Running 4.2.2 from git on an all Win 8.1 clients. The machine in the logs (AIO10) didn't have anyone logged in recently. Logs show some spew like: ... [2015/07/08 15:44:15.609705, 2] ../source3/smbd/service.c:1138(close_cnum) 192.168.0.110 (ipv4:192.168.0.110:52212) closed connection to service AIO10$ [2015/07/08 15:44:15.609907, 2] ../source3/smbd/service.c:1138(close_cnum) 192.168.0.110 (ipv4:192.168.0.110:52212) closed connection to service AIO10$ [2015/07/08 15:44:15.610112, 2] ../source3/smbd/service.c:1138(close_cnum) 192.168.0.110 (ipv4:192.168.0.110:52212) closed connection to service AIO10$ [2015/07/08 15:44:15.610320, 2] ../source3/smbd/service.c:1138(close_cnum) 192.168.0.110 (ipv4:192.168.0.110:52212) closed connection to service AIO10$ [2015/07/08 15:44:15.610532, 2] ../source3/smbd/service.c:1138(close_cnum) 192.168.0.110 (ipv4:192.168.0.110:52212) closed connection to service AIO10$ [2015/07/08 15:44:15.610743, 2] ../source3/smbd/service.c:1138(close_cnum) 192.168.0.110 (ipv4:192.168.0.110:52212) closed connection to service AIO10$ [2015/07/08 15:44:15.610956, 2] ../source3/smbd/service.c:1138(close_cnum) 192.168.0.110 (ipv4:192.168.0.110:52212) closed connection to service AIO10$ [2015/07/08 15:44:15.611162, 2] ../source3/smbd/service.c:1138(close_cnum) 192.168.0.110 (ipv4:192.168.0.110:52212) closed connection to service AIO10$ [2015/07/08 15:44:15.611947, 2] ../source3/smbd/service.c:1138(close_cnum) [2015/07/08 15:44:15.611975, 0] ../source3/lib/popt_common.c:68(popt_s3_talloc_log_fn) talloc: access after free error - first free may be at ../source3/smbd/server_exit.c:225 [2015/07/08 15:44:15.617760, 0] ../source3/lib/popt_common.c:68(popt_s3_talloc_log_fn) Bad talloc magic value - access after free [2015/07/08 15:44:15.617785, 0] ../source3/lib/util.c:788(smb_panic_s3) PANIC (pid 24253): Bad talloc magic value - access after free [2015/07/08 15:44:15.620530, 0] ../source3/lib/util.c:899(log_stack_trace) BACKTRACE: 44 stack frames: ... 
[Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". 0x00007fe5acc6184a in __GI___waitpid (pid=10817, stat_loc=stat_loc@entry=0x7ffd7e1216d0, options=options@entry=0) at ../sysdeps/unix/sysv/linux/waitpid.c:31 #0 0x00007fe5acc6184a in __GI___waitpid (pid=10817, stat_loc=stat_loc@entry=0x7ffd7e1216d0, options=options@entry=0) at ../sysdeps/unix/sysv/linux/waitpid.c:31 resultvar = 18446744073709551104 oldtype = <optimized out> result = <optimized out> #1 0x00007fe5acbdaffb in do_system (line=<optimized out>) at ../sysdeps/posix/system.c:148 __result = <optimized out> _buffer = {__routine = 0x7fe5acbdb2f0 <cancel_handler>, __arg = 0x7ffd7e1216ac, __canceltype = 0, __prev = 0x0} _avail = 1 status = 0 save = <optimized out> pid = 10817 sa = {__sigaction_handler = {sa_handler = 0x1, sa_sigaction = 0x1}, sa_mask = {__val = {65536, 0 <repeats 15 times>}}, sa_flags = 0, sa_restorer = 0x7fe5b401a340} omask = {__val = {6272, 140624475828668, 6, 6, 140726718568480, 140624548831392, 140726718572608, 140624488632464, 140624548831392, 140726718572608, 0, 0, 0, 140624488716701, 1, 0}} #2 0x00007fe5ae2d2662 in smb_panic_s3 (why=0x7fe5afcd4d90 "Bad talloc magic value - access after free") at ../source3/lib/util.c:801 cmd = 0x7fe5b401a340 "/home/semenko/panic-action 24253" result = 925904693 __FUNCTION__ = "smb_panic_s3" #3 0x00007fe5b06e8f21 in smb_panic (why=0x7fe5afcd4d90 "Bad talloc magic value - access after free") at ../lib/util/fault.c:166 No locals. #4 0x00007fe5afcd056d in talloc_abort (reason=0x7fe5afcd4d90 "Bad talloc magic value - access after free") at ../lib/talloc/talloc.c:343 No locals. #5 0x00007fe5afcd05ec in talloc_abort_access_after_free () at ../lib/talloc/talloc.c:359 No locals. 
