Bug 15895 - rpcd_lsad and samba-dcerpcd killed by SIGABRT
Summary: rpcd_lsad and samba-dcerpcd killed by SIGABRT
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DCE-RPCs and pipes
Version: 4.21.3
Hardware: x64 Linux
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2025-08-15 14:48 UTC by Aleksandr Kharten
Modified: 2026-01-05 16:58 UTC
Attachments
coredump, binary, log.rpcd_lsad, rpms (32.76 MB, application/zip)
2025-08-15 14:48 UTC, Aleksandr Kharten

Description Aleksandr Kharten 2025-08-15 14:48:47 UTC
Created attachment 18688
coredump, binary, log.rpcd_lsad, rpms

We have a clustered Samba 4.21.3 running through tests. This particular test executes a Linux kernel compilation on a Samba share.

Server's smb.conf:
[global]
      clustering = Yes
      printcap name = cups
      security = USER
      workgroup = SAMBA
      idmap config * : backend = tdb
      cups options = raw
      include = /etc/samba/usershares.conf
      posix locking = No
[homes]
      browseable = No
      comment = Home Directories
      inherit acls = Yes
      read only = No
      valid users = %S %D%w%S
[printers]
      browseable = No
      comment = All Printers
      create mask = 0600
      path = /var/tmp
      printable = Yes
[print$]
      comment = Printer Drivers
      create mask = 0664
      directory mask = 0775
      force group = @printadmin
      path = /var/lib/samba/drivers
      write list = @printadmin root


After the test passed successfully, we found a bunch of coredumps of the rpcd_lsad and samba-dcerpcd processes:

Sat 2025-08-09 16:58:02 EEST 550249 0 0 SIGABRT present /usr/libexec/samba/rpcd_lsad 801.5K
Sat 2025-08-09 17:44:01 EEST 575039 0 0 SIGABRT present /usr/libexec/samba/samba-dcerpcd 718.2K
Sat 2025-08-09 18:14:02 EEST 591320 0 0 SIGABRT present /usr/libexec/samba/rpcd_lsad 801.5K
Sat 2025-08-09 20:48:02 EEST 674566 0 0 SIGABRT present /usr/libexec/samba/samba-dcerpcd 718.4K
Sun 2025-08-10 03:36:02 EEST 895667 0 0 SIGABRT present /usr/libexec/samba/samba-dcerpcd 718.1K
Sun 2025-08-10 03:58:02 EEST 907551 0 0 SIGABRT present /usr/libexec/samba/rpcd_lsad 802.6K
Sun 2025-08-10 10:06:01 EEST 1107966 0 0 SIGABRT present /usr/libexec/samba/samba-dcerpcd 718.5K
Sun 2025-08-10 12:24:02 EEST 1184328 0 0 SIGABRT present /usr/libexec/samba/rpcd_lsad 802.5K

They all have the same stack. The last dump in that list is in the attached coredump.zip, alongside log.rpcd_lsad and the rpms.

Backtrace:
(gdb) bt
#0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
#1  0x00007f726f4a15a3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
#2  0x00007f726f454d06 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3  0x00007f726f4287f3 in __GI_abort () at abort.c:79
#4  0x00007f727031bf54 in dump_core () at ../../source3/lib/dumpcore.c:339
#5  0x00007f7270328314 in smb_panic_s3 (why=<optimized out>) at ../../source3/lib/util.c:716
#6  0x00007f7270368e1e in smb_panic (why=why@entry=0x7ffc08b70cd0 "Signal 11: Segmentation fault") at ../../lib/util/fault.c:209
#7  0x00007f7270368fd8 in fault_report (sig=11) at ../../lib/util/fault.c:83
#8  sig_fault (sig=11) at ../../lib/util/fault.c:94
#9  <signal handler called>
#10 0x00007f726f4a434c in __pthread_mutex_unlock_full (mutex=0x7f726bb9dfd8, decr=1) at pthread_mutex_unlock.c:163
#11 0x00007f726f4a4625 in __GI___pthread_mutex_unlock_usercnt (mutex=<optimized out>, decr=decr@entry=1) at pthread_mutex_unlock.c:56
#12 0x00007f726f4a46ee in ___pthread_mutex_unlock (mutex=<optimized out>) at pthread_mutex_unlock.c:369
#13 0x00007f726ee32140 in tdb_mutex_unlock (rw=<optimized out>, pret=<synthetic pointer>, len=1, off=35364, tdb=0x5593324260d0)
    at ../../common/mutex.c:347
#14 fcntl_unlock (rw=0, len=1, off=35364, tdb=0x5593324260d0) at ../../common/lock.c:125
#15 tdb_brunlock (tdb=0x5593324260d0, rw_type=0, offset=35364, len=1) at ../../common/lock.c:234
#16 0x00007f726ee32436 in tdb_brunlock (len=1, offset=<optimized out>, rw_type=<optimized out>, tdb=0x5593324260d0)
    at ../../common/lock.c:229
#17 tdb_nest_unlock (tdb=tdb@entry=0x5593324260d0, offset=<optimized out>, ltype=<optimized out>, mark_lock=mark_lock@entry=false)
    at ../../common/lock.c:552
#18 0x00007f726ee35714 in tdb_nest_unlock (mark_lock=false, ltype=0, offset=<optimized out>, tdb=0x5593324260d0) at ../../common/lock.c:169
#19 0x00007f726ee35927 in tdb_parse_record (tdb=0x5593324260d0, key=..., parser=parser@entry=0x7f727031e640 <gencache_parse_fn>, 
    private_data=private_data@entry=0x7ffc08b71410) at ../../common/tdb.c:340
#20 0x00007f7270326305 in gencache_parse (keystr=keystr@entry=0x55933242b840 "IDMAP/SID2XID/S-1-5-7", 
    parser=parser@entry=0x7f727031e700 <gencache_get_data_blob_parser>, private_data=private_data@entry=0x7ffc08b71450)
    at ../../source3/lib/gencache.c:431
#21 0x00007f7270326446 in gencache_get_data_blob (keystr=keystr@entry=0x55933242b840 "IDMAP/SID2XID/S-1-5-7", 
    mem_ctx=mem_ctx@entry=0x55933242a410, blob=blob@entry=0x7ffc08b714b0, timeout=timeout@entry=0x7ffc08b71508, 
    was_expired=was_expired@entry=0x0) at ../../source3/lib/gencache.c:511
#22 0x00007f7270326522 in gencache_get (keystr=keystr@entry=0x55933242b840 "IDMAP/SID2XID/S-1-5-7", mem_ctx=0x55933242a410, 
    value=value@entry=0x7ffc08b71518, ptimeout=ptimeout@entry=0x7ffc08b71508) at ../../source3/lib/gencache.c:563
#23 0x00007f727032662e in idmap_cache_find_sid2unixid (sid=sid@entry=0x5593324068e0, id=id@entry=0x55933242b750, 
    expired=expired@entry=0x7ffc08b71653) at ../../source3/lib/idmap_cache.c:53
#24 0x00007f727027681a in sids_to_unixids (sids=0x5593324068e0, num_sids=3, ids=ids@entry=0x55933242b750)
    at ../../source3/passdb/lookup_sid.c:1432
#25 0x00007f727056ff30 in auth3_session_info_create (mem_ctx=mem_ctx@entry=0x0, user_info_dc=<optimized out>, 
    original_user_name=original_user_name@entry=0x7f7270578d77 "", session_info_flags=<optimized out>, session_info_flags@entry=13, 
    session_info_out=session_info_out@entry=0x7f7270583038 <anonymous_info>) at ../../source3/auth/auth_util.c:1022
#26 0x00007f72705720f1 in make_new_session_info_anonymous (session_info=0x7f7270583038 <anonymous_info>, mem_ctx=0x0)
    at ../../source3/auth/auth_util.c:1611
#27 init_guest_session_info (mem_ctx=0x0) at ../../source3/auth/auth_util.c:1786
#28 init_guest_session_info (mem_ctx=mem_ctx@entry=0x0) at ../../source3/auth/auth_util.c:1772
#29 0x00007f72708d0506 in rpc_worker_main (argc=<optimized out>, argv=<optimized out>, daemon_config_name=<optimized out>, num_workers=5, 
    idle_seconds=60, get_interfaces=0x559330c7da50 <lsad_interfaces>, get_servers=0x559330c82ff0 <lsad_servers>, private_data=0x0)
    at ../../source3/rpc_server/rpc_worker.c:1191
#30 0x0000559330c7d8c0 in main (argc=<optimized out>, argv=<optimized out>) at ../../source3/rpc_server/rpcd_lsad.c:132


The segfault happens inside pthread_mutex_unlock during the DEQUEUE_MUTEX operation, probably because the mutex has an empty robust futex link.

(gdb) frame 10
#10 0x00007f726f4a434c in __pthread_mutex_unlock_full (mutex=0x7f726bb9dfd8, decr=1) at pthread_mutex_unlock.c:163
163         DEQUEUE_MUTEX (mutex);
(gdb) l
158         THREAD_SETMEM (THREAD_SELF, robust_head.list_op_pending,
159                    &mutex->__data.__list.__next);
160         /* We must set op_pending before we dequeue the mutex.  Also see
161          comments at ENQUEUE_MUTEX.  */
162         __asm ("" ::: "memory");
163         DEQUEUE_MUTEX (mutex);
164   
165         mutex->__data.__owner = newowner;
166         if (decr)
167         /* One less user.  */


It was the first such crash in a long period, and we have not yet been able to reproduce it.
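
Added example, not part of the original report and not glibc or Samba code: a simplified C model of a doubly linked robust list, showing why an unlock that unlinks a mutex with empty list links faults at the dequeue step. All names are hypothetical, and clearing the links while the mutex is held is an assumption made for illustration; the report does not establish how the links became empty.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of a per-thread robust list; names are hypothetical,
 * this is not glibc's code. Each held mutex is a node in a doubly
 * linked list anchored at a head that points to itself when empty. */
struct rlist { struct rlist *prev, *next; };
struct model_mutex { int owner; struct rlist list; };

static void head_init(struct rlist *h) { h->prev = h->next = h; }

/* Lock path: link the mutex in right after the head. */
static void enqueue(struct rlist *h, struct model_mutex *m) {
    m->list.next = h->next;
    m->list.prev = h;
    h->next->prev = &m->list;
    h->next = &m->list;
}

/* Unlock path: unlink the mutex. An unchecked dequeue writes through
 * both neighbours, so NULL links mean a write near address 0 (SIGSEGV).
 * The model reports that case as -1 instead of faulting. */
static int dequeue_checked(struct model_mutex *m) {
    if (m->list.next == NULL || m->list.prev == NULL)
        return -1;
    m->list.next->prev = m->list.prev;
    m->list.prev->next = m->list.next;
    m->list.prev = m->list.next = NULL;
    m->owner = 0;
    return 0;
}

/* Lock, optionally lose the links while held, then unlock. */
int unlock_result(int clobber_links) {
    struct rlist head;
    struct model_mutex m = { 0, { NULL, NULL } };
    head_init(&head);
    m.owner = 1234;                 /* constructed TID */
    enqueue(&head, &m);
    if (clobber_links)              /* assumption: storage re-zeroed */
        memset(&m.list, 0, sizeof m.list);
    return dequeue_checked(&m);
}

int main(void) {
    printf("intact links:  %d\n", unlock_result(0));
    printf("cleared links: %d\n", unlock_result(1));
    return 0;
}
```

In the attached core, printing `mutex->__data.__list` in frame 10 shows whether the links were in fact NULL at the time of the fault.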