mangle_fns is NULL and accessing it causes this panic in mangle_is_mangled():

Program received signal SIGSEGV, Segmentation fault.
0x00007f3c0dbdf57e in mangle_is_mangled (s=0x55b02fad9ec0 "pointA", p=0x55b02fad0bc0) at ../../source3/smbd/mangle.c:86
86              return mangle_fns->is_mangled(s, p);
(gdb) bt
#0  0x00007f3c0dbdf57e in mangle_is_mangled (s=0x55b02fad9ec0 "pointA", p=0x55b02fad0bc0) at ../../source3/smbd/mangle.c:86
#1  0x00007f3c0db7b7fe in unix_convert (mem_ctx=<optimized out>, conn=<optimized out>, orig_path=<optimized out>, twrp=<optimized out>, smb_fname_out=0x7ffe9f0df3b0, ucf_flags=<optimized out>) at ../../source3/smbd/filename.c:1307
#2  0x00007f3c0dbaada2 in dfs_path_lookup (ctx=ctx@entry=0x55b02faceaa0, conn=conn@entry=0x55b02fa9b6d0, dfspath=dfspath@entry=0x55b02fa9f060 "\\\\localhost\\samba-share\\pointA", pdp=pdp@entry=0x55b02facc710, ucf_flags=ucf_flags@entry=0, _twrp=_twrp@entry=0x0, consumedcntp=0x7ffe9f0df4f4, ppreflist=0x55b02faaede0, preferral_count=0x55b02faaedd8) at ../../source3/smbd/msdfs.c:714
#3  0x00007f3c0dbab871 in get_referred_path (ctx=ctx@entry=0x55b02faceaa0, session_info=session_info@entry=0x55b02fac0a80, dfs_path=0x55b02fa9f060 "\\\\localhost\\samba-share\\pointA", remote_address=remote_address@entry=0x55b02fa9ec00, local_address=local_address@entry=0x55b02fad0710, allow_broken_path=allow_broken_path@entry=true, jucn=0x55b02faaedc0, consumedcntp=0x7ffe9f0df4f4, self_referralp=0x7ffe9f0df4f3) at ../../source3/smbd/msdfs.c:1174
#4  0x000055b02e41c4a4 in _dfs_GetInfo (p=p@entry=0x55b02fad3b48, r=r@entry=0x55b02fac15d0) at ../../source3/rpc_server/dfs/srv_dfs_nt.c:415
#5  0x000055b02e41cbca in netdfs__op_dispatch_internal (dce_call=0x55b02fad7000, mem_ctx=<optimized out>, r=0x55b02fac15d0, dispatch=S3COMPAT_RPC_DISPATCH_EXTERNAL) at ./librpc/gen_ndr/ndr_dfs_scompat.c:136
#6  0x00007f3c0e0e5ff0 in dcesrv_request (call=0x55b02fad7000) at ../../librpc/rpc/dcesrv_core.c:1957

Reproducible by:

$ make -j8 testenv SELFTEST_TESTENV=fileserver:local SCREEN=1
$ ln -s 'msdfs:\\\\localhost\\dropbox' st/fileserver/share/msdfsshare/pointA
$ bin/rpcclient $SERVER_IP -U% -c 'dfsgetinfo \\\\localhost\\msdfs-share localhost pointA'

Patch will follow.
According to a user on the samba mailing list, this also happens in rpcd_spoolss:

Stack trace of thread 128214:
#0  0x00007ff4f4560a9f raise (libc.so.6)
#1  0x00007ff4f4533e05 abort (libc.so.6)
#2  0x00007ff4f93265e9 dump_core (libsmbconf-sernet-samba.so)
#3  0x00007ff4f933371f smb_panic_s3 (libsmbconf-sernet-samba.so)
#4  0x00007ff4f8c4f658 smb_panic (libsamba-util-sernet-samba.so)
#5  0x00007ff4f8c4f6e0 sig_fault (libsamba-util-sernet-samba.so)
#6  0x00007ff4f48e9ce0 __restore_rt (libpthread.so.0)
#7  0x00007ff4f789e7a9 mangle_is_mangled (libsmbd-base-sernet-samba.so)
#8  0x00007ff4f7832403 unix_convert (libsmbd-base-sernet-samba.so)
#9  0x0000559d1517bdd1 driver_unix_convert (rpcd_spoolss)
#10 0x0000559d1517cd6c move_driver_file_to_download_area (rpcd_spoolss)
#11 0x0000559d1517f02a move_driver_to_download_area (rpcd_spoolss)
#12 0x0000559d151a6f46 _spoolss_AddPrinterDriverEx (rpcd_spoolss)
#13 0x0000559d151ad5cd spoolss__op_dispatch_internal (rpcd_spoolss)
#14 0x0000559d151adf16 spoolss__op_dispatch (rpcd_spoolss)
#15 0x00007ff4f90d3971 dcesrv_loop_next_packet (libdcerpc-server-core-sernet-samba.so)
#16 0x00007ff4f90d3ff3 dcesrv_read_fragment_done (libdcerpc-server-core-sernet-samba.so)
#17 0x00007ff4fa1f1aeb _tevent_req_notify_callback (libtevent-sernet-samba.so)
#18 0x00007ff4fa1f1b93 tevent_req_finish (libtevent-sernet-samba.so)
#19 0x00007ff4fa1f1baf _tevent_req_done (libtevent-sernet-samba.so)
#20 0x00007ff4f613f9c0 dcerpc_read_ncacn_packet_done (libdcerpc-binding-sernet-samba.so)
#21 0x00007ff4fa1f1aeb _tevent_req_notify_callback (libtevent-sernet-samba.so)
#22 0x00007ff4fa1f1b93 tevent_req_finish (libtevent-sernet-samba.so)
#23 0x00007ff4fa1f1baf _tevent_req_done (libtevent-sernet-samba.so)
#24 0x00007ff4f8eb98b7 tstream_readv_pdu_ask_for_next_vector (libsamba-sockets-sernet-samba.so)
#25 0x00007ff4f8eb9a0c tstream_readv_pdu_readv_done (libsamba-sockets-sernet-samba.so)
#26 0x00007ff4fa1f1aeb _tevent_req_notify_callback (libtevent-sernet-samba.so)
#27 0x00007ff4fa1f1b93 tevent_req_finish (libtevent-sernet-samba.so)
#28 0x00007ff4fa1f1baf _tevent_req_done (libtevent-sernet-samba.so)
#29 0x00007ff4f8eb894d tstream_readv_done (libsamba-sockets-sernet-samba.so)
#30 0x00007ff4fa1f1aeb _tevent_req_notify_callback (libtevent-sernet-samba.so)
#31 0x00007ff4fa1f1b93 tevent_req_finish (libtevent-sernet-samba.so)
#32 0x00007ff4fa1f1c3e tevent_req_trigger (libtevent-sernet-samba.so)
#33 0x00007ff4fa1f1383 tevent_common_invoke_immediate_handler (libtevent-sernet-samba.so)
#34 0x00007ff4fa1f13a7 tevent_common_loop_immediate (libtevent-sernet-samba.so)
#35 0x00007ff4fa1f7294 epoll_event_loop_once (libtevent-sernet-samba.so)
#36 0x00007ff4fa1f518f std_event_loop_once (libtevent-sernet-samba.so)
#37 0x00007ff4fa1f0486 _tevent_loop_once (libtevent-sernet-samba.so)
#38 0x00007ff4f8837ff0 rpc_worker_main (libRPC-WORKER-sernet-samba.so)
#39 0x0000559d1518e3ec main (rpcd_spoolss)
#40 0x00007ff4f454ccf3 __libc_start_main (libc.so.6)
#41 0x0000559d15172bbe _start (rpcd_spoolss)
Created attachment 17412 [details]
Potential patch

Does this help?
Yep. That works. I am evaluating if we need more:

mangle_reset_cache();
reset_stat_cache();
flush_dfree_cache();

Any comments?
(In reply to Pavel Filipenský from comment #3)
> Yep. That works. I am evaluating if we need more:
>
> mangle_reset_cache();
> reset_stat_cache();
> flush_dfree_cache();
>
> Any comments?

No, I don't think those are required. mangle_reset_cache() is a bad function name for initializing those pointers, but that's what it is.
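The failure pattern behind this report, a global function-pointer table that stays NULL until a daemon-wide initializer runs, and the class of fix discussed in the thread (make sure the initializer has run before the table is dereferenced), as an added illustration that is not Samba code. The names `mangle_ops`, `mangle_ops_init()`, `get_mangle_ops()` and the "tilde plus digit" heuristic are all hypothetical stand-ins, not the real `mangle_fns` / `mangle_reset_cache()` implementation.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical backend table (stand-in for a function-pointer table
 * such as the one behind mangle_is_mangled(); names are illustrative). */
struct mangle_ops {
    bool (*is_mangled)(const char *name);
};

/* Toy backend: call a name "mangled" when it carries a '~' followed by a
 * digit and its base name fits in 8 characters, e.g. "LONGFI~1.TXT".
 * Constructed heuristic for this example only, not Samba's algorithm. */
static bool hash_is_mangled(const char *name)
{
    const char *tilde = strchr(name, '~');
    if (tilde == NULL || !isdigit((unsigned char)tilde[1])) {
        return false;
    }
    const char *dot = strchr(name, '.');
    size_t base_len = dot ? (size_t)(dot - name) : strlen(name);
    return base_len <= 8;
}

static const struct mangle_ops hash_ops = { .is_mangled = hash_is_mangled };

/* Global table pointer that starts out NULL, like mangle_fns in the
 * crashing RPC daemons that never ran the smbd initialization path. */
static const struct mangle_ops *mangle_ops = NULL;

/* Stand-in for the initializer (mangle_reset_cache() in the thread). */
static void mangle_ops_init(void)
{
    mangle_ops = &hash_ops;
}

/* Buggy shape: unconditional dereference, SIGSEGV when the table is NULL. */
static bool unsafe_is_mangled(const char *name)
{
    return mangle_ops->is_mangled(name);
}

/* Hardened shape: an accessor that initializes the table on first use,
 * so a caller that skipped the daemon-wide init cannot hit NULL. */
static const struct mangle_ops *get_mangle_ops(void)
{
    if (mangle_ops == NULL) {
        mangle_ops_init();
    }
    return mangle_ops;
}

static bool safe_is_mangled(const char *name)
{
    return get_mangle_ops()->is_mangled(name);
}

/* Exposed for checks: is the table initialized yet? */
static bool mangle_ops_ready(void)
{
    return mangle_ops != NULL;
}

int main(void)
{
    printf("table ready before first call: %d\n", mangle_ops_ready());
    printf("pointA mangled: %d\n", safe_is_mangled("pointA"));
    printf("LONGFI~1.TXT mangled: %d\n", safe_is_mangled("LONGFI~1.TXT"));
    /* Only safe now because safe_is_mangled() ran the initializer. */
    printf("unsafe path after init: %d\n", unsafe_is_mangled("pointA"));
    return 0;
}
```

The self-initializing accessor is one way to close the gap; the other, which is what the thread settles on, is to call the existing initializer explicitly from the daemon's startup path so every entry point sees a populated table. Either way the detection signal is the same: a crash in a dispatcher whose frame shows a NULL table pointer from a process that is not smbd itself.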
I am the user who reported the crash in rpcd_spoolss. We are using the Sernet packages on Rocky Linux. So I cannot test the patch.
This bug was referenced in samba master: 11d3d2aeac599ebbedd5332c5520465970319448
Created attachment 17417 [details]
patch for v4-16
Pushed to autobuild-v4-16-test.
This bug was referenced in samba v4-16-test: c5569b4f7a5a93da1fdeaba50a3ac6771200de62
Closing out bug report. Thanks!
This bug was referenced in samba v4-16-stable (Release samba-4.16.3): c5569b4f7a5a93da1fdeaba50a3ac6771200de62