[Dovecot] dovecot-lda (2.1.12) segfaults
We uograded our dovecot from version 2.1.10 -> 2.10.12, but within the first hour of use, dovecot-lda would segfault during delivery. This left a lock file lying around causing the user's mail readers to hang; much hilarity ensues. All further deliveries to the same user will result in a crash.
The only thing that fixes this condition is to blow away the user's INBOX cache index. Reindexing with "doveadm index" does not fix anything.
I've installed a test version with one user's problematic INBOX cache indices and ran
gdb dovecot-lda
(gdb) run -t testuser </dev/null
and it crashes with the following backtrace
Program received signal SIGSEGV, Segmentation fault.
0xff2a0440 in mail_cache_header_fields_read (cache=0x5c120) at mail-cache-fields.c:323
323 if (field_hdr->size < sizeof(*field_hdr) +
(gdb) bt
#0 0xff2a0440 in mail_cache_header_fields_read (cache=0x5c120) at mail-cache-fields.c:323
#1 0xff29e8bc in mail_cache_compress_locked (cache=0x5c120, trans=0x63ce8, unlock=0xffbfeeef)
at mail-cache-compress.c:361
#2 0xff29efd0 in mail_cache_compress (cache=0x5c120, trans=0x63ce8) at mail-cache-compress.c:489
#3 0xff2a3df4 in mail_cache_transaction_compress (ctx=0x5dac0) at mail-cache-transaction.c:180
#4 0xff2a4084 in mail_cache_transaction_open_if_needed (ctx=0x5dac0)
at mail-cache-transaction.c:241
#5 0xff2a6e60 in mail_cache_field_want_add (ctx=0x5dac0, seq=1, field_idx=12)
at mail-cache-transaction.c:1048
#6 0xff27e8e8 in index_mail_parse_header_register_all_wanted (mail=0x5e6b0)
at index-mail-headers.c:175
#7 0xff27ec90 in index_mail_parse_header_init (mail=0x5e6b0, headers=0x0)
at index-mail-headers.c:230
#8 0xff27f5c8 in index_mail_cache_parse_init (_mail=0x5e6b0, input=0x63760)
at index-mail-headers.c:376
#9 0xff2299cc in mbox_save_get_input_stream (ctx=0x5dde8, input=0x62ed0) at mbox-save.c:411
#10 0xff22a084 in mbox_save_begin (_ctx=0x5dde8, input=0x62ed0) at mbox-save.c:520
#11 0xff24e9c0 in mailbox_save_begin (ctx=0xffbff514, input=0x62ed0) at mail-storage.c:1652
#12 0xff23f138 in mail_storage_try_copy (_ctx=0xffbff514, mail=0x54cd8) at mail-copy.c:68
#13 0xff23f23c in mail_storage_copy (ctx=0x5dde8, mail=0x54cd8) at mail-copy.c:93
#14 0xff24ec28 in mailbox_copy (_ctx=0xffbff670, mail=0x54cd8) at mail-storage.c:1721
#15 0xff24ec98 in mailbox_save_using_mail (ctx=0xffbff670, mail=0x54cd8) at mail-storage.c:1730
#16 0xff388070 in mail_deliver_save (ctx=0xffbff8a8, mailbox=0x13fe8 "INBOX", flags=0,
keywords=0x0, storage_r=0xffbff83c) at mail-deliver.c:317
#17 0xff38869c in mail_deliver (ctx=0xffbff8a8, storage_r=0xffbff83c) at mail-deliver.c:403
#18 0x00012d08 in main (argc=3, argv=0xffbff964) at main.c:434
I dumped the value of field_hdr, and it has some bogus value
(gdb) p field_hdr
$1 = (const struct mail_cache_header_fields *) 0x20
Other observations
- blowing away the indices does not fix it permanantly. The
the LDA will eventually start crashing again.
- the problematic indices do not cause problems with 2.1.10.
Reverting to 2.1.10 restores proper mail delivery.
Is this enough debug info to work your magic, Timo? I can supply the cache data if you neded it. It's compiled on a Solaris10.
Joseph Tam <jtam.home@gmail.com>
On Thu, 2012-12-13 at 03:56 -0800, Joseph Tam wrote:
We uograded our dovecot from version 2.1.10 -> 2.10.12, but within the first hour of use, dovecot-lda would segfault during delivery. This left a lock file lying around causing the user's mail readers to hang; much hilarity ensues. All further deliveries to the same user will result in a crash.
The only thing that fixes this condition is to blow away the user's INBOX cache index. Reindexing with "doveadm index" does not fix anything.
I've installed a test version with one user's problematic INBOX cache indices and ran
gdb dovecot-lda (gdb) run -t testuser </dev/null
and it crashes with the following backtrace
Program received signal SIGSEGV, Segmentation fault. 0xff2a0440 in mail_cache_header_fields_read (cache=0x5c120) at mail-cache-fields.c:323 323 if (field_hdr->size < sizeof(*field_hdr) + .. (gdb) p field_hdr $1 = (const struct mail_cache_header_fields *) 0x20
So mail_cache_map() returned a broken pointer..
Is this enough debug info to work your magic, Timo? I can supply the cache data if you neded it. It's compiled on a Solaris10.
Can you still reproduce this in any way? I found two bugs, would be nice to know if they solve it:
http://hg.dovecot.org/dovecot-2.1/rev/2f848393f78e http://hg.dovecot.org/dovecot-2.1/rev/bded819417d9
participants (2)
-
Joseph Tam
-
Timo Sirainen