This bug report tracks the progress in debugging the following back trace from https://bugzilla.samba.org/show_bug.cgi?id=13439#c1 : (gdb) bt #0 0x00007fc8c5088207 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56 #1 0x00007fc8c50898f8 in __GI_abort () at abort.c:90 #2 0x00007fc8c6a2d14e in dump_core () at ../source3/lib/dumpcore.c:338 #3 0x00007fc8c6a1db77 in smb_panic_s3 (why=<optimized out>) at ../source3/lib/util.c:827 #4 0x00007fc8c8b18eaf in smb_panic (why=why@entry=0x7fc8c8874688 "assert failed: lock_ref_count >= 0") at ../lib/util/fault.c:166 #5 0x00007fc8c876e1ce in decrement_lock_ref_count (fsp=fsp@entry=0x563d640c0af0) at ../source3/locking/posix.c:456 #6 0x00007fc8c876e40f in decrement_posix_lock_count (fsp=0x563d640c0af0, smblctx=14833) at ../source3/locking/posix.c:1238 #7 0x00007fc8c87703fc in release_posix_lock_posix_flavour (fsp=0x563d640c0af0, u_offset=<optimized out>, u_count=<optimized out>, lock_ctx=lock_ctx@entry=0x7ffc582da310, plocks=plocks@entry=0x563d640be790, num_locks=num_locks@entry=1) at ../source3/locking/posix.c:1409 #8 0x00007fc8c876c6a7 in brl_unlock_posix (plock=0x7ffc582da310, br_lck=0x563d640be450, msg_ctx=0x563d6406b200) at ../source3/locking/brlock.c:1287 #9 brl_unlock (msg_ctx=msg_ctx@entry=0x563d6406b200, br_lck=br_lck@entry=0x563d640be450, smblctx=smblctx@entry=14833, pid=..., start=start@entry=0, size=size@entry=9223372036854775808, lock_flav=lock_flav@entry=POSIX_LOCK) at ../source3/locking/brlock.c:1381 #10 0x00007fc8c87683d0 in do_unlock (msg_ctx=0x563d6406b200, fsp=fsp@entry=0x563d640c0af0, smblctx=smblctx@entry=14833, count=count@entry=9223372036854775808, offset=offset@entry=0, lock_flav=lock_flav@entry=POSIX_LOCK) at ../source3/locking/locking.c:325 #11 0x00007fc8c86edcd6 in smb_set_posix_lock (fsp=0x563d640c0af0, total_data=24, pdata=0x563d640b3860 "\002", req=0x563d640bde50, conn=0x0) at ../source3/smbd/trans2.c:7241 #12 smbd_do_setfilepathinfo (conn=conn@entry=0x563d640b2320, req=req@entry=0x563d640bde50, mem_ctx=mem_ctx@entry=0x563d640bde50, info_level=info_level@entry=520, fsp=fsp@entry=0x563d640c0af0, smb_fname=<optimized out>, ppdata=ppdata@entry=0x563d640c1920, total_data=total_data@entry=24, ret_data_size=ret_data_size@entry=0x7ffc582da620) at ../source3/smbd/trans2.c:8639 #13 0x00007fc8c86f020c in call_trans2setfilepathinfo (max_data_bytes=1000, total_data=24, ppdata=0x563d640c1920, total_params=<optimized out>, pparams=0x563d640c1910, tran_call=<optimized out>, req=0x563d640bde50, conn=0x563d640b2320) at ../source3/smbd/trans2.c:8880 #14 handle_trans2 (conn=conn@entry=0x563d640b2320, req=req@entry=0x563d640bde50, state=state@entry=0x563d640c18b0) at ../source3/smbd/trans2.c:9420 #15 0x00007fc8c86f29ed in reply_trans2 (req=req@entry=0x563d640bde50) at ../source3/smbd/trans2.c:9649 #16 0x00007fc8c871ac90 in switch_message (type=<optimized out>, req=req@entry=0x563d640bde50) at ../source3/smbd/process.c:1727 #17 0x00007fc8c871ca30 in construct_reply (deferred_pcd=0x0, encrypted=false, seqnum=0, unread_bytes=0, size=102, inbuf=0x0, xconn=0x563d640a6440) at ../source3/smbd/process.c:1763 #18 process_smb (xconn=xconn@entry=0x563d640a2cd0, inbuf=<optimized out>, nread=102, unread_bytes=0, seqnum=0, encrypted=<optimized out>, deferred_pcd=deferred_pcd@entry=0x0) at ../source3/smbd/process.c:2010 #19 0x00007fc8c871e111 in smbd_server_connection_read_handler (xconn=0x563d640a2cd0, fd=45) at ../source3/smbd/process.c:2610 #20 0x00007fc8c5429edb in epoll_event_loop (tvalp=0x7ffc582da8c0, epoll_ev=0x563d640a1af0) at ../tevent_epoll.c:728 #21 epoll_event_loop_once (ev=<optimized out>, location=<optimized out>) at ../tevent_epoll.c:930 #22 0x00007fc8c54282a7 in std_event_loop_once (ev=0x563d6406aef0, location=0x7fc8c8848798 "../source3/smbd/process.c:4127") ---Type <return> to continue, or q <return> to quit--- at ../tevent_standard.c:114 #23 0x00007fc8c542407d in _tevent_loop_once (ev=ev@entry=0x563d6406aef0, location=location@entry=0x7fc8c8848798 "../source3/smbd/process.c:4127") at ../tevent.c:726 #24 0x00007fc8c54242ab in tevent_common_loop_wait (ev=0x563d6406aef0, location=0x7fc8c8848798 "../source3/smbd/process.c:4127") at ../tevent.c:849 #25 0x00007fc8c5428247 in std_event_loop_wait (ev=0x563d6406aef0, location=0x7fc8c8848798 "../source3/smbd/process.c:4127") at ../tevent_standard.c:145 #26 0x00007fc8c871f444 in smbd_process (ev_ctx=ev_ctx@entry=0x563d6406aef0, msg_ctx=msg_ctx@entry=0x563d6406b200, sock_fd=sock_fd@entry=45, interactive=interactive@entry=false) at ../source3/smbd/process.c:4127 #27 0x0000563d62d511d4 in smbd_accept_connection (ev=0x563d6406aef0, fde=<optimized out>, flags=<optimized out>, private_data=<optimized out>) at ../source3/smbd/server.c:1030 #28 0x00007fc8c5429edb in epoll_event_loop (tvalp=0x7ffc582dab50, epoll_ev=0x563d6406b0e0) at ../tevent_epoll.c:728 #29 epoll_event_loop_once (ev=<optimized out>, location=<optimized out>) at ../tevent_epoll.c:930 #30 0x00007fc8c54282a7 in std_event_loop_once (ev=0x563d6406aef0, location=0x563d62d55083 "../source3/smbd/server.c:1397") at ../tevent_standard.c:114 #31 0x00007fc8c542407d in _tevent_loop_once (ev=ev@entry=0x563d6406aef0, location=location@entry=0x563d62d55083 "../source3/smbd/server.c:1397") at ../tevent.c:726 #32 0x00007fc8c54242ab in tevent_common_loop_wait (ev=0x563d6406aef0, location=0x563d62d55083 "../source3/smbd/server.c:1397") at ../tevent.c:849 #33 0x00007fc8c5428247 in std_event_loop_wait (ev=0x563d6406aef0, location=0x563d62d55083 "../source3/smbd/server.c:1397") at ../tevent_standard.c:145 #34 0x0000563d62d4c25e in smbd_parent_loop (parent=<optimized out>, ev_ctx=0x563d6406aef0) at ../source3/smbd/server.c:1397 #35 main (argc=<optimized out>, argv=<optimized out>) at ../source3/smbd/server.c:2164 Version: reported on 4.6.x and also seen on 4.7.1 Steps to reproduce: Unknown
(gdb) f 5 #5 0x00007fc8c876e1ce in decrement_lock_ref_count (fsp=fsp@entry=0x563d640c0af0) at ../source3/locking/posix.c:456 456 SMB_ASSERT(lock_ref_count >= 0); (gdb) p lock_ref_count $1 = -1 (gdb) f 8 #8 0x00007fc8c876c6a7 in brl_unlock_posix (plock=0x7ffc582da310, br_lck=0x563d640be450, msg_ctx=0x563d6406b200) at ../source3/locking/brlock.c:1287 1287 release_posix_lock_posix_flavour(br_lck->fsp, (gdb) p plock->start $2 = 0 (gdb) p plock->size $3 = S (gdb) f 7 #7 0x00007fc8c87703fc in release_posix_lock_posix_flavour (fsp=0x563d640c0af0, u_offset=<optimized out>, u_count=<optimized out>, lock_ctx=lock_ctx@entry=0x7ffc582da310, plocks=plocks@entry=0x563d640be790, num_locks=num_locks@entry=1) at ../source3/locking/posix.c:1409 1409 decrement_posix_lock_count(fsp, lock_ctx->smblctx); (gdb) p offset $4 = 0 (gdb) p count $5 = 9223372036854775807 <-- capped at 64 bit signed max inside posix_lock_in_range()