There is a random crash bug that is hit from time to time in the durable reconnect code due to a use-after-free.

vfs_default_durable_reconnect():
  fsp_new()
    ==> this does DLIST_ADD(fsp->conn->sconn->files, fsp)
  if (fsp->oplock_type == LEASE_OPLOCK) {
    find_fsp_lease(fsp, &key, l)
      ==> this fills conn->fsp_fi_cache
    if (client guids not equal) {
      fsp_free(fsp)
        ==> this does DLIST_REMOVE(fsp->conn->sconn->files, fsp)
    }
  }

So after this code we have the fsp_fi_cache still pointing to the freed memory. The next call to find_fsp_lease will use the cache and hence access the freed memory. Depending on whether (and how) the memory has been re-used, smbd will segfault.
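The sequence in the report, replayed in a stripped-down C model added here for illustration. This is not Samba's code: the struct layouts, the single 64-bit lease key, the integer client GUID and the one-entry cache are assumptions standing in for the real definitions, and the cache-clearing branch in fsp_free() is one way to close the hole, not a claim about what the actual patch does. The model keeps the property that matters: find_fsp_lease() trusts its cache, so whether fsp_free() clears a cache entry that points at the fsp being freed decides whether the next lookup hands back a dangling pointer.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, stripped-down model of the structures named in the report
 * (not Samba's definitions): a per-connection open-file list plus a one-entry
 * cache that remembers the last fsp found for a lease key. */
struct files_struct;
struct fsp_fi_cache {
    uint64_t key;
    struct files_struct *fsp;   /* left dangling by the buggy fsp_free() */
};
struct connection_struct {
    struct files_struct *files; /* head of the open-file list (DLIST) */
    struct fsp_fi_cache fsp_fi_cache;
};
struct files_struct {
    struct files_struct *next, *prev;
    struct connection_struct *conn;
    uint64_t lease_key;
    uint64_t client_guid;       /* constructed stand-in for the real GUID */
};

/* Allocate an fsp and link it at the head of the list (DLIST_ADD). */
static struct files_struct *fsp_new(struct connection_struct *conn,
                                    uint64_t key, uint64_t guid)
{
    struct files_struct *fsp = calloc(1, sizeof(*fsp));
    if (fsp == NULL) return NULL;
    fsp->conn = conn;
    fsp->lease_key = key;
    fsp->client_guid = guid;
    fsp->next = conn->files;
    if (conn->files != NULL) conn->files->prev = fsp;
    conn->files = fsp;
    return fsp;
}

/* Lease-key lookup. The fast path trusts the cache, which is what turns a
 * stale entry into a use-after-free on the next call. */
static struct files_struct *find_fsp_lease(struct connection_struct *conn,
                                           uint64_t key)
{
    struct fsp_fi_cache *c = &conn->fsp_fi_cache;
    if (c->fsp != NULL && c->key == key) return c->fsp;
    for (struct files_struct *f = conn->files; f != NULL; f = f->next) {
        if (f->lease_key == key) {
            c->key = key;
            c->fsp = f;
            return f;
        }
    }
    return NULL;
}

/* Unlink (DLIST_REMOVE) and free. invalidate_cache == false reproduces the
 * report; true first clears a cache entry pointing at the fsp being freed,
 * one way to close the hole. */
static void fsp_free(struct files_struct *fsp, bool invalidate_cache)
{
    struct connection_struct *conn = fsp->conn;
    if (fsp->prev != NULL) fsp->prev->next = fsp->next;
    else conn->files = fsp->next;
    if (fsp->next != NULL) fsp->next->prev = fsp->prev;
    if (invalidate_cache && conn->fsp_fi_cache.fsp == fsp) {
        memset(&conn->fsp_fi_cache, 0, sizeof(conn->fsp_fi_cache));
    }
    free(fsp);
}

/* Replays the reconnect sequence from the report on a fresh connection:
 * fsp_new(), a lease lookup that fills the cache, a client GUID mismatch,
 * fsp_free(). Returns true if the cache still holds the freed fsp's address.
 * Addresses are compared as integers; nothing freed is dereferenced. */
static bool cache_is_stale_after_reconnect(bool fixed)
{
    struct connection_struct conn;
    const uint64_t key = 0x1111, reconnecting_guid = 0xBBBB; /* constructed */
    memset(&conn, 0, sizeof(conn));
    struct files_struct *fsp = fsp_new(&conn, key, 0xAAAA);
    if (fsp == NULL) return false;
    uintptr_t freed_addr = (uintptr_t)fsp;
    (void)find_fsp_lease(&conn, key);   /* cache now points at fsp */
    if (fsp->client_guid != reconnecting_guid) {
        fsp_free(fsp, fixed);           /* fsp is gone; is the cache entry? */
    }
    return (uintptr_t)conn.fsp_fi_cache.fsp == freed_addr;
}

int main(void)
{
    printf("buggy: cache stale = %d\n", cache_is_stale_after_reconnect(false));
    printf("fixed: cache stale = %d\n", cache_is_stale_after_reconnect(true));
    return 0;
}
```

Running the buggy variant under AddressSanitizer or valgrind with a second find_fsp_lease() call after the free is the quickest way to confirm the pattern in a real code base: the cached pointer is returned without touching the list, so the heap-use-after-free fires at the first field access, which matches the "depending on how the memory has been re-used" behaviour the report describes.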
Created attachment 11926 [details] Test git-am patch. Michael, does this fix it (currently untested).
(In reply to Jeremy Allison from comment #1)
> Created attachment 11926 [details]
> Test git-am patch.
>
> Michael, does this fix it (currently untested).

Gosh Jeremy, could you be a little more patient... ;-) I spent half a day or a day to hunt this down. As you could tell from the description, I already had the fix. And I created the bug so that I could flag the patch I was about to send to samba-technical with a "BUG:..." line. But yes, that patch should fix it. ;-)
Oh, no worries. Please overwrite my patch with yours + cherry-pick once I've pushed it :-).
(In reply to Jeremy Allison from comment #3)
> Oh, no worries. Please overwrite my patch with yours + cherry-pick once I've
> pushed it :-).

Will do, thanks. :-)
It took a while to find that this was actually fixed. Keep in mind to comment on and close bugs if you fixed them.