Bug 8799 - talloc access after free in dcerpc_bh_raw_call_done / dcerpc_connection_dead
Status: RESOLVED FIXED
Product: Samba 4.0
Classification: Unclassified
Component: DCE-RPCs and pipes
Version: unspecified
Hardware: All
OS: All
Priority: P5
Severity: normal
Assigned To: Andrew Bartlett
QA Contact: samba4-qa@samba.org
Reported: 2012-03-07 14:42 UTC by Arvid Requate
Modified: 2012-04-10 11:02 UTC (History)

Attachments
Attachment 7361: "This was observed with a pre-alpha18 git snapshot. The full backtrace is attached." (4.88 KB, text/plain), 2012-03-07 14:44 UTC, Arvid Requate
Attachment 7362: relevant part of log.samba at loglevel 2 (11.15 KB, text/plain), 2012-03-07 14:45 UTC, Arvid Requate
Attachment 7383: Backtrace with commit 7b1fb088421565f1752acde02377237e4ca19248 applied (4.87 KB, text/plain), 2012-03-13 10:51 UTC, Janis Meybohm

Description Arvid Requate 2012-03-07 14:42:56 UTC
On a number of Samba 4 DCs core dumps have been observed that are related to a termination of the source4/winbind service. After the core dump the unix domain sockets below /var/run/samba/winbindd are not opened any longer. Maybe related to this: "samba-tool drs showrepl" shows a number of WERR_INVALID_PARAM errors.

Maybe also related: several occurrences of

  IRPC callback failed for DsReplicaSync - NT_STATUS_IO_TIMEOUT

and

  dcerpc_fault WERR_EPT_S_CANT_PERFORM_OP in drsuapi_DsReplicaSync

can be found in log.samba a couple of times per day, not only before the core dump happens.
Comment 1 Arvid Requate 2012-03-07 14:44:56 UTC
Created attachment 7361 [details]
This was observed with a pre-alpha18 git snapshot. The full backtrace is attached.
Comment 2 Arvid Requate 2012-03-07 14:45:34 UTC
Created attachment 7362 [details]
relevant part of log.samba at loglevel 2
Comment 3 Stefan Metzmacher 2012-03-07 20:23:45 UTC
Does 7b1fb088421565f1752acde02377237e4ca19248 fix at least the segfault?
Comment 4 Janis Meybohm 2012-03-13 10:51:44 UTC
Created attachment 7383 [details]
Backtrace with commit 7b1fb088421565f1752acde02377237e4ca19248 applied

(In reply to comment #3)
> Does 7b1fb088421565f1752acde02377237e4ca19248 fix at least the segfault?

No, the segfault still occurs. Find an updated backtrace attached.
Comment 5 Matthias Dieter Wallnöfer 2012-03-15 09:18:36 UTC
metze,

shouldn't this have been fixed by your recent rpc library rework?
Comment 6 Stefan Metzmacher 2012-03-15 15:44:26 UTC
I hope so, ebcfa61d9f712db8400acd722dfc43c07021c9b0 and the s4:librp/rpc patches before should fix it.
Comment 7 Matthias Dieter Wallnöfer 2012-03-15 20:41:38 UTC
Should have been fixed as well.
Comment 8 Janis Meybohm 2012-03-27 13:52:14 UTC
The patches seem to fix the segfaults but the error messages still occur (~every 10 seconds on 3 Samba 4 DCs):
---
[2012/03/27 15:49:17,  0] ../source4/rpc_server/common/forward.c:51(dcesrv_irpc_forward_callback)
  IRPC callback failed for DsReplicaSync - NT_STATUS_IO_TIMEOUT
[2012/03/27 15:49:27,  0] ../source4/rpc_server/common/forward.c:51(dcesrv_irpc_forward_callback)
  IRPC callback failed for DsReplicaSync - NT_STATUS_IO_TIMEOUT
[2012/03/27 15:49:28,  0] ../source4/rpc_server/common/forward.c:51(dcesrv_irpc_forward_callback)
  IRPC callback failed for DsReplicaSync - NT_STATUS_IO_TIMEOUT
[2012/03/27 15:49:37,  0] ../source4/rpc_server/common/forward.c:51(dcesrv_irpc_forward_callback)
  IRPC callback failed for DsReplicaSync - NT_STATUS_IO_TIMEOUT
[2012/03/27 15:49:47,  0] ../source4/rpc_server/common/forward.c:51(dcesrv_irpc_forward_callback)
  IRPC callback failed for DsReplicaSync - NT_STATUS_IO_TIMEOUT
[2012/03/27 15:49:48,  0] ../source4/rpc_server/common/forward.c:51(dcesrv_irpc_forward_callback)
  IRPC callback failed for DsReplicaSync - NT_STATUS_IO_TIMEOUT
[2012/03/27 15:49:57,  0] ../source4/rpc_server/common/forward.c:51(dcesrv_irpc_forward_callback)
  IRPC callback failed for DsReplicaSync - NT_STATUS_IO_TIMEOUT
---
Comment 9 Arvid Requate 2012-04-10 11:02:20 UTC
Comment 8 has been split off as Bug 8851.