Bug 13245 - smbd panic in smb2_sendfile_send_data during server exit
Summary: smbd panic in smb2_sendfile_send_data during server exit
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: 4.5.10
Hardware: All Linux
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-01-24 08:56 UTC by Lev
Modified: 2018-01-24 09:27 UTC

See Also:


Description Lev 2018-01-24 08:56:33 UTC
It looks like smb2_sendfile_send_data calls SMB_VFS_SENDFILE on an already-closed file: the fault happens while exit_server_common is tearing down the connection via talloc_free (frames #9-#16), and the fsp dump below (conn = 0x0, dptr and print_file pointing into glibc's main_arena) is consistent with the files_struct having already been freed before the pending sendfile state's destructor ran.

[2018/01/23 09:30:25.918842,  1, pid=25840] ../source3/smbd/service.c:1150(close_cnum)
  nuel-5m85y52 (ipv4:172.31.53.215:60205) closed connection to service home_3 as user GFK\snbrec
[2018/01/23 09:30:25.919174,  1, pid=25840] ../source3/smbd/service.c:1150(close_cnum)
  nuel-5m85y52 (ipv4:172.31.53.215:60205) closed connection to service IPC$ as user GFK\snbrec
[2018/01/23 09:30:25.919270,  0, pid=25840] ../lib/util/fault.c:78(fault_report)
  ===============================================================
[2018/01/23 09:30:25.919315,  0, pid=25840] ../lib/util/fault.c:79(fault_report)
  INTERNAL ERROR: Signal 11 in pid 25840 (4.5.10)
  Please read the Trouble-Shooting section of the Samba HOWTO
[2018/01/23 09:30:25.919360,  0, pid=25840] ../lib/util/fault.c:81(fault_report)
  ===============================================================
[2018/01/23 09:30:25.919390,  0, pid=25840] ../source3/lib/util.c:791(smb_panic_s3)
  PANIC (pid 25840): internal error

