winbindd panic

Ephi Dror Ephi.Dror at datadomain.com
Mon Sep 15 21:40:33 GMT 2008


Hello Everyone,

We have experienced winbindd panics a couple of times and would like to get your opinion on how similar they are to the one recently fixed in 3.0.32, and whether you feel that 3.0.32 fixes this too or there is another scenario here which needs more investigation.

Here are the panic details (we experienced the same crash twice on a couple of systems that run 3.0.25):

- The panic is due to a double free in the talloc module.

- The scenario starts in process_loop() for a write event calling rw_callback().

In rw_callback(), sys_write() failed and the finished function was called.

winbindd.core:
--------------
(gdb) bt
#0  0x00002aaaab9b8b93 in raise () from /lib64/libc.so.6
#1  0x00002aaaab9ba039 in abort () from /lib64/libc.so.6
#2  0x000055555561d162 in dump_core () at lib/fault.c:222
#3  0x000055555562ea65 in smb_panic (why=<value optimized out>) at
lib/util.c:1648
#4  0x000055555561cd72 in fault_report (sig=6) at lib/fault.c:47
#5  0x000055555561cd90 in sig_fault (sig=6) at lib/fault.c:75
#6  <signal handler called>
#7  0x00002aaaab9b8b93 in raise () from /lib64/libc.so.6
#8  0x00002aaaab9ba039 in abort () from /lib64/libc.so.6
#9  0x00005555556165ef in talloc_get_name (ptr=0xfba) at
lib/talloc/talloc.c:126
#10 0x000055555561663d in talloc_check_name (ptr=0xfba,
    name=0x55555574ea63 "struct winbindd_async_request") at
lib/talloc/talloc.c:638
#11 0x0000555555630e71 in talloc_check_name_abort (ptr=0xfba, name=0xfba "")
    at lib/util.c:2972
#12 0x00005555555d24a3 in async_main_request_sent (private_data=0xfba,
success=0)
    at nsswitch/winbindd_dual.c:141
#13 0x00005555555ab59d in rw_callback (event=0x5555558e7780, flags=2)
    at nsswitch/winbindd.c:374
#14 0x00005555555ac296 in process_loop () at nsswitch/winbindd.c:832
#15 0x00005555555acc7a in main (argc=-2321424, argv=<value optimized out>,
    envp=<value optimized out>) at nsswitch/winbindd.c:1115

Frame 9:
--------
The actual crash is at line 126:
120 static inline struct talloc_chunk *talloc_chunk_from_ptr(const void *ptr)
121 {
122   const char *pp = (const char *)ptr;
123   struct talloc_chunk *tc = discard_const_p(struct talloc_chunk, pp - TC_HDR_SIZE);
124   if (unlikely((tc->flags & (TALLOC_FLAG_FREE | ~0xF)) != TALLOC_MAGIC)) {
125    if (tc->flags & TALLOC_FLAG_FREE) {
126     TALLOC_ABORT("Bad talloc magic value - double free");
127    } else {
128     TALLOC_ABORT("Bad talloc magic value - unknown value");
129    }
130   }
131   return tc;
132 }

We found out that in our panic, flags = 0xe814ec73, which means TALLOC_MAGIC | TALLOC_FLAG_LOOP | TALLOC_FLAG_FREE.

What it means is that we are working on a request that has already been marked as freed.

The request in question is:
-----------------------------
(gdb) p/x 0x555555935ba0-80
$52 = 0x555555935b50
(gdb) p *(struct talloc_chunk*)0x555555935b50
$53 = {next = 0x55555592b690, prev = 0x2aaaabbac7c8, parent = 0x5555558fb8a0,
child = 0x0, refs = 0x0, destructor = 0, name = 0x55555574ea63 "struct
winbindd_async_request", size = 64, flags = 3893685363}
(gdb) p/x *(struct talloc_chunk*)0x555555935b50
$54 = {next = 0x55555592b690, prev = 0x2aaaabbac7c8, parent = 0x5555558fb8a0,
child = 0x0, refs = 0x0, destructor = 0x0, name = 0x55555574ea63, size = 0x40,
flags = 0xe814ec73}
(gdb) p *(( struct winbindd_async_request*)0x555555935ba0)->request
$55 = {length = 2088, cmd = WINBINDD_DUAL_UID2SID, pid = 0, flags = 0,
domain_name = '\0' <repeats 255 times>, data = {winsreq = '\0' <repeats 255
times>, username = '\0' <repeats 255 times>,
    groupname = '\0' <repeats 255 times>, uid = 0, gid = 0, auth = {user = '\0'
<repeats 255 times>, pass = '\0' <repeats 255 times>, require_membership_of_sid
= '\0' <repeats 1023 times>,
      krb5_cc_type = '\0' <repeats 255 times>, uid = 0}, auth_crap = {chal =
"\000\000\000\000\000\000\000", logon_parameters = 0, user = '\0' <repeats 255
times>, domain = '\0' <repeats 255 times>,
      lm_resp = '\0' <repeats 255 times>, lm_resp_len = 0, nt_resp = '\0'
<repeats 255 times>, nt_resp_len = 0, workstation = '\0' <repeats 255 times>,
      require_membership_of_sid = '\0' <repeats 255 times>}, chauthtok = {user =
'\0' <repeats 255 times>, oldpass = '\0' <repeats 255 times>, newpass = '\0'
<repeats 255 times>}, chng_pswd_auth_crap = {
      user = '\0' <repeats 255 times>, domain = '\0' <repeats 255 times>,
new_nt_pswd = '\0' <repeats 515 times>, new_nt_pswd_len = 0, old_nt_hash_enc =
'\0' <repeats 15 times>, old_nt_hash_enc_len = 0,
      new_lm_pswd = '\0' <repeats 515 times>, new_lm_pswd_len = 0,
old_lm_hash_enc = '\0' <repeats 15 times>, old_lm_hash_enc_len = 0}, logoff =
{user = '\0' <repeats 255 times>,
      krb5ccname = '\0' <repeats 255 times>, uid = 0}, sid = '\0' <repeats 255
times>, name = {dom_name = '\0' <repeats 255 times>, name = '\0' <repeats 255
times>}, num_entries = 0, acct_mgt = {
      username = '\0' <repeats 255 times>, groupname = '\0' <repeats 255
times>}, init_conn = {is_primary = 0, dcname = '\0' <repeats 255 times>},
dual_sid2id = {sid = '\0' <repeats 255 times>,
      name = '\0' <repeats 255 times>}, dual_idmapset = {sid = '\0' <repeats 255
times>, type = 0, id = 0}, list_all_domains = 0, ccache_ntlm_auth = {uid = 0,
user = '\0' <repeats 255 times>,
      initial_blob_len = 0, challenge_blob_len = 0}, padding = '\0' <repeats
1559 times>}, extra_data = {padding = 0, data = 0x0}, extra_len = 0, null_term =
0 '\0'}


Cheers,
Ephi
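An added helper (not part of the mail or of Samba) that mirrors the magic check quoted from talloc_chunk_from_ptr() and decodes a flags word taken from a gdb dump, so one can see why 0xe814ec73 lands in the "double free" branch rather than "unknown value". The constant values are an assumption recalled from lib/talloc/talloc.c of the Samba 3.0 tree; the mail itself only names the flags symbolically.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed values, as defined in lib/talloc/talloc.c (Samba 3.0 era). */
#define TALLOC_MAGIC      0xe814ec70u
#define TALLOC_FLAG_FREE  0x01u
#define TALLOC_FLAG_LOOP  0x02u

enum talloc_verdict { TALLOC_OK = 0, TALLOC_DOUBLE_FREE = 1, TALLOC_BAD_MAGIC = 2 };

/* Same test as talloc_chunk_from_ptr(): the FREE bit is kept in the masked
 * value, so a chunk whose header still says "freed" can never equal the
 * magic; the inner test then picks the "double free" abort message. */
enum talloc_verdict talloc_flags_verdict(uint32_t flags)
{
    if ((flags & (TALLOC_FLAG_FREE | ~0xFu)) != TALLOC_MAGIC) {
        return (flags & TALLOC_FLAG_FREE) ? TALLOC_DOUBLE_FREE : TALLOC_BAD_MAGIC;
    }
    return TALLOC_OK;
}

/* Render a header flags word symbolically, e.g. for reading "flags = 3893685363"
 * straight out of a gdb struct talloc_chunk dump. Returns a static buffer. */
const char *talloc_flags_describe(uint32_t flags)
{
    static char buf[64];
    /* The low nibble holds the flag bits; everything above it is the magic. */
    strcpy(buf, ((flags & ~0xFu) == TALLOC_MAGIC) ? "TALLOC_MAGIC" : "BAD_MAGIC");
    if (flags & TALLOC_FLAG_LOOP) strcat(buf, "|TALLOC_FLAG_LOOP");
    if (flags & TALLOC_FLAG_FREE) strcat(buf, "|TALLOC_FLAG_FREE");
    return buf;
}

int main(void)
{
    /* Value from the crashed winbindd_async_request chunk in the dump above. */
    uint32_t flags = 0xe814ec73u;
    printf("0x%08x = %s -> verdict %d\n", flags, talloc_flags_describe(flags),
           (int)talloc_flags_verdict(flags));
    return 0;
}
```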
