GNU gdb (Ubuntu/Linaro 7.3-0ubuntu2) 7.3-2011.08 Copyright (C) 2011 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "x86_64-linux-gnu". For bug reporting instructions, please see: <http://bugs.launchpad.net/gdb-linaro/>... Reading symbols from /usr/local/src/samba/bin/samba...done. (gdb) r Starting program: /usr/local/src/samba/bin/samba -i -M single -s /home/mat/workspace/samba/rodc_mat/etc/smb.conf [Thread debugging using libthread_db enabled] samba version 4.0.0alpha20-DEVELOPERBUILD started. Copyright Andrew Tridgell and the Samba Team 1992-2012 samba: using 'single' process model ../source4/dsdb/dns/dns_update.c:294: Failed DNS update - NT_STATUS_IO_TIMEOUT talloc: access after free error - first free may be at ../lib/talloc/talloc.c:1073 Bad talloc magic value - access after free PANIC: Bad talloc magic value - access after free Program received signal SIGABRT, Aborted. 0x00007ffff3d363a5 in __GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64 64 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory. 
in ../nptl/sysdeps/unix/sysv/linux/raise.c (gdb) bt #0 0x00007ffff3d363a5 in __GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64 #1 0x00007ffff3d39b0b in __GI_abort () at abort.c:92 #2 0x00007ffff66b6988 in smb_panic_default (why=0x7ffff6289bf0 "Bad talloc magic value - access after free") at ../lib/util/fault.c:149 #3 0x00007ffff66b69c6 in smb_panic (why=0x7ffff6289bf0 "Bad talloc magic value - access after free") at ../lib/util/fault.c:162 #4 0x00007ffff62851a1 in talloc_abort (reason=0x7ffff6289bf0 "Bad talloc magic value - access after free") at ../lib/talloc/talloc.c:320 #5 0x00007ffff628521d in talloc_abort_access_after_free () at ../lib/talloc/talloc.c:336 #6 0x00007ffff628529a in talloc_chunk_from_ptr (ptr=0x100f6a0) at ../lib/talloc/talloc.c:357 #7 0x00007ffff6286f28 in talloc_get_name (ptr=0x100f6a0) at ../lib/talloc/talloc.c:1152 #8 0x00007ffff62870a8 in _talloc_get_type_abort (ptr=0x100f6a0, name=0x7fffeb83cacc "struct composite_context", location=0x7fffeb83cc40 "../source4/libnet/libnet_group.c:366") at ../lib/talloc/talloc.c:1205 #9 0x00007fffeb82120f in continue_group_info (ctx=0x16f6ab0) at ../source4/libnet/libnet_group.c:366 #10 0x00007ffff1461117 in composite_error (ctx=0x16f6ab0, status=...) 
at ../source4/libcli/composite/composite.c:114 #11 0x00007fffeb826f37 in continue_groupinfo_getgroup (subreq=0x0) at ../source4/libnet/groupinfo.c:188 #12 0x00007ffff64924d3 in _tevent_req_notify_callback (req=0x863840, location=0x7fffee6c7e40 "default/librpc/gen_ndr/ndr_samr_c.c:4522") at ../lib/tevent/tevent_req.c:101 #13 0x00007ffff6492505 in tevent_req_finish (req=0x863840, state=TEVENT_REQ_DONE, location=0x7fffee6c7e40 "default/librpc/gen_ndr/ndr_samr_c.c:4522") at ../lib/tevent/tevent_req.c:110 #14 0x00007ffff649252c in _tevent_req_done (req=0x863840, location=0x7fffee6c7e40 "default/librpc/gen_ndr/ndr_samr_c.c:4522") at ../lib/tevent/tevent_req.c:116 #15 0x00007fffee63dff2 in dcerpc_samr_QueryGroupInfo_r_done (subreq=0x9d8380) at default/librpc/gen_ndr/ndr_samr_c.c:4522 #16 0x00007ffff64924d3 in _tevent_req_notify_callback (req=0x9d8380, location=0x7ffff42c8850 "../librpc/rpc/binding_handle.c:492") at ../lib/tevent/tevent_req.c:101 #17 0x00007ffff6492505 in tevent_req_finish (req=0x9d8380, state=TEVENT_REQ_DONE, location=0x7ffff42c8850 "../librpc/rpc/binding_handle.c:492") at ../lib/tevent/tevent_req.c:110 #18 0x00007ffff649252c in _tevent_req_done (req=0x9d8380, location=0x7ffff42c8850 "../librpc/rpc/binding_handle.c:492") at ../lib/tevent/tevent_req.c:116 #19 0x00007ffff42c50b6 in dcerpc_binding_handle_call_done (subreq=0x0) at ../librpc/rpc/binding_handle.c:492 #20 0x00007ffff64924d3 in _tevent_req_notify_callback (req=0x8198b0, location=0x7ffff42c83c0 "../librpc/rpc/binding_handle.c:163") at ../lib/tevent/tevent_req.c:101 #21 0x00007ffff6492505 in tevent_req_finish (req=0x8198b0, state=TEVENT_REQ_DONE, location=0x7ffff42c83c0 "../librpc/rpc/binding_handle.c:163") at ../lib/tevent/tevent_req.c:110 #22 0x00007ffff649252c in _tevent_req_done (req=0x8198b0, location=0x7ffff42c83c0 "../librpc/rpc/binding_handle.c:163") at ../lib/tevent/tevent_req.c:116 #23 0x00007ffff42c45a5 in dcerpc_binding_handle_raw_call_done (subreq=0x0) at 
../librpc/rpc/binding_handle.c:163 #24 0x00007ffff64924d3 in _tevent_req_notify_callback (req=0x13356a0, location=0x7ffff53444e8 "../source4/librpc/rpc/dcerpc.c:298") at ../lib/tevent/tevent_req.c:101 #25 0x00007ffff6492505 in tevent_req_finish (req=0x13356a0, state=TEVENT_REQ_DONE, location=0x7ffff53444e8 "../source4/librpc/rpc/dcerpc.c:298") at ../lib/tevent/tevent_req.c:110 #26 0x00007ffff6492623 in tevent_req_trigger (ev=0x6244b0, im=0x1a5c280, private_data=0x13356a0) at ../lib/tevent/tevent_req.c:166 #27 0x00007ffff6491a38 in tevent_common_loop_immediate (ev=0x6244b0) at ../lib/tevent/tevent_immediate.c:135 #28 0x00007ffff64959e4 in std_event_loop_once (ev=0x6244b0, location=0x40faf7 "../source4/smbd/server.c:472") at ../lib/tevent/tevent_standard.c:554 #29 0x00007ffff6490c20 in _tevent_loop_once (ev=0x6244b0, location=0x40faf7 "../source4/smbd/server.c:472") at ../lib/tevent/tevent.c:504 #30 0x00007ffff6490e45 in tevent_common_loop_wait (ev=0x6244b0, location=0x40faf7 "../source4/smbd/server.c:472") at ../lib/tevent/tevent.c:605 #31 0x00007ffff6490f10 in _tevent_loop_wait (ev=0x6244b0, location=0x40faf7 "../source4/smbd/server.c:472") at ../lib/tevent/tevent.c:624 #32 0x000000000040b48c in binary_smbd_main (binary_name=0x40f4db "samba", argc=6, argv=0x7fffffffe678) at ../source4/smbd/server.c:472 #33 0x000000000040b4d2 in main (argc=6, argv=0x7fffffffe678) at ../source4/smbd/server.c:483
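Highly reproducible: ./bin/wbinfo --group-info=administrator To trigger the bug, the name passed as the group must not be a valid group but must be a valid user name. In the backtrace above the abort is raised on the error path: composite_error() (frame #10) invokes continue_group_info(), and the talloc type check at ../source4/libnet/libnet_group.c:366 is what talloc reports as an access after free.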
Fixed in commit bb3d983f5bc4b49619f26af44c3c540c3030155f.