Created attachment 17464 [details] Log file for the client Mac machine Attempting to back up to Samba, versions ranging from 4.13.13 on Debian, up to 4.16.4 on Arch Linux, causes smbd to panic and restart. The log seems to indicate a use after free.
Created attachment 17465 [details] Core dump from the most recent crash And here's the core dump.
(In reply to Christopher Snowhill from comment #1) The coredump is most easily analysed on the system where it was created (so the exact same smbd binary and libraries are loaded), by running: # gdb /usr/sbin/smbd /core/file > bt full ... > exit Thanks!
gdb says: "/var/log/samba/cores/smbd/core": not in executable format: file format not recognized So I guess it's useless after all. The log does contain a backtrace, though.
(In reply to Christopher Snowhill from comment #3) Oh, crap, I have to specify smbd first. Let me check that. Sorry.
#0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44 tid = <optimized out> ret = 0 pd = <optimized out> old_mask = {__val = {550764085248}} ret = <optimized out> #1 0x00007fbdb2d91543 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78 No locals. #2 0x00007fbdb2d41998 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26 ret = <optimized out> #3 0x00007fbdb2d2b53d in __GI_abort () at abort.c:79 save_stage = 1 act = {__sigaction_handler = {sa_handler = 0x20, sa_sigaction = 0x20}, sa_mask = {__val = {32, 0 <repeats 15 times>}}, sa_flags = 268435456, sa_restorer = 0x0} #4 0x00007fbdb31fa0e1 in dump_core () from /usr/lib/libsmbconf.so.0 No symbol table info available. #5 0x00007fbdb3204af6 in smb_panic_s3 () from /usr/lib/libsmbconf.so.0 No symbol table info available. #6 0x00007fbdb30d287f in smb_panic () from /usr/lib/libsamba-util.so.0 No symbol table info available. #7 0x00007fbdb2f16322 in ?? () from /usr/lib/libtalloc.so.2 No symbol table info available. #8 0x00007fbdb32f5c0e in ?? () from /usr/lib/samba/libsmbd-base-samba4.so No symbol table info available. #9 0x00007fbdb2ef6bdb in tevent_common_invoke_immediate_handler () from /usr/lib/libtevent.so.0 No symbol table info available. #10 0x00007fbdb2ef6bfb in tevent_common_loop_immediate () from /usr/lib/libtevent.so.0 No symbol table info available. #11 0x00007fbdb2efa503 in ?? () from /usr/lib/libtevent.so.0 No symbol table info available. #12 0x00007fbdb2ef292d in ?? () from /usr/lib/libtevent.so.0 No symbol table info available. #13 0x00007fbdb2ef4e96 in _tevent_loop_once () from /usr/lib/libtevent.so.0 No symbol table info available. #14 0x00007fbdb2ef4f9c in tevent_common_loop_wait () from /usr/lib/libtevent.so.0 No symbol table info available. #15 0x00007fbdb2ef299d in ?? () from /usr/lib/libtevent.so.0 No symbol table info available. 
#16 0x00007fbdb3382edc in smbd_process () from /usr/lib/samba/libsmbd-base-samba4.so No symbol table info available. #17 0x0000555e243a9c9c in ?? () No symbol table info available. #18 0x00007fbdb2ef6986 in tevent_common_invoke_fd_handler () from /usr/lib/libtevent.so.0 No symbol table info available. #19 0x00007fbdb2efa738 in ?? () from /usr/lib/libtevent.so.0 No symbol table info available. #20 0x00007fbdb2ef292d in ?? () from /usr/lib/libtevent.so.0 No symbol table info available. #21 0x00007fbdb2ef4e96 in _tevent_loop_once () from /usr/lib/libtevent.so.0 No symbol table info available. #22 0x00007fbdb2ef4f9c in tevent_common_loop_wait () from /usr/lib/libtevent.so.0 No symbol table info available. #23 0x00007fbdb2ef299d in ?? () from /usr/lib/libtevent.so.0 No symbol table info available. #24 0x0000555e243a7d27 in main () No symbol table info available. I can't supply debug information where there is none for my distribution to supply.
