If we combine vfs_btrfs with (at least) vfs_catia or vfs_streams_xattr, we hit a NULL pointer in vfs_memctx_fsp_extension(). This appears to be because vfs_btrfs enables compression support, and when macOS connects it calls dos_mode_check_compressed() which calls SMB_VFS_GET_COMPRESSION with a NULL files_struct pointer. This gets passed around until it finally gets dereferenced in vfs_memctx_fsp_extension(). (gdb) bt full #0 0x00007fdef8205b3c in __libc_waitpid (pid=17952, stat_loc=stat_loc@entry=0x7ffd20930ed0, options=options@entry=0) at ../sysdeps/unix/sysv/linux/waitpid.c:31 resultvar = 18446744073709551104 oldtype = -129026848 #1 0x00007fdef818d12b in do_system (line=<optimized out>) at ../sysdeps/posix/system.c:148 __result = <optimized out> _buffer = {__routine = 0x7fdef818d3d0 <cancel_handler>, __arg = 0x7ffd20930eac, __canceltype = 0, __prev = 0x0} _avail = 1 status = 546508544 save = <optimized out> pid = 17952 sa = {__sigaction_handler = {sa_handler = 0x1, sa_sigaction = 0x1}, sa_mask = {__val = {65536, 0 <repeats 15 times>}}, sa_flags = 0, sa_restorer = 0x560aa3468bf0} omask = {__val = {7296, 0, 140595621606208, 140595695561192, 140725149962072, 140595648565672, 244831152328, 0, 140725149962272, 140595678175569, 94603662281593, 140595648565672, 72057594037927936, 206158430224, 140725149962288, 140595693416576}} #2 0x00007fdef9ad09a8 in smb_panic_s3 (why=0x7fdefbfa8865 "internal error") at ../source3/lib/util.c:817 cmd = 0x560aa3468bf0 "/bin/sleep 999999999" result = 0 __FUNCTION__ = "smb_panic_s3" #3 0x00007fdefbf5fb62 in smb_panic (why=0x7fdefbfa8865 "internal error") at ../lib/util/fault.c:166 #4 0x00007fdefbf5f83a in fault_report (sig=11) at ../lib/util/fault.c:83 counter = 1 __FUNCTION__ = "fault_report" #5 0x00007fdefbf5f84f in sig_fault (sig=11) at ../lib/util/fault.c:94 #6 0x00007fdefc3c6890 in <signal handler called> () at /lib/x86_64-linux-gnu/libpthread.so.0 #7 0x00007fdefbb38032 in vfs_memctx_fsp_extension (handle=0x560aa3465db0, fsp=0x0) at 
../source3/smbd/vfs.c:296 head = 0x5b #8 0x00007fdefbb3808f in vfs_fetch_fsp_extension (handle=0x560aa3465db0, fsp=0x0) at ../source3/smbd/vfs.c:309 head = 0x7fdef84f1620 <main_arena> #9 0x00007fdee7a8a6be in streams_xattr_get_compression (handle=0x560aa3465db0, mem_ctx=0x560aa3468b80, fsp=0x0, smb_fname=0x560aa3463730, _compression_fmt=0x7ffd2093187e) at ../source3/modules/vfs_streams_xattr.c:1662 sio = 0x560aa3465830 #10 0x00007fdefbb3cf9c in smb_vfs_call_get_compression (handle=0x560aa3465db0, mem_ctx=0x560aa3468b80, fsp=0x0, smb_fname=0x560aa3463730, _compression_fmt=0x7ffd2093187e) at ../source3/smbd/vfs.c:2400 #11 0x00007fdefbb20d92 in dos_mode_check_compressed (conn=0x560aa345f790, smb_fname=0x560aa3463730, is_compressed=0x7ffd209318bf) at ../source3/smbd/dosmode.c:588 status = {v = 2739287856} compression_fmt = 0 tmp_ctx = 0x560aa3468b80 #12 0x00007fdefbb20fa7 in dos_mode (conn=0x560aa345f790, smb_fname=0x560aa3463730) at ../source3/smbd/dosmode.c:671 compressed = false result = 0 status = {v = 3221226021} __func__ = "dos_mode" #13 0x00007fdefbb7f468 in smbd_smb2_create_send (mem_ctx=0x560aa3462b10, ev=0x560aa343e670, smb2req=0x560aa3462b10, in_oplock_level=0 '\000', in_impersonation_level=2, in_desired_access=1048705, in_file_attributes=16, in_share_access=7, in_create_disposition=1, in_create_options=1, in_name=0x560aa34622a0 "", in_context_blobs=...) 
