Bug 15119 - core dump vfs_fsync_done ... talloc_chunk_from_ptr
Summary: core dump vfs_fsync_done ... talloc_chunk_from_ptr
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: 4.15.7
Hardware: All FreeBSD
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2022-07-12 14:43 UTC by Peter Eriksson
Modified: 2022-07-12 14:43 UTC
Description Peter Eriksson 2022-07-12 14:43:33 UTC
Found a number of core dumps from smbd 4.15.7 on one of my servers in vfs_fsync_done() -> talloc_chunk_from_ptr().  

Active vfs objects from smb.conf:

   vfs objects = shadow_copy2 zfsacl full_audit
(gdb) bt
#0  0x0000000804cb669a in thr_kill () from /lib/libc.so.7
#1  0x0000000804cb4af4 in raise () from /lib/libc.so.7
#2  0x0000000804c2a719 in abort () from /lib/libc.so.7
#3  0x0000000802e7ce98 in dump_core () at ../../source3/lib/dumpcore.c:338
#4  0x0000000802e8b6ee in smb_panic_s3 (why=<optimized out>) at ../../source3/lib/util.c:704
#5  0x0000000801d66680 in smb_panic (why=0x8021e7450 "Bad talloc magic value - access after free") at ../../lib/util/fault.c:197
#6  0x00000008021e36c6 in talloc_abort (reason=reason@entry=0x8021e7450 "Bad talloc magic value - access after free") at ../../lib/talloc/talloc.c:509
#7  0x00000008021e36e1 in talloc_abort_access_after_free () at ../../lib/talloc/talloc.c:514
#8  0x00000008021e4c16 in talloc_chunk_from_ptr (ptr=0x810159180) at ../../lib/talloc/talloc.c:531
#9  __talloc_get_name (ptr=0x810159180) at ../../lib/talloc/talloc.c:1562
#10 _talloc_get_type_abort (ptr=0x810159180, name=name@entry=0x801857420 "struct tevent_req", location=location@entry=0x8018f35b8 "../../source3/modules/vfs_default.c:1154")
    at ../../lib/talloc/talloc.c:1619
#11 0x000000080180b8e2 in vfs_fsync_done (subreq=0x815349080) at ../../source3/modules/vfs_default.c:1154
#12 0x000000080282550c in _tevent_req_notify_callback (req=req@entry=0x815349080, location=location@entry=0x805f315d0 "../../lib/pthreadpool/pthreadpool_tevent.c:422")
    at ../../lib/tevent/tevent_req.c:141
#13 0x00000008028255b9 in tevent_req_finish (req=0x815349080, state=state@entry=TEVENT_REQ_DONE, 
    location=location@entry=0x805f315d0 "../../lib/pthreadpool/pthreadpool_tevent.c:422") at ../../lib/tevent/tevent_req.c:193
#14 0x00000008028255d3 in _tevent_req_done (req=<optimized out>, location=location@entry=0x805f315d0 "../../lib/pthreadpool/pthreadpool_tevent.c:422")
    at ../../lib/tevent/tevent_req.c:199
#15 0x0000000805f2fc0f in pthreadpool_tevent_job_done (ctx=ctx@entry=0x810150060, im=im@entry=0x8153492e0, private_data=private_data@entry=0x815349240)
    at ../../lib/pthreadpool/pthreadpool_tevent.c:422
#16 0x0000000802824d7c in tevent_common_invoke_immediate_handler (im=0x8153492e0, removed=removed@entry=0x0) at ../../lib/tevent/tevent_immediate.c:190
#17 0x0000000802824da5 in tevent_common_loop_immediate (ev=ev@entry=0x810150060) at ../../lib/tevent/tevent_immediate.c:236
#18 0x0000000802826ab1 in poll_event_loop_once (ev=0x810150060, location=<optimized out>) at ../../lib/tevent/tevent_poll.c:617
#19 0x0000000802823de4 in _tevent_loop_once (ev=ev@entry=0x810150060, location=location@entry=0x801882438 "../../source3/smbd/process.c:4247") at ../../lib/tevent/tevent.c:790
#20 0x0000000802823fd7 in tevent_common_loop_wait (ev=0x810150060, location=0x801882438 "../../source3/smbd/process.c:4247") at ../../lib/tevent/tevent.c:913
#21 0x0000000802824039 in _tevent_loop_wait (ev=ev@entry=0x810150060, location=location@entry=0x801882438 "../../source3/smbd/process.c:4247") at ../../lib/tevent/tevent.c:932
#22 0x0000000801738cf5 in smbd_process (ev_ctx=ev_ctx@entry=0x810150060, msg_ctx=msg_ctx@entry=0x8100d7220, dce_ctx=dce_ctx@entry=0x810107da0, sock_fd=sock_fd@entry=51, 
    interactive=interactive@entry=false) at ../../source3/smbd/process.c:4247
#23 0x000000000102ea77 in smbd_accept_connection (ev=0x810150060, fde=<optimized out>, flags=<optimized out>, private_data=<optimized out>) at ../../source3/smbd/server.c:1022
#24 0x000000080282482d in tevent_common_invoke_fd_handler (fde=fde@entry=0x8100db580, flags=<optimized out>, removed=removed@entry=0x0) at ../../lib/tevent/tevent_fd.c:142
#25 0x000000080282700f in poll_event_loop_poll (tvalp=0x7fffffffe6a0, ev=0x810150060) at ../../lib/tevent/tevent_poll.c:569
#26 poll_event_loop_once (ev=0x810150060, location=<optimized out>) at ../../lib/tevent/tevent_poll.c:626
#27 0x0000000802823de4 in _tevent_loop_once (ev=ev@entry=0x810150060, location=location@entry=0x1037248 "../../source3/smbd/server.c:1366") at ../../lib/tevent/tevent.c:790
#28 0x0000000802823fd7 in tevent_common_loop_wait (ev=0x810150060, location=0x1037248 "../../source3/smbd/server.c:1366") at ../../lib/tevent/tevent.c:913
#29 0x0000000802824039 in _tevent_loop_wait (ev=ev@entry=0x810150060, location=location@entry=0x1037248 "../../source3/smbd/server.c:1366") at ../../lib/tevent/tevent.c:932
#30 0x0000000001030673 in smbd_parent_loop (parent=<optimized out>, ev_ctx=0x810150060) at ../../source3/smbd/server.c:1366
#31 main (argc=<optimized out>, argv=<optimized out>) at ../../source3/smbd/server.c:2186