(In reply to Christopher Snowhill from comment #5) Okay, here's a full debugging backtrace of the core dump now, from a release build with debug symbols. I'll probably have to do a full unoptimized debug build to get more detail. The panic reason is "Bad talloc magic value - access after free", raised by _talloc_get_type_abort from vfs_fsync_done (source3/modules/vfs_default.c:1154), i.e. the struct tevent_req that the fsync completion handler dereferences appears to have already been freed by the time the immediate event fires. Since this is reached from an ordinary client backup, it looks like a remotely triggerable use-after-free that crashes the per-connection smbd process: #0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44 tid = <optimized out> ret = 0 pd = <optimized out> old_mask = {__val = {553334145024}} ret = <optimized out> #1 0x00007f3156df5543 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78 No locals. #2 0x00007f3156da5998 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26 ret = <optimized out> #3 0x00007f3156d8f53d in __GI_abort () at abort.c:79 save_stage = 1 act = {__sigaction_handler = {sa_handler = 0x20, sa_sigaction = 0x20}, sa_mask = {__val = {32, 0 <repeats 15 times>}}, sa_flags = 268435456, sa_restorer = 0x0} #4 0x00007f315725e0e1 in dump_core () at ../../source3/lib/dumpcore.c:338 called = true __FUNCTION__ = "dump_core" #5 0x00007f3157268af6 in smb_panic_s3 (why=<optimized out>) at ../../source3/lib/util.c:704 lp_sub = <optimized out> cmd = <optimized out> result = <optimized out> __FUNCTION__ = "smb_panic_s3" #6 0x00007f315713687f in smb_panic (why=0x7f3156f80040 "Bad talloc magic value - access after free") at ../../lib/util/fault.c:197 No locals. #7 0x00007f3156f7a322 in talloc_abort (reason=<optimized out>) at ../../talloc.c:509 No locals. #8 talloc_abort_unknown_value () at ../../talloc.c:519 No locals. 
#9 talloc_chunk_from_ptr (ptr=<optimized out>) at ../../talloc.c:535 pp = <optimized out> tc = <optimized out> pp = <optimized out> tc = <optimized out> #10 __talloc_get_name (ptr=<optimized out>) at ../../talloc.c:1562 tc = <optimized out> tc = <optimized out> #11 _talloc_get_type_abort (ptr=<optimized out>, name=name@entry=0x7f315744e57e "struct tevent_req", location=location@entry=0x7f31574527a8 "../../source3/modules/vfs_default.c:1154") at ../../talloc.c:1619 pname = <optimized out> #12 0x00007f3157359c0e in vfs_fsync_done (subreq=0x5637bfd88df0) at ../../source3/modules/vfs_default.c:1154 req = <optimized out> state = <optimized out> ret = <optimized out> #13 0x00007f3156f5abdb in tevent_common_invoke_immediate_handler (im=0x5637bfd89050, removed=removed@entry=0x0) at ../../tevent_immediate.c:190 handler_ev = 0x5637bfd2e340 ev = 0x5637bfd2e340 cur = {prev = <optimized out>, next = <optimized out>, event_ctx = 0x5637bfd2e340, wrapper = 0x0, busy = <optimized out>, destroyed = <optimized out>, detach_ev_ctx = <optimized out>, handler = <optimized out>, private_data = <optimized out>, handler_name = <optimized out>, create_location = <optimized out>, schedule_location = <optimized out>, cancel_fn = <optimized out>, additional_data = <optimized out>, tag = <optimized out>} #14 0x00007f3156f5abfb in tevent_common_loop_immediate (ev=ev@entry=0x5637bfd2e340) at ../../tevent_immediate.c:236 im = <optimized out> ret = <optimized out> #15 0x00007f3156f5e503 in epoll_event_loop_once (ev=0x5637bfd2e340, location=<optimized out>) at ../../tevent_epoll.c:919 epoll_ev = 0x5637bfd423d0 tval = {tv_sec = 0, tv_usec = 140736771734080} panic_triggered = false #16 0x00007f3156f5692d in std_event_loop_once (ev=0x5637bfd2e340, location=0x7f3157481418 "../../source3/smbd/process.c:4243") at ../../tevent_standard.c:110 glue_ptr = <optimized out> glue = 0x5637bfd3cb60 ret = <optimized out> #17 0x00007f3156f58e96 in _tevent_loop_once (ev=ev@entry=0x5637bfd2e340, 