(gdb) bt
#0  0x00007f99d46c5c37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007f99d46c9028 in __GI_abort () at abort.c:89
#2  0x00007f99d5de4f5a in dump_core () at ../source3/lib/dumpcore.c:322
#3  0x00007f99d5dcf4da in smb_panic_s3 (why=0x7f99d8909cad "internal error") at ../source3/lib/util.c:822
#4  0x00007f99d88b914d in smb_panic (why=0x7f99d8909cad "internal error") at ../lib/util/fault.c:166
#5  0x00007f99d88b8e25 in fault_report (sig=11) at ../lib/util/fault.c:83
#6  0x00007f99d88b8e3a in sig_fault (sig=11) at ../lib/util/fault.c:94
#7  <signal handler called>
#8  0x00007f99d843d0f0 in smb2_sendfile_send_data (state=0x7f99dafbf010) at ../source3/smbd/smb2_read.c:205
#9  0x00007f99d7c736be in _tc_free_internal (tc=0x7f99dafbefb0, location=0x7f99d85ddcb0 "../source3/smbd/server_exit.c:221") at ../lib/talloc/talloc.c:1055
#10 0x00007f99d7c748e0 in _tc_free_children_internal (tc=0x7f99dafbea40, ptr=0x7f99dafbeaa0, location=0x7f99d85ddcb0 "../source3/smbd/server_exit.c:221") at ../lib/talloc/talloc.c:1570
#11 0x00007f99d7c73879 in _tc_free_internal (tc=0x7f99dafbea40, location=0x7f99d85ddcb0 "../source3/smbd/server_exit.c:221") at ../lib/talloc/talloc.c:1081
#12 0x00007f99d7c748e0 in _tc_free_children_internal (tc=0x7f99daecb270, ptr=0x7f99daecb2d0, location=0x7f99d85ddcb0 "../source3/smbd/server_exit.c:221") at ../lib/talloc/talloc.c:1570
#13 0x00007f99d7c73879 in _tc_free_internal (tc=0x7f99daecb270, location=0x7f99d85ddcb0 "../source3/smbd/server_exit.c:221") at ../lib/talloc/talloc.c:1081
#14 0x00007f99d7c73a44 in _talloc_free_internal (ptr=0x7f99daecb2d0, location=0x7f99d85ddcb0 "../source3/smbd/server_exit.c:221") at ../lib/talloc/talloc.c:1151
#15 0x00007f99d7c74cff in _talloc_free (ptr=0x7f99daecb2d0, location=0x7f99d85ddcb0 "../source3/smbd/server_exit.c:221") at ../lib/talloc/talloc.c:1693
#16 0x00007f99d846158a in exit_server_common (how=SERVER_EXIT_NORMAL, reason=0x7f99d6da7aaa "NT_STATUS_CONNECTION_RESET") at ../source3/smbd/server_exit.c:221
#17 0x00007f99d8461784 in smbd_exit_server_cleanly (explanation=0x7f99d6da7aaa "NT_STATUS_CONNECTION_RESET") at ../source3/smbd/server_exit.c:263
#18 0x00007f99d578ce3d in exit_server_cleanly (reason=0x7f99d6da7aaa "NT_STATUS_CONNECTION_RESET") at ../source3/lib/smbd_shim.c:131
#19 0x00007f99d84224b3 in smbd_server_connection_terminate_ex (xconn=0x7f99daecb2d0, reason=0x7f99d6da7aaa "NT_STATUS_CONNECTION_RESET", location=0x7f99d85cb4b0 "../source3/smbd/smb2_server.c:3960") at ../source3/smbd/smb2_server.c:1094
#20 0x00007f99d842c9a1 in smbd_smb2_connection_handler (ev=0x7f99daec4ff0, fde=0x7f99daec93d0, flags=3, private_data=0x7f99daecb2d0) at ../source3/smbd/smb2_server.c:3960
#21 0x00007f99d7868c16 in epoll_event_loop (epoll_ev=0x7f99daed71e0, tvalp=0x7fffa2eaa9b0) at ../lib/tevent/tevent_epoll.c:728
#22 0x00007f99d7869234 in epoll_event_loop_once (ev=0x7f99daec4ff0, location=0x7f99d85c2468 "../source3/smbd/process.c:4125") at ../lib/tevent/tevent_epoll.c:926
#23 0x00007f99d786611e in std_event_loop_once (ev=0x7f99daec4ff0, location=0x7f99d85c2468 "../source3/smbd/process.c:4125") at ../lib/tevent/tevent_standard.c:114
#24 0x00007f99d785f8c3 in _tevent_loop_once (ev=0x7f99daec4ff0, location=0x7f99d85c2468 "../source3/smbd/process.c:4125") at ../lib/tevent/tevent.c:533
#25 0x00007f99d785fb0d in tevent_common_loop_wait (ev=0x7f99daec4ff0, location=0x7f99d85c2468 "../source3/smbd/process.c:4125") at ../lib/tevent/tevent.c:637
#26 0x00007f99d78661c0 in std_event_loop_wait (ev=0x7f99daec4ff0, location=0x7f99d85c2468 "../source3/smbd/process.c:4125") at ../lib/tevent/tevent_standard.c:145
#27 0x00007f99d785fbd8 in _tevent_loop_wait (ev=0x7f99daec4ff0, location=0x7f99d85c2468 "../source3/smbd/process.c:4125") at ../lib/tevent/tevent.c:656
#28 0x00007f99d840aac2 in smbd_process (ev_ctx=0x7f99daec4ff0, msg_ctx=0x7f99daec5570, sock_fd=38, interactive=false) at ../source3/smbd/process.c:4125
#29 0x00007f99d937bd16 in smbd_accept_connection (ev=0x7f99daec4ff0, fde=0x7f99daed8750, flags=1, private_data=0x7f99daed86c0) at ../source3/smbd/server.c:1023
#30 0x00007f99d7868c16 in epoll_event_loop (epoll_ev=0x7f99daec5170, tvalp=0x7fffa2eaad70) at ../lib/tevent/tevent_epoll.c:728
#31 0x00007f99d7869234 in epoll_event_loop_once (ev=0x7f99daec4ff0, location=0x7f99d93822b7 "../source3/smbd/server.c:1390") at ../lib/tevent/tevent_epoll.c:926
#32 0x00007f99d786611e in std_event_loop_once (ev=0x7f99daec4ff0, location=0x7f99d93822b7 "../source3/smbd/server.c:1390") at ../lib/tevent/tevent_standard.c:114
#33 0x00007f99d785f8c3 in _tevent_loop_once (ev=0x7f99daec4ff0, location=0x7f99d93822b7 "../source3/smbd/server.c:1390") at ../lib/tevent/tevent.c:533
#34 0x00007f99d785fb0d in tevent_common_loop_wait (ev=0x7f99daec4ff0, location=0x7f99d93822b7 "../source3/smbd/server.c:1390") at ../lib/tevent/tevent.c:637
#35 0x00007f99d78661c0 in std_event_loop_wait (ev=0x7f99daec4ff0, location=0x7f99d93822b7 "../source3/smbd/server.c:1390") at ../lib/tevent/tevent_standard.c:145
#36 0x00007f99d785fbd8 in _tevent_loop_wait (ev=0x7f99daec4ff0, location=0x7f99d93822b7 "../source3/smbd/server.c:1390") at ../lib/tevent/tevent.c:656
#37 0x00007f99d937cb26 in smbd_parent_loop (ev_ctx=0x7f99daec4ff0, parent=0x7f99daec9490) at ../source3/smbd/server.c:1390
#38 0x00007f99d937e579 in main (argc=2, argv=0x7fffa2eab378) at ../source3/smbd/server.c:2051

