[Bug 284250] sysutils/bacula15-server: segfault on large backup job
Date: Wed, 22 Jan 2025 06:03:24 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284250

            Bug ID: 284250
           Summary: sysutils/bacula15-server: segfault on large backup job
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: dvl@FreeBSD.org
          Reporter: joerg@FreeBSD.org
             Flags: maintainer-feedback?(dvl@FreeBSD.org)

bacula-fd repeatedly crashes on backing up large jobs.

This is triggered by (e.g.) the following job description:

FileSet {
  Name = "Bhyve-W10"
  Include {
    Options {
      signature = SHA1
    }
    Plugin = "bpipe:/var/bacula/w10.fifo:/usr/local/sbin/send-zfs-snapshot zjail/bhyve/w10/disk0:/usr/local/sbin/bacula-restore-zvol zjail/bhyve/w10/disk0 %r '%w'"
  }
}

(which eventually performs a "zfs send" of a snapshot of a bhyve disk)

The crash appears to be caused by a double free:

root@uriah:/ # lldb /usr/local/sbin/bacula-fd
(lldb) target create "/usr/local/sbin/bacula-fd"
Current executable set to '/usr/local/sbin/bacula-fd' (x86_64).
(lldb) run -f -s
Process 57439 launched: '/usr/local/sbin/bacula-fd' (x86_64)
uriah.heep.sax.de-fd: ABORTING via segfault due to ERROR in smartall.c:201 in-use bit not set: double free from bsys.c:405
22-Jan 06:49 uriah.heep.sax.de-fd: ABORTING via segfault due to ERROR in smartall.c:201 in-use bit not set: double free from bsys.c:405
Process 57439 stopped
* thread #5, name = 'bacula-fd', stop reason = signal SIGSEGV: address not mapped to object (fault address: 0x8)
    frame #0: 0x00000008245c753e libbac-15.0.2.so`sm_free(char const*, int, void*) + 286
libbac-15.0.2.so`sm_free:
->  0x8245c753e <+286>: cmpq   %r12, 0x8(%rax)
    0x8245c7542 <+290>: je     0x8245c7586               ; <+358>
    0x8245c7544 <+292>: leaq   0x3252d(%rip), %rdi       ; mutex
    0x8245c754b <+299>: callq  0x8245f37d0               ; symbol stub for: lmgr_v(pthread_mutex**)
(lldb) bt
* thread #5, name = 'bacula-fd', stop reason = signal SIGSEGV: address not mapped to object (fault address: 0x8)
  * frame #0: 0x00000008245c753e libbac-15.0.2.so`sm_free(char const*, int, void*) + 286
    frame #1: 0x0000000831410fdd bpipe-fd.so`freePlugin(bpContext*) + 45
    frame #2: 0x00000000002254ca bacula-fd`free_plugins(JCR*) + 138
    frame #3: 0x0000000000230217 bacula-fd`filed_free_jcr(JCR*) + 215
    frame #4: 0x00000008245a0f2f libbac-15.0.2.so`b_free_jcr(char const*, int, JCR*) + 1039
    frame #5: 0x0000000000230d90 bacula-fd`handle_connection_request(void*) + 2720
    frame #6: 0x00000008245d23cc libbac-15.0.2.so`workq_server + 556
    frame #7: 0x00000008245db5f8 libbac-15.0.2.so`lmgr_thread_launcher + 88
    frame #8: 0x0000000824e039c5 libthr.so.3`thread_start(curthread=0x000000082da44500) at thr_create.c:289:16

The same job description did work in bacula 12.

-- 
You are receiving this mail because:
You are the assignee for the bug.
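
The log line in the report says the allocator found a block's in-use bit already cleared when the block was freed from bsys.c:405. The following C code is an added example, not Bacula's smartall.c and not code from the report: it shows that kind of check with a hypothetical header layout and hypothetical names (guard_alloc, guard_free, guard_drain). As this example's own choice, freed blocks are held in a quarantine list so that reading the header on a second free stays well defined.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical header kept in front of every user buffer. */
typedef union guard_hdr {
    struct {
        union guard_hdr *next; /* quarantine link, used after free */
        bool in_use;           /* set by alloc, cleared by free */
    } h;
    max_align_t align;         /* keeps the user buffer aligned */
} guard_hdr;

static guard_hdr *quarantine;  /* freed blocks whose headers stay readable */

void *guard_alloc(size_t n) {
    if (n > SIZE_MAX - sizeof(guard_hdr)) return NULL; /* size overflow */
    guard_hdr *b = malloc(sizeof *b + n);
    if (b == NULL) return NULL;
    b->h.next = NULL;
    b->h.in_use = true;
    return b + 1;              /* caller sees the memory after the header */
}

/* Returns 0 on success, -1 if the in-use bit is already clear (double free). */
int guard_free(void *p, const char *file, int line) {
    if (p == NULL) return 0;
    guard_hdr *b = (guard_hdr *)p - 1;
    if (!b->h.in_use) {
        fprintf(stderr, "in-use bit not set: double free from %s:%d\n", file, line);
        return -1;             /* name the caller; the heap is left untouched */
    }
    b->h.in_use = false;
    b->h.next = quarantine;    /* defer the real free() */
    quarantine = b;
    return 0;
}

/* Hands quarantined blocks back to free(); returns how many were released. */
size_t guard_drain(void) {
    size_t n = 0;
    for (guard_hdr *b; (b = quarantine) != NULL; n++) {
        quarantine = b->h.next;
        free(b);
    }
    return n;
}
```

Passing the call site (file and line) into the free routine is what lets the message name the second caller, as the bsys.c:405 reference in the report does.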