#6 0x00007fe5afcd0669 in talloc_chunk_from_ptr (ptr=0x7fe5b47b14d0) at ../lib/talloc/talloc.c:380 pp = 0x7fe5b47b14d0 "\020" tc = 0x7fe5b47b1470 #7 0x00007fe5afcd21f9 in __talloc_get_name (ptr=0x7fe5b47b14d0) at ../lib/talloc/talloc.c:1366 tc = 0x7fe5aee1070e <trim_char+376> #8 0x00007fe5afcd2293 in talloc_check_name (ptr=0x7fe5b47b14d0, name=0x7fe5adea46b4 "struct tsocket_address_bsd") at ../lib/talloc/talloc.c:1389 pname = 0x0 #9 0x00007fe5ade9d337 in tsocket_address_bsd_string (addr=0x7fe5b2e36d40, mem_ctx=0x7fe5b3cbc7d0) at ../lib/tsocket/tsocket_bsd.c:593 bsda = 0x7fe5b3cbc7d0 str = 0x7fe5b447a0a0 "AIO10$" addr_str = 0x0 prefix = 0x7fe5b3939950 "AIO10$" port = 0 #10 0x00007fe5ade9a5be in tsocket_address_string (addr=0x7fe5b2e36d40, mem_ctx=0x7fe5b3cbc7d0) at ../lib/tsocket/tsocket.c:89 No locals. #11 0x00007fe5b025e92e in close_cnum (conn=0x7fe5b44f59f0, vuid=0) at ../source3/smbd/service.c:1134 __FUNCTION__ = "close_cnum" #12 0x00007fe5b02a1892 in smbXsrv_tcon_disconnect (tcon=0x7fe5b3cada50, vuid=0) at ../source3/smbd/smbXsrv_tcon.c:979 ok = true table = 0x7fe5b3f25bd0 local_rec = 0x0 global_rec = 0x0 status = {v = 0} error = {v = 0} __FUNCTION__ = "smbXsrv_tcon_disconnect" #13 0x00007fe5b02a0a17 in smbXsrv_tcon_destructor (tcon=0x7fe5b3cada50) at ../source3/smbd/smbXsrv_tcon.c:688 status = {v = 3016415824} __FUNCTION__ = "smbXsrv_tcon_destructor" #14 0x00007fe5afcd145c in _talloc_free_internal (ptr=0x7fe5b3cada50, location=0x7fe5b040ea40 "../source3/smbd/server_exit.c:230") at ../lib/talloc/talloc.c:993 d = 0x7fe5b02a09fa <smbXsrv_tcon_destructor> tc = 0x7fe5b3cad9f0 ptr_to_free = 0x7fe5b42ff600 #15 0x00007fe5afcd2593 in _talloc_free_children_internal (tc=0x7fe5b3f25b70, ptr=0x7fe5b3f25bd0, location=0x7fe5b040ea40 "../source3/smbd/server_exit.c:230") at ../lib/talloc/talloc.c:1472 child = 0x7fe5b3cada50 new_parent = 0x7fe5b2e25500 #16 0x00007fe5afcd160d in _talloc_free_internal (ptr=0x7fe5b3f25bd0, location=0x7fe5b040ea40 
"../source3/smbd/server_exit.c:230") at ../lib/talloc/talloc.c:1019 tc = 0x7fe5b3f25b70 ptr_to_free = 0x7fe5b44b03e0 #17 0x00007fe5afcd2593 in _talloc_free_children_internal (tc=0x7fe5b3ee8740, ptr=0x7fe5b3ee87a0, location=0x7fe5b040ea40 "../source3/smbd/server_exit.c:230") at ../lib/talloc/talloc.c:1472 child = 0x7fe5b3f25bd0 new_parent = 0x7fe5b2e25500 #18 0x00007fe5afcd160d in _talloc_free_internal (ptr=0x7fe5b3ee87a0, location=0x7fe5b040ea40 "../source3/smbd/server_exit.c:230") at ../lib/talloc/talloc.c:1019 tc = 0x7fe5b3ee8740 ptr_to_free = 0x7fe5b3dddfd0 #19 0x00007fe5afcd2593 in _talloc_free_children_internal (tc=0x7fe5b3d381f0, ptr=0x7fe5b3d38250, location=0x7fe5b040ea40 "../source3/smbd/server_exit.c:230") at ../lib/talloc/talloc.c:1472 child = 0x7fe5b3ee87a0 new_parent = 0x7fe5b2e25500 #20 0x00007fe5afcd160d in _talloc_free_internal (ptr=0x7fe5b3d38250, location=0x7fe5b040ea40 "../source3/smbd/server_exit.c:230") at ../lib/talloc/talloc.c:1019 tc = 0x7fe5b3d381f0 ptr_to_free = 0x7fe5b473eab0 #21 0x00007fe5afcd2593 in _talloc_free_children_internal (tc=0x7fe5b37478c0, ptr=0x7fe5b3747920, location=0x7fe5b040ea40 "../source3/smbd/server_exit.c:230") at ../lib/talloc/talloc.c:1472 child = 0x7fe5b3d38250 new_parent = 0x7fe5b2e25500 #22 0x00007fe5afcd160d in _talloc_free_internal (ptr=0x7fe5b3747920, location=0x7fe5b040ea40 "../source3/smbd/server_exit.c:230") at ../lib/talloc/talloc.c:1019 tc = 0x7fe5b37478c0 ptr_to_free = 0x7fe5b3d206d0 #23 0x00007fe5afcd29a0 in _talloc_free (ptr=0x7fe5b3747920, location=0x7fe5b040ea40 "../source3/smbd/server_exit.c:230") at ../lib/talloc/talloc.c:1594 tc = 0x7fe5b37478c0 #24 0x00007fe5b02a68b0 in exit_server_common (how=SERVER_EXIT_NORMAL, reason=0x7fe5af0a1be3 "NT_STATUS_IO_TIMEOUT") at ../source3/smbd/server_exit.c:230 client = 0x0 xconn = 0x0 sconn = 0x0 msg_ctx = 0x7fe5b2e369b0 __FUNCTION__ = "exit_server_common" #25 0x00007fe5b02a69ee in smbd_exit_server_cleanly (explanation=0x7fe5af0a1be3 "NT_STATUS_IO_TIMEOUT") at 
../source3/smbd/server_exit.c:263 No locals. #26 0x00007fe5adc8de70 in exit_server_cleanly (reason=0x7fe5af0a1be3 "NT_STATUS_IO_TIMEOUT") at ../source3/lib/smbd_shim.c:131 No locals. #27 0x00007fe5b0271f51 in smbd_server_connection_terminate_ex (xconn=0x7fe5b39e2070, reason=0x7fe5af0a1be3 "NT_STATUS_IO_TIMEOUT", location=0x7fe5b03fea38 "../source3/smbd/smb2_server.c:3498") at ../source3/smbd/smb2_server.c:1050 __FUNCTION__ = "smbd_server_connection_terminate_ex" #28 0x00007fe5b0279d30 in smbd_smb2_connection_handler (ev=0x7fe5b2e368c0, fde=0x7fe5b363cca0, flags=1, private_data=0x7fe5b39e2070) at ../source3/smbd/smb2_server.c:3498 xconn = 0x7fe5b39e2070 status = {v = 3221225653} #29 0x00007fe5ae2f2d26 in run_events_poll (ev=0x7fe5b2e368c0, pollrtn=1, pfds=0x7fe5b37ad7e0, num_pfds=4) at ../source3/lib/events.c:257 pfd = 0x7fe5b37ad7f8 flags = 1 state = 0x7fe5b2e378d0 pollfd_idx = 0x7fe5b30e3420 fde = 0x7fe5b363cca0 __FUNCTION__ = "run_events_poll" #30 0x00007fe5ae2f2fb5 in s3_event_loop_once (ev=0x7fe5b2e368c0, location=0x7fe5b03f5ff0 "../source3/smbd/process.c:3992") at ../source3/lib/events.c:326 state = 0x7fe5b2e378d0 timeout = 60000 num_pfds = 4 ret = 1 poll_errno = 0 #31 0x00007fe5af8be539 in _tevent_loop_once (ev=0x7fe5b2e368c0, location=0x7fe5b03f5ff0 "../source3/smbd/process.c:3992") at ../lib/tevent/tevent.c:533 ret = 0 nesting_stack_ptr = 0x0 #32 0x00007fe5af8be783 in tevent_common_loop_wait (ev=0x7fe5b2e368c0, location=0x7fe5b03f5ff0 "../source3/smbd/process.c:3992") at ../lib/tevent/tevent.c:637 ret = 0 #33 0x00007fe5af8be84e in _tevent_loop_wait (ev=0x7fe5b2e368c0, location=0x7fe5b03f5ff0 "../source3/smbd/process.c:3992") at ../lib/tevent/tevent.c:656 No locals. 
#34 0x00007fe5b025afe4 in smbd_process (ev_ctx=0x7fe5b2e368c0, msg_ctx=0x7fe5b2e369b0, sock_fd=47, interactive=false) at ../source3/smbd/process.c:3992 trace_state = {frame = 0x7fe5b3cbc7d0, smbd_idle_profstamp = 0} client = 0x7fe5b3747920 sconn = 0x7fe5b3d20730 xconn = 0x7fe5b39e2070 locaddr = 0x7fe5b4465630 "G\250\346\364\337\340\f\325\370:\346;\033\"_\215\200" remaddr = 0x7fe5b40ee8e0 "" ret = 32741 status = {v = 0} __FUNCTION__ = "smbd_process" #35 0x00007fe5b0d4716b in smbd_accept_connection (ev=0x7fe5b2e368c0, fde=0x7fe5b363cca0, flags=1, private_data=0x7fe5b35d0f60) at ../source3/smbd/server.c:627 status = {v = 0} s = 0x0 msg_ctx = 0x7fe5b2e369b0 addr = {ss_family = 2, __ss_align = 0, __ss_padding = '\000' <repeats 16 times>, "H8\177\263\345\177\000\000\220\"\022~\375\177\000\000\020\"\022~\375\177\000\000\221Vn\260\345\177\000\000H8\177\263\345\177\000\000\220\"\022~\375\177\000\000\066\000\000\000\000\000\000\000\247:\n\000\000\000\000\000\260\"\022~\375\177\000\000\263'/\256\345\177\000\000\301{\235U\000\000\000\000\330\"\022~\375\177\000"} in_addrlen = 16 fd = 47 pid = 0 unique_id = 5755098027256396629 __FUNCTION__ = "smbd_accept_connection" #36 0x00007fe5ae2f2d26 in run_events_poll (ev=0x7fe5b2e368c0, pollrtn=1, pfds=0x7fe5b37ad7e0, num_pfds=8) at ../source3/lib/events.c:257 pfd = 0x7fe5b37ad810 flags = 1 state = 0x7fe5b2e378d0 pollfd_idx = 0x7fe5b30e3420 fde = 0x7fe5b363cca0 __FUNCTION__ = "run_events_poll" #37 0x00007fe5ae2f2fb5 in s3_event_loop_once (ev=0x7fe5b2e368c0, location=0x7fe5b0d4beea "../source3/smbd/server.c:985") at ../source3/lib/events.c:326 state = 0x7fe5b2e378d0 timeout = 54671 num_pfds = 8 ret = 1 poll_errno = 0 #38 0x00007fe5af8be539 in _tevent_loop_once (ev=0x7fe5b2e368c0, location=0x7fe5b0d4beea "../source3/smbd/server.c:985") at ../lib/tevent/tevent.c:533 ret = 0 nesting_stack_ptr = 0x0 #39 0x00007fe5af8be783 in tevent_common_loop_wait (ev=0x7fe5b2e368c0, location=0x7fe5b0d4beea "../source3/smbd/server.c:985") at 
../lib/tevent/tevent.c:637 ret = 0 #40 0x00007fe5af8be84e in _tevent_loop_wait (ev=0x7fe5b2e368c0, location=0x7fe5b0d4beea "../source3/smbd/server.c:985") at ../lib/tevent/tevent.c:656 No locals. #41 0x00007fe5b0d47f81 in smbd_parent_loop (ev_ctx=0x7fe5b2e368c0, parent=0x7fe5b2e36b30) at ../source3/smbd/server.c:985 trace_state = {frame = 0x7fe5b2e375b0} ret = 0 __FUNCTION__ = "smbd_parent_loop" #42 0x00007fe5b0d498df in main (argc=4, argv=0x7ffd7e122848) at ../source3/smbd/server.c:1626 is_daemon = true interactive = false Fork = false no_process_group = false log_stdout = false ports = 0x0 profile_level = 0x0 opt = -1 pc = 0x7fe5b2e27100 print_build_options = false long_options = {{longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x7fe5ad16c3c0 <poptHelpOptions>, val = 0, descrip = 0x7fe5b0d4bfe9 "Help options:", argDescrip = 0x0}, {longName = 0x7fe5b0d4bff7 "daemon", shortName = 68 'D', argInfo = 0, arg = 