14910 – Segfault / panic whenever connected macOS client (Monterey) reboots if "server multi channel support" is set to Yes

Bug 14910 - Segfault / panic whenever connected macOS client (Monterey) reboots if "server multi channel support" is set to Yes

Summary: Segfault / panic whenever connected macOS client (Monterey) reboots if "serve...

Status:	RESOLVED INVALID

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	File services (show other bugs)
Version:	4.13.14
Hardware:	x64 Linux

Importance:	P5 major (vote)
Target Milestone:	---
Assignee:	Samba QA Contact
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2021-11-17 16:23 UTC by Nate Stuyvesant
Modified:	2021-12-02 20:37 UTC (History)
CC List:	2 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Nate Stuyvesant 2021-11-17 16:23:34 UTC

Did a clean installation of Ubuntu Server 21.10 then the current Ubuntu release of Samba (4.13.14-Ubuntu).

Samba is configured as a standalone server for file serving to macOS clients only. The clients are running macOS Monterey (12.0.1).

Here's the /etc/samba/smb.conf:
[global]
allow dns updates = disabled
bind interfaces only = Yes
client min protocol = SMB3_02
dcerpc endpoint servers = rpcecho
delete veto files = Yes
disable netbios = Yes
disable spoolss = Yes
dns forwarder = 192.168.1.1
dns proxy = No
# Do not need core dumps (but Samba docs say to leave it alone)
;enable core files = No
enhanced browsing = No
# Next line requires catia (needed if no Windows clients?)
fruit:encoding = native
fruit:metadata = stream
# Next line never worked
;fruit:model = Macmini7
# Do not use NFS access control entries
fruit:nfs_aces = No
# Enable extended attributes (requires streams_xattr)
fruit:resource = xattr
# Next line is already the default
;fruit:zero_file_id = Yes
# Next line appears to do nothing for macOS clients
;fstype = Samba
host msdfs = No
inherit acls = Yes
inherit permissions = Yes
interfaces = lan
lm announce = No
load printers = No
log file = /var/log/samba/log.smbd
log level = 1
logging = file
max log size = 10000
# Next 2 lines defer mDNS config to Avahi (better for icon and Time Machine)
mdns name = mdns
multicast dns register = No
name resolve order = host bcast
pam password change = Yes
panic action = /usr/share/samba/panic-action %d
passwd chat = "*New Password:*" %n\n "*Reenter New Password:*" %n\n "*Password changed.*"
passwd program = /usr/bin/passwd %u
printcap cache time = 0
printcap name = /dev/null
printing = bsd
restrict anonymous = 2
rpc_daemon:spoolssd = disabled
rpc_server:epmapper = disabled
rpc_server:winreg = disabled
rpc_server:lsarpc = disabled
rpc_server:samr = disabled
rpc_server:netlogon = disabled
rpc_server:netdfs = disabled
rpc_server:dssetup = disabled
rpc_server:wkssvc = disabled
rpc_server:spoolss = disabled
rpc_server:svcctl = disabled
rpc_server:ntsvcs = disabled
rpc_server:eventlog = disabled
rpc_server:initshutdown = disabled
rpc_server:mdssvc = disabled
server max protocol = SMB3_11
server min protocol = SMB3_02
# Next line experimental until 4.15 - macOS clients support multi-channel SMB3
server multi channel support = Yes
server role = standalone server
server services = rpc, smb
server string = %h server (Samba 4.13.14, Ubuntu 21.10)
show add printer wizard = No
smb ports = 445
unix password sync = Yes
use sendfile = Yes
veto files = /._*/.DS_Store/
vfs objects = catia fruit streams_xattr

[homes]
browseable = No
comment = Home Directory
fruit:time machine = No
guest ok = No
spotlight = No
valid users = %S
writable = Yes

[Backup]
comment = Time Machine
fruit:time machine = Yes
guest ok = No
path = /external/%U
spotlight = No
valid users = %U
writable = Yes

Here's the /etc/nsmb.conf on each of the macOS clients:
signing_required = no
protocol_vers_map=6
port445=no_netbios

Here's the panic mailed to root each time a macOS client reboots while connected:
The Samba 'panic action' script, /usr/share/samba/panic-action,
was called for PID 24963 (/usr/sbin/smbd).

