conn_force_tdis() calls smbXsrv_tcon_disconnect(), which in turn calls set_current_service(). If set_current_service() fails, close_cnum() is not called, so conn is not freed. smbXsrv_tcon_disconnect() sets tcon->compat = NULL, but conn still remains a child of tcon in the talloc tree. Then conn_force_tdis() frees tcon, which also frees conn. But in this flow conn_free() was not called, so the freed conn is left in the sconn->connections list, and later smbd panics with a segmentation fault.

[2016/08/29 12:22:17.619846, 1, pid=15109] ../source3/smbd/conn_idle.c:120(conn_force_tdis)
  conn_force_tdis: Forcing close of share 'UXB010' (wire_id=0x2bc2f7ab)
[2016/08/29 12:22:17.619873, 0, pid=15109] ../source3/smbd/smbXsrv_tcon.c:974(smbXsrv_tcon_disconnect)
  smbXsrv_tcon_disconnect(0x2bc2f7ab, 'UXB010'): set_current_service() failed: NT_STATUS_INTERNAL_ERROR
[2016/08/29 12:22:17.619908, 0, pid=15109] ../source3/smbd/conn_idle.c:140(conn_force_tdis)
  conn_force_tdis: smbXsrv_tcon_disconnect() of share 'UXB010' (wire_id=0x2bc2f7ab) failed: NT_STATUS_INTERNAL_ERROR
[2016/08/29 12:22:17.619942, 1, pid=15109] ../source3/smbd/conn_idle.c:120(conn_force_tdis)
  conn_force_tdis: Forcing close of share 'UXB010' (wire_id=0xabfe169e)
[2016/08/29 12:22:17.619968, 0, pid=15109] ../source3/smbd/smbXsrv_tcon.c:974(smbXsrv_tcon_disconnect)
  smbXsrv_tcon_disconnect(0xabfe169e, 'UXB010'): set_current_service() failed: NT_STATUS_INTERNAL_ERROR
[2016/08/29 12:22:17.619993, 0, pid=15109] ../source3/smbd/conn_idle.c:140(conn_force_tdis)
  conn_force_tdis: smbXsrv_tcon_disconnect() of share 'UXB010' (wire_id=0xabfe169e) failed: NT_STATUS_INTERNAL_ERROR
[2016/08/29 12:22:17.621520, 0, pid=15109] ../lib/util/fault.c:78(fault_report)
  ===============================================================
[2016/08/29 12:22:17.621563, 0, pid=15109] ../lib/util/fault.c:79(fault_report)
  INTERNAL ERROR: Signal 11 in pid 15109 (4.2.12)
  Please read the Trouble-Shooting section of the Samba HOWTO
[2016/08/29 12:22:17.621573, 0, pid=15109] ../lib/util/fault.c:81(fault_report)
  ===============================================================
[2016/08/29 12:22:17.621584, 0, pid=15109] ../source3/lib/util.c:788(smb_panic_s3)
  PANIC (pid 15109): internal error
[2016/08/29 12:22:17.621998, 0, pid=15109] ../source3/lib/util.c:907(log_stack_trace)
  BACKTRACE: 30 stack frames:
   #0 /usr/lib/libsmbconf.so.0(log_stack_trace+0x1f) [0x7ff120cb4fab]
   #1 /usr/lib/libsmbconf.so.0(smb_panic_s3+0x70) [0x7ff120cb4de1]
   #2 /usr/lib/libsamba-util.so.0(smb_panic+0x28) [0x7ff12312a202]
   #3 /usr/lib/libsamba-util.so.0(+0x2beda) [0x7ff123129eda]
   #4 /usr/lib/libsamba-util.so.0(+0x2beef) [0x7ff123129eef]
   #5 /lib/x86_64-linux-gnu/libpthread.so.0(+0x10340) [0x7ff12334a340]
   #6 /usr/lib/samba/libsmbd-base-samba4.so(conn_force_tdis+0xe4) [0x7ff122be8d4f]
   #7 /usr/lib/samba/libsmbd-base-samba4.so(msg_force_tdis+0x53) [0x7ff122be8903]
   #8 /usr/lib/libsmbconf.so.0(messaging_dispatch_rec+0x123) [0x7ff120cc40d0]
   #9 /usr/lib/libsmbconf.so.0(+0x315f6) [0x7ff120cc25f6]
   #10 /usr/lib/libsmbconf.so.0(+0x346b4) [0x7ff120cc56b4]
   #11 /usr/lib/libsmbconf.so.0(+0x61cad) [0x7ff120cf2cad]
   #12 /usr/lib/libsmbconf.so.0(+0x604b8) [0x7ff120cf14b8]
   #13 /usr/lib/libsmbconf.so.0(+0x653fc) [0x7ff120cf63fc]
   #14 /usr/lib/libsmbconf.so.0(run_events_poll+0x54f) [0x7ff120cd63a5]
   #15 /usr/lib/libsmbconf.so.0(+0x45631) [0x7ff120cd6631]
   #16 /usr/lib/samba/libtevent.so.0(_tevent_loop_once+0xf4) [0x7ff1222f5863]
   #17 /usr/lib/samba/libtevent.so.0(tevent_common_loop_wait+0x25) [0x7ff1222f5aad]
   #18 /usr/lib/samba/libtevent.so.0(_tevent_loop_wait+0x2b) [0x7ff1222f5b78]
   #19 /usr/lib/samba/libsmbd-base-samba4.so(smbd_process+0xb1f) [0x7ff122c95699]
   #20 smbd(+0xb2d8) [0x7ff1239952d8]
   #21 /usr/lib/libsmbconf.so.0(run_events_poll+0x54f) [0x7ff120cd63a5]
   #22 /usr/lib/libsmbconf.so.0(+0x45631) [0x7ff120cd6631]
   #23 /usr/lib/samba/libtevent.so.0(_tevent_loop_once+0xf4) [0x7ff1222f5863]
   #24 /usr/lib/samba/libtevent.so.0(tevent_common_loop_wait+0x25) [0x7ff1222f5aad]
   #25 /usr/lib/samba/libtevent.so.0(_tevent_loop_wait+0x2b) [0x7ff1222f5b78]
   #26 smbd(+0xc0f3) [0x7ff1239960f3]
   #27 smbd(main+0x1844) [0x7ff123997aee]
   #28 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5) [0x7ff11f59bec5]
   #29 smbd(+0x5f69) [0x7ff12398ff69]
Why does set_current_service() fail? Does the vfs_ChDir() fail?
Yes, the share was exposed as both NFS and SMB share, and the customer changed volume access rights on NFS client. As a result smbd's chdir failed with errno=EACCESS.
OK, the problem here is that if we ignore the error in set_current_service() we are not in the correct directory to correctly process any delete_on_close or disconnect scripts that need to be run. So we can't then call close_cnum() safely. Maybe we should just call conn_free() directly from the error clause inside conn_force_tdis()?
Yes, calling conn_free directly from conn_force_tdis() fixes the memory corruption in this flow. But notice that in this case postexec scripts also do not run, although they run from root (/) and not from a share directory. -Lev.
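As an added illustration (not Samba's code and not part of this report), a stripped-down C model of the flow in the description and of the conn_free() fix proposed above: tcon owns conn as a talloc child while sconn also keeps conn in its connections list, so freeing tcon without first calling conn_free() leaves a dangling list entry. Function and struct names are borrowed from the report; the owner, child and num fields and the live_conns counter are assumptions of the model.

```c
#include <stdbool.h>
#include <stdlib.h>   /* minimal model of the report's objects, not Samba's code */
struct connection_struct {                 /* a share connection */
    struct connection_struct *prev, *next; /* sconn->connections links */
    struct smbXsrv_tcon *owner;            /* its talloc parent (model field) */
};
struct smbXsrv_tcon {
    struct connection_struct *compat;      /* cleared on tcon_disconnect */
    struct connection_struct *child;       /* still owned by talloc (model field) */
};
struct smbd_server_connection { struct connection_struct *connections; int num; };
static int live_conns;                     /* conn objects not yet freed */
static struct smbXsrv_tcon *tcon_new(struct smbd_server_connection *sconn)
{
    struct smbXsrv_tcon *tcon = calloc(1, sizeof(*tcon));
    struct connection_struct *conn = calloc(1, sizeof(*conn));
    conn->owner = tcon;
    conn->next = sconn->connections;       /* DLIST_ADD to sconn->connections */
    if (conn->next) conn->next->prev = conn;
    sconn->connections = conn;
    sconn->num++; live_conns++;
    tcon->compat = tcon->child = conn;
    return tcon;
}
/* conn_free(): unlink from sconn, detach from the talloc parent, release. */
static void conn_free(struct smbd_server_connection *sconn, struct connection_struct *conn)
{
    if (conn->prev) conn->prev->next = conn->next; else sconn->connections = conn->next;
    if (conn->next) conn->next->prev = conn->prev;
    sconn->num--; live_conns--;
    conn->owner->child = NULL;             /* talloc_free() unlinks from parent */
    free(conn);
}
/* talloc_free(tcon): a conn still attached as child is freed with its parent. */
static void tcon_free(struct smbXsrv_tcon *tcon)
{
    if (tcon->child) { live_conns--; free(tcon->child); }
    free(tcon);
}
/* conn_force_tdis() after set_current_service() failed; true if no dangling list entry remains. */
static bool force_tdis(bool call_conn_free)
{
    struct smbd_server_connection sconn = {0};
    struct smbXsrv_tcon *tcon = tcon_new(&sconn);
    struct connection_struct *conn = tcon->compat;
    tcon->compat = NULL;                         /* tcon_disconnect error path */
    if (call_conn_free) conn_free(&sconn, conn); /* the proposed fix */
    tcon_free(tcon);                             /* frees conn too if still a child */
    return sconn.num == live_conns;
}
```

force_tdis(false) reproduces the report: the list still counts one connection after its object is gone, which is the stale pointer smbd later dereferences; force_tdis(true) shows the list and the live objects agree once conn_free() runs first.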