smbd segfault during failed oplock break (Re: Problems with Samba 4 Beta 1 and a possible bug that was previously reported)

Trever L. Adams trever.adams at gmail.com
Fri Jul 6 16:43:39 MDT 2012


On 06/29/2012 02:54 AM, Andrew Bartlett wrote:
> On Fri, 2012-06-29 at 02:33 -0600, Trever L. Adams wrote:
>> On 06/29/2012 02:20 AM, Andrew Bartlett wrote:
>>> I've retitled the bug to get the attention of those who work on the file
>>> server, as this isn't a specifically AD related bug as far as I can see.
>>>
>>> If you can get it all under valgrind, it may help working out the
>>> details of the use-after-free().
>>>
>>> Thanks!
>>>
>>> Andrew Bartlett
>>>
>> Thank you Andrew. Are there any special instructions for using valgrind
>> with S4? Or can I just do like I would with any other program and just
>> put valgrind before with --memcheck=full (I probably have that a bit off)?
> Run with --trace-children=yes
>
>> The use-after-free() is still happening it seems under load even with
>> the off-line-files gone, so I think I should be able to duplicate it.
>> (In fact it seems to be more related to the "destination unreachable" I
>> mentioned an hour or so ago.)
> Thanks,
>
> Andrew Bartlett
>
I do not believe this is the segfault problem, but it just came up.

==7816==    at 0x8DB8071: _itoa_word (in /usr/lib64/libc-2.15.so)
==7816==    by 0x8DBC989: vfprintf (in /usr/lib64/libc-2.15.so)
==7816==    by 0x8DE6533: vasprintf (in /usr/lib64/libc-2.15.so)
==7816==    by 0x7020F2C: ndr_print_debug_helper (ndr.c:176)
==7816==    by 0x701ED11: ndr_print_uint16 (ndr_basic.c:1048)
==7816==    by 0xDCD6E71: ndr_print_nbt_rdata_status (ndr_nbt.c:482)
==7816==    by 0xDCD7655: ndr_print_nbt_rdata (ndr_nbt.c:622)
==7816==    by 0xDCD797E: ndr_print_nbt_res_rec (ndr_nbt.c:668)
==7816==    by 0xDCD8AD9: ndr_print_nbt_name_packet (ndr_nbt.c:819)
==7816==    by 0x7021344: ndr_print_debug (ndr.c:252)
==7816==    by 0x105C7BFF: nbt_name_reply_send (nbtsocket.c:461)
==7816==    by 0x14264FB3: nbtd_node_status_reply (nodestatus.c:91)
==7816==
==7816== Conditional jump or move depends on uninitialised value(s)
==7816==    at 0x8DB8078: _itoa_word (in /usr/lib64/libc-2.15.so)
==7816==    by 0x8DBC989: vfprintf (in /usr/lib64/libc-2.15.so)
==7816==    by 0x8DE6533: vasprintf (in /usr/lib64/libc-2.15.so)
==7816==    by 0x7020F2C: ndr_print_debug_helper (ndr.c:176)
==7816==    by 0x701ED11: ndr_print_uint16 (ndr_basic.c:1048)
==7816==    by 0xDCD6E71: ndr_print_nbt_rdata_status (ndr_nbt.c:482)
==7816==    by 0xDCD7655: ndr_print_nbt_rdata (ndr_nbt.c:622)
==7816==    by 0xDCD797E: ndr_print_nbt_res_rec (ndr_nbt.c:668)
==7816==    by 0xDCD8AD9: ndr_print_nbt_name_packet (ndr_nbt.c:819)
==7816==    by 0x7021344: ndr_print_debug (ndr.c:252)
==7816==    by 0x105C7BFF: nbt_name_reply_send (nbtsocket.c:461)
==7816==    by 0x14264FB3: nbtd_node_status_reply (nodestatus.c:91)
==7816==
==7816== Conditional jump or move depends on uninitialised value(s)
==7816==    at 0x8DBC9E7: vfprintf (in /usr/lib64/libc-2.15.so)
==7816==    by 0x8DE6533: vasprintf (in /usr/lib64/libc-2.15.so)
==7816==    by 0x7020F2C: ndr_print_debug_helper (ndr.c:176)
==7816==    by 0x701ED11: ndr_print_uint16 (ndr_basic.c:1048)
==7816==    by 0xDCD6E71: ndr_print_nbt_rdata_status (ndr_nbt.c:482)
==7816==    by 0xDCD7655: ndr_print_nbt_rdata (ndr_nbt.c:622)
==7816==    by 0xDCD797E: ndr_print_nbt_res_rec (ndr_nbt.c:668)
==7816==    by 0xDCD8AD9: ndr_print_nbt_name_packet (ndr_nbt.c:819)
==7816==    by 0x7021344: ndr_print_debug (ndr.c:252)
==7816==    by 0x105C7BFF: nbt_name_reply_send (nbtsocket.c:461)
==7816==    by 0x14264FB3: nbtd_node_status_reply (nodestatus.c:91)
==7816==    by 0x1426516E: nbtd_query_status (nodestatus.c:124)
==7816==
==7816== Conditional jump or move depends on uninitialised value(s)
==7816==    at 0x8DBC5A3: vfprintf (in /usr/lib64/libc-2.15.so)
==7816==    by 0x8DE6533: vasprintf (in /usr/lib64/libc-2.15.so)
==7816==    by 0x7020F2C: ndr_print_debug_helper (ndr.c:176)
==7816==    by 0x701ED11: ndr_print_uint16 (ndr_basic.c:1048)
==7816==    by 0xDCD6E71: ndr_print_nbt_rdata_status (ndr_nbt.c:482)
==7816==    by 0xDCD7655: ndr_print_nbt_rdata (ndr_nbt.c:622)
==7816==    by 0xDCD797E: ndr_print_nbt_res_rec (ndr_nbt.c:668)
==7816==    by 0xDCD8AD9: ndr_print_nbt_name_packet (ndr_nbt.c:819)
==7816==    by 0x7021344: ndr_print_debug (ndr.c:252)
==7816==    by 0x105C7BFF: nbt_name_reply_send (nbtsocket.c:461)
==7816==    by 0x14264FB3: nbtd_node_status_reply (nodestatus.c:91)
==7816==    by 0x1426516E: nbtd_query_status (nodestatus.c:124)
==7816==
==7816== Conditional jump or move depends on uninitialised value(s)
==7816==    at 0x8DBC61D: vfprintf (in /usr/lib64/libc-2.15.so)
==7816==    by 0x8DE6533: vasprintf (in /usr/lib64/libc-2.15.so)
==7816==    by 0x7020F2C: ndr_print_debug_helper (ndr.c:176)
==7816==    by 0x701ED11: ndr_print_uint16 (ndr_basic.c:1048)
==7816==    by 0xDCD6E71: ndr_print_nbt_rdata_status (ndr_nbt.c:482)
==7816==    by 0xDCD7655: ndr_print_nbt_rdata (ndr_nbt.c:622)
==7816==    by 0xDCD797E: ndr_print_nbt_res_rec (ndr_nbt.c:668)
==7816==    by 0xDCD8AD9: ndr_print_nbt_name_packet (ndr_nbt.c:819)
==7816==    by 0x7021344: ndr_print_debug (ndr.c:252)
==7816==    by 0x105C7BFF: nbt_name_reply_send (nbtsocket.c:461)
==7816==    by 0x14264FB3: nbtd_node_status_reply (nodestatus.c:91)
==7816==    by 0x1426516E: nbtd_query_status (nodestatus.c:124)
==7816==
==7816== Use of uninitialised value of size 8
==7816==    at 0x8DB80CB: _itoa_word (in /usr/lib64/libc-2.15.so)
==7816==    by 0x8DBC989: vfprintf (in /usr/lib64/libc-2.15.so)
==7816==    by 0x8DE6533: vasprintf (in /usr/lib64/libc-2.15.so)
==7816==    by 0x7020F2C: ndr_print_debug_helper (ndr.c:176)
==7816==    by 0x701ED11: ndr_print_uint16 (ndr_basic.c:1048)
==7816==    by 0xDCD6E71: ndr_print_nbt_rdata_status (ndr_nbt.c:482)
==7816==    by 0xDCD7655: ndr_print_nbt_rdata (ndr_nbt.c:622)
==7816==    by 0xDCD797E: ndr_print_nbt_res_rec (ndr_nbt.c:668)
==7816==    by 0xDCD8AD9: ndr_print_nbt_name_packet (ndr_nbt.c:819)
==7816==    by 0x7021344: ndr_print_debug (ndr.c:252)
==7816==    by 0x105C7BFF: nbt_name_reply_send (nbtsocket.c:461)
==7816==    by 0x14264FB3: nbtd_node_status_reply (nodestatus.c:91)
==7816==
==7816== Conditional jump or move depends on uninitialised value(s)
==7816==    at 0x8DB80D5: _itoa_word (in /usr/lib64/libc-2.15.so)
==7816==    by 0x8DBC989: vfprintf (in /usr/lib64/libc-2.15.so)
==7816==    by 0x8DE6533: vasprintf (in /usr/lib64/libc-2.15.so)
==7816==    by 0x7020F2C: ndr_print_debug_helper (ndr.c:176)
==7816==    by 0x701ED11: ndr_print_uint16 (ndr_basic.c:1048)
==7816==    by 0xDCD6E71: ndr_print_nbt_rdata_status (ndr_nbt.c:482)
==7816==    by 0xDCD7655: ndr_print_nbt_rdata (ndr_nbt.c:622)
==7816==    by 0xDCD797E: ndr_print_nbt_res_rec (ndr_nbt.c:668)
==7816==    by 0xDCD8AD9: ndr_print_nbt_name_packet (ndr_nbt.c:819)
==7816==    by 0x7021344: ndr_print_debug (ndr.c:252)
==7816==    by 0x105C7BFF: nbt_name_reply_send (nbtsocket.c:461)
==7816==    by 0x14264FB3: nbtd_node_status_reply (nodestatus.c:91)
==7816==



-- 
"If people see that you mean them no harm, they'll never hurt you, nine
times out of ten!" -- Unknown
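The valgrind run Andrew asked for produces many near-identical stacks (seven of the "uninitialised value" kind are pasted above, all rooted in the same ndr_print path). The following triage helper is an added example for this thread, not code from the original post or from Samba: it parses memcheck output, keeps only frames that carry source line information, and groups findings by category and innermost source frames, so repeated stacks collapse into one line per distinct origin. The embedded sample is constructed; the two uninitialised-value reports reuse frames quoted in the post, while the invalid read uses hypothetical function and file names.

```python
"""Group valgrind memcheck findings by their innermost frames that have
source line info, so repeated stacks collapse into one line per origin.

Added example for this thread; not code from the original post or from
Samba. SAMPLE_OUTPUT is constructed: the uninitialised-value reports reuse
frames quoted in the post, the invalid read uses hypothetical names."""
import re
from collections import OrderedDict
from typing import Dict, List, Optional, Tuple

SAMPLE_OUTPUT = """\
==7816== Memcheck, a memory error detector
==7816== Conditional jump or move depends on uninitialised value(s)
==7816==    at 0x8DB8078: _itoa_word (in /usr/lib64/libc-2.15.so)
==7816==    by 0x8DBC989: vfprintf (in /usr/lib64/libc-2.15.so)
==7816==    by 0x8DE6533: vasprintf (in /usr/lib64/libc-2.15.so)
==7816==    by 0x7020F2C: ndr_print_debug_helper (ndr.c:176)
==7816==    by 0x701ED11: ndr_print_uint16 (ndr_basic.c:1048)
==7816==    by 0xDCD6E71: ndr_print_nbt_rdata_status (ndr_nbt.c:482)
==7816==
==7816== Use of uninitialised value of size 8
==7816==    at 0x8DB80CB: _itoa_word (in /usr/lib64/libc-2.15.so)
==7816==    by 0x8DBC989: vfprintf (in /usr/lib64/libc-2.15.so)
==7816==    by 0x8DE6533: vasprintf (in /usr/lib64/libc-2.15.so)
==7816==    by 0x7020F2C: ndr_print_debug_helper (ndr.c:176)
==7816==    by 0x701ED11: ndr_print_uint16 (ndr_basic.c:1048)
==7816==    by 0xDCD6E71: ndr_print_nbt_rdata_status (ndr_nbt.c:482)
==7816==
==7816== Invalid read of size 8
==7816==    at 0x4E3A1B2: hypothetical_callback (hypothetical.c:42)
==7816==    by 0x4E3A9C0: hypothetical_dispatch (hypothetical.c:87)
==7816==  Address 0x5a1c040 is 8 bytes inside a block of size 64 free'd
==7816==    at 0x4C2A34C: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==7816==    by 0x4E3A700: hypothetical_teardown (hypothetical.c:60)
==7816==
"""

# A stack frame: "==PID==    at|by 0xADDR: function (location)".
FRAME_RE = re.compile(r"^==(\d+)==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.*)\)\s*$")
# Any other non-empty memcheck line starts a new report (or is a banner/note).
HEADER_RE = re.compile(r"^==(\d+)==\s+(\S.*?)\s*$")
# "==PID==" on its own separates reports.
BLANK_RE = re.compile(r"^==\d+==\s*$")


class Report:
    def __init__(self, pid: int, message: str) -> None:
        self.pid = pid
        self.message = message
        self.frames: List[Tuple[str, str]] = []  # (function, location)


def parse_memcheck(text: str) -> List[Report]:
    """Split memcheck output into reports, each with its stack frames.
    Valgrind's "Address ... free'd" note and its free() stack become a
    separate Report; classify() drops it so it is not counted twice."""
    reports: List[Report] = []
    current: Optional[Report] = None
    for line in text.splitlines():
        if BLANK_RE.match(line):
            current = None
            continue
        m = FRAME_RE.match(line)  # must be tried before HEADER_RE
        if m:
            if current is not None:
                current.frames.append((m.group(2), m.group(3)))
            continue
        m = HEADER_RE.match(line)
        if m:
            current = Report(int(m.group(1)), m.group(2))
            reports.append(current)
    return reports


def classify(message: str) -> Optional[str]:
    """Map a report's first line to a finding category; None for lines that
    are not findings (banner, address notes, summaries)."""
    if "uninitialised" in message:
        return "uninitialised-value"
    if message.startswith(("Invalid read", "Invalid write")):
        return "invalid-access"
    if message.startswith(("Invalid free", "Mismatched free")):
        return "invalid-free"
    return None


def source_frames(report: Report, depth: int = 3) -> Tuple[str, ...]:
    """Innermost frames with file:line info. Frames shown as "(in /lib.so)"
    have no debug info (libc, the valgrind preload) and are skipped."""
    frames = [f"{func} ({loc})" for func, loc in report.frames if not loc.startswith("in ")]
    return tuple(frames[:depth])


def summarize(text: str, depth: int = 3) -> Dict[Tuple[str, Tuple[str, ...]], int]:
    """Count findings per (category, innermost source frames)."""
    groups: "OrderedDict[Tuple[str, Tuple[str, ...]], int]" = OrderedDict()
    for report in parse_memcheck(text):
        category = classify(report.message)
        if category is None:
            continue
        key = (category, source_frames(report, depth))
        groups[key] = groups.get(key, 0) + 1
    return groups


if __name__ == "__main__":
    for (category, frames), count in summarize(SAMPLE_OUTPUT).items():
        print(f"{count:3d}x {category}: {' <- '.join(frames)}")
```

Feed it a real log with `valgrind --trace-children=yes --track-origins=yes ... 2> memcheck.log` (the first flag is the one Andrew recommends for Samba's forked children; the second makes valgrind name where each uninitialised value was allocated, which is the piece the stacks above lack). The source-frame filter relies on debug info being present for the code you care about, so build Samba with symbols before collecting the log.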
