pvfs_oplock_break: auto release oplock level 1 for '\scripts\showupdatelist.vbs' 0xc5f93a0
ERROR: talloc_free with references at ntvfs/posix/pvfs_wait.c:107
	reference at ntvfs/posix/pvfs_wait.c:86
talloc: double free error - first free may be at ntvfs/posix/pvfs_open.c:1002
Bad talloc magic value - double free
PANIC: Bad talloc magic value - double free
BACKTRACE: 24 stack frames:
 #0 /usr/local/samba/sbin/samba(call_backtrace+0x2b) [0x8a18057]
 #1 /usr/local/samba/sbin/samba(smb_panic+0x296) [0x8a183d8]
 #2 /usr/local/samba/sbin/samba [0x8a31a03]
 #3 /usr/local/samba/sbin/samba [0x8a31ab1]
 #4 /usr/local/samba/sbin/samba [0x8a31bbf]
 #5 /usr/local/samba/sbin/samba(talloc_get_name+0x1d) [0x8a32d29]
 #6 /usr/local/samba/sbin/samba(talloc_check_name+0x34) [0x8a32dad]
 #7 /usr/local/samba/sbin/samba(pvfs_async_setup+0x2b) [0x83d990b]
 #8 /usr/local/samba/sbin/samba(ntvfs_next_async_setup+0x5e) [0x83c0ad4]
 #9 /usr/local/samba/sbin/samba [0x83fdf72]
 #10 /usr/local/samba/sbin/samba(ntvfs_async_setup+0x55) [0x83bfdd2]
 #11 /usr/local/samba/sbin/samba [0x83d99e7]
 #12 /usr/local/samba/sbin/samba [0x873d8fc]
 #13 /usr/local/samba/sbin/samba [0x873e42e]
 #14 /usr/local/samba/sbin/samba [0x873e4a8]
 #15 /usr/local/samba/sbin/samba [0x8a38c27]
 #16 /usr/local/samba/sbin/samba [0x8a3928c]
 #17 /usr/local/samba/sbin/samba(_tevent_loop_once+0xde) [0x8a35636]
 #18 /usr/local/samba/sbin/samba(tevent_common_loop_wait+0x26) [0x8a35855]
 #19 /usr/local/samba/sbin/samba(_tevent_loop_wait+0x1d) [0x8a35913]
 #20 /usr/local/samba/sbin/samba [0x80df1ed]
 #21 /usr/local/samba/sbin/samba(main+0x38) [0x80df252]
 #22 /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xc8) [0xb7c81ea8]
 #23 /usr/local/samba/sbin/samba [0x80ddfc1]
First, this is the code part where the bug occurs:

> static void pvfs_wait_timeout(struct tevent_context *ev,
>                               struct tevent_timer *te, struct timeval t,
>                               void *private_data)
> {
>         struct pvfs_wait *pwait = talloc_get_type(private_data,
>                                                   struct pvfs_wait);
>         struct ntvfs_request *req = pwait->req;
>
>         pwait->reason = PVFS_WAIT_TIMEOUT;
>
>         talloc_increase_ref_count(req);
>         ntvfs_async_setup(pwait->req, pwait);
>         talloc_free(req);
> }

I doubt whether the "talloc_increase_ref_count" is really needed, and I think that this is the cause of the "free" problem, since "talloc_increase_ref_count" adds the "NULL" context as a parent, and then a "talloc_free" isn't possible anymore (it works only with exactly *one* parent). We would have to change it to a "talloc_unlink", but I don't know for which parent (for NULL?). So maybe someone who wrote the code could enlighten us on how to fix it. I think I'll add metze to the bug; like tridge, he also has a good knowledge of the s4 file server (code).
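As an added illustration (not code from Samba or from this report), a small C model of the talloc ownership rules the comment above relies on: a chunk has one parent, talloc_increase_ref_count() adds NULL as an extra parent, talloc_free() refuses while references exist, and talloc_unlink() releases one named parent. Everything in it (LIVE_MAGIC, the m_* helpers, replay_timeout, owner_double_free) is constructed; it reproduces the two diagnostics seen in the log but is not libtalloc's implementation.

```c
#include <stdlib.h>
/* Constructed model of talloc's ownership rules; not libtalloc itself. */
#define LIVE_MAGIC  0x7a11c0deu   /* stand-in for talloc's chunk magic */
#define FREED_MAGIC 0xdeadf1eeu   /* what a stale header holds after a free */
enum { OK = 0, ERR_REFS = -1, ERR_MAGIC = -2 };
/* magic is checked on every call (as talloc_check_name() does); parent is the single owning
 * context; refs counts extra references, which talloc_increase_ref_count() adds with NULL as owner */
struct chunk { unsigned magic; const void *parent; int refs; };
static struct chunk *m_alloc(const void *parent) {
    struct chunk *c = calloc(1, sizeof *c);
    c->magic = LIVE_MAGIC; c->parent = parent;
    return c;
}
/* talloc_increase_ref_count(ptr) is talloc_reference(NULL, ptr) */
static int m_increase_ref(struct chunk *c) {
    if (c->magic != LIVE_MAGIC) return ERR_MAGIC;
    c->refs++; return OK;
}
/* talloc_free(ptr): refused while another parent holds the chunk ("talloc_free with references");
 * freeing again meets the stale header ("Bad talloc magic value - double free"). The memory is
 * deliberately not handed back to malloc so that second check is deterministic in this model. */
static int m_free(struct chunk *c) {
    if (c->magic != LIVE_MAGIC) return ERR_MAGIC;
    if (c->refs > 0) return ERR_REFS;
    c->magic = FREED_MAGIC; return OK;
}
/* talloc_unlink(parent, ptr): drops exactly the named parent; frees only when it was the last one */
static int m_unlink(const void *parent, struct chunk *c) {
    if (c->magic != LIVE_MAGIC) return ERR_MAGIC;
    if (parent == NULL && c->refs > 0) { c->refs--; return OK; }  /* drop the NULL reference */
    if (parent != c->parent) return ERR_REFS;                      /* caller is not a parent */
    if (c->refs > 0) { c->parent = NULL; c->refs--; return OK; }   /* a reference takes over */
    c->magic = FREED_MAGIC; return OK;
}
static int owner_ctx;   /* stands in for the talloc context that owns the request */
/* The handler's pattern on a fresh request: take the reference, then release it the buggy way
 * (talloc_free) or the fixed way (talloc_unlink(NULL, ...)); returns the release result. */
static int replay_timeout(int use_unlink) {
    struct chunk *req = m_alloc(&owner_ctx);
    m_increase_ref(req);
    return use_unlink ? m_unlink(NULL, req) : m_free(req);
}
/* The owner frees the request once; a second free is caught by the magic check. */
static int owner_double_free(void) {
    struct chunk *req = m_alloc(&owner_ctx);
    if (m_unlink(&owner_ctx, req) != OK) return ERR_REFS;
    return m_free(req);   /* ERR_MAGIC: the "double free" talloc reports */
}
```

In the model the buggy path leaves the NULL reference behind, so the owner can never free the request either, while the unlink path releases only the reference the handler itself took.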
Hi Matthieu,

Can you give me a way to reproduce this? Maybe a smbclient command or a smbtorture command?

Cheers, Tridge
I think this should be fixed with commit d31b6360d64eb821da07f4342093d1323db7b4dd

Please test the fix, and let me know if the segv happens again.

Thanks for the bug report!

Cheers, Tridge