nmbd dying with SIGSEGV on Itanium2

Jay Fenlason fenlason at redhat.com
Wed May 18 15:26:35 GMT 2005


On Wed, May 18, 2005 at 11:13:24AM +0200, Miroslav Zubcic wrote:
> Jay Fenlason <fenlason at redhat.com> writes:
> 
> > This sounds suspiciously like a bug I fixed.  Did you look at
> > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=150582
> > and try the rpms I put on people.redhat.com?
> 
> I have built RPMS on ia64, but I cannot install them right now (not in
> the company's work time, and the only test server is busy, waiting for
> a bug manifestation with debugging symbols for Jeremy ...).
> 
> OTOH, the bug report in https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=150582
> is IMHO only /similar/ to my bug. My nmbd(8) does not crash randomly,
> but on normal restart - IF and only if it has been up and running for
> more than 3 days (default wins TTL?). If I remove wins.dat entries for
> a domain, browser, PDC etc, then nmbd is started without SIGSEGV.
> 
> Second, internal trace in bug #150582 shows that nmbd is dying in
> function "expire_workgroups_and_servers". My nmbd is dying in
> "update_name_ttl":
> 
> [2005/05/12 10:46:41, 0] lib/util.c:smb_panic2(1512)
>   BACKTRACE: 9 stack frames:
>    #0 nmbd(smb_panic2-0xa15fe0) [0x2000000800138c10]
>    #1 nmbd [0x200000080010e0f0]
>    #2 [0xa0000000000107e0]
>    #3 nmbd(update_name_ttl-0xaf72c0) [0x2000000800057950]
>    #4 nmbd(wins_process_name_registration_request-0xada080) [0x2000000800074ba0]
>    #5 nmbd(run_packet_queue-0xaea750) [0x20000008000644e0]
>    #6 nmbd(main-0xb0a290) [0x2000000800044610]
>    #7 /lib/tls/libc.so.6.1(__libc_start_main-0x56d6f0) [0x20000008005e1550]
>    #8 nmbd(_start-0xb0d550) [0x2000000800041700]
> 
> I have found one more workaround for this problem: if I set the wins TTL to
> zero like this:
> 
>  "UPRAVA.HAC.HR#00" 0 255.255.255.255 e4R
>  "UPRAVA.HAC.HR#1b" 0 10.10.50.30 64R
>  "UPRAVA.HAC.HR#1c" 0 10.10.50.30 e4R
>  "UPRAVA.HAC.HR#1e" 0 255.255.255.255 e4R
> 
> ... instead of automatic default:
> 
>  "UPRAVA.HAC.HR#00" 1116178439 255.255.255.255 e4R
>  "UPRAVA.HAC.HR#1b" 1115876845 10.10.50.30 64R
>  "UPRAVA.HAC.HR#1c" 1115876845 10.10.50.30 e4R
>  "UPRAVA.HAC.HR#1e" 1116178054 255.255.255.255 e4R
> 
> Then the bug is not triggered after 3 days, because I suspect function
> update_name_ttl is not used at all, just like when there are no entries
> in wins.dat at all.
> 
> BTW, I'm using almost vanilla Red Hat samba 3.0.10 SRPM package, but
> with one small patch which is not directly connected with this bug:
> http://samba.org/~jerry/patches/post-3.0.10/domain_admin-join.patch
> 
> As I see now, this important patch doesn't apply on 3.0.13 from
> Fenlason's SRPMS - it has *many* rejects. :-( I have a picky
> customer/firm which has switched from samba Red Hat 8 with samba 2.2
> to official RHEL 4 with samba 3, only after this "domain admins join"
> functionality was possible thanks to Jerry and his patch. They want to
> have a per-technician account for joining machines in the samba domain, not
> one - the root, and I cannot convince them of the opposite.

Here's the patch, which I found by diffing the 3.0.10 sources against
3.0.14a because it was faster than trying to chase down a patch file
that I didn't keep once the patch was included in the upstream Samba.

The problem is that the old code contains an "aliasing violation",
which causes gcc-4 to emit bad code that causes memory corruption.
I've done some looking for similar bugs, but I've been busy and
haven't been able to look as well as I'd like.

Try adding this patch to your custom 3.0.10 rpm and see if it fixes
the problem.

			-- JF

--- samba-3.0.10/source/nmbd/nmbd_winsproxy.c	2004-12-15 09:33:13.000000000 -0500
+++ samba-3.0.14a/source/nmbd/nmbd_winsproxy.c	2005-03-11 08:47:05.000000000 -0500
@@ -190,12 +190,15 @@
                                          struct packet_struct *incoming_packet,
                                          struct nmb_name *question_name)
 {
-	long *ud[(sizeof(struct userdata_struct) + sizeof(struct subrec *) + 
-		sizeof(struct packet_struct *))/sizeof(long *) + 1];
-	struct userdata_struct *userdata = (struct userdata_struct *)ud;
+	union {
+	    struct userdata_struct ud;
+	    char c[sizeof(struct userdata_struct) + sizeof(struct subrec *) + 
+		sizeof(struct packet_struct *)+sizeof(long*)];
+	} ud;
+	struct userdata_struct *userdata = &ud.ud;
 	unstring qname;
 
-	memset(ud, '\0', sizeof(ud));
+	memset(&ud, '\0', sizeof(ud));
  
 	userdata->copy_fn = wins_proxy_userdata_copy_fn;
 	userdata->free_fn = wins_proxy_userdata_free_fn;
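Review bot: The size of the new union's character array (`char c[sizeof(struct userdata_struct) + sizeof(struct subrec *) + sizeof(struct packet_struct *)+sizeof(long*)];`) silently encodes that a `struct subrec *` and a `struct packet_struct *` are stored after the struct header, and the trailing `+sizeof(long*)` replaces the old `+ 1` element of slack without saying why; add a comment naming that layout and the reason for the slack so a later cleanup does not shrink the buffer, and check the size at compile time if the tree has a facility for it. The union itself is the right fix for the aliasing violation described in the mail: the removed `long *ud[...]` reinterpreted through `(struct userdata_struct *)ud` has no declared type compatible with the struct accesses made through `userdata`, while `&ud.ud` does, and `memset(&ud, '\0', sizeof(ud))` now clears the whole union object rather than the old array.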
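The following is an added example, written for this page and not code from Samba or from the patch above. It shows the shape of the fix in a self-contained form: a buffer declared as a union whose first member is the struct that is accessed through it, with the two trailing pointers written and read back through the union's byte array instead of through a reinterpreting cast. The types `struct subrec`, `struct packet_struct` and `struct userdata_struct` are constructed stand-ins that only mimic the layout the patch relies on, and `pack_userdata`/`unpack_userdata` are hypothetical helper names.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the Samba types named in the patch (assumption:
 * only the overall shape matters here, not the real field lists). */
struct subrec { int subnet_id; };
struct packet_struct { int sequence; };

struct userdata_struct {
    void (*copy_fn)(struct userdata_struct *);
    void (*free_fn)(struct userdata_struct *);
    size_t userdata_len;
    char data[16];          /* payload, continued past the struct in the caller's buffer */
};

/* The pre-patch pattern, shown as text only: storage declared as an array of
 * long* and then reinterpreted as a struct.  The object's declared type is
 * long*, so stores made through `userdata` may be reordered or dropped by a
 * compiler that applies the strict-aliasing rule (the memory corruption the
 * mail describes).
 *
 *   long *ud[(sizeof(struct userdata_struct) + sizeof(struct subrec *) +
 *             sizeof(struct packet_struct *)) / sizeof(long *) + 1];
 *   struct userdata_struct *userdata = (struct userdata_struct *)ud;
 */

/* The post-patch pattern: the struct is a member of the object, so accesses
 * through it are to an object of the declared type.  The byte array reserves
 * room for the two pointers stored after the struct. */
union proxy_userdata {
    struct userdata_struct ud;
    char c[sizeof(struct userdata_struct) + sizeof(struct subrec *)
           + sizeof(struct packet_struct *) + sizeof(long *)];
};

/* Compile-time check of the sizing arithmetic so the trailing pointers
 * cannot silently overflow the buffer if the struct or array changes. */
_Static_assert(sizeof(union proxy_userdata) >=
               offsetof(struct userdata_struct, data)
               + sizeof(struct subrec *) + sizeof(struct packet_struct *),
               "userdata buffer too small for the trailing pointers");

static void noop_copy(struct userdata_struct *u) { (void)u; }
static void noop_free(struct userdata_struct *u) { (void)u; }

/* Fill the buffer: struct header first, then the subrec and packet pointers
 * copied byte-wise into the area starting at `data`, addressed through the
 * union's char member so no access goes through an incompatible type. */
void pack_userdata(union proxy_userdata *buf, struct subrec *sub,
                   struct packet_struct *pkt)
{
    char *tail = buf->c + offsetof(struct userdata_struct, data);
    memset(buf, 0, sizeof(*buf));
    buf->ud.copy_fn = noop_copy;
    buf->ud.free_fn = noop_free;
    buf->ud.userdata_len = sizeof(sub) + sizeof(pkt);
    memcpy(tail, &sub, sizeof(sub));
    memcpy(tail + sizeof(sub), &pkt, sizeof(pkt));
}

/* Read the two pointers back; returns 1 on success, 0 if the recorded length
 * does not match the expected layout. */
int unpack_userdata(const union proxy_userdata *buf, struct subrec **sub,
                    struct packet_struct **pkt)
{
    const char *tail = buf->c + offsetof(struct userdata_struct, data);
    if (buf->ud.userdata_len != sizeof(*sub) + sizeof(*pkt))
        return 0;
    memcpy(sub, tail, sizeof(*sub));
    memcpy(pkt, tail + sizeof(*sub), sizeof(*pkt));
    return 1;
}

int main(void)
{
    struct subrec s = { 7 };
    struct packet_struct p = { 42 };
    struct subrec *s2 = NULL;
    struct packet_struct *p2 = NULL;
    union proxy_userdata u;

    pack_userdata(&u, &s, &p);
    if (unpack_userdata(&u, &s2, &p2) && s2 == &s && p2 == &p)
        printf("round trip ok: subnet %d, packet %d\n",
               s2->subnet_id, p2->sequence);
    return 0;
}
```

Building with `-O2 -Wall -Wstrict-aliasing=2` is the useful check here: the union version compiles cleanly at the optimisation level that exposes the old pattern, and `_Static_assert` fails the build rather than the running daemon if the sizing arithmetic ever stops covering the trailing pointers.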


More information about the samba-technical mailing list