(gdb) frame 11
#11 0x000000080180b8e2 in vfs_fsync_done (subreq=0x815349080) at ../../source3/modules/vfs_default.c:1154
1154	../../source3/modules/vfs_default.c: No such file or directory.

(gdb) print *subreq
$1 = {async = {fn = 0x80180b8b9 <vfs_fsync_done>, private_data = 0x810159180}, data = 0x815349240, private_print = 0x0, private_cancel = 0x0, private_cleanup = {fn = 0x0, 
    state = TEVENT_REQ_INIT}, internal = {private_type = 0x805f314e8 "struct pthreadpool_tevent_job_state", 
    create_location = 0x805f31630 "../../lib/pthreadpool/pthreadpool_tevent.c:299", finish_location = 0x805f315d0 "../../lib/pthreadpool/pthreadpool_tevent.c:422", 
    cancel_location = 0x0, state = TEVENT_REQ_DONE, error = 0, trigger = 0x815349170, defer_callback_ev = 0x0, timer = 0x0, profile = 0x0}}


(gdb) frame 12
#12 0x000000080282550c in _tevent_req_notify_callback (req=req@entry=0x815349080, location=location@entry=0x805f315d0 "../../lib/pthreadpool/pthreadpool_tevent.c:422")
    at ../../lib/tevent/tevent_req.c:141
141	../../lib/tevent/tevent_req.c: No such file or directory.
(gdb) print *req
$2 = {async = {fn = 0x80180b8b9 <vfs_fsync_done>, private_data = 0x810159180}, data = 0x815349240, private_print = 0x0, private_cancel = 0x0, private_cleanup = {fn = 0x0, 
    state = TEVENT_REQ_INIT}, internal = {private_type = 0x805f314e8 "struct pthreadpool_tevent_job_state", 
    create_location = 0x805f31630 "../../lib/pthreadpool/pthreadpool_tevent.c:299", finish_location = 0x805f315d0 "../../lib/pthreadpool/pthreadpool_tevent.c:422", 
    cancel_location = 0x0, state = TEVENT_REQ_DONE, error = 0, trigger = 0x815349170, defer_callback_ev = 0x0, timer = 0x0, profile = 0x0}}
(gdb) print location
$9 = 0x805f315d0 "../../lib/pthreadpool/pthreadpool_tevent.c:422"