Bug#925961: segfault in libdovecot-storage at unknown circumstances
Dear Maintainer,
tried to get some more information out of the
kernel segfault line, until a backtrace or core
gets delivered...
For the lines with "ip .90e" I guess
it could be related to these functions:
array_append_array_i
mailbox_uidset_change
mail_search_arg_init
It might be that we hit following line with
dest_array or src_array containing a null pointer.
array.h:193 i_assert(dest_array->element_size ==
src_array->element_size);
Then we would get such a segfault instead
of the assert message.
But sure, the problem behind needs more context.
Kind regards,
Bernhard
# Stretch amd64 qemu VM 2019-03-29
apt update
apt dist-upgrade
apt install devscripts dpkg-dev mc systemd-coredump
dovecot-imapd=1:2.3.4.1-1~bpo9+1 gdb
wget
https://snapshot.debian.org/archive/debian-debug/20190222T150352Z/pool/main/d/dovecot/dovecot-imapd-dbgsym_2.3.4.1-1%7Ebpo9%2B1_amd64.deb
wget
https://snapshot.debian.org/archive/debian-debug/20190222T150352Z/pool/main/d/dovecot/dovecot-core-dbgsym_2.3.4.1-1%7Ebpo9%2B1_amd64.deb
dpkg -i dovecot-imapd-dbgsym_2.3.4.1-1~bpo9+1_amd64.deb
dovecot-core-dbgsym_2.3.4.1-1~bpo9+1_amd64.deb
mkdir /home/benutzer/source/dovecot/orig -p
cd/home/benutzer/source/dovecot/orig
dget
https://snapshot.debian.org/archive/debian-debug/20190222T150352Z/pool/main/d/dovecot/dovecot_2.3.4.1-1%7Ebpo9%2B1.dsc
cd
From submitter:
kernel: [1691560.449117] imap[8380]: segfault at 8 ip 7fea0c1c890e sp
7ffdc7607150 error 4 in libdovecot-storage.so.0.0.0[7fea0c10d000+12c000]
https://www.enodev.fr/posts/decode-segfault-errors-in-dmesg.html
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/arch/x86/mm/fault.c?h=linux-4.9.y#n31
/*
* Page fault error code bits:
*
* bit 0 ==<-> 0: no page found<->1: protection fault
* bit 1 ==<-> 0: read access><-->1: write access
* bit 2 ==<-> 0: kernel-mode access<>1: user-mode access
* bit 3 ==<-><--><--><-->1: use of reserved bit detected
* bit 4 ==<-><--><--><-->1: fault was an instruction fetch
* bit 5 ==<-><--><--><-->1: protection keys block access
*/
enum x86_pf_error_code {
<-->PF_PROT><-->=<-><-->1 << 0,
<-->PF_WRITE<-->=<-><-->1 << 1,
<-->PF_USER><-->=<-><-->1 << 2,
<-->PF_RSVD><-->=<-><-->1 << 3,
<-->PF_INSTR<-->=<-><-->1 << 4,
<-->PF_PK<-><-->=<-><-->1 << 5,
};
"error 4" == 0b100
bit 0 ==<--> 0: no page found
bit 1 ==<--> 0: read access
bit 2 ==<--> 1: user-mode access
#
script -c "gdb -q -ex 'set width 0' -ex 'set pagination off' -ex 'b main' -ex
'run' --args /usr/lib/dovecot/imap" -a gdb_$(date +%Y-%m-%d_%H-%M-%S).log
info share
disassemble 0x77ac15c0,0x77b8599e
kill
q
root@debian:~# grep "90e " gdb_2019-03-29_23-29-10.log | grep "0x8("
0x77ac690e : mov0x8(%r12),%rax
0x77ae390e : mov%rsi,0x8(%rsp)
0x77b6890e :mov
%esi,0x8(%rdi)
--> Could be the first line - as the second and third are writes
#
gdb -q --args /usr/lib/dovecot/imap
set width 0
set pagination off
b main
directory /home/benutzer/source/dovecot/orig/dovecot-2.3.4.1/src/imap
directory /home/benutzer/source/dovecot/orig/dovecot-2.3.4.1/src/lib-storage
directory /home/benutzer/source/dovecot/orig/dovecot-2.3.4.1/src/lib
run
root@debian:~# gdb -q --args /usr/lib/dovecot/imap
Reading symbols from /usr/lib/dovecot/imap...Reading symbols from
/usr/lib/debug/.build-id/18/305c1d9a040a3941346dc9a9a34a0839fc3bf0.debug...done.
done.
