=0x5555558d6840, subnet_id=@0x7fffffffd8ac: 1, identifier_type=@0x555555883830: isc::dhcp::Host::IDENT_HWADDR,
    identifier_begin=0x555555834300 "\b", identifier_len=6, stindex=isc::dhcp::MySqlHostDataSourceImpl::GET_HOST_SUBID4_DHCPID, exchange=...)
    at ../../../../src/lib/dhcpsrv/mysql_host_data_source.cc:2345
2345    in ../../../../src/lib/dhcpsrv/mysql_host_data_source.cc
(gdb) x/6xb identifier_begin
0x555555834300:    0x08    0x00    0x27    0x04    0xcc    0x0e



The last line should output 6 bytes showing the MAC address of the
requesting client. Maybe you could check if that crash is
triggered always by the same client or kind of client.

Each time the identifier is different, so I would say it is not caused by a particular client.
The clients are identical: dhclient, which is the default with Debian.

I looked through upstream git history and commits [1] and [2] might be
related: they disable automatic reconnects.
No such commit seems to have reached the stretch version of kea-dhcp:
./isc-kea-1.1.0/src/lib/dhcpsrv/mysql_connection.cc:138:    my_bool auto_reconnect = MLM_TRUE;

Hmmm ... but if you disable autoreconnect, doesn't this mean that each time you restart your database server for any reason, your DHCP server would end up in a non-working state and would require a restart as well?


Kind regards,
Bernhard

Thank you very much for all your effort.
Best regards.


(gdb) list libmysql.c:4134
4129                  field->type, param_count);
4130          DBUG_RETURN(1);
4131        }
4132      }
4133      stmt->bind_result_done= BIND_RESULT_DONE;
4134      if (stmt->mysql->options.report_data_truncation)
4135        stmt->bind_result_done|= REPORT_DATA_TRUNCATION;
4136
4137      DBUG_RETURN(0);
4138    }


[1] https://gitlab.isc.org/isc-projects/kea/commit/9881ef6d772f27de82c048e198ba0ff9e71b9351
[2] https://gitlab.isc.org/isc-projects/kea/commit/6b278a3f54ecf6bd6e2d381047a9eced4bf165f5
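
Added example, not part of the original thread and not MariaDB or Kea code: a small C model of the state in the gdb dump (statement handle still allocated, stmt->mysql = 0x0, last_errno = 2013) showing a bind step that checks the back-pointer before the read at libmysql.c:4134, and a caller that rebuilds a detached cached statement once. All struct, enum and function names are hypothetical, the options member is flattened into the connection struct, and the flag values are model values.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for fields seen in the gdb dump; NOT the real
 * MariaDB client structs. Every name below is hypothetical. */
struct model_conn { unsigned char report_data_truncation; };
struct model_stmt {
    struct model_conn *mysql;       /* 0x0 in the dump */
    unsigned int last_errno;        /* 2013 in the dump */
    unsigned char bind_result_done;
};
enum { LOST_CONNECTION = 2013 };              /* last_errno from the dump */
enum { DONE_FLAG = 1, TRUNCATION_FLAG = 2 };  /* model flag values */
enum bind_status { BIND_OK, BIND_BAD_ARG, BIND_DETACHED };

/* Puts a handle into the state the dump shows after the connection loss. */
void model_detach(struct model_stmt *s) {
    s->mysql = NULL;
    s->last_errno = LOST_CONNECTION;
}

/* The step from libmysql.c:4133-4135 with the pointer checked first. */
enum bind_status checked_bind_result(struct model_stmt *s) {
    if (s == NULL) return BIND_BAD_ARG;
    if (s->mysql == NULL) return BIND_DETACHED;  /* the faulting read */
    s->bind_result_done = DONE_FLAG;
    if (s->mysql->report_data_truncation)
        s->bind_result_done |= TRUNCATION_FLAG;
    return BIND_OK;
}

/* Caller side: a cached handle found detached is rebound to the live
 * connection (stands in for close + re-prepare) and retried once. */
enum bind_status bind_with_recovery(struct model_stmt *s,
                                    struct model_conn *live, int *reprepared) {
    enum bind_status st = checked_bind_result(s);
    *reprepared = 0;
    if (st == BIND_DETACHED && live != NULL) {
        s->mysql = live;
        s->last_errno = 0;
        *reprepared = 1;
        st = checked_bind_result(s);
    }
    return st;
}

int main(void) {
    struct model_conn live = { 1 };
    struct model_stmt stmt = { &live, 0, 0 };
    int re = 0;
    model_detach(&stmt);
    printf("direct bind: %d\n", checked_bind_result(&stmt));
    printf("with recovery: %d\n", bind_with_recovery(&stmt, &live, &re));
    return 0;
}
```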
