14701 – tevent_common_invoke_fd_handler memory error coredump

Bug 14701 - tevent_common_invoke_fd_handler memory error coredump

Summary: tevent_common_invoke_fd_handler memory error coredump

Status:	RESOLVED DUPLICATE of bug 14475

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	CTDB (show other bugs)
Version:	4.11.7
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Amitay Isaacs
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2021-05-10 02:36 UTC by zhangjingjun
Modified:	2021-07-20 13:40 UTC (History)
CC List:	1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description zhangjingjun 2021-05-10 02:36:15 UTC

Hi
We are having issues with our ctdb running on CentOS 7.


#0  0x00007f4bdabd41f7 in raise () from /lib64/libc.so.6

#1  0x00007f4bdabd58e8 in abort () from /lib64/libc.so.6

#2  0x00007f4bdd69e01f in smb_panic_default (why=0x7f4bdd6ee1f9 "internal error") at ../../lib/util/fault.c:164

#3  smb_panic (why=why@entry=0x7f4bdd6ee1f9 "internal error") at ../../lib/util/fault.c:177

#4  0x00007f4bdd69e1fe in fault_report (sig=<optimized out>) at ../../lib/util/fault.c:88

#5  sig_fault (sig=6) at ../../lib/util/fault.c:99

#6  <signal handler called>

#7  0x00007f4bdabd41f7 in raise () from /lib64/libc.so.6

#8  0x00007f4bdabd58e8 in abort () from /lib64/libc.so.6

#9  0x00007f4bddb03bdc in talloc_abort (reason=0x7f4bddb0b368 "Bad talloc magic value - unknown value") at ../../lib/talloc/talloc.c:505

#10 0x00007f4bddb03cd3 in talloc_abort_unknown_value () at ../../lib/talloc/talloc.c:518

#11 talloc_chunk_from_ptr (ptr=<optimized out>) at ../../lib/talloc/talloc.c:534

#12 _talloc_set_destructor (ptr=<optimized out>, destructor=0x0) at ../../lib/talloc/talloc.c:936

#13 0x00007f4bde1300a9 in tevent_common_invoke_fd_handler (fde=0x557613f97da0, flags=1, removed=0x0) at ../../lib/tevent/tevent_fd.c:153

#14 0x00007f4bde13a60d in epoll_event_loop (epoll_ev=0x557613f80330, tvalp=0x7ffdb3a9eeb0) at ../../lib/tevent/tevent_epoll.c:736

#15 0x00007f4bde13ac53 in epoll_event_loop_once (ev=0x557613f761a0, location=0x5576131d9600 "../../ctdb/server/ctdb_daemon.c:1450") at ../../lib/tevent/tevent_epoll.c:937

#16 0x00007f4bde1375a5 in std_event_loop_once (ev=0x557613f761a0, location=0x5576131d9600 "../../ctdb/server/ctdb_daemon.c:1450") at ../../lib/tevent/tevent_standard.c:110

#17 0x00007f4bde12f2e4 in _tevent_loop_once (ev=0x557613f761a0, location=0x5576131d9600 "../../ctdb/server/ctdb_daemon.c:1450") at ../../lib/tevent/tevent.c:772

#18 0x00007f4bde12f5f4 in tevent_common_loop_wait (ev=0x557613f761a0, location=0x5576131d9600 "../../ctdb/server/ctdb_daemon.c:1450") at ../../lib/tevent/tevent.c:895


int tevent_common_invoke_fd_handler(struct tevent_fd *fde, uint16_t flags,
				    bool *removed)
{
	struct tevent_context *handler_ev = fde->event_ctx;

	if (removed != NULL) {
		*removed = false;
	}

	if (fde->event_ctx == NULL) {
		return 0;
	}

	fde->busy = true;
	if (fde->wrapper != NULL) {
		handler_ev = fde->wrapper->wrap_ev;

		tevent_wrapper_push_use_internal(handler_ev, fde->wrapper);
		fde->wrapper->ops->before_fd_handler(
					fde->wrapper->wrap_ev,
					fde->wrapper->private_state,
					fde->wrapper->main_ev,
					fde,
					flags,
					fde->handler_name,
					fde->location);
	}
	fde->handler(handler_ev, fde, flags, fde->private_data);
	if (fde->wrapper != NULL) {
		fde->wrapper->ops->after_fd_handler(
					fde->wrapper->wrap_ev,
					fde->wrapper->private_state,
					fde->wrapper->main_ev,
					fde,
					flags,
					fde->handler_name,
					fde->location);
		tevent_wrapper_pop_use_internal(handler_ev, fde->wrapper);
	}
	fde->busy = false;

	if (fde->destroyed) {
		talloc_set_destructor(fde, NULL);
		TALLOC_FREE(fde);
		if (removed != NULL) {
			*removed = true;
		}
	}

	return 0;
}
I found that fde has been released in fde->handler, but fde is still being used afterwards

zhangjingjun

Comment 1 Amitay Isaacs 2021-05-14 05:59:32 UTC

CTDB 2.5.x is out of support.  You should be running CTDB 4.x.x.

What version of CTDB are you running?

Comment 2 zhangjingjun 2021-05-17 08:22:46 UTC

(In reply to Amitay Isaacs from comment #1)
CTDB 4.11.7

Comment 3 Amitay Isaacs 2021-05-18 08:33:33 UTC

Do you have full stack trace? The stack trace you have posted does not show any ctdb functions.

Also, note that CTDB 4.11.x is out of support.  You are recommended to update to 4.12.x or later releases.  Please check Samba wiki (https://wiki.samba.org) for currently supported releases.

Comment 4 Volker Lendecke 2021-05-18 08:54:04 UTC

(In reply to Amitay Isaacs from comment #3)

Amitay, have you seen my update to bug 14475? That's a use-after-free, and whatever results from that. Not necessarily related of course.

Comment 5 Amitay Isaacs 2021-05-28 07:57:46 UTC

This appears to be a duplicate of bug 14475.  The fixes for that bug will be in releases 4.13.10 and 4.14.5.

Please upgrade to those releases when they become available.

*** This bug has been marked as a duplicate of bug 14475 ***

Comment 6 zhangjingjun 2021-07-20 13:40:17 UTC

I found that this is a problem with tevent 0.10.0. After we rolled back tevent to 0.9.36, there was no problem.

The problem is the one shown on my screenshot