[Samba] Crash (talloc error) after failed chdir

Javier Amor Garcia jamor at zentyal.com
Mon Feb 15 17:29:36 UTC 2016


Hello,

This is a problem with both samba 4.3.3 and 4.3.4.
I have a crash that seems to be triggered after a NT_STATUS_DENIED on a chdir 
operation. After that the server begins to shut itself down with the 
message "Server exit (failed to receive smb request)" and to close all the 
connections, and when closing it crashes due to a talloc error.

I cannot reproduce this error myself and it occurs randomly after normal 
share usage.

Can someone help me with this? I have no idea how to tackle this issue.

I have the samba.log and the crash core file.

I will now show you an extracted version of samba.log:

[2016/02/04 10:16:01.924336,  3] ../source3/smbd/service.c:198(set_current_service)
   chdir (/home/samba/shares/Public) failed, reason: Permission denied
[2016/02/04 10:16:01.924353,  3] 
../source3/smbd/error.c:82(error_packet_set)
   NT error packet at ../source3/smbd/process.c(1609) cmd=50 (SMBtrans2) 
NT_STATUS_ACCESS_DENIED
[2016/02/04 10:16:01.924489,  3] ../source3/smbd/process.c:1880(process_smb)
   Transaction 8 of length 39 (0 toread)
[2016/02/04 10:16:01.924509,  3] 
../source3/smbd/process.c:1490(switch_message)
   switch message SMBtdis (pid 6434) conn 0x55b77847cf40
[2016/02/04 10:16:01.924566,  2] ../source3/smbd/service.c:1140(close_cnum)
   127.0.0.1 (ipv4:127.0.0.1:46248) closed connection to service Public
[2016/02/04 10:16:01.925188,  3] 
../source3/smbd/server_exit.c:252(exit_server_common)
   Server exit (failed to receive smb request)

[2016/02/04 10:16:02.441466,  3] 
../source3/smbd/smb2_notify.c:250(smbd_smb2_notify_send)
   smbd_smb2_notify_send: notify change called on libro unico/2016, 
filter = FILE_NAME|DIR_NAME|ATTRIBUTES|LAST_WRITE, recursive = 0
[2016/02/04 10:16:04.222287,  2] 
../source3/smbd/close.c:780(close_normal_file)
   EPS-SRL\alessandro.cum closed file 
eps-srl.local/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI 
(numopen=0) NT_STATUS_OK
[2016/02/04 10:16:04.222403,  2] ../source3/smbd/service.c:1140(close_cnum)
   192.168.200.196 (ipv4:192.168.200.196:53114) closed connection to 
service sysvol
[2016/02/04 10:16:04.223375,  3] ../source3/smbd/service.c:1140(close_cnum)
   192.168.200.5 (ipv4:192.168.200.5:63124) closed connection to service 
IPC$
[2016/02/04 10:16:04.223792,  2] ../source3/smbd/service.c:1140(close_cnum)
   192.168.200.170 (ipv4:192.168.200.170:64356) closed connection to 
service tanja.albisser
[2016/02/04 10:16:04.224350,  3] 
../source3/smbd/server_exit.c:252(exit_server_common)
   Server exit (termination signal)

[After that more closing of connections like this one ]

[ Then several lines like this:]
[2016/02/04 10:16:07.000719,  3] 
../source3/smbd/server_exit.c:252(exit_server_common)
   Server exit (termination signal)

[Then in one of them a talloc error]
[2016/02/04 10:16:07.078509,  3] 
../source3/smbd/server_exit.c:252(exit_server_common)
   Server exit (termination signal)
   talloc: access after free error - first free may be at 
../source3/smbd/server_exit.c:230
[2016/02/04 10:16:07.109919,  0] 
../source3/lib/popt_common.c:68(popt_s3_talloc_log_fn)
   Bad talloc magic value - access after free

[After that several 'Server exit' lines like the previous ones]
[2016/02/04 10:16:07.136338,  3] 
../source3/smbd/server_exit.c:252(exit_server_common)
   Server exit (termination signal)

[And finally a crash notice and a trace]

[2016/02/04 10:16:07.718734,  0] ../source3/lib/util.c:900(log_stack_trace)
   BACKTRACE: 32 stack frames:
    #0 
/usr/lib/x86_64-linux-gnu/samba/libsmbregistry.so.0(log_stack_trace+0x1a) [0x7f4414eba17a]
    #1 
/usr/lib/x86_64-linux-gnu/samba/libsmbregistry.so.0(smb_panic_s3+0x20) 
[0x7f4414eba250]
    #2 /usr/lib/x86_64-linux-gnu/libsamba-util.so.0(smb_panic+0x2f) 
[0x7f4415c2f59f]
    #3 /usr/lib/x86_64-linux-gnu/libtalloc.so.2(+0x1caf) [0x7f44129e4caf]
    #4 /usr/lib/x86_64-linux-gnu/libtalloc.so.2(talloc_check_name+0x6c) 
[0x7f44129e6a4c]
    #5 /usr/lib/x86_64-linux-gnu/samba/libsamba-sockets.so.0(+0xcdd0) 
[0x7f4413948dd0]
    #6 
/usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(close_cnum+0xbb) 
[0x7f44158078eb]
    #7 
/usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(smbXsrv_tcon_disconnect+0x124) 
[0x7f4415831254]
    #8 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(+0x149530) 
[0x7f4415831530]
    #9 /usr/lib/x86_64-linux-gnu/libtalloc.so.2(+0x91c9) [0x7f44129ec1c9]
    #10 /usr/lib/x86_64-linux-gnu/libtalloc.so.2(+0x8de3) [0x7f44129ebde3]
    #11 /usr/lib/x86_64-linux-gnu/libtalloc.so.2(+0x8de3) [0x7f44129ebde3]
    #12 /usr/lib/x86_64-linux-gnu/libtalloc.so.2(+0x8de3) [0x7f44129ebde3]
    #13 /usr/lib/x86_64-linux-gnu/libtalloc.so.2(_talloc_free+0x113) 
[0x7f44129e6243]
    #14 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(+0x14c3f7) 
[0x7f44158343f7]
    #15 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(+0x14c78e) 
[0x7f441583478e]
    #16 
/usr/lib/x86_64-linux-gnu/samba/libsmbd-shim.so.0(exit_server_cleanly+0x12) 
[0x7f4413739ca2]
    #17 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(+0x116180) 
[0x7f44157fe180]
    #18 
/usr/lib/x86_64-linux-gnu/libtevent.so.0(tevent_common_check_signal+0x257) 
[0x7f44127dc067]
    #19 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(run_events_poll+0x24) 
[0x7f4413b81314]
    #20 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(+0x2d614) [0x7f4413b81614]
    #21 /usr/lib/x86_64-linux-gnu/libtevent.so.0(_tevent_loop_once+0x8d) 
[0x7f44127d8a4d]
    #22 
/usr/lib/x86_64-linux-gnu/libtevent.so.0(tevent_common_loop_wait+0x1b) 
[0x7f44127d8beb]
    #23 
/usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(smbd_process+0x6c9) 
[0x7f4415804ee9]
    #24 /usr/sbin/smbd(+0xb726) [0x55b773b3c726]
    #25 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(run_events_poll+0x16c) 
[0x7f4413b8145c]
    #26 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(+0x2d6b0) [0x7f4413b816b0]
    #27 /usr/lib/x86_64-linux-gnu/libtevent.so.0(_tevent_loop_once+0x8d) 
[0x7f44127d8a4d]
    #28 
/usr/lib/x86_64-linux-gnu/libtevent.so.0(tevent_common_loop_wait+0x1b) 
[0x7f44127d8beb]
    #29 /usr/sbin/smbd(main+0x15b4) [0x55b773b386e4]
    #30 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5) 
[0x7f4412431ec5]
    #31 /usr/sbin/smbd(+0x7ab6) [0x55b773b38ab6]
[2016/02/04 10:16:07.725089,  3] 
../source3/smbd/server_exit.c:252(exit_server_common)
   Server exit (termination signal)

------------------

After that the server restarts itself but shares cannot be accessed until 
we restart it manually.

I have also loaded the core in gdb and I get this trace:

#0  0x00007f4412446cc9 in __GI_raise (sig=sig@entry=6) at 
../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007f441244a0d8 in __GI_abort () at abort.c:89
#2  0x00007f4413b7907b in dump_core () at ../source3/lib/dumpcore.c:337
#3  0x00007f4414eba2b7 in smb_panic_s3 (why=<optimized out>) at 
../source3/lib/util.c:812
#4  0x00007f4415c2f59f in smb_panic (why=0x7f44129eede8 "Bad talloc 
magic value - access after free") at ../lib/util/fault.c:166
#5  0x00007f44129e4caf in ?? () from 
/usr/lib/x86_64-linux-gnu/libtalloc.so.2
#6  0x00007f44129e6a4c in talloc_check_name () from 
/usr/lib/x86_64-linux-gnu/libtalloc.so.2
#7  0x00007f4413948dd0 in tsocket_address_bsd_string 
(addr=0x55b7768251d0, mem_ctx=0x55b776d5abb0) at 
../lib/tsocket/tsocket_bsd.c:572
#8  0x00007f44158078eb in close_cnum (conn=0x55b7783c3240, vuid=0) at 
../source3/smbd/service.c:1136
#9  0x00007f4415831254 in smbXsrv_tcon_disconnect 
(tcon=tcon@entry=0x55b776b32bb0, vuid=vuid@entry=0) at 
../source3/smbd/smbXsrv_tcon.c:984
#10 0x00007f4415831530 in smbXsrv_tcon_destructor (tcon=0x55b776b32bb0) 
at ../source3/smbd/smbXsrv_tcon.c:693
#11 0x00007f44129ec1c9 in ?? () from 
/usr/lib/x86_64-linux-gnu/libtalloc.so.2
#12 0x00007f44129ebde3 in ?? () from 
/usr/lib/x86_64-linux-gnu/libtalloc.so.2
#13 0x00007f44129ebde3 in ?? () from 
/usr/lib/x86_64-linux-gnu/libtalloc.so.2
#14 0x00007f44129ebde3 in ?? () from 
/usr/lib/x86_64-linux-gnu/libtalloc.so.2
#15 0x00007f44129e6243 in _talloc_free () from 
/usr/lib/x86_64-linux-gnu/libtalloc.so.2
#16 0x00007f44158343f7 in exit_server_common 
(how=how@entry=SERVER_EXIT_NORMAL, reason=0x7f4415906e61 "termination 
signal") at ../source3/smbd/server_exit.c:235
#17 0x00007f441583478e in smbd_exit_server_cleanly 
(explanation=<optimized out>) at ../source3/smbd/server_exit.c:269
#18 0x00007f4413739ca2 in exit_server_cleanly 
(reason=reason@entry=0x7f4415906e61 "termination signal") at 
../source3/lib/smbd_shim.c:131
#19 0x00007f44157fe180 in smbd_sig_term_handler (ev=<optimized out>, 
se=<optimized out>, signum=<optimized out>, count=<optimized out>, 
siginfo=<optimized out>, private_data=<optimized out>)
     at ../source3/smbd/process.c:970
#20 0x00007f44127dc067 in tevent_common_check_signal () from 
/usr/lib/x86_64-linux-gnu/libtevent.so.0
#21 0x00007f4413b81314 in run_events_poll (ev=0x55b775cf9390, pollrtn=0, 
pfds=0x0, num_pfds=0) at ../source3/lib/events.c:187
#22 0x00007f4413b81614 in s3_event_loop_once (ev=0x55b775cf9390, 
location=<optimized out>) at ../source3/lib/events.c:303
#23 0x00007f44127d8a4d in _tevent_loop_once () from 
/usr/lib/x86_64-linux-gnu/libtevent.so.0
#24 0x00007f44127d8beb in tevent_common_loop_wait () from 
/usr/lib/x86_64-linux-gnu/libtevent.so.0
#25 0x00007f4415804ee9 in smbd_process (ev_ctx=0x55b775cf9390, 
msg_ctx=<optimized out>, sock_fd=50, interactive=<optimized out>) at 
../source3/smbd/process.c:4031
#26 0x000055b773b3c726 in smbd_accept_connection (ev=0x55b775cf9390, 
fde=<optimized out>, flags=<optimized out>, private_data=<optimized 
out>) at ../source3/smbd/server.c:646
#27 0x00007f4413b8145c in run_events_poll (ev=0x55b775cf9390, 
pollrtn=<optimized out>, pfds=0x55b7770726e0, num_pfds=9) at 
../source3/lib/events.c:257
#28 0x00007f4413b816b0 in s3_event_loop_once (ev=0x55b775cf9390, 
location=<optimized out>) at ../source3/lib/events.c:326
#29 0x00007f44127d8a4d in _tevent_loop_once () from 
/usr/lib/x86_64-linux-gnu/libtevent.so.0
#30 0x00007f44127d8beb in tevent_common_loop_wait () from 
/usr/lib/x86_64-linux-gnu/libtevent.so.0
#31 0x000055b773b386e4 in smbd_parent_loop (parent=<optimized out>, 
ev_ctx=0x55b775cf9390) at ../source3/smbd/server.c:1011
#32 main (argc=<optimized out>, argv=<optimized out>) at 
../source3/smbd/server.c:1663


Thanks,

Javier
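
A simplified model, added here and not part of the original post nor taken from talloc or Samba, of how a freed flag kept in an allocation header yields an "access after free - first free may be at ..." diagnostic when a destructor touches an object freed earlier in the same teardown, which is the sequence the log and the gdb trace above show. All names (`model_free`, `model_check_name`, `teardown`), the magic value and the site strings are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>
#define MODEL_MAGIC     0x7a110c00u   /* constructed value, low bit clear */
#define MODEL_FLAG_FREE 0x01u
struct chunk {
    unsigned flags;                    /* magic, plus FREE bit once freed */
    const char *name;                  /* type name; free location after free */
    int (*destructor)(struct chunk *); /* runs before the chunk is marked freed */
    struct chunk *ref;                 /* object the destructor will touch */
};
static char last_error[160];

/* Validate the header before trusting the pointer, as a checked cast does. */
static int model_check_name(const struct chunk *c, const char *want)
{
    if (c->flags != MODEL_MAGIC) {
        if (c->flags & MODEL_FLAG_FREE)
            snprintf(last_error, sizeof last_error,
                     "access after free - first free may be at %s", c->name);
        return -1;                     /* a real allocator would panic here */
    }
    return strcmp(c->name, want) == 0 ? 0 : -2;
}

/* Mark freed instead of releasing memory so the later check stays defined. */
static int model_free(struct chunk *c, const char *location)
{
    int rc = c->destructor ? c->destructor(c) : 0;
    if (rc != 0) return rc;            /* destructor hit a bad pointer */
    c->flags |= MODEL_FLAG_FREE;
    c->name = location;                /* remembered for the diagnostic */
    return 0;
}

static int tcon_destructor(struct chunk *t) { return model_check_name(t->ref, "address"); }

/* address_first != 0 frees the referenced object before the object using it. */
static int teardown(int address_first)
{
    struct chunk addr = { MODEL_MAGIC, "address", NULL, NULL };
    struct chunk tcon = { MODEL_MAGIC, "tcon", tcon_destructor, &addr };
    last_error[0] = '\0';
    if (address_first) model_free(&addr, "first_free_site");
    int rc = model_free(&tcon, "second_free_site");
    if (!address_first) model_free(&addr, "first_free_site");
    return rc;
}

int main(void) { printf("%d %d\n", teardown(0), teardown(1)); return 0; }
```

The location stored at free time is what lets the diagnostic name the earlier free site rather than only the point of the failed check.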