Talloc appears to have a double free bug which causes samba4 to crash. Here is the stack trace from a running S4 which experienced the problem.

(gdb) bt
#0  0x00000008047f124c in thr_kill () from /lib/libc.so.7
#1  0x000000080489385b in abort () from /lib/libc.so.7
#2  0x000000080084803e in smb_panic_default (why=Could not find the frame base for "smb_panic_default".) at ../lib/util/fault.c:149
#3  0x0000000800848078 in smb_panic (why=0x803f574d8 "Bad talloc magic value - access after free") at ../lib/util/fault.c:162
#4  0x0000000803f4fe3c in talloc_vasprintf () from /usr/local/lib/libtalloc.so.2
#5  0x0000000803f4ff38 in talloc_asprintf () from /usr/local/lib/libtalloc.so.2
#6  0x0000000816eb4506 in wbsrv_call_loop (subreq=0x0) at ../source4/winbind/wb_server.c:78
#7  0x0000000801505a99 in tstream_read_pdu_blob_done (subreq=0x0) at ../libcli/util/tstream.c:117
#8  0x0000000807084371 in tstream_readv_done (subreq=0x0) at ../lib/tsocket/tsocket.c:604
#9  0x00000008070883f9 in tstream_bsd_readv_handler (private_data=0x821ec8260) at ../lib/tsocket/tsocket_bsd.c:1769
#10 0x0000000807087b24 in tstream_bsd_fde_handler (ev=0x80d82d760, fde=0x80dbe1260, flags=1, private_data=0x80dbe0de0) at ../lib/tsocket/tsocket_bsd.c:1487
#11 0x000000080458e0e2 in std_event_loop_once () from /usr/local/lib/libtevent.so.0
#12 0x000000080458addc in _tevent_loop_once () from /usr/local/lib/libtevent.so.0
#13 0x000000080458ae4b in tevent_common_loop_wait () from /usr/local/lib/libtevent.so.0
#14 0x0000000810b52408 in standard_new_task (ev=0x80d82d760, lp_ctx=0x80d841860, service_name=0x816ecb604 "winbind", new_task=0x8015055e0 <task_server_callback>, private_data=0x80dbf33f0) at ../source4/smbd/process_standard.c:186
#15 0x0000000801505790 in task_server_startup (event_ctx=0x80d82d760, lp_ctx=0x80d841860, service_name=0x816ecb604 "winbind", model_ops=0x810d52a60, task_init=0x816eb47d0 <winbind_task_init>) at ../source4/smbd/service_task.c:112
#16 0x0000000801503db1 in server_service_init (name=0x80d873c70 "winbind", event_context=0x80d82d760, lp_ctx=0x80d841860, model_ops=0x810d52a60) at ../source4/smbd/service.c:63
#17 0x0000000801503f06 in server_service_startup (event_ctx=0x80d82d760, lp_ctx=0x80d841860, model=0x410421 "standard", server_services=0x80d82d460) at ../source4/smbd/service.c:95
#18 0x000000000040ac7c in binary_smbd_main (binary_name=0x410232 "samba", argc=2, argv=0x7fffffffd6f0) at ../source4/smbd/server.c:477
#19 0x000000000040ad62 in main (argc=2, argv=0x7fffffffd6f0) at ../source4/smbd/server.c:497
(gdb)
Created attachment 8828
Patch

Can you try this?
(In reply to comment #1)
> Created attachment 8828
> Patch
>
> Can you try this?

Testing it now
Comment on attachment 8828
Patch

Reviewed-by: Stefan Metzmacher <metze@samba.org>

Volker, please push this to master :-)
Created attachment 8832
Patch with cp-info
Problem still exists. From the samba log:

single_terminate: reason[wbsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
talloc: access after free error - first free may be at ../source4/winbind/wb_samba3_protocol.c:361

(gdb) bt
#0  0x00000008047f124c in thr_kill () from /lib/libc.so.7
#1  0x000000080489385b in abort () from /lib/libc.so.7
#2  0x000000080084803e in smb_panic_default (why=Could not find the frame base for "smb_panic_default".) at ../lib/util/fault.c:149
#3  0x0000000800848078 in smb_panic (why=0x803f574d8 "Bad talloc magic value - access after free") at ../lib/util/fault.c:162
#4  0x0000000803f4fe3c in talloc_vasprintf () from /usr/local/lib/libtalloc.so.2
#5  0x0000000803f4ff38 in talloc_asprintf () from /usr/local/lib/libtalloc.so.2
#6  0x0000000816eb4506 in wbsrv_call_loop (subreq=0x0) at ../source4/winbind/wb_server.c:78
#7  0x0000000801505a99 in tstream_read_pdu_blob_done (subreq=0x0) at ../libcli/util/tstream.c:117
#8  0x0000000807084371 in tstream_readv_done (subreq=0x0) at ../lib/tsocket/tsocket.c:604
#9  0x00000008070883f9 in tstream_bsd_readv_handler (private_data=0x821eca060) at ../lib/tsocket/tsocket_bsd.c:1769
#10 0x0000000807087b24 in tstream_bsd_fde_handler (ev=0x80d82d760, fde=0x820c7e5e0, flags=1, private_data=0x820c7df20) at ../lib/tsocket/tsocket_bsd.c:1487
#11 0x000000080458e0e2 in std_event_loop_once ()

