Bug 12180 - CTDB crashes running eventscripts
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: CTDB
Version: 4.4.5
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
 
Reported: 2016-08-26 05:44 UTC by Amitay Isaacs
Modified: 2016-09-20 07:24 UTC

Attachments
Patch for 4.5rc (15.10 KB, patch)
2016-09-02 00:36 UTC, Martin Schwenke
amitay: review+
Patch for 4.4 (9.41 KB, patch)
2016-09-02 00:40 UTC, Martin Schwenke
amitay: review+
Patch for 4.3 (9.47 KB, patch)
2016-09-02 00:45 UTC, Martin Schwenke
amitay: review-

Description Amitay Isaacs 2016-08-26 05:44:31 UTC
(gdb) bt
#0  0x00007fc123aac5f7 in raise () from /lib64/libc.so.6
#1  0x00007fc123aadce8 in abort () from /lib64/libc.so.6
#2  0x00007fc1254b6b3c in smb_panic_default (why=0x7fc125503c92
"internal error") at ../lib/util/fault.c:156
#3  smb_panic (why=why@entry=0x7fc125503c92 "internal error") at
../lib/util/fault.c:169
#4  0x00007fc1254b6cf6 in fault_report (sig=<optimized out>) at
../lib/util/fault.c:83
#5  sig_fault (sig=<optimized out>) at ../lib/util/fault.c:94
#6  <signal handler called>
#7  ctdb_request_control_reply (ctdb=0x7fc1279cd890,
c=0x4354444200000000, outdata=0x0, status=-12, errormsg=0x0) at
../ctdb/server/ctdb_control.c:746
#8  0x00007fc125b8f097 in ctdb_ipreallocated_callback
(ctdb=0x7fc1279cd890, status=-12, p=<optimized out>) at
../ctdb/server/ctdb_takeover.c:3422
#9  0x00007fc125b8cce7 in event_script_destructor
(state=state@entry=0x7fc127a05eb0) at ../ctdb/server/eventscript.c:649
#10 0x00007fc124a6eec0 in _talloc_free_internal (location=<optimized
out>, ptr=<optimized out>) at ../lib/talloc/talloc.c:1046
#11 _talloc_free (ptr=0x7fc127a05eb0, location=0x7fc125bdd5e8
"../ctdb/server/eventscript.c:828") at ../lib/talloc/talloc.c:1647
#12 0x00007fc125b8d9ff in ctdb_event_script_callback_v
(ctdb=0x7fc1279cd890, mem_ctx=<optimized out>, callback=0x7fc125b8f050
<ctdb_ipreallocated_callback>, private_data=0x7fc1279f5eb0,
    call=CTDB_EVENT_IPREALLOCATED, fmt=<optimized out>,
ap=ap@entry=0x7ffccbbe0f08) at ../ctdb/server/eventscript.c:828
#13 0x00007fc125b8e1ba in ctdb_event_script_callback
(ctdb=ctdb@entry=0x7fc1279cd890, mem_ctx=mem_ctx@entry=0x7fc1279f5eb0,
callback=callback@entry=0x7fc125b8f050 <ctdb_ipreallocated_callback>,
    private_data=private_data@entry=0x7fc1279f5eb0,
call=call@entry=CTDB_EVENT_IPREALLOCATED, fmt=fmt@entry=0x7fc125bd8b2d
"%s") at ../ctdb/server/eventscript.c:862
#14 0x00007fc125b97255 in ctdb_control_ipreallocated
(ctdb=ctdb@entry=0x7fc1279cd890, c=c@entry=0x7fc1279fef80,
async_reply=async_reply@entry=0x7ffccbbe1047) at
../ctdb/server/ctdb_takeover.c:3439
#15 0x00007fc125b8177d in ctdb_control_dispatch
(async_reply=0x7ffccbbe1047, errormsg=0x7ffccbbe1048,
srcnode=<optimized out>, outdata=0x7fc127a00370, indata=...,
c=0x7fc1279fef80, ctdb=0x7fc1279cd890)
    at ../ctdb/server/ctdb_control.c:367
#16 ctdb_request_control (ctdb=ctdb@entry=0x7fc1279cd890,
hdr=hdr@entry=0x7fc1279fef80) at ../ctdb/server/ctdb_control.c:793
#17 0x00007fc125b7e339 in ctdb_input_pkt (ctdb=0x7fc1279cd890,
hdr=0x7fc1279fef80) at ../ctdb/server/ctdb_server.c:279
#18 0x00007fc125b7e46f in queue_next_trigger (ev=<optimized out>,
te=<optimized out>, t=..., private_data=<optimized out>) at
../ctdb/server/ctdb_server.c:364
#19 0x00007fc124864a7f in tevent_common_loop_timer_delay
(ev=ev@entry=0x7fc1279e5090) at ../lib/tevent/tevent_timed.c:341
#20 0x00007fc124865a8a in epoll_event_loop_once (ev=0x7fc1279e5090,
location=<optimized out>) at ../lib/tevent/tevent_epoll.c:911
#21 0x00007fc124864187 in std_event_loop_once (ev=0x7fc1279e5090,
location=0x7fc125bbfb00 "../ctdb/server/ctdb_daemon.c:1379") at
../lib/tevent/tevent_standard.c:114
#22 0x00007fc12486033d in _tevent_loop_once
(ev=ev@entry=0x7fc1279e5090, location=location@entry=0x7fc125bbfb00
"../ctdb/server/ctdb_daemon.c:1379") at ../lib/tevent/tevent.c:533
#23 0x00007fc1248604db in tevent_common_loop_wait (ev=0x7fc1279e5090,
location=0x7fc125bbfb00 "../ctdb/server/ctdb_daemon.c:1379") at
../lib/tevent/tevent.c:637
#24 0x00007fc124864127 in std_event_loop_wait (ev=0x7fc1279e5090,
location=0x7fc125bbfb00 "../ctdb/server/ctdb_daemon.c:1379") at
../lib/tevent/tevent_standard.c:140
#25 0x00007fc125b6d21b in ctdb_start_daemon
(ctdb=ctdb@entry=0x7fc1279cd890, do_fork=<optimized out>) at
../ctdb/server/ctdb_daemon.c:1379
#26 0x00007fc125b671bc in main (argc=<optimized out>, argv=<optimized
out>) at ../ctdb/server/ctdbd.c:335
Comment 1 Martin Schwenke 2016-09-02 00:36:33 UTC
Created attachment 12422
Patch for 4.5rc
Comment 2 Martin Schwenke 2016-09-02 00:40:38 UTC
Created attachment 12423
Patch for 4.4

