Univention Bugzilla – Bug 40131
Samba PANIC: Bad talloc magic value - access after free
Last modified: 2015-12-16 13:47:20 CET
We also need to apply the patch to UCS 4.1

+++ This bug was initially created as a clone of Bug #39276 +++

2015051521000324
2015082521000274

We've seen a lot of panics like the following on different customer systems:

Release: 4.0-2 errata264
Linux cortex 3.16.0-ucs135-amd64 #1 SMP Debian 3.16.7-ckt11-1~bpo70+1.135.201507161851 (2015-07-1 x86_64 GNU/Linux
samba 2:4.2.3-1.758.201507271307

[2015/08/24 16:53:53.861384, 2, pid=7762] ../source3/smbd/process.c:2780(deadtime_fn)
  Closing idle connection
[2015/08/24 16:53:53.861763, 2, pid=7762] ../source3/smbd/service.c:1138(close_cnum)
  192.168.42.250 (ipv4:192.168.42.250:61926) closed connection to service dms
[2015/08/24 16:53:53.861962, 2, pid=7762] ../source3/smbd/service.c:1138(close_cnum)
  192.168.42.250 (ipv4:192.168.42.250:61926) closed connection to service vollkomm
[2015/08/24 16:53:53.862130, 2, pid=7762] ../source3/smbd/service.c:1138(close_cnum)
  192.168.42.250 (ipv4:192.168.42.250:61926) closed connection to service users
[2015/08/24 16:53:53.873479, 2, pid=7762] ../source3/smbd/service.c:1138(close_cnum)
[2015/08/24 16:53:53.873562, 0, pid=7762] ../source3/lib/popt_common.c:68(popt_s3_talloc_log_fn)
  talloc: access after free error - first free may be at ../source3/smbd/server_exit.c:228
[2015/08/24 16:53:53.873666, 0, pid=7762] ../source3/lib/popt_common.c:68(popt_s3_talloc_log_fn)
  Bad talloc magic value - access after free
[2015/08/24 16:53:53.873708, 0, pid=7762] ../source3/lib/util.c:788(smb_panic_s3)
  PANIC (pid 7762): Bad talloc magic value - access after free
[2015/08/24 16:53:53.884830, 0, pid=7762] ../source3/lib/util.c:899(log_stack_trace)
  BACKTRACE: 30 stack frames:
   #0 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(log_stack_trace+0x1a) [0x7fbbe6bc9b9a]
   #1 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(smb_panic_s3+0x20) [0x7fbbe6bc9c70]
   #2 /usr/lib/x86_64-linux-gnu/libsamba-util.so.0(smb_panic+0x2f) [0x7fbbe8a3946f]
   #3 /usr/lib/x86_64-linux-gnu/libtalloc.so.2(+0x233b) [0x7fbbe581433b]
   #4 /usr/lib/x86_64-linux-gnu/libtalloc.so.2(talloc_check_name+0x6c) [0x7fbbe581613c]
   #5 /usr/lib/x86_64-linux-gnu/samba/libsamba-sockets.so.0(+0xe6ee) [0x7fbbe67916ee]
   #6 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(close_cnum+0xcf) [0x7fbbe8628e4f]
   #7 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(smbXsrv_tcon_disconnect+0x12c) [0x7fbbe865241c]
   #8 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(+0x1617c8) [0x7fbbe86527c8]
   #9 /usr/lib/x86_64-linux-gnu/libtalloc.so.2(+0x89f6) [0x7fbbe581a9f6]
   #10 /usr/lib/x86_64-linux-gnu/libtalloc.so.2(_talloc_free+0xe4) [0x7fbbe5815524]
   #11 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(+0x164883) [0x7fbbe8655883]
   #12 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(+0x164cfe) [0x7fbbe8655cfe]
   #13 /usr/lib/x86_64-linux-gnu/samba/libsmbd-shim.so.0(exit_server_cleanly+0x12) [0x7fbbe6581d12]
   #14 /usr/sbin/smbd(+0xa78a) [0x7fbbe909878a]
   #15 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(+0x3f66d) [0x7fbbe6bdc66d]
   #16 /usr/lib/x86_64-linux-gnu/libtevent.so.0(tevent_common_loop_immediate+0xe2) [0x7fbbe5608d92]
   #17 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(run_events_poll+0x48) [0x7fbbe6be9d68]
   #18 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(+0x4d07b) [0x7fbbe6bea07b]
   #19 /usr/lib/x86_64-linux-gnu/libtevent.so.0(_tevent_loop_once+0x9d) [0x7fbbe56084dd]
   #20 /usr/lib/x86_64-linux-gnu/libtevent.so.0(tevent_common_loop_wait+0x1b) [0x7fbbe560869b]
   #21 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(smbd_process+0x725) [0x7fbbe86263a5]
   #22 /usr/sbin/smbd(+0xb634) [0x7fbbe9099634]
   #23 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(run_events_poll+0x187) [0x7fbbe6be9ea7]
   #24 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(+0x4d129) [0x7fbbe6bea129]
   #25 /usr/lib/x86_64-linux-gnu/libtevent.so.0(_tevent_loop_once+0x9d) [0x7fbbe56084dd]
   #26 /usr/lib/x86_64-linux-gnu/libtevent.so.0(tevent_common_loop_wait+0x1b) [0x7fbbe560869b]
   #27 /usr/sbin/smbd(main+0x14a2) [0x7fbbe9095b32]
   #28 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd) [0x7fbbe5296ead]
   #29 /usr/sbin/smbd(+0x7f65) [0x7fbbe9095f65]
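A triage helper for logs like the one above, as an added example that is not part of the original report or of Samba: it extracts talloc access-after-free panics from an smbd log and reports, per pid, the first-free site and the last function that logged before the error. The sample records are copied from the report and laid out as a header line plus an indented message line, which is an assumption about the on-disk form; the function names `records` and `talloc_uaf_panics` are hypothetical.

```python
import re

# One smbd debug record header: [timestamp, level, pid=N] file:line(function)
HEADER = re.compile(
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+),"
    r"\s*pid=(?P<pid>\d+)[^\]]*\]\s+(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)"
)
FIRST_FREE = re.compile(r"first free may be at (\S+:\d+)")
TALLOC_LOGGER = "popt_s3_talloc_log_fn"  # logger function name as seen in the report

# Records copied from the report above (trimmed; layout is an assumption).
SAMPLE = """\
[2015/08/24 16:53:53.861384,  2, pid=7762] ../source3/smbd/process.c:2780(deadtime_fn)
  Closing idle connection
[2015/08/24 16:53:53.873479,  2, pid=7762] ../source3/smbd/service.c:1138(close_cnum)
[2015/08/24 16:53:53.873562,  0, pid=7762] ../source3/lib/popt_common.c:68(popt_s3_talloc_log_fn)
  talloc: access after free error - first free may be at ../source3/smbd/server_exit.c:228
[2015/08/24 16:53:53.873666,  0, pid=7762] ../source3/lib/popt_common.c:68(popt_s3_talloc_log_fn)
  Bad talloc magic value - access after free
[2015/08/24 16:53:53.873708,  0, pid=7762] ../source3/lib/util.c:788(smb_panic_s3)
  PANIC (pid 7762): Bad talloc magic value - access after free
"""

def records(text):
    """Yield (header match, message); a message runs up to the next header."""
    heads = list(HEADER.finditer(text))
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        yield h, " ".join(text[h.end():end].split())

def talloc_uaf_panics(text):
    """Return one finding per talloc use-after-free PANIC record."""
    first_free, last_func, findings = {}, {}, []
    for h, msg in records(text):
        pid = int(h["pid"])
        site = FIRST_FREE.search(msg)
        if site:
            first_free[pid] = site.group(1)
        elif msg.startswith("PANIC") and "access after free" in msg:
            findings.append({"pid": pid, "time": h["ts"],
                             "first_free": first_free.get(pid),
                             "last_caller": last_func.get(pid)})
        elif h["func"] != TALLOC_LOGGER:
            last_func[pid] = h["func"]  # code path active before the error
    return findings

if __name__ == "__main__":
    for finding in talloc_uaf_panics(SAMPLE):
        print(finding)
```

Because records are split on header matches rather than on newlines, the same function also works on a log whose line breaks were lost in copying.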
samba has been rebuilt in errata4.1-0 with an adjusted version of the patch from Bug 39276. Advisory: samba.yaml
I recommend that we use the latest patch from https://bugzilla.samba.org/show_bug.cgi?id=11394: https://bugzilla.samba.org/attachment.cgi?id=11677
Rebuilt with new upstream patches. Advisory updated.
The amd64 build was not successful:

make[1]: Leaving directory `/var/build/temp/tmp.geXTRu2zzh/pbuilder/samba-4.3.1'
   dh_clean
 dpkg-source -b samba-4.3.1
dpkg-source: warning: diff `samba-4.3.1/debian/patches/98_bug40131_dbwrap_rbt-add-nested-traverse-protection.patch' patches file samba-4.3.1/lib/dbwrap/dbwrap_rbt.c twice
dpkg-source: warning: diff `samba-4.3.1/debian/patches/98_bug40131_dbwrap_rbt-add-nested-traverse-protection.patch' patches file samba-4.3.1/lib/dbwrap/dbwrap_rbt.c twice
dpkg-source: info: using source format `3.0 (quilt)'
dpkg-source: info: building samba using existing ./samba_4.3.1.orig.tar.gz
dpkg-source: info: local changes detected, the modified files are:
 samba-4.3.1/lib/dbwrap/dbwrap_rbt.c
 samba-4.3.1/source3/torture/torture.c
 samba-4.3.1/source4/dsdb/samdb/ldb_modules/partition.c
dpkg-source: error: aborting due to unexpected upstream changes, see /tmp/samba_4.3.1-1.807.201512081139.diff.3XLKSE
dpkg-source: info: you can integrate the local changes with dpkg-source --commit
dpkg-buildpackage: error: dpkg-source -b samba-4.3.1 gave error exit status 2
Strange patch application issue in amd64, never saw this before. Splitting the patch fixed this. Advisory updated, installation ok.
Tests were successful (Windows 7 + Windows 10). YAML: OK
<http://errata.software-univention.de/ucs/4.1/35.html>