15664 – Panic in vfs_offload_token_db_fetch_fsp()

Bug 15664 - Panic in vfs_offload_token_db_fetch_fsp()

Summary: Panic in vfs_offload_token_db_fetch_fsp()

Status:	ASSIGNED

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	File services (show other bugs)
Version:	4.17.10
Hardware:	All Linux

Importance:	P5 major (vote)
Target Milestone:	---
Assignee:	Jule Anger
QA Contact:	Samba QA Contact

URL:	https://gitlab.com/samba-team/samba/-...
Keywords:

Depends on:
Blocks:

Reported:	2024-06-13 17:50 UTC by Sri
Modified:	2024-06-19 14:35 UTC (History)
CC List:	4 users (show)

See Also:

Attachments
Patches for v4-20-test (5.43 KB, text/plain) 2024-06-19 08:55 UTC, Stefan Metzmacher	vl: review+ npower: review+ slow: review+	Details
Patches for v4-19-test (5.43 KB, text/plain) 2024-06-19 08:57 UTC, Stefan Metzmacher	vl: review+ npower: review+ slow: review+	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sri 2024-06-13 17:50:07 UTC

Samba 4.17.10 in domain member mode on Linux.  IOCTL causes panic with the following backtrace:


#0  0x00007f6ecaf28387 in raise () from /lib64/libc.so.6
#1  0x00007f6ecaf29a78 in abort () from /lib64/libc.so.6
#2  0x00007f6ecddda3a9 in dump_core () at ../../source3/lib/dumpcore.c:338
#3  0x00007f6ecdde7e6c in smb_panic_s3 (why=<optimized out>) at ../../source3/lib/util.c:713
#4  0x00007f6ecbd3488a in smb_panic (why=why@entry=0x7ffdc71af6d0 "Signal 11: Segmentation fault") at ../../lib/util/fault.c:198
#5  0x00007f6ecbd34915 in fault_report (sig=<optimized out>) at ../../lib/util/fault.c:82
#6  sig_fault (sig=11) at ../../lib/util/fault.c:93
#7  <signal handler called>
#8  vfs_offload_token_db_fetch_fsp (ctx=0x0, token_blob=token_blob@entry=0x56504b49db60, fsp=fsp@entry=0x7ffdc71b04b8)
    at ../../source3/modules/offload_token.c:203
#9  0x00007f6ece4d0688 in vfswrap_offload_write_send (handle=<optimized out>, mem_ctx=<optimized out>, ev=0x56504b3d0230, fsctl=1327346,
    token=0x56504b49db60, transfer_offset=0, dest_fsp=0x56504b4e1950, dest_off=0, to_copy=505856) at ../../source3/modules/vfs_default.c:2255
#10 0x00007f6ece54b7b1 in fsctl_srv_copychunk_loop (req=req@entry=0x56504b49d950) at ../../source3/smbd/smb2_ioctl_network_fs.c:199
#11 0x00007f6ece54c301 in fsctl_srv_copychunk_send (smb2req=<optimized out>, in_max_output=12, in_input=0x56504b49ca68, dst_fsp=0x56504b4e1950,
    ctl_code=1263409488, ev=0x56504b3d0230, mem_ctx=0x56504b49ca50) at ../../source3/smbd/smb2_ioctl_network_fs.c:165
#12 smb2_ioctl_network_fs (ctl_code=ctl_code@entry=1327346, ev=ev@entry=0x56504b3d0230, req=req@entry=0x56504b49c890, state=0x56504b49ca50)
    at ../../source3/smbd/smb2_ioctl_network_fs.c:632
#13 0x00007f6ece549499 in smbd_smb2_ioctl_send (in_flags=1, in_max_output=12, in_input=..., in_ctl_code=1327346, fsp=0x56504b4e1950,
    smb2req=0x56504b4d9080, ev=0x56504b3d0230, mem_ctx=0x56504b4d9080) at ../../source3/smbd/smb2_ioctl.c:465
#14 smbd_smb2_request_process_ioctl (req=req@entry=0x56504b4d9080) at ../../source3/smbd/smb2_ioctl.c:224
#15 0x00007f6ece535f07 in smbd_smb2_request_dispatch (req=req@entry=0x56504b4d9080) at ../../source3/smbd/smb2_server.c:3452
#16 0x00007f6ece538000 in smbd_smb2_io_handler (fde_flags=<optimized out>, xconn=0x56504b4c3f40) at ../../source3/smbd/smb2_server.c:5045
#17 smbd_smb2_connection_handler (ev=<optimized out>, fde=<optimized out>, flags=<optimized out>, private_data=<optimized out>)
    at ../../source3/smbd/smb2_server.c:5083
#18 0x00007f6ecb2c7824 in tevent_common_invoke_fd_handler () from /lib64/libtevent.so.0
#19 0x00007f6ecb2cdf87 in epoll_event_loop_once () from /lib64/libtevent.so.0
#20 0x00007f6ecb2cbf87 in std_event_loop_once () from /lib64/libtevent.so.0
#21 0x00007f6ecb2c6c6d in _tevent_loop_once () from /lib64/libtevent.so.0
#22 0x00007f6ecb2c6ecb in tevent_common_loop_wait () from /lib64/libtevent.so.0
#23 0x00007f6ecb2cbf27 in std_event_loop_wait () from /lib64/libtevent.so.0
#24 0x00007f6ece5243d4 in smbd_process (ev_ctx=ev_ctx@entry=0x56504b3d0230, msg_ctx=msg_ctx@entry=0x56504b3df870, sock_fd=sock_fd@entry=39,
    interactive=interactive@entry=false) at ../../source3/smbd/smb2_process.c:2048
#25 0x00005650493e3d08 in smbd_accept_connection (ev=0x56504b3d0230, fde=<optimized out>, flags=<optimized out>, private_data=<optimized out>)
    at ../../source3/smbd/server.c:1037
#26 0x00007f6ecb2c7824 in tevent_common_invoke_fd_handler () from /lib64/libtevent.so.0
#27 0x00007f6ecb2cdf87 in epoll_event_loop_once () from /lib64/libtevent.so.0
#28 0x00007f6ecb2cbf87 in std_event_loop_once () from /lib64/libtevent.so.0
#29 0x00007f6ecb2c6c6d in _tevent_loop_once () from /lib64/libtevent.so.0
#30 0x00007f6ecb2c6ecb in tevent_common_loop_wait () from /lib64/libtevent.so.0
#31 0x00007f6ecb2cbf27 in std_event_loop_wait () from /lib64/libtevent.so.0
#32 0x00005650493e0c57 in smbd_parent_loop (parent=<optimized out>, ev_ctx=0x56504b3d0230) at ../../source3/smbd/server.c:1381
#33 main (argc=<optimized out>, argv=<optimized out>) at ../../source3/smbd/server.c:2125

Comment 1 Samba QA Contact 2024-06-17 18:03:04 UTC

This bug was referenced in samba master:

372476aeb003e9c608cd2c0a78a9c577b57ba8f4
462b74da79c51f9ba6dbd24e603aa904485d5123

Comment 2 Stefan Metzmacher 2024-06-19 08:55:54 UTC

Created attachment 18344 [details]
Patches for v4-20-test

Comment 3 Stefan Metzmacher 2024-06-19 08:57:13 UTC

Created attachment 18345 [details]
Patches for v4-19-test

Comment 4 Ralph Böhme 2024-06-19 09:14:52 UTC

Reassigning to Jule for inclusion in 4.19 and 4.20.

Comment 5 Jule Anger 2024-06-19 09:26:55 UTC

Pushed to autobuild-v4-{20,19}-test.

Comment 6 Samba QA Contact 2024-06-19 14:08:13 UTC

This bug was referenced in samba v4-20-test:

d7e0b5933fa4a76f004ef62fa55b260cbb825e80
b3ce5a86489e53ab6874ef52cfde79be3bff249b

Comment 7 Samba QA Contact 2024-06-19 14:35:18 UTC

This bug was referenced in samba v4-20-stable (Release samba-4.20.2):

d7e0b5933fa4a76f004ef62fa55b260cbb825e80
b3ce5a86489e53ab6874ef52cfde79be3bff249b