Bug 1252082

Summary: removing chaining database links trigger valgrind read errors
Product: Red Hat Enterprise Linux 7
Component: 389-ds-base
Version: 7.0
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Reporter: Noriko Hosoi <nhosoi>
Assignee: Noriko Hosoi <nhosoi>
QA Contact: Viktor Ashirov <vashirov>
CC: kbanerje, mreynolds, nkinder, rmeggins
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: 389-ds-base-1.3.4.0-11.el7
Doc Type: Bug Fix
Last Closed: 2015-11-19 11:43:58 UTC
Attachments: valgrind.out (flags: none)

Description Noriko Hosoi 2015-08-10 16:39:48 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/47686

While deleting a chainingdb database link we start calling that backend's callbacks, and one of those callbacks deletes other callbacks from that same callback list.

==16217== Invalid read of size 8
==16217==    at 0x4C713B9: dse_call_callback (dse.c:2555)
==16217==    by 0x4C70E31: dse_delete (dse.c:2439)
==16217==    by 0x4C652CB: op_shared_delete (delete.c:364)
==16217==    by 0x4C64AB4: do_delete (delete.c:128)
==16217==    by 0x415C00: connection_dispatch_operation (connection.c:650)
==16217==    by 0x417AB2: connection_threadmain (connection.c:2534)
==16217==    by 0x3A8D029A72: ??? (in /lib64/libnspr4.so)
==16217==    by 0x378E407850: start_thread (in /lib64/libpthread-2.12.so)
==16217==    by 0x378E0E890C: clone (in /lib64/libc-2.12.so)
==16217==  Address 0xaf3e1e8 is 56 bytes inside a block of size 64 free'd
==16217==    at 0x4A063F0: free (vg_replace_malloc.c:446)
==16217==    by 0x4C5FB24: slapi_ch_free (ch_malloc.c:363)
==16217==    by 0x4C6C572: dse_callback_delete (dse.c:265)
==16217==    by 0x4C6C80D: dse_callback_removefromlist (dse.c:350)
==16217==    by 0x4C7129D: dse_remove_callback (dse.c:2523)
==16217==    by 0x4C7152F: slapi_config_remove_callback (dse.c:2588)
==16217==    by 0x8CB62DB: cb_delete_monitor_callback (cb_monitor.c:260)
==16217==    by 0x4C713A3: dse_call_callback (dse.c:2548)
==16217==    by 0x4C70E31: dse_delete (dse.c:2439)
==16217==    by 0x4C652CB: op_shared_delete (delete.c:364)
==16217==    by 0x4C64AB4: do_delete (delete.c:128)
==16217==    by 0x415C00: connection_dispatch_operation (connection.c:650)
==16217==    by 0x417AB2: connection_threadmain (connection.c:2534)
==16217==    by 0x3A8D029A72: ??? (in /lib64/libnspr4.so)
==16217==    by 0x378E407850: start_thread (in /lib64/libpthread-2.12.so)
==16217==    by 0x378E0E890C: clone (in /lib64/libc-2.12.so)
==16217==
==16217== Thread 19:
==16217== Invalid read of size 8
==16217==    at 0x4C713B9: dse_call_callback (dse.c:2555)
==16217==    by 0x4C70F9E: dse_delete (dse.c:2465)
==16217==    by 0x4C652CB: op_shared_delete (delete.c:364)
==16217==    by 0x4C64AB4: do_delete (delete.c:128)
==16217==    by 0x415C00: connection_dispatch_operation (connection.c:650)
==16217==    by 0x417AB2: connection_threadmain (connection.c:2534)
==16217==    by 0x3A8D029A72: ??? (in /lib64/libnspr4.so)
==16217==    by 0x378E407850: start_thread (in /lib64/libpthread-2.12.so)
==16217==    by 0x378E0E890C: clone (in /lib64/libc-2.12.so)
==16217==  Address 0xcc6bf38 is 56 bytes inside a block of size 64 free'd
==16217==    at 0x4A063F0: free (vg_replace_malloc.c:446)
==16217==    by 0x4C5FB24: slapi_ch_free (ch_malloc.c:363)
==16217==    by 0x4C6C572: dse_callback_delete (dse.c:265)
==16217==    by 0x4C6C80D: dse_callback_removefromlist (dse.c:350)
==16217==    by 0x4C7129D: dse_remove_callback (dse.c:2523)
==16217==    by 0x4C7152F: slapi_config_remove_callback (dse.c:2588)
==16217==    by 0x8CB351E: cb_instance_delete_config_callback (cb_instance.c:1714)
==16217==    by 0x4C713A3: dse_call_callback (dse.c:2548)
==16217==    by 0x4C70F9E: dse_delete (dse.c:2465)
==16217==    by 0x4C652CB: op_shared_delete (delete.c:364)
==16217==    by 0x4C64AB4: do_delete (delete.c:128)
==16217==    by 0x415C00: connection_dispatch_operation (connection.c:650)
==16217==    by 0x417AB2: connection_threadmain (connection.c:2534)
==16217==    by 0x3A8D029A72: ??? (in /lib64/libnspr4.so)
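
A minimal model of the pattern described above, added here as an illustration and not taken from 389-ds-base or its fix: a callback removes entries from the list that is being walked, and removal is deferred until the walk ends so the walker never reads a freed node. All names (cb_list, cb_remove, cb_call_all, demo) are hypothetical, and deferred removal is one common remedy, not necessarily the one applied upstream.

```c
#include <stdlib.h>
/* Hypothetical names; a minimal model, not 389-ds-base code. */
struct cb_list;
typedef void (*cb_fn)(struct cb_list *l, int id);
struct cb { struct cb *next; cb_fn fn; int id; int dead; };
struct cb_list { struct cb *head; int walking; int calls; };

void cb_add(struct cb_list *l, cb_fn fn, int id) {
    struct cb *c = calloc(1, sizeof *c);
    if (!c) abort();
    c->fn = fn; c->id = id;
    c->next = l->head; l->head = c;            /* prepend */
}

static void cb_sweep(struct cb_list *l) {      /* unlink and free flagged nodes */
    for (struct cb **pp = &l->head; *pp; ) {
        struct cb *c = *pp;
        if (c->dead) { *pp = c->next; free(c); }
        else pp = &c->next;
    }
}

/* Callable from inside a callback: during a walk the node is only flagged,
 * so the walker never dereferences freed memory. */
void cb_remove(struct cb_list *l, int id) {
    for (struct cb *c = l->head; c; c = c->next)
        if (c->id == id) c->dead = 1;
    if (l->walking == 0) cb_sweep(l);
}

/* If cb_remove freed immediately, the p->next read after p->fn() returns
 * would touch a freed node: the kind of invalid read shown in the report. */
void cb_call_all(struct cb_list *l) {
    l->walking++;
    for (struct cb *p = l->head; p; p = p->next)
        if (!p->dead) { l->calls++; p->fn(l, p->id); }
    if (--l->walking == 0) cb_sweep(l);        /* deferred frees happen here */
}

void cb_noop(struct cb_list *l, int id) { (void)l; (void)id; }  /* constructed */
void cb_drop_two(struct cb_list *l, int id) { cb_remove(l, id); cb_remove(l, id - 1); }

/* Walk 3,2,1 where 3 removes itself and 2; returns callbacks run, or -1. */
int demo(void) {
    struct cb_list l = {0};
    cb_add(&l, cb_noop, 1); cb_add(&l, cb_noop, 2); cb_add(&l, cb_drop_two, 3);
    cb_call_all(&l);
    int ok = l.head && l.head->id == 1 && l.head->next == NULL;
    cb_remove(&l, 1);                          /* outside a walk: freed at once */
    return ok ? l.calls : -1;
}
int main(void) { return demo() == 2 ? 0 : 1; }
```

Running the model under valgrind or with AddressSanitizer reports no invalid read, because no node is freed while cb_call_all still holds a pointer into the list.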

Comment 1 mreynolds 2015-08-10 17:03:34 UTC
Fixed upstream.

Issue is only detectable in valgrind.

Steps to reproduce:

[1]  Enable valgrind for DS, and start it
[2]  Create a database link:

ldapmodify ...

dn: cn=example_link,cn=chaining database,cn=plugins,cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
objectClass: nsBackendInstance
cn: example_link
nsslapd-suffix: dc=example,dc=com
nsmultiplexorbinddn: uid=test,dc=example,dc=com
nsfarmserverurl: ldap://localhost:389/
nsmultiplexorcredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUV
 GRERBNEJDUmxObUk0WXpjM1l5MHdaVE5rTXpZNA0KTnkxaE9XSmhORGRoT0MwMk1ESmpNV014TUFB
 Q0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQnY1M2VNeTVuR0hZT
 WRCVXRUYkcxcA==}mzH2Saj9gPyeozCbe+QehQ==

dn: cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
changetype: modify
add: nsslapd-backend
nsslapd-backend: example_link

dn: cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
changetype: modify
delete: nsslapd-backend
nsslapd-backend: example_link


[3]  Delete the Link

ldapmodify ...

dn: cn=monitor,cn=example_link,cn=chaining database,cn=plugins,cn=config
changetype: delete

dn: cn=example_link,cn=chaining database,cn=plugins,cn=config
changetype: delete

[4]  Stop the server

[5]  Check there is nothing in the valgrind report mentioning "dse_call_callback" and "Invalid read"

Comment 3 Viktor Ashirov 2015-08-23 17:48:25 UTC
Created attachment 1066067
valgrind.out

Build tested: 389-ds-base-1.3.4.0-13.el7.x86_64

I don't see any invalid reads with related dse_call_callback in the valgrind output. 

But there are plenty of these messages:
==20636==    by 0x4E917B8: dse_call_callback.isra.1 (dse.c:2634)

Mark, could you please confirm that they are unrelated? 
Thanks!

Comment 4 mreynolds 2015-08-25 15:41:05 UTC
(In reply to Viktor Ashirov from comment #3)
> Created attachment 1066067
> valgrind.out
> 
> Build tested: 389-ds-base-1.3.4.0-13.el7.x86_64
> 
> I don't see any invalid reads with related dse_call_callback in the valgrind
> output. 
> 
> But there are plenty of these messages:
> ==20636==    by 0x4E917B8: dse_call_callback.isra.1 (dse.c:2634)
> 
> Mark, could you please confirm that they are unrelated? 
> Thanks!

Those are unrelated messages, and can be ignored.

Thanks,
Mark

Comment 5 Viktor Ashirov 2015-08-25 15:42:50 UTC
Thanks, Mark!

Marking as VERIFIED.

Comment 6 errata-xmlrpc 2015-11-19 11:43:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2351.html