Bug 8853 - SIGABRT in source4/librpc/rpc/dcerpc_smb.c:smb_trans_callback/pipe_dead
Summary: SIGABRT in source4/librpc/rpc/dcerpc_smb.c:smb_trans_callback/pipe_dead
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: DCE-RPCs and pipes (show other bugs)
Version: 4.0 alpha 18
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: samba4-qa@samba.org
Depends on:
Reported: 2012-04-10 13:59 UTC by Arvid Requate
Modified: 2012-06-04 12:55 UTC (History)
1 user (show)

See Also:

backtrace of the winbind core (4.78 KB, text/plain)
2012-04-10 13:59 UTC, Arvid Requate
no flags Details
patch proposal to handle smb == NULL in pipe_dead (656 bytes, patch)
2012-04-10 14:01 UTC, Arvid Requate
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Arvid Requate 2012-04-10 13:59:04 UTC
A coredump of the winbind server service shows the attached backtrace in gdb.
The backtrace indicates that the abort occurred due to a NULL-valued (dcecli_connection *)->transport.private_data in the source4/librpc/rpc/dcerpc_smb.c:pipe_dead function, which was called by source4/librpc/rpc/dcerpc_smb.c:smb_trans_callback as a reaction to NT_STATUS_IO_TIMEOUT.
Comment 1 Arvid Requate 2012-04-10 13:59:57 UTC
Created attachment 7447 [details]
backtrace of the winbind core

Maybe it's important to note that the following two patches to winbind were not yet included during compilation of the samba sources:
 * http://gitweb.samba.org/samba.git/?p=samba.git;a=commit;h=692c42c42731b017310e07549489c3ab0bca7d12
 * http://gitweb.samba.org/samba.git/?p=samba.git;a=commit;h=71587285ccf78547ee4830b03d8a1493412504a5
Comment 2 Arvid Requate 2012-04-10 14:01:18 UTC
Created attachment 7448 [details]
patch proposal to handle smb == NULL in pipe_dead
Comment 3 Andrew Bartlett 2012-04-10 20:58:20 UTC
Does it still work if you use talloc_get_type_abort()?

What I'm getting at is: is this a wild (non)talloc pointer, which talloc_get_type() returns NULL for, or is this really a NULL pointer to begin with?
Comment 4 Stefan Metzmacher 2012-04-11 06:05:27 UTC
talloc_get_type_abort() would be correct.

There're so many fixes in master (alpha19), which might fix this problem.
Comment 5 Arvid Requate 2012-04-11 09:23:02 UTC
The backtrace indicates that it was a NULL pointer. I guess that it is supposed to be a talloc pointer, as e.g. smb_read_callback uses talloc_get_type to fetch it. Using talloc_get_type_abort would result in a segfault as well? Anyway..

@Metze: I'm following the commits and looking out for commit sets to pull. We have been publishing a couple of updates for really important ones. I'll check again.
Comment 6 Stefan Metzmacher 2012-06-04 11:07:22 UTC
Arvid, can we close this one? I really think this is fixed in master...
Comment 7 Arvid Requate 2012-06-04 12:45:31 UTC
I'm fine with that, if it would happen again then I would reopen :-)
Comment 8 Stefan Metzmacher 2012-06-04 12:55:15 UTC