Issue 8012 - SIGSEGV while disconnect/abandon
Summary: SIGSEGV while disconnect/abandon
Status: VERIFIED FIXED
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: slapd (show other issues)
Version: unspecified
Hardware: All All
: --- normal
Target Milestone: ---
Assignee: OpenLDAP project
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-12-29 08:17 UTC by Leonid Yuriev
Modified: 2015-07-02 17:46 UTC (History)
0 users

See Also:


Attachments
its8012.patch (1.74 KB, patch)
2014-12-29 10:50 UTC, Leonid Yuriev
its8012.patch (3.10 KB, patch)
2014-12-29 12:10 UTC, Leonid Yuriev

Description Leonid Yuriev 2014-12-29 08:17:57 UTC
Full_Name: Leonid Yuriev
Version: 2.4-HEAD
OS: Ubuntu 14.10
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (31.130.36.33)


With the following additions to main():
+       mallopt(M_CHECK_ACTION, 7);
+       mallopt(M_PERTURB, 111);

Core was generated by `/opt/openldap.devel/libexec/slapd -l LOCAL5 -d 32768 -s 0
-4 -h ldap://10.4.0.1'.
Program terminated with signal 11, Segmentation fault.
#0  0x000000000051025d in syncprov_op_abandon (op=0x7f14efffe970,
rs=0x7f14efffe7b0) at syncprov.c:1134
1134			if ( so->s_op->o_connid == op->o_connid &&
(gdb) bt
#0  0x000000000051025d in syncprov_op_abandon (op=0x7f14efffe970,
rs=0x7f14efffe7b0) at syncprov.c:1134
#1  0x000000000048ae3a in overlay_op_walk (op=op@entry=0x7f14efffe970,
rs=0x7f14efffe7b0, which=op_abandon, oi=0x23b3030, on=0x23b3210) at
backover.c:661
#2  0x000000000048afd1 in over_op_func (op=0x7f14efffe970, rs=<optimised
out>, which=<optimised out>) at backover.c:730
#3  0x0000000000442ea7 in fe_op_abandon (op=0x7f14efffe970, rs=0x7f14efffe7b0)
at abandon.c:136
#4  0x0000000000422d3c in connection_abandon (c=c@entry=0x7f15178fe390) at
connection.c:747
#5  0x0000000000424a09 in connection_closing (c=0x7f15178fe390, why=0x538d20
<conn_lost_str> "connection lost") at connection.c:820
#6  0x00000000004255ef in connection_read (cri=<optimised out>,
s=<optimised out>) at connection.c:1476
#7  connection_read_thread (ctx=0x7f14efffebd0, argv=0x12a) at
connection.c:1284
#8  0x00007f1517613cf2 in ldap_int_thread_pool_wrapper (xpool=0x233d090) at
tpool.c:688
#9  0x00007f1516c930a5 in start_thread () from
/lib/x86_64-linux-gnu/libpthread.so.0

A core dump is available and additional info can be provided.
Comment 1 Leonid Yuriev 2014-12-29 08:47:25 UTC
(gdb) info local
on = <optimised out>
si = 0x23b33f0
so = 0x7f14b444cd30
soprev = 0x7f14e02dc9b0

