Bug 11394 - Crash: Bad talloc magic value - access after free
Summary: Crash: Bad talloc magic value - access after free
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services (show other bugs)
Version: 4.2.2
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
: 11375 12388 (view as bug list)
Depends on: 11375
Blocks: 11218
  Show dependency treegraph
 
Reported: 2015-07-08 21:20 UTC by Nick Semenkovich
Modified: 2016-10-26 00:41 UTC (History)
4 users (show)

See Also:


Attachments
Patch (14.03 KB, text/plain)
2015-12-06 07:18 UTC, Shyam Rathi
no flags Details
Patches for v4-3-test (14.60 KB, text/plain)
2015-12-07 11:08 UTC, Stefan Metzmacher
vl: review+
Details
Patches for v4-2-test (17.54 KB, text/plain)
2015-12-07 11:09 UTC, Stefan Metzmacher
vl: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Nick Semenkovich 2015-07-08 21:20:54 UTC
Running 4.2.2 from git on an all Win 8.1 clients.

The machine in the logs (AIO10) didn't have anyone logged in recently. Logs show some spew like:

...
[2015/07/08 15:44:15.609705,  2] ../source3/smbd/service.c:1138(close_cnum)
  192.168.0.110 (ipv4:192.168.0.110:52212) closed connection to service AIO10$
[2015/07/08 15:44:15.609907,  2] ../source3/smbd/service.c:1138(close_cnum)
  192.168.0.110 (ipv4:192.168.0.110:52212) closed connection to service AIO10$
[2015/07/08 15:44:15.610112,  2] ../source3/smbd/service.c:1138(close_cnum)
  192.168.0.110 (ipv4:192.168.0.110:52212) closed connection to service AIO10$
[2015/07/08 15:44:15.610320,  2] ../source3/smbd/service.c:1138(close_cnum)
  192.168.0.110 (ipv4:192.168.0.110:52212) closed connection to service AIO10$
[2015/07/08 15:44:15.610532,  2] ../source3/smbd/service.c:1138(close_cnum)
  192.168.0.110 (ipv4:192.168.0.110:52212) closed connection to service AIO10$
[2015/07/08 15:44:15.610743,  2] ../source3/smbd/service.c:1138(close_cnum)
  192.168.0.110 (ipv4:192.168.0.110:52212) closed connection to service AIO10$
[2015/07/08 15:44:15.610956,  2] ../source3/smbd/service.c:1138(close_cnum)
  192.168.0.110 (ipv4:192.168.0.110:52212) closed connection to service AIO10$
[2015/07/08 15:44:15.611162,  2] ../source3/smbd/service.c:1138(close_cnum)
  192.168.0.110 (ipv4:192.168.0.110:52212) closed connection to service AIO10$
[2015/07/08 15:44:15.611947,  2] ../source3/smbd/service.c:1138(close_cnum)
[2015/07/08 15:44:15.611975,  0] ../source3/lib/popt_common.c:68(popt_s3_talloc_log_fn)
  talloc: access after free error - first free may be at ../source3/smbd/server_exit.c:225
[2015/07/08 15:44:15.617760,  0] ../source3/lib/popt_common.c:68(popt_s3_talloc_log_fn)
  Bad talloc magic value - access after free
[2015/07/08 15:44:15.617785,  0] ../source3/lib/util.c:788(smb_panic_s3)
  PANIC (pid 24253): Bad talloc magic value - access after free
[2015/07/08 15:44:15.620530,  0] ../source3/lib/util.c:899(log_stack_trace)
  BACKTRACE: 44 stack frames:
...



[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
0x00007fe5acc6184a in __GI___waitpid (pid=10817, stat_loc=stat_loc@entry=0x7ffd7e1216d0, options=options@entry=0) at ../sysdeps/unix/sysv/linux/waitpid.c:31
#0  0x00007fe5acc6184a in __GI___waitpid (pid=10817, stat_loc=stat_loc@entry=0x7ffd7e1216d0, options=options@entry=0) at ../sysdeps/unix/sysv/linux/waitpid.c:31
        resultvar = 18446744073709551104
        oldtype = <optimized out>
        result = <optimized out>
#1  0x00007fe5acbdaffb in do_system (line=<optimized out>) at ../sysdeps/posix/system.c:148
        __result = <optimized out>
        _buffer = {__routine = 0x7fe5acbdb2f0 <cancel_handler>, __arg = 0x7ffd7e1216ac, __canceltype = 0, __prev = 0x0}
        _avail = 1
        status = 0
        save = <optimized out>
        pid = 10817
        sa = {__sigaction_handler = {sa_handler = 0x1, sa_sigaction = 0x1}, sa_mask = {__val = {65536, 0 <repeats 15 times>}}, sa_flags = 0, sa_restorer = 0x7fe5b401a340}
        omask = {__val = {6272, 140624475828668, 6, 6, 140726718568480, 140624548831392, 140726718572608, 140624488632464, 140624548831392, 140726718572608, 0, 0, 0, 140624488716701, 1, 0}}
#2  0x00007fe5ae2d2662 in smb_panic_s3 (why=0x7fe5afcd4d90 "Bad talloc magic value - access after free") at ../source3/lib/util.c:801
        cmd = 0x7fe5b401a340 "/home/semenko/panic-action 24253"
        result = 925904693
        __FUNCTION__ = "smb_panic_s3"
#3  0x00007fe5b06e8f21 in smb_panic (why=0x7fe5afcd4d90 "Bad talloc magic value - access after free") at ../lib/util/fault.c:166
No locals.
#4  0x00007fe5afcd056d in talloc_abort (reason=0x7fe5afcd4d90 "Bad talloc magic value - access after free") at ../lib/talloc/talloc.c:343
No locals.
#5  0x00007fe5afcd05ec in talloc_abort_access_after_free () at ../lib/talloc/talloc.c:359
No locals.
#6  0x00007fe5afcd0669 in talloc_chunk_from_ptr (ptr=0x7fe5b47b14d0) at ../lib/talloc/talloc.c:380
        pp = 0x7fe5b47b14d0 "\020"
        tc = 0x7fe5b47b1470
#7  0x00007fe5afcd21f9 in __talloc_get_name (ptr=0x7fe5b47b14d0) at ../lib/talloc/talloc.c:1366
        tc = 0x7fe5aee1070e <trim_char+376>
#8  0x00007fe5afcd2293 in talloc_check_name (ptr=0x7fe5b47b14d0, name=0x7fe5adea46b4 "struct tsocket_address_bsd") at ../lib/talloc/talloc.c:1389
        pname = 0x0
#9  0x00007fe5ade9d337 in tsocket_address_bsd_string (addr=0x7fe5b2e36d40, mem_ctx=0x7fe5b3cbc7d0) at ../lib/tsocket/tsocket_bsd.c:593
        bsda = 0x7fe5b3cbc7d0
        str = 0x7fe5b447a0a0 "AIO10$"
        addr_str = 0x0
        prefix = 0x7fe5b3939950 "AIO10$"
        port = 0
#10 0x00007fe5ade9a5be in tsocket_address_string (addr=0x7fe5b2e36d40, mem_ctx=0x7fe5b3cbc7d0) at ../lib/tsocket/tsocket.c:89
No locals.
#11 0x00007fe5b025e92e in close_cnum (conn=0x7fe5b44f59f0, vuid=0) at ../source3/smbd/service.c:1134
        __FUNCTION__ = "close_cnum"
#12 0x00007fe5b02a1892 in smbXsrv_tcon_disconnect (tcon=0x7fe5b3cada50, vuid=0) at ../source3/smbd/smbXsrv_tcon.c:979
        ok = true
        table = 0x7fe5b3f25bd0
        local_rec = 0x0
        global_rec = 0x0
        status = {v = 0}
        error = {v = 0}
        __FUNCTION__ = "smbXsrv_tcon_disconnect"
#13 0x00007fe5b02a0a17 in smbXsrv_tcon_destructor (tcon=0x7fe5b3cada50) at ../source3/smbd/smbXsrv_tcon.c:688
        status = {v = 3016415824}
        __FUNCTION__ = "smbXsrv_tcon_destructor"
#14 0x00007fe5afcd145c in _talloc_free_internal (ptr=0x7fe5b3cada50, location=0x7fe5b040ea40 "../source3/smbd/server_exit.c:230") at ../lib/talloc/talloc.c:993
        d = 0x7fe5b02a09fa <smbXsrv_tcon_destructor>
        tc = 0x7fe5b3cad9f0
        ptr_to_free = 0x7fe5b42ff600
#15 0x00007fe5afcd2593 in _talloc_free_children_internal (tc=0x7fe5b3f25b70, ptr=0x7fe5b3f25bd0, location=0x7fe5b040ea40 "../source3/smbd/server_exit.c:230") at ../lib/talloc/talloc.c:1472
        child = 0x7fe5b3cada50
        new_parent = 0x7fe5b2e25500
#16 0x00007fe5afcd160d in _talloc_free_internal (ptr=0x7fe5b3f25bd0, location=0x7fe5b040ea40 "../source3/smbd/server_exit.c:230") at ../lib/talloc/talloc.c:1019
        tc = 0x7fe5b3f25b70
        ptr_to_free = 0x7fe5b44b03e0
#17 0x00007fe5afcd2593 in _talloc_free_children_internal (tc=0x7fe5b3ee8740, ptr=0x7fe5b3ee87a0, location=0x7fe5b040ea40 "../source3/smbd/server_exit.c:230") at ../lib/talloc/talloc.c:1472
        child = 0x7fe5b3f25bd0
        new_parent = 0x7fe5b2e25500
#18 0x00007fe5afcd160d in _talloc_free_internal (ptr=0x7fe5b3ee87a0, location=0x7fe5b040ea40 "../source3/smbd/server_exit.c:230") at ../lib/talloc/talloc.c:1019
        tc = 0x7fe5b3ee8740
        ptr_to_free = 0x7fe5b3dddfd0
#19 0x00007fe5afcd2593 in _talloc_free_children_internal (tc=0x7fe5b3d381f0, ptr=0x7fe5b3d38250, location=0x7fe5b040ea40 "../source3/smbd/server_exit.c:230") at ../lib/talloc/talloc.c:1472
        child = 0x7fe5b3ee87a0
        new_parent = 0x7fe5b2e25500
#20 0x00007fe5afcd160d in _talloc_free_internal (ptr=0x7fe5b3d38250, location=0x7fe5b040ea40 "../source3/smbd/server_exit.c:230") at ../lib/talloc/talloc.c:1019
        tc = 0x7fe5b3d381f0
        ptr_to_free = 0x7fe5b473eab0
#21 0x00007fe5afcd2593 in _talloc_free_children_internal (tc=0x7fe5b37478c0, ptr=0x7fe5b3747920, location=0x7fe5b040ea40 "../source3/smbd/server_exit.c:230") at ../lib/talloc/talloc.c:1472
        child = 0x7fe5b3d38250
        new_parent = 0x7fe5b2e25500
#22 0x00007fe5afcd160d in _talloc_free_internal (ptr=0x7fe5b3747920, location=0x7fe5b040ea40 "../source3/smbd/server_exit.c:230") at ../lib/talloc/talloc.c:1019
        tc = 0x7fe5b37478c0
        ptr_to_free = 0x7fe5b3d206d0
#23 0x00007fe5afcd29a0 in _talloc_free (ptr=0x7fe5b3747920, location=0x7fe5b040ea40 "../source3/smbd/server_exit.c:230") at ../lib/talloc/talloc.c:1594
        tc = 0x7fe5b37478c0
#24 0x00007fe5b02a68b0 in exit_server_common (how=SERVER_EXIT_NORMAL, reason=0x7fe5af0a1be3 "NT_STATUS_IO_TIMEOUT") at ../source3/smbd/server_exit.c:230
        client = 0x0
        xconn = 0x0
        sconn = 0x0
        msg_ctx = 0x7fe5b2e369b0
        __FUNCTION__ = "exit_server_common"
#25 0x00007fe5b02a69ee in smbd_exit_server_cleanly (explanation=0x7fe5af0a1be3 "NT_STATUS_IO_TIMEOUT") at ../source3/smbd/server_exit.c:263
No locals.
#26 0x00007fe5adc8de70 in exit_server_cleanly (reason=0x7fe5af0a1be3 "NT_STATUS_IO_TIMEOUT") at ../source3/lib/smbd_shim.c:131
No locals.
#27 0x00007fe5b0271f51 in smbd_server_connection_terminate_ex (xconn=0x7fe5b39e2070, reason=0x7fe5af0a1be3 "NT_STATUS_IO_TIMEOUT", location=0x7fe5b03fea38 "../source3/smbd/smb2_server.c:3498") at ../source3/smbd/smb2_server.c:1050
        __FUNCTION__ = "smbd_server_connection_terminate_ex"
#28 0x00007fe5b0279d30 in smbd_smb2_connection_handler (ev=0x7fe5b2e368c0, fde=0x7fe5b363cca0, flags=1, private_data=0x7fe5b39e2070) at ../source3/smbd/smb2_server.c:3498
        xconn = 0x7fe5b39e2070
        status = {v = 3221225653}
#29 0x00007fe5ae2f2d26 in run_events_poll (ev=0x7fe5b2e368c0, pollrtn=1, pfds=0x7fe5b37ad7e0, num_pfds=4) at ../source3/lib/events.c:257
        pfd = 0x7fe5b37ad7f8
        flags = 1
        state = 0x7fe5b2e378d0
        pollfd_idx = 0x7fe5b30e3420
        fde = 0x7fe5b363cca0
        __FUNCTION__ = "run_events_poll"
#30 0x00007fe5ae2f2fb5 in s3_event_loop_once (ev=0x7fe5b2e368c0, location=0x7fe5b03f5ff0 "../source3/smbd/process.c:3992") at ../source3/lib/events.c:326
        state = 0x7fe5b2e378d0
        timeout = 60000
        num_pfds = 4
        ret = 1
        poll_errno = 0
#31 0x00007fe5af8be539 in _tevent_loop_once (ev=0x7fe5b2e368c0, location=0x7fe5b03f5ff0 "../source3/smbd/process.c:3992") at ../lib/tevent/tevent.c:533
        ret = 0
        nesting_stack_ptr = 0x0
#32 0x00007fe5af8be783 in tevent_common_loop_wait (ev=0x7fe5b2e368c0, location=0x7fe5b03f5ff0 "../source3/smbd/process.c:3992") at ../lib/tevent/tevent.c:637
        ret = 0
#33 0x00007fe5af8be84e in _tevent_loop_wait (ev=0x7fe5b2e368c0, location=0x7fe5b03f5ff0 "../source3/smbd/process.c:3992") at ../lib/tevent/tevent.c:656
No locals.
#34 0x00007fe5b025afe4 in smbd_process (ev_ctx=0x7fe5b2e368c0, msg_ctx=0x7fe5b2e369b0, sock_fd=47, interactive=false) at ../source3/smbd/process.c:3992
        trace_state = {frame = 0x7fe5b3cbc7d0, smbd_idle_profstamp = 0}
        client = 0x7fe5b3747920
        sconn = 0x7fe5b3d20730
        xconn = 0x7fe5b39e2070
        locaddr = 0x7fe5b4465630 "G\250\346\364\337\340\f\325\370:\346;\033\"_\215\200"
        remaddr = 0x7fe5b40ee8e0 ""
        ret = 32741
        status = {v = 0}
        __FUNCTION__ = "smbd_process"
#35 0x00007fe5b0d4716b in smbd_accept_connection (ev=0x7fe5b2e368c0, fde=0x7fe5b363cca0, flags=1, private_data=0x7fe5b35d0f60) at ../source3/smbd/server.c:627
        status = {v = 0}
        s = 0x0
        msg_ctx = 0x7fe5b2e369b0
        addr = {ss_family = 2, __ss_align = 0, __ss_padding = '\000' <repeats 16 times>, "H8\177\263\345\177\000\000\220\"\022~\375\177\000\000\020\"\022~\375\177\000\000\221Vn\260\345\177\000\000H8\177\263\345\177\000\000\220\"\022~\375\177\000\000\066\000\000\000\000\000\000\000\247:\n\000\000\000\000\000\260\"\022~\375\177\000\000\263'/\256\345\177\000\000\301{\235U\000\000\000\000\330\"\022~\375\177\000"}
        in_addrlen = 16
        fd = 47
        pid = 0
        unique_id = 5755098027256396629
        __FUNCTION__ = "smbd_accept_connection"
#36 0x00007fe5ae2f2d26 in run_events_poll (ev=0x7fe5b2e368c0, pollrtn=1, pfds=0x7fe5b37ad7e0, num_pfds=8) at ../source3/lib/events.c:257
        pfd = 0x7fe5b37ad810
        flags = 1
        state = 0x7fe5b2e378d0
        pollfd_idx = 0x7fe5b30e3420
        fde = 0x7fe5b363cca0
        __FUNCTION__ = "run_events_poll"
#37 0x00007fe5ae2f2fb5 in s3_event_loop_once (ev=0x7fe5b2e368c0, location=0x7fe5b0d4beea "../source3/smbd/server.c:985") at ../source3/lib/events.c:326
        state = 0x7fe5b2e378d0
        timeout = 54671
        num_pfds = 8
        ret = 1
        poll_errno = 0
#38 0x00007fe5af8be539 in _tevent_loop_once (ev=0x7fe5b2e368c0, location=0x7fe5b0d4beea "../source3/smbd/server.c:985") at ../lib/tevent/tevent.c:533
        ret = 0
        nesting_stack_ptr = 0x0
#39 0x00007fe5af8be783 in tevent_common_loop_wait (ev=0x7fe5b2e368c0, location=0x7fe5b0d4beea "../source3/smbd/server.c:985") at ../lib/tevent/tevent.c:637
        ret = 0
#40 0x00007fe5af8be84e in _tevent_loop_wait (ev=0x7fe5b2e368c0, location=0x7fe5b0d4beea "../source3/smbd/server.c:985") at ../lib/tevent/tevent.c:656
No locals.
#41 0x00007fe5b0d47f81 in smbd_parent_loop (ev_ctx=0x7fe5b2e368c0, parent=0x7fe5b2e36b30) at ../source3/smbd/server.c:985
        trace_state = {frame = 0x7fe5b2e375b0}
        ret = 0
        __FUNCTION__ = "smbd_parent_loop"
#42 0x00007fe5b0d498df in main (argc=4, argv=0x7ffd7e122848) at ../source3/smbd/server.c:1626
        is_daemon = true
        interactive = false
        Fork = false
        no_process_group = false
        log_stdout = false
        ports = 0x0
        profile_level = 0x0
        opt = -1
        pc = 0x7fe5b2e27100
        print_build_options = false
        long_options = {{longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x7fe5ad16c3c0 <poptHelpOptions>, val = 0, descrip = 0x7fe5b0d4bfe9 "Help options:", argDescrip = 0x0}, {longName = 0x7fe5b0d4bff7 "daemon", shortName = 68 'D', argInfo = 0, arg = 0x0, val = 1000, descrip = 0x7fe5b0d4bffe "Become a daemon (default)", argDescrip = 0x0}, {longName = 0x7fe5b0d4c018 "interactive", shortName = 105 'i', argInfo = 0, arg = 0x0, val = 1001, descrip = 0x7fe5b0d4c028 "Run interactive (not a daemon)", argDescrip = 0x0}, {longName = 0x7fe5b0d4c047 "foreground", shortName = 70 'F', argInfo = 0, arg = 0x0, val = 1002, descrip = 0x7fe5b0d4c058 "Run daemon in foreground (for daemontools, etc.)", argDescrip = 0x0}, {longName = 0x7fe5b0d4c089 "no-process-group", shortName = 0 '\000', argInfo = 0, arg = 0x0, val = 1003, descrip = 0x7fe5b0d4c0a0 "Don't create a new process group", argDescrip = 0x0}, {longName = 0x7fe5b0d4c0c1 "log-stdout", shortName = 83 'S', argInfo = 0, arg = 0x0, val = 1004, descrip = 0x7fe5b0d4c0cc "Log to stdout", argDescrip = 0x0}, {longName = 0x7fe5b0d4c0da "build-options", shortName = 98 'b', argInfo = 0, arg = 0x0, val = 98, descrip = 0x7fe5b0d4c0e8 "Print build options", argDescrip = 0x0}, {longName = 0x7fe5b0d4c0fc "port", shortName = 112 'p', argInfo = 1, arg = 0x7ffd7e122430, val = 0, descrip = 0x7fe5b0d4c101 "Listen on the specified ports", argDescrip = 0x0}, {longName = 0x7fe5b0d4c11f "profiling-level", shortName = 80 'P', argInfo = 1, arg = 0x7ffd7e122438, val = 0, descrip = 0x7fe5b0d4c12f "Set profiling level", argDescrip = 0x7fe5b0d4c143 "PROFILE_LEVEL"}, {longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x7fe5ae96d380 <popt_common_samba>, val = 0, descrip = 0x7fe5b0d4c151 "Common samba options:", argDescrip = 0x0}, {longName = 0x0, shortName = 0 '\000', argInfo = 0, arg = 0x0, val = 0, descrip = 0x0, argDescrip = 0x0}}
        parent = 0x7fe5b2e36b30
        frame = 0x7fe5b2e255e0
        status = {v = 0}
        ev_ctx = 0x7fe5b2e368c0
        msg_ctx = 0x7fe5b2e369b0
        server_id = {pid = 7812, task_id = 0, vnn = 4294967295, unique_id = 7911962480482536927}
        se = 0x7fe5b2e41ca0
        np_dir = 0x7fe5b48e8410 "\340c|\263\345\177"
        smbd_shim_fns = {cancel_pending_lock_requests_by_fid = 0x7fe5b023682e <smbd_cancel_pending_lock_requests_by_fid>, send_stat_cache_delete_message = 0x7fe5b0240f24 <smbd_send_stat_cache_delete_message>, change_to_root_user = 0x7fe5b021df68 <smbd_change_to_root_user>, become_authenticated_pipe_user = 0x7fe5b021e01e <smbd_become_authenticated_pipe_user>, unbecome_authenticated_pipe_user = 0x7fe5b021e110 <smbd_unbecome_authenticated_pipe_user>, contend_level2_oplocks_begin = 0x7fe5b02b3341 <smbd_contend_level2_oplocks_begin>, contend_level2_oplocks_end = 0x7fe5b02b33b4 <smbd_contend_level2_oplocks_end>, become_root = 0x7fe5b021e330 <smbd_become_root>, unbecome_root = 0x7fe5b021e358 <smbd_unbecome_root>, exit_server = 0x7fe5b02a69b4 <smbd_exit_server>, exit_server_cleanly = 0x7fe5b02a69d1 <smbd_exit_server_cleanly>}
        __FUNCTION__ = "main"
A debugging session is active.

        Inferior 1 [process 24253] will be detached.

Quit anyway? (y or n) [answered Y; input not from terminal]
Comment 1 Stefan Gohmann 2015-08-31 06:18:52 UTC
We saw the same crash with Samba 4.2.3.
Comment 2 Richard Sharpe 2015-11-06 20:41:38 UTC
We believe that we have hit this as well at Nutanix.

It was an NT_STATUS_CONNECTION_RESET in our case but the rest of the stack looks the same.

This was with 4.3.0pre ...
Comment 3 Jeremy Allison 2015-11-06 20:43:15 UTC
(In reply to Richard Sharpe from comment #2)

Is this reproducible for you ?
Comment 4 Stefan Metzmacher 2015-11-07 07:55:42 UTC
This is the same as the original backtrace of bug #11218.

Is anybody able to reproduce this reliable?
I wasn't yet able to do that at all even without the fix of bug #11218.

I have reports that it also happened with 4.2.4
Comment 5 Shyam Rathi 2015-11-14 02:01:56 UTC
We at Nutanix, Inc. are hitting the same issue with Version 4.3.0pre1-GIT-ad10c1d.

GDB stack trace of the crash:
------------------------------

(gdb) bt
#0 0x00007f17f489065e in waitpid () from /lib64/libc.so.6
#1 0x00007f17f4822609 in do_system () from /lib64/libc.so.6
#2 0x00007f17f62fd41c in smb_panic_s3 (why=0x7f17f82b2fbd "internal error") at ../source3/lib/util.c:803
#3 0x00007f17f82a2839 in smb_panic (why=0x7f17f82b2fbd "internal error") at ../lib/util/fault.c:166
#4 0x00007f17f82a2513 in fault_report (sig=11) at ../lib/util/fault.c:83
#5 0x00007f17f82a2528 in sig_fault (sig=11) at ../lib/util/fault.c:94
#6 <signal handler called>
#7 0x00007f17f4d8b4cb in talloc_chunk_from_ptr () from /usr/lib/libtalloc.so.2
#8 0x00007f17f4d8d0d5 in __talloc_get_name () from /usr/lib/libtalloc.so.2
#9 0x00007f17f4d8d16f in talloc_check_name () from /usr/lib/libtalloc.so.2
#10 0x00007f17f5eca696 in tsocket_address_bsd_string (addr=0x7f17f8f8d0c0, mem_ctx=0x7f17f9c9f780)
at ../lib/tsocket/tsocket_bsd.c:594
#11 0x00007f17f5ec7848 in tsocket_address_string (addr=0x7f17f8f8d0c0, mem_ctx=0x7f17f9c9f780) at ../lib/tsocket/tsocket.c:89
#12 0x00007f17f7e1e5e6 in close_cnum (conn=0x7f17f9bc03a0, vuid=0) at ../source3/smbd/service.c:1130
#13 0x00007f17f7e64004 in smbXsrv_tcon_disconnect (tcon=0x7f17f9bcbfd0, vuid=0) at ../source3/smbd/smbXsrv_tcon.c:983
#14 0x00007f17f7e630b4 in smbXsrv_tcon_destructor (tcon=0x7f17f9bcbfd0) at ../source3/smbd/smbXsrv_tcon.c:692
#15 0x00007f17f4d8c2fc in _talloc_free_internal () from /usr/lib/libtalloc.so.2
#16 0x00007f17f4d8d495 in _talloc_free_children_internal () from /usr/lib/libtalloc.so.2
#17 0x00007f17f4d8c49f in _talloc_free_internal () from /usr/lib/libtalloc.so.2
#18 0x00007f17f4d8d495 in _talloc_free_children_internal () from /usr/lib/libtalloc.so.2
#19 0x00007f17f4d8c49f in _talloc_free_internal () from /usr/lib/libtalloc.so.2
#20 0x00007f17f4d8d495 in _talloc_free_children_internal () from /usr/lib/libtalloc.so.2
#21 0x00007f17f4d8c49f in _talloc_free_internal () from /usr/lib/libtalloc.so.2
#22 0x00007f17f4d8d495 in _talloc_free_children_internal () from /usr/lib/libtalloc.so.2
#23 0x00007f17f4d8c49f in _talloc_free_internal () from /usr/lib/libtalloc.so.2
#24 0x00007f17f4d8d88e in _talloc_free () from /usr/lib/libtalloc.so.2
#25 0x00007f17f7e695d1 in exit_server_common (how=SERVER_EXIT_NORMAL, reason=0x7f17f6e6f6ca "NT_STATUS_CONNECTION_RESET")
at ../source3/smbd/server_exit.c:234
#26 0x00007f17f7e6970c in smbd_exit_server_cleanly (explanation=0x7f17f6e6f6ca "NT_STATUS_CONNECTION_RESET")
at ../source3/smbd/server_exit.c:267
#27 0x00007f17f5cbbd7b in exit_server_cleanly (reason=0x7f17f6e6f6ca "NT_STATUS_CONNECTION_RESET")
at ../source3/lib/smbd_shim.c:131
#28 0x00007f17f7e32450 in smbd_server_connection_terminate_ex (xconn=0x7f17f8f8d4f0,
reason=0x7f17f6e6f6ca "NT_STATUS_CONNECTION_RESET", location=0x7f17f7fc1a18 "../source3/smbd/smb2_server.c:3484")
at ../source3/smbd/smb2_server.c:1051
#29 0x00007f17f7e3a970 in smbd_smb2_connection_handler (ev=0x7f17f8f620e0, fde=0x7f17f8f765f0, flags=1,
--Type <return> to continue, or q <return> to quit--
private_data=0x7f17f8f8d4f0) at ../source3/smbd/smb2_server.c:3484
#30 0x00007f17f631f23a in run_events_poll (ev=0x7f17f8f620e0, pollrtn=1, pfds=0x7f17f8f76140, num_pfds=5)
at ../source3/lib/events.c:257
#31 0x00007f17f631f510 in s3_event_loop_once (ev=0x7f17f8f620e0, location=0x7f17f7fb8f90 "../source3/smbd/process.c:3990")
at ../source3/lib/events.c:326
#32 0x00007f17f4b7c449 in _tevent_loop_once () from /usr/lib/libtevent.so.0
#33 0x00007f17f4b7c6c1 in tevent_common_loop_wait () from /usr/lib/libtevent.so.0
#34 0x00007f17f4b7c78c in _tevent_loop_wait () from /usr/lib/libtevent.so.0
#35 0x00007f17f7e1ad46 in smbd_process (ev_ctx=0x7f17f8f620e0, msg_ctx=0x7f17f8f621d0, sock_fd=34, interactive=false)
at ../source3/smbd/process.c:3990
#36 0x00007f17f890757e in smbd_accept_connection (ev=0x7f17f8f620e0, fde=0x7f17f8f87ac0, flags=1, private_data=0x7f17f8f81d80)
at ../source3/smbd/server.c:649
#37 0x00007f17f631f23a in run_events_poll (ev=0x7f17f8f620e0, pollrtn=1, pfds=0x7f17f8f76140, num_pfds=4)
at ../source3/lib/events.c:257
#38 0x00007f17f631f510 in s3_event_loop_once (ev=0x7f17f8f620e0, location=0x7f17f890c141 "../source3/smbd/server.c:1018")
at ../source3/lib/events.c:326
#39 0x00007f17f4b7c449 in _tevent_loop_once () from /usr/lib/libtevent.so.0
#40 0x00007f17f4b7c6c1 in tevent_common_loop_wait () from /usr/lib/libtevent.so.0
#41 0x00007f17f4b7c78c in _tevent_loop_wait () from /usr/lib/libtevent.so.0
#42 0x00007f17f8908332 in smbd_parent_loop (ev_ctx=0x7f17f8f620e0, parent=0x7f17f8f72e90) at ../source3/smbd/server.c:1018
#43 0x00007f17f8909a80 in main (argc=6, argv=0x7ffc2049ac88) at ../source3/smbd/server.c:1659
Comment 6 Richard Sharpe 2015-12-04 21:43:18 UTC
I am trying to come up with ways to reliably provoke this.

