Bug 39276 - Samba PANIC: Bad talloc magic value - access after free
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Samba4
UCS 4.0
Other Linux
Importance: P5 normal
Target Milestone: UCS 4.0-4-errata
Assigned To: Arvid Requate
Stefan Gohmann
https://bugzilla.samba.org/show_bug.c...
Depends on:
Blocks: 40131
Reported: 2015-08-27 12:50 CEST by Janis Meybohm
Modified: 2015-12-16 15:39 CET (History)
Attachments
smbd coredump from customer system (4.97 MB, application/gzip)
2015-08-27 12:50 CEST, Janis Meybohm
Description Janis Meybohm univentionstaff 2015-08-27 12:50:56 CEST
Created attachment 7134 [details]
smbd coredump from customer system

2015051521000324
2015082521000274

We've seen a lot of panics like the following on different customer systems:

Release:        4.0-2 errata264
Linux cortex 3.16.0-ucs135-amd64 #1 SMP Debian 3.16.7-ckt11-1~bpo70+1.135.201507161851 (2015-07-1 x86_64 GNU/Linux

samba 2:4.2.3-1.758.201507271307 
[2015/08/24 16:53:53.861384,  2, pid=7762] ../source3/smbd/process.c:2780(deadtime_fn)
  Closing idle connection
[2015/08/24 16:53:53.861763,  2, pid=7762] ../source3/smbd/service.c:1138(close_cnum)
  192.168.42.250 (ipv4:192.168.42.250:61926) closed connection to service dms
[2015/08/24 16:53:53.861962,  2, pid=7762] ../source3/smbd/service.c:1138(close_cnum)
  192.168.42.250 (ipv4:192.168.42.250:61926) closed connection to service vollkomm
[2015/08/24 16:53:53.862130,  2, pid=7762] ../source3/smbd/service.c:1138(close_cnum)
  192.168.42.250 (ipv4:192.168.42.250:61926) closed connection to service users
[2015/08/24 16:53:53.873479,  2, pid=7762] ../source3/smbd/service.c:1138(close_cnum)
[2015/08/24 16:53:53.873562,  0, pid=7762] ../source3/lib/popt_common.c:68(popt_s3_talloc_log_fn)
  talloc: access after free error - first free may be at ../source3/smbd/server_exit.c:228
[2015/08/24 16:53:53.873666,  0, pid=7762] ../source3/lib/popt_common.c:68(popt_s3_talloc_log_fn)
  Bad talloc magic value - access after free
[2015/08/24 16:53:53.873708,  0, pid=7762] ../source3/lib/util.c:788(smb_panic_s3)
  PANIC (pid 7762): Bad talloc magic value - access after free
[2015/08/24 16:53:53.884830,  0, pid=7762] ../source3/lib/util.c:899(log_stack_trace)
  BACKTRACE: 30 stack frames:
   #0 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(log_stack_trace+0x1a) [0x7fbbe6bc9b9a]
   #1 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(smb_panic_s3+0x20) [0x7fbbe6bc9c70]
   #2 /usr/lib/x86_64-linux-gnu/libsamba-util.so.0(smb_panic+0x2f) [0x7fbbe8a3946f]
   #3 /usr/lib/x86_64-linux-gnu/libtalloc.so.2(+0x233b) [0x7fbbe581433b]
   #4 /usr/lib/x86_64-linux-gnu/libtalloc.so.2(talloc_check_name+0x6c) [0x7fbbe581613c]
   #5 /usr/lib/x86_64-linux-gnu/samba/libsamba-sockets.so.0(+0xe6ee) [0x7fbbe67916ee]
   #6 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(close_cnum+0xcf) [0x7fbbe8628e4f]
   #7 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(smbXsrv_tcon_disconnect+0x12c) [0x7fbbe865241c]
   #8 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(+0x1617c8) [0x7fbbe86527c8]
   #9 /usr/lib/x86_64-linux-gnu/libtalloc.so.2(+0x89f6) [0x7fbbe581a9f6]
   #10 /usr/lib/x86_64-linux-gnu/libtalloc.so.2(_talloc_free+0xe4) [0x7fbbe5815524]
   #11 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(+0x164883) [0x7fbbe8655883]
   #12 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(+0x164cfe) [0x7fbbe8655cfe]
   #13 /usr/lib/x86_64-linux-gnu/samba/libsmbd-shim.so.0(exit_server_cleanly+0x12) [0x7fbbe6581d12]
   #14 /usr/sbin/smbd(+0xa78a) [0x7fbbe909878a]
   #15 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(+0x3f66d) [0x7fbbe6bdc66d]
   #16 /usr/lib/x86_64-linux-gnu/libtevent.so.0(tevent_common_loop_immediate+0xe2) [0x7fbbe5608d92]
   #17 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(run_events_poll+0x48) [0x7fbbe6be9d68]
   #18 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(+0x4d07b) [0x7fbbe6bea07b]
   #19 /usr/lib/x86_64-linux-gnu/libtevent.so.0(_tevent_loop_once+0x9d) [0x7fbbe56084dd]
   #20 /usr/lib/x86_64-linux-gnu/libtevent.so.0(tevent_common_loop_wait+0x1b) [0x7fbbe560869b]
   #21 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(smbd_process+0x725) [0x7fbbe86263a5]
   #22 /usr/sbin/smbd(+0xb634) [0x7fbbe9099634]
   #23 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(run_events_poll+0x187) [0x7fbbe6be9ea7]
   #24 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(+0x4d129) [0x7fbbe6bea129]
   #25 /usr/lib/x86_64-linux-gnu/libtevent.so.0(_tevent_loop_once+0x9d) [0x7fbbe56084dd]
   #26 /usr/lib/x86_64-linux-gnu/libtevent.so.0(tevent_common_loop_wait+0x1b) [0x7fbbe560869b]
   #27 /usr/sbin/smbd(main+0x14a2) [0x7fbbe9095b32]
   #28 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd) [0x7fbbe5296ead]
   #29 /usr/sbin/smbd(+0x7f65) [0x7fbbe9095f65]
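Because the report says the same panic shows up on several customer systems, the first triage step is to extract each PANIC from the smbd log together with the talloc "first free may be at" hint that precedes it and the backtrace that follows it, and to reduce those to a grouping key. The parser below is an added example written for this page; it is not Univention's or Samba's code. It assumes only the log line shapes visible in the excerpt above (the `[date, level, pid=N] file:line(function)` entry header, the `PANIC (pid N): ...` body, and `#N object(symbol+offset) [address]` frames); the function names `parse_smbd_log`, `culprit_frame` and `panic_signature` are mine, and the embedded sample is a constructed subset of the excerpt above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Entry header as in the excerpt above: "[date time,  level, pid=N] file:line(function)"
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+),\s*pid=(?P<pid>\d+)\]"
    r"\s*(?P<src>\S+):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)
# Backtrace frame: "#N /path/object.so(symbol+0xoffset) [0xaddress]"; the symbol may be empty
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+)\s+(?P<obj>\S+?)\((?P<sym>[^)]*)\)\s+\[0x[0-9a-f]+\]\s*$")
PANIC_RE = re.compile(r"^\s*PANIC \(pid (?P<pid>\d+)\): (?P<msg>.+?)\s*$")
FIRST_FREE_RE = re.compile(r"first free may be at (?P<loc>\S+)")
# Frames that belong to the abort path itself, not to the code that touched freed memory
PANIC_MACHINERY = {"log_stack_trace", "smb_panic_s3", "smb_panic", "dump_core",
                   "talloc_abort_access_after_free", "talloc_check_name"}


@dataclass
class Panic:
    pid: int
    timestamp: str
    message: str
    first_free: Optional[str] = None  # talloc's "first free may be at file:line" hint, if logged
    frames: List[Tuple[int, str, str]] = field(default_factory=list)  # (index, object, symbol)


def parse_smbd_log(lines):
    """Collect PANIC entries, each with the talloc hint logged before it and the backtrace after it."""
    panics = []
    header = None    # most recent entry header
    first_free = {}  # pid -> location from the talloc log line preceding the panic
    current = None   # Panic whose backtrace frames are being collected
    for raw in lines:
        line = raw.rstrip("\n")
        m = HEADER_RE.match(line)
        if m:
            header = m.groupdict()
            if header["func"] != "log_stack_trace":
                current = None  # any other entry ends frame collection
            continue
        if header is None:
            continue
        func = header["func"]
        if func == "popt_s3_talloc_log_fn":
            ff = FIRST_FREE_RE.search(line)
            if ff:
                first_free[int(header["pid"])] = ff.group("loc")
        elif func == "smb_panic_s3":
            pm = PANIC_RE.match(line)
            if pm:
                pid = int(pm.group("pid"))
                current = Panic(pid, header["ts"], pm.group("msg"), first_free.pop(pid, None))
                panics.append(current)
        elif func == "log_stack_trace" and current is not None:
            fm = FRAME_RE.match(line)
            if fm:
                obj = fm.group("obj").rsplit("/", 1)[-1]
                current.frames.append((int(fm.group("n")), obj, fm.group("sym")))
    return panics


def culprit_frame(panic):
    """First named frame outside the abort path and libtalloc: the code that used the freed chunk."""
    for _, obj, sym in panic.frames:
        name = sym.split("+", 1)[0]
        if name and name not in PANIC_MACHINERY and not obj.startswith("libtalloc"):
            return name
    return None


def panic_signature(panic):
    """Grouping key for 'the same crash' across systems: message, first-free site, culprit function."""
    return f"{panic.message} | first free: {panic.first_free or '?'} | in: {culprit_frame(panic) or '?'}"


# Constructed sample: the start of the log excerpt in the report above (frames after #6 omitted)
SAMPLE_LOG = """\
[2015/08/24 16:53:53.873479,  2, pid=7762] ../source3/smbd/service.c:1138(close_cnum)
[2015/08/24 16:53:53.873562,  0, pid=7762] ../source3/lib/popt_common.c:68(popt_s3_talloc_log_fn)
  talloc: access after free error - first free may be at ../source3/smbd/server_exit.c:228
[2015/08/24 16:53:53.873666,  0, pid=7762] ../source3/lib/popt_common.c:68(popt_s3_talloc_log_fn)
  Bad talloc magic value - access after free
[2015/08/24 16:53:53.873708,  0, pid=7762] ../source3/lib/util.c:788(smb_panic_s3)
  PANIC (pid 7762): Bad talloc magic value - access after free
[2015/08/24 16:53:53.884830,  0, pid=7762] ../source3/lib/util.c:899(log_stack_trace)
  BACKTRACE: 30 stack frames:
   #0 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(log_stack_trace+0x1a) [0x7fbbe6bc9b9a]
   #1 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(smb_panic_s3+0x20) [0x7fbbe6bc9c70]
   #2 /usr/lib/x86_64-linux-gnu/libsamba-util.so.0(smb_panic+0x2f) [0x7fbbe8a3946f]
   #3 /usr/lib/x86_64-linux-gnu/libtalloc.so.2(+0x233b) [0x7fbbe581433b]
   #4 /usr/lib/x86_64-linux-gnu/libtalloc.so.2(talloc_check_name+0x6c) [0x7fbbe581613c]
   #5 /usr/lib/x86_64-linux-gnu/samba/libsamba-sockets.so.0(+0xe6ee) [0x7fbbe67916ee]
   #6 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(close_cnum+0xcf) [0x7fbbe8628e4f]
"""


def parse_sample():
    return parse_smbd_log(SAMPLE_LOG.splitlines())
```

Run over a real smbd log, `panic_signature` collapses the excerpt above to one key: the talloc message, the first-free site `../source3/smbd/server_exit.c:228`, and `close_cnum` as the first non-abort, non-libtalloc frame, which is exactly the tuple worth comparing across the customer systems mentioned in the report. Frames whose object has no symbol (`+0x233b`) are kept but skipped for the culprit, since they cannot be compared between builds.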
Comment 1 Stefan Gohmann univentionstaff 2015-08-31 07:49:27 CEST
(gdb) bt
#0  0x00007fbbe52aa165 in *__GI_raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007fbbe52ad3e0 in *__GI_abort () at abort.c:92
#2  0x00007fbbe6be163b in dump_core () at ../source3/lib/dumpcore.c:337
#3  0x00007fbbe6bc9cd9 in smb_panic_s3 (why=<optimized out>) at ../source3/lib/util.c:811
#4  0x00007fbbe8a3946f in smb_panic (why=0x7fbbe581e2a0 "Bad talloc magic value - access after free") at ../lib/util/fault.c:166
#5  0x00007fbbe581433b in talloc_abort_access_after_free () at ../talloc.c:359
#6  talloc_chunk_from_ptr (ptr=<optimized out>) at ../talloc.c:380
#7  0x00007fbbe581613c in talloc_chunk_from_ptr (ptr=0x7fbbeaa051b0) at ../talloc.c:378
#8  __talloc_get_name (ptr=0x7fbbeaa051b0) at ../talloc.c:1366
#9  talloc_check_name (ptr=0x7fbbeaa051b0, name=name@entry=0x7fbbe6796a87 "struct tsocket_address_bsd") at ../talloc.c:1389
#10 0x00007fbbe67916ee in tsocket_address_bsd_string (addr=0x7fbbeb293d90, mem_ctx=0x7fbbeb02a4a0) at ../lib/tsocket/tsocket_bsd.c:593
#11 0x00007fbbe8628e4f in close_cnum (conn=0x7fbbeb197c60, vuid=0) at ../source3/smbd/service.c:1134
#12 0x00007fbbe865241c in smbXsrv_tcon_disconnect (tcon=tcon@entry=0x7fbbea80f1f0, vuid=vuid@entry=0) at ../source3/smbd/smbXsrv_tcon.c:979
#13 0x00007fbbe86527c8 in smbXsrv_tcon_destructor (tcon=0x7fbbea80f1f0) at ../source3/smbd/smbXsrv_tcon.c:688
#14 0x00007fbbe581a9f6 in _talloc_free_internal (location=0x7fbbe877a1e8 "../source3/smbd/server_exit.c:233", ptr=0x7fbbea80f1f0) at ../talloc.c:993
#15 _talloc_free_children_internal (location=0x7fbbe877a1e8 "../source3/smbd/server_exit.c:233", ptr=0x7fbbea950050, tc=0x7fbbea94fff0) at ../talloc.c:1472
#16 _talloc_free_internal (location=0x7fbbe877a1e8 "../source3/smbd/server_exit.c:233", ptr=0x7fbbea950050) at ../talloc.c:1019
#17 _talloc_free_children_internal (tc=0x7fbbeb7c6c40, ptr=0x7fbbeb7c6ca0, location=0x7fbbe877a1e8 "../source3/smbd/server_exit.c:233") at ../talloc.c:1472
#18 0x00007fbbe5815524 in _talloc_free_internal (location=<optimized out>, ptr=<optimized out>) at ../talloc.c:1019
#19 _talloc_free (ptr=0x7fbbeb7c6ca0, location=0x7fbbe877a1e8 "../source3/smbd/server_exit.c:233") at ../talloc.c:1594
#20 0x00007fbbe8655883 in exit_server_common (how=how@entry=SERVER_EXIT_NORMAL, reason=0x0) at ../source3/smbd/server_exit.c:233
#21 0x00007fbbe8655cfe in smbd_exit_server_cleanly (explanation=<optimized out>) at ../source3/smbd/server_exit.c:266
#22 0x00007fbbe6581d12 in exit_server_cleanly (reason=reason@entry=0x0) at ../source3/lib/smbd_shim.c:131
#23 0x00007fbbe909878a in msg_exit_server (msg=<optimized out>, private_data=<optimized out>, msg_type=<optimized out>, server_id=..., data=<optimized out>) at ../source3/smbd/server.c:144
#24 0x00007fbbe6bdc66d in messaging_defer_callback_trigger (ev=<optimized out>, im=<optimized out>, private_data=<optimized out>) at ../source3/lib/messages.c:869
#25 0x00007fbbe5608d92 in tevent_common_loop_immediate (ev=ev@entry=0x7fbbe9f03c60) at ../tevent_immediate.c:135
#26 0x00007fbbe6be9d68 in run_events_poll (ev=0x7fbbe9f03c60, pollrtn=0, pfds=0x0, num_pfds=0) at ../source3/lib/events.c:192
#27 0x00007fbbe6bea07b in s3_event_loop_once (ev=0x7fbbe9f03c60, location=<optimized out>) at ../source3/lib/events.c:303
#28 0x00007fbbe56084dd in _tevent_loop_once (ev=ev@entry=0x7fbbe9f03c60, location=location@entry=0x7fbbe8762370 "../source3/smbd/process.c:3993") at ../tevent.c:533
#29 0x00007fbbe560869b in tevent_common_loop_wait (ev=0x7fbbe9f03c60, location=0x7fbbe8762370 "../source3/smbd/process.c:3993") at ../tevent.c:637
#30 0x00007fbbe86263a5 in smbd_process (ev_ctx=ev_ctx@entry=0x7fbbe9f03c60, msg_ctx=msg_ctx@entry=0x7fbbe9f03d50, sock_fd=sock_fd@entry=9, interactive=interactive@entry=false)
    at ../source3/smbd/process.c:3993
#31 0x00007fbbe9099634 in smbd_accept_connection (ev=0x7fbbe9f03c60, fde=<optimized out>, flags=<optimized out>, private_data=<optimized out>) at ../source3/smbd/server.c:627
#32 0x00007fbbe6be9ea7 in run_events_poll (num_pfds=7, pfds=0x7fbbeb1f5300, ev=0x7fbbe9f03c60, pollrtn=<optimized out>) at ../source3/lib/events.c:257
#33 run_events_poll (ev=0x7fbbe9f03c60, pollrtn=<optimized out>, pfds=0x7fbbeb1f5300, num_pfds=7) at ../source3/lib/events.c:179
#34 0x00007fbbe6bea129 in s3_event_loop_once (ev=0x7fbbe9f03c60, location=<optimized out>) at ../source3/lib/events.c:326
#35 0x00007fbbe56084dd in _tevent_loop_once (ev=ev@entry=0x7fbbe9f03c60, location=location@entry=0x7fbbe909c05f "../source3/smbd/server.c:985") at ../tevent.c:533
#36 0x00007fbbe560869b in tevent_common_loop_wait (ev=0x7fbbe9f03c60, location=0x7fbbe909c05f "../source3/smbd/server.c:985") at ../tevent.c:637
#37 0x00007fbbe9095b32 in smbd_parent_loop (ev_ctx=0x7fbbe9f03c60, parent=<optimized out>) at ../source3/smbd/server.c:985
#38 main (argc=<optimized out>, argv=<optimized out>) at ../source3/smbd/server.c:1626
(gdb)
Comment 2 Stefan Gohmann univentionstaff 2015-08-31 08:03:25 CEST
Which SMB file protocol does the customer use (samba/max/protocol)? SMB2 should be used.
Comment 3 Janis Meybohm univentionstaff 2015-08-31 09:10:43 CEST
(In reply to Stefan Gohmann from comment #2)
> Which SMB file protocol does the customer use (samba/max/protocol)? SMB2
> should be used.

Customer is using NT1 because of better compatibility with Windows applications launched from a Samba share. But I've seen similar backtraces in environments where max protocol is SMB2.
Comment 4 Arvid Requate univentionstaff 2015-11-30 16:26:26 CET
Samba has been rebuilt in errata4.0-4 with the upstream patch applied.

Advisory: samba.yaml
Comment 5 Stefan Gohmann univentionstaff 2015-12-08 06:57:22 CET
See https://bugzilla.samba.org/show_bug.cgi?id=11394 for an updated patch:

https://attachments.samba.org/attachment.cgi?id=11678
Comment 6 Arvid Requate univentionstaff 2015-12-08 12:15:24 CET
Rebuilt with new upstream patches.
Advisory updated.
Comment 7 Stefan Gohmann univentionstaff 2015-12-09 06:27:09 CET
See Bug #40131, the amd64 build fails for 4.0-4 too.
Comment 8 Arvid Requate univentionstaff 2015-12-10 10:57:02 CET
Package rebuilt, Advisory updated, installation ok.
Comment 9 Stefan Gohmann univentionstaff 2015-12-15 06:19:35 CET
Tests were successful (Windows 7 + Windows 10).

YAML: OK
Comment 10 Janek Walkenhorst univentionstaff 2015-12-16 15:39:51 CET
<http://errata.software-univention.de/ucs/4.0/374.html>