13558 – smbd panic during assertion check on lock reference count

Bug 13558 - smbd panic during assertion check on lock reference count

Summary: smbd panic during assertion check on lock reference count

Status:	NEW

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	File services (show other bugs)
Version:	4.7.1
Hardware:	x64 Linux

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Samba QA Contact
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2018-08-03 05:58 UTC by Anoop C S
Modified:	2018-08-03 09:03 UTC (History)
CC List:	1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Anoop C S 2018-08-03 05:58:00 UTC

This bug report tracks the progress in debugging the following back trace from https://bugzilla.samba.org/show_bug.cgi?id=13439#c1 :

(gdb) bt
#0  0x00007fc8c5088207 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007fc8c50898f8 in __GI_abort () at abort.c:90
#2  0x00007fc8c6a2d14e in dump_core () at ../source3/lib/dumpcore.c:338
#3  0x00007fc8c6a1db77 in smb_panic_s3 (why=<optimized out>) at ../source3/lib/util.c:827
#4  0x00007fc8c8b18eaf in smb_panic (why=why@entry=0x7fc8c8874688 "assert failed: lock_ref_count >= 0") at ../lib/util/fault.c:166
#5  0x00007fc8c876e1ce in decrement_lock_ref_count (fsp=fsp@entry=0x563d640c0af0) at ../source3/locking/posix.c:456
#6  0x00007fc8c876e40f in decrement_posix_lock_count (fsp=0x563d640c0af0, smblctx=14833) at ../source3/locking/posix.c:1238
#7  0x00007fc8c87703fc in release_posix_lock_posix_flavour (fsp=0x563d640c0af0, u_offset=<optimized out>, u_count=<optimized out>, 
    lock_ctx=lock_ctx@entry=0x7ffc582da310, plocks=plocks@entry=0x563d640be790, num_locks=num_locks@entry=1)
    at ../source3/locking/posix.c:1409
#8  0x00007fc8c876c6a7 in brl_unlock_posix (plock=0x7ffc582da310, br_lck=0x563d640be450, msg_ctx=0x563d6406b200)
    at ../source3/locking/brlock.c:1287
#9  brl_unlock (msg_ctx=msg_ctx@entry=0x563d6406b200, br_lck=br_lck@entry=0x563d640be450, smblctx=smblctx@entry=14833, pid=..., 
    start=start@entry=0, size=size@entry=9223372036854775808, lock_flav=lock_flav@entry=POSIX_LOCK) at ../source3/locking/brlock.c:1381
#10 0x00007fc8c87683d0 in do_unlock (msg_ctx=0x563d6406b200, fsp=fsp@entry=0x563d640c0af0, smblctx=smblctx@entry=14833, 
    count=count@entry=9223372036854775808, offset=offset@entry=0, lock_flav=lock_flav@entry=POSIX_LOCK)
    at ../source3/locking/locking.c:325
#11 0x00007fc8c86edcd6 in smb_set_posix_lock (fsp=0x563d640c0af0, total_data=24, pdata=0x563d640b3860 "\002", req=0x563d640bde50, 
    conn=0x0) at ../source3/smbd/trans2.c:7241
#12 smbd_do_setfilepathinfo (conn=conn@entry=0x563d640b2320, req=req@entry=0x563d640bde50, mem_ctx=mem_ctx@entry=0x563d640bde50, 
    info_level=info_level@entry=520, fsp=fsp@entry=0x563d640c0af0, smb_fname=<optimized out>, ppdata=ppdata@entry=0x563d640c1920, 
    total_data=total_data@entry=24, ret_data_size=ret_data_size@entry=0x7ffc582da620) at ../source3/smbd/trans2.c:8639
#13 0x00007fc8c86f020c in call_trans2setfilepathinfo (max_data_bytes=1000, total_data=24, ppdata=0x563d640c1920, 
    total_params=<optimized out>, pparams=0x563d640c1910, tran_call=<optimized out>, req=0x563d640bde50, conn=0x563d640b2320)
    at ../source3/smbd/trans2.c:8880
#14 handle_trans2 (conn=conn@entry=0x563d640b2320, req=req@entry=0x563d640bde50, state=state@entry=0x563d640c18b0)
    at ../source3/smbd/trans2.c:9420
#15 0x00007fc8c86f29ed in reply_trans2 (req=req@entry=0x563d640bde50) at ../source3/smbd/trans2.c:9649
#16 0x00007fc8c871ac90 in switch_message (type=<optimized out>, req=req@entry=0x563d640bde50) at ../source3/smbd/process.c:1727
#17 0x00007fc8c871ca30 in construct_reply (deferred_pcd=0x0, encrypted=false, seqnum=0, unread_bytes=0, size=102, inbuf=0x0, 
    xconn=0x563d640a6440) at ../source3/smbd/process.c:1763
#18 process_smb (xconn=xconn@entry=0x563d640a2cd0, inbuf=<optimized out>, nread=102, unread_bytes=0, seqnum=0, 
    encrypted=<optimized out>, deferred_pcd=deferred_pcd@entry=0x0) at ../source3/smbd/process.c:2010
#19 0x00007fc8c871e111 in smbd_server_connection_read_handler (xconn=0x563d640a2cd0, fd=45) at ../source3/smbd/process.c:2610
#20 0x00007fc8c5429edb in epoll_event_loop (tvalp=0x7ffc582da8c0, epoll_ev=0x563d640a1af0) at ../tevent_epoll.c:728
#21 epoll_event_loop_once (ev=<optimized out>, location=<optimized out>) at ../tevent_epoll.c:930
#22 0x00007fc8c54282a7 in std_event_loop_once (ev=0x563d6406aef0, location=0x7fc8c8848798 "../source3/smbd/process.c:4127")
---Type <return> to continue, or q <return> to quit---
    at ../tevent_standard.c:114
#23 0x00007fc8c542407d in _tevent_loop_once (ev=ev@entry=0x563d6406aef0, 
    location=location@entry=0x7fc8c8848798 "../source3/smbd/process.c:4127") at ../tevent.c:726
#24 0x00007fc8c54242ab in tevent_common_loop_wait (ev=0x563d6406aef0, location=0x7fc8c8848798 "../source3/smbd/process.c:4127")
    at ../tevent.c:849
#25 0x00007fc8c5428247 in std_event_loop_wait (ev=0x563d6406aef0, location=0x7fc8c8848798 "../source3/smbd/process.c:4127")
    at ../tevent_standard.c:145
#26 0x00007fc8c871f444 in smbd_process (ev_ctx=ev_ctx@entry=0x563d6406aef0, msg_ctx=msg_ctx@entry=0x563d6406b200, 
    sock_fd=sock_fd@entry=45, interactive=interactive@entry=false) at ../source3/smbd/process.c:4127
#27 0x0000563d62d511d4 in smbd_accept_connection (ev=0x563d6406aef0, fde=<optimized out>, flags=<optimized out>, 
    private_data=<optimized out>) at ../source3/smbd/server.c:1030
#28 0x00007fc8c5429edb in epoll_event_loop (tvalp=0x7ffc582dab50, epoll_ev=0x563d6406b0e0) at ../tevent_epoll.c:728
#29 epoll_event_loop_once (ev=<optimized out>, location=<optimized out>) at ../tevent_epoll.c:930
#30 0x00007fc8c54282a7 in std_event_loop_once (ev=0x563d6406aef0, location=0x563d62d55083 "../source3/smbd/server.c:1397")
    at ../tevent_standard.c:114
#31 0x00007fc8c542407d in _tevent_loop_once (ev=ev@entry=0x563d6406aef0, 
    location=location@entry=0x563d62d55083 "../source3/smbd/server.c:1397") at ../tevent.c:726
#32 0x00007fc8c54242ab in tevent_common_loop_wait (ev=0x563d6406aef0, location=0x563d62d55083 "../source3/smbd/server.c:1397")
    at ../tevent.c:849
#33 0x00007fc8c5428247 in std_event_loop_wait (ev=0x563d6406aef0, location=0x563d62d55083 "../source3/smbd/server.c:1397")
    at ../tevent_standard.c:145
#34 0x0000563d62d4c25e in smbd_parent_loop (parent=<optimized out>, ev_ctx=0x563d6406aef0) at ../source3/smbd/server.c:1397
#35 main (argc=<optimized out>, argv=<optimized out>) at ../source3/smbd/server.c:2164

