Bug 14701 - tevent_common_invoke_fd_handler memory error coredump
Summary: tevent_common_invoke_fd_handler memory error coredump
Status: RESOLVED DUPLICATE of bug 14475
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: CTDB (show other bugs)
Version: 4.11.7
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Amitay Isaacs
QA Contact: Samba QA Contact
Depends on:
Reported: 2021-05-10 02:36 UTC by zhangjingjun
Modified: 2021-07-20 13:40 UTC (History)
1 user (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description zhangjingjun 2021-05-10 02:36:15 UTC
We are having issues with our ctdb running on CentOS 7.

#0  0x00007f4bdabd41f7 in raise () from /lib64/libc.so.6

#1  0x00007f4bdabd58e8 in abort () from /lib64/libc.so.6

#2  0x00007f4bdd69e01f in smb_panic_default (why=0x7f4bdd6ee1f9 "internal error") at ../../lib/util/fault.c:164

#3  smb_panic (why=why@entry=0x7f4bdd6ee1f9 "internal error") at ../../lib/util/fault.c:177

#4  0x00007f4bdd69e1fe in fault_report (sig=<optimized out>) at ../../lib/util/fault.c:88

#5  sig_fault (sig=6) at ../../lib/util/fault.c:99

#6  <signal handler called>

#7  0x00007f4bdabd41f7 in raise () from /lib64/libc.so.6

#8  0x00007f4bdabd58e8 in abort () from /lib64/libc.so.6

#9  0x00007f4bddb03bdc in talloc_abort (reason=0x7f4bddb0b368 "Bad talloc magic value - unknown value") at ../../lib/talloc/talloc.c:505

#10 0x00007f4bddb03cd3 in talloc_abort_unknown_value () at ../../lib/talloc/talloc.c:518

#11 talloc_chunk_from_ptr (ptr=<optimized out>) at ../../lib/talloc/talloc.c:534

#12 _talloc_set_destructor (ptr=<optimized out>, destructor=0x0) at ../../lib/talloc/talloc.c:936

#13 0x00007f4bde1300a9 in tevent_common_invoke_fd_handler (fde=0x557613f97da0, flags=1, removed=0x0) at ../../lib/tevent/tevent_fd.c:153

#14 0x00007f4bde13a60d in epoll_event_loop (epoll_ev=0x557613f80330, tvalp=0x7ffdb3a9eeb0) at ../../lib/tevent/tevent_epoll.c:736

#15 0x00007f4bde13ac53 in epoll_event_loop_once (ev=0x557613f761a0, location=0x5576131d9600 "../../ctdb/server/ctdb_daemon.c:1450") at ../../lib/tevent/tevent_epoll.c:937

#16 0x00007f4bde1375a5 in std_event_loop_once (ev=0x557613f761a0, location=0x5576131d9600 "../../ctdb/server/ctdb_daemon.c:1450") at ../../lib/tevent/tevent_standard.c:110

#17 0x00007f4bde12f2e4 in _tevent_loop_once (ev=0x557613f761a0, location=0x5576131d9600 "../../ctdb/server/ctdb_daemon.c:1450") at ../../lib/tevent/tevent.c:772

#18 0x00007f4bde12f5f4 in tevent_common_loop_wait (ev=0x557613f761a0, location=0x5576131d9600 "../../ctdb/server/ctdb_daemon.c:1450") at ../../lib/tevent/tevent.c:895

int tevent_common_invoke_fd_handler(struct tevent_fd *fde, uint16_t flags,
				    bool *removed)
	struct tevent_context *handler_ev = fde->event_ctx;

	if (removed != NULL) {
		*removed = false;

	if (fde->event_ctx == NULL) {
		return 0;

	fde->busy = true;
	if (fde->wrapper != NULL) {
		handler_ev = fde->wrapper->wrap_ev;

		tevent_wrapper_push_use_internal(handler_ev, fde->wrapper);
	fde->handler(handler_ev, fde, flags, fde->private_data);
	if (fde->wrapper != NULL) {
		tevent_wrapper_pop_use_internal(handler_ev, fde->wrapper);
	fde->busy = false;

	if (fde->destroyed) {
		talloc_set_destructor(fde, NULL);
		if (removed != NULL) {
			*removed = true;

	return 0;
I found that fde has been released in fde->handler, but fde is still being used afterwards

Comment 1 Amitay Isaacs 2021-05-14 05:59:32 UTC
CTDB 2.5.x is out of support.  You should be running CTDB 4.x.x.

What version of CTDB are you running?
Comment 2 zhangjingjun 2021-05-17 08:22:46 UTC
(In reply to Amitay Isaacs from comment #1)
CTDB 4.11.7
Comment 3 Amitay Isaacs 2021-05-18 08:33:33 UTC
Do you have full stack trace? The stack trace you have posted does not show any ctdb functions.

Also, note that CTDB 4.11.x is out of support.  You are recommended to update to 4.12.x or later releases.  Please check Samba wiki (https://wiki.samba.org) for currently supported releases.
Comment 4 Volker Lendecke 2021-05-18 08:54:04 UTC
(In reply to Amitay Isaacs from comment #3)

Amitay, have you seen my update to bug 14475? That's a use-after-free, and whatever results from that. Not necessarily related of course.
Comment 5 Amitay Isaacs 2021-05-28 07:57:46 UTC
This appears to be a duplicate of bug 14475.  The fixes for that bug will be in releases 4.13.10 and 4.14.5.

Please upgrade to those releases when they become available.

*** This bug has been marked as a duplicate of bug 14475 ***
Comment 6 zhangjingjun 2021-07-20 13:40:17 UTC
I found that this is a problem with tevent 0.10.0. After we rolled back tevent to 0.9.36, there was no problem.

The problem is the one shown on my screenshot