This means there was a problem with the program, such as a segfault.
Below is a backtrace for this process generated with gdb, which shows
the state of the program at the time the error occurred.  The Samba log
files may contain additional information about the problem.

If the problem persists, you are encouraged to first install the
samba-dbgsym package, which contains the debugging symbols for the Samba
binaries.  Then submit the provided information as a bug report to
Ubuntu by visiting this link:
https://launchpad.net/ubuntu/+source/samba/+filebug

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
0x00007fb71b7be70f in __GI___wait4 (pid=25382, stat_loc=stat_loc@entry=0x7ffd2c2bb578, options=options@entry=0, usage=usage@entry=0x0) at ..
/sysdeps/unix/sysv/linux/wait4.c:30
#0  0x00007fb71b7be70f in __GI___wait4 (pid=25382, stat_loc=stat_loc@entry=0x7ffd2c2bb578, options=options@entry=0, usage=usage@entry=0x0) a
t ../sysdeps/unix/sysv/linux/wait4.c:30
#1  0x00007fb71b7be68b in __GI___waitpid (pid=<optimized out>, stat_loc=stat_loc@entry=0x7ffd2c2bb578, options=options@entry=0) at waitpid.c
:38
#2  0x00007fb71b72594b in do_system (line=<optimized out>) at ../sysdeps/posix/system.c:171
#3  0x00007fb71bc4842f in smb_panic_s3 () from /lib/x86_64-linux-gnu/libsmbconf.so.0
#4  0x00007fb71bcb8fdb in smb_panic () from /lib/x86_64-linux-gnu/libsamba-util.so.0
#5  0x00007fb71bcb92b5 in ?? () from /lib/x86_64-linux-gnu/libsamba-util.so.0
#6  <signal handler called>
#7  0x0000000000000000 in ?? ()
#8  0x00007fb71b26448f in dbwrap_record_delete () from /usr/lib/x86_64-linux-gnu/samba/libdbwrap.so.0
#9  0x00007fb71be805e5 in smbXsrv_session_logoff () from /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0
#10 0x00007fb71be62e17 in ?? () from /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0
#11 0x00007fb71b8ff8ea in tevent_common_invoke_immediate_handler () from /lib/x86_64-linux-gnu/libtevent.so.0
#12 0x00007fb71b8ff90e in tevent_common_loop_immediate () from /lib/x86_64-linux-gnu/libtevent.so.0
#13 0x00007fb71b905760 in ?? () from /lib/x86_64-linux-gnu/libtevent.so.0
#14 0x00007fb71b903afb in ?? () from /lib/x86_64-linux-gnu/libtevent.so.0
#15 0x00007fb71b8feb28 in _tevent_loop_once () from /lib/x86_64-linux-gnu/libtevent.so.0
#16 0x00007fb71b8fee0b in tevent_common_loop_wait () from /lib/x86_64-linux-gnu/libtevent.so.0
#17 0x00007fb71b903a8b in ?? () from /lib/x86_64-linux-gnu/libtevent.so.0
#18 0x00007fb71be4cc38 in smbd_process () from /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0
#19 0x000055cc54ea793d in smbd_accept_connection (ev=0x55cc551e1c20, fde=<optimized out>, flags=<optimized out>, private_data=<optimized out
>) at ../../source3/smbd/server.c:1014
#20 0x00007fb71b8ff4a1 in tevent_common_invoke_fd_handler () from /lib/x86_64-linux-gnu/libtevent.so.0
#21 0x00007fb71b90597f in ?? () from /lib/x86_64-linux-gnu/libtevent.so.0
#22 0x00007fb71b903afb in ?? () from /lib/x86_64-linux-gnu/libtevent.so.0
#23 0x00007fb71b8feb28 in _tevent_loop_once () from /lib/x86_64-linux-gnu/libtevent.so.0
#24 0x00007fb71b8fee0b in tevent_common_loop_wait () from /lib/x86_64-linux-gnu/libtevent.so.0
#25 0x00007fb71b903a8b in ?? () from /lib/x86_64-linux-gnu/libtevent.so.0
#26 0x000055cc54ea5c3b in smbd_parent_loop (parent=0x55cc551f5040, ev_ctx=0x55cc551e1c20) at ../../source3/smbd/server.c:1361
#27 main (argc=<optimized out>, argv=<optimized out>) at ../../source3/smbd/server.c:2214
A debugging session is active.