Version:
reported on 4.6.x and also seen on 4.7.1

Steps to reproduce:
Unknown

Comment 1 Anoop C S 2018-08-03 07:04:04 UTC

(gdb) f 5
#5  0x00007fc8c876e1ce in decrement_lock_ref_count (fsp=fsp@entry=0x563d640c0af0) at ../source3/locking/posix.c:456
456		SMB_ASSERT(lock_ref_count >= 0);
(gdb) p lock_ref_count
$1 = -1
(gdb) f 8
#8  0x00007fc8c876c6a7 in brl_unlock_posix (plock=0x7ffc582da310, br_lck=0x563d640be450, msg_ctx=0x563d6406b200)
    at ../source3/locking/brlock.c:1287
1287			release_posix_lock_posix_flavour(br_lck->fsp,
(gdb) p plock->start
$2 = 0
(gdb) p plock->size
$3 = S
(gdb) f 7
#7  0x00007fc8c87703fc in release_posix_lock_posix_flavour (fsp=0x563d640c0af0, u_offset=<optimized out>, u_count=<optimized out>, 
    lock_ctx=lock_ctx@entry=0x7ffc582da310, plocks=plocks@entry=0x563d640be790, num_locks=num_locks@entry=1)
    at ../source3/locking/posix.c:1409
1409			decrement_posix_lock_count(fsp, lock_ctx->smblctx);
(gdb) p offset
$4 = 0
(gdb) p count
$5 = 9223372036854775807  <-- capped at 64 bit signed max inside posix_lock_in_range()