Hello everyone,
We discovered an issue in the error handling branch of
dns_cache_create(). The cleanup branch of this function directly calls
cache_free() which asserts because neither cache->references, nor
cache->live_tasks is zero.
This is an example backtrace:
named[22736]: cache.c:265: REQUIRE(isc_refcount_current(&cache->references) ==
0) failed, back trace
named[22736]: /opt/bind/lib/libisc-9.18.37.so(isc_backtrace+0x1b)
[0x7f83bba3fa9b]
named[22736]: ./named(+0x73321) [0x5644ce0c8321]
named[22736]: /opt/bind/lib/libisc-9.18.37.so(isc_assertion_failed+0x10)
[0x7f83bba3f220]
named[22736]: /opt/bind/lib/libdns-9.18.37.so(+0xfafb5) [0x7f83bb45bfb5]
named[22736]: /opt/bind/lib/libdns-9.18.37.so(dns_cache_create+0x40c)
[0x7f83bb45d42c]
named[22736]: ./named(+0xa8b86) [0x5644ce0fdb86]
named[22736]: ./named(+0xd50af) [0x5644ce12a0af]
named[22736]: ./named(+0xd750b) [0x5644ce12c50b]
named[22736]: /opt/bind/lib/libisc-9.18.37.so(isc_task_run+0x40b)
[0x7f83bba8a24b]
named[22736]: /opt/bind/lib/libisc-9.18.37.so(+0x587bc) [0x7f83bb9ff7bc]
named[22736]: /opt/bind/lib/libisc-9.18.37.so(+0x6a719) [0x7f83bba11719]
named[22736]: /opt/bind/lib/libisc-9.18.37.so(+0x6b675) [0x7f83bba12675]
named[22736]: /opt/bind/lib/libisc-9.18.37.so(+0x6c8fb) [0x7f83bba138fb]
named[22736]: /usr/lib64/libuv.so.1(+0x122b3) [0x7f83ba7cf2b3]
named[22736]: /usr/lib64/libuv.so.1(+0x26d57) [0x7f83ba7e3d57]
named[22736]: /usr/lib64/libuv.so.1(uv_run+0xc6) [0x7f83ba7d0146]
named[22736]: /opt/bind/lib/libisc-9.18.37.so(+0x6bb84) [0x7f83bba12b84]
named[22736]: /opt/bind/lib/libisc-9.18.37.so(isc__trampoline_run+0x44)
[0x7f83bba9d584]
named[22736]: /usr/lib/gcc/x86_64-pc-linux-gnu/14/libasan.so.8(+0x5b3aa)
[0x7f83bbb9b3aa]
named[22736]: /usr/lib64/libc.so.6(+0x91873) [0x7f83ba4b2873]
named[22736]: /usr/lib64/libc.so.6(+0x11090c) [0x7f83ba53190c]
This issue was discovered in an automated test case that managed to
send a SIGTERM to named shortly after startup when it was still
initialising, causing functions in dns_cache_create() to return
ISC_R_SHUTTINGDOWN.
I believe the issue was introduced in commit
26ad166a05a5f791fc66b4f5039a31bc59d0d6ab when this function was
reworked.
I wrote a small patch, although I am no expert in the bind code base,
that seemingly fixes the issue for us by using dns_cache_detach(), see
attachment. I have tested the patch on 9.18.37 by placing
kill(getpid(), SIGTERM) in various locations in the function to
provoke the issue.
Hope this can be helpful for anyone else encountering this issue!
Best regards,
Andreas Kempe
From 061c893395c9e4787b12de461778902675c9b6d2 Mon Sep 17 00:00:00 2001
From: Andreas Kempe <andreas.ke...@actia.se>
Date: Wed, 9 Jul 2025 17:39:07 +0200
Subject: [PATCH] lib: dns: cache: fix cleanup in dns_cache_create
Fix the cleanup branch of dns_cache_create. The code would crash with an
assertion error in cache_free because of cache->references and
cache->live_tasks not being zero.
Use dns_cache_detach instead of calling cache_free directly and also add
an extra NULL pointer check in cache_free to allow cache->tmctx to not
be initialised.
---
lib/dns/cache.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/lib/dns/cache.c b/lib/dns/cache.c
index c3532b6..2fb39f0 100644
--- a/lib/dns/cache.c
+++ b/lib/dns/cache.c
@@ -263,7 +263,9 @@ cache_free(dns_cache_t *cache) {
isc_refcount_destroy(&cache->references);
isc_refcount_destroy(&cache->live_tasks);
- isc_mem_clearwater(cache->tmctx);
+ if (cache->tmctx != NULL) {
+ isc_mem_clearwater(cache->tmctx);
+ }
if (cache->cleaner.task != NULL) {
isc_task_detach(&cache->cleaner.task);
@@ -431,7 +433,7 @@ dns_cache_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
return ISC_R_SUCCESS;
cleanup:
- cache_free(cache);
+ dns_cache_detach(&cache);
return result;
}
--
2.49.0
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
