Bug 10407 - SMBD segfault in defer_open_done()
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Hardware/OS: x86 Linux
Importance: P3 normal
Assigned To: Samba QA Contact
Reported: 2014-01-30 14:53 UTC by Tom Talpey
Modified: 2014-01-30 15:43 UTC (History)
Description Tom Talpey 2014-01-30 14:53:13 UTC
SMBD spontaneously segfaulted in the defer_open_done() routine.

Possibly related to this 4.2 report? https://bugzilla.samba.org/show_bug.cgi?id=10386

System (Ubuntu server 12.04.4 x86 LTS):
root@NAS:~# uname -a
Linux NAS 3.2.0-58-generic-pae #88-Ubuntu SMP Tue Dec 3 18:00:02 UTC 2013 i686 i686 i386 GNU/Linux

SMBD Version:
root@NAS:~# smbd --version
Version 4.1.4-SerNet-Ubuntu-7.precise 

Repro steps:
1) Connect to server from Windows 8.1 client on highly flaky network
2) Attempt a drag-and-drop large file copy from server share
3) Experience a hang due to flaky network
4) Disconnect the client.

root@NAS:~# gdb /usr/sbin/smbd /var/log/samba/cores/smbd/core
GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2.1) 7.4-2012.04
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
Reading symbols from /usr/sbin/smbd...Reading symbols from /usr/lib/debug/usr/sbin/smbd...done.
[New LWP 28484]

warning: Can't read pathname for load map: Input/output error.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
Core was generated by `smbd -F'.
Program terminated with signal 6, Aborted.
#0  0xb773d424 in __kernel_vsyscall ()
(gdb) bt
#0  0xb773d424 in __kernel_vsyscall ()
#1  0xb6c341df in raise () from /lib/i386-linux-gnu/libc.so.6
#2  0xb6c37825 in abort () from /lib/i386-linux-gnu/libc.so.6
#3  0xb71e4c49 in dump_core () at ../source3/lib/dumpcore.c:336
#4  0xb71cbdac in smb_panic_s3 (why=0xb7624b09 "assert failed: ret") at ../source3/lib/util.c:808
#5  0xb76f8370 in smb_panic (why=0xb7624b09 "assert failed: ret") at ../lib/util/fault.c:159
#6  0xb74c06ce in defer_open_done (req=0x0) at ../source3/smbd/open.c:1582
#7  0xb73d4e20 in _tevent_req_notify_callback (req=0xb7e92088, location=0xb73d9c58 "tevent_req_timedout")
    at ../lib/tevent/tevent_req.c:101
#8  0xb73d4e4e in tevent_req_finish (req=<optimized out>, state=<optimized out>, location=0xb73d9c58 "tevent_req_timedout")
    at ../lib/tevent/tevent_req.c:110
#9  0xb73d4eb2 in tevent_req_timedout (ev=0xb7e73dd8, te=0xb7ea8330, now=..., private_data=0xb7e92088)
    at ../lib/tevent/tevent_req.c:242
#10 0xb73d7f19 in tevent_common_loop_timer_delay (ev=0xb7e73dd8) at ../lib/tevent/tevent_timed.c:341
#11 0xb71ed5bf in run_events_poll (ev=0xb7e73dd8, pollrtn=0, pfds=0xb7e7cbb8, num_pfds=4) at ../source3/lib/events.c:199
#12 0xb71ed9da in s3_event_loop_once (ev=0xb7e73dd8, location=0xb7633b8c "../source3/smbd/process.c:3626")
    at ../source3/lib/events.c:326
#13 0xb73d3e58 in _tevent_loop_once (ev=0xb7e73dd8, location=0xb7633b8c "../source3/smbd/process.c:3626")
    at ../lib/tevent/tevent.c:530
#14 0xb74e89d8 in smbd_process (ev_ctx=0xb7e73dd8, msg_ctx=0xb7e73e58, sock_fd=31, interactive=false)
    at ../source3/smbd/process.c:3626
#15 0xb77679a9 in smbd_accept_connection (ev=0xb7e73dd8, fde=0xb7e7e770, flags=1, private_data=0xb7e7e5a8)
    at ../source3/smbd/server.c:621
#16 0xb71ed848 in run_events_poll (ev=0xb7e73dd8, pollrtn=1, pfds=0xb7e7cbb8, num_pfds=3) at ../source3/lib/events.c:257
#17 0xb71ed9da in s3_event_loop_once (ev=0xb7e73dd8, location=0xb776c2a1 "../source3/smbd/server.c:943")
    at ../source3/lib/events.c:326
#18 0xb73d3e58 in _tevent_loop_once (ev=0xb7e73dd8, location=0xb776c2a1 "../source3/smbd/server.c:943")
    at ../lib/tevent/tevent.c:530
#19 0xb7769eef in smbd_parent_loop (parent=<optimized out>, ev_ctx=0xb7e73dd8) at ../source3/smbd/server.c:943
#20 main (argc=<error reading variable: Cannot access memory at address 0x6f44>, 
    argv=<error reading variable: Cannot access memory at address 0x6f48>) at ../source3/smbd/server.c:1577
(gdb) q
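The backtrace above shows the shape of the failure rather than its root cause: a tevent timer fires (tevent_req_timedout), the deferred-open callback runs, and an SMB_ASSERT on a boolean result turns into smb_panic, abort and a core dump, all after the client has already gone away. The following is an added toy model written for this page, not Samba's code and not a claim about what open.c:1582 actually does; every name in it (struct conn, defer_open, replay, the mid value 0x2a, the deadlines) is made up. It shows the two things a reviewer would look for in this pattern: a per-request timer that is not cancelled when its owner is torn down, and a lookup failure that is promoted to a process abort instead of being treated as "nothing to do".

```c
/* Added toy model, not Samba code: a deferred open with a timeout, in the shape
 * of the backtrace (timer -> callback -> assert on a lookup).  All names are made up. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MAX_SLOTS 8

typedef void (*timer_fn)(void *private_data);
struct timer    { bool active; uint64_t when; timer_fn fn; void *private_data; };
struct conn;
struct deferred { bool pending; uint64_t mid; struct conn *conn; int timer_idx; };
struct conn     { struct deferred deferred[MAX_SLOTS]; int rescheduled; int dropped; };
struct outcome  { int panics; int fired; int rescheduled; int dropped; };

static struct timer timers[MAX_SLOTS];
static int panics;   /* stands in for smb_panic()/abort(); a real smbd dumps core here */

static int timer_add(uint64_t when, timer_fn fn, void *pd)
{
    for (int i = 0; i < MAX_SLOTS; i++)
        if (!timers[i].active) { timers[i] = (struct timer){ true, when, fn, pd }; return i; }
    return -1;
}

/* Fire every armed timer due by 'now', like tevent_common_loop_timer_delay(). */
static int loop_run(uint64_t now)
{
    int fired = 0;
    for (int i = 0; i < MAX_SLOTS; i++) {
        if (!timers[i].active || timers[i].when > now) continue;
        timers[i].active = false;
        timers[i].fn(timers[i].private_data);
        fired++;
    }
    return fired;
}

/* Find the deferred request by mid and make it runnable again; false if it is gone. */
static bool reschedule_deferred(struct conn *c, uint64_t mid)
{
    for (int i = 0; i < MAX_SLOTS; i++) {
        if (!c->deferred[i].pending || c->deferred[i].mid != mid) continue;
        c->deferred[i].pending = false;
        c->rescheduled++;
        return true;
    }
    return false;
}

/* Timeout callback that treats a failed lookup as impossible: SMB_ASSERT(ret). */
static void timeout_assert(void *pd)
{
    struct deferred *d = pd;
    if (!reschedule_deferred(d->conn, d->mid)) panics++;
}

/* Hardened callback: after a disconnect, a missing request is a normal outcome. */
static void timeout_tolerant(void *pd)
{
    struct deferred *d = pd;
    if (!reschedule_deferred(d->conn, d->mid)) d->conn->dropped++;
}

static struct deferred *defer_open(struct conn *c, uint64_t mid, uint64_t deadline, timer_fn fn)
{
    for (int i = 0; i < MAX_SLOTS; i++) {
        struct deferred *d = &c->deferred[i];
        if (d->pending) continue;
        *d = (struct deferred){ true, mid, c, timer_add(deadline, fn, d) };
        return d;
    }
    return NULL;
}

/* Repro step 4: the client goes away.  The hardened teardown also disarms the timer. */
static void conn_disconnect(struct conn *c, bool cancel_timers)
{
    for (int i = 0; i < MAX_SLOTS; i++) {
        struct deferred *d = &c->deferred[i];
        if (!d->pending) continue;
        d->pending = false;
        if (cancel_timers && d->timer_idx >= 0) timers[d->timer_idx].active = false;
        d->timer_idx = -1;
    }
}

/* Defer one open, optionally drop the client, then run the loop past the deadline. */
static struct outcome replay(bool disconnect, bool tolerant_cb, bool cancel_on_disconnect)
{
    struct conn c;
    memset(&c, 0, sizeof c);
    memset(timers, 0, sizeof timers);
    panics = 0;
    defer_open(&c, 0x2a, 100, tolerant_cb ? timeout_tolerant : timeout_assert);
    if (disconnect) conn_disconnect(&c, cancel_on_disconnect);
    int fired = loop_run(200);
    return (struct outcome){ panics, fired, c.rescheduled, c.dropped };
}
```

replay(true, false, false) reproduces the reported sequence in miniature: the client disconnects, the timer still fires, the lookup fails and the "panic" counter goes to 1. Cancelling the timer in the teardown (replay(true, false, true)) means the callback never runs; a tolerant callback (replay(true, true, false)) lets it run and fail quietly. In this toy the connection struct outlives the timer, so the stale callback only sees an empty list; in a real server the owner's memory may already be freed, which is the stronger reason to disarm the timer in the owner's teardown rather than rely on the callback coping. Either way, an assert on that lookup turns a client-controlled disconnect into a process abort and a core dump.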
Comment 1 Volker Lendecke 2014-01-30 15:43:22 UTC
Hi, Tom!

Nice to see you here :-))

Yes, very likely that's a dup of 10386, which I've already seen.

Can you try current master? Recently I have removed code in that area that has caused me great pain in the past, see 10284. If that's too much effort, can you get me a network trace and a debug level 10 log of smbd?