tevent_abort_nesting crash in idmap_ad

Ralph Boehme slow at samba.org
Fri Jun 24 14:33:12 UTC 2016


Hi!

Just came across the following while running selftests that involve
idmap_ad on a member server testenv:

idmap_ad calls into tldap which calls into gensec where it runs a
nested tevent loop, SBT attached.

For now I added a hack to tldap_gensec_bind() that allows nested tevent
loops; this fixes the issue.

Cheerio!
-slow
-------------- next part --------------
(gdb) bt
#0  0x00007f46ae81fb4c in __libc_waitpid (pid=3527, stat_loc=stat_loc at entry=0x7ffedd3591d0, options=options at entry=0) at ../sysdeps/unix/sysv/linux/waitpid.c:31
#1  0x00007f46ae7a52e2 in do_system (line=<optimized out>) at ../sysdeps/posix/system.c:148
#2  0x00007f46b1709889 in smb_panic_s3 (why=0x7f46b55d9115 "internal error") at ../source3/lib/util.c:804
#3  0x00007f46b558876a in smb_panic (why=0x7f46b55d9115 "internal error") at ../lib/util/fault.c:166
#4  0x00007f46b5588442 in fault_report (sig=6) at ../lib/util/fault.c:83
#5  0x00007f46b5588457 in sig_fault (sig=6) at ../lib/util/fault.c:94
#6  <signal handler called>
#7  0x00007f46ae795cc9 in __GI_raise (sig=sig at entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#8  0x00007f46ae7990d8 in __GI_abort () at abort.c:89
#9  0x00007f46b4ad1525 in tevent_abort (ev=0x7f46b7d94fd0, reason=0x7f46b7dcff10 "tevent_loop_once() nesting at ../source4/libcli/composite/composite.c:58") at ../lib/tevent/tevent.c:383
#10 0x00007f46b4ad17bd in tevent_abort_nesting (ev=0x7f46b7d94fd0, location=0x7f46b14df690 "../source4/libcli/composite/composite.c:58") at ../lib/tevent/tevent.c:496

#11 0x00007f46b4ad1816 in _tevent_loop_once (ev=0x7f46b7d94fd0, location=0x7f46b14df690 "../source4/libcli/composite/composite.c:58") at ../lib/tevent/tevent.c:511

  ev=0x7f46b7d94fd0

#12 0x00007f46b14d22a6 in composite_wait (c=0x7f46b7dcfba0) at ../source4/libcli/composite/composite.c:58
#13 0x00007f46b14d5301 in socket_connect_recv (result=0x7f46b7dcfba0) at ../source4/lib/socket/connect.c:139
#14 0x00007f46b14d5365 in socket_connect_ev (sock=0x7f46b7dcf9f0, my_address=0x0, server_address=0x7f46b7dcfa90, flags=0, ev=0x7f46b7d94fd0) at ../source4/lib/socket/connect.c:157
#15 0x00007f46af599d1d in smb_krb5_send_and_recv_func_int (context=0x7f46b7dc6d30, ev=0x7f46b7d94fd0, hi=0x7f46b7dcf6f0, ai=0x7f46b7dcf7a0, func=0x7f46af59a3b1 <smb_krb5_send_and_recv_func>, data=0x7f46b7d94fd0, timeout=3, send_buf=0x7ffedd359e00, 
    recv_buf=0x7ffedd359df0) at ../source4/auth/kerberos/krb5_init_context.c:286
#16 0x00007f46af59a4e4 in smb_krb5_send_and_recv_func (context=0x7f46b7dc6d30, data=0x7f46b7d94fd0, hi=0x7f46b7dcf6f0, timeout=3, send_buf=0x7ffedd359e00, recv_buf=0x7ffedd359df0) at ../source4/auth/kerberos/krb5_init_context.c:431
#17 0x00007f46b38fd43b in krb5_sendto (context=0x7f46b7dc6d30, send_data=0x7ffedd359e00, handle=0x7f46b7dc4370, receive=0x7ffedd359df0) at ../source4/heimdal/lib/krb5/send_to_kdc.c:391
#18 0x00007f46b38fdb5f in krb5_sendto_context (context=0x7f46b7dc6d30, ctx=0x7f46b7dc56c0, send_data=0x7ffedd359e00, realm=0x7f46b7dc5680 "HILLHOUSE.SITE", receive=0x7ffedd359df0) at ../source4/heimdal/lib/krb5/send_to_kdc.c:626
#19 0x00007f46b38e060a in krb5_init_creds_get (context=0x7f46b7dc6d30, ctx=0x7f46b7dcf1c0) at ../source4/heimdal/lib/krb5/init_creds_pw.c:1959
#20 0x00007f46b38e08dd in krb5_get_init_creds_password (context=0x7f46b7dc6d30, creds=0x7ffedd35c350, client=0x7f46b7dc6ed0, password=0x7f46b7dc3620 "YV6<a9!]_azKf-", prompter=0x0, data=0x0, start_time=0, in_tkt_service=0x0, options=0x7f46b7dc58b0)
    at ../source4/heimdal/lib/krb5/init_creds_pw.c:2037
#21 0x00007f46b46bc7e6 in kerberos_kinit_password_cc (ctx=0x7f46b7dc6d30, cc=0x7f46b7dc6e70, principal=0x7f46b7dc6ed0, password=0x7f46b7dc3620 "YV6<a9!]_azKf-", target_service=0x0, krb_options=0x7f46b7dc58b0, expire_time=0x0, kdc_time=0x7ffedd35c450)
    at ../lib/krb5_wrap/krb5_samba.c:2061
#22 0x00007f46b0e9544d in kinit_to_ccache (parent_ctx=0x7f46b7d94410, credentials=0x7f46b7d94410, smb_krb5_context=0x7f46b7dbc340, event_ctx=0x7f46b7d94fd0, ccache=0x7f46b7dc6e70, obtained=0x7ffedd35c538, error_string=0x7ffedd35c668)
    at ../source4/auth/kerberos/kerberos_util.c:347
#23 0x00007f46b0e915fb in cli_credentials_get_named_ccache (cred=0x7f46b7d94410, event_ctx=0x7f46b7d94fd0, lp_ctx=0x7f46b7dc33d0, ccache_name=0x0, ccc=0x7ffedd35c5f0, error_string=0x7ffedd35c668) at ../auth/credentials/credentials_krb5.c:411
#24 0x00007f46b0e916b5 in cli_credentials_get_ccache (cred=0x7f46b7d94410, event_ctx=0x7f46b7d94fd0, lp_ctx=0x7f46b7dc33d0, ccc=0x7ffedd35c5f0, error_string=0x7ffedd35c668) at ../auth/credentials/credentials_krb5.c:434
#25 0x00007f46b0e91b2f in cli_credentials_get_client_gss_creds (cred=0x7f46b7d94410, event_ctx=0x7f46b7d94fd0, lp_ctx=0x7f46b7dc33d0, _gcc=0x7ffedd35c660, error_string=0x7ffedd35c668) at ../auth/credentials/credentials_krb5.c:555
#26 0x00007f46afe46a68 in gensec_gssapi_client_creds (gensec_security=0x7f46b7dbf660, ev=0x7f46b7d94fd0) at ../source4/auth/gensec/gensec_gssapi.c:264
#27 0x00007f46afe47267 in gensec_gssapi_update (gensec_security=0x7f46b7dbf660, out_mem_ctx=0x7f46b7dc0fe0, ev=0x7f46b7d94fd0, in=..., out=0x7ffedd35c8c0) at ../source4/auth/gensec/gensec_gssapi.c:425
#28 0x00007f46afe4aae5 in gensec_update_ev (gensec_security=0x7f46b7dbf660, out_mem_ctx=0x7f46b7dc0fe0, ev=0x7f46b7d94fd0, in=..., out=0x7ffedd35c8c0) at ../auth/gensec/gensec.c:303
#29 0x00007f46afe37bfc in gensec_spnego_create_negTokenInit (gensec_security=0x7f46b7dc1650, spnego_state=0x7f46b7dc0fe0, out_mem_ctx=0x7f46b7dc0fe0, ev=0x7f46b7d94fd0, in=..., out=0x7f46b7dc1040) at ../auth/gensec/spnego.c:611
#30 0x00007f46afe38689 in gensec_spnego_update (gensec_security=0x7f46b7dc1650, out_mem_ctx=0x7f46b7dc0fe0, ev=0x7f46b7d94fd0, in=..., out=0x7f46b7dc1040) at ../auth/gensec/spnego.c:828
#31 0x00007f46afe3a2bd in gensec_spnego_update_wrapper (gensec_security=0x7f46b7dc1650, out_mem_ctx=0x7f46b7dc4760, ev=0x7f46b7d94fd0, in=..., out=0x7f46b7dc4778) at ../auth/gensec/spnego.c:1474
#32 0x00007f46afe4aec9 in gensec_update_async_trigger (ctx=0x7f46b7d94fd0, im=0x7f46b7dc4800, private_data=0x7f46b7dc45d0) at ../auth/gensec/gensec.c:458
#33 0x00007f46b4ad276c in tevent_common_loop_immediate (ev=0x7f46b7d94fd0) at ../lib/tevent/tevent_immediate.c:135
#34 0x00007f46b17264b1 in run_events_poll (ev=0x7f46b7d94fd0, pollrtn=0, pfds=0x0, num_pfds=0) at ../source3/lib/events.c:192
#35 0x00007f46b1726b25 in s3_event_loop_once (ev=0x7f46b7d94fd0, location=0x7f46b4adb850 "../lib/tevent/tevent_req.c:256") at ../source3/lib/events.c:303

#36 0x00007f46b4ad18b3 in _tevent_loop_once (ev=0x7f46b7d94fd0, location=0x7f46b4adb850 "../lib/tevent/tevent_req.c:256") at ../lib/tevent/tevent.c:533

  ev=0x7f46b7d94fd0

#37 0x00007f46b4ad370e in tevent_req_poll (req=0x7f46b7dc5cc0, ev=0x7f46b7d94fd0) at ../lib/tevent/tevent_req.c:256
#38 0x00007f46a4e32c37 in tldap_gensec_bind (ctx=0x7f46b7dc3280, creds=0x7f46b7d94410, target_service=0x7f46a4e393bb "ldap", target_hostname=0x7f46b7d7d2d2 "samba-ad.hillhouse.site", target_principal=0x0, lp_ctx=0x7f46b7dc33d0, gensec_features=6)
    at ../source3/lib/tldap_gensec_bind.c:367
#39 0x00007f46a4e33b85 in idmap_ad_get_tldap_ctx (mem_ctx=0x7f46b7d94690, domname=0x7f46b7d9e8b0 "hillhouse", pld=0x7f46b7d94698) at ../source3/winbindd/idmap_ad.c:319
#40 0x00007f46a4e33eb8 in idmap_ad_context_create (mem_ctx=0x7f46b7d95450, dom=0x7f46b7d95450, domname=0x7f46b7d9e8b0 "hillhouse", pctx=0x7ffedd35cfa8) at ../source3/winbindd/idmap_ad.c:368
#41 0x00007f46a4e3426c in idmap_ad_get_context (dom=0x7f46b7d95450, pctx=0x7ffedd35d040) at ../source3/winbindd/idmap_ad.c:424
#42 0x00007f46a4e35006 in idmap_ad_sids_to_unixids (dom=0x7f46b7d95450, ids=0x7f46b7dbc1c0) at ../source3/winbindd/idmap_ad.c:654
#43 0x00007f46a4e35abe in idmap_ad_sids_to_unixids_retry (dom=0x7f46b7d95450, ids=0x7f46b7dbc1c0) at ../source3/winbindd/idmap_ad.c:817
#44 0x00007f46b7595772 in _wbint_Sids2UnixIDs (p=0x7ffedd35d270, r=0x7f46b7d93c00) at ../source3/winbindd/winbindd_dual_srv.c:177
#45 0x00007f46b75f0d56 in api_wbint_Sids2UnixIDs (p=0x7ffedd35d270) at default/librpc/gen_ndr/srv_winbind.c:391
#46 0x00007f46b7595202 in winbindd_dual_ndrcmd (domain=0x0, state=0x7ffedd35d5c8) at ../source3/winbindd/winbindd_dual_ndr.c:322
#47 0x00007f46b759113f in child_process_request (child=0x7f46b7858d00 <static_idmap_child>, state=0x7ffedd35d5c8) at ../source3/winbindd/winbindd_dual.c:513
#48 0x00007f46b7593b73 in child_handler (ev=0x7f46b7d768d0, fde=0x7f46b7d785a0, flags=1, private_data=0x7ffedd35d5c0) at ../source3/winbindd/winbindd_dual.c:1394
#49 0x00007f46b4adac34 in epoll_event_loop (epoll_ev=0x7f46b7d76210, tvalp=0x7ffedd35d4b0) at ../lib/tevent/tevent_epoll.c:728
#50 0x00007f46b4adb252 in epoll_event_loop_once (ev=0x7f46b7d768d0, location=0x7f46b7615528 "../source3/winbindd/winbindd_dual.c:1593") at ../lib/tevent/tevent_epoll.c:926
#51 0x00007f46b4ad813c in std_event_loop_once (ev=0x7f46b7d768d0, location=0x7f46b7615528 "../source3/winbindd/winbindd_dual.c:1593") at ../lib/tevent/tevent_standard.c:114
#52 0x00007f46b4ad18b3 in _tevent_loop_once (ev=0x7f46b7d768d0, location=0x7f46b7615528 "../source3/winbindd/winbindd_dual.c:1593") at ../lib/tevent/tevent.c:533

#53 0x00007f46b75946bc in fork_domain_child (child=0x7f46b7858d00 <static_idmap_child>) at ../source3/winbindd/winbindd_dual.c:1593
#54 0x00007f46b7590136 in wb_child_request_trigger (req=0x7f46b7d8a620, private_data=0x0) at ../source3/winbindd/winbindd_dual.c:173
#55 0x00007f46b4ad2ae4 in tevent_queue_immediate_trigger (ev=0x7f46b7d768d0, im=0x7f46b7d84220, private_data=0x7f46b7d84180) at ../lib/tevent/tevent_queue.c:149
---Type <return> to continue, or q <return> to quit---
#56 0x00007f46b4ad276c in tevent_common_loop_immediate (ev=0x7f46b7d768d0) at ../lib/tevent/tevent_immediate.c:135
#57 0x00007f46b4adb1b8 in epoll_event_loop_once (ev=0x7f46b7d768d0, location=0x7f46b75ff728 "../source3/winbindd/winbindd.c:1810") at ../lib/tevent/tevent_epoll.c:907
#58 0x00007f46b4ad813c in std_event_loop_once (ev=0x7f46b7d768d0, location=0x7f46b75ff728 "../source3/winbindd/winbindd.c:1810") at ../lib/tevent/tevent_standard.c:114
#59 0x00007f46b4ad18b3 in _tevent_loop_once (ev=0x7f46b7d768d0, location=0x7f46b75ff728 "../source3/winbindd/winbindd.c:1810") at ../lib/tevent/tevent.c:533
#60 0x00007f46b755a927 in main (argc=1, argv=0x7ffedd35f0b8) at ../source3/winbindd/winbindd.c:1810
-------------- next part --------------
From 42bf1349dc7ed88801b742ec28a06d9427494237 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Fri, 10 Jun 2016 18:05:18 +0200
Subject: [PATCH] HACK: nested tevent loop in tldap

---
 source3/lib/tldap_gensec_bind.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/source3/lib/tldap_gensec_bind.c b/source3/lib/tldap_gensec_bind.c
index 07f7956..1c3f4a2 100644
--- a/source3/lib/tldap_gensec_bind.c
+++ b/source3/lib/tldap_gensec_bind.c
@@ -17,6 +17,8 @@
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 
+#define TEVENT_DEPRECATED
+#include <tevent.h>
 #include "tldap_gensec_bind.h"
 #include "tldap_util.h"
 #include "lib/util/tevent_unix.h"
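Review bot: `#define TEVENT_DEPRECATED` is added without a comment, and it makes the deprecated tevent API visible to the whole file although this patch only needs `tevent_loop_allow_nesting()`. I would put a comment above it, for example `/* HACK: only for tevent_loop_allow_nesting() in tldap_gensec_bind(); drop together with that call */`, so the define is not left behind once the workaround is removed. The define must stay ahead of the first inclusion of tevent.h in this translation unit, which holds for the includes visible here.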
@@ -358,6 +360,8 @@ TLDAPRC tldap_gensec_bind(
 	if (ev == NULL) {
 		goto fail;
 	}
+	tevent_loop_allow_nesting(ev);
+
 	req = tldap_gensec_bind_send(frame, ev, ctx, creds, target_service,
 				     target_hostname, target_principal, lp_ctx,
 				     gensec_features);
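Review bot: `tevent_loop_allow_nesting(ev)` switches off the nesting abort on the event context used for the bind, and nothing at the call site says why or when it can be removed. In the attached backtrace the immediate handler `gensec_update_async_trigger` reaches `composite_wait()` on the same `ev` (0x7f46b7d94fd0), so with nesting allowed other handlers on that context can run re-entrantly while the `gensec_update` call is still on the stack; the abort is there to flag that kind of lifetime hazard. The preceding `if (ev == NULL)` check suggests `ev` is created locally just above, which would confine the effect to this private context, but the creation is outside the hunk and should be confirmed. I would add a comment above the call, e.g. `/* HACK: gensec's krb5 kinit path runs a nested loop on ev; allow it until that nested loop is removed */`. The body of `tldap_gensec_bind()` starts and ends outside the hunk.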
-- 
1.9.1


