Bug 12180 - CTDB crashes running eventscripts
Summary: CTDB crashes running eventscripts
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: CTDB (show other bugs)
Version: 4.4.5
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Depends on:
Reported: 2016-08-26 05:44 UTC by Amitay Isaacs
Modified: 2016-09-20 07:24 UTC (History)
2 users (show)

See Also:

Patch for 4.5rc (15.10 KB, patch)
2016-09-02 00:36 UTC, Martin Schwenke
amitay: review+
Patch for 4.4 (9.41 KB, patch)
2016-09-02 00:40 UTC, Martin Schwenke
amitay: review+
Patch for 4.3 (9.47 KB, patch)
2016-09-02 00:45 UTC, Martin Schwenke
amitay: review-

Note You need to log in before you can comment on or make changes to this bug.
Description Amitay Isaacs 2016-08-26 05:44:31 UTC
(gdb) bt
#0  0x00007fc123aac5f7 in raise () from /lib64/libc.so.6
#1  0x00007fc123aadce8 in abort () from /lib64/libc.so.6
#2  0x00007fc1254b6b3c in smb_panic_default (why=0x7fc125503c92
"internal error") at ../lib/util/fault.c:156
#3  smb_panic (why=why@entry=0x7fc125503c92 "internal error") at
#4  0x00007fc1254b6cf6 in fault_report (sig=<optimized out>) at
#5  sig_fault (sig=<optimized out>) at ../lib/util/fault.c:94
#6  <signal handler called>
#7  ctdb_request_control_reply (ctdb=0x7fc1279cd890,
c=0x4354444200000000, outdata=0x0, status=-12, errormsg=0x0) at
#8  0x00007fc125b8f097 in ctdb_ipreallocated_callback
(ctdb=0x7fc1279cd890, status=-12, p=<optimized out>) at
#9  0x00007fc125b8cce7 in event_script_destructor
(state=state@entry=0x7fc127a05eb0) at ../ctdb/server/eventscript.c:649
#10 0x00007fc124a6eec0 in _talloc_free_internal (location=<optimized
out>, ptr=<optimized out>) at ../lib/talloc/talloc.c:1046
#11 _talloc_free (ptr=0x7fc127a05eb0, location=0x7fc125bdd5e8
"../ctdb/server/eventscript.c:828") at ../lib/talloc/talloc.c:1647
#12 0x00007fc125b8d9ff in ctdb_event_script_callback_v
(ctdb=0x7fc1279cd890, mem_ctx=<optimized out>, callback=0x7fc125b8f050
<ctdb_ipreallocated_callback>, private_data=0x7fc1279f5eb0,
    call=CTDB_EVENT_IPREALLOCATED, fmt=<optimized out>,
ap=ap@entry=0x7ffccbbe0f08) at ../ctdb/server/eventscript.c:828
#13 0x00007fc125b8e1ba in ctdb_event_script_callback
(ctdb=ctdb@entry=0x7fc1279cd890, mem_ctx=mem_ctx@entry=0x7fc1279f5eb0,
callback=callback@entry=0x7fc125b8f050 <ctdb_ipreallocated_callback>,
call=call@entry=CTDB_EVENT_IPREALLOCATED, fmt=fmt@entry=0x7fc125bd8b2d
"%s") at ../ctdb/server/eventscript.c:862
#14 0x00007fc125b97255 in ctdb_control_ipreallocated
(ctdb=ctdb@entry=0x7fc1279cd890, c=c@entry=0x7fc1279fef80,
async_reply=async_reply@entry=0x7ffccbbe1047) at
#15 0x00007fc125b8177d in ctdb_control_dispatch
(async_reply=0x7ffccbbe1047, errormsg=0x7ffccbbe1048,
srcnode=<optimized out>, outdata=0x7fc127a00370, indata=...,
c=0x7fc1279fef80, ctdb=0x7fc1279cd890)
    at ../ctdb/server/ctdb_control.c:367
#16 ctdb_request_control (ctdb=ctdb@entry=0x7fc1279cd890,
hdr=hdr@entry=0x7fc1279fef80) at ../ctdb/server/ctdb_control.c:793
#17 0x00007fc125b7e339 in ctdb_input_pkt (ctdb=0x7fc1279cd890,
hdr=0x7fc1279fef80) at ../ctdb/server/ctdb_server.c:279
#18 0x00007fc125b7e46f in queue_next_trigger (ev=<optimized out>,
te=<optimized out>, t=..., private_data=<optimized out>) at
#19 0x00007fc124864a7f in tevent_common_loop_timer_delay
(ev=ev@entry=0x7fc1279e5090) at ../lib/tevent/tevent_timed.c:341
#20 0x00007fc124865a8a in epoll_event_loop_once (ev=0x7fc1279e5090,
location=<optimized out>) at ../lib/tevent/tevent_epoll.c:911
#21 0x00007fc124864187 in std_event_loop_once (ev=0x7fc1279e5090,
location=0x7fc125bbfb00 "../ctdb/server/ctdb_daemon.c:1379") at
#22 0x00007fc12486033d in _tevent_loop_once
(ev=ev@entry=0x7fc1279e5090, location=location@entry=0x7fc125bbfb00
"../ctdb/server/ctdb_daemon.c:1379") at ../lib/tevent/tevent.c:533
#23 0x00007fc1248604db in tevent_common_loop_wait (ev=0x7fc1279e5090,
location=0x7fc125bbfb00 "../ctdb/server/ctdb_daemon.c:1379") at
#24 0x00007fc124864127 in std_event_loop_wait (ev=0x7fc1279e5090,
location=0x7fc125bbfb00 "../ctdb/server/ctdb_daemon.c:1379") at
#25 0x00007fc125b6d21b in ctdb_start_daemon
(ctdb=ctdb@entry=0x7fc1279cd890, do_fork=<optimized out>) at
#26 0x00007fc125b671bc in main (argc=<optimized out>, argv=<optimized
out>) at ../ctdb/server/ctdbd.c:335
Comment 1 Martin Schwenke 2016-09-02 00:36:33 UTC
Created attachment 12422 [details]
Patch for 4.5rc
Comment 2 Martin Schwenke 2016-09-02 00:40:38 UTC
Created attachment 12423 [details]
Patch for 4.4

For 4.4 (and 4.3), the test patches have too many dependencies (i.e. would need many more patches backported) so I have left them out.  The new test will really allow breakage in master to be detected, so isn't terribly useful for backports.
Comment 3 Martin Schwenke 2016-09-02 00:45:12 UTC
Created attachment 12424 [details]
Patch for 4.3

I'm not sure this will make 4.3 but I'm attaching patches.  It is a bug fix where uninitialised memory is accessed, but I'm not sure if there are any security implications.  Happy to discuss...
Comment 4 Amitay Isaacs 2016-09-02 06:38:35 UTC
Comment on attachment 12424 [details]
Patch for 4.3

We can leave this out of 4.3.x for now.
Comment 5 Amitay Isaacs 2016-09-02 06:39:58 UTC
Hi Karolin,

This is ready for v4-5 and v4-4 branches.

No need for backport to v4-3.
Comment 6 Stefan Metzmacher 2016-09-06 06:22:12 UTC
Pushed to autobuild-v4-5-test.
Comment 7 Stefan Metzmacher 2016-09-06 14:13:25 UTC
Pushed to v4-5-test.
Comment 8 Karolin Seeger 2016-09-13 10:27:02 UTC
Pushed to autobuild-v4-4-test.
Comment 9 Karolin Seeger 2016-09-20 07:24:06 UTC
Pushed to both branches.
Closing out bug report.