Bug 2128857

Summary: If mailbox opening fails, the backend mailbox is leaked and process crashes when client disconnects
Product: Red Hat Enterprise Linux 8 Reporter: jcalhoun
Component: dovecotAssignee: Michal Hlavinka <mhlavink>
Status: CLOSED MIGRATED QA Contact: Evgeny Fedin <efedin>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 8.7CC: efedin, mhlavink
Target Milestone: rcKeywords: MigratedToJIRA, Patch, Triaged
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: dovecot-2.3.16-4.el8 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
: 2231408 (view as bug list) Environment:
Last Closed: 2023-08-22 13:11:31 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2231408    

Description jcalhoun 2022-09-21 17:19:43 UTC 
Description of problem:

A customer is hitting an issue with the dovecot lmtp process when sieve rules fail. For example, when a user sets an invalid forward address (in forward sieve rule), the message gets rejected when forwarded (as expected) - but the rejection causes the dovecot lmtp process to crash. After some time, probably when multiple such lmtp crashes occur, the whole lmtp process stops working temporarily.

Version-Release number of selected component (if applicable):

  Red Hat Enterprise Linux release 8.6 (Ootpa)

  dovecot-2.3.16-2.el8.x86_64
  dovecot-mysql-2.3.16-2.el8.x86_64
  dovecot-pigeonhole-2.3.16-2.el8.x86_64

How reproducible:

Always. This cycle repeats multiple times a day.

Steps to Reproduce:
1. Set invalid forward address on a message to be processed by sieve rule.
2. Repeat until dovecot lmtp process fails with a panic.

Actual results:

Aug 31 12:40:40 server dovecot[932770]: lmtp(987026): Panic: file mail-user.c: line 229 (mail_user_deinit): assertion failed: ((*user)->refcount == 1)
Aug 31 12:40:40 server dovecot[932770]: lmtp(987026): Error: Raw backtrace: /usr/lib64/dovecot/libdovecot.so.0(backtrace_append+0x41) [0x7f2438ea2e11] -> /usr/lib64/dovecot/libdovecot.so.0(backtrace_get+0x22) [0x7f2438ea2f32] -> /usr/lib64/dovecot/libdovecot.so.0(+0x10914b) [0x7f2438eb014b] -> /usr/lib64/dovecot/libdovecot.so.0(+0x1091e7) [0x7f2438eb01e7] -> /usr/lib64/dovecot/libdovecot.so.0(+0x5c146) [0x7f2438e03146] -> /usr/lib64/dovecot/libdovecot-storage.so.0(+0x475dd) [0x7f24391bf5dd] -> dovecot/lmtp [193.2.0.184 DATA](lmtp_local_data+0x3ed) [0x5623bac2aa2d] -> dovecot/lmtp [193.2.0.184 DATA](client_default_cmd_data+0x190) [0x5623bac29560] -> dovecot/lmtp [193.2.0.184 DATA](cmd_data_continue+0x1f5) [0x5623bac29335] -> /usr/lib64/dovecot/libdovecot.so.0(+0x7b0d4) [0x7f2438e220d4] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_call_io+0x6d) [0x7f2438ec699d] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run_internal+0x135) [0x7f2438ec8025] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run+0x50) [0x7f2438ec6a40] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_run+0x40) [0x7f2438ec6bc0] -> /usr/lib64/dovecot/libdovecot.so.0(master_service_run+0x17) [0x7f2438e38387] -> dovecot/lmtp [193.2.0.184 DATA](main+0x230) [0x5623bac27ef0] -> /lib64/libc.so.6(__libc_start_main+0xf3) [0x7f2438a1ccf3] -> dovecot/lmtp [193.2.0.184 DATA](_start+0x2e) [0x5623bac27ffe]

Expected results:

The lmtp process does not crash from expected sieve rule failures or other mailbox opening failures.

Additional info:

Issue is similar to that discussed on the following upstream mailing list. Each manifests in different ways, but the end result of the lmtp process crashing is the same:

  Panic/Fatal error in lmtp when quota is full
  https://www.mail-archive.com/dovecot@dovecot.org/msg84543.html

This has been fixed in upstream dovecot v2.3.18:

- virtual: If mailbox opening fails, the backend mailbox is leaked and
	  process crashes when client disconnects. Fixes
	  Panic: file mail-user.c: line 232 (mail_user_deinit):
	  assertion failed: ((*user)->refcount == 1)

  https://dovecot.org/doc/NEWS

The system has had the following updated upstream packages installed and the issue is no longer present:

  dovecot-2.3.19.1-2.x86_64
  dovecot-mysql-2.3.19.1-2.x86_64
  dovecot-pigeonhole-2.3.19.1-2.x86_64
Comment 8 RHEL Program Management 2023-08-22 13:06:27 UTC 
Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.
Comment 9 RHEL Program Management 2023-08-22 13:11:31 UTC 
This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there.

To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "RHEL-" followed by an integer.  You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like:

"Bugzilla Bug" = 1234567

In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues.