Bug 15354 - mdssvc may crash when initializing
Summary: mdssvc may crash when initializing
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DCE-RPCs and pipes
Version: 4.17.4
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
Depends on:
Reported: 2023-04-06 08:43 UTC by Ralph Böhme
Modified: 2023-05-11 07:11 UTC

Patch for 4.17 and 4.18 cherry-picked from master (3.12 KB, patch)
2023-04-11 13:42 UTC, Ralph Böhme
jra: review+

Comment 1 Ralph Böhme 2023-04-06 12:36:39 UTC
The posix_pending_close_db is NULL and we crash when trying to close a
file descriptor:

   #4 /usr/lib64/samba/libdbwrap-samba4.so(dbwrap_parse_record+0xe) [0x7fbc5d05c8ae]
   #5 /usr/lib64/samba/libdbwrap-samba4.so(dbwrap_fetch_int32+0x38) [0x7fbc5d05d438]
   #6 /usr/lib64/samba/libsmbd-base-samba4.so(fd_close_posix+0x7b) [0x7fbc5e276f8b]
   #7 /usr/lib64/samba/libsmbd-base-samba4.so(+0x57900) [0x7fbc5e28a900]
   #8 /usr/lib64/samba/libsmbd-base-samba4.so(fd_close+0x68) [0x7fbc5e2b7ea8]
   #9 /usr/lib64/samba/libsmbd-base-samba4.so(+0x62608) [0x7fbc5e295608]
   #10 /usr/lib64/samba/libtalloc-samba4.so(_talloc_free+0x51b) [0x7fbc5d9f439b]
   #11 /usr/lib64/samba/vfs/fruit.so(+0xcac2) [0x7fbc45fcdac2]
   #12 /usr/lib64/samba/vfs/fruit.so(+0xcbdd) [0x7fbc45fcdbdd]
   #13 /usr/lib64/samba/vfs/fruit.so(+0xf603) [0x7fbc45fd0603]
   #14 /usr/lib64/samba/libsmbd-base-samba4.so(+0x56375) [0x7fbc5e289375]
   #15 /usr/lib64/samba/vfs/nothingtoseeherereally.so(+0x196c) [0x7fbc467f996c]
   #16 /usr/lib64/samba/vfs/streams_xattr.so(+0x51fc) [0x7fbc461e71fc]
   #17 /usr/lib64/samba/libsmbd-base-samba4.so(+0xade3a) [0x7fbc5e2e0e3a]
   #18 /usr/lib64/samba/libsmbd-base-samba4.so(create_conn_struct_cwd+0x44) [0x7fbc5e2e1cf4]
   #19 /usr/libexec/samba/rpcd_mdssvc(mds_init_ctx+0x2c3) [0x563fdac08f03]
   #20 /usr/libexec/samba/rpcd_mdssvc(_mdssvc_open+0x141) [0x563fdac0b4d1]

The corresponding open is done as part of initializing a connection_struct
object, where we chdir() and stat() the root path of the share. The stat() in
vfs_fruit causes an expensive metadata request on the path which triggers an
internal open of a pathref handle. Note that this only affects servers that have
fruit:metadata = netatalk set, which is the default unfortunately.
Comment 2 Samba QA Contact 2023-04-07 21:13:04 UTC
This bug was referenced in samba master:

Comment 3 Ralph Böhme 2023-04-11 13:42:50 UTC
Created attachment 17857
Patch for 4.17 and 4.18 cherry-picked from master
Comment 4 Jeremy Allison 2023-04-11 20:44:56 UTC
Re-assigning to Jule for inclusion in 4.17.next, 4.18.next.
Comment 5 Jule Anger 2023-04-14 12:24:38 UTC
Pushed to autobuild-v4-{18,17}-test.
Comment 6 Samba QA Contact 2023-04-14 13:31:13 UTC
This bug was referenced in samba v4-17-test:

Comment 7 Samba QA Contact 2023-04-16 16:40:04 UTC
This bug was referenced in samba v4-18-test:

Comment 8 Jule Anger 2023-04-17 07:24:47 UTC
Closing out bug report.

Comment 9 Samba QA Contact 2023-04-19 10:24:36 UTC
This bug was referenced in samba v4-18-stable (Release samba-4.18.2):

Comment 10 Samba QA Contact 2023-05-11 07:11:27 UTC
This bug was referenced in samba v4-17-stable (Release samba-4.17.8):
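
An added example, not part of the bug report or of Samba's code: a small audit helper that lists the shares matching the condition in Comment 1 (vfs_fruit loaded with `fruit:metadata = netatalk`, including the unset default) and checks a version string against the fixed releases named in comments 9 and 10. It assumes fruit is loaded through `vfs objects` and that shares inherit `[global]` values; the function names and the sample configuration are constructed, and it does not check whether mdssvc is in use.

```python
import configparser
import re

# Releases that carry the fix, taken from comments 9 and 10 of this report.
FIXED_PATCH = {(4, 17): 8, (4, 18): 2}

def version_has_fix(version):
    """True/False for the 4.17 and 4.18 series, None for any other series."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = map(int, m.groups())
    fixed = FIXED_PATCH.get((major, minor))
    return None if fixed is None else patch >= fixed

def shares_with_netatalk_metadata(smb_conf_text):
    """Names of shares that load vfs_fruit with fruit:metadata = netatalk."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    # Strip indentation so configparser does not read it as line continuation.
    cp.read_string("\n".join(line.strip() for line in smb_conf_text.splitlines()))
    glob = next((cp[s] for s in cp.sections() if s.lower() == "global"), {})
    hits = []
    for name in cp.sections():
        if name.lower() == "global":
            continue
        def param(key, default):
            # Assumption: a share inherits [global] unless it sets the key itself.
            return cp[name].get(key, glob.get(key, default)).strip().lower()
        modules = re.split(r"[\s,]+", param("vfs objects", ""))
        # Comment 1 states that netatalk is the default when the option is unset.
        if "fruit" in modules and param("fruit:metadata", "netatalk") == "netatalk":
            hits.append(name)
    return hits

# Constructed sample configuration, not taken from the bug report.
SAMPLE_CONF = """
[global]
    vfs objects = fruit streams_xattr
[macshare]
    path = /srv/mac
[tmshare]
    path = /srv/tm
    fruit:metadata = stream
[plain]
    path = /srv/plain
    vfs objects =
"""
if __name__ == "__main__":
    print(shares_with_netatalk_metadata(SAMPLE_CONF), version_has_fix("4.17.4"))
```

A `None` result from `version_has_fix` means this page names no fixed release for that series, not that the series is unaffected.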