PANIC Bad talloc magic value - unknown value during disconnect.

Yogesh Kulkarni yoknfs at gmail.com
Thu Jan 23 07:22:05 UTC 2025


Hi, I am looking for help in getting RCA on this issue.

A Panic with bad talloc magic value is seen during disconnect.

Samba version : 4.13.13 ( Debian 11 - 4.13.13+dfsg-1~deb11u5 )

Environment :

Samba is deployed on a debian VM and is being mounted on a terminal server
( MSFT remote desktop ).

smbstatus output has confirmed that the same smb connection is serving
multiple tcon’s.

There are about 10 users connected to the system from the terminal server.

Modules - Proprietary module, fruit, catia, streams_xattr, however the same
dumps are seen for IPC$.

Stack trace from log.smbd ( truncated for ease of reading )

[2025/01/14 21:04:00.354782,  4, pid=3759694, effective(35049, 0),
real(35049, 0), class=vfs] ../../source3/smbd/vfs.c:939(vfs_ChDir)

  vfs_ChDir to /tmp

[2025/01/14 21:04:00.354840,  5, pid=3759694, effective(35049, 0),
real(35049, 0), class=vfs] ../../source3/smbd/vfs.c:1001(vfs_ChDir)

  vfs_ChDir: vfs_ChDir got /tmp

[2025/01/14 21:04:00.354873,  2]
../../source3/smbd/close.c:824(close_normal_file)

  USER closed file /tmp (numopen=-1) NT_STATUS_INVALID_HANDLE
  <——————————— why is close_normal_file being called on a directory ?

[2025/01/14 21:04:00.354884,  3]
../../source3/smbd/service.c:1123(close_cnum)

  dl-rds-02 (ipv4:172.29.6.13:49523) closed connection to service IPC$

[2025/01/14 21:04:00.354893,  4, pid=3759694, effective(0, 0), real(0, 0),
class=vfs] ../../source3/smbd/vfs.c:939(vfs_ChDir)

  vfs_ChDir to /

[2025/01/14 21:04:00.354913,  0]
../../source3/lib/popt_common.c:68(popt_s3_talloc_log_fn)

  Bad talloc magic value - unknown value

[2025/01/14 21:04:00.354942,  0] ../../lib/util/fault.c:159(smb_panic_log)

  ===============================================================

[2025/01/14 21:04:00.354951,  0] ../../lib/util/fault.c:160(smb_panic_log)

  INTERNAL ERROR: Bad talloc magic value - unknown value in pid 3759694
(4.13.13-Debian)

[2025/01/14 21:04:00.354966,  0] ../../lib/util/fault.c:164(smb_panic_log)

  If you are running a recent Samba version, and if you think this problem
is not yet fixed in the latest versions, please consider reporting this
bug, see https://wiki.samba.org/index.php/Bug_Reporting

[2025/01/14 21:04:00.354976,  0] ../../lib/util/fault.c:169(smb_panic_log)

  ===============================================================

[2025/01/14 21:04:00.354983,  0] ../../lib/util/fault.c:170(smb_panic_log)

  PANIC (pid 3759694): Bad talloc magic value - unknown value in
4.13.13-Debian

[2025/01/14 21:04:00.355314,  0] ../../lib/util/fault.c:274(log_stack_trace)

  BACKTRACE: 26 stack frames:

   #0 /lib/x86_64-linux-gnu/libsamba-util.so.0(log_stack_trace+0x30)
[0x7efe9419f220]

   #1 /lib/x86_64-linux-gnu/libsamba-util.so.0(smb_panic+0x26)
[0x7efe9419f486]

   #2 /lib/x86_64-linux-gnu/libtalloc.so.2(+0x6ae7) [0x7efe93ac5ae7]

   #3 /lib/x86_64-linux-gnu/libtalloc.so.2(_talloc_move+0x13)
[0x7efe93ac5d43]

   #4 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(vfs_ChDir+0xe7)
[0x7efe940048c7]

   #5 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(close_cnum+0x96)
[0x7efe9401c3b6]

   #6
/usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(smbXsrv_tcon_disconnect+0x4b)
[0x7efe9404ae1b]

   #7 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(+0x1eb111)
[0x7efe94031111]



By reading the code, I am able to conclude  -

   - Server receives a disconnect

   - The process chdir’s to the shares root dir ( for IPC it is /tmp )

   - Iterate over the open files to check all the files open for this
     connection file_close_conn()

   - Close the open files/directories for this connection, but skip conn->cwd
     ( But during the close, logs show the message which comes from
     close_normal_file() )

     USER closed file /tmp (numopen=-1) NT_STATUS_INVALID_HANDLE
     Close of a directory coming from close_normal_file() seems to be an issue.

   - Once all the files/directories are closed, change dir to /

   - PANIC always observed at this point, in the following line of code -
     conn->cwd_fsp->fsp_name = talloc_move(conn->cwd_fsp, &cwd);
     the error comes from talloc_chunk_from_ptr() when the magic is not
     correct.


From the dump, I see that the line where the

 0x00007efe940048c7 in vfs_ChDir (conn=conn@entry=0x563eed964ce0,
smb_fname=smb_fname@entry=0x7ffcc176e130)

    at ../../source3/smbd/vfs.c:998

I have calculated the magic value as TALLOC_MAGIC = 0xea17ed70 and SIZEOF
talloc_chunk = 88

I am trying to figure out the talloc chunk magic from the header, using 96
since the header is rounded off to the nearest multiple of 16.

(gdb) x /12gx ((char *)cwd - 96)

0x563eed819050: 0x00000000e0c1a8f4 0x0000563eed95d5a0

0x563eed819060: 0x0000000000000000 0x0000563eed964c80

0x563eed819070: 0x0000563eed819180 0x0000000000000000

0x563eed819080: 0x0000000000000000 0x00007efe9407080e

0x563eed819090: 0x00000000000000c8 0x0000000000000000

0x563eed8190a0: 0x0000000000000000 0x0000000000000000

(gdb) x /12gx ((char *)conn->cwd_fsp - 96)

0x563eed952f70: 0x0000563eed90e6b0 0x0000563eed7e9010

0x563eed952f80: 0x0000000000000000 0x0000000000000000

0x563eed952f90: 0x0000000000000000 0x0000000000000000

0x563eed952fa0: 0x0000000000000000 0x00007efe940df340

0x563eed952fb0: 0x00000000000001a0 0x0000000000000000

0x563eed952fc0: 0x0000000000000000 0x0000000000000000

No magic seen here ?? I might be missing something ?

(gdb) p *conn->cwd_fsp

shows everything zeroed out.

I looked at the code, but I am not able to point to anything specific in the
code that causes this issue.

The error line about the directory being closed in close_normal_file()
might be an issue. But I am not able to reproduce this.

The PANIC happens both for the shares exposed by our product as well as
IPC$.

Note that this does not happen on 4.9.5 ( Debian 10 distribution.) However,
there are code changes to the chdir itself that I have not looked into.
There are changes to the vfs_ChDir() code with hash 75f98a19537c


Thanks and regards,

Yogesh.
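
The header arithmetic described in the post (an 88-byte talloc_chunk rounded up to 96, with the magic in the first word), as an added example that is not part of the original message or of the Samba/talloc sources: it decodes the two 12-quadword gdb dumps quoted above. The field order of `struct tc_hdr`, the `0x0F` flag mask and all function names are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed x86_64 model of the chunk header; the post states only sizeof == 88. */
struct tc_hdr {
    uint32_t flags, pad;   /* magic in the high bits, flag bits in the low nibble */
    uint64_t next, prev, parent, child, refs, destructor, name, size, limit, pool;
};
#define TC_HDR_SIZE ((sizeof(struct tc_hdr) + 15) & ~(size_t)15)  /* 88 -> 96 */
#define FLAG_FREE 0x01u   /* assumed flag layout: low nibble, bit 0 = freed */
#define FLAG_MASK 0x0Fu

/* The two `x /12gx (ptr - 96)` dumps quoted in the post. */
static const uint64_t CWD_DUMP[12] = {
    0x00000000e0c1a8f4, 0x0000563eed95d5a0, 0, 0x0000563eed964c80,
    0x0000563eed819180, 0, 0, 0x00007efe9407080e, 0xc8, 0, 0, 0 };
static const uint64_t FSP_DUMP[12] = {
    0x0000563eed90e6b0, 0x0000563eed7e9010, 0, 0, 0, 0, 0,
    0x00007efe940df340, 0x1a0, 0, 0, 0 };

/* Map the little-endian quadwords gdb printed onto the header fields. */
struct tc_hdr tc_decode(const uint64_t q[12]) {
    struct tc_hdr h = { (uint32_t)q[0], (uint32_t)(q[0] >> 32), q[1], q[2], q[3],
                        q[4], q[5], q[6], q[7], q[8], q[9], q[10] };
    return h;
}

/* Live chunk: flags with the non-FREE flag bits masked off must equal the magic. */
int tc_magic_ok(struct tc_hdr h, uint32_t magic) {
    return (h.flags & (FLAG_FREE | ~FLAG_MASK)) == magic;
}

static void report(const char *what, const uint64_t q[12], uint32_t magic) {
    struct tc_hdr h = tc_decode(q);
    printf("%-13s flags=0x%08x size=0x%llx parent=0x%llx name=0x%llx magic %s\n",
           what, h.flags, (unsigned long long)h.size, (unsigned long long)h.parent,
           (unsigned long long)h.name, tc_magic_ok(h, magic) ? "ok" : "MISMATCH");
}

int main(void) {
    uint32_t magic = 0xea17ed70u;  /* value computed in the post; pass the one your build checks */
    printf("header %zu bytes, user pointer at header + %zu\n",
           sizeof(struct tc_hdr), (size_t)TC_HDR_SIZE);
    report("cwd", CWD_DUMP, magic);
    report("conn->cwd_fsp", FSP_DUMP, magic);
    return 0;
}
```
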

