The Samba-Bugzilla – Attachment 16554 Details for
Bug 14672
smbd panic when two clients open same file
[patch]
Possible patch for master (and older versions)
master-bug14672.patch (text/plain), 3.39 KB, created by
Ralph Böhme
on 2021-03-17 15:37:26 UTC
>From 4c8ecf9e0eb2dac47fdb590351d2330127dd7014 Mon Sep 17 00:00:00 2001 >From: Ralph Boehme <slow@samba.org> >Date: Wed, 17 Mar 2021 16:22:37 +0100 >Subject: [PATCH 1/3] smbd: reset dangling watch_req pointer in poll_open_done > >We just freed subreq and a pointer to subreq is stored in open_rec->watch_req, >so we must invalidate the pointer. > >Otherwise if the poll open timer fires it will do a > > TALLOC_FREE(open_rec->watch_req); > >on the dangling pointer which may crash or do something worse like freeing some >other random talloc memory. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14672 >CI: https://gitlab.com/samba-team/samba/-/merge_requests/1843 >--- > source3/smbd/open.c | 2 ++ > 1 file changed, 2 insertions(+) > >diff --git a/source3/smbd/open.c b/source3/smbd/open.c >index 5b3dc246e8a..fd4536b4914 100644 >--- a/source3/smbd/open.c >+++ b/source3/smbd/open.c >@@ -3040,6 +3040,8 @@ static void poll_open_done(struct tevent_req *subreq) > > status = share_mode_watch_recv(subreq, NULL, NULL); > TALLOC_FREE(subreq); >+ open_rec->watch_req = NULL; >+ > DBG_DEBUG("dbwrap_watched_watch_recv returned %s\n", > nt_errstr(status)); > >-- >2.30.2 > > >From e22cb2f278af5ff6ca8f93ba9048b983877d5af8 Mon Sep 17 00:00:00 2001 >From: Ralph Boehme <slow@samba.org> >Date: Wed, 17 Mar 2021 16:24:28 +0100 >Subject: [PATCH 2/3] smbd: cancel pending poll open timer in poll_open_done() > >The retry of the open is scheduled below, avoid rescheduling it a second time in >the open retry timeout function. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14672 >CI: https://gitlab.com/samba-team/samba/-/merge_requests/1843 >--- > source3/smbd/open.c | 1 + > 1 file changed, 1 insertion(+) > >diff --git a/source3/smbd/open.c b/source3/smbd/open.c >index fd4536b4914..1659df90366 100644 >--- a/source3/smbd/open.c >+++ b/source3/smbd/open.c 
>@@ -3041,6 +3041,7 @@ static void poll_open_done(struct tevent_req *subreq) > status = share_mode_watch_recv(subreq, NULL, NULL); > TALLOC_FREE(subreq); > open_rec->watch_req = NULL; >+ TALLOC_FREE(open_rec->te); > > DBG_DEBUG("dbwrap_watched_watch_recv returned %s\n", > nt_errstr(status)); >-- >2.30.2 > > >From 86bd2c7d62ec5dcae201d8456a2b23856855b9d9 Mon Sep 17 00:00:00 2001 >From: Ralph Boehme <slow@samba.org> >Date: Tue, 16 Mar 2021 18:18:46 +0100 >Subject: [PATCH 3/3] smbd: free open_rec state in > remove_deferred_open_message_smb2_internal() > >The lifetime of open_rec (struct deferred_open_record) ojects is the time >processing the SMB open request every time the request is scheduled, ie once we >reschedule we must wipe the slate clean. In case the request gets deferred >again, a new open_rec will be created by the schedule functions. > >This ensures any timer event tied to the open_rec gets cancelled and doesn't >fire unexpectedly. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14672 >CI: https://gitlab.com/samba-team/samba/-/merge_requests/1843 >RN: smbd panic when two clients open same file >--- > source3/smbd/smb2_create.c | 1 + > 1 file changed, 1 insertion(+) > >diff --git a/source3/smbd/smb2_create.c b/source3/smbd/smb2_create.c >index 2dd3745dd32..8ff57c94aa0 100644 >--- a/source3/smbd/smb2_create.c >+++ b/source3/smbd/smb2_create.c >@@ -1714,6 +1714,7 @@ static void remove_deferred_open_message_smb2_internal(struct smbd_smb2_request > state->open_was_deferred = false; > /* Ensure we don't have any outstanding immediate event. */ > TALLOC_FREE(state->im); >+ TALLOC_FREE(state->open_rec); > } > > void remove_deferred_open_message_smb2( >-- >2.30.2 >
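Review bot: In patch 1/3, the added `open_rec->watch_req = NULL;` in poll_open_done() only makes sense if you already know that subreq and open_rec->watch_req are the same object, and nothing in the surrounding lines says so. Please add a one-line comment at the assignment stating that subreq is the request stored in open_rec->watch_req. Alternatively, free through the owning field with `TALLOC_FREE(open_rec->watch_req);`, so the free and the reset cannot drift apart in a later edit. The commit message explains the aliasing well, but a reader of open.c will not see it.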
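Review bot: In patch 2/3, the new `TALLOC_FREE(open_rec->te);` in poll_open_done() runs unconditionally, before the status from share_mode_watch_recv() is even logged. The hunk does not show what happens when that status is an error. Please confirm that cancelling the timer is also correct on the failure path, where the retry mentioned in the commit message may not be scheduled. A short comment on the line would also help, for example that the retry is scheduled below and the timer must not schedule it a second time, because the reason for dropping the timer is not obvious from the code.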
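Review bot: In patch 3/3, the added `TALLOC_FREE(state->open_rec);` in remove_deferred_open_message_smb2_internal() sits under the existing comment "Ensure we don't have any outstanding immediate event.", which describes only state->im. Please give the new line its own comment saying that freeing open_rec cancels any timer tied to it and that a fresh open_rec is created if the request is deferred again, as the commit message states. It is also worth confirming that a pending watch request whose callback dereferences open_rec, such as poll_open_done() in patches 1/3 and 2/3, cannot still fire after this free. The visible lines do not show whether watch_req is released together with open_rec.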