https://bugs.openldap.org/show_bug.cgi?id=10258
Issue ID: 10258
Summary: test050 failure: connection_close race?
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs@openldap.org
Reporter: ondra@mistotebe.net
Target Milestone: ---
Created attachment 1032 --> https://bugs.openldap.org/attachment.cgi?id=1032&action=edit tail of slapd log
Running test050 repeatedly, the slapd managed to get itself into an apparent inconsistency in the connections structure. The logs suggest that there might be a race closing the connection. Unfortunately the sanitiser didn't initiate a core dump in this case.
Quanah Gibson-Mount quanah@openldap.org changed:
What            |Removed            |Added
----------------------------------------------------------------------------
Assignee        |bugs@openldap.org  |ondra@mistotebe.net
Keywords        |needs_review       |
Target Milestone|---                |2.5.19
--- Comment #1 from Ondřej Kuzník ondra@mistotebe.net ---
Correlating the logs with the code, this seems to be the sequence of events:
- client sends an Unbind
- slapd_daemon_task in thread A (0x7fc2738396c0) picks up fd=9 (conn=1004), calls slapd_clr_read and submits connection_read_thread to the queue
- a worker thread B (0x7fc270c2c6c0) runs connection_read_thread->connection_read, reads one operation (unbind), queues it up in cri->op, then calls slapd_set_read
- only the unbind was read, so it is immediately processed in the same worker thread B (B side of the race)
- client closes the connection
- slapd_daemon_task in thread A notices and picks up fd=9 again (A side of the race)
- worker thread B wins the race and calls connection_closing, resetting the epoll state
- daemon A lost the race and will reach SLAP_EPOLL_SOCK_SET. Using invalid epoll state (which is now pointing to offset -1) it reaches memory that's not intended for this purpose (presumably not even allocated) and address sanitiser intervenes
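Added illustration, not OpenLDAP code: a minimal model of the interleaving described in the comment above, where the closing side resets the connection's epoll index to -1 and the daemon side then indexes the epoll table with it. The names (conn_t, epoll_slot_t, conn_closing, conn_sock_set, replay_race) are hypothetical stand-ins for the slapd functions named in the comment; the point is the guard: re-check the index under the connection's lock and refuse the update when the connection is already closing, instead of writing at offset -1.

```c
/* Constructed model of the close/read race; not slapd's connection code. */
#include <pthread.h>

#define N_SLOTS 4

typedef struct { int fd; int events; } epoll_slot_t;  /* model of an epoll registration */
typedef struct {
    int fd;
    int epoll_idx;            /* index into slots; becomes -1 on closing, as in the report */
    pthread_mutex_t mutex;
} conn_t;

static epoll_slot_t slots[N_SLOTS];   /* fd == 0 marks a free slot (never a client fd) */

/* Daemon side: register fd in the first free slot; returns the slot index or -1. */
int conn_register(conn_t *c, int fd) {
    pthread_mutex_init(&c->mutex, NULL);
    c->fd = fd;
    c->epoll_idx = -1;
    for (int i = 0; i < N_SLOTS; i++)
        if (slots[i].fd == 0) { slots[i].fd = fd; slots[i].events = 0; return c->epoll_idx = i; }
    return -1;
}

/* Worker side (thread B in the report): closing resets the epoll state. */
void conn_closing(conn_t *c) {
    pthread_mutex_lock(&c->mutex);
    if (c->epoll_idx >= 0) { slots[c->epoll_idx].fd = 0; slots[c->epoll_idx].events = 0; }
    c->epoll_idx = -1;
    pthread_mutex_unlock(&c->mutex);
}

/* Daemon side (thread A): an unguarded slots[c->epoll_idx].events |= ev would write
 * before the array once epoll_idx is -1. Guarded: validate under the lock, return -1. */
int conn_sock_set(conn_t *c, int ev) {
    int rc = -1;
    pthread_mutex_lock(&c->mutex);
    if (c->epoll_idx >= 0 && c->epoll_idx < N_SLOTS) { slots[c->epoll_idx].events |= ev; rc = 0; }
    pthread_mutex_unlock(&c->mutex);
    return rc;
}

/* Replays the losing order from the report: B closes first, then A reaches sock_set. */
int replay_race(void) {
    conn_t c;
    conn_register(&c, 9);         /* fd=9 (conn=1004 in the attached log) */
    conn_closing(&c);             /* worker B wins the race */
    return conn_sock_set(&c, 1);  /* daemon A: -1, no out-of-bounds write */
}

/* Replays the benign order: A's update lands before B closes. */
int replay_no_race(void) {
    conn_t c;
    conn_register(&c, 9);
    int rc = conn_sock_set(&c, 1);
    conn_closing(&c);
    return rc;                    /* 0 */
}
```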
Howard Chu hyc@openldap.org changed:
What            |Removed            |Added
----------------------------------------------------------------------------
Assignee        |ondra@mistotebe.net|hyc@openldap.org