On 04/30/13 04:13, samba-bugs@samba.org wrote:
> https://bugzilla.samba.org/show_bug.cgi?id=9832
>
> Stefan (metze) Metzmacher <metze@samba.org> changed:
>
>            What    |Removed                     |Added
> ----------------------------------------------------------------------------
>          AssignedTo|idra@samba.org              |ks@sernet.de
>
Created attachment 8840
harrison.vcf
talloc: access after free error - first free may be at ../source4/winbind/wb_samba3_protocol.c:361
Bad talloc magic value - access after free
PANIC: Bad talloc magic value - access after free
Pushed patch to autobuild-v4-0-test.

Re-assigning to Volker.
Volker, is this still an issue?
(In reply to comment #8)
> Pushed patch to autobuild-v4-0-test.
>
> Re-assigning to Volker.
> Volker, is this still an issue?

Without more information we can't know. Apparently the patch did not fix the issue, but we need a backtrace.
Ah, sorry, we do have a backtrace
(In reply to comment #9)
> (In reply to comment #8)
> > Pushed patch to autobuild-v4-0-test.
> >
> > Re-assigning to Volker.
> > Volker, is this still an issue?
>
> Without more information we can't know. Apparently the patch did not fix the
> issue, but we need a backtrace.

But the patch is needed anyway?
Created attachment 8858
Patch

More fixes for invalid talloc hierarchy.
The patch I uploaded is correct and does fix the issue reported earlier. The second backtrace is a different bug of the same nature. I will submit a better prepared patch when this second issue has gone through master.
Created attachment 8859
New patch for the second issue

Sorry for the confusion. I had missed the fact that the first patch had not yet been submitted to 4-0-test. I have fixed the first issue again with attachment 8858, which won't apply to the just pushed patch 8832.
(In reply to comment #14)
> Created attachment 8859
> New patch for the second issue
>
> Sorry for the confusion. I had missed the fact that the first patch had not yet
> been submitted to 4-0-test. I have fixed the first issue again with attachment
> 8858, which won't apply to the just pushed patch 8832.

The first patch had been pushed to autobuild-v4-0-test yesterday, but unfortunately the autobuild failed and was re-started this morning.
(In reply to comment #15)
> (In reply to comment #14)
> > Created attachment 8859
> > New patch for the second issue
> >
> > Sorry for the confusion. I had missed the fact that the first patch had not yet
> > been submitted to 4-0-test. I have fixed the first issue again with attachment
> > 8858, which won't apply to the just pushed patch 8832.
>
> The first patch had been pushed to autobuild-v4-0-test yesterday, but
> unfortunately the autobuild failed and was re-started this morning.

Any progress? It looks like this is still a problem:

talloc: access after free error - first free may be at ../source4/winbind/wb_samba3_protocol.c:361
Bad talloc magic value - access after free
PANIC: Bad talloc magic value - access after free
Hi all, I can confirm this bug with winbind enabled via nsswitch. A samba4 stand-alone install doesn't get stuck with this bug. I applied both patches and things are fine now. Applying both patches fixed the issue. Thanks!
(In reply to comment #17)
> (In reply to comment #15)
> > (In reply to comment #14)
> > > Created attachment 8859
> > > New patch for the second issue
> > >
> > > Sorry for the confusion. I had missed the fact that the first patch had not yet
> > > been submitted to 4-0-test. I have fixed the first issue again with attachment
> > > 8858, which won't apply to the just pushed patch 8832.
> >
> > The first patch had been pushed to autobuild-v4-0-test yesterday, but
> > unfortunately the autobuild failed and was re-started this morning.
>
> Any progress? It looks like this is still a problem
>
> talloc: access after free error - first free may be at
> ../source4/winbind/wb_samba3_protocol.c:361
> Bad talloc magic value - access after free
> PANIC: Bad talloc magic value - access after free

Did you apply both patches?

https://bugzilla.samba.org/attachment.cgi?id=8832
and
https://bugzilla.samba.org/attachment.cgi?id=8859
Yes, I did apply both patches to FreeBSD ports version 4.0.4_1 and things are just fine.
(In reply to comment #20)
> Yes, I did apply both patches to FreeBSD ports version 4.0.4_1 and things are
> just fine.