location=location@entry=0x7f3157481418 "../../source3/smbd/process.c:4243") at ../../tevent.c:825 ret = <optimized out> nesting_stack_ptr = 0x0 #18 0x00007f3156f58f9c in tevent_common_loop_wait (ev=0x5637bfd2e340, location=0x7f3157481418 "../../source3/smbd/process.c:4243") at ../../tevent.c:948 ret = <optimized out> #19 0x00007f3156f5699d in std_event_loop_wait (ev=0x5637bfd2e340, location=0x7f3157481418 "../../source3/smbd/process.c:4243") at ../../tevent_standard.c:141 glue_ptr = <optimized out> glue = 0x5637bfd3cb60 ret = <optimized out> #20 0x00007f31573e6edc in smbd_process (ev_ctx=ev_ctx@entry=0x5637bfd2e340, msg_ctx=msg_ctx@entry=0x5637bfd28360, sock_fd=sock_fd@entry=33, interactive=interactive@entry=false) at ../../source3/smbd/process.c:4243 trace_state = {ev = 0x5637bfd2e340, frame = 0x5637bfd59e60, profile_idle = {start = 0, stats = 0x0}} lp_sub = 0x7f315729eae0 <s3_global_substitution> client = 0x5637bfd3f870 sconn = 0x5637bfd53080 xconn = 0x5637bfd59b30 locaddr = <optimized out> remaddr = <optimized out> ret = <optimized out> status = <optimized out> tv = {tv_sec = 1660109472, tv_usec = 640140} now = 133045830726401400 chroot_dir = <optimized out> rc = <optimized out> __func__ = "smbd_process" __FUNCTION__ = "smbd_process" #21 0x00005637be620c9c in smbd_accept_connection (ev=0x5637bfd2e340, fde=<optimized out>, flags=<optimized out>, private_data=<optimized out>) at ../../source3/smbd/server.c:1037 status = <optimized out> s = 0x0 msg_ctx = 0x5637bfd28360 addr = {ss_family = 2, __ss_padding = "\317U\nR^\264\000\000\000\000\000\000\000\000\270\020\257V1\177\000\000P\245Կ7V\000\000@\343ҿ7V\000\000\003\260\367V1\177\000\000\340tտ7V\000\000\260\245Կ7V\000\000@\343ҿ7V\000\000\265gK\325\377\177\000\000@\343ҿ7V\000\000\070\234Կ7V\000\000\020\234Կ7V\000\000c\317\365V1\177\000\000\240B\363b\000\000\000", __ss_align = 139849889076566} in_addrlen = 16 fd = 33 pid = 0 __FUNCTION__ = "smbd_accept_connection" #22 0x00007f3156f5a986 in 
tevent_common_invoke_fd_handler (fde=fde@entry=0x5637bfd542a0, flags=1, removed=removed@entry=0x0) at ../../tevent_fd.c:142 handler_ev = 0x5637bfd2e340 #23 0x00007f3156f5e738 in epoll_event_loop (tvalp=0x7fffd5493bc0, epoll_ev=0x5637bfd3cbf0) at ../../tevent_epoll.c:737 fde = 0x5637bfd542a0 flags = <optimized out> mpx_fde = <optimized out> ret = <optimized out> i = 0 timeout = <optimized out> wait_errno = <optimized out> events = {{events = 1, data = {ptr = 0x5637bfd542a0, fd = -1076542816, u32 = 3218424480, u64 = 94797441614496}}} ret = <optimized out> i = <optimized out> events = <optimized out> timeout = <optimized out> wait_errno = <optimized out> fde = <optimized out> flags = <optimized out> mpx_fde = <optimized out> handled_fde = <optimized out> handled_mpx = <optimized out> #24 epoll_event_loop_once (ev=<optimized out>, location=<optimized out>) at ../../tevent_epoll.c:938 epoll_ev = 0x5637bfd3cbf0 tval = {tv_sec = 885, tv_usec = 24163} panic_triggered = false #25 0x00007f3156f5692d in std_event_loop_once (ev=0x5637bfd2e340, location=0x5637be6259d0 "../../source3/smbd/server.c:1381") at ../../tevent_standard.c:110 glue_ptr = <optimized out> glue = 0x5637bfd3cb60 ret = <optimized out> #26 0x00007f3156f58e96 in _tevent_loop_once (ev=ev@entry=0x5637bfd2e340, location=location@entry=0x5637be6259d0 "../../source3/smbd/server.c:1381") at ../../tevent.c:825 ret = <optimized out> nesting_stack_ptr = 0x0 #27 0x00007f3156f58f9c in tevent_common_loop_wait (ev=0x5637bfd2e340, location=0x5637be6259d0 "../../source3/smbd/server.c:1381") at ../../tevent.c:948 ret = <optimized out> #28 0x00007f3156f5699d in std_event_loop_wait (ev=0x5637bfd2e340, location=0x5637be6259d0 "../../source3/smbd/server.c:1381") at ../../tevent_standard.c:141 glue_ptr = <optimized out> glue = 0x5637bfd3cb60 ret = <optimized out> #29 0x00005637be61ed27 in smbd_parent_loop (parent=0x5637bfd3c500, ev_ctx=0x5637bfd2e340) at ../../source3/smbd/server.c:1381 trace_state = {frame = 0x5637bfd404b0} ret = 
0 trace_state = <optimized out> ret = <optimized out> __FUNCTION__ = <optimized out> #30 main (argc=<optimized out>, argv=<optimized out>) at ../../source3/smbd/server.c:2125 cmdline_daemon_cfg = <optimized out> log_stdout = <optimized out> ports = 0x0 profile_level = 0x0 opt = <optimized out> pc = <optimized out> main_server_id = {pid = 202662, task_id = 0, vnn = 4294967295, unique_id = 8518578424082923956} long_options = {{longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x7f3156f74160 <poptHelpOptions>, val = 0, descrip = 0x5637be6234d9 "Help options:", argDescrip = 0x0}, {longName = 0x5637be6234e7 "build-options", shortName = 98 'b', argInfo = 0, arg = 0x0, val = 98, descrip = 0x5637be6234f5 "Print build options", argDescrip = 0x0}, {longName = 0x5637be623509 "port", shortName = 112 'p', argInfo = 1, arg = 0x7fffd5493d10, val = 0, descrip = 0x5637be62350e "Listen on the specified ports", argDescrip = 0x0}, {longName = 0x5637be62352c "profiling-level", shortName = 80 'P', argInfo = 1, arg = 0x7fffd5493d08, val = 0, descrip = 0x5637be62353c "Set profiling level", argDescrip = 0x5637be623550 "PROFILE_LEVEL"}, {longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x7f31574e9920 <popt_common_samba>, val = 0, descrip = 0x5637be62355e "Common Samba options:", argDescrip = 0x0}, {longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x7f31574e9320 <popt_common_daemon>, val = 0, descrip = 0x5637be623574 "Daemon options:", argDescrip = 0x0}, {longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x7f31574e9440 <popt_common_version>, val = 0, descrip = 0x5637be623584 "Version options:", argDescrip = 0x0}, {longName = 0x0, shortName = 0 '\000', argInfo = 0, arg = 0x0, val = 0, descrip = 0x0, argDescrip = 0x0}} parent = 0x5637bfd3c500 frame = <optimized out> status = <optimized out> ev_ctx = 0x5637bfd2e340 msg_ctx = <optimized out> server_id = {pid = 202662, task_id = 0, vnn = 4294967295, unique_id = 2472484126392175627} se = <optimized out> 
profiling_level = <optimized out> np_dir = <optimized out> lp_sub = <optimized out> ok = <optimized out> smbd_shim_fns = {send_stat_cache_delete_message = 0x7f31573d0cc0 <smbd_send_stat_cache_delete_message>, change_to_root_user = 0x7f31573b9690 <smbd_change_to_root_user>, become_authenticated_pipe_user = 0x7f31573b9730 <smbd_become_authenticated_pipe_user>, unbecome_authenticated_pipe_user = 0x7f31573b9830 <smbd_unbecome_authenticated_pipe_user>, contend_level2_oplocks_begin = 0x7f3157429a10 <smbd_contend_level2_oplocks_begin>, contend_level2_oplocks_end = 0x7f3157422800 <smbd_contend_level2_oplocks_end>, become_root = 0x7f31573b9800 <smbd_become_root>, unbecome_root = 0x7f31573b9840 <smbd_unbecome_root>, exit_server = 0x7f3157422d70 <smbd_exit_server>, exit_server_cleanly = 0x7f3157422d90 <smbd_exit_server_cleanly>} __func__ = "main" __FUNCTION__ = "main"