This is what shows in /var/log/samba/log.smbd:
[2021/11/17 11:21:31.378403,  0] ../../lib/util/fault.c:159(smb_panic_log)
  ===============================================================
[2021/11/17 11:21:31.378525,  0] ../../lib/util/fault.c:160(smb_panic_log)
  INTERNAL ERROR: Signal 11: Segmentation fault in pid 24963 (4.13.14-Ubuntu)
[2021/11/17 11:21:31.378565,  0] ../../lib/util/fault.c:164(smb_panic_log)
  If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting
[2021/11/17 11:21:31.378595,  0] ../../lib/util/fault.c:169(smb_panic_log)
  ===============================================================
[2021/11/17 11:21:31.378621,  0] ../../lib/util/fault.c:170(smb_panic_log)
  PANIC (pid 24963): Signal 11: Segmentation fault in 4.13.14-Ubuntu
[2021/11/17 11:21:31.379046,  0] ../../lib/util/fault.c:274(log_stack_trace)
  BACKTRACE: 4 stack frames:
   #0 /lib/x86_64-linux-gnu/libsamba-util.so.0(log_stack_trace+0x34) [0x7fb71bcb63f4]
   #1 /lib/x86_64-linux-gnu/libsamba-util.so.0(smb_panic+0x2a) [0x7fb71bcb8fca]
   #2 /lib/x86_64-linux-gnu/libsamba-util.so.0(+0x232b5) [0x7fb71bcb92b5]
   #3 /lib/x86_64-linux-gnu/libc.so.6(+0x46520) [0x7fb71b717520]
[2021/11/17 11:21:31.379162,  0] ../../source3/lib/util.c:838(smb_panic_s3)
  smb_panic(): calling panic action [/usr/share/samba/panic-action 24963]
gdb: warning: Couldn't determine a path for the index cache directory.
30	../sysdeps/unix/sysv/linux/wait4.c: No such file or directory.
[2021/11/17 11:21:32.341990,  0] ../../source3/lib/util.c:845(smb_panic_s3)
  smb_panic(): action returned status 0
[2021/11/17 11:21:32.342045,  0] ../../source3/lib/dumpcore.c:317(dump_core)
  coredump is handled by helper binary specified at /proc/sys/kernel/core_pattern

It's 100% reproducible.

Comment 1 Chris Boot 2021-11-23 11:59:11 UTC

I am also seeing the same issue, with a slightly different environment:

Samba 4.13.14-Debian (from Debian unstable / testing)
macOS Monterey 12.1 Beta (21C5039b) on an M1 MacBook Pro

My smb.conf, via testparm to strip out the junk and with irrelevant shares removed:

[global]
        allow insecure wide links = Yes
        client ipc signing = required
        client signing = required
        debug pid = Yes
        disable netbios = Yes
        kerberos method = system keytab
        logging = file
        mdns name = mdns
        obey pam restrictions = Yes
        pam password change = Yes
        panic action = /usr/share/samba/panic-action %d
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        passwd program = /usr/bin/passwd %u
        realm = AD.BOOTC.NET
        security = ADS
        server multi channel support = Yes
        server role = member server
        unix password sync = Yes
        usershare allow guests = Yes
        winbind nss info = rfc2307
        winbind use default domain = Yes
        workgroup = BOOTC
        fruit:model = RackMac
        idmap config *:range = 70001-80000
        idmap config bootc:range = 500-40000
        idmap config bootc:unix_nss_info = yes
        idmap config bootc:schema_mode = rfc2307
        idmap config bootc:backend = ad
        idmap config * : backend = tdb
        map archive = No
        smb encrypt = required
        vfs objects = catia fruit streams_xattr io_uring

[Time Machine]
        comment = Time Machine
        path = /tank/time_machine/%U
        read only = No
        fruit:time machine max size = 2T
        fruit:time machine = yes

