(ITS#7716) slapd crashes after search immediately followed by (abandon+) unbind - openldap-bugs

2 Oct 2013


      Full_Name: Michael Vishchers
Version: 2.4.23
OS: Red Hat Enterprise Linux Server release 6.2
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (178.15.66.50)
slapd, running as a proxy to rewrite incoming connections based on user dn for
later routing to different back ends, dies sporadically after receiving a
(network delayed) search request that is "immediately" followed by an (optional)
abandon request and an unbind request.
We suspect that the abandon or unbind code tries to clean up data structures
that belong to a not yet completely initialized search operation.
The problem can unfortunately not easily be reproduced. Last time we had to wait
at least two weeks before it appeared. It may be a timing problem between two or
more threads.
This is the stacktrace, core and other files could be provided if necessary.
Program terminated with signal 11, Segmentation fault.
#0  0x00007f299c3e71bc in ?? ()
#0  0x00007f299c3e71bc in ?? ()
No symbol table info available.
#1  0x00007f2999bbd983 in rwm_op_rollback (op=0x7f2984002190, rs=<value
optimized out>, ros=0x7f298c003570) at
../../../../servers/slapd/overlays/rwm.c:107
        __PRETTY_FUNCTION__ = "rwm_op_rollback"
#2  0x00007f2999bbe988 in rwm_op_search (op=0x7f2984002190, rs=0x7f2995bafaa0)
at ../../../../servers/slapd/overlays/rwm.c:984
        on = 0x7f299fb95210
        rwmap = 0x7f299fb94f70
        rc = <value optimized out>
        dc = {rwmap = 0x7f2984002190, conn = 0x7f298c003468, ctx = 0x12 <Address
0x12 out of bounds>, rs = 0x7f299e7963b0}
        fstr = {bv_len = 0, bv_val = 0x0}
        f = 0x0
        an = 0x0
        text = <value optimized out>
        roc = 0x7f298c003550
#3  0x00007f299e7fe02a in overlay_op_walk (op=0x7f2984002190, rs=0x7f2995bafaa0,
which=op_search, oi=0x7f299fb95030, on=0x7f299fb95210) at
../../../servers/slapd/backover.c:659
        func = 0x7f299fb95268
        rc = 32768
#4  0x00007f299e8d29a1 in slapi_op_func (op=0x7f2984002190, rs=0x7f2995bafaa0)
at ../../../../servers/slapd/slapi/slapi_overlay.c:647
        pb = 0x7f298c1051b0
        which = op_search
        opinfo = <value optimized out>
        rc = <value optimized out>
        oi = <value optimized out>
        on = <value optimized out>
        cb = {sc_next = 0x7f2995bae7e0, sc_response = 0x7f299e8d1fc0
<slapi_over_response>, sc_cleanup = 0x7f299e8d1ed0 <slapi_over_cleanup>,
sc_private = 0x7f298c1051b0}
        internal_op = 0
        preop_type = <value optimized out>
        postop_type = 503
        be = 0x7f2995bae800
#5  0x00007f299e7fe02a in overlay_op_walk (op=0x7f2984002190, rs=0x7f2995bafaa0,
which=op_search, oi=0x7f299fb95030, on=0x7f299fb9e8c0) at
../../../servers/slapd/backover.c:659
        func = 0x7f299fb9e918
        rc = 32768
#6  0x00007f299e7feb6b in over_op_func (op=0x7f2984002190, rs=<value optimized
out>, which=<value optimized out>) at ../../../servers/slapd/backover.c:721
        oi = <value optimized out>
        on = <value optimized out>
        be = 0x7f299fb940b0
        db = {bd_info = 0x7f299fb95210, bd_self = 0x7f299fb940b0, be_ctrls =
"\000", '\001' <repeats 17 times>, '\000' <repeats 14 times>, "\001", be_flags =
257, be_restrictops = 0, be_requires = 5, be_ssf_set = {sss_ssf = 0,
sss_transport = 0, sss_tls = 0, sss_sasl = 0, sss_update_ssf = 0,
sss_update_transport = 0, sss_update_tls = 0, sss_update_sasl = 0,