(gdb) p *so->s_op->o_hdr
Cannot access memory at address 0x3932323134313032

(gdb) p *si
$1 = {si_ops = 0x7f14e949ed60, si_contextdn = {bv_len = 7, bv_val = 
0x2389e10 "dc=ldap"}, si_ctxcsn = 0x2640e60, si_sids = 0x243a6c0, 
si_numcsns = 4, si_chkops = 1, si_chktime = 60, si_numops = 0,
   si_nopres = 0, si_usehint = 1, si_active = 2, si_dirty = 0, 
si_chklast = 1419822205, si_mods = 0x7f14bcead650, si_logs = 0x0, 
si_csn_rwlock = {__data = {__lock = 0, __nr_readers = 0,
       __readers_wakeup = 5312, __writer_wakeup = 9078, 
__nr_readers_queued = 0, __nr_writers_queued = 0, __writer = 0, __shared 
= 0, __pad1 = 0, __pad2 = 0, __flags = 0},
     __size = "\000\000\000\000\000\000\000\000\300\024\000\000v#", 
'\000' <repeats 41 times>, __align = 0}, si_ops_mutex = {__data = 
{__lock = 1, __count = 0, __owner = 30051, __nusers = 1, __kind = 0,
       __spins = 0, __elision = 0, __list = {__prev = 0x0, __next = 
0x0}}, __size = "\001\000\000\000\000\000\000\000cu\000\000\001", '\000' 
<repeats 26 times>, __align = 1}, si_mods_mutex = {__data = {
       __lock = 0, __count = 0, __owner = 0, __nusers = 0, __kind = 0, 
__spins = 0, __elision = 0, __list = {__prev = 0x0, __next = 0x0}}, 
__size = '\000' <repeats 39 times>, __align = 0},
   si_resp_mutex = {__data = {__lock = 0, __count = 0, __owner = 0, 
__nusers = 0, __kind = 0, __spins = 0, __elision = 0, __list = {__prev = 
0x0, __next = 0x0}}, __size = '\000' <repeats 39 times>,
     __align = 0}}

(gdb) p *so
$2 = {s_next = 0x0, s_base = {bv_len = 15, bv_val = 0x7f14b4964180 
"dc=ngdr,dc=ldap"}, s_eid = 4, s_op = 0x7f14b0a12d30, s_rid = 4, s_sid = 
1, s_filterstr = {bv_len = 15,
     bv_val = 0x7f14b4000b18 "\300\f"}, s_flags = 17, s_inuse = 1, s_res 
= 0x7f14d19ff780, s_restail = 0x7f14c818b090, s_mutex = {__data = 
{__lock = 0, __count = 0, __owner = 0, __nusers = 0, __kind = 0,
       __spins = 0, __elision = 0, __list = {__prev = 0x0, __next = 
0x0}}, __size = '\000' <repeats 39 times>, __align = 0}}

