The following command:

./bin/samba-tool domain join s4.home.matws.net DC --targetdir /home/mat/workspace/samba/s4/ -Uadministrator%totoTATA123

fails like this if no DCs are present:

Finding a writeable DC for domain 's4.home.matws.net'
talloc: access after free error - first free may be at ../libcli/cldap/cldap.c:299
Bad talloc magic value - access after free

Program received signal SIGABRT, Aborted.
0x00007ffff69b33a5 in __GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
 in ../nptl/sysdeps/unix/sysv/linux/raise.c
(gdb) bt
#0 0x00007ffff69b33a5 in __GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1 0x00007ffff69b6b0b in __GI_abort () at abort.c:92
#2 0x00007ffff5a94212 in talloc_abort (reason=0x7ffff5a98ae0 "Bad talloc magic value - access after free") at ../lib/talloc/talloc.c:317
#3 0x00007ffff5a9429e in talloc_abort_access_after_free () at ../lib/talloc/talloc.c:336
#4 0x00007ffff5a9431b in talloc_chunk_from_ptr (ptr=0xfd6870) at ../lib/talloc/talloc.c:357
#5 0x00007ffff5a96673 in _talloc_free (ptr=0xfd6870, location=0x7ffff0105598 "../libcli/cldap/cldap.c:124") at ../lib/talloc/talloc.c:1348
#6 0x00007ffff0102812 in cldap_socket_destructor (c=0xfd6970) at ../libcli/cldap/cldap.c:124
#7 0x00007ffff5a95173 in _talloc_free_internal (ptr=0xfd6970, location=0x7ffff3690b78 "../source4/libcli/finddcs_cldap.c:276") at ../lib/talloc/talloc.c:826
#8 0x00007ffff5a9673f in _talloc_free (ptr=0xfd6970, location=0x7ffff3690b78 "../source4/libcli/finddcs_cldap.c:276") at ../lib/talloc/talloc.c:1370
#9 0x00007ffff367371b in finddcs_cldap_netlogon_replied (subreq=0x0) at ../source4/libcli/finddcs_cldap.c:276
#10 0x00007ffff40ed4db in _tevent_req_notify_callback (req=0xfd7430, location=0x7ffff0105e6d "../libcli/cldap/cldap.c:989") at ../lib/tevent/tevent_req.c:101
#11 0x00007ffff40ed50d in tevent_req_finish (req=0xfd7430, state=TEVENT_REQ_USER_ERROR, location=0x7ffff0105e6d "../libcli/cldap/cldap.c:989") at ../lib/tevent/tevent_req.c:110
#12 0x00007ffff40ed579 in _tevent_req_error (req=0xfd7430, error=10483072397370982581, location=0x7ffff0105e6d "../libcli/cldap/cldap.c:989") at ../lib/tevent/tevent_req.c:128
#13 0x00007ffff0cb9c9d in _tevent_req_nterror (req=0xfd7430, status=..., location=0x7ffff0105e6d "../libcli/cldap/cldap.c:989") at ../lib/util/tevent_ntstatus.c:45
#14 0x00007ffff0104bdd in cldap_netlogon_state_done (subreq=0xfd76d0) at ../libcli/cldap/cldap.c:989
#15 0x00007ffff40ed4db in _tevent_req_notify_callback (req=0xfd76d0, location=0x7ffff40f27d0 "tevent_req_timedout") at ../lib/tevent/tevent_req.c:101
#16 0x00007ffff40ed50d in tevent_req_finish (req=0xfd76d0, state=TEVENT_REQ_TIMED_OUT, location=0x7ffff40f27d0 "tevent_req_timedout") at ../lib/tevent/tevent_req.c:110
#17 0x00007ffff40ed84c in tevent_req_timedout (ev=0xfcab40, te=0xfd9670, now=..., private_data=0xfd76d0) at ../lib/tevent/tevent_req.c:242
#18 0x00007ffff40f12ce in tevent_common_loop_timer_delay (ev=0xfcab40) at ../lib/tevent/tevent_timed.c:254
#19 0x00007ffff40f08f4 in std_event_loop_once (ev=0xfcab40, location=0x7ffff40f2710 "../lib/tevent/tevent_req.c:210") at ../lib/tevent/tevent_standard.c:558
#20 0x00007ffff40ebc10 in _tevent_loop_once (ev=0xfcab40, location=0x7ffff40f2710 "../lib/tevent/tevent_req.c:210") at ../lib/tevent/tevent.c:505
#21 0x00007ffff40ed762 in tevent_req_poll (req=0xfd64a0, ev=0xfcab40) at ../lib/tevent/tevent_req.c:210
#22 0x00007ffff3673c22 in finddcs_cldap_recv (req=0xfd64a0, mem_ctx=0xfd12c0, io=0xfd12c0) at ../source4/libcli/finddcs_cldap.c:364
#23 0x00007ffff3673d52 in finddcs_cldap (mem_ctx=0xfd12c0, io=0xfd12c0, resolve_ctx=0xfd13f0, event_ctx=0xfcab40) at ../source4/libcli/finddcs_cldap.c:389
#24 0x00007fffe805e6e5 in py_net_finddc (self=0xf51468, args=0xf4ff38) at ../source4/libnet/py_net.c:597
Valgrind part related to this problem:
Here are two interesting backtraces. I got the first one by putting a breakpoint at finddcs_cldap_netlogon_replied. It shows that this function is called due to an error while receiving the cldap response.

#0 finddcs_cldap_netlogon_replied (subreq=0xfdd0a0) at ../source4/libcli/finddcs_cldap.c:272
#1 0x00007ffff40ec4db in _tevent_req_notify_callback (req=0xfdd0a0, location=0x7ffff0104e6d "../libcli/cldap/cldap.c:989") at ../lib/tevent/tevent_req.c:101
#2 0x00007ffff40ec50d in tevent_req_finish (req=0xfdd0a0, state=TEVENT_REQ_USER_ERROR, location=0x7ffff0104e6d "../libcli/cldap/cldap.c:989") at ../lib/tevent/tevent_req.c:110
#3 0x00007ffff40ec579 in _tevent_req_error (req=0xfdd0a0, error=10483072397370982966, location=0x7ffff0104e6d "../libcli/cldap/cldap.c:989") at ../lib/tevent/tevent_req.c:128
#4 0x00007ffff0cb8c9d in _tevent_req_nterror (req=0xfdd0a0, status=..., location=0x7ffff0104e6d "../libcli/cldap/cldap.c:989") at ../lib/util/tevent_ntstatus.c:45
#5 0x00007ffff0103bdd in cldap_netlogon_state_done (subreq=0xfdd3b0) at ../libcli/cldap/cldap.c:989
#6 0x00007ffff40ec4db in _tevent_req_notify_callback (req=0xfdd3b0, location=0x7ffff01046d0 "../libcli/cldap/cldap.c:297") at ../lib/tevent/tevent_req.c:101
#7 0x00007ffff40ec50d in tevent_req_finish (req=0xfdd3b0, state=TEVENT_REQ_USER_ERROR, location=0x7ffff01046d0 "../libcli/cldap/cldap.c:297") at ../lib/tevent/tevent_req.c:110
#8 0x00007ffff40ec579 in _tevent_req_error (req=0xfdd3b0, error=10483072397370982966, location=0x7ffff01046d0 "../libcli/cldap/cldap.c:297") at ../lib/tevent/tevent_req.c:128
#9 0x00007ffff0cb8c9d in _tevent_req_nterror (req=0xfdd3b0, status=..., location=0x7ffff01046d0 "../libcli/cldap/cldap.c:297") at ../lib/util/tevent_ntstatus.c:45
#10 0x00007ffff0101dc5 in cldap_socket_recv_dgram (c=0xfdc4f0, in=0xfdc860) at ../libcli/cldap/cldap.c:297
#11 0x00007ffff0101a2d in cldap_recvfrom_done (subreq=0x0) at ../libcli/cldap/cldap.c:203
#12 0x00007ffff40ec4db in _tevent_req_notify_callback (req=0xfdc620, location=0x7fffefb71f14 "../lib/tsocket/tsocket.c:233") at ../lib/tevent/tevent_req.c:101
#13 0x00007ffff40ec50d in tevent_req_finish (req=0xfdc620, state=TEVENT_REQ_USER_ERROR, location=0x7fffefb71f14 "../lib/tsocket/tsocket.c:233") at ../lib/tevent/tevent_req.c:110
#14 0x00007ffff40ec579 in _tevent_req_error (req=0xfdc620, error=111, location=0x7fffefb71f14 "../lib/tsocket/tsocket.c:233") at ../lib/tevent/tevent_req.c:128
#15 0x00007fffefb69460 in tdgram_recvfrom_done (subreq=0xfdcaf0) at ../lib/tsocket/tsocket.c:233
#16 0x00007ffff40ec4db in _tevent_req_notify_callback (req=0xfdcaf0, location=0x7fffefb73010 "../lib/tsocket/tsocket_bsd.c:888") at ../lib/tevent/tevent_req.c:101
#17 0x00007ffff40ec50d in tevent_req_finish (req=0xfdcaf0, state=TEVENT_REQ_USER_ERROR, location=0x7fffefb73010 "../lib/tsocket/tsocket_bsd.c:888") at ../lib/tevent/tevent_req.c:110
#18 0x00007ffff40ec579 in _tevent_req_error (req=0xfdcaf0, error=111, location=0x7fffefb73010 "../lib/tsocket/tsocket_bsd.c:888") at ../lib/tevent/tevent_req.c:128
#19 0x00007fffefb6c647 in tdgram_bsd_recvfrom_handler (private_data=0xfdcaf0) at ../lib/tsocket/tsocket_bsd.c:888
#20 0x00007fffefb6bfa6 in tdgram_bsd_fde_handler (ev=0xfd3dd0, fde=0xfdeac0, flags=1, private_data=0xfdc590) at ../lib/tsocket/tsocket_bsd.c:681
#21 0x00007ffff40ef202 in epoll_event_loop (std_ev=0xfd36d0, tvalp=0x7fffffffc690) at ../lib/tevent/tevent_standard.c:326
#22 0x00007ffff40ef948 in std_event_loop_once (ev=0xfd3dd0, location=0x7ffff40f1710 "../lib/tevent/tevent_req.c:210") at ../lib/tevent/tevent_standard.c:565
#23 0x00007ffff40eac10 in _tevent_loop_once (ev=0xfd3dd0, location=0x7ffff40f1710 "../lib/tevent/tevent_req.c:210") at ../lib/tevent/tevent.c:505
#24 0x00007ffff40ec762 in tevent_req_poll (req=0xfd9e80, ev=0xfd3dd0) at ../lib/tevent/tevent_req.c:210
#25 0x00007ffff3672c33 in finddcs_cldap_recv (req=0xfd9e80, mem_ctx=0xfd5dc0, io=0xfd5dc0) at ../source4/libcli/finddcs_cldap.c:364
#26 0x00007ffff3672d63 in finddcs_cldap (mem_ctx=0xfd5dc0, io=0xfd5dc0, resolve_ctx=0xfd5ef0, event_ctx=0xfd3dd0) at ../source4/libcli/finddcs_cldap.c:389
#27 0x00007fffe805d6e5 in py_net_finddc (self=0xf4f508, args=0xf50f80) at ../source4/libnet/py_net.c:597

This backtrace is obtained due to the abort in GDB; it shows the poll function has been called a second time even if the first was in error.

#0 0x00007ffff69b33a5 in __GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1 0x00007ffff69b6b0b in __GI_abort () at abort.c:92
#2 0x00007ffff5a94212 in talloc_abort (reason=0x7ffff5a98ae0 "Bad talloc magic value - access after free") at ../lib/talloc/talloc.c:317
#3 0x00007ffff5a9429e in talloc_abort_access_after_free () at ../lib/talloc/talloc.c:336
#4 0x00007ffff5a9431b in talloc_chunk_from_ptr (ptr=0xfdc860) at ../lib/talloc/talloc.c:357
#5 0x00007ffff5a96673 in _talloc_free (ptr=0xfdc860, location=0x7ffff01046ec "../libcli/cldap/cldap.c:299") at ../lib/talloc/talloc.c:1348
#6 0x00007ffff0101de1 in cldap_socket_recv_dgram (c=0xfdc4f0, in=0xfdc860) at ../libcli/cldap/cldap.c:299
#7 0x00007ffff0101a2d in cldap_recvfrom_done (subreq=0x0) at ../libcli/cldap/cldap.c:203
#8 0x00007ffff40ec4db in _tevent_req_notify_callback (req=0xfdc620, location=0x7fffefb71f14 "../lib/tsocket/tsocket.c:233") at ../lib/tevent/tevent_req.c:101
#9 0x00007ffff40ec50d in tevent_req_finish (req=0xfdc620, state=TEVENT_REQ_USER_ERROR, location=0x7fffefb71f14 "../lib/tsocket/tsocket.c:233") at ../lib/tevent/tevent_req.c:110
#10 0x00007ffff40ec579 in _tevent_req_error (req=0xfdc620, error=111, location=0x7fffefb71f14 "../lib/tsocket/tsocket.c:233") at ../lib/tevent/tevent_req.c:128
#11 0x00007fffefb69460 in tdgram_recvfrom_done (subreq=0xfdcaf0) at ../lib/tsocket/tsocket.c:233
#12 0x00007ffff40ec4db in _tevent_req_notify_callback (req=0xfdcaf0, location=0x7fffefb73010 "../lib/tsocket/tsocket_bsd.c:888") at ../lib/tevent/tevent_req.c:101
#13 0x00007ffff40ec50d in tevent_req_finish (req=0xfdcaf0, state=TEVENT_REQ_USER_ERROR, location=0x7fffefb73010 "../lib/tsocket/tsocket_bsd.c:888") at ../lib/tevent/tevent_req.c:110
#14 0x00007ffff40ec579 in _tevent_req_error (req=0xfdcaf0, error=111, location=0x7fffefb73010 "../lib/tsocket/tsocket_bsd.c:888") at ../lib/tevent/tevent_req.c:128
#15 0x00007fffefb6c647 in tdgram_bsd_recvfrom_handler (private_data=0xfdcaf0) at ../lib/tsocket/tsocket_bsd.c:888
#16 0x00007fffefb6bfa6 in tdgram_bsd_fde_handler (ev=0xfd3dd0, fde=0xfdeac0, flags=1, private_data=0xfdc590) at ../lib/tsocket/tsocket_bsd.c:681
#17 0x00007ffff40ef202 in epoll_event_loop (std_ev=0xfd36d0, tvalp=0x7fffffffc690) at ../lib/tevent/tevent_standard.c:326
#18 0x00007ffff40ef948 in std_event_loop_once (ev=0xfd3dd0, location=0x7ffff40f1710 "../lib/tevent/tevent_req.c:210") at ../lib/tevent/tevent_standard.c:565
#19 0x00007ffff40eac10 in _tevent_loop_once (ev=0xfd3dd0, location=0x7ffff40f1710 "../lib/tevent/tevent_req.c:210") at ../lib/tevent/tevent.c:505
#20 0x00007ffff40ec762 in tevent_req_poll (req=0xfd9e80, ev=0xfd3dd0) at ../lib/tevent/tevent_req.c:210
#21 0x00007ffff3672c33 in finddcs_cldap_recv (req=0xfd9e80, mem_ctx=0xfd5dc0, io=0xfd5dc0) at ../source4/libcli/finddcs_cldap.c:364
#22 0x00007ffff3672d63 in finddcs_cldap (mem_ctx=0xfd5dc0, io=0xfd5dc0, resolve_ctx=0xfd5ef0, event_ctx=0xfd3dd0) at ../source4/libcli/finddcs_cldap.c:389
#23 0x00007fffe805d6e5 in py_net_finddc (self=0xf4f508, args=0xf50f80) at ../source4/libnet/py_net.c:597
Please retry, could have been fixed!
This could also happen in 3.6.x and maybe in 3.5.x
The problem happened in cldap_socket_recv_dgram() between the lines 297 and 299.

        tevent_req_nterror(....);
 done:
        talloc_free(in);
}

tevent_req_nterror() triggers the callback finddcs_cldap_netlogon_replied(), which invalidates the data 'in' points to.

15:08 < metze> tevent_req_nterror() calls the callback function
15:08 < metze> which calls TALLOC_FREE(state->cldap)
15:09 < metze> and also other things
15:09 < metze> which implicitly free the memory 'in' points to
15:10 < metze> then the next cldap socket gets the same memory
15:10 < metze> so 'in' points to the new cldap socket
15:10 < metze> and calls talloc_free on it
15:10 < metze> got it?
Created attachment 7086
Patch for v3-5-test

Created attachment 7087
Patch for v3-6-test (not tested yet)
Matthieu or Jeremy could you please test the 3.6 fix?
Comment on attachment 7087
Patch for v3-6-test (not tested yet)

Jeremy, please test and review, thanks

Jeremy, is there a chance to get the review done by Thursday? Or to re-assign to another developer for patch review (not sure whether it makes sense or not in this case)? The fix could be included in 3.6.2 then.

Thanks,
Karolin
Comment on attachment 7087
Patch for v3-6-test (not tested yet)

Checked this over carefully (can't test exactly as reporter as samba-tool doesn't exist in 3.6.x) and it fixes an obvious use-after-free. talloc_move nulls out the &in parameter so the TALLOC_FREE change from talloc_free is obviously correct.
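
The ordering problem analysed for cldap_socket_recv_dgram() and the pointer-clearing point made in the review above, as an added example that is not part of this bug report or of the attached patches. It uses a constructed toy pool allocator in place of talloc; every name in it (pool_alloc, finder, recv_dgram_buggy, recv_dgram_fixed, run) is hypothetical, and the "fixed" ordering is an assumption for illustration, not the content of the patches.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed toy allocator (not talloc): a fixed pool with a LIFO free list,
 * so the slot freed last is the one the next allocation gets back. */
#define SLOTS 8
struct chunk {
    int live;                 /* 1 while allocated */
    struct chunk *parent;     /* talloc-style owner, freed together with it */
    struct chunk *next_free;
};
static struct chunk pool[SLOTS];
static struct chunk *free_list;
static int stale_frees;       /* frees of a dead chunk; talloc aborts on these */

static void pool_reset(void) {
    free_list = NULL;
    stale_frees = 0;
    for (int i = SLOTS - 1; i >= 0; i--) {
        pool[i].live = 0;
        pool[i].parent = NULL;
        pool[i].next_free = free_list;
        free_list = &pool[i];
    }
}

static struct chunk *pool_alloc(struct chunk *parent) {
    struct chunk *c = free_list;
    if (c == NULL) return NULL;
    free_list = c->next_free;
    c->live = 1;
    c->parent = parent;
    return c;
}

static void pool_free(struct chunk *c) {
    if (c == NULL) return;
    if (!c->live) { stale_frees++; return; }
    c->live = 0;
    c->next_free = free_list;
    free_list = c;
    for (int i = 0; i < SLOTS; i++)       /* children go down with the owner */
        if (pool[i].live && pool[i].parent == c) pool_free(&pool[i]);
}

/* Hypothetical stand-in for the DC finder state that owns the CLDAP socket. */
struct finder { struct chunk *cldap; int retry; };
struct outcome { int stale_frees; int socket_live; };

/* Completion callback: drop the failed socket, optionally open the next one. */
static void netlogon_replied(struct finder *f) {
    pool_free(f->cldap);                  /* frees the datagram it owns too */
    f->cldap = f->retry ? pool_alloc(NULL) : NULL;
}

/* Ordering from the report: complete the request, then free 'in'. */
static void recv_dgram_buggy(struct finder *f, struct chunk *in) {
    netlogon_replied(f);   /* stands in for tevent_req_nterror() -> callback */
    pool_free(in);         /* 'in' is stale, or now aliases the new socket */
}

/* Hardened ordering (assumption): release and clear 'in' before the callback. */
static void recv_dgram_fixed(struct finder *f, struct chunk *in) {
    pool_free(in);
    in = NULL;
    netlogon_replied(f);
    pool_free(in);         /* no-op on NULL, as with TALLOC_FREE */
}

static struct outcome run(void (*path)(struct finder *, struct chunk *), int retry) {
    struct finder f = { NULL, retry };
    struct outcome o;
    pool_reset();
    f.cldap = pool_alloc(NULL);
    path(&f, pool_alloc(f.cldap));        /* datagram owned by the socket */
    o.stale_frees = stale_frees;
    o.socket_live = f.cldap != NULL && f.cldap->live;
    return o;
}

int main(void) {
    struct outcome a = run(recv_dgram_buggy, 0), b = run(recv_dgram_buggy, 1);
    struct outcome c = run(recv_dgram_fixed, 1);
    printf("buggy, no retry: stale_frees=%d\n", a.stale_frees);
    printf("buggy, retry:    stale_frees=%d socket_live=%d\n", b.stale_frees, b.socket_live);
    printf("fixed, retry:    stale_frees=%d socket_live=%d\n", c.stale_frees, c.socket_live);
    return 0;
}
```

Without a retry the stale free is caught, which corresponds to the talloc abort in the report; with a retry the slot has been reused, no check fires, and the new socket is freed silently.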
Comment on attachment 7086
Patch for v3-5-test

As the 3.6.x patch, this is correct.
Re-assigning to Karolin for inclusion in 3.5.next and 3.6.next. Jeremy.
Pushed to both branches. Closing out bug report. Thanks!