#311 Segfault shutting down SSSD
Closed: Fixed None Opened 14 years ago by sgallagh.

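Looks like a double free in the failover code: the talloc destructor be_svc_data_destroy() is trying to free svc->callbacks, but that chunk has already been freed somewhere else. talloc's chunk-header check catches this and aborts the process (frame #2, "Bad talloc magic value - double free"). The teardown that runs the destructor is reached through exit() called from the sig_term handler (frames #14-#16), so the crash only shows up at shutdown.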

#0  0x000000341e6326b5 in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
        resultvar = 0
        pid = <value optimized out>
        selftid = <value optimized out>
#1  0x000000341e633e95 in abort () at abort.c:92
        save_stage = 2
        act = {__sigaction_handler = {sa_handler = 0x341e41f440, sa_sigaction = 0x341e41f440}, sa_mask = {__val = {140736471352000, 140736471352024, 8334561280, 3864868537, 4212225, 223847934728, 
              139822404943872, 224084937056, 4294967295, 30991968, 1, 223866817832, 0, 30997888, 0, 0}}, sa_flags = 505469824, sa_restorer = 0x3400000001}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2  0x000000341f601d8c in talloc_abort (reason=0x341f607980 "Bad talloc magic value - double free") at talloc.c:199
No locals.
#3  0x000000341f601c69 in talloc_abort_double_free () at talloc.c:218
No locals.
#4  talloc_chunk_from_ptr () at talloc.c:239
        pp = 0x1d8fd80 ""
        tc = 0x1d8fd30
#5  _talloc_free () at talloc.c:1118
        tc = <value optimized out>
#6  0x000000000040e015 in be_svc_data_destroy (memptr=0x1d91f40) at ../../server/providers/data_provider_fo.c:94
        svc = 0x1d91f40
#7  0x000000341f602d3e in _talloc_free_internal (ptr=0x1d91f40, location=0x341f6078e7 "talloc.c:1861") at talloc.c:600
        d = <value optimized out>
        tc = 0x1d91ef0
#8  0x000000341f602bcb in _talloc_free_internal (ptr=0x1d79b50, location=0x341f6078e7 "talloc.c:1861") at talloc.c:631
        child = 0x1d91f40
        new_parent = 0x0
        tc = 0x1d79b00
#9  0x000000341f602bcb in _talloc_free_internal (ptr=0x1d79930, location=0x341f6078e7 "talloc.c:1861") at talloc.c:631
        child = 0x1d79b50
        new_parent = 0x0
        tc = 0x1d798e0
#10 0x000000341f602bcb in _talloc_free_internal (ptr=0x1d775b0, location=0x341f6078e7 "talloc.c:1861") at talloc.c:631
        child = 0x1d79930
        new_parent = 0x0
        tc = 0x1d77560
#11 0x000000341f602bcb in _talloc_free_internal (ptr=0x1d77480, location=0x341f6078e7 "talloc.c:1861") at talloc.c:631
        child = 0x1d775b0
        new_parent = 0x0
        tc = 0x1d77430
#12 0x000000341f601a6b in _talloc_free_internal (location=<value optimized out>, ptr=<value optimized out>) at talloc.c:631
        child = 0x1d77480
        new_parent = 0x0
        tc = 0x1d77250
#13 _talloc_free (location=<value optimized out>, ptr=<value optimized out>) at talloc.c:1133
        tc = <value optimized out>
#14 0x000000341e635b72 in __run_exit_handlers (status=<value optimized out>, listp=<value optimized out>, run_list_atexit=<value optimized out>) at exit.c:78
        atfct = <value optimized out>
        onfct = <value optimized out>
        cxafct = <value optimized out>
#15 exit (status=<value optimized out>, listp=<value optimized out>, run_list_atexit=<value optimized out>) at exit.c:100
No locals.
#16 0x0000000000438a3e in sig_term (sig=15) at ../../server/util/server.c:194
        done_sigterm = 0
        __FUNCTION__ = "sig_term"
#17 <signal handler called>
No symbol table info available.
#18 0x000000341e6de513 in __epoll_wait_nocancel () at ../sysdeps/unix/syscall-template.S:82
No locals.
#19 0x00000034216054d6 in epoll_event_loop (tvalp=<value optimized out>, std_ev=0x1d77540) at tevent_standard.c:264
        ret = <value optimized out>
        i = <value optimized out>
        events = {{events = 17, data = {ptr = 0x1d9d440, fd = 31052864, u32 = 31052864, u64 = 31052864}}}
        timeout = <value optimized out>
#20 std_event_loop_once (tvalp=<value optimized out>, std_ev=0x1d77540) at tevent_standard.c:544
        tval = {tv_sec = 240, tv_usec = 831694}
#21 0x0000003421602780 in _tevent_loop_once (ev=0x1d77480, location=0x4481b8 "../../server/util/server.c:431") at tevent.c:490
        ret = <value optimized out>
        nesting_stack_ptr = 0x0
#22 0x00000034216027fb in tevent_common_loop_wait (ev=0x1d77480, location=0x4481b8 "../../server/util/server.c:431") at tevent.c:591
        ret = <value optimized out>
#23 0x00000000004398d8 in server_loop (main_ctx=0x1d775b0) at ../../server/util/server.c:431
No locals.
#24 0x000000000040debd in main (argc=7, argv=0x7fffc361ce08) at ../../server/providers/data_provider_be.c:1187
        opt = -1
        pc = 0x1d76030
        be_domain = 0x1d764f0 "sgallagh"
        srv_name = 0x1d760f0 "sssd[be[sgallagh]]"
        conf_entry = 0x1d76160 "config/domain/sgallagh"
        main_ctx = 0x1d775b0
        ret = 0
        long_options = {{longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x64dc20, val = 0, descrip = 0x43d747 "Help options:", argDescrip = 0x0}, {longName = 0x43d755 "debug-level", 
            shortName = 100 'd', argInfo = 2, arg = 0x64dd00, val = 0, descrip = 0x43d761 "Debug level", argDescrip = 0x0}, {longName = 0x43d76d "debug-to-files", shortName = 102 'f', argInfo = 0, 
            arg = 0x64dd08, val = 0, descrip = 0x43d780 "Send the debug output to files instead of stderr", argDescrip = 0x0}, {longName = 0x43d7b1 "debug-timestamps", shortName = 0 '\000', argInfo = 0, 
            arg = 0x64dd04, val = 0, descrip = 0x43d7c2 "Add debug timestamps", argDescrip = 0x0}, {longName = 0x43d7d7 "domain", shortName = 0 '\000', argInfo = 1, arg = 0x7fffc361cce0, val = 0, 
            descrip = 0x43d7e0 "Domain of the information provider (mandatory)", argDescrip = 0x0}, {longName = 0x0, shortName = 0 '\000', argInfo = 0, arg = 0x0, val = 0, descrip = 0x0, argDescrip = 0x0}}
        __FUNCTION__ = "main"



(gdb) up
#6  0x000000000040e015 in be_svc_data_destroy (memptr=0x1d91f40) at ../../server/providers/data_provider_fo.c:94
94          talloc_free(svc->callbacks);
(gdb) print svc
$1 = (struct be_svc_data *) 0x1d91f40
(gdb) print svc->callbacks
$2 = (struct be_svc_callback *) 0x1d8fd80
(gdb) print *svc->callbacks
$3 = {prev = 0x0, next = 0x0, svc = 0x0, fn = 0x7f2aea2e64b5 <ipa_resolve_callback>, private_data = 0x1d930e0}

Fixed by 4acbe2d

fixedin: => 1.0.0
milestone: NEEDS_TRIAGE => SSSD 1.0
resolution: => fixed
status: new => closed

Fields changed

rhbz: => 0

Metadata Update from @sgallagh:
- Issue assigned to mnagy
- Issue set to the milestone: SSSD 1.0

7 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/1353

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
