Can you try out the attached patch?

Aki

> On 03 February 2019 at 17:17 Marcel Menzel <m...@mcl.gg> wrote:
> 
> 
> All I did was
> 
>     - create a sqlite database with: # sqlite3 /tmp/storage.db (/run
> only to test for perm issues in other folders)
> 
>     - change its owner to mail (that's the user owning the mail files):
> # chown mail:mail /tmp/storage.db
> 
>     - point dovecot to the file in "dovecot-dict-sql.conf.ext" with
> "connect = /tmp/storage.db"
> 
>     - enable quota in "90-quota.conf" with "quota = dict:User
> quota::proxy::quota" in the plugin section (sample config file taken
> from sources)
> 
>     - change the dict section in dovecot.conf to:
> 
> dict {
>   quota = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
>   expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
> }
> 
> After this, a simple "doveadm quota recalc -u m...@mcl.gg" is enough to
> cause a dict crash.
> 
> 
> While tinkering with the config (and making a small mistake where I
> moved the file and dovecot complaining about
> 
> doveadm: Error: dict quota: Quota update failed: dict-server returned
> failure: sql dict: commit failed: out of memory (reply took 0.041 secs
> (0.001 in dict wait, 0.000 in other ioloops, 0.001 in locks, async-id
> reply 0.000 secs ago, started on dict-server 0.041 secs ago, took 0.000
> secs)) - Quota is now desynced
> 
> And reloading it afterwards, my log got filled with like 200 lines
> containing
> 
> dovecot[6213]: dict(6301): Warning: Event 0x67a90293830 leaked
> (parent=0x67a9027c890): driver-sqlite.c:173
> 
> - Marcel
> 
> On 03.02.2019 at 15:57 Aki Tuomi wrote:
> > Can you provide steps on how to reproduce this? Tracked as DOP-899
> >> On 03 February 2019 at 16:50 Aki Tuomi <aki.tu...@open-xchange.com> wrote:
> >>
> >>
> >> Right, it was already in 2.3.4. Looking more closely this looks like a
> >> use-after-free. We'll look into this.
> >>
> >> Aki
> >>
> >>> On 03 February 2019 at 16:44 Marcel Menzel <m...@mcl.gg> wrote:
> >>>
> >>>
> >>> Hello Aki,
> >>>
> >>> unfortunately, this patch is already in my source files, as patch
> >>> refuses to apply it:
> >>>
> >>> -> Applying patch fix-sqlite.patch
> >>> patching file src/lib-sql/driver-sqlite.c
> >>> Reversed (or previously applied) patch detected! Skipping patch.
> >>> 2 out of 2 hunks ignored -- saving rejects to file
> >>> src/lib-sql/driver-sqlite.c.rej
> >>>
> >>> I verified it by looking in the source code and indeed, this patch is
> >>> already applied.
> >>>
> >>> - Marcel
> >>>
> >>> On 03.02.2019 at 15:25 Aki Tuomi wrote:
> >>>
> >>> > Can you try if applying
> >>> >
> >>> > https://github.com/dovecot/core/commit/b291ff1fd61b47639a2db99bd858c9511945f4ab.patch
> >>> >
> >>> > helps?
> >>> >
> >>> > Aki
> >>> >
> >>> >> On 03 February 2019 at 16:20 Marcel Menzel <m...@mcl.gg> wrote:
> >>> >>
> >>> >>
> >>> >> Hello Aki,
> >>> >>
> >>> >> Arch Linux doesn't have installable debug symbols for Dovecot. That's
> >>> >> why I just compiled the package for myself with enabled debug symbols
> >>> >> (by editing the makepkg.conf).
> >>> >>
> >>> >> I've attached the output from gdb's bt full.
> >>> >>
> >>> >> - Marcel
> >>> >>
> >>> >> On 03.02.2019 at 14:45 Aki Tuomi wrote:
> >>> >>> You need to install debug symbols. Not sure how this is done in Arch
> >>> >>> Linux though.
> >>> >>> Aki
> >>> >> >> On 03 February 2019 at 15:02 Marcel Menzel <m...@mcl.gg> wrote:
> >>> >> >>
> >>> >> >> Hello John,
> >>> >> >>
> >>> >> >> I tried (until now) to get a valuable backtrace, but it seems that
> >>> >> >> GDB can't resolve all symbols.
> >>> >> >> This is what systemd-coredump is giving me:
> >>> >> >>
> >>> >> >> Stack trace of thread 22359:
> >>> >> >> #0 0x0000638167eaf062 event_unref (libdovecot.so.0)
> >>> >> >> #1 0x000004a58a212151 n/a (dict)
> >>> >> >> #2 0x000004a58a211333 n/a (dict)
> >>> >> >> #3 0x000004a58a20514d n/a (dict)
> >>> >> >> #4 0x0000638167e556f2 dict_transaction_begin (libdovecot.so.0)
> >>> >> >> #5 0x000004a58a203b06 n/a (dict)
> >>> >> >> #6 0x000004a58a2045ff dict_command_input (dict)
> >>> >> >> #7 0x000004a58a202a31 n/a (dict)
> >>> >> >> #8 0x000004a58a202b35 n/a (dict)
> >>> >> >> #9 0x0000638167eaacfd io_loop_call_io (libdovecot.so.0)
> >>> >> >> #10 0x0000638167eac635 io_loop_handler_run_internal (libdovecot.so.0)
> >>> >> >> #11 0x0000638167eaadc7 io_loop_handler_run (libdovecot.so.0)
> >>> >> >> #12 0x0000638167eaaf68 io_loop_run (libdovecot.so.0)
> >>> >> >> #13 0x0000638167e1b36a master_service_run (libdovecot.so.0)
> >>> >> >> #14 0x000004a58a202300 main (dict)
> >>> >> >> #15 0x0000638167a17223 __libc_start_main (libc.so.6)
> >>> >> >> #16 0x000004a58a2023fe _start (dict)
> >>> >> >>
> >>> >> >> GDB's "bt full" won't give anything more here, I might compile Dovecot
> >>> >> >> with debug symbols enabled as soon as I have a little more time:
> >>> >> >>
> >>> >> >> (gdb) bt full
> >>> >> >> #0 0x0000638167eaf062 in event_unref () from
> >>> >> >> /usr/lib/dovecot/libdovecot.so.0
> >>> >> >> No symbol table info available.
> >>> >> >> #1 0x000004a58a212151 in ?? ()
> >>> >> >> No symbol table info available.
> >>> >> >> #2 0x000004a58a211333 in ?? ()
> >>> >> >> No symbol table info available.
> >>> >> >> #3 0x000004a58a20514d in ?? ()
> >>> >> >> No symbol table info available.
> >>> >> >> #4 0x0000638167e556f2 in dict_transaction_begin () from
> >>> >> >> /usr/lib/dovecot/libdovecot.so.0
> >>> >> >> No symbol table info available.
> >>> >> >> #5 0x000004a58a203b06 in ?? ()
> >>> >> >> No symbol table info available.
> >>> >> >> #6 0x000004a58a2045ff in dict_command_input ()
> >>> >> >> No symbol table info available.
> >>> >> >> #7 0x000004a58a202a31 in ?? ()
> >>> >> >> No symbol table info available.
> >>> >> >> #8 0x000004a58a202b35 in ?? ()
> >>> >> >> No symbol table info available.
> >>> >> >> #9 0x0000638167eaacfd in io_loop_call_io () from
> >>> >> >> /usr/lib/dovecot/libdovecot.so.0
> >>> >> >> No symbol table info available.
> >>> >> >> #10 0x0000638167eac635 in io_loop_handler_run_internal () from
> >>> >> >> /usr/lib/dovecot/libdovecot.so.0
> >>> >> >> No symbol table info available.
> >>> >> >> #11 0x0000638167eaadc7 in io_loop_handler_run () from
> >>> >> >> /usr/lib/dovecot/libdovecot.so.0
> >>> >> >> No symbol table info available.
> >>> >> >> #12 0x0000638167eaaf68 in io_loop_run () from
> >>> >> >> /usr/lib/dovecot/libdovecot.so.0
> >>> >> >> No symbol table info available.
> >>> >> >> #13 0x0000638167e1b36a in master_service_run () from
> >>> >> >> /usr/lib/dovecot/libdovecot.so.0
> >>> >> >> No symbol table info available.
> >>> >> >> #14 0x000004a58a202300 in main ()
> >>> >> >> No symbol table info available.
> >>> >> >>
> >>> >> >> - Marcel
> >>> >> >>
> >>> >> >> On 03.02.2019 at 09:08 John Fawcett wrote:
> >>> >> >>> On 01/02/2019 20:40, Marcel Menzel wrote:
> >>> >> >> >> Hello,
> >>> >> >> >>
> >>> >> >> >> After I configured a SQLite backed dict quota backend, the dict
> >>> >> >> >> process crashes every time a quota operation is happening.
> >>> >> >> >>
> >>> >> >> >> SQLite: 3.26.0
> >>> >> >> >>
> >>> >> >> >> Dovecot: 2.3.4 (0ecbaf23d)
> >>> >> >> >>
> >>> >> >> >> Linux: 4.20.4.a-1-hardened #1 SMP PREEMPT Fri Jan 25 01:24:51 CET 2019
> >>> >> >> >> x86_64 GNU/Linux (Arch Linux)
> >>> >> >> >>
> >>> >> >> >> Filesystem: BTRFS
> >>> >> >> >>
> >>> >> >> >>
> >>> >> >> >> I can't get any debug output from Dovecot, even after setting
> >>> >> >> >> log_debug = cat:* event:* source:* field:*=*
> >>> >> >> >>
> >>> >> >> >> dovecot[6457]: dict(6687): Debug: sqlite: Finished query 'BEGIN
> >>> >> >> >> TRANSACTION' in 0 msecs
> >>> >> >> >> dovecot[6457]: dict(6687): Fatal: master: service(dict): child 6687
> >>> >> >> >> killed with signal 11 (core dumped)
> >>> >> >> >>
> >>> >> >> >>
> >>> >> >> >> I've attached the output of dovecot -n and the coredump file from
> >>> >> >> >> systemd-coredump.
> >>> >> >> >>
> >>> >> >> >>
> >>> >> >> >> Kind regards,
> >>> >> >> >>
> >>> >> >> >> Marcel Menzel
> >>> >> >> >>
> >>> >> >>> Any chance of posting a backtrace?
> >>> >> >>> John
> >>> >>> ---
> >>> >>> Aki Tuomi

From 0a06060ee2b27d1554d08d760334d1f2e0f56bce Mon Sep 17 00:00:00 2001
From: Aki Tuomi <aki.tu...@open-xchange.com>
Date: Sun, 3 Feb 2019 20:03:39 +0200
Subject: [PATCH] lib-sql: driver-sqlite - Fix crash caused by wrong variable

Should be using result.event, instead of event.

Fixes signal 11 crash

reported by Marcel Menzel
---
 src/lib-sql/driver-sqlite.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/lib-sql/driver-sqlite.c b/src/lib-sql/driver-sqlite.c
index 30fb575e9..6b378927f 100644
--- a/src/lib-sql/driver-sqlite.c
+++ b/src/lib-sql/driver-sqlite.c
@@ -166,7 +166,6 @@ static void driver_sqlite_exec(struct sql_db *_db, const char *query)
 {
 	struct sqlite_db *db = (struct sqlite_db *)_db;
 	struct sql_result result;
-	struct event *event;
 
 	i_zero(&result);
 	result.db = _db;
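Review bot: dropping the local `struct event *event;` is the right fix and it also pins down the root cause as an uninitialized read rather than the use-after-free suspected earlier in the thread: nothing in this function's shown context ever assigns `event`, so the `event_unref(&event)` replaced in the next hunk dereferenced an indeterminate stack pointer, which matches frame #0 `event_unref` below `dict_transaction_begin` in the reported backtrace. Worth recording in the commit message that `-Wuninitialized`/`-Wmaybe-uninitialized` typically stay silent for this pattern because the variable's address is passed to a callee; valgrind or MemorySanitizer on a test that drives `driver_sqlite_exec()` would have flagged the read, so a regression test for the sqlite exec path would be a useful follow-up.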
@@ -183,7 +182,7 @@ static void driver_sqlite_exec(struct sql_db *_db, const char *query)
 	db->rc = sqlite3_exec(db->sqlite, query, NULL, NULL, NULL);
 	driver_sqlite_result_log(&result, query);
 
-	event_unref(&event);
+	event_unref(&result.event);
 }
 
 static void driver_sqlite_query(struct sql_db *db, const char *query,
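Review bot: `event_unref(&result.event)` now releases the event owned by the same `result` that `driver_sqlite_result_log(&result, query)` consumed two lines above, so the unref finally targets the object that actually holds the reference. One thing to confirm outside this diff: `i_zero(&result)` in the first hunk leaves `result.event` NULL until the elided lines 170-182 set it, so every path reaching this unref must either have set it or rely on `event_unref()` accepting a NULL pointer. Nit: the commit body's "Fixes signal 11 crash" would be more searchable if it quoted the symptom from the report, a SIGSEGV in `event_unref` in the dict process right after the 'BEGIN TRANSACTION' query.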
-- 
2.11.0
