FreeSWITCH / FS-10473

Crash conference_cdr_del hangup race on conference cdr causing NULL event pointer dereference during

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.6.12
    • Fix Version/s: 1.8, 1.6.19
    • Component/s: mod_conference
    • Labels:
      None
    • Environment:
      Debian 8 (Jessie)
    • CPU Architecture:
      x86-64
    • Kernel:
      Linux
    • Userland:
      GNU/Linux
    • Distribution:
      Debian
    • Distribution Version:
      Debian 8 jessie
    • Compiler:
      gcc
    • FreeSWITCH GIT Revision:
      d28f29594faaa881ab3088e55e01cdce72d6dcfa
    • GIT Master Revision hash:
      00d1a79d084b85341c3b1edd9da7b8ff1d616148
    • FSS Support Agreement Customer Number and Company name:
      Dialpad

      Description

      We're seeing an occasional crash with the following backtrace:
      {panel}
      #0 switch_event_base_add_header (event=0x0, stack=SWITCH_STACK_BOTTOM, header_name=0x7f6433ab5300 "rtp_local_sdp_str",
      data=0x7f640ec18e90 "v=0\r\no=FreeSWITCH 1498493499 1498493500 IN IP4 185.91.11.116\r\ns=FreeSWITCH\r\nc=IN IP4 185.91.11.116\r\nt=0 0\r\nm=audio 19732 RTP/AVP 0 8 101\r\na=rtpmap:0 PCMU/8000\r\na=rtpmap:8 PCMA/8000\r\na=rtpmap:101 telep"...) at src/switch_event.c:1052
      1052 if (switch_test_flag(event, EF_UNIQ_HEADERS)) {
      (gdb) bt
      #0 switch_event_base_add_header (event=0x0, stack=SWITCH_STACK_BOTTOM, header_name=0x7f6433ab5300 "rtp_local_sdp_str",
      data=0x7f640ec18e90 "v=0\r\no=FreeSWITCH 1498493499 1498493500 IN IP4 185.91.11.116\r\ns=FreeSWITCH\r\nc=IN IP4 185.91.11.116\r\nt=0 0\r\nm=audio 19732 RTP/AVP 0 8 101\r\na=rtpmap:0 PCMU/8000\r\na=rtpmap:8 PCMA/8000\r\na=rtpmap:101 telep"...) at src/switch_event.c:1052
      #1 0x00007f682e23edd4 in switch_event_dup (event=event@entry=0x7f6416b05c00, todup=0x7f6431e108b0) at src/switch_event.c:1325
      #2 0x00007f682e1c2409 in switch_channel_get_variables (channel=0x7f641584ad50, event=event@entry=0x7f6416b05c00) at src/switch_channel.c:4310
      #3 0x00007f68254a3a0a in conference_cdr_del (member=member@entry=0x7f66d5f2b7c0) at conference_cdr.c:495
      #4 0x00007f68254b3add in conference_member_del (conference=0x7f643219c188, member=0x7f66d5f2b7c0) at conference_member.c:1122
      #5 0x00007f68254932f2 in conference_function (session=0x7f64069b8108, data=0x1 <error: Cannot access memory at address 0x1>) at mod_conference.c:2233
      #6 0x00007f682e1ebe0a in switch_core_session_exec (session=0x7f64069b8108, application_interface=0x131c6e0, arg=0x7f6431fc7730 "5027986942984192@plivo_pass_dtmf") at src/switch_core_session.c:2784
      #7 0x00007f682e1ec3a8 in switch_core_session_execute_application_get_flags (session=0x0, app=0x7f643049e990 "conference", arg=0x7f6431fc7730 "5027986942984192@plivo_pass_dtmf", flags=0x0) at src/switch_core_session.c:2654
      #8 0x00007f682e28506c in switch_ivr_parse_event (session=0x7f6433ab5300, session@entry=0x7f64069b8108, event=0x7f6431fc7730) at src/switch_ivr.c:634
      #9 0x00007f682e2858f0 in switch_ivr_parse_next_event (session=session@entry=0x7f64069b8108) at src/switch_ivr.c:761
      #10 0x00007f682e285998 in switch_ivr_parse_all_events (session=0x7f64069b8108) at src/switch_ivr.c:884
      #11 0x00007f682e286f40 in switch_ivr_park (session=0x7f64069b8108, args=0x0) at src/switch_ivr.c:1096
      #12 0x00007f6826862278 in socket_function (session=0x7f64069b8108, data=0x7f641584ad50 "\b9\356\024d\177") at mod_event_socket.c:514
      #13 0x00007f682e1ebe0a in switch_core_session_exec (session=0x7f64069b8108, application_interface=0x12e7258, arg=0x7f640501c420 "127.0.0.1:8084 async full") at src/switch_core_session.c:2784
      #14 0x00007f682e1ec3a8 in switch_core_session_execute_application_get_flags (session=0x0, app=0x7f640501c418 "socket", arg=0x7f640501c420 "127.0.0.1:8084 async full", flags=0x0) at src/switch_core_session.c:2654
      #15 0x00007f682e1efc82 in switch_core_standard_on_execute (session=<optimized out>) at src/switch_core_state_machine.c:353
      #16 switch_core_session_run (session=0x7f64069b8108) at src/switch_core_state_machine.c:650
      #17 0x00007f682e1e96ae in switch_core_session_thread (thread=<optimized out>, obj=0x7f64069b8108) at src/switch_core_session.c:1630
      #18 0x00007f682e1e544d in switch_core_session_thread_pool_worker (thread=0x7f6415c5ea60, obj=0x5b) at src/switch_core_session.c:1693
      #19 0x00007f682e4c8ae0 in dummy_worker (opaque=0x7f6415c5ea60) at threadproc/unix/thread.c:151
      #20 0x00007f682d90b0a4 in start_thread (arg=0x7f66d5f2f700) at pthread_create.c:309
      #21 0x00007f682cfe387d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
      {panel}

      We think this is happening because at the end of mod_conference.c's conference_thread_run, the cdr_nodes events are destroyed inside the conference->mutex lock but outside conference->member_mutex, which conference_cdr_add and conference_cdr_del take.
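The race hypothesised above can be checked with a small model. The C program below is an added example, not FreeSWITCH or mod_conference code; the structures and the names model_run and model_faults are assumptions made for the illustration. Thread A stands for the end of conference_thread_run destroying the cdr_nodes events, thread B for conference_cdr_del reading one of them. The program enumerates every interleaving of the two threads and counts those in which B touches an event that has already been destroyed, once with A holding only conference->mutex (the pattern described in the report) and once with A holding the conference->member_mutex that B takes, each with and without a pointer check on B's side.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration of the lock discipline described in the report; the names
 * below are assumptions for the model, not mod_conference's real types. */

enum { LOCK_MUTEX = 0, LOCK_MEMBER = 1, NUM_LOCKS = 2 }; /* conference->mutex, conference->member_mutex */
enum { THREAD_TEARDOWN = 0, THREAD_DEL = 1 };           /* conference_thread_run end, conference_cdr_del */
enum { OP_LOCK, OP_UNLOCK, OP_DESTROY, OP_CHECK, OP_USE };

typedef struct { int op; int lock; } step_t;

typedef struct {
    int pc[2];              /* next step of each thread */
    int owner[NUM_LOCKS];   /* -1 when free, otherwise the thread holding the lock */
    int event_alive;        /* 0 once the teardown path destroyed the cdr node's event */
    int skip_use;           /* B saw a dead event during its check and backs off */
    int fault;              /* B used a destroyed event: the NULL dereference in the backtrace */
} state_t;

typedef struct {
    const step_t *steps[2];
    int nsteps[2];
    int null_check;         /* does conference_cdr_del test the event pointer under its lock? */
    long runs, faults;
} model_t;

static void apply(state_t *s, int t, const step_t *st, const model_t *m)
{
    switch (st->op) {
    case OP_LOCK:    s->owner[st->lock] = t;  break;
    case OP_UNLOCK:  s->owner[st->lock] = -1; break;
    case OP_DESTROY: s->event_alive = 0;      break;  /* switch_event_destroy + NULL the pointer */
    case OP_CHECK:   if (m->null_check && !s->event_alive) s->skip_use = 1; break;
    case OP_USE:     if (!s->skip_use && !s->event_alive) s->fault = 1;     break;
    }
    s->pc[t]++;
}

/* Depth-first enumeration of every interleaving; a step that needs a lock held by
 * the other thread is not schedulable, so sharing a lock serialises the two paths. */
static void explore(state_t s, model_t *m)
{
    int t;
    if (s.pc[0] >= m->nsteps[0] && s.pc[1] >= m->nsteps[1]) {
        m->runs++;
        if (s.fault) m->faults++;
        return;
    }
    for (t = 0; t < 2; t++) {
        const step_t *st;
        state_t next;
        if (s.pc[t] >= m->nsteps[t]) continue;
        st = &m->steps[t][s.pc[t]];
        if (st->op == OP_LOCK && s.owner[st->lock] != -1) continue;
        next = s;
        apply(&next, t, st, m);
        explore(next, m);
    }
}

/* teardown_lock: the lock A holds while destroying the cdr_nodes events.
 * Returns the number of complete interleavings; *faults receives how many crashed. */
long model_run(int teardown_lock, int null_check, long *faults)
{
    step_t teardown[3] = {
        { OP_LOCK, teardown_lock }, { OP_DESTROY, 0 }, { OP_UNLOCK, teardown_lock } };
    static const step_t del[4] = {
        { OP_LOCK, LOCK_MEMBER }, { OP_CHECK, 0 }, { OP_USE, 0 }, { OP_UNLOCK, LOCK_MEMBER } };
    model_t m;
    state_t s;

    memset(&m, 0, sizeof m);
    memset(&s, 0, sizeof s);
    m.steps[THREAD_TEARDOWN] = teardown; m.nsteps[THREAD_TEARDOWN] = 3;
    m.steps[THREAD_DEL] = del;           m.nsteps[THREAD_DEL] = 4;
    m.null_check = null_check;
    s.owner[LOCK_MUTEX] = s.owner[LOCK_MEMBER] = -1;
    s.event_alive = 1;

    explore(s, &m);
    *faults = m.faults;
    return m.runs;
}

long model_faults(int teardown_lock, int null_check)
{
    long faults;
    model_run(teardown_lock, null_check, &faults);
    return faults;
}

int main(void)
{
    static const char *lock_name[] = { "conference->mutex", "conference->member_mutex" };
    int lock, check;
    for (lock = LOCK_MUTEX; lock <= LOCK_MEMBER; lock++)
        for (check = 0; check <= 1; check++) {
            long faults, runs = model_run(lock, check, &faults);
            printf("teardown under %-24s check in cdr_del=%d: %ld of %ld interleavings crash\n",
                   lock_name[lock], check, faults, runs);
        }
    return 0;
}
```

With the teardown under conference->mutex nothing excludes any interleaving, so 22 of the 35 orderings reach a destroyed event, and a pointer check in conference_cdr_del alone still leaves the 9 orderings where the event dies between the check and the use. Holding conference->member_mutex on the teardown path serialises the two, after which the check under that lock removes the last case. The general point for reviewing such code is that a pointer one thread frees must be both tested and used under the lock the freeing thread holds; a check under a different lock only narrows the window.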

            People

            • Assignee: Mike Jerris (mikej)
            • Reporter: Corey Burke
            • Votes: 0
            • Watchers: 1