Is it possible that the client had sessions using multiple different users?
Comment 7 Richard Sharpe 2015-12-05 05:46:03 UTC
We think we have a reasonably reliable way to hit this problems.

Net Use 10 or more shares and then log out from the client, or something like that.

We will be testing the patch in a while.
Comment 8 Shyam Rathi 2015-12-06 07:18:14 UTC
Created attachment 11674 [details]
Patch
Comment 9 Shyam Rathi 2015-12-06 07:19:38 UTC
(In reply to Richard Sharpe from comment #7)
We have got a way to reproduce it reasonably consistently. After applying the attached patch by Stefan Metzmacher (given by Richard to me), we are not able to see this crash anymore after more than 15 tries.

In conclusion, there is a good chance that the attached patch resolves this crash.
Comment 10 Stefan Metzmacher 2015-12-07 11:08:46 UTC
Created attachment 11677 [details]
Patches for v4-3-test
Comment 11 Stefan Metzmacher 2015-12-07 11:09:32 UTC
Created attachment 11678 [details]
Patches for v4-2-test
Comment 12 Richard Sharpe 2015-12-07 16:06:09 UTC
We believe that we found a way to easily repro this in tests.

We run a PowerShell script that connects to multiple shares and then log out (or something, I just described the approach to QA and they coded it and it works.)

In any event, it seems that the fix provided by Metze fixes the problem.

QA now reports that they cannot hit it with the test that used to expose the problem.
Comment 13 Jeremy Allison 2015-12-07 17:11:17 UTC
*** Bug 11375 has been marked as a duplicate of this bug. ***
Comment 14 Jeremy Allison 2015-12-07 17:49:36 UTC
Karolin, please push to 4.3.next, 4.2.next.

Thanks !
Comment 15 Karolin Seeger 2015-12-17 09:57:15 UTC
Pushed to both branches.
Closing out bug report.

Thanks!
Comment 16 crashskyshadow 2016-10-26 00:41:57 UTC
*** Bug 12388 has been marked as a duplicate of this bug. ***