(gdb) p *so->s_op
$3 = {o_hdr = 0x3932323134313032, o_tag = 25385731496096560, o_time = 
8029759185026510703, o_tincr = 37, o_bd = 0x3932323134313032, o_req_dn = 
{bv_len = 25385731496096560,
     bv_val = 0x20 <Address 0x20 out of bounds>}, o_req_ndn = {bv_len = 
37, bv_val = 0x7061646c3d6364 <Address 0x7061646c3d6364 out of bounds>}, 
o_request = {oq_add = {rs_modlist = 0x6f6f6f6f6f6f6f6f,
       rs_e = 0x6f6f6f6f6f6f6f6f}, oq_bind = {rb_method = 1869573999, 
rb_cred = {bv_len = 8029759185026510703, bv_val = 0x25 <Address 0x25 out 
of bounds>}, rb_edn = {bv_len = 4121411795907850290,
         bv_val = 0x5a303034303330 <Address 0x5a303034303330 out of 
bounds>}, rb_ssf = 32, rb_mech = {bv_len = 53, bv_val = 0x6 <Address 0x6 
out of bounds>}}, oq_compare = {rs_ava = 0x6f6f6f6f6f6f6f6f},
     oq_modify = {rs_mods = {rs_modlist = 0x6f6f6f6f6f6f6f6f, 
rs_no_opattrs = 111 'o'}, rs_increment = 37}, oq_modrdn = {rs_mods = 
{rs_modlist = 0x6f6f6f6f6f6f6f6f, rs_no_opattrs = 111 'o'},
       rs_deleteoldrdn = 37, rs_newrdn = {bv_len = 4121411795907850290, 
bv_val = 0x5a303034303330 <Address 0x5a303034303330 out of bounds>}, 
rs_nnewrdn = {bv_len = 32,
         bv_val = 0x35 <Address 0x35 out of bounds>}, rs_newSup = 0x6, 
rs_nnewSup = 0x7f14b01bc820}, oq_search = {rs_scope = 1869573999, 
rs_deref = 1869573999, rs_slimit = 1869573999,
       rs_tlimit = 1869573999, rs_limit = 0x25, rs_attrsonly = 
875638834, rs_attrs = 0x5a303034303330, rs_filter = 0x20, rs_filterstr = 
{bv_len = 53, bv_val = 0x6 <Address 0x6 out of bounds>}},
     oq_abandon = {rs_msgid = 1869573999}, oq_cancel = {rs_msgid = 
1869573999}, oq_extended = {rs_reqoid = {bv_len = 8029759185026510703,
         bv_val = 0x6f6f6f6f6f6f6f6f <Address 0x6f6f6f6f6f6f6f6f out of 
bounds>}, rs_flags = 37, rs_reqdata = 0x3932323134313032}, oq_pwdexop = 
{rs_extended = {rs_reqoid = {bv_len = 8029759185026510703,
           bv_val = 0x6f6f6f6f6f6f6f6f <Address 0x6f6f6f6f6f6f6f6f out 
of bounds>}, rs_flags = 37, rs_reqdata = 0x3932323134313032}, rs_old = 
{bv_len = 25385731496096560,
         bv_val = 0x20 <Address 0x20 out of bounds>}, rs_new = {bv_len = 
53, bv_val = 0x6 <Address 0x6 out of bounds>}, rs_mods = 0x7f14b01bc820, 
rs_modtail = 0x0}}, o_abandon = 0, o_cancel = 0,
   o_groups = 0x6f6f6f6f6f6f6f6f, o_do_not_cache = 53 '5', 
o_is_auth_check = 0 '\000', o_dont_replicate = 0 '\000', o_acl_priv = 
ACL_NONE, o_nocaching = 36 '$', o_delete_glue_parent = 0 '\000',
   o_no_schema_check = 0 '\000', o_no_subordinate_glue = 0 '\000', 
o_ctrlflag = "\000\000\000\000г\033\260\024\177", '\000' <repeats 18 
times>, "oooo", o_controls = 0x25, o_authz = {
     sai_method = 3751589900465327636, sai_mech = {bv_len = 
1617057180469906565, bv_val = 0x0}, sai_dn = {bv_len = 53, bv_val = 0xf 
<Address 0xf out of bounds>}, sai_ndn = {bv_len = 139726839426656,
       bv_val = 0x0}, sai_ssf = 0, sai_transport_ssf = 0, sai_tls_ssf = 
48, sai_sasl_ssf = 0}, o_ber = 0x25, o_res_ber = 0x3932323134313032, 
o_callback = 0x5a303034303330, o_ctrls = 0x6f6f6f6f6f007972,
   o_csn = {bv_len = 37, bv_val = 0x3932323134313032 <Address 
0x3932323134313032 out of bounds>}, o_private = 0x5a303034303330, 
o_extra = {slh_first = 0x7972}, o_next = {stqe_next = 0x35}}