For 4.4 (and 4.3), the test patches have too many dependencies (i.e. would need many more patches backported) so I have left them out.  The new test will really allow breakage in master to be detected, so isn't terribly useful for backports.
Comment 3 Martin Schwenke 2016-09-02 00:45:12 UTC
Created attachment 12424
Patch for 4.3

I'm not sure this will make 4.3 but I'm attaching patches.  It is a bug fix where uninitialised memory is accessed, but I'm not sure if there are any security implications.  Happy to discuss...
Comment 4 Amitay Isaacs 2016-09-02 06:38:35 UTC
Comment on attachment 12424
Patch for 4.3

We can leave this out of 4.3.x for now.
Comment 5 Amitay Isaacs 2016-09-02 06:39:58 UTC
Hi Karolin,

This is ready for v4-5 and v4-4 branches.

No need for backport to v4-3.
Comment 6 Stefan Metzmacher 2016-09-06 06:22:12 UTC
Pushed to autobuild-v4-5-test.
Comment 7 Stefan Metzmacher 2016-09-06 14:13:25 UTC
Pushed to v4-5-test.
Comment 8 Karolin Seeger 2016-09-13 10:27:02 UTC
Pushed to autobuild-v4-4-test.
Comment 9 Karolin Seeger 2016-09-20 07:24:06 UTC
Pushed to both branches.
Closing out bug report.

Thanks!