Bug 245707 - net/samba410 PANIC Bad talloc magic value - access after free
Status: New
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Timur I. Bakeyev
Reported: 2020-04-17 20:16 UTC by Matt Wheeler
Modified: 2020-08-06 15:57 UTC

linimon: maintainer-feedback? (timur)


Description Matt Wheeler 2020-04-17 20:16:50 UTC
samba410 PANICs repeatedly while a macOS Catalina client attempts to connect to it (I don't have a Windows box to test whether it's a fruit-specific issue or not).

This happens with both samba410 from the official pkg repos (4.10.13)
and with poudriere-compiled samba410 with bundled tevent, talloc, tdb (4.10.14) (as the PANIC is in talloc, trying the bundled version seemed worth a punt at least...).

Samba is running in a jail with VNET on ZFS
Base system is FreeBSD 12.1-RELEASE r354233 GENERIC  amd64


/etc/jail.conf:
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";

exec.consolelog = "/var/log/jail_${name}_console.log";

host.hostname = "${name}.sodium";

path = "/jails/${name}";

samba {
        vnet;
        vnet.interface = "ng0_${name}";
        exec.prestart += "jng bridge ${name} bge0";
        exec.poststop += "jng shutdown ${name}";

        devfs_ruleset=11;
        mount.devfs;
}


/jails/samba/usr/local/etc/smb4.conf:
[global]
        workgroup = WORKGROUP
        security = user
        netbios name = files
        server string = files.beryllium.local
        ; hostname lookups = yes

        load printers = no
        show add printer wizard = no
        time server = yes
        map to guest = Bad User
        use mmap = yes

        dos charset = 850
        unix charset = UTF-8
        mangled names = no

        log level = 0
        vfs objects = fruit streams_xattr zfsacl

        fruit:model = MacPro
        fruit:resource = file
        fruit:metadata = netatalk

; time machine
[TimeMachine]
        path = /shares/timemachine
        read only = no
        use sendfile = yes
        browseable = no
        ; hosts allow = macbook.your-local-domain.invalid fe80::/10
        fruit:time machine = yes
        fruit:time machine max size = 3T
        valid users = tm

---

Proceed with deinstalling packages? [y/N]: y
[samba.sodium] [1/4] Deinstalling samba410-4.10.13...
[samba.sodium] [1/4] Deleting files for samba410-4.10.13: 100%
[samba.sodium] [2/4] Deinstalling tevent-0.10.1...
[samba.sodium] [2/4] Deleting files for tevent-0.10.1: 100%
[samba.sodium] [3/4] Deinstalling talloc-2.3.0...
[samba.sodium] [3/4] Deleting files for talloc-2.3.0: 100%
[samba.sodium] [4/4] Deinstalling tdb-1.4.2,1...
[samba.sodium] [4/4] Deleting files for tdb-1.4.2,1: 100%
root@sodium:~ # pkg -j samba install samba410
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
Updating local_poudriere repository catalogue...
local_poudriere repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        samba410: 4.10.14 [local_poudriere]

Number of packages to be installed: 1

The process will require 76 MiB more space.

Proceed with this action? [y/N]: y

---

[2020/04/17 19:22:13.945495,  0] ../../source3/lib/dumpcore.c:310(dump_core)
  unable to change to %N.core
  refusing to dump core
[2020/04/17 19:22:14.059962,  0] ../../source3/lib/popt_common.c:67(popt_s3_talloc_log_fn)
  talloc: access after free error - first free may be at ../../lib/util/memcache.c:218
[2020/04/17 19:22:14.060538,  0] ../../source3/lib/popt_common.c:67(popt_s3_talloc_log_fn)
  Bad talloc magic value - access after free
[2020/04/17 19:22:14.060812,  0] ../../source3/lib/util.c:824(smb_panic_s3)
  PANIC (pid 95605): Bad talloc magic value - access after free
[2020/04/17 19:22:14.064574,  0] ../../lib/util/fault.c:265(log_stack_trace)
  BACKTRACE: 24 stack frames:
   #0 0x8010f2947 <log_stack_trace+0x37> at /usr/local/lib/samba4/libsamba-util.so.0
   #1 0x80168e50d <smb_panic_s3+0x4d> at /usr/local/lib/samba4/libsmbconf.so.0
   #2 0x8010f2737 <smb_panic+0x17> at /usr/local/lib/samba4/libsamba-util.so.0
   #3 0x80145fd95 <talloc_set_memlimit+0x6f5> at /usr/local/lib/samba4/private/libtalloc.so.2
   #4 0x80145fe3f <talloc_set_memlimit+0x79f> at /usr/local/lib/samba4/private/libtalloc.so.2
   #5 0x801358615 <create_file_default+0x24f5> at /usr/local/lib/samba4/private/libsmbd-base-samba4.so
   #6 0x801357271 <create_file_default+0x1151> at /usr/local/lib/samba4/private/libsmbd-base-samba4.so
   #7 0x801356306 <create_file_default+0x1e6> at /usr/local/lib/samba4/private/libsmbd-base-samba4.so
   #8 0x80be6ae25 <samba_init_module+0x2d95> at /usr/local/lib/samba4/modules/vfs/fruit.so
   #9 0x80139620a <smbd_smb2_request_process_create+0x168a> at /usr/local/lib/samba4/private/libsmbd-base-samba4.so
   #10 0x80138c2d4 <smbd_smb2_request_dispatch+0x1d44> at /usr/local/lib/samba4/private/libsmbd-base-samba4.so
   #11 0x80138f7c1 <smbd_smb2_process_negprot+0x1951> at /usr/local/lib/samba4/private/libsmbd-base-samba4.so
   #12 0x801494ccd <tevent_common_invoke_fd_handler+0x8d> at /usr/local/lib/samba4/private/libtevent.so.0
   #13 0x801497ac4 <tevent_context_same_loop+0xd34> at /usr/local/lib/samba4/private/libtevent.so.0
   #14 0x801493ef1 <_tevent_loop_once+0xe1> at /usr/local/lib/samba4/private/libtevent.so.0
   #15 0x80149417b <tevent_common_loop_wait+0x5b> at /usr/local/lib/samba4/private/libtevent.so.0
   #16 0x80137a406 <smbd_process+0x886> at /usr/local/lib/samba4/private/libsmbd-base-samba4.so
   #17 0x1031d0f <main+0x445f> at /usr/local/sbin/smbd
   #18 0x801494ccd <tevent_common_invoke_fd_handler+0x8d> at /usr/local/lib/samba4/private/libtevent.so.0
   #19 0x801497ac4 <tevent_context_same_loop+0xd34> at /usr/local/lib/samba4/private/libtevent.so.0
   #20 0x801493ef1 <_tevent_loop_once+0xe1> at /usr/local/lib/samba4/private/libtevent.so.0
   #21 0x80149417b <tevent_common_loop_wait+0x5b> at /usr/local/lib/samba4/private/libtevent.so.0
   #22 0x103016f <main+0x28bf> at /usr/local/sbin/smbd
   #23 0x102f6af <main+0x1dff> at /usr/local/sbin/smbd
[2020/04/17 19:22:14.068335,  0] ../../source3/lib/dumpcore.c:310(dump_core)
  unable to change to %N.core
  refusing to dump core
[2020/04/17 19:22:14.072418,  0] ../../source3/lib/popt_common.c:67(popt_s3_talloc_log_fn)
  talloc: access after free error - first free may be at ../../lib/util/memcache.c:218
[2020/04/17 19:22:14.073014,  0] ../../source3/lib/popt_common.c:67(popt_s3_talloc_log_fn)
  Bad talloc magic value - access after free
[2020/04/17 19:22:14.073290,  0] ../../source3/lib/util.c:824(smb_panic_s3)
  PANIC (pid 96458): Bad talloc magic value - access after free
[2020/04/17 19:22:14.077131,  0] ../../lib/util/fault.c:265(log_stack_trace)
  BACKTRACE: 24 stack frames:
   #0 0x8010f2947 <log_stack_trace+0x37> at /usr/local/lib/samba4/libsamba-util.so.0
   #1 0x80168e50d <smb_panic_s3+0x4d> at /usr/local/lib/samba4/libsmbconf.so.0
   #2 0x8010f2737 <smb_panic+0x17> at /usr/local/lib/samba4/libsamba-util.so.0
   #3 0x80145fd95 <talloc_set_memlimit+0x6f5> at /usr/local/lib/samba4/private/libtalloc.so.2
   #4 0x80145fe3f <talloc_set_memlimit+0x79f> at /usr/local/lib/samba4/private/libtalloc.so.2
   #5 0x801358615 <create_file_default+0x24f5> at /usr/local/lib/samba4/private/libsmbd-base-samba4.so
   #6 0x801357271 <create_file_default+0x1151> at /usr/local/lib/samba4/private/libsmbd-base-samba4.so
   #7 0x801356306 <create_file_default+0x1e6> at /usr/local/lib/samba4/private/libsmbd-base-samba4.so
   #8 0x80be6ae25 <samba_init_module+0x2d95> at /usr/local/lib/samba4/modules/vfs/fruit.so
   #9 0x80139620a <smbd_smb2_request_process_create+0x168a> at /usr/local/lib/samba4/private/libsmbd-base-samba4.so
   #10 0x80138c2d4 <smbd_smb2_request_dispatch+0x1d44> at /usr/local/lib/samba4/private/libsmbd-base-samba4.so
   #11 0x80138f7c1 <smbd_smb2_process_negprot+0x1951> at /usr/local/lib/samba4/private/libsmbd-base-samba4.so
   #12 0x801494ccd <tevent_common_invoke_fd_handler+0x8d> at /usr/local/lib/samba4/private/libtevent.so.0
   #13 0x801497ac4 <tevent_context_same_loop+0xd34> at /usr/local/lib/samba4/private/libtevent.so.0
   #14 0x801493ef1 <_tevent_loop_once+0xe1> at /usr/local/lib/samba4/private/libtevent.so.0
   #15 0x80149417b <tevent_common_loop_wait+0x5b> at /usr/local/lib/samba4/private/libtevent.so.0
   #16 0x80137a406 <smbd_process+0x886> at /usr/local/lib/samba4/private/libsmbd-base-samba4.so
   #17 0x1031d0f <main+0x445f> at /usr/local/sbin/smbd
   #18 0x801494ccd <tevent_common_invoke_fd_handler+0x8d> at /usr/local/lib/samba4/private/libtevent.so.0
   #19 0x801497ac4 <tevent_context_same_loop+0xd34> at /usr/local/lib/samba4/private/libtevent.so.0
   #20 0x801493ef1 <_tevent_loop_once+0xe1> at /usr/local/lib/samba4/private/libtevent.so.0
   #21 0x80149417b <tevent_common_loop_wait+0x5b> at /usr/local/lib/samba4/private/libtevent.so.0
   #22 0x103016f <main+0x28bf> at /usr/local/sbin/smbd
   #23 0x102f6af <main+0x1dff> at /usr/local/sbin/smbd
Comment 1 Matt Wheeler 2020-08-06 15:57:01 UTC
I am still experiencing this PANIC with samba410-4.10.17
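
Added example, not part of the original report and not Samba or FreeBSD project code: a small triage script for smbd logs in the format shown above. It groups repeated talloc access-after-free panics into one crash signature and lists the VFS modules on the crashing stack. The function names (triage, bucket, vfs_modules) are hypothetical, and the sample log is constructed by abridging the lines in the report.

```python
import re
from collections import Counter

# Constructed sample: two panics abridged from the log format in the report.
SAMPLE_LOG = """\
[2020/04/17 19:22:14.059962,  0] ../../source3/lib/popt_common.c:67(popt_s3_talloc_log_fn)
  talloc: access after free error - first free may be at ../../lib/util/memcache.c:218
[2020/04/17 19:22:14.060812,  0] ../../source3/lib/util.c:824(smb_panic_s3)
  PANIC (pid 95605): Bad talloc magic value - access after free
   #5 0x801358615 <create_file_default+0x24f5> at /usr/local/lib/samba4/private/libsmbd-base-samba4.so
   #8 0x80be6ae25 <samba_init_module+0x2d95> at /usr/local/lib/samba4/modules/vfs/fruit.so
[2020/04/17 19:22:14.072418,  0] ../../source3/lib/popt_common.c:67(popt_s3_talloc_log_fn)
  talloc: access after free error - first free may be at ../../lib/util/memcache.c:218
[2020/04/17 19:22:14.073290,  0] ../../source3/lib/util.c:824(smb_panic_s3)
  PANIC (pid 96458): Bad talloc magic value - access after free
   #5 0x801358615 <create_file_default+0x24f5> at /usr/local/lib/samba4/private/libsmbd-base-samba4.so
   #8 0x80be6ae25 <samba_init_module+0x2d95> at /usr/local/lib/samba4/modules/vfs/fruit.so
"""

FREE = re.compile(r"first free may be at (\S+)")
PANIC = re.compile(r"PANIC \(pid (\d+)\): (.+)")
FRAME = re.compile(r"#\d+ 0x[0-9a-f]+ <([^+>]+)\+0x[0-9a-f]+> at (\S+)")

def triage(log):
    """Return one record per PANIC: pid, reason, talloc's first-free hint, frames."""
    panics, free_site = [], None
    for line in log.splitlines():
        if m := FREE.search(line):
            free_site = m.group(1)          # hint is logged just before the PANIC
        elif m := PANIC.search(line):
            panics.append({"pid": int(m.group(1)), "reason": m.group(2).strip(),
                           "first_free": free_site, "frames": []})
            free_site = None
        elif (m := FRAME.search(line)) and panics:
            panics[-1]["frames"].append((m.group(1), m.group(2)))
    return panics

def bucket(panics):
    """Count crashes per signature; pids, timestamps and offsets are ignored."""
    return Counter((p["first_free"], tuple(s for s, _ in p["frames"])) for p in panics)

def vfs_modules(panic):
    """VFS modules on the crashing stack, candidates for isolating via 'vfs objects'."""
    return sorted({path.rsplit("/", 1)[-1] for _, path in panic["frames"]
                   if "/modules/vfs/" in path})

if __name__ == "__main__":
    for sig, n in bucket(triage(SAMPLE_LOG)).items():
        print(n, "panic(s), first free at", sig[0], "via", " <- ".join(sig[1]))
```

The symbol in each frame is the nearest exported one, so a large offset such as samba_init_module+0x2d95 usually identifies the module rather than the function that was actually executing.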