0x0, val = 1000, descrip = 0x7fe5b0d4bffe "Become a daemon (default)", argDescrip = 0x0}, {longName = 0x7fe5b0d4c018 "interactive", shortName = 105 'i', argInfo = 0, arg = 0x0, val = 1001, descrip = 0x7fe5b0d4c028 "Run interactive (not a daemon)", argDescrip = 0x0}, {longName = 0x7fe5b0d4c047 "foreground", shortName = 70 'F', argInfo = 0, arg = 0x0, val = 1002, descrip = 0x7fe5b0d4c058 "Run daemon in foreground (for daemontools, etc.)", argDescrip = 0x0}, {longName = 0x7fe5b0d4c089 "no-process-group", shortName = 0 '\000', argInfo = 0, arg = 0x0, val = 1003, descrip = 0x7fe5b0d4c0a0 "Don't create a new process group", argDescrip = 0x0}, {longName = 0x7fe5b0d4c0c1 "log-stdout", shortName = 83 'S', argInfo = 0, arg = 0x0, val = 1004, descrip = 0x7fe5b0d4c0cc "Log to stdout", argDescrip = 0x0}, {longName = 0x7fe5b0d4c0da "build-options", shortName = 98 'b', argInfo = 0, arg = 0x0, val = 98, descrip = 0x7fe5b0d4c0e8 "Print build options", argDescrip = 0x0}, {longName = 0x7fe5b0d4c0fc "port", shortName = 112 'p', argInfo = 1, arg = 0x7ffd7e122430, val = 0, 
descrip = 0x7fe5b0d4c101 "Listen on the specified ports", argDescrip = 0x0}, {longName = 0x7fe5b0d4c11f "profiling-level", shortName = 80 'P', argInfo = 1, arg = 0x7ffd7e122438, val = 0, descrip = 0x7fe5b0d4c12f "Set profiling level", argDescrip = 0x7fe5b0d4c143 "PROFILE_LEVEL"}, {longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x7fe5ae96d380 <popt_common_samba>, val = 0, descrip = 0x7fe5b0d4c151 "Common samba options:", argDescrip = 0x0}, {longName = 0x0, shortName = 0 '\000', argInfo = 0, arg = 0x0, val = 0, descrip = 0x0, argDescrip = 0x0}} parent = 0x7fe5b2e36b30 frame = 0x7fe5b2e255e0 status = {v = 0} ev_ctx = 0x7fe5b2e368c0 msg_ctx = 0x7fe5b2e369b0 server_id = {pid = 7812, task_id = 0, vnn = 4294967295, unique_id = 7911962480482536927} se = 0x7fe5b2e41ca0 np_dir = 0x7fe5b48e8410 "\340c|\263\345\177" smbd_shim_fns = {cancel_pending_lock_requests_by_fid = 0x7fe5b023682e <smbd_cancel_pending_lock_requests_by_fid>, send_stat_cache_delete_message = 0x7fe5b0240f24 <smbd_send_stat_cache_delete_message>, change_to_root_user = 0x7fe5b021df68 <smbd_change_to_root_user>, become_authenticated_pipe_user = 0x7fe5b021e01e <smbd_become_authenticated_pipe_user>, unbecome_authenticated_pipe_user = 0x7fe5b021e110 <smbd_unbecome_authenticated_pipe_user>, contend_level2_oplocks_begin = 0x7fe5b02b3341 <smbd_contend_level2_oplocks_begin>, contend_level2_oplocks_end = 0x7fe5b02b33b4 <smbd_contend_level2_oplocks_end>, become_root = 0x7fe5b021e330 <smbd_become_root>, unbecome_root = 0x7fe5b021e358 <smbd_unbecome_root>, exit_server = 0x7fe5b02a69b4 <smbd_exit_server>, exit_server_cleanly = 0x7fe5b02a69d1 <smbd_exit_server_cleanly>} __FUNCTION__ = "main" A debugging session is active. Inferior 1 [process 24253] will be detached. Quit anyway? (y or n) [answered Y; input not from terminal]
We saw the same crash with Samba 4.2.3.