at ../source3/smbd/smb2_create.c:1373 req = 0x560aa34656a0 state = 0x560aa3465830 status = {v = 0} smb1req = 0x560aa3461430 result = 0x560aa3469570 info = 1 requested_oplock_level = 0 dhnc = 0x0 dh2c = 0x0 dhnq = 0x0 dh2q = 0x0 rqls = 0x0 replay_operation = false __FUNCTION__ = "smbd_smb2_create_send" __func__ = "smbd_smb2_create_send" #14 0x00007fdefbb7ba0e in smbd_smb2_request_process_create (smb2req=0x560aa3462b10) at ../source3/smbd/smb2_create.c:227 inbody = 0x560aa3469990 "9" indyniov = 0x560aa3462c48 in_oplock_level = 0 '\000' in_impersonation_level = 2 in_desired_access = 1048705 in_file_attributes = 16 in_share_access = 7 ---Type <return> to continue, or q <return> to quit--- in_create_disposition = 1 in_create_options = 1 in_name_offset = 120 in_name_length = 0 in_name_buffer = {data = 0x560aa34699c8 "", length = 0} in_name_string = 0x560aa34622a0 "" in_name_string_size = 0 name_offset = 0 name_available_length = 32 in_context_offset = 128 in_context_length = 24 in_context_buffer = {data = 0x560aa34699d0 "", length = 24} in_context_blobs = {num_blobs = 1, blobs = 0x560aa345fb10} context_offset = 8 context_available_length = 24 dyn_offset = 120 status = {v = 0} ok = true tsubreq = 0xaa34423b0 #15 0x00007fdefbb6eee0 in smbd_smb2_request_dispatch (req=0x560aa3462b10) at ../source3/smbd/smb2_server.c:2597 xconn = 0x560aa3446d40 call = 0x7fdefbf23278 <smbd_smb2_table+120> intf_v = 0x560aa3462c18 inhdr = 0x560aa3469950 "\376SMB@" opcode = 5 flags = 0 mid = 4 status = {v = 0} session_status = {v = 0} allowed_flags = 805306380 return_value = {v = 2739262976} x = 0x560aa3442140 signing_required = false encryption_desired = false encryption_required = false __FUNCTION__ = "smbd_smb2_request_dispatch" #16 0x00007fdefbb72c93 in smbd_smb2_io_handler (xconn=0x560aa3446d40, fde_flags=1) at ../source3/smbd/smb2_server.c:3890 sconn = 0x560aa3446070 state = 0x560aa3446e08 req = 0x560aa3462b10 min_recvfile_size = 4294967295 ret = 152 err = 0 retry = false status = {v = 0} 
now = 131486116510878190 __FUNCTION__ = "smbd_smb2_io_handler" #17 0x00007fdefbb72d99 in smbd_smb2_connection_handler (ev=0x560aa343e670, fde=0x560aa3457a60, flags=1, private_data=0x560aa3446d40) at ../source3/smbd/smb2_server.c:3928 xconn = 0x560aa3446d40 status = {v = 59} #18 0x00007fdefb1383c3 in epoll_event_loop (epoll_ev=0x560aa3445030, tvalp=0x7ffd20932090) at ../lib/tevent/tevent_epoll.c:728 fde = 0x560aa3457a60 flags = 1 mpx_fde = 0x0 ret = 1 i = 0 events = {{events = 1, data = {ptr = 0x560aa3457a60, fd = -1555727776, u32 = 2739239520, u64 = 94603688901216}}} timeout = 59635 wait_errno = 0 #19 0x00007fdefb1389f9 in epoll_event_loop_once (ev=0x560aa343e670, location=0x7fdefbca7f30 "../source3/smbd/process.c:4126") at ../lib/tevent/tevent_epoll.c:930 epoll_ev = 0x560aa3445030 tval = {tv_sec = 59, tv_usec = 634948} panic_triggered = false #20 0x00007fdefb135702 in std_event_loop_once (ev=0x560aa343e670, location=0x7fdefbca7f30 "../source3/smbd/process.c:4126") at ../lib/tevent/tevent_standard.c:114 glue_ptr = 0x560aa3440020 ---Type <return> to continue, or q <return> to quit--- glue = 0x560aa3440020 ret = 32734 #21 0x00007fdefb12e515 in _tevent_loop_once (ev=0x560aa343e670, location=0x7fdefbca7f30 "../source3/smbd/process.c:4126") at ../lib/tevent/tevent.c:726 ret = 0 nesting_stack_ptr = 0x0 #22 0x00007fdefb12e825 in tevent_common_loop_wait (ev=0x560aa343e670, location=0x7fdefbca7f30 "../source3/smbd/process.c:4126") at ../lib/tevent/tevent.c:849 ret = 0 #23 0x00007fdefb1357a4 in std_event_loop_wait (ev=0x560aa343e670, location=0x7fdefbca7f30 "../source3/smbd/process.c:4126") at ../lib/tevent/tevent_standard.c:145 glue_ptr = 0x560aa3440020 glue = 0x560aa3440020 ret = 22026 #24 0x00007fdefb12e8c8 in _tevent_loop_wait (ev=0x560aa343e670, location=0x7fdefbca7f30 "../source3/smbd/process.c:4126") at ../lib/tevent/tevent.c:868 #25 0x00007fdefbb5743f in smbd_process (ev_ctx=0x560aa343e670, msg_ctx=0x560aa3440320, sock_fd=36, interactive=false) at 
../source3/smbd/process.c:4126 trace_state = {ev = 0x560aa343e670, frame = 0x560aa346a230} client = 0x560aa3457100 sconn = 0x560aa3446070 xconn = 0x560aa3446d40 locaddr = 0x560aa3457d00 "\300\240E\243\nV" remaddr = 0x560aa3457d80 "10.20.0.146" ret = 22026 status = {v = 0} tv = {tv_sec = 1504138050, tv_usec = 246828} now = 131486116502468280 chroot_dir = 0x560aa34453f0 "s3fs" rc = -1555823840 __func__ = "smbd_process" __FUNCTION__ = "smbd_process" #26 0x0000560aa1afcc0d in smbd_accept_connection (ev=0x560aa343e670, fde=0x560aa3458ca0, flags=1, private_data=0x560aa3458ba0) at ../source3/smbd/server.c:1026 status = {v = 0} s = 0x0 msg_ctx = 0x560aa3440320 addr = {ss_family = 2, __ss_align = 0, __ss_padding = "\360\233\023\373\336\177\000\000p\346C\243\nV\000\000pxE\243\nV\000\000 \026O\370\336\177\000\000`\000\000\000\000\000\000\000p#\223 \375\177\000\000S<\233 \375\177\000\000\063ٯ\241\nV\000\000p%\223 \375\177\000\000\320#\223 \001\000\000\000\220#\223 \375\177\000\000p%\223 \375\177\000\000\220#\223 \375\177\000\000\363\354\022\373\336\177\000"} in_addrlen = 16 fd = 36 pid = 0 __FUNCTION__ = "smbd_accept_connection" #27 0x00007fdefb1383c3 in epoll_event_loop (epoll_ev=0x560aa3445660, tvalp=0x7ffd20932420) at ../lib/tevent/tevent_epoll.c:728 fde = 0x560aa3458ca0 flags = 1 mpx_fde = 0x0 ret = 1 i = 0 events = {{events = 1, data = {ptr = 0x560aa3458ca0, fd = -1555723104, u32 = 2739244192, u64 = 94603688905888}}} timeout = 1000 wait_errno = 0 #28 0x00007fdefb1389f9 in epoll_event_loop_once (ev=0x560aa343e670, location=0x560aa1b03e54 "../source3/smbd/server.c:1393") at ../lib/tevent/tevent_epoll.c:930 epoll_ev = 0x560aa3445660 tval = {tv_sec = 0, tv_usec = 999990} panic_triggered = false #29 0x00007fdefb135702 in std_event_loop_once (ev=0x560aa343e670, location=0x560aa1b03e54 "../source3/smbd/server.c:1393") at ../lib/tevent/tevent_standard.c:114 glue_ptr = 0x560aa3440020 glue = 0x560aa3440020 ret = 32734 #30 0x00007fdefb12e515 in _tevent_loop_once (ev=0x560aa343e670, 