(gdb) p *op
$4 = {o_hdr = 0x7f14efffe820, o_tag = 80, o_time = 0, o_tincr = 0, o_bd 
= 0x7f14efffe5d0, o_req_dn = {bv_len = 0, bv_val = 0x0}, o_req_ndn = 
{bv_len = 0, bv_val = 0x0}, o_request = {oq_add = {
       rs_modlist = 0x3, rs_e = 0x0}, oq_bind = {rb_method = 3, rb_cred 
= {bv_len = 0, bv_val = 0x0}, rb_edn = {bv_len = 0, bv_val = 0x0}, 
rb_ssf = 0, rb_mech = {bv_len = 0, bv_val = 0x0}}, oq_compare = {
       rs_ava = 0x3}, oq_modify = {rs_mods = {rs_modlist = 0x3, 
rs_no_opattrs = 0 '\000'}, rs_increment = 0}, oq_modrdn = {rs_mods = 
{rs_modlist = 0x3, rs_no_opattrs = 0 '\000'}, rs_deleteoldrdn = 0,
       rs_newrdn = {bv_len = 0, bv_val = 0x0}, rs_nnewrdn = {bv_len = 0, 
bv_val = 0x0}, rs_newSup = 0x0, rs_nnewSup = 0x0}, oq_search = {rs_scope 
= 3, rs_deref = 0, rs_slimit = 0, rs_tlimit = 0,
       rs_limit = 0x0, rs_attrsonly = 0, rs_attrs = 0x0, rs_filter = 
0x0, rs_filterstr = {bv_len = 0, bv_val = 0x0}}, oq_abandon = {rs_msgid 
= 3}, oq_cancel = {rs_msgid = 3}, oq_extended = {rs_reqoid = {
         bv_len = 3, bv_val = 0x0}, rs_flags = 0, rs_reqdata = 0x0}, 
oq_pwdexop = {rs_extended = {rs_reqoid = {bv_len = 3, bv_val = 0x0}, 
rs_flags = 0, rs_reqdata = 0x0}, rs_old = {bv_len = 0,
         bv_val = 0x0}, rs_new = {bv_len = 0, bv_val = 0x0}, rs_mods = 
0x0, rs_modtail = 0x0}}, o_abandon = 0, o_cancel = 0, o_groups = 0x0, 
o_do_not_cache = 0 '\000', o_is_auth_check = 0 '\000',
   o_dont_replicate = 0 '\000', o_acl_priv = ACL_NONE, o_nocaching = 0 
'\000', o_delete_glue_parent = 0 '\000', o_no_schema_check = 0 '\000', 
o_no_subordinate_glue = 0 '\000',
   o_ctrlflag = '\000' <repeats 31 times>, o_controls = 0x0, o_authz = 
{sai_method = 0, sai_mech = {bv_len = 0, bv_val = 0x0}, sai_dn = {bv_len 
= 0, bv_val = 0x0}, sai_ndn = {bv_len = 0, bv_val = 0x0},
     sai_ssf = 0, sai_transport_ssf = 0, sai_tls_ssf = 0, sai_sasl_ssf = 
0}, o_ber = 0x0, o_res_ber = 0x0, o_callback = 0x7f14efffe5a0, o_ctrls = 
0x0, o_csn = {bv_len = 0, bv_val = 0x0}, o_private = 0x0,
   o_extra = {slh_first = 0x0}, o_next = {stqe_next = 0x0}}

(gdb) p *soprev
$5 = {s_next = 0x7f14b444cd30, s_base = {bv_len = 15, bv_val = 
0x7f14e063fb20 "dc=ngdr,dc=ldap"}, s_eid = 4, s_op = 0x7f14e0260c70, 
s_rid = 4, s_sid = 2, s_filterstr = {bv_len = 15,
     bv_val = 0x7f14e0000b18 "\300\f"}, s_flags = 2, s_inuse = 1, s_res 
= 0x0, s_restail = 0x0, s_mutex = {__data = {__lock = 0, __count = 0, 
__owner = 0, __nusers = 0, __kind = 0, __spins = 0,
       __elision = 0, __list = {__prev = 0x0, __next = 0x0}}, __size = 
'\000' <repeats 39 times>, __align = 0}}

(gdb) p op->o_hdr
$6 = (Opheader *) 0x7f14efffe820
(gdb) p *op->o_hdr
$7 = {oh_opid = 0, oh_connid = 15472, oh_conn = 0x7f15178fe390, oh_msgid 
= 0, oh_protocol = 0, oh_tid = 0, oh_threadctx = 0x0, oh_tmpmemctx = 
0x0, oh_tmpmfuncs = 0x0, oh_counters = 0x0,
   oh_log_prefix = '\000' <repeats 255 times>}