This question was more for Christopher Harrison :-)
I applied one of them but not both. Let me apply both and get back to you later on whether this fixed the issue.

-C

On 5/15/13 4:26 AM, samba-bugs@samba.org wrote:
> https://bugzilla.samba.org/show_bug.cgi?id=9832
>
> --- Comment #21 from Volker Lendecke <vl@samba.org> 2013-05-15 09:26:11 UTC ---
> (In reply to comment #20)
>> Yes, I did apply both patches to FreeBSD ports version 4.0.4_1 and things are
>> just fine.
> This question was more for Christopher Harrison :-)
>
Created attachment 8927
2nd patch with cherry-pick information
Comment on attachment 8927
2nd patch with cherry-pick information

LGTM.
Re-assigning to Karolin for inclusion in 4.0.next. Jeremy.
Pushed to autobuild-v4-0-test.
Pushed to v4-0-test. Closing out bug report. Thanks!
Hi,

This floods my server log running DC on 4.1.2. I don't know if it is the same problem as bug 9832?

Kinglok, Fong

=======================================================
[2013/11/25 10:53:03.708423, 0] ../source3/lib/dumpcore.c:317(dump_core)
  dumping core in /usr/local/samba/var/cores/smbd
[2013/11/25 10:53:04.106077, 0] ../source3/lib/popt_common.c:67(popt_s3_talloc_log_fn)
  talloc: access after free error - first free may be at ../source3/smbd/open.c:1569
[2013/11/25 10:53:04.106163, 0] ../source3/lib/popt_common.c:67(popt_s3_talloc_log_fn)
  Bad talloc magic value - access after free
[2013/11/25 10:53:04.106194, 0] ../source3/lib/util.c:785(smb_panic_s3)
  PANIC (pid 20650): Bad talloc magic value - access after free
[2013/11/25 10:53:04.106573, 0] ../source3/lib/util.c:896(log_stack_trace)
  BACKTRACE: 22 stack frames:
   #0 /usr/local/samba/lib/libsmbconf.so.0(log_stack_trace+0x1f) [0x7f8ffd32f2d2]
   #1 /usr/local/samba/lib/libsmbconf.so.0(smb_panic_s3+0x6c) [0x7f8ffd32f14b]
   #2 /usr/local/samba/lib/libsamba-util.so.0(smb_panic+0x28) [0x7f8ffed9f17f]
   #3 /usr/local/samba/lib/private/libtalloc.so.2(+0x241d) [0x7f8ffe3c041d]
   #4 /usr/local/samba/lib/private/libtalloc.so.2(+0x2499) [0x7f8ffe3c0499]
   #5 /usr/local/samba/lib/private/libtalloc.so.2(+0x2516) [0x7f8ffe3c0516]
   #6 /usr/local/samba/lib/private/libtalloc.so.2(talloc_get_name+0x18) [0x7f8ffe3c1fb6]
   #7 /usr/local/samba/lib/private/libtalloc.so.2(_talloc_get_type_abort+0x4c) [0x7f8ffe3c2136]
   #8 /usr/local/samba/lib/libsmbconf.so.0(+0x33ccf) [0x7f8ffd33accf]
   #9 /usr/local/samba/lib/private/libtevent.so.0(tevent_common_loop_immediate+0x1f5) [0x7f8ffe5cc358]
   #10 /usr/local/samba/lib/libsmbconf.so.0(run_events_poll+0x56) [0x7f8ffd34b3f9]
   #11 /usr/local/samba/lib/libsmbconf.so.0(+0x44abd) [0x7f8ffd34babd]
   #12 /usr/local/samba/lib/private/libtevent.so.0(_tevent_loop_once+0xf4) [0x7f8ffe5cb492]
   #13 /usr/local/samba/lib/private/libsmbd_base.so(smbd_process+0x12ef) [0x7f8ffe94237b]
   #14 /usr/local/samba/sbin/smbd(+0xa12d) [0x7f8fff40512d]
   #15 /usr/local/samba/lib/libsmbconf.so.0(run_events_poll+0x55f) [0x7f8ffd34b902]
   #16 /usr/local/samba/lib/libsmbconf.so.0(+0x44bce) [0x7f8ffd34bbce]
   #17 /usr/local/samba/lib/private/libtevent.so.0(_tevent_loop_once+0xf4) [0x7f8ffe5cb492]
   #18 /usr/local/samba/sbin/smbd(+0xad97) [0x7f8fff405d97]
   #19 /usr/local/samba/sbin/smbd(main+0x1753) [0x7f8fff40763b]
