Bug 8799 - talloc access after free in dcerpc_bh_raw_call_done / dcerpc_connection_dead
Summary: talloc access after free in dcerpc_bh_raw_call_done / dcerpc_connection_dead
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: DCE-RPCs and pipes (show other bugs)
Version: unspecified
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: samba4-qa@samba.org
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-03-07 14:42 UTC by Arvid Requate
Modified: 2012-04-10 11:02 UTC (History)
1 user (show)

See Also:

Attachments
Ths was observed with a pre-alpha18 git snapshot. The full backtrace is attached. (4.88 KB, text/plain)
2012-03-07 14:44 UTC, Arvid Requate 		no flags Details
relevant part of log.samba at loglevel 2 (11.15 KB, text/plain)
2012-03-07 14:45 UTC, Arvid Requate 		no flags Details
Backtrace with commit 7b1fb088421565f1752acde02377237e4ca19248 applied (4.87 KB, text/plain)
2012-03-13 10:51 UTC, Janis Meybohm 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Arvid Requate 2012-03-07 14:42:56 UTC 
On a number of Samba 4 DCs core dumps have been observed that are related to a termination of the source4/winbind service. After the core dump the unix domain sockets below /var/run/samba/winbindd not opened any longer. Maybe related to this is "samba-tool drs showrepl" shows a number of WERR_INVALID_PARAM errors.

Maybe also related: Several occurences of

  IRPC callback failed for DsReplicaSync - NT_STATUS_IO_TIMEOUT

and 

  dcerpc_fault WERR_EPT_S_CANT_PERFORM_OP in drsuapi_DsReplicaSync

can be found in log.samba can be found a couple of times per day, not only before the core dump happens.
Comment 1 Arvid Requate 2012-03-07 14:44:56 UTC 
Created attachment 7361 [details]
Ths was observed with a pre-alpha18 git snapshot. The full backtrace is attached.
Comment 2 Arvid Requate 2012-03-07 14:45:34 UTC 
Created attachment 7362 [details]
relevant part of log.samba at loglevel 2
Comment 3 Stefan Metzmacher 2012-03-07 20:23:45 UTC 
Does 7b1fb088421565f1752acde02377237e4ca19248 fixes at least the segfault?
Comment 4 Janis Meybohm 2012-03-13 10:51:44 UTC 
Created attachment 7383 [details]
Backtrace with commit 7b1fb088421565f1752acde02377237e4ca19248 applied

(In reply to comment #3)
> Does 7b1fb088421565f1752acde02377237e4ca19248 fixes at least the segfault?

No, the segfault still occurs. Find a updated backtrace attached.
Comment 5 Matthias Dieter Wallnöfer 2012-03-15 09:18:36 UTC 
metze,

shouldn't this have been fixed by your recent rpc library rework?
Comment 6 Stefan Metzmacher 2012-03-15 15:44:26 UTC 
I hope so, ebcfa61d9f712db8400acd722dfc43c07021c9b0 and the s4:librp/rpc patches before should fix it.
Comment 7 Matthias Dieter Wallnöfer 2012-03-15 20:41:38 UTC 
Should have been fixed as well.
Comment 8 Janis Meybohm 2012-03-27 13:52:14 UTC 
The patches seem to fix the segfaults but the error messages still occur (~every 10 seconds on 3 Samba 4 DCs):
---
[2012/03/27 15:49:17,  0] ../source4/rpc_server/common/forward.c:51(dcesrv_irpc_forward_callback)
  IRPC callback failed for DsReplicaSync - NT_STATUS_IO_TIMEOUT
[2012/03/27 15:49:27,  0] ../source4/rpc_server/common/forward.c:51(dcesrv_irpc_forward_callback)
  IRPC callback failed for DsReplicaSync - NT_STATUS_IO_TIMEOUT
[2012/03/27 15:49:28,  0] ../source4/rpc_server/common/forward.c:51(dcesrv_irpc_forward_callback)
  IRPC callback failed for DsReplicaSync - NT_STATUS_IO_TIMEOUT
[2012/03/27 15:49:37,  0] ../source4/rpc_server/common/forward.c:51(dcesrv_irpc_forward_callback)
  IRPC callback failed for DsReplicaSync - NT_STATUS_IO_TIMEOUT
[2012/03/27 15:49:47,  0] ../source4/rpc_server/common/forward.c:51(dcesrv_irpc_forward_callback)
  IRPC callback failed for DsReplicaSync - NT_STATUS_IO_TIMEOUT
[2012/03/27 15:49:48,  0] ../source4/rpc_server/common/forward.c:51(dcesrv_irpc_forward_callback)
  IRPC callback failed for DsReplicaSync - NT_STATUS_IO_TIMEOUT
[2012/03/27 15:49:57,  0] ../source4/rpc_server/common/forward.c:51(dcesrv_irpc_forward_callback)
  IRPC callback failed for DsReplicaSync - NT_STATUS_IO_TIMEOUT
---
Comment 9 Arvid Requate 2012-04-10 11:02:20 UTC 
Comment 8 has been split of as Bug 8851.