The stack trace in my case looks similar but slightly different:

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
0x00007f74df793c46 in wait4 () from /lib/x86_64-linux-gnu/libc.so.6
#0  0x00007f74df793c46 in wait4 () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007f74df712a73 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#2  0x00007f74dfbe20cf in smb_panic_s3 () from /lib/x86_64-linux-gnu/libsmbconf.so.0
#3  0x00007f74dfc77627 in smb_panic () from /lib/x86_64-linux-gnu/libsamba-util.so.0
#4  0x00007f74dfc77831 in ?? () from /lib/x86_64-linux-gnu/libsamba-util.so.0
#5  <signal handler called>
#6  0x00007f74df8df070 in ?? () from /lib/x86_64-linux-gnu/libtalloc.so.2
#7  0x00007f74df318a5b in dbwrap_record_delete () from /usr/lib/x86_64-linux-gnu/samba/libdbwrap.so.0
#8  0x00007f74dfe41ff1 in smbXsrv_session_logoff () from /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0
#9  0x00007f74dfe28533 in ?? () from /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0
#10 0x00007f74df897b4a in tevent_common_invoke_immediate_handler () from /lib/x86_64-linux-gnu/libtevent.so.0
#11 0x00007f74df897b6a in tevent_common_loop_immediate () from /lib/x86_64-linux-gnu/libtevent.so.0
#12 0x00007f74df89d84c in ?? () from /lib/x86_64-linux-gnu/libtevent.so.0
#13 0x00007f74df89bc07 in ?? () from /lib/x86_64-linux-gnu/libtevent.so.0
#14 0x00007f74df896df4 in _tevent_loop_once () from /lib/x86_64-linux-gnu/libtevent.so.0
#15 0x00007f74df89709b in tevent_common_loop_wait () from /lib/x86_64-linux-gnu/libtevent.so.0
#16 0x00007f74df89bba7 in ?? () from /lib/x86_64-linux-gnu/libtevent.so.0
#17 0x00007f74dfe13518 in smbd_process () from /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0
#18 0x000055b548928ae5 in ?? ()
#19 0x00007f74df89770d in tevent_common_invoke_fd_handler () from /lib/x86_64-linux-gnu/libtevent.so.0
#20 0x00007f74df89da77 in ?? () from /lib/x86_64-linux-gnu/libtevent.so.0
#21 0x00007f74df89bc07 in ?? () from /lib/x86_64-linux-gnu/libtevent.so.0
#22 0x00007f74df896df4 in _tevent_loop_once () from /lib/x86_64-linux-gnu/libtevent.so.0
#23 0x00007f74df89709b in tevent_common_loop_wait () from /lib/x86_64-linux-gnu/libtevent.so.0
#24 0x00007f74df89bba7 in ?? () from /lib/x86_64-linux-gnu/libtevent.so.0
#25 0x000055b548925d33 in main ()

Comment 2 Chris Boot 2021-11-23 12:11:20 UTC

Here's a different view of the same backtrace via coredumpctl with more debug symbols available:

