Created attachment 18763 [details]
Logs with a full stack trace.

2025-10-24T01:58:52.551756+00:00 addc.addom.samba.example.com winbindd[306061]: wbd_ping_dc_done: dcerpc_wbint_PingDc_recv failed for domain: TORTURE305 - NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
2025-10-24T01:58:52.551854+00:00 addc.addom.samba.example.com winbindd[306061]: free_domain: Free updated domain[0x58ce4dc1a4d0] name[TORTURE305] S-1-5-21-97398-379795-305 replaced by domain[0x58ce4cdb7790] name[TORTURE305]
2025-10-24T01:58:52.558471+00:00 addc.addom.samba.example.com winbindd[306061]: Bad talloc magic value - unknown value
2025-10-24T01:58:52.558544+00:00 addc.addom.samba.example.com winbindd[306061]: ===============================================================
2025-10-24T01:58:52.558558+00:00 addc.addom.samba.example.com winbindd[306061]: INTERNAL ERROR: Bad talloc magic value - unknown value in winbindd () () pid 306061 (4.24.0pre1-DEVELOPERBUILD)
2025-10-24T01:58:52.558573+00:00 addc.addom.samba.example.com winbindd[306061]: If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting
2025-10-24T01:58:52.558588+00:00 addc.addom.samba.example.com winbindd[306061]: ===============================================================
2025-10-24T01:58:52.558598+00:00 addc.addom.samba.example.com winbindd[306061]: PANIC (pid 306061): Bad talloc magic value - unknown value in 4.24.0pre1-DEVELOPERBUILD
2025-10-24T01:58:52.558772+00:00 addc.addom.samba.example.com winbindd[306061]: BACKTRACE: 16 stack frames:
 #0 bin/shared/private/libgenrand-private-samba.so(log_stack_trace+0x29) [0x7398e741ce59]
 #1 bin/shared/private/libgenrand-private-samba.so(smb_panic_log+0x256) [0x7398e741ce26]
 #2 bin/shared/private/libgenrand-private-samba.so(smb_panic+0x15) [0x7398e741cfe5]
 #3 bin/shared/private/libtalloc-private-samba.so(+0x9dca) [0x7398e7a60dca]
 #4 bin/shared/private/libtalloc-private-samba.so(+0x9d80) [0x7398e7a60d80]
 #5 bin/shared/private/libtalloc-private-samba.so(+0x497d) [0x7398e7a5b97d]
 #6 bin/shared/private/libtalloc-private-samba.so(+0x5ad5) [0x7398e7a5cad5]
 #7 bin/shared/private/libtalloc-private-samba.so(talloc_check_name+0x3c) [0x7398e7a5cb8c]
 #8 bin/shared/private/libtevent-private-samba.so(+0x1a7ac) [0x7398e83007ac]
 #9 bin/shared/private/libtevent-private-samba.so(+0x17e18) [0x7398e82fde18]
 #10 bin/shared/private/libtevent-private-samba.so(+0x16120) [0x7398e82fc120]
 #11 bin/shared/private/libtevent-private-samba.so(_tevent_loop_once+0x101) [0x7398e82f1861]
 #12 /data/samba/samba01/bin/winbindd(main+0x1b61) [0x58ce3a307ff1]
 #13 /lib/x86_64-linux-gnu/libc.so.6(+0x2a1ca) [0x7398e662a1ca]
 #14 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0x8b) [0x7398e662a28b]
 #15 /data/samba/samba01/bin/winbindd(_start+0x25) [0x58ce3a27d945]

Running make TESTS="samba4.rpc.lsa" test in a loop will trigger the crash.

It appears to be a race condition between

source3/winbindd/winbindd_util.c terminate_child, which kills the child process and frees the child monitor_fde.

	kill(c->pid, SIGTERM);
	c->pid = 0;
	if (c->sock != -1) {
		close(c->sock);
//	}
//	c->sock = -1;
//	DBG_ERR("Freed c->monitor_fde (%p), pid (%d)\n",
//		c->monitor_fde, c->pid);
//	TALLOC_FREE(c->monitor_fde);

and lib/tevent/tevent_epoll.c epoll_event_loop line 632

	struct tevent_fd *fde = talloc_get_type(events[i].data.ptr,
						struct tevent_fd);

The kill makes the child socket readable as the child process has gone away. The TALLOC_FREE(c->monitor_fde);

Sigh, let's try that again :-)

Running make TESTS="samba4.rpc.lsa" test in a loop will trigger the crash.

It appears to be a race condition between

source3/winbindd/winbindd_util.c terminate_child, which kills the child process and frees the child monitor_fde.

	kill(c->pid, SIGTERM);
	c->pid = 0;
	if (c->sock != -1) {
		close(c->sock);
	}
	c->sock = -1;
	TALLOC_FREE(c->monitor_fde);

and lib/tevent/tevent_epoll.c epoll_event_loop line 632

	struct tevent_fd *fde = talloc_get_type(events[i].data.ptr,
						struct tevent_fd);

The kill makes the child socket readable as the child process has gone away, which has:
source3/winbindd/winbindd_dual.c child_socket_readable registered

events[i].data.ptr points to c->monitor_fde
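
One general way a stale events[i].data.ptr like the one described above can arise, as an added example that is not part of the bug report and is not Samba or tevent code: epoll_wait() copies pointers into a batch, so an object torn down by one handler can still be referenced by a later entry in the same batch. The watcher struct and function names are hypothetical, the socketpair input is constructed, and deferring the free is one common mitigation, not the fix applied in Samba.

```c
#include <stdlib.h>
#include <sys/epoll.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical object whose address is stored in epoll_event.data.ptr. */
struct watcher {
    int fd, dead;                 /* dead: retired, but memory still valid */
    struct watcher *peer, *next;  /* peer: object this handler tears down */
};
static struct watcher *dead_list;

static struct watcher *watch(int ep, int fd)
{
    struct watcher *w = calloc(1, sizeof(*w));
    struct epoll_event ev = { .events = EPOLLIN, .data.ptr = w };
    if (w == NULL) abort();
    w->fd = fd;
    epoll_ctl(ep, EPOLL_CTL_ADD, fd, &ev);
    return w;
}

/* Unregister and close now, but defer free() until the batch is finished. */
static void retire(int ep, struct watcher *w)
{
    if (w->dead) return;
    epoll_ctl(ep, EPOLL_CTL_DEL, w->fd, NULL);
    close(w->fd);
    w->dead = 1; w->next = dead_list; dead_list = w;
}

/* Returns how many events in one batch pointed at a retired watcher; -1 on error. */
int stale_events_skipped(void)
{
    struct epoll_event evs[2];
    int sv[2], skipped = 0, ep = epoll_create1(0);
    if (ep < 0 || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    struct watcher *a = watch(ep, sv[0]), *b = watch(ep, sv[1]);
    a->peer = b; b->peer = a;
    if (write(sv[0], "x", 1) != 1 || write(sv[1], "x", 1) != 1) return -1;
    int n = epoll_wait(ep, evs, 2, 1000);     /* both ends are readable */
    for (int i = 0; i < n; i++) {
        struct watcher *w = evs[i].data.ptr;  /* copied before handlers ran */
        if (w->dead) { skipped++; continue; } /* valid read: free() was deferred */
        retire(ep, w->peer);                  /* handler tears down the peer */
    }
    retire(ep, a); retire(ep, b);             /* no-op for the one already dead */
    while (dead_list) { struct watcher *d = dead_list; dead_list = d->next; free(d); }
    close(ep);
    return n == 2 ? skipped : -1;
}
```

EPOLL_CTL_DEL and close() do not recall an event that epoll_wait() has already returned, which is why the second entry in the batch still arrives and has to be recognised as retired.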