sss_simple_bind = 0}, be_suffix = 0x7f299fb94ed0, be_nsuffix = 0x7f299fb94f00,
be_schemadn = {bv_len = 0, bv_val = 0x0}, be_schemandn = {bv_len = 0, bv_val =
0x0}, be_rootdn = {bv_len = 0, bv_val = 0x0}, be_rootndn = {bv_len = 0, bv_val =
0x0}, be_rootpw = {bv_len = 0, bv_val = 0x0}, be_max_deref_depth = 15,
be_def_limit = {lms_t_soft = 3600, lms_t_hard = 0, lms_s_soft = 500, lms_s_hard
= 0, lms_s_unchecked = -1, lms_s_pr = 0, lms_s_pr_hide = 0, lms_s_pr_total = 0},
be_limits = 0x0, be_acl = 0x0, be_dfltaccess = ACL_READ, be_update_ndn = {bv_len
= 0, bv_val = 0x0}, be_update_refs = 0x0, be_pending_csn_list = 0x7f299fc738f0,
be_pcl_mutex = {__data = {__lock = 0, __count = 0, __owner = 0, __nusers = 0,
__kind = 0, __spins = 0, __list = {__prev = 0x0, __next = 0x0}}, __size = '\000'
<repeats 39 times>, __align = 0}, be_syncinfo = 0x0, be_pb = 0x7f299fb9eaa0,
be_cf_ocs = 0x7f299eb6da00, be_private = 0x7f299fb94240, be_next = {stqe_next =
0x0}}
        cb = {sc_next = 0x0, sc_response = 0x7f299e7fdd40 <over_back_response>,
sc_cleanup = 0, sc_private = 0x7f299fb95030}
        sc = <value optimized out>
        rc = 32768
        __PRETTY_FUNCTION__ = "over_op_func"
#7  0x00007f299e794999 in fe_op_search (op=0x7f2984002190, rs=0x7f2995bafaa0) at
../../../servers/slapd/search.c:366
        bd = 0x7f299eb72760
#8  0x00007f299e795177 in do_search (op=0x7f2984002190, rs=<value optimized
out>) at ../../../servers/slapd/search.c:217
        base = {bv_len = 55, bv_val = 0x7f298c11fef9
"vfsid=491722472236,ou=subscriber,ou=mmo,c=de,o=vodafone"}
        siz = 0
        off = 0
        i = <value optimized out>
#9  0x00007f299e7920f9 in connection_operation (ctx=0x7f2995bafb70,
arg_v=0x7f2984002190) at ../../../servers/slapd/connection.c:1109
        rc = 80
        cancel = <value optimized out>
        op = 0x7f2984002190
        rs = {sr_type = REP_RESULT, sr_tag = 0, sr_msgid = 0, sr_err = 80,
sr_matched = 0x0, sr_text = 0x7f2999bc4122 "Rewrite error", sr_ref = 0x0,
sr_ctrls = 0x0, sr_un = {sru_search = {r_entry = 0x0, r_attr_flags = 0,
r_operational_attrs = 0x0, r_attrs = 0x0, r_nentries = 0, r_v2ref = 0x0},
sru_sasl = {r_sasldata = 0x0}, sru_extended = {r_rspoid = 0x0, r_rspdata =
0x0}}, sr_flags = 0}
        tag = 99
        opidx = SLAP_OP_SEARCH
        conn = 0x7f2996db74d0
        memctx = 0x7f298c002820
        memctx_null = 0x0
        memsiz = 1048576
        __PRETTY_FUNCTION__ = "connection_operation"
#10 0x00007f299e892678 in ldap_int_thread_pool_wrapper (xpool=0x7f299fae9ae0) at
../../../libraries/libldap_r/tpool.c:685
        pool = 0x7f299fae9ae0
        task = 0x7f2988000a20
        work_list = <value optimized out>
        ctx = {ltu_id = 139816582448896, ltu_key = {{ltk_key = 0x7f299e790d50,
ltk_data = 0x7f298c002d40, ltk_free = 0x7f299e790e30 <conn_counter_destroy>},
{ltk_key = 0x7f299e7eaf70, ltk_data = 0x7f298c002820, ltk_free = 0x7f299e7eae50
<slap_sl_mem_destroy>}, {ltk_key = 0x7f299e7a6b70, ltk_data = 0x0, ltk_free =
0x7f299e7a6940 <slap_op_q_destroy>}, {ltk_key = 0x0, ltk_data = 0x0, ltk_free =
0} <repeats 29 times>}}
        kctx = <value optimized out>
        keyslot = <value optimized out>
        hash = <value optimized out>
        __PRETTY_FUNCTION__ = "ldap_int_thread_pool_wrapper"
#11 0x00007f299c91e7f1 in ?? ()
No symbol table info available.
#12 0x00007f2995bb0700 in ?? ()
No symbol table info available.
#13 0x0000000000000000 in ?? ()
No symbol table info available.