(gdb) set width 0
(gdb) set pagination off
(gdb) b main
Breakpoint 1 at 0xd510: file main.c, line 416.
(gdb) directory /home/benutzer/source/dovecot/orig/dovecot-2.3.4.1/src/imap
Source directories searched:
/home/benutzer/source/dovecot/orig/dovecot-2.3.4.1/src/imap:$cdir:$cwd
(gdb) directory
/home/benutzer/source/dovecot/orig/dovecot-2.3.4.1/src/lib-storage
Source directories searched:
/home/benutzer/source/dovecot/orig/dovecot-2.3.4.1/src/lib-storage:/home/benutzer/source/dovecot/orig/dovecot-2.3.4.1/src/imap:$cdir:$cwd
(gdb) directory /home/benutzer/source/dovecot/orig/dovecot-2.3.4.1/src/lib
Source directories searched:
/home/benutzer/source/dovecot/orig/dovecot-2.3.4.1/src/lib:/home/benutzer/source/dovecot/orig/dovecot-2.3.4.1/src/lib-storage:/home/benutzer/source/dovecot/orig/dovecot-2.3.4.1/src/imap:$cdir:$cwd
(gdb) run
Starting program: /usr/lib/dovecot/imap
Breakpoint 1, main (argc=1, argv=0x7fffed18) at main.c:416
416 {
(gdb) print mail_search_arg_init
$1 = {void (struct mail_search_args *, struct mail_search_arg *, bool, const
union array__seq_range *)} 0x77ac67e0
(gdb) b *$1+302
Breakpoint 2 at 0x77ac690e: file ../../src/lib/array.h, line 193.
(gdb) info b
Num Type Disp Enb AddressWhat
1 breakpoint keep y
Bug#925961: segfault in libdovecot-storage at unknown circumstances
Package: dovecot-core
Version: 1:2.3.4.1-1~bpo9+1
Severity: normal
Yes, I know this is not very informative. I've already set
ALLOW_COREDUMPS to 1 in /etc/default/dovecot and waiting for the next
fault.
% grep segfa kern.log*
kern.log.1: Mar 17 13:27:09 mail kernel: [118616.482998] imap[3]:
segfault at 8 ip 7efbff924cbb sp 7fff0b333890 error 4 in
libdovecot-storage.so.0.0.0[7efbff858000+145000]
% zgrep segfa kern.log*gz
kern.log.2.gz:Mar 15 01:51:07 mail kernel: [1691560.449110] imap[8329]:
segfault at 8 ip 7ff38ae2390e sp 7ffcd3317640 error 4
kern.log.2.gz:Mar 15 01:51:07 mail kernel: [1691560.449117] imap[8380]:
segfault at 8 ip 7fea0c1c890e sp 7ffdc7607150 error 4 in
libdovecot-storage.so.0.0.0[7fea0c10d000+12c000]
kern.log.2.gz:Mar 15 01:51:07 mail kernel: [1691560.449438] imap[8371]:
segfault at 8 ip 7f4775b0490e sp 7ffce2814cc0 error 4 in
libdovecot-storage.so.0.0.0[7f4775a49000+12c000]
kern.log.2.gz:Mar 15 01:51:07 mail kernel: [1691560.461685] imap[2435]:
segfault at 8 ip 7fa8cb0ab90e sp 7ffc4185e130 error 4 in
libdovecot-storage.so.0.0.0[7fa8caff+12c000]
kern.log.3.gz:Mar 13 02:35:33 mail kernel: [1521426.802606] imap[11824]:
segfault at 8 ip 7fa1b95d290e sp 7ffd935de700 error 4
kern.log.3.gz:Mar 13 02:35:33 mail kernel: [1521426.802614] imap[11827]:
segfault at 8 ip 7f1afe53490e sp 7fffbeb753d0 error 4 in
libdovecot-storage.so.0.0.0[7f1afe479000+12c000]
kern.log.3.gz:Mar 13 02:35:33 mail kernel: [1521426.802983] imap[11837]:
segfault at 8 ip 7f70b5c9b90e sp 7ffd7f80bc80 error 4 in
libdovecot-storage.so.0.0.0[7f70b5be+12c000]
% grep 'signal 11' mail.err*
mail.err.1: Mar 17 13:27:09 mail dovecot:
imap(sergio)<3>: Fatal: master: service(imap): child
3 killed with signal 11 (core dumps disabled -
https://dovecot.org/bugreport.html#coredumps)
% zgrep 'signal 11' mail.err*
mail.err.1:Mar 17 13:27:09 mail dovecot: imap(sergio)<3>:
Fatal: master: service(imap): child 3 killed with signal 11 (core dumps
disabled - https://dovecot.org/bugreport.html#coredumps)
mail.err.2.gz:Mar 15 01:51:07 mail dovecot: imap(sergio): Fatal: master:
service(imap): child 8371 killed with signal 11 (core dumps disabled)
mail.err.2.gz:Mar 15 01:51:07 mail dovecot: imap(sergio): Fatal: master:
service(imap): child 8380 killed with signal 11 (core dumps disabled)
mail.err.2.gz:Mar 15 01:51:07 mail dovecot: imap(sergio): Fatal: master:
service(imap): child 8329 killed with signal 11 (core dumps disabled)
mail.err.2.gz:Mar 15 01:51:07 mail dovecot: imap(sergio): Fatal: master:
service(imap): child 2435 killed with signal 11 (core dumps disabled)
mail.err.3.gz:Mar 13 02:35:33 mail dovecot: imap(sergio): Fatal: master:
service(imap): child 11827 killed with signal 11 (core dumps disabled)
mail.err.3.gz:Mar 13 02:35:33 mail dovecot: imap(sergio): Fatal: master:
service(imap): child 11837 killed with signal 11 (core dumps disabled)
mail.err.3.gz:Mar 13 02:35:33 mail dovecot: imap(sergio): Fatal: master:
service(imap): child 11824 killed with signal 11 (core dumps disabled)
% s dovecot -n
# 2.3.4.1 (f79e8e7e4): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.4 ()
doveconf: Warning: service auth { client_limit=1000 } is lower than required
under max. load (1324)
doveconf: Warning: service anvil { client_limit=1000 } is lower than required
under max. load (1227)
# OS: Linux 4.9.0-8-amd64 x86_64 Debian 9.8 ext4
# Hostname: mail.outerface.net
auth_verbose = yes
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
lmtp_rcpt_check_quota = yes
lmtp_save_to_detail_mailbox = yes
mail_home = /var/mail/%u
mail_location = sdbox:/var/mail/%u
mail_plugins = quota fts virtual
mail_privileged_group = mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character
vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy
include variables body enotify environment mailbox date index ihave duplicate
mime foreverypart extracttext spamtest spamtestplus
namespace {
location = virtual:~/mailboxes/virtual
prefix = virtual/
separator = /
}
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Spam {
special_use = \Junk
}
mailbox Trash {
special_use = \Trash
}
prefix =
}
passdb {
args = /etc/dovecot/dovecot-ldap.conf.ext
driver = ldap
}
plugin {
fts_autoindex = yes
quota = count:User quota
quota_grace = 10%%
quota_rule = *:storage=2G
quota_vsizes = yes
sieve = file:~/sieve;active=~/.dovecot.sieve
sieve_extensions = +spamtest +spamtestplus
sieve_global = /etc/dovecot/sieve/
sieve_spamtest_max_value = 120
sieve_spamtest_status_header = X-Spam_score_int
sieve_spamtest_status_type = score
}
protocols =
