Bug 10878 - smbd panic at share_mode_lock_destructor
Summary: smbd panic at share_mode_lock_destructor
Status: NEEDINFO
Alias: None
Product: Samba 3.6
Classification: Unclassified
Component: SMB2 (show other bugs)
Version: 3.6.12
Hardware: All FreeBSD
: P5 major
Target Milestone: ---
Assignee: Jeremy Allison
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-10-14 19:11 UTC by Partha
Modified: 2014-11-07 01:14 UTC (History)
0 users

See Also:


Attachments

Description Partha 2014-10-14 19:11:39 UTC
smbd panics with the stack trace below:

(gdb) bt
#0  0x0000000802d07ffc in thr_kill () from /lib/libc.so.7
#1  0x0000000802da358b in abort () from /lib/libc.so.7
#2  0x0000000000792361 in dump_core () at lib/fault.c:414
#3  0x00000000007a21ff in smb_panic (why=<optimized out>) at lib/util.c:1133
#4  0x000000000073f3d4 in share_mode_lock_destructor (lck=0x80377ef30) at locking/locking.c:911
#5  0x000000080286fe92 in _talloc_free_internal (ptr=0x80377ef30, location=0xa1bade "smbd/open.c:2893") at ../lib/talloc/talloc.c:826
#6  0x000000000050578b in open_directory (conn=0x803752850, req=0x80441fe80, smb_dname=0x80441ffe0, access_mask=1048704, share_access=7, create_disposition=<optimized out>,
    create_options=0, file_attributes=0, pinfo=0x7fffffffdc84, result=0x7fffffffdc68) at smbd/open.c:2893
#7  0x0000000000506209 in create_file_unixpath (conn=0x803752850, req=0x80441fe80, smb_fname=0x80441ffe0, access_mask=1048704, share_access=7, create_disposition=1, create_options=0,
    file_attributes=0, oplock_request=0, allocation_size=0, private_flags=0, sd=0x0, ea_list=0x0, result=0x7fffffffdd38, pinfo=0x7fffffffdd44) at smbd/open.c:3402
#8  0x0000000000508d9b in create_file_default (conn=0x803752850, req=0x80441fe80, root_dir_fid=0, smb_fname=0x80441ffe0, access_mask=1048704, share_access=7, create_disposition=1,
    create_options=0, file_attributes=0, oplock_request=0, allocation_size=0, private_flags=0, sd=0x0, ea_list=0x0, result=0x7fffffffe338, pinfo=0x7fffffffe0e4) at smbd/open.c:3753
#9  0x0000000000545093 in vfswrap_create_file (handle=<optimized out>, req=0x6, root_dir_fid=0, smb_fname=0x5, access_mask=2, share_access=4294956624, create_disposition=1,
    create_options=0, file_attributes=0, oplock_request=0, allocation_size=0, private_flags=0, sd=0x0, ea_list=0x0, result=0x7fffffffe338, pinfo=0x7fffffffe0e4)
    at modules/vfs_default.c:334
#10 0x000000000050e4f0 in smb_vfs_call_create_file (handle=0x19014, req=0x6, root_dir_fid=0, smb_fname=0x5, access_mask=2, share_access=4294956624, create_disposition=1, create_options=0,
    file_attributes=0, oplock_request=0, allocation_size=0, private_flags=0, sd=0x0, ea_list=0x0, result=0x7fffffffe338, pinfo=0x7fffffffe0e4) at smbd/vfs.c:1340
#11 0x0000000803e0a9c6 in pz_cifsaudit_create_file () from /usr/local/lib/vfs/pz_cifsaudit.so
#12 0x000000000050e4f0 in smb_vfs_call_create_file (handle=0x19014, req=0x6, root_dir_fid=0, smb_fname=0x5, access_mask=2, share_access=4294956624, create_disposition=1, create_options=0,
    file_attributes=0, oplock_request=0, allocation_size=0, private_flags=0, sd=0x0, ea_list=0x0, result=0x7fffffffe338, pinfo=0x7fffffffe0e4) at smbd/vfs.c:1340
#13 0x0000000804018a5b in snapfs_smb_create () from /usr/local/lib/vfs/snapfs_smb.so
#14 0x000000000050e4f0 in smb_vfs_call_create_file (handle=0x19014, req=0x6, root_dir_fid=0, smb_fname=0x5, access_mask=2, share_access=4294956624, create_disposition=1, create_options=0,
    file_attributes=0, oplock_request=0, allocation_size=0, private_flags=0, sd=0x0, ea_list=0x0, result=0x7fffffffe338, pinfo=0x7fffffffe0e4) at smbd/vfs.c:1340
#15 0x0000000804222444 in create_file_acl_common (handle=0x8037f3dd0, req=0x6, root_dir_fid=0, smb_fname=0x5, access_mask=2, share_access=4294956624, create_disposition=1,
    create_options=0, file_attributes=0, oplock_request=0, allocation_size=0, private_flags=0, sd=0x0, ea_list=0x0, result=0x7fffffffe338, pinfo=0x7fffffffe35c)
    at ./modules/vfs_acl_common.c:1079
#16 0x000000000050e4f0 in smb_vfs_call_create_file (handle=0x19014, req=0x6, root_dir_fid=0, smb_fname=0x5, access_mask=2, share_access=4294956624, create_disposition=1, create_options=0,
    file_attributes=0, oplock_request=0, allocation_size=0, private_flags=0, sd=0x0, ea_list=0x0, result=0x7fffffffe338, pinfo=0x7fffffffe35c) at smbd/vfs.c:1340
#17 0x00000000005368a0 in smbd_smb2_create_send (in_context_blobs=..., in_name=<optimized out>, in_create_options=<optimized out>, in_create_disposition=<optimized out>,
    in_share_access=<optimized out>, in_file_attributes=<optimized out>, in_desired_access=<optimized out>, in_impersonation_level=<optimized out>, in_oplock_level=<optimized out>,
    smb2req=<optimized out>, ev=0x80370e110, mem_ctx=<optimized out>) at smbd/smb2_create.c:707
#18 smbd_smb2_request_process_create (smb2req=0x80441f110) at smbd/smb2_create.c:229
#19 0x000000000053043b in smbd_smb2_request_dispatch (req=0x80441f110) at smbd/smb2_server.c:1459
#20 0x000000000053122e in smbd_smb2_request_incoming (subreq=0x803774410) at smbd/smb2_server.c:2661
#21 0x000000000052ee2c in smbd_smb2_request_read_done (subreq=0x803774710) at smbd/smb2_server.c:2504
#22 0x00000000005c6e21 in tstream_readv_pdu_queue_done (subreq=0x8037747d0) at ../lib/tsocket/tsocket_helpers.c:423
#23 0x00000000005c71d3 in tstream_readv_pdu_readv_done (subreq=0x8037f3110) at ../lib/tsocket/tsocket_helpers.c:316
#24 0x00000000005c6252 in tstream_readv_done (subreq=0x803776c90) at ../lib/tsocket/tsocket.c:604
#25 0x00000000007b1d80 in tevent_common_loop_immediate (ev=0x80370e110) at ../lib/tevent/tevent_immediate.c:139
#26 0x00000000007b0045 in run_events_poll (ev=0x80370e110, pollrtn=0, pfds=0x0, num_pfds=0) at lib/events.c:197
#27 0x000000000052180d in smbd_server_connection_loop_once (conn=<optimized out>) at smbd/process.c:999
#28 smbd_process (sconn=0x803711350) at smbd/process.c:3172
#29 0x0000000000a00016 in smbd_accept_connection (ev=<optimized out>, fde=<optimized out>, flags=<optimized out>, private_data=<optimized out>) at smbd/server.c:664
#30 0x00000000007b0361 in run_events_poll (ev=0x80370e110, pollrtn=<optimized out>, pfds=0x8037102d0, num_pfds=6) at lib/events.c:286
#31 0x00000000007b07cf in s3_event_loop_once (ev=0x80370e110, location=<optimized out>) at lib/events.c:349
#32 0x00000000007b0b81 in _tevent_loop_once (ev=0x80370e110, location=0xc09fc9 "smbd/server.c:970") at ../lib/tevent/tevent.c:494
#33 0x0000000000a01d3e in smbd_parent_loop (parent=<optimized out>) at smbd/server.c:970
#34 main (argc=<optimized out>, argv=<optimized out>) at smbd/server.c:1464
Comment 1 Partha 2014-10-14 19:13:28 UTC
The code containing the smb_panic call from frame #4 of the backtrace (locking/locking.c:911):


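 /*
  * Destructor for a struct share_mode_lock: writes a modified lock back to
  * its database record before the lock is released.
  *
  * The backtrace in this report shows it being entered from
  * _talloc_free_internal() when open_directory() frees the lock.
  *
  * Behaviour, as written:
  *  - lck->modified false: nothing is written.
  *  - unparse_share_modes() yields no data (dptr == NULL): the existing
  *    record is deleted, unless the lock is marked fresh.
  *  - otherwise: the data is stored over the record with TDB_REPLACE.
  *
  * Returns 0 on every path that returns. A failed delete_rec() or store()
  * does not return an error: it ends in smb_panic(), which in this report
  * reaches dump_core() and abort().
  *
  * NOTE(review): because a backend write failure terminates the smbd
  * process serving the client, this is an availability concern whenever
  * the locking database cannot accept a write. The NTSTATUS is logged at
  * DEBUG level 0 immediately before each panic; that log line is the
  * first thing to collect when triaging.
  */
 static int share_mode_lock_destructor(struct share_mode_lock *lck)
{
	NTSTATUS status;
	TDB_DATA data;

	if (!lck->modified) {
		return 0;
	}

	data = unparse_share_modes(lck);

	if (data.dptr == NULL) {
		if (!lck->fresh) {
			/* There has been an entry before, delete it */

			status = lck->record->delete_rec(lck->record);
			if (!NT_STATUS_IS_OK(status)) {
				char *errmsg;

				DEBUG(0, ("delete_rec returned %s\n",
					  nt_errstr(status)));

				/*
				 * errmsg is only valid if asprintf() succeeds;
				 * the fallback panic below relies on
				 * smb_panic() not returning.
				 */
				if (asprintf(&errmsg, "could not delete share "
					     "entry: %s\n",
					     nt_errstr(status)) == -1) {
					/*
					 * The two literals were previously
					 * joined without a space
					 * ("shareentry").
					 */
					smb_panic("could not delete share "
						  "entry");
				}
				smb_panic(errmsg);
			}
		}
		goto done;
	}

	status = lck->record->store(lck->record, data, TDB_REPLACE);
	if (!NT_STATUS_IS_OK(status)) {
		char *errmsg;

		/* Logs the store() status; the panic text repeats it. */
		DEBUG(0, ("store returned %s\n", nt_errstr(status)));

		/* As above: errmsg is undefined if asprintf() fails. */
		if (asprintf(&errmsg, "could not store share mode entry: %s",
			     nt_errstr(status)) == -1) {
			smb_panic("could not store share mode entry");
		}
		/* Panic site marked by the reporter of this bug. */
		smb_panic(errmsg);
	}

 done:

	return 0;
}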
Comment 2 Partha 2014-10-15 03:55:31 UTC
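I see that the dead records are many and large, while there are only a few free records, and those are small. In the output below, dead records account for essentially all of the roughly 2.4 GB file, against about 20 KB of live data: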

tdb> open locking.tdb
tdb> info
Size of file/data: 2414198784/20956
Number of records: 63
Smallest/average/largest keys: 24/24/24
Smallest/average/largest data: 257/308/1084
Smallest/average/largest padding: 24/112/368
Number of dead records: 717
Smallest/average/largest dead records: 352/3366957/2413768680
Number of free records: 19
Smallest/average/largest free records: 12/165/372
Number of hash chains: 10007
Smallest/average/largest hash chains: 0/0/2
Number of uncoalesced records: 7
Smallest/average/largest uncoalesced runs: 1/2/4
Percentage keys/data/padding/free/dead/rechdrs&tailers/hashes: 0/0/0/0/100/0/0
tdb>
Comment 3 Jeremy Allison 2014-11-07 01:14:11 UTC
Is this reproducible, or did it only happen once?

If it is reproducible, can you reproduce it on 4.0.x or 4.1.x?

Jeremy.