(gdb) p *op->o_hdr->oh_conn
$8 = {c_struct_state = SLAP_C_USED, c_conn_state = SLAP_C_CLOSING, 
c_conn_idx = 298, c_sd = 298, c_close_reason = 0x538d20 <conn_lost_str> 
"connection lost", c_mutex = {__data = {__lock = 1, __count = 0,
       __owner = 30051, __nusers = 1, __kind = 0, __spins = 0, __elision 
= 0, __list = {__prev = 0x0, __next = 0x0}}, __size = 
"\001\000\000\000\000\000\000\000cu\000\000\001", '\000' <repeats 26 
times>,
     __align = 1}, c_sb = 0x7f14d43369e0, c_starttime = 1419822255, 
c_activitytime = 1419822255, c_connid = 15472, c_peer_domain = {bv_len = 
7, bv_val = 0x7f14d495fdc0 "unknown"}, c_peer_name = {
     bv_len = 18, bv_val = 0x7f14d495be10 "IP=127.0.0.1:52784"}, 
c_listener = 0x231d210, c_sasl_bind_mech = {bv_len = 0, bv_val = 0x0}, 
c_sasl_dn = {bv_len = 0, bv_val = 0x0}, c_sasl_authz_dn = {
     bv_len = 0, bv_val = 0x0}, c_authz_backend = 0x2388eb0, 
c_authz_cookie = 0x0, c_authz = {sai_method = 128, sai_mech = {bv_len = 
0, bv_val = 0x0}, sai_dn = {bv_len = 7,
       bv_val = 0x7f14a8adeef0 "dc=ldap"}, sai_ndn = {bv_len = 7, bv_val 
= 0x7f14a8c3e860 "dc=ldap"}, sai_ssf = 0, sai_transport_ssf = 0, 
sai_tls_ssf = 0, sai_sasl_ssf = 0}, c_protocol = 3, c_ops = {
     stqh_first = 0x7f14c13dfa50, stqh_last = 0x7f14c13dfbb8}, 
c_pending_ops = {stqh_first = 0x0, stqh_last = 0x7f15178fe4b8}, 
c_write1_mutex = {__data = {__lock = 0, __count = 0, __owner = 0,
       __nusers = 0, __kind = 0, __spins = 0, __elision = 0, __list = 
{__prev = 0x0, __next = 0x0}}, __size = '\000' <repeats 39 times>, 
__align = 0}, c_write1_cv = {__data = {__lock = 0, __futex = 0,
       __total_seq = 0, __wakeup_seq = 0, __woken_seq = 0, __mutex = 
0x0, __nwaiters = 0, __broadcast_seq = 0}, __size = '\000' <repeats 47 
times>, __align = 0}, c_write2_mutex = {__data = {__lock = 0,
       __count = 0, __owner = 0, __nusers = 0, __kind = 0, __spins = 0, 
__elision = 0, __list = {__prev = 0x0, __next = 0x0}}, __size = '\000' 
<repeats 39 times>, __align = 0}, c_write2_cv = {__data = {
       __lock = 0, __futex = 0, __total_seq = 0, __wakeup_seq = 0, 
__woken_seq = 0, __mutex = 0x0, __nwaiters = 0, __broadcast_seq = 0}, 
__size = '\000' <repeats 47 times>, __align = 0},
   c_currentber = 0x0, c_writers = 0, c_writing = 0 '\000', 
c_sasl_bind_in_progress = 0 '\000', c_writewaiter = 0 '\000', c_is_tls = 
0 '\000', c_needs_tls_accept = 0 '\000', c_sasl_layers = 0 '\000',
   c_sasl_done = 0 '\000', c_sasl_authctx = 0x0, c_sasl_sockctx = 0x0, 
c_sasl_extra = 0x0, c_sasl_bindop = 0x0, c_pagedresults_state = {ps_be = 
0x0, ps_size = 0, ps_count = 0, ps_cookie = 0,
     ps_cookieval = {bv_len = 0, bv_val = 0x0}}, c_n_ops_received = 3, 
c_n_ops_executing = 1, c_n_ops_pending = 0, c_n_ops_completed = 2, 
c_n_get = 3, c_n_read = 3, c_n_write = 0, c_extensions = 0x0,
   c_clientfunc = 0x0, c_clientarg = 0x0, c_send_ldap_result = 0x435340 
<slap_send_ldap_result>, c_send_search_entry = 0x435d80 
<slap_send_search_entry>,
   c_send_search_reference = 0x437270 <slap_send_search_reference>, 
c_send_ldap_extended = 0x435a50 <slap_send_ldap_extended>, 
c_send_ldap_intermediate = 0x435bf0 <slap_send_ldap_intermediate>}


Comment 2 Leonid Yuriev 2014-12-29 09:27:04 UTC
Let's look at syncprov_matchops() in syncprov.c:

lines 1233-1235 (beginning of the loop):
     ldap_pvt_thread_mutex_lock( &si->si_ops_mutex );
     for (ss = si->si_ops, sprev = (syncops *)&si->si_ops; ss;
         sprev = ss, ss=snext)

lines 1273-1275:
             ss = sprev;
             continue;
         }

and line 1347 (near the end of the loop):
             syncprov_free_syncop( ss );

It seems that the syncops freed on line 1347 can still be referenced by line 1273
on the next iteration of the loop: after the free, the loop's `sprev = ss` step
leaves sprev pointing at the freed record, so `ss = sprev;` then reads freed
memory (a use-after-free).

