Bug 6989 - Bad talloc magic value - double free
Summary: Bad talloc magic value - double free
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: File services (show other bugs)
Version: unspecified
Hardware: Other Linux
: P3 major (vote)
Target Milestone: ---
Assignee: Andrew Tridgell
QA Contact: samba4-qa@samba.org
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-12-15 03:44 UTC by Matthieu Patou
Modified: 2009-12-16 04:08 UTC (History)
2 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Matthieu Patou 2009-12-15 03:44:02 UTC 
pvfs_oplock_break: auto release oplock level 1 for '\scripts\showupdatelist.vbs' 0xc5f93a0
ERROR: talloc_free with references at ntvfs/posix/pvfs_wait.c:107
        reference at ntvfs/posix/pvfs_wait.c:86
talloc: double free error - first free may be at ntvfs/posix/pvfs_open.c:1002
Bad talloc magic value - double free
PANIC: Bad talloc magic value - double free
BACKTRACE: 24 stack frames:
 #0 /usr/local/samba/sbin/samba(call_backtrace+0x2b) [0x8a18057]
 #1 /usr/local/samba/sbin/samba(smb_panic+0x296) [0x8a183d8]
 #2 /usr/local/samba/sbin/samba [0x8a31a03]
 #3 /usr/local/samba/sbin/samba [0x8a31ab1]
 #4 /usr/local/samba/sbin/samba [0x8a31bbf]
 #5 /usr/local/samba/sbin/samba(talloc_get_name+0x1d) [0x8a32d29]
 #6 /usr/local/samba/sbin/samba(talloc_check_name+0x34) [0x8a32dad]
 #7 /usr/local/samba/sbin/samba(pvfs_async_setup+0x2b) [0x83d990b]
 #8 /usr/local/samba/sbin/samba(ntvfs_next_async_setup+0x5e) [0x83c0ad4]
 #9 /usr/local/samba/sbin/samba [0x83fdf72]
 #10 /usr/local/samba/sbin/samba(ntvfs_async_setup+0x55) [0x83bfdd2]
 #11 /usr/local/samba/sbin/samba [0x83d99e7]
 #12 /usr/local/samba/sbin/samba [0x873d8fc]
 #13 /usr/local/samba/sbin/samba [0x873e42e]
 #14 /usr/local/samba/sbin/samba [0x873e4a8]
 #15 /usr/local/samba/sbin/samba [0x8a38c27]
 #16 /usr/local/samba/sbin/samba [0x8a3928c]
 #17 /usr/local/samba/sbin/samba(_tevent_loop_once+0xde) [0x8a35636]
 #18 /usr/local/samba/sbin/samba(tevent_common_loop_wait+0x26) [0x8a35855]
 #19 /usr/local/samba/sbin/samba(_tevent_loop_wait+0x1d) [0x8a35913]
 #20 /usr/local/samba/sbin/samba [0x80df1ed]
 #21 /usr/local/samba/sbin/samba(main+0x38) [0x80df252]
 #22 /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xc8) [0xb7c81ea8]
 #23 /usr/local/samba/sbin/samba [0x80ddfc1]
Comment 1 Matthias Dieter Wallnöfer 2009-12-15 09:22:31 UTC 
First, this is the code part where the bug occurs:

> static void pvfs_wait_timeout(struct tevent_context *ev,
>                               struct tevent_timer *te, struct timeval t,
>                               void *private_data)
> {
>         struct pvfs_wait *pwait = talloc_get_type(private_data,
>                                                   struct pvfs_wait);
>         struct ntvfs_request *req = pwait->req;
>
>         pwait->reason = PVFS_WAIT_TIMEOUT;
>
>         talloc_increase_ref_count(req);
>         ntvfs_async_setup(pwait->req, pwait);
>         talloc_free(req);
> }

I doubt if the "talloc_increase_ref_count" is really needed and I think that this is the cause of the "free" problem. Since "talloc_increase_ref_count" adds the "NULL" context as parent and then a "talloc_free" isn't possible anymore (works only with exactly *one* parent). We had to change it in a "talloc_unlink" - but I don't know for which parent (for NULL?). So maybe someone who wrote the code could enlighten us how to fix.

I think I add metze to the bug - he also like tridge has a good knowledge about the s4 file server (code).
Comment 2 Andrew Tridgell 2009-12-15 15:50:10 UTC 
Hi Matthieu,

Can you give me a way to reproduce this? Maybe a smbclient command
or a smbtorture command?

Cheers, Tridge
Comment 3 Andrew Tridgell 2009-12-16 04:08:49 UTC 
I think this should be fixed with commit d31b6360d64eb821da07f4342093d1323db7b4dd

Please test the fix, and let me know if the segv happens again.

Thanks for the bug report!

Cheers, Tridge