see https://gitlab.com/samba-team/samba/-/merge_requests/2908
In a cluster setup samba-bgqd async callback cups_pcap_load_async can access messaging_ctdb_fde_ev associated with already destructed global_ctdb_ctx_destructor ==26053== Invalid read of size 8 ==26053== at 0x71692E1: messaging_ctdb_fde_ev_destructor (messages_ctdb.c:181) ==26053== by 0x40B2309: _tc_free_internal (talloc.c:1158) ==26053== by 0x40B3539: _tc_free_children_internal (talloc.c:1669) ==26053== by 0x40B24C4: _tc_free_internal (talloc.c:1184) ==26053== by 0x40B3539: _tc_free_children_internal (talloc.c:1669) ==26053== by 0x40B24C4: _tc_free_internal (talloc.c:1184) ==26053== by 0x40B2685: _talloc_free_internal (talloc.c:1248) ==26053== by 0x40B3963: _talloc_free (talloc.c:1792) ==26053== by 0x4056BCA: tevent_req_received (tevent_req.c:301) ==26053== by 0x405673D: tevent_req_destructor (tevent_req.c:135) ==26053== by 0x40B2309: _tc_free_internal (talloc.c:1158) ==26053== by 0x40B3539: _tc_free_children_internal (talloc.c:1669) ==26053== by 0x40B24C4: _tc_free_internal (talloc.c:1184) ==26053== by 0x40B2685: _talloc_free_internal (talloc.c:1248) ==26053== by 0x40B3963: _talloc_free (talloc.c:1792) ==26053== by 0x1384EF: cups_pcap_load_async (print_cups.c:507) ==26053== by 0x13894B: cups_cache_reload (print_cups.c:602) ==26053== by 0x1373AE: pcap_cache_reload (pcap.c:140) ==26053== by 0x1369D2: register_printing_bq_handlers (queue_process.c:323) ==26053== by 0x122AD6: main (samba-bgqd.c:316) ==26053== Address 0xed64d48 is 120 bytes inside a block of size 128 free'd ==26053== at 0x4C370EB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==26053== by 0x40B25E1: _tc_free_internal (talloc.c:1222) ==26053== by 0x40B2685: _talloc_free_internal (talloc.c:1248) ==26053== by 0x40B3963: _talloc_free (talloc.c:1792) ==26053== by 0x71691F6: messaging_ctdb_destroy (messages_ctdb.c:141) ==26053== by 0x7169C21: msg_ctdb_ref_destructor (messages_ctdb_ref.c:142) ==26053== by 0x40B2309: _tc_free_internal (talloc.c:1158) ==26053== by 0x40B3539: _tc_free_children_internal (talloc.c:1669) ==26053== by 0x40B24C4: _tc_free_internal (talloc.c:1184) ==26053== by 0x40B2685: _talloc_free_internal (talloc.c:1248) ==26053== by 0x40B3963: _talloc_free (talloc.c:1792) ==26053== by 0x4157380: messaging_reinit (messages.c:646) ==26053== by 0x416C01E: reinit_after_fork (util.c:488) ==26053== by 0x13844C: cups_pcap_load_async (print_cups.c:498) ==26053== by 0x13894B: cups_cache_reload (print_cups.c:602) ==26053== by 0x1373AE: pcap_cache_reload (pcap.c:140) ==26053== by 0x1369D2: register_printing_bq_handlers (queue_process.c:323) ==26053== by 0x122AD6: main (samba-bgqd.c:316) ==26053== Block was alloc'd at ==26053== at 0x4C346A4: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==26053== by 0x40B1989: __talloc_with_prefix (talloc.c:783) ==26053== by 0x40B1B23: __talloc (talloc.c:825) ==26053== by 0x40B1ECC: _talloc_named_const (talloc.c:982) ==26053== by 0x40B49C3: _talloc_zero (talloc.c:2421) ==26053== by 0x7168E68: messaging_ctdb_init (messages_ctdb.c:93) ==26053== by 0x716979D: messaging_ctdb_ref (messages_ctdb_ref.c:75) ==26053== by 0x415702A: messaging_init_internal (messages.c:563) ==26053== by 0x41572FD: messaging_init (messages.c:622) ==26053== by 0x4163ED3: global_messaging_context (global_contexts.c:62) ==26053== by 0x12273B: main (samba-bgqd.c:271) ==26053==
This bug was referenced in samba master: 2a104556e8489b9fc3e2185a1fbbec7f4c8d8fea
Created attachment 17743 [details] patch for v4.17 & v4.18 (same patch applies to both)
assign to Jule for inclusion in 4.17, 4.18
not sure if patch is needed for 4.16 but if it is, same patch will apply
Pushed to autobuild-v4-{18,17}-test.
This bug was referenced in samba v4-17-test: ddf64adea1358f0effb2148a03acfa5bb66cf1ea
This bug was referenced in samba v4-18-test: af00a0df70a591ef5890274ba700349abe9ec928
Closing out bug report. Thanks!
This bug was referenced in samba v4-18-stable (Release samba-4.18.0rc2): af00a0df70a591ef5890274ba700349abe9ec928
This bug was referenced in samba v4-17-stable (Release samba-4.17.6): ddf64adea1358f0effb2148a03acfa5bb66cf1ea