681379 – ns-slapd segfaults if I have more than 100 DBs

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 681379 - ns-slapd segfaults if I have more than 100 DBs

Summary: ns-slapd segfaults if I have more than 100 DBs

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	389-ds-base
Sub Component:
Version:	6.1
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Rich Megginson
QA Contact:	Chandrasekar Kannan
Docs Contact:
URL:
Whiteboard:
Depends On:	680555
Blocks:	639035 389_1.2.8 680575
TreeView+	depends on / blocked

Reported:	2011-03-01 23:42 UTC by Rich Megginson
Modified:	2015-01-04 23:46 UTC (History)
CC List:	4 users (show)
Fixed In Version:	389-ds-base-1.2.8-0.6.rc1.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:	680555
Environment:
Last Closed:	2011-05-19 12:42:26 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHEA-2011:0533	0	normal	SHIPPED_LIVE	new package: 389-ds-base	2011-05-18 17:57:44 UTC

Description Rich Megginson 2011-03-01 23:42:11 UTC

+++ This bug was initially created as a clone of Bug #680555 +++

Description of problem:
If you have more than 100 sub suffixes with their databases, 389 DS segfaults.


Version-Release number of selected component (if applicable):
1.2.8.a2


How reproducible:
Execute this from command line 150 times:
ldapadd -x -D uid=superuser,ou=People,dc=domain,dc=ar -w superpass << EOF
dn: cn=ou=$1\,dc=domain\,dc=ar,cn=mapping tree,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsMappingTree
nsslapd-state: backend 
nsslapd-backend: $1
nsslapd-parent-suffix: dc=domain,dc=ar
cn: ou=$1,dc=domain,dc=ar

dn: cn=$1,cn=ldbm database,cn=plugins,cn=config
objectclass: extensibleObject
objectclass: nsBackendInstance
nsslapd-suffix: ou=$1,dc=domain,dc=ar

dn: ou=$1,dc=domain,dc=ar
objectClass: organizationalUnit
objectClass: top
ou: $1  
description: $1
EOF     

  
Actual results:
Running ns-slapd from gdb:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff55c11c4 in PR_RWLock_Unlock () from /usr/lib/libnspr4.so.0d
(gdb) bt
#0  0x00007ffff55c11c4 in PR_RWLock_Unlock () from /usr/lib/libnspr4.so.0d
#1  0x00007ffff7b5cb60 in slapi_mapping_tree_free_all (be_list=<value optimized out>,
    referral_list=0x7fffffffd2e0) at ldap/servers/slapd/mapping_tree.c:2272
#2  0x00007ffff7b68710 in op_shared_search (pb=0x4787410,
    send_result=<value optimized out>) at ldap/servers/slapd/opshared.c:872
#3  0x00007ffff7b72609 in search_internal_callback_pb (pb=0x4787410,
    callback_data=<value optimized out>, prc=<value optimized out>,
    psec=0x7fffed0ab760 <views_dn_views_cb>, prec=0)
    at ldap/servers/slapd/plugin_internal_op.c:761
#4  0x00007fffed0ac3ea in views_cache_add_dn_views ()
    at ldap/servers/plugins/views/views.c:1307
#5  views_cache_build_view_list () at ldap/servers/plugins/views/views.c:1177
#6  views_cache_create () at ldap/servers/plugins/views/views.c:439
#7  0x00007fffed0ac554 in views_start (pb=<value optimized out>)
    at ldap/servers/plugins/views/views.c:254
#8  0x00007ffff7b6f6cd in plugin_call_func (list=0x99a500, operation=212, pb=0x8398f0,
    call_one=1) at ldap/servers/slapd/plugin.c:1428
#9  0x00007ffff7b70046 in plugin_call_one (argc=9, argv=0x7fffffffe5e8,
    errmsg=<value optimized out>, operation=<value optimized out>)
    at ldap/servers/slapd/plugin.c:1396
#10 plugin_dependency_startall (argc=9, argv=0x7fffffffe5e8,
    errmsg=<value optimized out>, operation=<value optimized out>)
    at ldap/servers/slapd/plugin.c:1187
#11 0x000000000041dfaa in main (argc=9, argv=0x7fffffffe5e8)


I found that DS works if I set BE_LIST_SIZE to 300 in ldap/servers/slapd/slap.h

The problem is in ldap/servers/slapd/mapping_tree.c:slapi_mapping_tree_select_all() too.

Line 2181 should be: "while ((node) &&(index < BE_LIST_SIZE -1))" to let space for the NULL value assigned after the loop. A warning if we have more than BE_LIST_SIZE datases would be great.

--- Additional comment from rmeggins on 2011-03-01 17:40:58 EST ---

Created attachment 481729 [details]
0001-Bug-680555-ns-slapd-segfaults-if-I-have-more-than-10.patch

--- Additional comment from rmeggins on 2011-03-01 18:41:45 EST ---

To ssh://git.fedorahosted.org/git/389/ds.git
   e3c72d0..6c4eac9  master -> master
commit 6c4eac9ca642b99d7664d3a6b04067c3091f5694
Author: Rich Megginson <rmeggins>
Date:   Tue Mar 1 15:36:11 2011 -0700
    Reviewed by: nhosoi, nkinder (Thanks!)
    Branch: master
    Fix Description: 1) slapi_mapping_tree_select_all() does
    be_list[BE_LIST_SIZE] = NULL
    so be_list must be of size BE_LIST_SIZE+1
    2) loop counter should check be_index, not index, to see if the loop is
    completed
    3) if the search is going to hit more backends than we can process, just
    return ADMINLIMIT_EXCEEDED with an explanatory error message
    4) increase the BE_LIST_SIZE to 1000
    Platforms tested: RHEL6 x86_64
    Flag Day: no
    Doc impact: no
To ssh://git.fedorahosted.org/git/389/ds.git
   1ba8420..ef1cb3d  389-ds-base-1.2.8 -> 389-ds-base-1.2.8
commit ef1cb3d053888274a8b7d0f59c8392427b01e783

Comment 3 Chandrasekar Kannan 2011-04-17 22:59:42 UTC

Ran the following script with the latest 389-ds-base and no crash was observed. 
marking bug verified. 389-ds-base-1.2.8.2-1.el6.i686

[root@ds90-rhel6-32vm ~]# cat run.sh 
i=1
while [ $i -le 200 ];
do
ldapadd -x -D "cn=directory manager" -w Secret123 << EOF
dn: cn=ou=a-$i\,dc=idm\,dc=lab\,dc=bos\,dc=bos\,dc=redhat\,dc=com\,cn=mapping tree,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsMappingTree
nsslapd-state: backend 
nsslapd-backend: a-$i
nsslapd-parent-suffix: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
cn: ou=a-$i,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com

dn: cn=a-$i,cn=ldbm database,cn=plugins,cn=config
objectclass: extensibleObject
objectclass: nsBackendInstance
nsslapd-suffix: ou=a-$i,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com

dn: ou=a-$i,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
objectClass: organizationalUnit
objectClass: top
ou: a-$i  
description: a-$i
EOF

i=`expr $i + 1`
done

Comment 4 errata-xmlrpc 2011-05-19 12:42:26 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2011-0533.html

Note You need to log in before you can comment on or make changes to this bug.