Bug 9903 - crash / talloc: access after free error
Status: NEW
Product: Samba 4.0
Classification: Unclassified
Component: File services
Version: 4.0.6
Hardware: All
OS: All
Importance: P5 major
Target Milestone: ---
Assigned To: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Depends on:
Blocks:

Reported: 2013-05-25 18:36 UTC by Nick Semenkovich
Modified: 2013-12-17 11:09 UTC
CC: 2 users

See Also:


Attachments
  gdb; bt full (37.12 KB, text/plain) - 2013-05-25 18:36 UTC, Nick Semenkovich
  core dump file (727.24 KB, application/x-gzip) - 2013-12-17 07:20 UTC, Marc Muehlfeld
  backtrace (2.63 KB, text/plain) - 2013-12-17 07:20 UTC, Marc Muehlfeld

Description Nick Semenkovich 2013-05-25 18:36:22 UTC
Created attachment 8921 [details]
gdb; bt full

Built from: 4.1.0pre1-GIT-1c9ef67

commit 1c9ef675d1a44fb9b0d599f96391abf1e21981c1
Author: Volker Lendecke <vl@samba.org>
Date:   Fri May 17 15:14:58 2013 +0200

    smbd: Fix a ISO C90 forbids mixed declarations and code warning

    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Matthieu Patou <mat@matws.net>

    Autobuild-User(master): Matthieu Patou <mat@samba.org>
    Autobuild-Date(master): Sat May 18 01:40:04 CEST 2013 on sn-devel-104
Crash smbd.log:
[2013/05/25 13:24:38.582662,  0] ../source3/smbd/oplock.c:333(oplock_timeout_handler)
  Oplock break failed for file betsy/Documents/Downloads/Demoto-Backsplash Only.pdf -- replying anyway
[2013/05/25 13:25:02.178940,  0] ../source3/lib/popt_common.c:67(popt_s3_talloc_log_fn)
  talloc: access after free error - first free may be at ../source3/smbd/open.c:1514
[2013/05/25 13:25:02.179114,  0] ../source3/lib/popt_common.c:67(popt_s3_talloc_log_fn)
  Bad talloc magic value - access after free
[2013/05/25 13:25:02.179259,  0] ../source3/lib/util.c:810(smb_panic_s3)
  PANIC (pid 4152): Bad talloc magic value - access after free
[2013/05/25 13:25:02.184976,  1] ../source3/smbd/service.c:1122(close_cnum)
  192.168.0.170 (ipv4:192.168.0.170:55907) closed connection to service betsy
[2013/05/25 13:25:02.211771,  0] ../source3/lib/util.c:921(log_stack_trace)
  BACKTRACE: 22 stack frames:
   #0 /usr/local/samba/lib/libsmbconf.so.0(log_stack_trace+0x1f) [0x7f9ca4103caa]
   #1 /usr/local/samba/lib/libsmbconf.so.0(smb_panic_s3+0x6c) [0x7f9ca4103afd]
   #2 /usr/local/samba/lib/libsamba-util.so.0(smb_panic+0x28) [0x7f9ca5b87c49]
   #3 /usr/local/samba/lib/private/libtalloc.so.2(+0x241f) [0x7f9ca51a441f]
   #4 /usr/local/samba/lib/private/libtalloc.so.2(+0x249b) [0x7f9ca51a449b]
   #5 /usr/local/samba/lib/private/libtalloc.so.2(+0x2518) [0x7f9ca51a4518]
   #6 /usr/local/samba/lib/private/libtalloc.so.2(talloc_get_name+0x18) [0x7f9ca51a5fb8]
   #7 /usr/local/samba/lib/private/libtalloc.so.2(_talloc_get_type_abort+0x4c) [0x7f9ca51a6138]
   #8 /usr/local/samba/lib/libsmbconf.so.0(+0x3130d) [0x7f9ca411130d]
   #9 /usr/local/samba/lib/private/libtevent.so.0(tevent_common_loop_immediate+0x1f5) [0x7f9ca53b0f78]
   #10 /usr/local/samba/lib/libsmbconf.so.0(run_events_poll+0x56) [0x7f9ca4124de3]
   #11 /usr/local/samba/lib/libsmbconf.so.0(+0x454a7) [0x7f9ca41254a7]
   #12 /usr/local/samba/lib/private/libtevent.so.0(_tevent_loop_once+0xf4) [0x7f9ca53b00b2]
   #13 /usr/local/samba/lib/private/libsmbd_base.so(smbd_process+0x12ef) [0x7f9ca5725449]
   #14 /usr/local/samba/sbin/smbd() [0x409ec6]
   #15 /usr/local/samba/lib/libsmbconf.so.0(run_events_poll+0x55f) [0x7f9ca41252ec]
   #16 /usr/local/samba/lib/libsmbconf.so.0(+0x455b8) [0x7f9ca41255b8]
   #17 /usr/local/samba/lib/private/libtevent.so.0(_tevent_loop_once+0xf4) [0x7f9ca53b00b2]
   #18 /usr/local/samba/sbin/smbd() [0x40ab30]
   #19 /usr/local/samba/sbin/smbd(main+0x1709) [0x40c38a]
   #20 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5) [0x7f9ca2972ea5]
   #21 /usr/local/samba/sbin/smbd() [0x4055e9]
[2013/05/25 13:25:02.212732,  0] ../source3/lib/util.c:822(smb_panic_s3)
  smb_panic(): calling panic action [/bin/sleep 99999999]
[2013/05/25 13:25:04.294102,  1] ../source3/smbd/service.c:1122(close_cnum)
  192.168.0.152 (ipv4:192.168.0.152:57569) closed connection to service sysvol
[2013/05/25 13:26:29.799740,  1] ../source3/smbd/service.c:1122(close_cnum)
  192.168.0.152 (ipv4:192.168.0.152:57569) closed connection to service sysvol
[2013/05/25 13:27:19.689165,  1] ../source3/smbd/service.c:1122(close_cnum)
  192.168.0.152 (ipv4:192.168.0.152:57569) closed connection to service sysvol
[2013/05/25 13:28:31.173121,  1] ../source3/smbd/service.c:1122(close_cnum)
  192.168.0.152 (ipv4:192.168.0.152:57569) closed connection to service sysvol
[2013/05/25 13:29:07.193624,  1] ../source3/smbd/service.c:1122(close_cnum)
  192.168.0.152 (ipv4:192.168.0.152:57569) closed connection to service sysvol
Terminated
[2013/05/25 13:31:33.514811,  0] ../source3/lib/util.c:830(smb_panic_s3)
  smb_panic(): action returned status 143
[2013/05/25 13:31:33.515025,  0] ../source3/lib/dumpcore.c:317(dump_core)
  dumping core in /usr/local/samba/var/cores/smbd
[2013/05/25 13:31:33.592143,  1] ../source3/smbd/server.c:456(remove_child_pid)
  Scheduled cleanup of brl and lock database after unclean shutdown
[2013/05/25 13:31:53.598941,  1] ../source3/smbd/server.c:409(cleanup_timeout_fn)
  Cleaning up brl and lock database after unclean shutdown
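The two talloc lines in the log above come from a single check in talloc's chunk validation, shown here as an added, self-contained model of the mechanism. This is not talloc or Samba code: `tracked_alloc`, `tracked_free`, `check_chunk`, `demo_late_access`, the magic constant and the `struct files_struct` sample payload are illustrative assumptions. talloc keeps a header in front of every allocation; `talloc_free()` marks that header as freed and records the caller's `__location__` in it, and a later `talloc_get_type_abort()` on the stale pointer (frame #7 above, reached from `tevent_common_loop_immediate` in frame #9) finds the freed flag, logs "first free may be at <location>" and then panics with "Bad talloc magic value - access after free". The model quarantines freed chunks instead of handing them back to malloc so the check is deterministic; real talloc does free the memory, so its detection only fires while the old header is still intact, and the same bug can instead surface as "unknown value" or as an unrelated crash.

```c
/* Simplified model of talloc's access-after-free detection.
 * Added example, not talloc or Samba code; all names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CHUNK_MAGIC 0xE814EC70u      /* hypothetical "live chunk" marker  */
#define FLAG_FREE   0x01u            /* set once the chunk has been freed */

/* Header placed in front of every allocation, as talloc does. */
struct chunk {
    unsigned int magic;
    unsigned int flags;
    const char  *name;   /* type name while live; free location once freed */
    size_t       size;
};

static struct chunk *chunk_from_ptr(void *ptr)
{
    return (struct chunk *)((char *)ptr - sizeof(struct chunk));
}

/* Allocate size bytes with a validated header in front. */
void *tracked_alloc(size_t size, const char *type_name)
{
    struct chunk *tc = malloc(sizeof(*tc) + size);
    if (tc == NULL) return NULL;
    tc->magic = CHUNK_MAGIC;
    tc->flags = 0;
    tc->name  = type_name;
    tc->size  = size;
    return (char *)tc + sizeof(*tc);
}

/* Validate the header behind ptr. Returns 0 if live, -1 if the chunk was
 * already freed (msg carries the first-free location), -2 if the magic is
 * garbage (not ours, or already overwritten). talloc calls its abort
 * handler (smb_panic in smbd) in both error cases; returning a code keeps
 * this model testable. */
int check_chunk(void *ptr, char *msg, size_t msglen)
{
    struct chunk *tc = chunk_from_ptr(ptr);
    if (tc->magic != CHUNK_MAGIC) {
        snprintf(msg, msglen, "%s", "Bad talloc magic value - unknown value");
        return -2;
    }
    if (tc->flags & FLAG_FREE) {
        snprintf(msg, msglen,
                 "talloc: access after free error - first free may be at %s",
                 tc->name);
        return -1;
    }
    return 0;
}

/* Free with the caller's location, as talloc_free() does via __location__.
 * Quarantines instead of calling free() so the header survives for a later
 * check; real talloc returns the memory to malloc, so its detection is
 * best-effort. Returns 0, or -1 on a double free. */
int tracked_free(void *ptr, const char *location)
{
    char msg[256];
    if (check_chunk(ptr, msg, sizeof msg) != 0) {
        fprintf(stderr, "%s\n", msg);
        return -1;
    }
    struct chunk *tc = chunk_from_ptr(ptr);
    tc->flags |= FLAG_FREE;
    tc->name   = location;          /* remembered for the error message */
    memset(ptr, 0xA5, tc->size);    /* poison the payload */
    return 0;
}

/* Reproduce the shape of this report: free in one place, touch the pointer
 * later from another (a stale tevent immediate in the real crash).
 * Returns the check result of the late access. */
int demo_late_access(char *msg, size_t msglen)
{
    char *fsp = tracked_alloc(64, "struct files_struct");
    if (fsp == NULL) return -3;
    /* constructed location string, copied from the log line above */
    tracked_free(fsp, "../source3/smbd/open.c:1514");
    return check_chunk(fsp, msg, msglen);
}

int main(void)
{
    char msg[256];
    int rc = demo_late_access(msg, sizeof msg);
    printf("%s\n%s\n", msg,
           rc == -1 ? "PANIC: Bad talloc magic value - access after free" : "ok");
    return 0;
}
```

The location in the message is where the chunk was freed (open.c:1514 here), not where the stale access happened; the backtrace identifies the accessor (frame #8 in libsmbconf, run from a tevent immediate). Both are needed to find the owner of the dangling reference, which is why the reporter's `bt full` and the later core dump matter more than the log alone.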
Comment 1 Nick Semenkovich 2013-07-31 20:23:24 UTC
Haven't seen this in a while. Likely fixed/invalid.
Comment 2 Mattias Merilai 2013-10-29 08:37:16 UTC
Oct 29 10:14:18 [smbd] [2013/10/29 10:14:18.717705,  0] ../source3/lib/popt_common.c:67(popt_s3_talloc_log_fn)
Oct 29 10:14:18 [smbd] talloc: access after free error - first free may be at ../source3/smbd/open.c:1529
Oct 29 10:14:18 [smbd] [2013/10/29 10:14:18.718340,  0] ../source3/lib/popt_common.c:67(popt_s3_talloc_log_fn)
Oct 29 10:14:18 [smbd] Bad talloc magic value - access after free
Oct 29 10:14:18 [smbd] [2013/10/29 10:14:18.718743,  0] ../source3/lib/util.c:785(smb_panic_s3)
Oct 29 10:14:18 [smbd] PANIC (pid 21033): Bad talloc magic value - access after free
Oct 29 10:14:18 [smbd] [2013/10/29 10:14:18.721530,  0] ../source3/lib/util.c:896(log_stack_trace)
Oct 29 10:14:18 [smbd] BACKTRACE: 19 stack frames:
Oct 29 10:14:18 [smbd] #0 /usr/lib64/libsmbconf.so.0(log_stack_trace+0x18) [0x7b4c71eba361]
Oct 29 10:14:18 [smbd] #1 /usr/lib64/libsmbconf.so.0(smb_panic_s3+0x4c) [0x7b4c71eba43a]
Oct 29 10:14:18 [smbd] #2 /usr/lib64/libsamba-util.so.0(smb_panic+0x2d) [0x7b4c7335c784]
Oct 29 10:14:18 [smbd] #3 /usr/lib64/libtalloc.so.2(+0x2ac8) [0x7b4c70b1bac8]
Oct 29 10:14:18 [smbd] #4 /usr/lib64/libtalloc.so.2(talloc_get_name+0x7) [0x7b4c70b1bea6]
Oct 29 10:14:18 [smbd] #5 /usr/lib64/libtalloc.so.2(_talloc_get_type_abort+0x4e) [0x7b4c70b1c55c]
Oct 29 10:14:18 [smbd] #6 /usr/lib64/libsmbconf.so.0(+0x2d4de) [0x7b4c71ec14de]
Oct 29 10:14:18 [smbd] #7 /usr/lib64/libtevent.so.0(tevent_common_loop_immediate+0xf1) [0x7b4c709107c6]
Oct 29 10:14:18 [smbd] #8 /usr/lib64/libsmbconf.so.0(run_events_poll+0x45) [0x7b4c71ecbadd]
Oct 29 10:14:18 [smbd] #9 /usr/lib64/libsmbconf.so.0(+0x37d58) [0x7b4c71ecbd58]
Oct 29 10:14:18 [smbd] #10 /usr/lib64/libtevent.so.0(_tevent_loop_once+0x5f) [0x7b4c70910081]
Oct 29 10:14:18 [smbd] #11 /usr/lib64/samba/libsmbd_base.so(smbd_process+0xc38) [0x7b4c72f96e5d]
Oct 29 10:14:18 [smbd] #12 /usr/sbin/smbd(+0xa418) [0x73a19e17418]
Oct 29 10:14:18 [smbd] #13 /usr/lib64/libsmbconf.so.0(run_events_poll+0x250) [0x7b4c71ecbce8]
Oct 29 10:14:18 [smbd] #14 /usr/lib64/libsmbconf.so.0(+0x37e09) [0x7b4c71ecbe09]
Oct 29 10:14:18 [smbd] #15 /usr/lib64/libtevent.so.0(_tevent_loop_once+0x5f) [0x7b4c70910081]
Oct 29 10:14:18 [smbd] #16 /usr/sbin/smbd(main+0x14cc) [0x73a19e1485c]
Oct 29 10:14:18 [smbd] #17 /lib64/libc.so.6(__libc_start_main+0xf5) [0x7b4c70588665]
Oct 29 10:14:18 [smbd] #18 /usr/sbin/smbd(+0x78fd) [0x73a19e148fd]
Oct 29 10:14:18 [smbd] [2013/10/29 10:14:18.727452,  0] ../source3/lib/dumpcore.c:317(dump_core)
Oct 29 10:14:18 [smbd] dumping core in /var/log/samba/cores/smbd


When multiple users are logging in, I get these a lot on 4.1.0.
Comment 3 Mattias Merilai 2013-12-03 06:23:47 UTC
Still happening on 4.1.2.
Comment 4 Marc Muehlfeld 2013-12-17 07:19:08 UTC
I can confirm that problem. Yesterday I switched to 4.1.3 and tonight I hit the following twice:


[2013/12/17 04:04:54.376628,  0, pid=20181] ../source3/lib/popt_common.c:67(popt_s3_talloc_log_fn)
  talloc: access after free error - first free may be at ../source3/smbd/open.c:1569
[2013/12/17 04:04:54.376768,  0, pid=20181] ../source3/lib/popt_common.c:67(popt_s3_talloc_log_fn)
  Bad talloc magic value - access after free
[2013/12/17 04:04:54.376831,  0, pid=20181] ../source3/lib/util.c:785(smb_panic_s3)
  PANIC (pid 20181): Bad talloc magic value - access after free
[2013/12/17 04:04:54.377302,  0, pid=20181] ../source3/lib/util.c:896(log_stack_trace)
  BACKTRACE: 22 stack frames:
   #0 /usr/local/samba/lib/libsmbconf.so.0(log_stack_trace+0x1f) [0x7ff412cf6a02]
   #1 /usr/local/samba/lib/libsmbconf.so.0(smb_panic_s3+0x6d) [0x7ff412cf6871]
   #2 /usr/local/samba/lib/libsamba-util.so.0(smb_panic+0x28) [0x7ff414756c79]
   #3 /usr/local/samba/lib/samba/libtalloc.so.2(+0x20a9) [0x7ff413d8a0a9]
   #4 /usr/local/samba/lib/samba/libtalloc.so.2(+0x2125) [0x7ff413d8a125]
   #5 /usr/local/samba/lib/samba/libtalloc.so.2(+0x21a3) [0x7ff413d8a1a3]
   #6 /usr/local/samba/lib/samba/libtalloc.so.2(talloc_get_name+0x18) [0x7ff413d8bc83]
   #7 /usr/local/samba/lib/samba/libtalloc.so.2(_talloc_get_type_abort+0x4c) [0x7ff413d8be03]
   #8 /usr/local/samba/lib/libsmbconf.so.0(+0x315f7) [0x7ff412d025f7]
   #9 /usr/local/samba/lib/samba/libtevent.so.0(tevent_common_loop_immediate+0x1f9) [0x7ff413f94ee4]
   #10 /usr/local/samba/lib/libsmbconf.so.0(run_events_poll+0x57) [0x7ff412d13057]
   #11 /usr/local/samba/lib/libsmbconf.so.0(+0x42704) [0x7ff412d13704]
   #12 /usr/local/samba/lib/samba/libtevent.so.0(_tevent_loop_once+0xfc) [0x7ff413f93fa9]
   #13 /usr/local/samba/lib/samba/libsmbd_base.so(smbd_process+0x1331) [0x7ff4142faf55]
   #14 /usr/sbin/smbd(+0x99ea) [0x7ff414dbe9ea]
   #15 /usr/local/samba/lib/libsmbconf.so.0(run_events_poll+0x544) [0x7ff412d13544]
   #16 /usr/local/samba/lib/libsmbconf.so.0(+0x4281a) [0x7ff412d1381a]
   #17 /usr/local/samba/lib/samba/libtevent.so.0(_tevent_loop_once+0xfc) [0x7ff413f93fa9]
   #18 /usr/sbin/smbd(+0xa669) [0x7ff414dbf669]
   #19 /usr/sbin/smbd(main+0x15d1) [0x7ff414dc0d8b]
   #20 /lib64/libc.so.6(__libc_start_main+0xfd) [0x7ff41158ad1d]
   #21 /usr/sbin/smbd(+0x56c9) [0x7ff414dba6c9]
[2013/12/17 04:04:54.377820,  0, pid=20181] ../source3/lib/util.c:797(smb_panic_s3)
  smb_panic(): calling panic action [/usr/local/bin/panic-action 20181]
[2013/12/17 04:04:54.681254,  0, pid=20181] ../source3/lib/util.c:805(smb_panic_s3)
  smb_panic(): action returned status 0
[2013/12/17 04:04:54.681466,  0, pid=20181] ../source3/lib/dumpcore.c:317(dump_core)
  dumping core in /var/log/samba//cores/smbd
Comment 5 Marc Muehlfeld 2013-12-17 07:20:19 UTC
Created attachment 9527 [details]
core dump file
Comment 6 Marc Muehlfeld 2013-12-17 07:20:58 UTC
Created attachment 9528 [details]
backtrace
Comment 7 Volker Lendecke 2013-12-17 10:24:15 UTC
This is different from bug 10250 or bug 10284? Please note that because it's a security release only, 4.1.3 does not contain the patches from those bugs.
Comment 8 Marc Muehlfeld 2013-12-17 10:44:48 UTC
(In reply to comment #7)
> This is different from bug 10250 or bug 10284? Please note that because it's a
> security release only, 4.1.3 does not contain the patches from those bugs.

You are right. 
The patches from Bug 10250 and bug 10284 were pushed shortly *after* 4.1.2 was released. And as 4.1.3 was a security release, it wasn't included, of course.


But the patch from 10284 doesn't apply to 4.1.3:
# patch -p 1 < patch.txt
patching file source3/lib/msg_channel.c
Hunk #7 FAILED at 228.
1 out of 9 hunks FAILED -- saving rejects to file source3/lib/msg_channel.c.rej
Comment 9 Volker Lendecke 2013-12-17 10:52:11 UTC
It is possible that you have to apply the patch from 10250 before you apply 10284.
Comment 10 Volker Lendecke 2013-12-17 10:52:39 UTC
The question remains -- is this a different crash than those two?
Comment 11 Marc Muehlfeld 2013-12-17 11:09:20 UTC
(In reply to comment #9)
> It is possible that you have to apply the patch from 10250 before you apply
> 10284.

10250 before 10284 applies fine. Thanks.
(In reply to comment #10)
> The question remains -- is this a different crash than those two?

I guess it isn't, if 4.1.2 and 4.1.3 didn't contain the patch(es). I upgraded last night from a patched 4.1.1 to plain 4.1.3 and didn't notice that the patches are not included yet. That's why I thought this could be a new/different issue and hooked it up to this bug report, as it contained the same errors and was still open.

I'll recheck 4.1.3 with the two patches in the next two nights and give feedback.