Bug 12198 - smbd panic on connection force close if set_current_service() fails
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: 4.2.14
Hardware: All
OS: All
Importance: P5 normal
Target Milestone: ---
Assigned To: Samba QA Contact
QA Contact: Samba QA Contact
Depends on:
Blocks:
Reported: 2016-09-01 07:26 UTC by Lev
Modified: 2016-09-04 12:19 UTC (History)
Description Lev 2016-09-01 07:26:54 UTC
conn_force_tdis() calls smbXsrv_tcon_disconnect(), which in turn calls set_current_service(). If set_current_service() fails, close_cnum() is not called, so conn is not freed. smbXsrv_tcon_disconnect() sets tcon->compat = NULL, but conn still remains a child of tcon in the talloc tree. Then conn_force_tdis() frees tcon, which also frees conn. But in this flow conn_free() was not called, so the freed conn is left in the sconn->connections list, and later smbd panics with a segmentation fault.

[2016/08/29 12:22:17.619846,  1, pid=15109] ../source3/smbd/conn_idle.c:120(conn_force_tdis)
  conn_force_tdis: Forcing close of share 'UXB010' (wire_id=0x2bc2f7ab)
[2016/08/29 12:22:17.619873,  0, pid=15109] ../source3/smbd/smbXsrv_tcon.c:974(smbXsrv_tcon_disconnect)
  smbXsrv_tcon_disconnect(0x2bc2f7ab, 'UXB010'): set_current_service() failed: NT_STATUS_INTERNAL_ERROR
[2016/08/29 12:22:17.619908,  0, pid=15109] ../source3/smbd/conn_idle.c:140(conn_force_tdis)
  conn_force_tdis: smbXsrv_tcon_disconnect() of share 'UXB010' (wire_id=0x2bc2f7ab) failed: NT_STATUS_INTERNAL_ERROR

[2016/08/29 12:22:17.619942,  1, pid=15109] ../source3/smbd/conn_idle.c:120(conn_force_tdis)
  conn_force_tdis: Forcing close of share 'UXB010' (wire_id=0xabfe169e)
[2016/08/29 12:22:17.619968,  0, pid=15109] ../source3/smbd/smbXsrv_tcon.c:974(smbXsrv_tcon_disconnect)
  smbXsrv_tcon_disconnect(0xabfe169e, 'UXB010'): set_current_service() failed: NT_STATUS_INTERNAL_ERROR
[2016/08/29 12:22:17.619993,  0, pid=15109] ../source3/smbd/conn_idle.c:140(conn_force_tdis)
  conn_force_tdis: smbXsrv_tcon_disconnect() of share 'UXB010' (wire_id=0xabfe169e) failed: NT_STATUS_INTERNAL_ERROR
  
[2016/08/29 12:22:17.621520,  0, pid=15109] ../lib/util/fault.c:78(fault_report)
  ===============================================================
[2016/08/29 12:22:17.621563,  0, pid=15109] ../lib/util/fault.c:79(fault_report)
  INTERNAL ERROR: Signal 11 in pid 15109 (4.2.12)
  Please read the Trouble-Shooting section of the Samba HOWTO
[2016/08/29 12:22:17.621573,  0, pid=15109] ../lib/util/fault.c:81(fault_report)
  ===============================================================
[2016/08/29 12:22:17.621584,  0, pid=15109] ../source3/lib/util.c:788(smb_panic_s3)
  PANIC (pid 15109): internal error
[2016/08/29 12:22:17.621998,  0, pid=15109] ../source3/lib/util.c:907(log_stack_trace)
  BACKTRACE: 30 stack frames:
   #0 /usr/lib/libsmbconf.so.0(log_stack_trace+0x1f) [0x7ff120cb4fab]
   #1 /usr/lib/libsmbconf.so.0(smb_panic_s3+0x70) [0x7ff120cb4de1]
   #2 /usr/lib/libsamba-util.so.0(smb_panic+0x28) [0x7ff12312a202]
   #3 /usr/lib/libsamba-util.so.0(+0x2beda) [0x7ff123129eda]
   #4 /usr/lib/libsamba-util.so.0(+0x2beef) [0x7ff123129eef]
   #5 /lib/x86_64-linux-gnu/libpthread.so.0(+0x10340) [0x7ff12334a340]
   #6 /usr/lib/samba/libsmbd-base-samba4.so(conn_force_tdis+0xe4) [0x7ff122be8d4f]
   #7 /usr/lib/samba/libsmbd-base-samba4.so(msg_force_tdis+0x53) [0x7ff122be8903]
   #8 /usr/lib/libsmbconf.so.0(messaging_dispatch_rec+0x123) [0x7ff120cc40d0]
   #9 /usr/lib/libsmbconf.so.0(+0x315f6) [0x7ff120cc25f6]
   #10 /usr/lib/libsmbconf.so.0(+0x346b4) [0x7ff120cc56b4]
   #11 /usr/lib/libsmbconf.so.0(+0x61cad) [0x7ff120cf2cad]
   #12 /usr/lib/libsmbconf.so.0(+0x604b8) [0x7ff120cf14b8]
   #13 /usr/lib/libsmbconf.so.0(+0x653fc) [0x7ff120cf63fc]
   #14 /usr/lib/libsmbconf.so.0(run_events_poll+0x54f) [0x7ff120cd63a5]
   #15 /usr/lib/libsmbconf.so.0(+0x45631) [0x7ff120cd6631]
   #16 /usr/lib/samba/libtevent.so.0(_tevent_loop_once+0xf4) [0x7ff1222f5863]
   #17 /usr/lib/samba/libtevent.so.0(tevent_common_loop_wait+0x25) [0x7ff1222f5aad]
   #18 /usr/lib/samba/libtevent.so.0(_tevent_loop_wait+0x2b) [0x7ff1222f5b78]
   #19 /usr/lib/samba/libsmbd-base-samba4.so(smbd_process+0xb1f) [0x7ff122c95699]
   #20 smbd(+0xb2d8) [0x7ff1239952d8]
   #21 /usr/lib/libsmbconf.so.0(run_events_poll+0x54f) [0x7ff120cd63a5]
   #22 /usr/lib/libsmbconf.so.0(+0x45631) [0x7ff120cd6631]
   #23 /usr/lib/samba/libtevent.so.0(_tevent_loop_once+0xf4) [0x7ff1222f5863]
   #24 /usr/lib/samba/libtevent.so.0(tevent_common_loop_wait+0x25) [0x7ff1222f5aad]
   #25 /usr/lib/samba/libtevent.so.0(_tevent_loop_wait+0x2b) [0x7ff1222f5b78]
   #26 smbd(+0xc0f3) [0x7ff1239960f3]
   #27 smbd(main+0x1844) [0x7ff123997aee]
   #28 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5) [0x7ff11f59bec5]
   #29 smbd(+0x5f69) [0x7ff12398ff69]
Comment 1 Jeremy Allison 2016-09-01 21:06:56 UTC
Why does set_current_service() fail? Does the vfs_ChDir() fail?
Comment 2 Lev 2016-09-01 21:12:01 UTC
Yes, the share was exposed as both NFS and SMB share, and the customer changed volume access rights on NFS client. As a result smbd's chdir failed with errno=EACCESS.
Comment 3 Jeremy Allison 2016-09-01 21:50:41 UTC
OK, the problem here is that if we ignore the error in set_current_service() we are not in the correct directory to correctly process any delete_on_close or disconnect scripts that need to be run. So we can't then call close_cnum() safely.

Maybe we should just call conn_free() directly from the error clause inside conn_force_tdis() ?
Comment 4 Lev 2016-09-04 12:19:58 UTC
Yes, calling conn_free directly from conn_force_tdis() fixes the memory corruption in this flow.
But notice that in this case postexec scripts also do not run, although they run from root (/) and not from a share directory.
-Lev.
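To make the ownership problem in the description and the fix proposed in comment 3 concrete, here is an added, constructed C model of the flow; it is not Samba code. The struct layouts and the helpers tcon_disconnect(), tcon_talloc_free() and dangling_after_force_tdis() are simplifications that stand in for smbXsrv_tcon_disconnect(), talloc_free(tcon) and a walk of sconn->connections, and a `freed` flag stands in for the memory actually being released.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed model (not Samba code): a tcon owns its conn the way a talloc
 * parent owns a child; sconn lists every live conn and only conn_free() unlinks. */
struct sconn { struct conn *connections; };
struct conn {
    struct conn *next; struct sconn *sconn; struct tcon *tcon;
    bool chdir_ok;   /* would set_current_service()'s chdir succeed? */
    bool freed;      /* stands in for the memory having been released */
};
struct tcon { struct conn *compat; struct conn *talloc_child; };
/* conn_free(): unlink from sconn->connections, then release */
static void conn_free(struct conn *conn) {
    for (struct conn **pp = &conn->sconn->connections; *pp; pp = &(*pp)->next)
        if (*pp == conn) { *pp = conn->next; break; }
    conn->freed = true;
}
/* smbXsrv_tcon_disconnect(): compat is cleared first; on set_current_service()
 * failure it returns before close_cnum(), so conn_free() never runs */
static int tcon_disconnect(struct tcon *tcon) {
    struct conn *conn = tcon->compat;
    tcon->compat = NULL;
    if (!conn->chdir_ok) return -1;              /* NT_STATUS_INTERNAL_ERROR */
    conn_free(conn);                             /* close_cnum() path */
    return 0;
}
/* talloc_free(tcon): the child conn goes with it, unlinked or not */
static void tcon_talloc_free(struct tcon *tcon) {
    if (tcon->talloc_child) tcon->talloc_child->freed = true;
}
/* Reported flow: the error is only logged, then tcon (and with it conn) is freed */
static void conn_force_tdis_buggy(struct conn *conn) {
    (void)tcon_disconnect(conn->tcon);
    tcon_talloc_free(conn->tcon);
}
/* Comment 3's proposal: conn_free() directly from the error clause */
static void conn_force_tdis_fixed(struct conn *conn) {
    if (tcon_disconnect(conn->tcon) != 0) conn_free(conn);
    tcon_talloc_free(conn->tcon);
}
/* Run one forced disconnect and count freed conns still reachable from
 * sconn->connections: each one is the dangling pointer behind the later panic */
int dangling_after_force_tdis(bool chdir_ok, bool use_fix) {
    struct sconn sconn = { NULL }; struct tcon tcon = { NULL, NULL };
    struct conn conn = { NULL, &sconn, &tcon, chdir_ok, false };
    sconn.connections = &conn; tcon.compat = &conn; tcon.talloc_child = &conn;
    if (use_fix) conn_force_tdis_fixed(&conn); else conn_force_tdis_buggy(&conn);
    int n = 0;
    for (struct conn *c = sconn.connections; c; c = c->next) n += c->freed;
    return n;
}
```

With a failing chdir the buggy path leaves one released conn in the list, which is the state the backtrace above reaches on the next walk; the fixed path leaves none.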