Opened 9 years ago

Closed 9 years ago

#4960 closed Bug (duplicate)

Segmentation fault in UTP_ProcessIncoming

Reported by: Malizor
Owned by:
Priority: Normal
Milestone: None Set
Component: Daemon
Version: 2.60
Severity: Normal
Keywords:
Cc:

Description

Running transmission-daemon 2.60-0ubuntu0.12.04.1 (Ubuntu PPA) on my server (with the web interface).

I often noticed random segfaults. So I installed debug-symbols, ran transmission-daemon in GDB with the -f option, ignored SIGPIPE (triggered really often it seems, but transmission does not crash with them) and waited for a new segfault.

I just got one, after a bit more than a day.

GDB output:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff28d3700 (LWP 812)]
UTP_ProcessIncoming (conn=0xce4e0000ce4f, packet=<optimized out>, 
    len=<optimized out>, syn=false) at utp.cpp:2111
2111    utp.cpp: Aucun fichier ou dossier de ce type.
(gdb) bt
#0  UTP_ProcessIncoming (conn=0xce4e0000ce4f, packet=<optimized out>, 
    len=<optimized out>, syn=false) at utp.cpp:2111
#1  0x00000000004529a6 in UTP_IsIncomingUTP (
    incoming_proc=0x41e9b0 <incoming>, send_to_proc=0x41ea90 <tr_utpSendTo>, 
    send_to_userdata=0x671680, 
    buffer=0x7ffff28d1d10 "!\001\022T?F\n\373\367\347\003\275", len=30, 
    to=0x7ffff28d2d10, tolen=16) at utp.cpp:2580
#2  0x000000000041eb32 in tr_utpPacket (
    buf=0x7ffff28d1d10 "!\001\022T?F\n\373\367\347\003\275", buflen=30, 
    from=<optimized out>, fromlen=16, ss=0x671680) at tr-utp.c:179
#3  0x000000000041e044 in event_callback (s=<optimized out>, 
    type=<optimized out>, sv=0x671680) at tr-udp.c:225
#4  0x00007ffff779094c in event_base_loop () from /usr/lib/libevent-2.0.so.5
#5  0x000000000041f3c0 in libeventThreadFunc (veh=0x6725f0) at trevent.c:248
#6  0x000000000041004a in ThreadFunc (_t=0x671c20) at platform.c:118
#7  0x00007ffff6d34e9a in start_thread ()
   from /lib/x86_64-linux-gnu/libpthread.so.0
#8  0x00007ffff6a624bd in clone () from /lib/x86_64-linux-gnu/libc.so.6
#9  0x0000000000000000 in ?? ()

Do you need something else? For now my GDB is still running, so I can still run a command on the stack if needed.

Change History (8)

comment:1 Changed 9 years ago by jordan

Thanks for the backtrace. You did the right thing with SIGPIPE, those are red herrings.

Hmmm.... from this report, I'm not sure whether the issue is in libtransmission or in libutp. It smells a bit like memory corruption. Valgrind, maybe?

comment:2 Changed 9 years ago by Malizor

I relaunched Transmission in GDB 2 days ago and I just got a new segfault. But this time the traceback is quite useless... Perhaps it's another bug?

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff28d3700 (LWP 15785)]
0x0000722200007223 in ?? ()
(gdb) bt
#0  0x0000722200007223 in ?? ()
#1  0x0000722000007221 in ?? ()
#2  0x0000721e0000721f in ?? ()
#3  0x00007ffff28d1d26 in ?? ()
#4  0x000000f7000002f7 in ?? ()
#5  0x00007ffff28d1d2e in ?? ()
#6  0x0000000000000000 in ?? ()

Now I will relaunch transmission with valgrind and keep you up to date.

nb: my transmission is currently seeding 25 torrents and generally uploads around 1MB/s (but sometimes up to 40MB/s). Both in IPv4 and IPv6. Perhaps my use case triggers some special bugs?

comment:3 Changed 9 years ago by x190

See also: #4935

comment:4 Changed 9 years ago by jordan

wrt that second traceback, it looks like maybe you're running a different copy of Transmission, one which has the debugging information stripped out?

One way to ensure you've got debugging information is to build from source... another is to install Ubuntu's transmission-dbg package.

Please do keep me posted wrt a Valgrind log if you see the crash again... thanks :)

comment:5 Changed 9 years ago by Malizor

No, this second traceback is from the very same installation. That's why I think it's another bug (it may be because of #4968).

For now, valgrind is still running...

comment:6 Changed 9 years ago by Malizor

After 12 days, I finally got a new crash.

For the record, I used this command line:

sudo -g debian-transmission -u debian-transmission valgrind --tool=memcheck --leak-check=full --log-file=/tmp/valgrind.output /usr/bin/transmission-daemon -g /var/lib/transmission-daemon/info/ -f

And here is the Valgrind output:

==5213== Memcheck, a memory error detector
==5213== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==5213== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==5213== Command: /usr/bin/transmission-daemon -g /var/lib/transmission-daemon/info/ -f
==5213== Parent PID: 5212
==5213== 
==5213== Thread 2:
==5213== Syscall param write(buf) points to uninitialised byte(s)
==5213==    at 0x5CD0CCD: ??? (syscall-template.S:82)
==5213==    by 0x409A31: tr_bencToFile (bencode.c:1700)
==5213==    by 0x43A02C: tr_torrentSaveResume (resume.c:662)
==5213==    by 0x4170FB: stopTorrent (torrent.c:1777)
==5213==    by 0x41F775: tr_runInEventThread (trevent.c:312)
==5213==    by 0x41740D: tr_torrentStop (torrent.c:1794)
==5213==    by 0x43401A: bandwidthPulse (peer-mgr.c:3612)
==5213==    by 0x525494B: event_base_loop (in /usr/lib/libevent-2.0.so.5.1.4)
==5213==    by 0x41F3BF: libeventThreadFunc (trevent.c:248)
==5213==    by 0x410049: ThreadFunc (platform.c:118)
==5213==    by 0x5CC9E99: start_thread (pthread_create.c:308)
==5213==    by 0x5FD14BC: clone (clone.S:112)
==5213==  Address 0xd697c92 is 3,826 bytes inside a block of size 16,384 alloc'd
==5213==    at 0x4C2B6CD: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==5213==    by 0x5258137: ??? (in /usr/lib/libevent-2.0.so.5.1.4)
==5213==    by 0x525ABCD: evbuffer_pullup (in /usr/lib/libevent-2.0.so.5.1.4)
==5213==    by 0x409A0D: tr_bencToFile (bencode.c:1696)
==5213==    by 0x43A02C: tr_torrentSaveResume (resume.c:662)
==5213==    by 0x4170FB: stopTorrent (torrent.c:1777)
==5213==    by 0x41F775: tr_runInEventThread (trevent.c:312)
==5213==    by 0x41740D: tr_torrentStop (torrent.c:1794)
==5213==    by 0x43401A: bandwidthPulse (peer-mgr.c:3612)
==5213==    by 0x525494B: event_base_loop (in /usr/lib/libevent-2.0.so.5.1.4)
==5213==    by 0x41F3BF: libeventThreadFunc (trevent.c:248)
==5213==    by 0x410049: ThreadFunc (platform.c:118)
==5213== 
==5213== Syscall param write(buf) points to uninitialised byte(s)
==5213==    at 0x5CD0CCD: ??? (syscall-template.S:82)
==5213==    by 0x409A31: tr_bencToFile (bencode.c:1700)
==5213==    by 0x43A02C: tr_torrentSaveResume (resume.c:662)
==5213==    by 0x411753: onSaveTimer (session.c:544)
==5213==    by 0x525494B: event_base_loop (in /usr/lib/libevent-2.0.so.5.1.4)
==5213==    by 0x41F3BF: libeventThreadFunc (trevent.c:248)
==5213==    by 0x410049: ThreadFunc (platform.c:118)
==5213==    by 0x5CC9E99: start_thread (pthread_create.c:308)
==5213==    by 0x5FD14BC: clone (clone.S:112)
==5213==  Address 0xcc013b7 is 663 bytes inside a block of size 8,192 alloc'd
==5213==    at 0x4C2B6CD: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==5213==    by 0x5258137: ??? (in /usr/lib/libevent-2.0.so.5.1.4)
==5213==    by 0x5258E17: ??? (in /usr/lib/libevent-2.0.so.5.1.4)
==5213==    by 0x525B7DB: evbuffer_expand (in /usr/lib/libevent-2.0.so.5.1.4)
==5213==    by 0x4098AD: tr_bencToBuf (bencode.c:1623)
==5213==    by 0x4099F9: tr_bencToFile (bencode.c:1695)
==5213==    by 0x43A02C: tr_torrentSaveResume (resume.c:662)
==5213==    by 0x411753: onSaveTimer (session.c:544)
==5213==    by 0x525494B: event_base_loop (in /usr/lib/libevent-2.0.so.5.1.4)
==5213==    by 0x41F3BF: libeventThreadFunc (trevent.c:248)
==5213==    by 0x410049: ThreadFunc (platform.c:118)
==5213==    by 0x5CC9E99: start_thread (pthread_create.c:308)
==5213== 
==5213== Syscall param socketcall.sendto(msg) points to uninitialised byte(s)
==5213==    at 0x5CD13A3: ??? (syscall-template.S:82)
==5213==    by 0x4497DD: dht_send (dht.c:2338)
==5213==    by 0x44E64F: dht_periodic (dht.c:2657)
==5213==    by 0x41D0B2: tr_dhtCallback (tr-dht.c:639)
==5213==    by 0x41E0AB: event_callback (tr-udp.c:216)
==5213==    by 0x525494B: event_base_loop (in /usr/lib/libevent-2.0.so.5.1.4)
==5213==    by 0x41F3BF: libeventThreadFunc (trevent.c:248)
==5213==    by 0x410049: ThreadFunc (platform.c:118)
==5213==    by 0x5CC9E99: start_thread (pthread_create.c:308)
==5213==    by 0x5FD14BC: clone (clone.S:112)
==5213==  Address 0xaf36897 is on thread 2's stack
==5213== 
==5213== Invalid read of size 4
==5213==    at 0x451A08: UTP_ProcessIncoming(UTPSocket*, unsigned char const*, unsigned long, bool) (utp.cpp:2111)
==5213==    by 0x4529A5: UTP_IsIncomingUTP (utp.cpp:2580)
==5213==    by 0x41EB31: tr_utpPacket (tr-utp.c:179)
==5213==    by 0x41E043: event_callback (tr-udp.c:225)
==5213==    by 0x525494B: event_base_loop (in /usr/lib/libevent-2.0.so.5.1.4)
==5213==    by 0x41F3BF: libeventThreadFunc (trevent.c:248)
==5213==    by 0x410049: ThreadFunc (platform.c:118)
==5213==    by 0x5CC9E99: start_thread (pthread_create.c:308)
==5213==    by 0x5FD14BC: clone (clone.S:112)
==5213==  Address 0xac040000ac71 is not stack'd, malloc'd or (recently) free'd
==5213== 
==5213== 
==5213== Process terminating with default action of signal 11 (SIGSEGV)
==5213==  General Protection Fault
==5213==    at 0x451A08: UTP_ProcessIncoming(UTPSocket*, unsigned char const*, unsigned long, bool) (utp.cpp:2111)
==5213==    by 0x4529A5: UTP_IsIncomingUTP (utp.cpp:2580)
==5213==    by 0x41EB31: tr_utpPacket (tr-utp.c:179)
==5213==    by 0x41E043: event_callback (tr-udp.c:225)
==5213==    by 0x525494B: event_base_loop (in /usr/lib/libevent-2.0.so.5.1.4)
==5213==    by 0x41F3BF: libeventThreadFunc (trevent.c:248)
==5213==    by 0x410049: ThreadFunc (platform.c:118)
==5213==    by 0x5CC9E99: start_thread (pthread_create.c:308)
==5213==    by 0x5FD14BC: clone (clone.S:112)
==5213== 
==5213== HEAP SUMMARY:
==5213==     in use at exit: 11,138,505 bytes in 17,724 blocks
==5213==   total heap usage: 1,434,350,603 allocs, 1,434,332,879 frees, 7,198,490,486,289 bytes allocated
==5213== 
==5213== Thread 1:
==5213== 32 bytes in 1 blocks are possibly lost in loss record 109 of 518
==5213==    at 0x4C2B6CD: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==5213==    by 0x54BA811: Curl_llist_alloc (in /usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4.2.0)
==5213==    by 0x54BAC1B: Curl_hash_init (in /usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4.2.0)
==5213==    by 0x54BACF3: Curl_hash_alloc (in /usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4.2.0)
==5213==    by 0x54BB9B6: curl_multi_init (in /usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4.2.0)
==5213==    by 0x422EBD: tr_webThreadFunc (web.c:340)
==5213==    by 0x410049: ThreadFunc (platform.c:118)
==5213==    by 0x5CC9E99: start_thread (pthread_create.c:308)
==5213==    by 0x5FD14BC: clone (clone.S:112)
==5213== 
==5213== 288 bytes in 1 blocks are possibly lost in loss record 257 of 518
==5213==    at 0x4C29DB4: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==5213==    by 0x4012074: _dl_allocate_tls (dl-tls.c:297)
==5213==    by 0x5CCAABC: pthread_create@@GLIBC_2.2.5 (allocatestack.c:571)
==5213==    by 0x41030F: tr_threadNew (platform.c:145)
==5213==    by 0x41F643: tr_eventInit (trevent.c:269)
==5213==    by 0x4126EF: tr_sessionInit (session.c:598)
==5213==    by 0x405DD3: main (daemon.c:515)
==5213== 
==5213== 288 bytes in 1 blocks are possibly lost in loss record 258 of 518
==5213==    at 0x4C29DB4: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==5213==    by 0x4012074: _dl_allocate_tls (dl-tls.c:297)
==5213==    by 0x5CCAABC: pthread_create@@GLIBC_2.2.5 (allocatestack.c:571)
==5213==    by 0x41030F: tr_threadNew (platform.c:145)
==5213==    by 0x412932: tr_sessionInitImpl (session.c:724)
==5213==    by 0x41F505: readFromPipe (trevent.c:192)
==5213==    by 0x525494B: event_base_loop (in /usr/lib/libevent-2.0.so.5.1.4)
==5213==    by 0x41F3BF: libeventThreadFunc (trevent.c:248)
==5213==    by 0x410049: ThreadFunc (platform.c:118)
==5213==    by 0x5CC9E99: start_thread (pthread_create.c:308)
==5213==    by 0x5FD14BC: clone (clone.S:112)
==5213== 
==5213== 27,941 bytes in 1 blocks are possibly lost in loss record 476 of 518
==5213==    at 0x4C2B6CD: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==5213==    by 0x40878D: tr_bencInitRaw (bencode.c:604)
==5213==    by 0x4092D5: tr_bencParse (bencode.c:306)
==5213==    by 0x4093D4: tr_bencLoad (bencode.c:352)
==5213==    by 0x43C5E3: handle_request (rpc-server.c:263)
==5213==    by 0x526F8F4: ??? (in /usr/lib/libevent-2.0.so.5.1.4)
==5213==    by 0x526E96C: ??? (in /usr/lib/libevent-2.0.so.5.1.4)
==5213==    by 0x525EE2C: ??? (in /usr/lib/libevent-2.0.so.5.1.4)
==5213==    by 0x525494B: event_base_loop (in /usr/lib/libevent-2.0.so.5.1.4)
==5213==    by 0x41F3BF: libeventThreadFunc (trevent.c:248)
==5213==    by 0x410049: ThreadFunc (platform.c:118)
==5213==    by 0x5CC9E99: start_thread (pthread_create.c:308)
==5213== 
==5213== 30,480 (768 direct, 29,712 indirect) bytes in 2 blocks are definitely lost in loss record 481 of 518
==5213==    at 0x4C2B7B2: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==5213==    by 0x407BC9: makeroom (bencode.c:176)
==5213==    by 0x407C35: getNode.part.8 (bencode.c:209)
==5213==    by 0x4093A4: tr_bencParse (bencode.c:197)
==5213==    by 0x4093D4: tr_bencLoad (bencode.c:352)
==5213==    by 0x43C5E3: handle_request (rpc-server.c:263)
==5213==    by 0x526F8F4: ??? (in /usr/lib/libevent-2.0.so.5.1.4)
==5213==    by 0x526E96C: ??? (in /usr/lib/libevent-2.0.so.5.1.4)
==5213==    by 0x525EE2C: ??? (in /usr/lib/libevent-2.0.so.5.1.4)
==5213==    by 0x525494B: event_base_loop (in /usr/lib/libevent-2.0.so.5.1.4)
==5213==    by 0x41F3BF: libeventThreadFunc (trevent.c:248)
==5213==    by 0x410049: ThreadFunc (platform.c:118)
==5213== 
==5213== 38,014 (216 direct, 37,798 indirect) bytes in 1 blocks are definitely lost in loss record 487 of 518
==5213==    at 0x4C29DB4: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==5213==    by 0x54BB973: curl_multi_init (in /usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4.2.0)
==5213==    by 0x422EBD: tr_webThreadFunc (web.c:340)
==5213==    by 0x410049: ThreadFunc (platform.c:118)
==5213==    by 0x5CC9E99: start_thread (pthread_create.c:308)
==5213==    by 0x5FD14BC: clone (clone.S:112)
==5213== 
==5213== LEAK SUMMARY:
==5213==    definitely lost: 984 bytes in 3 blocks
==5213==    indirectly lost: 67,510 bytes in 949 blocks
==5213==      possibly lost: 28,549 bytes in 4 blocks
==5213==    still reachable: 11,041,462 bytes in 16,768 blocks
==5213==         suppressed: 0 bytes in 0 blocks
==5213== Reachable blocks (those to which a pointer was found) are not shown.
==5213== To see them, rerun with: --leak-check=full --show-reachable=yes
==5213== 
==5213== For counts of detected and suppressed errors, rerun with: -v
==5213== Use --track-origins=yes to see where uninitialised values come from
==5213== ERROR SUMMARY: 10098 errors from 10 contexts (suppressed: 2 from 2)

comment:7 Changed 9 years ago by x190

==5213== Syscall param socketcall.sendto(msg) points to uninitialised byte(s)
==5213==    at 0x5CD13A3: ??? (syscall-template.S:82)
==5213==    by 0x4497DD: dht_send (dht.c:2338)
==5213==    by 0x44E64F: dht_periodic (dht.c:2657)

Possible security issue?

http://stackoverflow.com/questions/5844242/valgrind-yells-about-an-uninitialised-bytes
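The Memcheck warning quoted above is the usual signature of a well-known bug class: a struct is handed to sendto() whole, and its alignment padding, which no field assignment ever writes, goes on the wire carrying stale stack or heap contents. Whether dht.c is actually affected cannot be told from this log alone. The C below is an added illustration, not Transmission or libdht code; `struct msg` is a constructed layout chosen to have padding, and `leaked_bytes` is a test helper that simulates stale memory with a marker byte.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed wire message for illustration (not Transmission's DHT format).
 * The field order forces alignment padding on common ABIs. */
struct msg {
    uint8_t  type;   /* followed by 3 padding bytes on x86-64 */
    uint32_t id;
    uint16_t port;   /* followed by 2 tail padding bytes */
};

#define MSG_FIELD_BYTES (sizeof(uint8_t) + sizeof(uint32_t) + sizeof(uint16_t))

/* The pattern Memcheck flags as "sendto(msg) points to uninitialised byte(s)":
 * every field is assigned, but the padding keeps whatever the memory held
 * before, and sendto(fd, m, sizeof *m, ...) would transmit those bytes. */
void build_unsafe(struct msg *m, uint32_t id, uint16_t port)
{
    m->type = 1;
    m->id   = id;
    m->port = port;
}

/* Fix: clear the whole object first so the padding is defined (zero) before
 * the struct is sent. Serialising field by field into a packed buffer is the
 * other common remedy; it avoids padding altogether. */
void build_safe(struct msg *m, uint32_t id, uint16_t port)
{
    memset(m, 0, sizeof *m);
    m->type = 1;
    m->id   = id;
    m->port = port;
}

/* Test helper: pre-fill the object with a marker byte (simulated stale stack
 * contents), build it, and count marker bytes that survive, i.e. bytes that
 * would leak. Field values are chosen so none of their bytes equal the marker. */
size_t leaked_bytes(int use_safe)
{
    const unsigned char marker = 0xAA;
    struct msg m;
    memset(&m, marker, sizeof m);
    if (use_safe) build_safe(&m, 0x01020304u, 0x0506u);
    else          build_unsafe(&m, 0x01020304u, 0x0506u);
    const unsigned char *p = (const unsigned char *)&m;
    size_t n = 0;
    for (size_t i = 0; i < sizeof m; i++)
        if (p[i] == marker) n++;
    return n;   /* unsafe: sizeof(struct msg) - MSG_FIELD_BYTES; safe: 0 */
}
```

Running the unsafe builder under Valgrind before a real sendto() reproduces exactly the kind of report seen in comment 6; with the memset in place the report disappears.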

comment:8 Changed 9 years ago by jordan

  • Resolution set to duplicate
  • Status changed from new to closed

Closing as a dupe of #5002
