- Bug
- Resolution: Unresolved
- Normal
- rhel-8.10
- No
- Moderate
- rhel-sst-cs-plumbers
- ssg_core_services
- 3
- False
- Red Hat Enterprise Linux
What were you trying to do that didn't work?
A customer sees systemd-resolved crash from time to time when reading a hashmap.
This occurs when an event is received while the request has been completed already.
The RHEL8 code clearly states it's a bug in the code to have a caller access the query:
```c
static void dns_query_complete(DnsQuery *q, DnsTransactionState state) {
        assert(q);
        assert(!DNS_TRANSACTION_IS_LIVE(state));
        assert(DNS_TRANSACTION_IS_LIVE(q->state));

        /* Note that this call might invalidate the query. Callers
         * should hence not attempt to access the query or transaction
         * after calling this function. */

        q->state = state;

        dns_query_stop(q);
        if (q->complete)
                q->complete(q);
}
```
Using an ASAN build, I could find that this was exactly matching the following commit:
```
commit c856ef0457c35e9edfdbf085b69ec81c126d48e5
Author: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Date:   Fri May 14 10:49:24 2021 +0200

    resolved: fix braino with reference counting and linked lists

    In 0e0fd08fc832b8f42e567d722d388eba086da5ff I added reference counts to
    keep track of the DnsQueryCandidate objects. Unfortunately,
    dns_query_unref_candidates() was written as

        while (q->candidates)
                dns_query_candidate_unref(q->candidates);

    i.e. it would keep dropping the reference count as many times as needed
    for it to hit 0, making the patch less than fully effective.

    dns_query_unref_candidates() is renamed to dns_query_detach_candidates()
    and changed to drop exactly one reference from each of the linked
    candidates.

    [...]
```
I'm attaching the ASAN report.
What is the impact of this issue to you?
Crashes
Please provide the package NVR for which the bug is seen:
systemd-239-78.el8
How reproducible is this bug?:
Often on customer systems
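
The reference-counting mistake described in the quoted commit message, as an added example that is not part of the original report or of systemd's source. It is a simplified model: `Candidate`, `Query` and all function names are hypothetical, and a `freed` flag stands in for `free()`. It compares the quoted unref loop with a detach that drops exactly one reference per linked candidate, while a caller still holds its own reference.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model; all names are hypothetical, not systemd's own types. */
typedef struct Candidate {
    unsigned n_ref;
    bool freed;              /* stands in for free() so the result can be inspected */
    struct Query *query;     /* non-NULL while linked into query->candidates */
    struct Candidate *next;
} Candidate;
typedef struct Query { Candidate *candidates; } Query;

static void candidate_unlink(Candidate *c) {
    if (!c->query) return;
    Candidate **p = &c->query->candidates;
    while (*p && *p != c) p = &(*p)->next;
    if (*p) *p = c->next;
    c->query = NULL;
    c->next = NULL;
}

static void candidate_unref(Candidate *c) {
    if (--c->n_ref > 0) return;
    candidate_unlink(c);     /* last reference dropped: unlink, then "free" */
    c->freed = true;
}

/* Loop quoted in the commit message: the head is unreffed until it reaches 0. */
static void query_unref_candidates_buggy(Query *q) {
    while (q->candidates)
        candidate_unref(q->candidates);
}

/* What the commit message describes instead: one reference per linked candidate. */
static void query_detach_candidates(Query *q) {
    Candidate *c;
    while ((c = q->candidates)) {
        candidate_unlink(c);
        candidate_unref(c);
    }
}

/* A caller holds its own reference while the query's list is torn down. */
static bool candidate_survives_teardown(bool use_fixed) {
    Query q = { NULL };
    Candidate c = { .n_ref = 2, .query = &q };  /* list's ref + caller's ref */
    q.candidates = &c;
    (use_fixed ? query_detach_candidates : query_unref_candidates_buggy)(&q);
    return !c.freed && c.n_ref == 1;
}

int main(void) {
    printf("caller's reference still valid: buggy=%d fixed=%d\n",
           candidate_survives_teardown(false), candidate_survives_teardown(true));
    return 0;
}
```

With the loop variant the caller's reference is consumed along with the list's, so any later access through it is the kind of use-after-free an ASAN build reports.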