Leonid.

Comment 3 Leonid Yuriev 2014-12-29 10:50:45 UTC
Please review the attached patch and merge it in.

Leonid.

---

The attached file is derived from OpenLDAP Software. All of the 
modifications
to OpenLDAP Software represented in the following patch(es) were 
developed by
Peter-Service LLC, Moscow, Russia. Peter-Service LLC has not assigned 
rights
and/or interest in this work to any party. I, Leonid Yuriev am 
authorized by
Peter-Service LLC, my employer, to release this work under the following 
terms.

Peter-Service LLC hereby places the following modifications to OpenLDAP 
Software
(and only these modifications) into the public domain. Hence, these
modifications may be freely used and/or redistributed for any purpose
with or without attribution and/or other notice.

Comment 4 Leonid Yuriev 2014-12-29 11:15:04 UTC
I think this is a duplicate of ITS#5452.
Happy New Year!

Leonid.


Comment 5 Leonid Yuriev 2014-12-29 12:10:24 UTC
Patch update:

     Detaching a syncops record from the op-list CONDITIONALLY, only when it 
was actually freed by syncprov_free_syncop.
     syncprov_drop_psearch() and syncprov_free_syncop() now return a flag, 
which is nonzero if the given syncops was freed.

Leonid.

29.12.2014 13:50, Leonid Yuriev пишет:
> Please review attached patch and merge-in.
>
> Leonid.
>
> ---
>
> The attached files is derived from OpenLDAP Software. All of the 
> modifications
> to OpenLDAP Software represented in the following patch(es) were 
> developed by
> Peter-Service LLC, Moscow, Russia. Peter-Service LLC has not assigned 
> rights
> and/or interest in this work to any party. I, Leonid Yuriev am 
> authorized by
> Peter-Service LLC, my employer, to release this work under the 
> following terms.
>
> Peter-Service LLC hereby places the following modifications to 
> OpenLDAP Software
> (and only these modifications) into the public domain. Hence, these
> modifications may be freely used and/or redistributed for any purpose
> with or without attribution and/or other notice.
>

Comment 6 Howard Chu 2015-01-04 07:30:57 UTC
changed notes
changed state Open to Test
moved from Incoming to Software Bugs
Comment 7 Howard Chu 2015-01-04 07:31:10 UTC
Leonid Yuriev wrote:
> Patch update:
>
>      Detaching a syncops record from op-list CONDITIONALLY, only when it
> was freed by syncprov_free_syncop.
>      The syncprov_drop_psearch() and syncprov_drop_psearch() now returns
> a flag, which is nonzero if the given syncops was freed.

Thanks, applied to master.
>
> Leonid.
>
> 29.12.2014 13:50, Leonid Yuriev пишет:
>> Please review attached patch and merge-in.
>>
>> Leonid.
>>
>> ---
>>
>> The attached files is derived from OpenLDAP Software. All of the
>> modifications
>> to OpenLDAP Software represented in the following patch(es) were
>> developed by
>> Peter-Service LLC, Moscow, Russia. Peter-Service LLC has not assigned
>> rights
>> and/or interest in this work to any party. I, Leonid Yuriev am
>> authorized by
>> Peter-Service LLC, my employer, to release this work under the
>> following terms.
>>
>> Peter-Service LLC hereby places the following modifications to
>> OpenLDAP Software
>> (and only these modifications) into the public domain. Hence, these
>> modifications may be freely used and/or redistributed for any purpose
>> with or without attribution and/or other notice.
>>
>


-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

Comment 8 Quanah Gibson-Mount 2015-01-05 19:51:14 UTC
changed notes
changed state Test to Release
Comment 9 Quanah Gibson-Mount 2015-01-05 19:53:32 UTC
changed notes
Comment 10 OpenLDAP project 2015-07-02 17:46:10 UTC
dup ITS#5452
fixed in master
fixed in RE25
fixed in RE24
Comment 11 Quanah Gibson-Mount 2015-07-02 17:46:10 UTC
changed notes
changed state Release to Closed