Bug 14804 - winbindd can crash because idmap child state is not fully initialized
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
 
Reported: 2021-08-18 17:32 UTC by Ralph Böhme
Modified: 2021-09-07 11:51 UTC

Attachments
Patch for 4.14 and 4.15 cherry-picked from master (5.57 KB, patch)
2021-09-05 13:03 UTC, Ralph Böhme
vl: review+

Description Ralph Böhme 2021-08-18 17:32:51 UTC
SBT:

The Samba 'panic action' script, /usr/share/samba/scripts/panic-action,
was called for pid 5905 (/usr/sbin/winbindd).

Below is a backtrace for this process generated with gdb, which shows
the state of the program at the time the error occured.  You are
encouraged to submit this information as a bug report to the Samba Team.
via https://bugzilla.samba.org
For information about the procedure for submitting bug reports, please see
https://wiki.samba.org/index.php/Bug_Reporting
If you think this is a Sernet-Samba-Package bug or if you want commercial
Samba support please send a mail to samba@sernet.de.

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
0x00007fca6459f4fc in waitpid () from /lib64/libc.so.6
#0  0x00007fca6459f4fc in waitpid () from /lib64/libc.so.6
No symbol table info available.
#1  0x00007fca6451cf62 in do_system () from /lib64/libc.so.6
No symbol table info available.
#2  0x00007fca67049414 in smb_panic_s3 (why=<optimized out>) at ../../source3/lib/util.c:840
        lp_sub = <optimized out>
        cmd = 0x559a5dab1520 "/usr/share/samba/scripts/panic-action 5905"
        result = <optimized out>
        __FUNCTION__ = "smb_panic_s3"
#3  0x00007fca69bae921 in smb_panic (why=why@entry=0x7fff907e79d0 "Signal 11: Segmentation fault") at ../../lib/util/fault.c:197
No locals.
#4  0x00007fca69bae9aa in fault_report (sig=<optimized out>) at ../../lib/util/fault.c:81
        signal_string = "Signal 11: Segmentation fault\000\062\066\066\060\064\060\066\060\062-2346345224-122503247-501]\000\000\000\377\177\000\000lpUd\312\177\000\000\002", '\000' <repeats 23 times>, "\253\215\356g\312\177\000\000`\200~\220\377\177\000\000\200\340\211d\312\177\000"
        counter = 1
#5  sig_fault (sig=11) at ../../lib/util/fault.c:92
No locals.
#6  <signal handler called>
No symbol table info available.
#7  dcerpc_binding_handle_call_send (mem_ctx=<optimized out>, ev=ev@entry=0x559a5da7bb30, h=h@entry=0x0, object=object@entry=0x0, table=0x7fca69771620 <ndr_table_winbind>, opnum=opnum@entry=8, r_mem=0x559a5da9ab20, r_ptr=r_ptr@entry=0x559a5daac9f8) at ../../librpc/rpc/binding_handle.c:376
        req = 0x559a5daae570
        state = 0x559a5daae720
        subreq = <optimized out>
        ndr_err = <optimized out>
#8  0x00007fca6a9d28b4 in dcerpc_wbint_GetNssInfo_r_send (mem_ctx=<optimized out>, ev=ev@entry=0x559a5da7bb30, h=h@entry=0x0, r=0x559a5daac9f8) at librpc/gen_ndr/ndr_winbind_c.c:1856
        req = 0x559a5daae240
        state = 0x559a5daae3f0
        subreq = <optimized out>
#9  0x00007fca6a9d2b7a in dcerpc_wbint_GetNssInfo_send (mem_ctx=mem_ctx@entry=0x559a5daa9fe0, ev=0x559a5da7bb30, h=0x0, _info=_info@entry=0x559a5daaa150) at librpc/gen_ndr/ndr_winbind_c.c:1954
        req = 0x559a5daac830
        state = 0x559a5daac9e0
        subreq = <optimized out>
#10 0x0000559a5be7ff34 in wb_queryuser_got_domain (subreq=<optimized out>) at ../../source3/winbindd/wb_queryuser.c:199
        req = 0x559a5daa9e30
        state = 0x559a5daa9fe0
        info = 0x559a5daaa150
        type = SID_NAME_USER
        child_binding_handle = <optimized out>
        status = {v = 0}
#11 0x00007fca6c7d1cd5 in _tevent_req_notify_callback (req=req@entry=0x559a5daaba80, location=location@entry=0x559a5becb820 "../../source3/winbindd/wb_lookupsid.c:83") at ../../lib/tevent/tevent_req.c:141
No locals.
#12 0x00007fca6c7d1d6e in tevent_req_finish (req=req@entry=0x559a5daaba80, state=state@entry=TEVENT_REQ_DONE, location=location@entry=0x559a5becb820 "../../source3/winbindd/wb_lookupsid.c:83") at ../../lib/tevent/tevent_req.c:193
        p = 0x559a5daabd00
#13 0x00007fca6c7d1d8a in _tevent_req_done (req=req@entry=0x559a5daaba80, location=location@entry=0x559a5becb820 "../../source3/winbindd/wb_lookupsid.c:83") at ../../lib/tevent/tevent_req.c:199
No locals.
#14 0x0000559a5be7c21d in wb_lookupsid_done (subreq=<optimized out>) at ../../source3/winbindd/wb_lookupsid.c:83
        req = 0x559a5daaba80
        state = <optimized out>
        status = {v = 0}
        result = {v = 0}
#15 0x00007fca6c7d1cd5 in _tevent_req_notify_callback (req=req@entry=0x559a5daabe10, location=location@entry=0x7fca6a9d8f18 "librpc/gen_ndr/ndr_winbind_c.c:386") at ../../lib/tevent/tevent_req.c:141
No locals.
#16 0x00007fca6c7d1d6e in tevent_req_finish (req=req@entry=0x559a5daabe10, state=state@entry=TEVENT_REQ_DONE, location=location@entry=0x7fca6a9d8f18 "librpc/gen_ndr/ndr_winbind_c.c:386") at ../../lib/tevent/tevent_req.c:193
        p = 0x559a5daac080
#17 0x00007fca6c7d1d8a in _tevent_req_done (req=req@entry=0x559a5daabe10, location=location@entry=0x7fca6a9d8f18 "librpc/gen_ndr/ndr_winbind_c.c:386") at ../../lib/tevent/tevent_req.c:199
No locals.
#18 0x00007fca6a9d02cb in dcerpc_wbint_LookupSid_done (subreq=<optimized out>) at librpc/gen_ndr/ndr_winbind_c.c:386
        req = 0x559a5daabe10
        state = 0x559a5daabfc0
        status = {v = 0}
        mem_ctx = <optimized out>
#19 0x00007fca6c7d1cd5 in _tevent_req_notify_callback (req=req@entry=0x559a5daac190, location=location@entry=0x7fca6a9d7bd8 "librpc/gen_ndr/ndr_winbind_c.c:267") at ../../lib/tevent/tevent_req.c:141
No locals.
#20 0x00007fca6c7d1d6e in tevent_req_finish (req=req@entry=0x559a5daac190, state=state@entry=TEVENT_REQ_DONE, location=location@entry=0x7fca6a9d7bd8 "librpc/gen_ndr/ndr_winbind_c.c:267") at ../../lib/tevent/tevent_req.c:193
        p = 0x559a5daac3b0
#21 0x00007fca6c7d1d8a in _tevent_req_done (req=req@entry=0x559a5daac190, location=location@entry=0x7fca6a9d7bd8 "librpc/gen_ndr/ndr_winbind_c.c:267") at ../../lib/tevent/tevent_req.c:199
No locals.
#22 0x00007fca6a9cf19c in dcerpc_wbint_LookupSid_r_done (subreq=<optimized out>) at librpc/gen_ndr/ndr_winbind_c.c:267
        req = 0x559a5daac190
        status = {v = 0}
#23 0x00007fca6c7d1cd5 in _tevent_req_notify_callback (req=req@entry=0x559a5daac4c0, location=location@entry=0x7fca6c9f7dc8 "../../librpc/rpc/binding_handle.c:520") at ../../lib/tevent/tevent_req.c:141
No locals.
#24 0x00007fca6c7d1d6e in tevent_req_finish (req=req@entry=0x559a5daac4c0, state=state@entry=TEVENT_REQ_DONE, location=location@entry=0x7fca6c9f7dc8 "../../librpc/rpc/binding_handle.c:520") at ../../lib/tevent/tevent_req.c:193
        p = 0x559a5daac720
#25 0x00007fca6c7d1d8a in _tevent_req_done (req=req@entry=0x559a5daac4c0, location=location@entry=0x7fca6c9f7dc8 "../../librpc/rpc/binding_handle.c:520") at ../../lib/tevent/tevent_req.c:199
No locals.
#26 0x00007fca6c9ec0b6 in dcerpc_binding_handle_call_done (subreq=<optimized out>) at ../../librpc/rpc/binding_handle.c:520
        req = 0x559a5daac4c0
        state = 0x559a5daac670
        h = 0x559a5da93b20
        error = {v = 0}
        out_flags = 0
        ndr_err = <optimized out>
#27 0x00007fca6c7d1cd5 in _tevent_req_notify_callback (req=req@entry=0x559a5daacca0, location=location@entry=0x7fca6c9f7a78 "../../librpc/rpc/binding_handle.c:203") at ../../lib/tevent/tevent_req.c:141
No locals.
#28 0x00007fca6c7d1d6e in tevent_req_finish (req=req@entry=0x559a5daacca0, state=state@entry=TEVENT_REQ_DONE, location=location@entry=0x7fca6c9f7a78 "../../librpc/rpc/binding_handle.c:203") at ../../lib/tevent/tevent_req.c:193
        p = 0x559a5daaced0
#29 0x00007fca6c7d1d8a in _tevent_req_done (req=req@entry=0x559a5daacca0, location=location@entry=0x7fca6c9f7a78 "../../librpc/rpc/binding_handle.c:203") at ../../lib/tevent/tevent_req.c:199
No locals.
#30 0x00007fca6c9ebb2d in dcerpc_binding_handle_raw_call_done (subreq=<optimized out>) at ../../librpc/rpc/binding_handle.c:203
        req = 0x559a5daacca0
        state = <optimized out>
        error = {v = 0}
#31 0x00007fca6c7d1cd5 in _tevent_req_notify_callback (req=req@entry=0x559a5daacfe0, location=location@entry=0x559a5bec4640 "../../source3/winbindd/winbindd_dual_ndr.c:208") at ../../lib/tevent/tevent_req.c:141
No locals.
#32 0x00007fca6c7d1d6e in tevent_req_finish (req=req@entry=0x559a5daacfe0, state=state@entry=TEVENT_REQ_DONE, location=location@entry=0x559a5bec4640 "../../source3/winbindd/winbindd_dual_ndr.c:208") at ../../lib/tevent/tevent_req.c:193
        p = 0x559a5daada80
#33 0x00007fca6c7d1d8a in _tevent_req_done (req=req@entry=0x559a5daacfe0, location=location@entry=0x559a5bec4640 "../../source3/winbindd/winbindd_dual_ndr.c:208") at ../../lib/tevent/tevent_req.c:199
No locals.
#34 0x0000559a5be70cbb in wbint_bh_raw_call_domain_done (subreq=<optimized out>) at ../../source3/winbindd/winbindd_dual_ndr.c:208
        req = 0x559a5daacfe0
        state = 0x559a5daad190
        ret = 0
        err = 32714
#35 0x00007fca6c7d1cd5 in _tevent_req_notify_callback (req=req@entry=0x559a5daadb90, location=location@entry=0x559a5bec2a28 "../../source3/winbindd/winbindd_dual.c:736") at ../../lib/tevent/tevent_req.c:141
No locals.
#36 0x00007fca6c7d1d6e in tevent_req_finish (req=req@entry=0x559a5daadb90, state=state@entry=TEVENT_REQ_DONE, location=location@entry=0x559a5bec2a28 "../../source3/winbindd/winbindd_dual.c:736") at ../../lib/tevent/tevent_req.c:193
        p = 0x559a5daadde0
#37 0x00007fca6c7d1d8a in _tevent_req_done (req=req@entry=0x559a5daadb90, location=location@entry=0x559a5bec2a28 "../../source3/winbindd/winbindd_dual.c:736") at ../../lib/tevent/tevent_req.c:199
No locals.
#38 0x0000559a5be6e82f in wb_domain_request_done (subreq=<optimized out>) at ../../source3/winbindd/winbindd_dual.c:736
        req = 0x559a5daadb90
        state = <optimized out>
        ret = 0
        err = 0
#39 0x00007fca6c7d1cd5 in _tevent_req_notify_callback (req=req@entry=0x559a5daadef0, location=location@entry=0x559a5bec1418 "../../source3/winbindd/winbindd_dual.c:300") at ../../lib/tevent/tevent_req.c:141
No locals.
#40 0x00007fca6c7d1d6e in tevent_req_finish (req=req@entry=0x559a5daadef0, state=state@entry=TEVENT_REQ_DONE, location=location@entry=0x559a5bec1418 "../../source3/winbindd/winbindd_dual.c:300") at ../../lib/tevent/tevent_req.c:193
        p = 0x559a5daae130
#41 0x00007fca6c7d1d8a in _tevent_req_done (req=req@entry=0x559a5daadef0, location=location@entry=0x559a5bec1418 "../../source3/winbindd/winbindd_dual.c:300") at ../../lib/tevent/tevent_req.c:199
No locals.
#42 0x0000559a5be6cb17 in wb_child_request_done (subreq=0x559a5daaee20) at ../../source3/winbindd/winbindd_dual.c:300
        req = 0x559a5daadef0
        state = <optimized out>
        ret = <optimized out>
        err = 0
#43 0x00007fca6c7d1cd5 in _tevent_req_notify_callback (req=req@entry=0x559a5daaee20, location=location@entry=0x7fca6530dd88 "../../nsswitch/wb_reqtrans.c:432") at ../../lib/tevent/tevent_req.c:141
No locals.
#44 0x00007fca6c7d1d6e in tevent_req_finish (req=req@entry=0x559a5daaee20, state=state@entry=TEVENT_REQ_DONE, location=location@entry=0x7fca6530dd88 "../../nsswitch/wb_reqtrans.c:432") at ../../lib/tevent/tevent_req.c:193
        p = 0x559a5daaf050
#45 0x00007fca6c7d1d8a in _tevent_req_done (req=req@entry=0x559a5daaee20, location=location@entry=0x7fca6530dd88 "../../nsswitch/wb_reqtrans.c:432") at ../../lib/tevent/tevent_req.c:199
No locals.
#46 0x00007fca6530d233 in wb_simple_trans_read_done (subreq=<optimized out>) at ../../nsswitch/wb_reqtrans.c:432
        req = 0x559a5daaee20
        state = <optimized out>
        ret = 4068
        err = 0
#47 0x00007fca6c7d1cd5 in _tevent_req_notify_callback (req=req@entry=0x559a5daaf810, location=location@entry=0x7fca6530d910 "../../nsswitch/wb_reqtrans.c:275") at ../../lib/tevent/tevent_req.c:141
No locals.
#48 0x00007fca6c7d1d6e in tevent_req_finish (req=req@entry=0x559a5daaf810, state=state@entry=TEVENT_REQ_DONE, location=location@entry=0x7fca6530d910 "../../nsswitch/wb_reqtrans.c:275") at ../../lib/tevent/tevent_req.c:193
        p = 0x559a5daafa30
#49 0x00007fca6c7d1d8a in _tevent_req_done (req=req@entry=0x559a5daaf810, location=location@entry=0x7fca6530d910 "../../nsswitch/wb_reqtrans.c:275") at ../../lib/tevent/tevent_req.c:199
No locals.
#50 0x00007fca6530cb37 in wb_resp_read_done (subreq=<optimized out>) at ../../nsswitch/wb_reqtrans.c:275
        req = 0x559a5daaf810
        state = 0x559a5daaf9c0
        buf = 0x559a5daafe70 "N\003\253]\232U"
        err = 0
#51 0x00007fca6c7d1cd5 in _tevent_req_notify_callback (req=req@entry=0x559a5daafb40, location=location@entry=0x7fca5eed63a0 "../../lib/async_req/async_sock.c:567") at ../../lib/tevent/tevent_req.c:141
No locals.
#52 0x00007fca6c7d1d6e in tevent_req_finish (req=req@entry=0x559a5daafb40, state=state@entry=TEVENT_REQ_DONE, location=location@entry=0x7fca5eed63a0 "../../lib/async_req/async_sock.c:567") at ../../lib/tevent/tevent_req.c:193
        p = 0x559a5daafd80
#53 0x00007fca6c7d1d8a in _tevent_req_done (req=req@entry=0x559a5daafb40, location=location@entry=0x7fca5eed63a0 "../../lib/async_req/async_sock.c:567") at ../../lib/tevent/tevent_req.c:199
No locals.
#54 0x00007fca5eed4f79 in read_packet_handler (ev=<optimized out>, fde=<optimized out>, flags=<optimized out>, private_data=<optimized out>) at ../../lib/async_req/async_sock.c:567
        req = 0x559a5daafb40
        state = 0x559a5daafcf0
        total = 4068
        nread = <optimized out>
        more = <optimized out>
        tmp = <optimized out>
#55 0x00007fca6c7d111c in tevent_common_invoke_fd_handler (fde=0x559a5daa9740, flags=<optimized out>, removed=removed@entry=0x0) at ../../lib/tevent/tevent_fd.c:138
        handler_ev = 0x559a5da7bb30
#56 0x00007fca6c7d74a5 in epoll_event_loop (tvalp=0x7fff907e8ea0, epoll_ev=0x559a5da7bd00) at ../../lib/tevent/tevent_epoll.c:736
        fde = <optimized out>
        flags = <optimized out>
        mpx_fde = <optimized out>
        ret = <optimized out>
        i = 0
        timeout = <optimized out>
        wait_errno = 17
        events = {{events = 1, data = {ptr = 0x559a5daa9740, fd = 1571460928, u32 = 1571460928, u64 = 94121484785472}}}
#57 epoll_event_loop_once (ev=<optimized out>, location=<optimized out>) at ../../lib/tevent/tevent_epoll.c:937
        epoll_ev = 0x559a5da7bd00
        tval = {tv_sec = 4, tv_usec = 885563}
        panic_triggered = false
#58 0x00007fca6c7d5217 in std_event_loop_once (ev=0x559a5da7bb30, location=0x559a5be99a70 "../../source3/winbindd/winbindd.c:2026") at ../../lib/tevent/tevent_standard.c:110
        glue_ptr = <optimized out>
        glue = 0x559a5da7bc70
        ret = <optimized out>
#59 0x00007fca6c7d0946 in _tevent_loop_once (ev=0x559a5da7bb30, location=location@entry=0x559a5be99a70 "../../source3/winbindd/winbindd.c:2026") at ../../lib/tevent/tevent.c:772
        ret = <optimized out>
        nesting_stack_ptr = 0x0
#60 0x0000559a5be20cb7 in main (argc=<optimized out>, argv=<optimized out>) at ../../source3/winbindd/winbindd.c:2026
        is_daemon = false
        Fork = false
        log_stdout = false
        no_process_group = true
        long_options = {{longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x7fca65d6a160 <poptHelpOptions>, val = 0, descrip = 0x559a5be971bb "Help options:", argDescrip = 0x0}, {longName = 0x559a5be971d0 "stdout", shortName = 83 'S', argInfo = 0, arg = 0x0, val = 1003, descrip = 0x559a5be971c9 "Log to stdout", argDescrip = 0x0}, {longName = 0x559a5be971d7 "foreground", shortName = 70 'F', argInfo = 0, arg = 0x0, val = 1001, descrip = 0x559a5be971e2 "Daemon in foreground mode", argDescrip = 0x0}, {longName = 0x559a5be971fc "no-process-group", shortName = 0 '\000', argInfo = 0, arg = 0x0, val = 1002, descrip = 0x559a5be98d00 "Don't create a new process group", argDescrip = 0x0}, {longName = 0x559a5bed9ee9 "daemon", shortName = 68 'D', argInfo = 0, arg = 0x0, val = 1000, descrip = 0x559a5be9720d "Become a daemon (default)", argDescrip = 0x0}, {longName = 0x559a5be97227 "interactive", shortName = 105 'i', argInfo = 0, arg = 0x0, val = 105, descrip = 0x559a5be97233 "Interactive mode", argDescrip = 0x0}, {longName = 0x559a5be97244 "no-caching", shortName = 110 'n', argInfo = 0, arg = 0x0, val = 110, descrip = 0x559a5be9724f "Disable caching", argDescrip = 0x0}, {longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x7fca6a3a2280 <popt_common_samba>, val = 0, descrip = 0x559a5be9725f "Common samba options:", argDescrip = 0x0}, {longName = 0x0, shortName = 0 '\000', argInfo = 0, arg = 0x0, val = 0, descrip = 0x0, argDescrip = 0x0}}
        lp_sub = <optimized out>
        pc = <optimized out>
        opt = <optimized out>
        frame = 0x559a5da8d6d0
        status = <optimized out>
        ok = <optimized out>
        ep_server = <optimized out>
        dce_ctx = <optimized out>
        __FUNCTION__ = "main"
        __func__ = "main"

The problem is that in wb_queryuser_got_domain() we call idmap_child_handle(), assuming it is already initialized via wb_sids2xids_send() -> wb_parent_idmap_setup_send().

Unfortunately in wb_sids2xids_send() we skip the call to wb_parent_idmap_setup_send() if all sids are in the cache...

Working on a fix, need bug number...
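
A reduced model of the failure described above, added here as an illustration; it is not Samba source and not the attached patch. It shows how a cache-hit fast path that skips setup leaves a later consumer with a NULL handle, and one defensive variant where the consumer runs an idempotent setup itself. All `model_*` names, `run_scenario` and `enum call_result` are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model with hypothetical names; not Samba source code. */
struct binding_handle { int calls; };

static struct binding_handle child_storage;
static struct binding_handle *idmap_handle; /* NULL until setup has run */

/* Stands in for wb_parent_idmap_setup_send(): idempotent handle creation. */
static void model_idmap_setup(void)
{
	if (idmap_handle == NULL) {
		idmap_handle = &child_storage;
	}
}

/* Stands in for wb_sids2xids_send(): setup runs only on a cache miss. */
static void model_sids2xids(bool all_sids_cached)
{
	if (!all_sids_cached) {
		model_idmap_setup();
	}
}

enum call_result { CALL_OK = 0, CALL_NULL_HANDLE = -1 };
/* Stands in for the send that got h=0x0 in frame #7; reports, no deref. */
static enum call_result model_call_send(struct binding_handle *h)
{
	if (h == NULL) {
		return CALL_NULL_HANDLE;
	}
	h->calls++;
	return CALL_OK;
}

/* Fresh parent: one sids2xids request, then a queryuser-style call.
 * ensure_setup=true makes the consumer establish its own precondition. */
static enum call_result run_scenario(bool all_sids_cached, bool ensure_setup)
{
	idmap_handle = NULL;
	model_sids2xids(all_sids_cached);
	if (ensure_setup) {
		model_idmap_setup();
	}
	return model_call_send(idmap_handle);
}

int main(void)
{
	printf("cache hit, assumes setup: %d\n", run_scenario(true, false));
	printf("cache hit, ensures setup: %d\n", run_scenario(true, true));
	return 0;
}
```

The failing case needs only that every SID in the first request is already cached, which is why the crash depends on cache state rather than on the request itself.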
Comment 1 Samba QA Contact 2021-09-02 15:21:03 UTC
This bug was referenced in samba master:

39c2ec72cb77945c3eb611fb1d7d7e9aad52bdfd
d0f6d54354b02f5591706814fbd1e4844788fdfa
Comment 2 Ralph Böhme 2021-09-05 13:03:02 UTC
Created attachment 16771
Patch for 4.14 and 4.15 cherry-picked from master
Comment 3 Jule Anger 2021-09-06 11:58:48 UTC
Pushed to autobuild-v4-{15,14}-test.
Comment 4 Samba QA Contact 2021-09-06 20:43:46 UTC
This bug was referenced in samba v4-15-test:

591bd2f340519ec5354c18031436e0d9dba63f5d
cf4845f9b35d8b6706f474d8a7b09c0151367985
Comment 5 Samba QA Contact 2021-09-07 08:43:29 UTC
This bug was referenced in samba v4-15-stable (Release samba-4.15.0rc5):

591bd2f340519ec5354c18031436e0d9dba63f5d
cf4845f9b35d8b6706f474d8a7b09c0151367985
Comment 6 Samba QA Contact 2021-09-07 11:13:45 UTC
This bug was referenced in samba v4-14-test:

7d1dd87a6538f8c7f1e4938b0ff52cbd231fff90
446f89510f2e55a551e2975a6cbf01c6a023ba0c
Comment 7 Jule Anger 2021-09-07 11:51:29 UTC
Closing out bug report.

Thanks!