We believe that we have hit this as well at Nutanix. It was an NT_STATUS_CONNECTION_RESET in our case but the rest of the stack looks the same. This was with 4.3.0pre ...
(In reply to Richard Sharpe from comment #2) Is this reproducible for you?
This is the same as the original backtrace of bug #11218. Is anybody able to reproduce this reliably? I wasn't yet able to do that at all, even without the fix of bug #11218. I have reports that it also happened with 4.2.4.
We at Nutanix, Inc. are hitting the same issue with Version 4.3.0pre1-GIT-ad10c1d. GDB stack trace of the crash: ------------------------------ (gdb) bt #0 0x00007f17f489065e in waitpid () from /lib64/libc.so.6 #1 0x00007f17f4822609 in do_system () from /lib64/libc.so.6 #2 0x00007f17f62fd41c in smb_panic_s3 (why=0x7f17f82b2fbd "internal error") at ../source3/lib/util.c:803 #3 0x00007f17f82a2839 in smb_panic (why=0x7f17f82b2fbd "internal error") at ../lib/util/fault.c:166 #4 0x00007f17f82a2513 in fault_report (sig=11) at ../lib/util/fault.c:83 #5 0x00007f17f82a2528 in sig_fault (sig=11) at ../lib/util/fault.c:94 #6 <signal handler called> #7 0x00007f17f4d8b4cb in talloc_chunk_from_ptr () from /usr/lib/libtalloc.so.2 #8 0x00007f17f4d8d0d5 in __talloc_get_name () from /usr/lib/libtalloc.so.2 #9 0x00007f17f4d8d16f in talloc_check_name () from /usr/lib/libtalloc.so.2 #10 0x00007f17f5eca696 in tsocket_address_bsd_string (addr=0x7f17f8f8d0c0, mem_ctx=0x7f17f9c9f780) at ../lib/tsocket/tsocket_bsd.c:594 #11 0x00007f17f5ec7848 in tsocket_address_string (addr=0x7f17f8f8d0c0, mem_ctx=0x7f17f9c9f780) at ../lib/tsocket/tsocket.c:89 #12 0x00007f17f7e1e5e6 in close_cnum (conn=0x7f17f9bc03a0, vuid=0) at ../source3/smbd/service.c:1130 #13 0x00007f17f7e64004 in smbXsrv_tcon_disconnect (tcon=0x7f17f9bcbfd0, vuid=0) at ../source3/smbd/smbXsrv_tcon.c:983 #14 0x00007f17f7e630b4 in smbXsrv_tcon_destructor (tcon=0x7f17f9bcbfd0) at ../source3/smbd/smbXsrv_tcon.c:692 #15 0x00007f17f4d8c2fc in _talloc_free_internal () from /usr/lib/libtalloc.so.2 #16 0x00007f17f4d8d495 in _talloc_free_children_internal () from /usr/lib/libtalloc.so.2 #17 0x00007f17f4d8c49f in _talloc_free_internal () from /usr/lib/libtalloc.so.2 #18 0x00007f17f4d8d495 in _talloc_free_children_internal () from /usr/lib/libtalloc.so.2 #19 0x00007f17f4d8c49f in _talloc_free_internal () from /usr/lib/libtalloc.so.2 #20 0x00007f17f4d8d495 in _talloc_free_children_internal () from /usr/lib/libtalloc.so.2 #21 0x00007f17f4d8c49f in 
_talloc_free_internal () from /usr/lib/libtalloc.so.2 #22 0x00007f17f4d8d495 in _talloc_free_children_internal () from /usr/lib/libtalloc.so.2 #23 0x00007f17f4d8c49f in _talloc_free_internal () from /usr/lib/libtalloc.so.2 #24 0x00007f17f4d8d88e in _talloc_free () from /usr/lib/libtalloc.so.2 #25 0x00007f17f7e695d1 in exit_server_common (how=SERVER_EXIT_NORMAL, reason=0x7f17f6e6f6ca "NT_STATUS_CONNECTION_RESET") at ../source3/smbd/server_exit.c:234 #26 0x00007f17f7e6970c in smbd_exit_server_cleanly (explanation=0x7f17f6e6f6ca "NT_STATUS_CONNECTION_RESET") at ../source3/smbd/server_exit.c:267 #27 0x00007f17f5cbbd7b in exit_server_cleanly (reason=0x7f17f6e6f6ca "NT_STATUS_CONNECTION_RESET") at ../source3/lib/smbd_shim.c:131 #28 0x00007f17f7e32450 in smbd_server_connection_terminate_ex (xconn=0x7f17f8f8d4f0, reason=0x7f17f6e6f6ca "NT_STATUS_CONNECTION_RESET", location=0x7f17f7fc1a18 "../source3/smbd/smb2_server.c:3484") at ../source3/smbd/smb2_server.c:1051 #29 0x00007f17f7e3a970 in smbd_smb2_connection_handler (ev=0x7f17f8f620e0, fde=0x7f17f8f765f0, flags=1, --Type <return> to continue, or q <return> to quit-- private_data=0x7f17f8f8d4f0) at ../source3/smbd/smb2_server.c:3484 #30 0x00007f17f631f23a in run_events_poll (ev=0x7f17f8f620e0, pollrtn=1, pfds=0x7f17f8f76140, num_pfds=5) at ../source3/lib/events.c:257 #31 0x00007f17f631f510 in s3_event_loop_once (ev=0x7f17f8f620e0, location=0x7f17f7fb8f90 "../source3/smbd/process.c:3990") at ../source3/lib/events.c:326 #32 0x00007f17f4b7c449 in _tevent_loop_once () from /usr/lib/libtevent.so.0 #33 0x00007f17f4b7c6c1 in tevent_common_loop_wait () from /usr/lib/libtevent.so.0 #34 0x00007f17f4b7c78c in _tevent_loop_wait () from /usr/lib/libtevent.so.0 #35 0x00007f17f7e1ad46 in smbd_process (ev_ctx=0x7f17f8f620e0, msg_ctx=0x7f17f8f621d0, sock_fd=34, interactive=false) at ../source3/smbd/process.c:3990 #36 0x00007f17f890757e in smbd_accept_connection (ev=0x7f17f8f620e0, fde=0x7f17f8f87ac0, flags=1, private_data=0x7f17f8f81d80) at 
../source3/smbd/server.c:649 #37 0x00007f17f631f23a in run_events_poll (ev=0x7f17f8f620e0, pollrtn=1, pfds=0x7f17f8f76140, num_pfds=4) at ../source3/lib/events.c:257 #38 0x00007f17f631f510 in s3_event_loop_once (ev=0x7f17f8f620e0, location=0x7f17f890c141 "../source3/smbd/server.c:1018") at ../source3/lib/events.c:326 #39 0x00007f17f4b7c449 in _tevent_loop_once () from /usr/lib/libtevent.so.0 #40 0x00007f17f4b7c6c1 in tevent_common_loop_wait () from /usr/lib/libtevent.so.0 #41 0x00007f17f4b7c78c in _tevent_loop_wait () from /usr/lib/libtevent.so.0 #42 0x00007f17f8908332 in smbd_parent_loop (ev_ctx=0x7f17f8f620e0, parent=0x7f17f8f72e90) at ../source3/smbd/server.c:1018 #43 0x00007f17f8909a80 in main (argc=6, argv=0x7ffc2049ac88) at ../source3/smbd/server.c:1659
I am trying to come up with ways to reliably provoke this. Is it possible that the client had sessions using multiple different users?
We think we have a reasonably reliable way to hit this problem. Net Use 10 or more shares and then log out from the client, or something like that. We will be testing the patch in a while.
Created attachment 11674 [details] Patch
(In reply to Richard Sharpe from comment #7) We have got a way to reproduce it reasonably consistently. After applying the attached patch by Stefan Metzmacher (given by Richard to me), we are not able to see this crash anymore after more than 15 tries. In conclusion, there is a good chance that the attached patch resolves this crash.
Created attachment 11677 [details] Patches for v4-3-test
Created attachment 11678 [details] Patches for v4-2-test
We believe that we found a way to easily repro this in tests. We run a PowerShell script that connects to multiple shares and then logs out (or something; I just described the approach to QA and they coded it and it works). In any event, it seems that the fix provided by Metze fixes the problem. QA now reports that they cannot hit it with the test that used to expose the problem.
*** Bug 11375 has been marked as a duplicate of this bug. ***
Karolin, please push to 4.3.next, 4.2.next. Thanks !
Pushed to both branches. Closing out bug report. Thanks!
*** Bug 12388 has been marked as a duplicate of this bug. ***