Bug 13086 - Directory deletion from Mac terminal client resulted in smbd crash with vfs_fruit and vfs_glusterfs
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: VFS Modules
Version: 4.7.0
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Depends on:
Reported: 2017-10-13 14:39 UTC by Anoop C S
Modified: 2017-11-03 10:00 UTC

testparm -s (660 bytes, text/plain)
2017-10-13 14:39 UTC, Anoop C S
patch for 4.7 (1.56 KB, patch)
2017-10-17 05:41 UTC, Anoop C S
slow: review+
gd: review+
patch for 4.6 (1.56 KB, patch)
2017-10-17 05:43 UTC, Anoop C S
slow: review+
gd: review+

Description Anoop C S 2017-10-13 14:39:33 UTC
Created attachment 13684 [details]
testparm -s

In a standalone Samba server with GlusterFS backed shares, smbd crashed while trying to delete a directory from one such share via Mac OS terminal.

# smbd --version
Version 4.8.0pre1-GIT-a826394a2f5
# gluster --version
glusterfs 4.0dev

The following backtrace was extracted using gdb from the coredump file:

(gdb) bt
#0  0x00007f7f2ef661f7 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007f7f2ef678e8 in __GI_abort () at abort.c:90
#2  0x00007f7f308ec4de in dump_core () at ../source3/lib/dumpcore.c:338
#3  0x00007f7f308dd6e7 in smb_panic_s3 (why=<optimized out>) at ../source3/lib/util.c:814
#4  0x00007f7f329b995f in smb_panic (why=why@entry=0x7f7f32a0182a "internal error") at ../lib/util/fault.c:166
#5  0x00007f7f329b9b76 in fault_report (sig=<optimized out>) at ../lib/util/fault.c:83
#6  sig_fault (sig=<optimized out>) at ../lib/util/fault.c:94
#7  <signal handler called>
#8  0x00007f7f2ef661f7 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#9  0x00007f7f2ef678e8 in __GI_abort () at abort.c:90
#10 0x00007f7f2efa5f47 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7f7f2f0b2608 "*** Error in `%s': %s: 0x%s ***\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:196
#11 0x00007f7f2efad619 in malloc_printerr (ar_ptr=0x7f7f2f2ed760 <main_arena>, ptr=<optimized out>, 
    str=0x7f7f2f0afcd4 "free(): invalid pointer", action=3) at malloc.c:5023
#12 _int_free (av=0x7f7f2f2ed760 <main_arena>, p=<optimized out>, have_lock=0) at malloc.c:3845
#13 0x00007f7f2efeb80d in __closedir (dirp=<optimized out>) at ../sysdeps/posix/closedir.c:51
#14 0x00007f7f175f7d90 in fruit_rmdir (handle=0x7f7f34a3e020, smb_fname=0x7f7f34b42de0) at ../source3/modules/vfs_fruit.c:3543
#15 0x00007f7f173e3420 in catia_rmdir (handle=0x7f7f34a37f00, smb_fname=<optimized out>) at ../source3/modules/vfs_catia.c:951
#16 0x00007f7f32541065 in rmdir_internals (fsp=<optimized out>, fsp=<optimized out>, ctx=0x7f7f34b1d310) at ../source3/smbd/close.c:909
#17 close_directory (close_type=NORMAL_CLOSE, fsp=0x7f7f34b440a0, req=0x7f7f34b4ffe0) at ../source3/smbd/close.c:1170
#18 close_file (req=req@entry=0x7f7f34b4ffe0, fsp=fsp@entry=0x7f7f34b440a0, close_type=close_type@entry=NORMAL_CLOSE)
    at ../source3/smbd/close.c:1229
#19 0x00007f7f32578483 in smbd_smb2_close (req=req@entry=0x7f7f34b57330, fsp=fsp@entry=0x7f7f34b440a0, in_flags=in_flags@entry=0, 
    out_flags=0x7f7f34b42c02, out_creation_ts=0x7f7f34b42c08, out_last_access_ts=0x7f7f34b42c18, out_last_write_ts=0x7f7f34b42c28, 
    out_change_ts=0x7f7f34b42c38, out_allocation_size=0x7f7f34b42c48, out_end_of_file=0x7f7f34b42c50, 
    out_file_attributes=0x7f7f34b42c58) at ../source3/smbd/smb2_close.c:260
#20 0x00007f7f32578ccd in smbd_smb2_close_send (in_flags=0, in_fsp=0x7f7f34b440a0, smb2req=0x7f7f34b57330, ev=0x7f7f34a125a0, 
    mem_ctx=0x7f7f34b57330) at ../source3/smbd/smb2_close.c:334
#21 smbd_smb2_request_process_close (req=req@entry=0x7f7f34b57330) at ../source3/smbd/smb2_close.c:70
#22 0x00007f7f3256d13b in smbd_smb2_request_dispatch (req=req@entry=0x7f7f34b57330) at ../source3/smbd/smb2_server.c:2585
#23 0x00007f7f3256dfd5 in smbd_smb2_request_dispatch_immediate (ctx=<optimized out>, im=0x7f7f34b4c770, private_data=<optimized out>)
    at ../source3/smbd/smb2_server.c:2960
#24 0x00007f7f2f2f9aba in tevent_common_loop_immediate (ev=ev@entry=0x7f7f34a125a0) at ../tevent_immediate.c:135
#25 0x00007f7f2f2fec9d in epoll_event_loop_once (ev=0x7f7f34a125a0, location=<optimized out>) at ../tevent_epoll.c:911
#26 0x00007f7f2f2fd2a7 in std_event_loop_once (ev=0x7f7f34a125a0, location=0x7f7f326ad428 "../source3/smbd/process.c:4125")
    at ../tevent_standard.c:114
#27 0x00007f7f2f2f90cd in _tevent_loop_once (ev=ev@entry=0x7f7f34a125a0, 
    location=location@entry=0x7f7f326ad428 "../source3/smbd/process.c:4125") at ../tevent.c:721
#28 0x00007f7f2f2f92fb in tevent_common_loop_wait (ev=0x7f7f34a125a0, location=0x7f7f326ad428 "../source3/smbd/process.c:4125")
    at ../tevent.c:844
#29 0x00007f7f2f2fd247 in std_event_loop_wait (ev=0x7f7f34a125a0, location=0x7f7f326ad428 "../source3/smbd/process.c:4125")
    at ../tevent_standard.c:145
#30 0x00007f7f3255c944 in smbd_process (ev_ctx=ev_ctx@entry=0x7f7f34a125a0, msg_ctx=msg_ctx@entry=0x7f7f34a12b10, 
    sock_fd=sock_fd@entry=38, interactive=interactive@entry=false) at ../source3/smbd/process.c:4125
#31 0x00007f7f3325da74 in smbd_accept_connection (ev=0x7f7f34a125a0, fde=<optimized out>, flags=<optimized out>, 
    private_data=<optimized out>) at ../source3/smbd/server.c:1017
#32 0x00007f7f2f2feedb in epoll_event_loop (tvalp=0x7ffc6b4f5fa0, epoll_ev=0x7f7f34a12820) at ../tevent_epoll.c:728
#33 epoll_event_loop_once (ev=<optimized out>, location=<optimized out>) at ../tevent_epoll.c:930
#34 0x00007f7f2f2fd2a7 in std_event_loop_once (ev=0x7f7f34a125a0, location=0x7f7f332615d9 "../source3/smbd/server.c:1384")
    at ../tevent_standard.c:114
#35 0x00007f7f2f2f90cd in _tevent_loop_once (ev=ev@entry=0x7f7f34a125a0, 
    location=location@entry=0x7f7f332615d9 "../source3/smbd/server.c:1384") at ../tevent.c:721
#36 0x00007f7f2f2f92fb in tevent_common_loop_wait (ev=0x7f7f34a125a0, location=0x7f7f332615d9 "../source3/smbd/server.c:1384")
    at ../tevent.c:844
#37 0x00007f7f2f2fd247 in std_event_loop_wait (ev=0x7f7f34a125a0, location=0x7f7f332615d9 "../source3/smbd/server.c:1384")
    at ../tevent_standard.c:145
#38 0x00007f7f33258a95 in smbd_parent_loop (parent=<optimized out>, ev_ctx=0x7f7f34a125a0) at ../source3/smbd/server.c:1384
#39 main (argc=<optimized out>, argv=<optimized out>) at ../source3/smbd/server.c:2038

Steps to reproduce:
1. Have a basic GlusterFS volume shared via Samba using vfs fruit module (see attachment for testparm output)
2. Mount the share from Mac OS terminal as follows:
# sudo mount_smbfs //user:passwd@<server-ip>/<gluster-sharename> <mount-point>
3. Create an empty directory inside the mounted share
4. Delete the directory created from step 3
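
Added example, not part of the original report and not Samba code: frames #11 to #14 show libc closedir(), called directly from fruit_rmdir, aborting inside free() on a share backed by vfs_glusterfs. The C model below assumes (the report does not state it) that the directory handle was opened by a stacked backend and then closed with libc; vfs_ops, backend_dir and module_rmdir_scan are hypothetical names.

```c
#include <dirent.h>
#include <stdlib.h>

/* Hypothetical stacked-VFS table; all names here are illustrative, not Samba's. */
struct vfs_ops {
    DIR *(*opendir_fn)(const char *path);
    int (*closedir_fn)(DIR *dirp);
};

/* Backend-private directory object that travels disguised as a DIR *. */
struct backend_dir { unsigned magic; };
#define BACKEND_MAGIC 0x42444952u
static int live_handles;

static DIR *backend_opendir(const char *path)
{
    (void)path;
    struct backend_dir *d = calloc(1, sizeof(*d));
    if (d == NULL) return NULL;
    d->magic = BACKEND_MAGIC;
    live_handles++;
    return (DIR *)d;            /* not an object that libc opendir() created */
}

static int backend_closedir(DIR *dirp)
{
    struct backend_dir *d = (struct backend_dir *)dirp;
    if (d == NULL || d->magic != BACKEND_MAGIC) return -1;
    d->magic = 0;
    free(d);
    live_handles--;
    return 0;
}

static const struct vfs_ops backend_ops = { backend_opendir, backend_closedir };

/* rmdir-style hook: open the directory through the stack, then release it. */
int module_rmdir_scan(const struct vfs_ops *ops, const char *path)
{
    DIR *dh = ops->opendir_fn(path);
    if (dh == NULL) return -1;
    /* Mismatched form: closedir(dh) would have libc interpret and free() an
     * object it never created (the backtrace above aborts inside that free()). */
    return ops->closedir_fn(dh); /* matched form: release via the same layer */
}

int open_handle_count(void) { return live_handles; }

int main(void) { return module_rmdir_scan(&backend_ops, "newdir") || open_handle_count(); }
```
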
Comment 1 Anoop C S 2017-10-17 05:41:31 UTC
Created attachment 13697 [details]
patch for 4.7
Comment 2 Anoop C S 2017-10-17 05:43:56 UTC
Created attachment 13698 [details]
patch for 4.6
Comment 3 Ralph Böhme 2017-10-17 08:19:47 UTC
Reassigning to Karolin for inclusion in 4.6 and 4.7.
Comment 4 Karolin Seeger 2017-11-01 09:32:58 UTC
(In reply to Ralph Böhme from comment #3)
Pushed to autobuild-v4-{7,6}-test.
Comment 5 Karolin Seeger 2017-11-03 10:00:40 UTC
Pushed to both branches.
Closing out bug report.