   #20 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd) [0x7f8ffbbc1ead]
   #21 /usr/local/samba/sbin/smbd(+0x5ed9) [0x7f8fff400ed9]
[2013/11/25 10:53:04.106797, 0] ../source3/lib/dumpcore.c:317(dump_core)
  dumping core in /usr/local/samba/var/cores/smbd
(In reply to comment #28)
> Hi,
>
> This floods my server log running DC on 4.1.2. I don't know if it is the same
> problem as bug 9832?
>
> Kinglok, Fong
>
> =======================================================
>
> [2013/11/25 10:53:03.708423, 0] ../source3/lib/dumpcore.c:317(dump_core)
>   dumping core in /usr/local/samba/var/cores/smbd
> [2013/11/25 10:53:04.106077, 0] ../source3/lib/popt_common.c:67(popt_s3_talloc_log_fn)
>   talloc: access after free error - first free may be at ../source3/smbd/open.c:1569
> [2013/11/25 10:53:04.106163, 0] ../source3/lib/popt_common.c:67(popt_s3_talloc_log_fn)
>   Bad talloc magic value - access after free
> [2013/11/25 10:53:04.106194, 0] ../source3/lib/util.c:785(smb_panic_s3)
>   PANIC (pid 20650): Bad talloc magic value - access after free
> [2013/11/25 10:53:04.106573, 0] ../source3/lib/util.c:896(log_stack_trace)
>   BACKTRACE: 22 stack frames:
>    #0 /usr/local/samba/lib/libsmbconf.so.0(log_stack_trace+0x1f) [0x7f8ffd32f2d2]
>    #1 /usr/local/samba/lib/libsmbconf.so.0(smb_panic_s3+0x6c) [0x7f8ffd32f14b]
>    #2 /usr/local/samba/lib/libsamba-util.so.0(smb_panic+0x28) [0x7f8ffed9f17f]
>    #3 /usr/local/samba/lib/private/libtalloc.so.2(+0x241d) [0x7f8ffe3c041d]
>    #4 /usr/local/samba/lib/private/libtalloc.so.2(+0x2499) [0x7f8ffe3c0499]
>    #5 /usr/local/samba/lib/private/libtalloc.so.2(+0x2516) [0x7f8ffe3c0516]
>    #6 /usr/local/samba/lib/private/libtalloc.so.2(talloc_get_name+0x18) [0x7f8ffe3c1fb6]
>    #7 /usr/local/samba/lib/private/libtalloc.so.2(_talloc_get_type_abort+0x4c) [0x7f8ffe3c2136]
>    #8 /usr/local/samba/lib/libsmbconf.so.0(+0x33ccf) [0x7f8ffd33accf]
>    #9 /usr/local/samba/lib/private/libtevent.so.0(tevent_common_loop_immediate+0x1f5) [0x7f8ffe5cc358]
>    #10 /usr/local/samba/lib/libsmbconf.so.0(run_events_poll+0x56) [0x7f8ffd34b3f9]
>    #11 /usr/local/samba/lib/libsmbconf.so.0(+0x44abd) [0x7f8ffd34babd]
>    #12 /usr/local/samba/lib/private/libtevent.so.0(_tevent_loop_once+0xf4) [0x7f8ffe5cb492]
>    #13 /usr/local/samba/lib/private/libsmbd_base.so(smbd_process+0x12ef) [0x7f8ffe94237b]
>    #14 /usr/local/samba/sbin/smbd(+0xa12d) [0x7f8fff40512d]
>    #15 /usr/local/samba/lib/libsmbconf.so.0(run_events_poll+0x55f) [0x7f8ffd34b902]
>    #16 /usr/local/samba/lib/libsmbconf.so.0(+0x44bce) [0x7f8ffd34bbce]
>    #17 /usr/local/samba/lib/private/libtevent.so.0(_tevent_loop_once+0xf4) [0x7f8ffe5cb492]
>    #18 /usr/local/samba/sbin/smbd(+0xad97) [0x7f8fff405d97]
>    #19 /usr/local/samba/sbin/smbd(main+0x1753) [0x7f8fff40763b]
>    #20 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd) [0x7f8ffbbc1ead]
>    #21 /usr/local/samba/sbin/smbd(+0x5ed9) [0x7f8fff400ed9]
> [2013/11/25 10:53:04.106797, 0] ../source3/lib/dumpcore.c:317(dump_core)
>   dumping core in /usr/local/samba/var/cores/smbd

But 10284 has a patch that fixes a double-free: https://bugzilla.samba.org/attachment.cgi?id=9466. Maybe yours is the same?
After applying the patch (https://bugzilla.samba.org/attachment.cgi?id=9466), I confirm the problem is solved. Thanks!