#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:49
#1  0x00007f74df6ef536 in __GI_abort () at abort.c:79
#2  0x00007f74dfbc0360 in dump_core () from /lib/x86_64-linux-gnu/libsmbconf.so.0
#3  0x00007f74dfbe20b1 in smb_panic_s3 () from /lib/x86_64-linux-gnu/libsmbconf.so.0
#4  0x00007f74dfc77627 in smb_panic (why=why@entry=0x7ffe1d496490 "Signal 11: Segmentation fault") at ../../lib/util/fault.c:184
#5  0x00007f74dfc77831 in fault_report (sig=11) at ../../lib/util/fault.c:82
#6  sig_fault (sig=11) at ../../lib/util/fault.c:93
#7  <signal handler called>
#8  0x00007f74df8df070 in ?? () from /lib/x86_64-linux-gnu/libtalloc.so.2
#9  0x00007f74df318a5b in dbwrap_record_delete () from /usr/lib/x86_64-linux-gnu/samba/libdbwrap.so.0
#10 0x00007f74dfe41ff1 in smbXsrv_session_logoff () from /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0
#11 0x00007f74dfe28533 in ?? () from /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0
#12 0x00007f74df897b4a in tevent_common_invoke_immediate_handler (im=0x55b549232ff0, removed=removed@entry=0x0) at ../../tevent_immediate.c:166
#13 0x00007f74df897b6a in tevent_common_loop_immediate (ev=ev@entry=0x55b54902ac20) at ../../tevent_immediate.c:203
#14 0x00007f74df89d84c in epoll_event_loop_once (ev=0x55b54902ac20, location=<optimized out>) at ../../tevent_epoll.c:918
#15 0x00007f74df89bc07 in std_event_loop_once (ev=0x55b54902ac20, location=0x7f74dff54208 "../../source3/smbd/process.c:4212") at ../../tevent_standard.c:110
#16 0x00007f74df896df4 in _tevent_loop_once (ev=ev@entry=0x55b54902ac20, location=location@entry=0x7f74dff54208 "../../source3/smbd/process.c:4212") at ../../tevent.c:772
#17 0x00007f74df89709b in tevent_common_loop_wait (ev=0x55b54902ac20, location=0x7f74dff54208 "../../source3/smbd/process.c:4212") at ../../tevent.c:895
#18 0x00007f74df89bba7 in std_event_loop_wait (ev=0x55b54902ac20, location=0x7f74dff54208 "../../source3/smbd/process.c:4212") at ../../tevent_standard.c:141
#19 0x00007f74dfe13518 in smbd_process () from /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0
#20 0x000055b548928ae5 in ?? ()
#21 0x00007f74df89770d in tevent_common_invoke_fd_handler (fde=fde@entry=0x55b549078880, flags=1, removed=removed@entry=0x0) at ../../tevent_fd.c:138
#22 0x00007f74df89da77 in epoll_event_loop (tvalp=0x7ffe1d496fa0, epoll_ev=0x55b54903d1a0) at ../../tevent_epoll.c:736
#23 epoll_event_loop_once (ev=<optimized out>, location=<optimized out>) at ../../tevent_epoll.c:937
#24 0x00007f74df89bc07 in std_event_loop_once (ev=0x55b54902ac20, location=0x55b54892f4f8 "../../source3/smbd/server.c:1361") at ../../tevent_standard.c:110
#25 0x00007f74df896df4 in _tevent_loop_once (ev=ev@entry=0x55b54902ac20, location=location@entry=0x55b54892f4f8 "../../source3/smbd/server.c:1361") at ../../tevent.c:772
#26 0x00007f74df89709b in tevent_common_loop_wait (ev=0x55b54902ac20, location=0x55b54892f4f8 "../../source3/smbd/server.c:1361") at ../../tevent.c:895
#27 0x00007f74df89bba7 in std_event_loop_wait (ev=0x55b54902ac20, location=0x55b54892f4f8 "../../source3/smbd/server.c:1361") at ../../tevent_standard.c:141
#28 0x000055b548925d33 in main ()

Comment 3 Nate Stuyvesant 2021-12-01 17:33:42 UTC

The segfault panic appears to only happen when my macOS (Monterey 12.0.1) clients reboot while a share on Samba 4.13.14-Ubuntu is mounted AND this is enabled in the smb.conf:
server multi channel support = Yes

I did the following to correct the issue:
- Commented out that line in the /etc/samba/smb.conf file (defaults to No)
- Restarted the service
- Mounted a share from a macOS client
- Rebooted macOS client

No segfault panic.

Comment 4 Stefan Metzmacher 2021-12-02 09:11:45 UTC

Just don't use multichannel in 4.13

Comment 5 Nate Stuyvesant 2021-12-02 14:05:24 UTC

As mentioned, I turned it off for my configuration and things have stabilized.

Would like server multi channel support to work in the future as macOS's SMB client supports it (and presumably this would improve performance).

Marking this as RESOLVED is not correct unless you're throwing in the towel on server multi channel support.

Comment 6 Volker Lendecke 2021-12-02 20:37:31 UTC

https://www.samba.org/samba/history/samba-4.15.0.html has:

"server multi channel support" no longer experimental

Closing this again as INVALID, Samba never claimed this to be stable in 4.13. Please try 4.15. If you still have problems there, please re-open.