location=0x560aa1b03e54 "../source3/smbd/server.c:1393") at ../lib/tevent/tevent.c:726 ret = 0 nesting_stack_ptr = 0x0 #31 0x00007fdefb12e825 in tevent_common_loop_wait (ev=0x560aa343e670, location=0x560aa1b03e54 "../source3/smbd/server.c:1393") at ../lib/tevent/tevent.c:849 ret = 0 #32 0x00007fdefb1357a4 in std_event_loop_wait (ev=0x560aa343e670, location=0x560aa1b03e54 "../source3/smbd/server.c:1393") at ../lib/tevent/tevent_standard.c:145 glue_ptr = 0x560aa3440020 glue = 0x560aa3440020 ret = 32765 #33 0x00007fdefb12e8c8 in _tevent_loop_wait (ev=0x560aa343e670, location=0x560aa1b03e54 "../source3/smbd/server.c:1393") at ../lib/tevent/tevent.c:868 ---Type <return> to continue, or q <return> to quit--- #34 0x0000560aa1afd9d5 in smbd_parent_loop (ev_ctx=0x560aa343e670, parent=0x560aa3446070) at ../source3/smbd/server.c:1393 trace_state = {frame = 0x560aa3430040} ret = 0 __FUNCTION__ = "smbd_parent_loop" #35 0x0000560aa1affbf3 in main (argc=1, argv=0x7ffd20932a18) at ../source3/smbd/server.c:2160 is_daemon = true interactive = false Fork = true no_process_group = false log_stdout = false ports = 0x0 profile_level = 0x0 opt = -1 pc = 0x560aa342fa70 print_build_options = false main_server_id = {pid = 17945, task_id = 0, vnn = 4294967295, unique_id = 14794411679533500616} long_options = {{longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x7fdef8918480 <poptHelpOptions>, val = 0, descrip = 0x560aa1b0420b "Help options:", argDescrip = 0x0}, {longName = 0x560aa1b04219 "daemon", shortName = 68 'D', argInfo = 0, arg = 0x0, val = 1000, descrip = 0x560aa1b04220 "Become a daemon (default)", argDescrip = 0x0}, {longName = 0x560aa1b0423a "interactive", shortName = 105 'i', argInfo = 0, arg = 0x0, val = 1001, descrip = 0x560aa1b04248 "Run interactive (not a daemon)", argDescrip = 0x0}, {longName = 0x560aa1b04267 "foreground", shortName = 70 'F', argInfo = 0, arg = 0x0, val = 1002, descrip = 0x560aa1b04278 "Run daemon in foreground (for daemontools, etc.)", argDescrip = 
0x0}, {longName = 0x560aa1b042a9 "no-process-group", shortName = 0 '\000', argInfo = 0, arg = 0x0, val = 1003, descrip = 0x560aa1b042c0 "Don't create a new process group", argDescrip = 0x0}, {longName = 0x560aa1b042e1 "log-stdout", shortName = 83 'S', argInfo = 0, arg = 0x0, val = 1004, descrip = 0x560aa1b042ec "Log to stdout", argDescrip = 0x0}, {longName = 0x560aa1b042fa "build-options", shortName = 98 'b', argInfo = 0, arg = 0x0, val = 98, descrip = 0x560aa1b04308 "Print build options", argDescrip = 0x0}, {longName = 0x560aa1b0431c "port", shortName = 112 'p', argInfo = 1, arg = 0x7ffd209325e0, val = 0, descrip = 0x560aa1b04321 "Listen on the specified ports", argDescrip = 0x0}, {longName = 0x560aa1b0433f "profiling-level", shortName = 80 'P', argInfo = 1, arg = 0x7ffd209325e8, val = 0, descrip = 0x560aa1b0434f "Set profiling level", argDescrip = 0x560aa1b04363 "PROFILE_LEVEL"}, {longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x7fdefc3b6180 <popt_common_samba>, val = 0, descrip = 0x560aa1b04371 "Common samba options:", argDescrip = 0x0}, {longName = 0x0, shortName = 0 '\000', argInfo = 0, arg = 0x0, val = 0, descrip = 0x0, argDescrip = 0x0}} parent = 0x560aa3446070 frame = 0x560aa342d3d0 status = {v = 0} ev_ctx = 0x560aa343e670 msg_ctx = 0x560aa3440320 server_id = {pid = 17947, task_id = 0, vnn = 4294967295, unique_id = 7118057808384568755} se = 0x560aa3446f80 profiling_level = 0 np_dir = 0x560aa34509b0 "" smbd_shim_fns = {cancel_pending_lock_requests_by_fid = 0x7fdefbb34e01 <smbd_cancel_pending_lock_requests_by_fid>, send_stat_cache_delete_message = 0x7fdefbb3f0fd <smbd_send_stat_cache_delete_message>, change_to_root_user = 0x7fdefbb1f138 <smbd_change_to_root_user>, become_authenticated_pipe_user = 0x7fdefbb1f1ee <smbd_become_authenticated_pipe_user>, unbecome_authenticated_pipe_user = 0x7fdefbb1f2e0 <smbd_unbecome_authenticated_pipe_user>, contend_level2_oplocks_begin = 0x7fdefbbafd1b <smbd_contend_level2_oplocks_begin>, contend_level2_oplocks_end = 
0x7fdefbbafd8e <smbd_contend_level2_oplocks_end>, become_root = 0x7fdefbb1f500 <smbd_become_root>, unbecome_root = 0x7fdefbb1f528 <smbd_unbecome_root>, exit_server = 0x7fdefbba44d4 <smbd_exit_server>, exit_server_cleanly = 0x7fdefbba44f1 <smbd_exit_server_cleanly>} __FUNCTION__ = "main" __func__ = "main"
Created attachment 13521 [details] Patch to fix the segfault
Comment on attachment 13521 [details] Patch to fix the segfault LGTM. I'll post on samba-technical with your Signed-off and my Reviewed-by.
FWIW, this isn't just a problem with macOS clients. Windows and smbclient crash smbd too, given an appropriate array of VFS modules.
Justin, this unfortunately causes samba3.smbtorture_s3.plain(nt4_dc).OPLOCK2 to fail. I'll look more closely.
Comment on attachment 13521 [details] Patch to fix the segfault Breaks OPLOCK2 test case :-(.
Created attachment 13560 [details] git-am fix for master. Justin, I think this might fix it. Get/set compression has no place in the streams_xattr module (compression always acts on the base file and all of its contents), and the second patch makes catia cope with fsp == NULL (as the underlying btrfs module already does). Your patch was more elegant, but I think this might also fix the underlying issue and keep the tests passing.
Yes, your patch is working for me as well.
Pushed to v4-{6,7}-test with review from slow@samba.org