Univention Bugzilla – Bug 39276
Samba PANIC: Bad talloc magic value - access after free
Last modified: 2015-12-16 15:39:51 CET
Created attachment 7134
smbd coredump from customer system

2015051521000324
2015082521000274

We've seen a lot of panics like the following on different customer systems:

Release: 4.0-2 errata264
Linux cortex 3.16.0-ucs135-amd64 #1 SMP Debian 3.16.7-ckt11-1~bpo70+1.135.201507161851 (2015-07-1 x86_64 GNU/Linux
samba 2:4.2.3-1.758.201507271307

[2015/08/24 16:53:53.861384, 2, pid=7762] ../source3/smbd/process.c:2780(deadtime_fn)
  Closing idle connection
[2015/08/24 16:53:53.861763, 2, pid=7762] ../source3/smbd/service.c:1138(close_cnum)
  192.168.42.250 (ipv4:192.168.42.250:61926) closed connection to service dms
[2015/08/24 16:53:53.861962, 2, pid=7762] ../source3/smbd/service.c:1138(close_cnum)
  192.168.42.250 (ipv4:192.168.42.250:61926) closed connection to service vollkomm
[2015/08/24 16:53:53.862130, 2, pid=7762] ../source3/smbd/service.c:1138(close_cnum)
  192.168.42.250 (ipv4:192.168.42.250:61926) closed connection to service users
[2015/08/24 16:53:53.873479, 2, pid=7762] ../source3/smbd/service.c:1138(close_cnum)
[2015/08/24 16:53:53.873562, 0, pid=7762] ../source3/lib/popt_common.c:68(popt_s3_talloc_log_fn)
  talloc: access after free error - first free may be at ../source3/smbd/server_exit.c:228
[2015/08/24 16:53:53.873666, 0, pid=7762] ../source3/lib/popt_common.c:68(popt_s3_talloc_log_fn)
  Bad talloc magic value - access after free
[2015/08/24 16:53:53.873708, 0, pid=7762] ../source3/lib/util.c:788(smb_panic_s3)
  PANIC (pid 7762): Bad talloc magic value - access after free
[2015/08/24 16:53:53.884830, 0, pid=7762] ../source3/lib/util.c:899(log_stack_trace)
  BACKTRACE: 30 stack frames:
   #0 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(log_stack_trace+0x1a) [0x7fbbe6bc9b9a]
   #1 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(smb_panic_s3+0x20) [0x7fbbe6bc9c70]
   #2 /usr/lib/x86_64-linux-gnu/libsamba-util.so.0(smb_panic+0x2f) [0x7fbbe8a3946f]
   #3 /usr/lib/x86_64-linux-gnu/libtalloc.so.2(+0x233b) [0x7fbbe581433b]
   #4 /usr/lib/x86_64-linux-gnu/libtalloc.so.2(talloc_check_name+0x6c) [0x7fbbe581613c]
   #5 /usr/lib/x86_64-linux-gnu/samba/libsamba-sockets.so.0(+0xe6ee) [0x7fbbe67916ee]
   #6 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(close_cnum+0xcf) [0x7fbbe8628e4f]
   #7 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(smbXsrv_tcon_disconnect+0x12c) [0x7fbbe865241c]
   #8 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(+0x1617c8) [0x7fbbe86527c8]
   #9 /usr/lib/x86_64-linux-gnu/libtalloc.so.2(+0x89f6) [0x7fbbe581a9f6]
   #10 /usr/lib/x86_64-linux-gnu/libtalloc.so.2(_talloc_free+0xe4) [0x7fbbe5815524]
   #11 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(+0x164883) [0x7fbbe8655883]
   #12 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(+0x164cfe) [0x7fbbe8655cfe]
   #13 /usr/lib/x86_64-linux-gnu/samba/libsmbd-shim.so.0(exit_server_cleanly+0x12) [0x7fbbe6581d12]
   #14 /usr/sbin/smbd(+0xa78a) [0x7fbbe909878a]
   #15 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(+0x3f66d) [0x7fbbe6bdc66d]
   #16 /usr/lib/x86_64-linux-gnu/libtevent.so.0(tevent_common_loop_immediate+0xe2) [0x7fbbe5608d92]
   #17 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(run_events_poll+0x48) [0x7fbbe6be9d68]
   #18 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(+0x4d07b) [0x7fbbe6bea07b]
   #19 /usr/lib/x86_64-linux-gnu/libtevent.so.0(_tevent_loop_once+0x9d) [0x7fbbe56084dd]
   #20 /usr/lib/x86_64-linux-gnu/libtevent.so.0(tevent_common_loop_wait+0x1b) [0x7fbbe560869b]
   #21 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(smbd_process+0x725) [0x7fbbe86263a5]
   #22 /usr/sbin/smbd(+0xb634) [0x7fbbe9099634]
   #23 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(run_events_poll+0x187) [0x7fbbe6be9ea7]
   #24 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(+0x4d129) [0x7fbbe6bea129]
   #25 /usr/lib/x86_64-linux-gnu/libtevent.so.0(_tevent_loop_once+0x9d) [0x7fbbe56084dd]
   #26 /usr/lib/x86_64-linux-gnu/libtevent.so.0(tevent_common_loop_wait+0x1b) [0x7fbbe560869b]
   #27 /usr/sbin/smbd(main+0x14a2) [0x7fbbe9095b32]
   #28 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd) [0x7fbbe5296ead]
   #29 /usr/sbin/smbd(+0x7f65) [0x7fbbe9095f65]
(gdb) bt
#0  0x00007fbbe52aa165 in *__GI_raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007fbbe52ad3e0 in *__GI_abort () at abort.c:92
#2  0x00007fbbe6be163b in dump_core () at ../source3/lib/dumpcore.c:337
#3  0x00007fbbe6bc9cd9 in smb_panic_s3 (why=<optimized out>) at ../source3/lib/util.c:811
#4  0x00007fbbe8a3946f in smb_panic (why=0x7fbbe581e2a0 "Bad talloc magic value - access after free") at ../lib/util/fault.c:166
#5  0x00007fbbe581433b in talloc_abort_access_after_free () at ../talloc.c:359
#6  talloc_chunk_from_ptr (ptr=<optimized out>) at ../talloc.c:380
#7  0x00007fbbe581613c in talloc_chunk_from_ptr (ptr=0x7fbbeaa051b0) at ../talloc.c:378
#8  __talloc_get_name (ptr=0x7fbbeaa051b0) at ../talloc.c:1366
#9  talloc_check_name (ptr=0x7fbbeaa051b0, name=name@entry=0x7fbbe6796a87 "struct tsocket_address_bsd") at ../talloc.c:1389
#10 0x00007fbbe67916ee in tsocket_address_bsd_string (addr=0x7fbbeb293d90, mem_ctx=0x7fbbeb02a4a0) at ../lib/tsocket/tsocket_bsd.c:593
#11 0x00007fbbe8628e4f in close_cnum (conn=0x7fbbeb197c60, vuid=0) at ../source3/smbd/service.c:1134
#12 0x00007fbbe865241c in smbXsrv_tcon_disconnect (tcon=tcon@entry=0x7fbbea80f1f0, vuid=vuid@entry=0) at ../source3/smbd/smbXsrv_tcon.c:979
#13 0x00007fbbe86527c8 in smbXsrv_tcon_destructor (tcon=0x7fbbea80f1f0) at ../source3/smbd/smbXsrv_tcon.c:688
#14 0x00007fbbe581a9f6 in _talloc_free_internal (location=0x7fbbe877a1e8 "../source3/smbd/server_exit.c:233", ptr=0x7fbbea80f1f0) at ../talloc.c:993
#15 _talloc_free_children_internal (location=0x7fbbe877a1e8 "../source3/smbd/server_exit.c:233", ptr=0x7fbbea950050, tc=0x7fbbea94fff0) at ../talloc.c:1472
#16 _talloc_free_internal (location=0x7fbbe877a1e8 "../source3/smbd/server_exit.c:233", ptr=0x7fbbea950050) at ../talloc.c:1019
#17 _talloc_free_children_internal (tc=0x7fbbeb7c6c40, ptr=0x7fbbeb7c6ca0, location=0x7fbbe877a1e8 "../source3/smbd/server_exit.c:233") at ../talloc.c:1472
#18 0x00007fbbe5815524 in _talloc_free_internal (location=<optimized out>, ptr=<optimized out>) at ../talloc.c:1019
#19 _talloc_free (ptr=0x7fbbeb7c6ca0, location=0x7fbbe877a1e8 "../source3/smbd/server_exit.c:233") at ../talloc.c:1594
#20 0x00007fbbe8655883 in exit_server_common (how=how@entry=SERVER_EXIT_NORMAL, reason=0x0) at ../source3/smbd/server_exit.c:233
#21 0x00007fbbe8655cfe in smbd_exit_server_cleanly (explanation=<optimized out>) at ../source3/smbd/server_exit.c:266
#22 0x00007fbbe6581d12 in exit_server_cleanly (reason=reason@entry=0x0) at ../source3/lib/smbd_shim.c:131
#23 0x00007fbbe909878a in msg_exit_server (msg=<optimized out>, private_data=<optimized out>, msg_type=<optimized out>, server_id=..., data=<optimized out>) at ../source3/smbd/server.c:144
#24 0x00007fbbe6bdc66d in messaging_defer_callback_trigger (ev=<optimized out>, im=<optimized out>, private_data=<optimized out>) at ../source3/lib/messages.c:869
#25 0x00007fbbe5608d92 in tevent_common_loop_immediate (ev=ev@entry=0x7fbbe9f03c60) at ../tevent_immediate.c:135
#26 0x00007fbbe6be9d68 in run_events_poll (ev=0x7fbbe9f03c60, pollrtn=0, pfds=0x0, num_pfds=0) at ../source3/lib/events.c:192
#27 0x00007fbbe6bea07b in s3_event_loop_once (ev=0x7fbbe9f03c60, location=<optimized out>) at ../source3/lib/events.c:303
#28 0x00007fbbe56084dd in _tevent_loop_once (ev=ev@entry=0x7fbbe9f03c60, location=location@entry=0x7fbbe8762370 "../source3/smbd/process.c:3993") at ../tevent.c:533
#29 0x00007fbbe560869b in tevent_common_loop_wait (ev=0x7fbbe9f03c60, location=0x7fbbe8762370 "../source3/smbd/process.c:3993") at ../tevent.c:637
#30 0x00007fbbe86263a5 in smbd_process (ev_ctx=ev_ctx@entry=0x7fbbe9f03c60, msg_ctx=msg_ctx@entry=0x7fbbe9f03d50, sock_fd=sock_fd@entry=9, interactive=interactive@entry=false) at ../source3/smbd/process.c:3993
#31 0x00007fbbe9099634 in smbd_accept_connection (ev=0x7fbbe9f03c60, fde=<optimized out>, flags=<optimized out>, private_data=<optimized out>) at ../source3/smbd/server.c:627
#32 0x00007fbbe6be9ea7 in run_events_poll (num_pfds=7, pfds=0x7fbbeb1f5300, ev=0x7fbbe9f03c60, pollrtn=<optimized out>) at ../source3/lib/events.c:257
#33 run_events_poll (ev=0x7fbbe9f03c60, pollrtn=<optimized out>, pfds=0x7fbbeb1f5300, num_pfds=7) at ../source3/lib/events.c:179
#34 0x00007fbbe6bea129 in s3_event_loop_once (ev=0x7fbbe9f03c60, location=<optimized out>) at ../source3/lib/events.c:326
#35 0x00007fbbe56084dd in _tevent_loop_once (ev=ev@entry=0x7fbbe9f03c60, location=location@entry=0x7fbbe909c05f "../source3/smbd/server.c:985") at ../tevent.c:533
#36 0x00007fbbe560869b in tevent_common_loop_wait (ev=0x7fbbe9f03c60, location=0x7fbbe909c05f "../source3/smbd/server.c:985") at ../tevent.c:637
#37 0x00007fbbe9095b32 in smbd_parent_loop (ev_ctx=0x7fbbe9f03c60, parent=<optimized out>) at ../source3/smbd/server.c:985
#38 main (argc=<optimized out>, argv=<optimized out>) at ../source3/smbd/server.c:1626
(gdb)
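
Added example (not part of the bug report and not Samba or UCS tooling): a Python triage helper for smbd logs in the format shown in the report above. It groups "Bad talloc magic value" panics by the talloc "first free" location and the first named frame outside the panic and talloc machinery, so the same crash can be recognised across systems. The sample log is constructed from the excerpt, with shortened library paths and made-up pid and addresses; the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the smbd log format quoted above (pid, paths, addresses made up).
SAMPLE = """\
[2015/08/24 16:53:53.861384,  2, pid=101] ../source3/smbd/process.c:2780(deadtime_fn)
  Closing idle connection
[2015/08/24 16:53:53.873562,  0, pid=101] ../source3/lib/popt_common.c:68(popt_s3_talloc_log_fn)
  talloc: access after free error - first free may be at ../source3/smbd/server_exit.c:228
[2015/08/24 16:53:53.873708,  0, pid=101] ../source3/lib/util.c:788(smb_panic_s3)
  PANIC (pid 101): Bad talloc magic value - access after free
[2015/08/24 16:53:53.884830,  0, pid=101] ../source3/lib/util.c:899(log_stack_trace)
  BACKTRACE: 5 stack frames:
   #0 /usr/lib/libsmbconf.so.0(log_stack_trace+0x1a) [0x1000]
   #1 /usr/lib/libsmbconf.so.0(smb_panic_s3+0x20) [0x1001]
   #2 /usr/lib/libtalloc.so.2(+0x233b) [0x1002]
   #3 /usr/lib/libtalloc.so.2(talloc_check_name+0x6c) [0x1003]
   #4 /usr/lib/samba/libsmbd-base.so.0(close_cnum+0xcf) [0x1004]
"""

HEADER = re.compile(r"\[(\d{4}/\d\d/\d\d [\d:.]+),\s*(\d+), pid=(\d+)\]\s+\S+\((\w+)\)")
FIRST_FREE = re.compile(r"first free may be at (\S+)")
FRAME = re.compile(r"#\d+\s+\S+\((\w*)\+0x[0-9a-f]+\)")
# Frames that belong to the panic/talloc machinery, not to the faulting caller.
MACHINERY = re.compile(r"^(log_stack_trace|smb_panic\w*|_?talloc_\w+)$")

def talloc_panics(text):
    """Yield one record per 'Bad talloc magic value' panic in smbd log text."""
    heads = list(HEADER.finditer(text))
    state = {}  # pid -> record being assembled from consecutive log entries
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        when, _level, pid, _func = h.groups()
        msg = text[h.end():end]  # message body runs up to the next entry header
        rec = state.setdefault(pid, {"pid": int(pid), "first_free": None})
        if m := FIRST_FREE.search(msg):
            rec["first_free"] = m.group(1)
        if "PANIC" in msg and "Bad talloc magic value" in msg:
            rec["time"] = when
        if "BACKTRACE:" in msg and "time" in rec:
            syms = [s for s in FRAME.findall(msg) if s and not MACHINERY.match(s)]
            rec["caller"] = syms[0] if syms else None
            yield state.pop(pid)

def signatures(text):
    """Count panics per (first-free location, first non-machinery frame)."""
    return Counter((p["first_free"], p["caller"]) for p in talloc_panics(text))
```

Because it matches on entry headers rather than line breaks, it also handles logs pasted with the newlines collapsed.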
Which SMB file protocol does the customer use (samba/max/protocol)? SMB2 should be used.
(In reply to Stefan Gohmann from comment #2)
> Which SMB file protocol does the customer use (samba/max/protocol)? SMB2
> should be used.

Customer is using NT1 because of better compatibility with Windows applications launched from samba share. But I've seen similar backtraces in environments where max protocol is SMB2.
Samba has been rebuilt in errata4.0-4 with the upstream patch applied. Advisory: samba.yaml
See https://bugzilla.samba.org/show_bug.cgi?id=11394 for an updated patch: https://attachments.samba.org/attachment.cgi?id=11678
Rebuilt with new upstream patches. Advisory updated.
See Bug #40131, the amd64 build fails for 4.0-4 too.
Package rebuilt, Advisory updated, installation ok.
Tests were successful (Windows 7 + Windows 10). YAML: OK
<http://errata.software-univention.de/ucs/4.0/374.html>