(gdb) f 8
#8  0x00007f99d843d0f0 in smb2_sendfile_send_data (state=0x7f99dafbf010) at ../source3/smbd/smb2_read.c:205

(gdb) p *fsp
$1 = {next = 0x0, prev = 0x0, fnum = 0, op = 0x0, conn = 0x0, fh = 0x0, num_smb_operations = 0, file_id = {devid = 0, inode = 0, extid = 0}, initial_allocation_size = 0, file_pid = 0, vuid = 0, wcp = 0x0, open_time = {tv_sec = 0, 
    tv_usec = 0}, access_mask = 0, share_access = 0, kernel_share_modes_taken = false, update_write_time_triggered = false, update_write_time_event = 0x0, update_write_time_on_close = false, close_write_time = {tv_sec = 0, tv_nsec = 0}, 
  write_time_forced = false, oplock_type = 0, lease = 0x0, sent_oplock_break = 0, oplock_timeout = 0x0, last_lock_failure = {context = {smblctx = 0, tid = 0, pid = {pid = 0, task_id = 0, vnn = 0, unique_id = 0}}, start = 0, size = 0, 
    fnum = 0, lock_type = READ_LOCK, lock_flav = WINDOWS_LOCK}, current_lock_count = 0, can_lock = false, can_read = false, can_write = false, modified = false, is_directory = false, aio_write_behind = false, 
  initial_delete_on_close = false, delete_on_close = false, posix_flags = 0, is_sparse = false, backup_intent = false, aapl_copyfile_supported = false, use_ofd_locks = false, fsp_name = 0x0, name_hash = 0, mid = 0, vfs_extension = 0x0, 
  fake_file_handle = 0x0, notify = 0x0, base_fsp = 0x0, brlock_seqnum = 0, brlock_rec = 0x31, dptr = 0x7f99d4a517b8 <main_arena+88>, print_file = 0x7f99d4a517b8 <main_arena+88>, num_aio_requests = 0, aio_requests = 0x0, 
  deferred_close = 0x4a0}

(gdb) p fsp->conn
$2 = (struct connection_struct *) 0x0