15836 – PANIC: assert failed at source3/smbd/smb2_oplock.c(156): sconn->oplocks.exclusive_open>=0

Bug 15836 - PANIC: assert failed at source3/smbd/smb2_oplock.c(156): sconn->oplocks.exclusive_open>=0

Summary: PANIC: assert failed at source3/smbd/smb2_oplock.c(156): sconn->oplocks.exclu...

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	File services (show other bugs)
Version:	4.22.0
Hardware:	x64 Linux

Importance:	P5 major (vote)
Target Milestone:	---
Assignee:	Jule Anger
QA Contact:	Samba QA Contact

URL:
Keywords:

Duplicates (1):	15846 (view as bug list)
Depends on:
Blocks:

Reported:	2025-03-19 21:06 UTC by timo
Modified:	2025-04-17 17:16 UTC (History)
CC List:	4 users (show)

See Also:	https://gitlab.com/samba-team/samba/-/merge_requests/4013

Attachments
Patch for 4.22 cherry-picked from master (5.22 KB, patch) 2025-03-28 08:53 UTC, Ralph Böhme	metze: review+	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description timo 2025-03-19 21:06:16 UTC

Since version 4.22.0, samba panics when one specific client (a HP Color LaserJet Pro MFP M477fdw printer) tries to access a share.

The issue is not present in version 4.21.x.

The panic log:

[2025/03/15 23:41:09.323009,  0] source3/smbd/smb2_oplock.c:156(release_file_oplock)
  PANIC: assert failed at source3/smbd/smb2_oplock.c(156): sconn->oplocks.exclusive_open>=0
[2025/03/15 23:41:09.323109,  0] lib/util/fault.c:178(smb_panic_log)
  ===============================================================
[2025/03/15 23:41:09.323132,  0] lib/util/fault.c:179(smb_panic_log)
  INTERNAL ERROR: assert failed: sconn->oplocks.exclusive_open>=0 in smbd (smbd[192.168.10) (client [192.168.10.20]) pid 1500210 (4.22.0-Debian-4.22.0+dfsg-1)
[2025/03/15 23:41:09.323153,  0] lib/util/fault.c:186(smb_panic_log)
  If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting
[2025/03/15 23:41:09.323190,  0] lib/util/fault.c:191(smb_panic_log)
  ===============================================================
[2025/03/15 23:41:09.323210,  0] lib/util/fault.c:192(smb_panic_log)
  PANIC (pid 1500210): assert failed: sconn->oplocks.exclusive_open>=0 in 4.22.0-Debian-4.22.0+dfsg-1
[2025/03/15 23:41:09.324071,  0] lib/util/fault.c:303(log_stack_trace)
  BACKTRACE: 26 stack frames:
   #0 /usr/lib/x86_64-linux-gnu/samba/libgenrand-private-samba.so.0(log_stack_trace+0x2d) [0x7f9cc1a2e5bd]
   #1 /usr/lib/x86_64-linux-gnu/samba/libgenrand-private-samba.so.0(smb_panic+0xd) [0x7f9cc1a2e85d]
   #2 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base-private-samba.so.0(release_file_oplock+0xf5) [0x7f9cc1ec3f45]
   #3 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base-private-samba.so.0(close_file_smb+0x6f8) [0x7f9cc1e62ff8]
   #4 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base-private-samba.so.0(+0xc333e) [0x7f9cc1e9c33e]
   #5 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base-private-samba.so.0(smbd_smb2_request_process_close+0x1ee) [0x7f9cc1e9cd7e]
   #6 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base-private-samba.so.0(smbd_smb2_request_dispatch+0x1b04) [0x7f9cc1e8f184]
   #7 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base-private-samba.so.0(+0xb77f2) [0x7f9cc1e907f2]
   #8 /lib/x86_64-linux-gnu/libtevent.so.0(tevent_common_invoke_fd_handler+0x95) [0x7f9cc1b9c815]
   #9 /lib/x86_64-linux-gnu/libtevent.so.0(+0xfa76) [0x7f9cc1ba3a76]
   #10 /lib/x86_64-linux-gnu/libtevent.so.0(+0xd48b) [0x7f9cc1ba148b]
   #11 /lib/x86_64-linux-gnu/libtevent.so.0(_tevent_loop_once+0x93) [0x7f9cc1b9b953]
   #12 /lib/x86_64-linux-gnu/libtevent.so.0(tevent_common_loop_wait+0x1b) [0x7f9cc1b9bc4b]
   #13 /lib/x86_64-linux-gnu/libtevent.so.0(+0xd41b) [0x7f9cc1ba141b]
   #14 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base-private-samba.so.0(smbd_process+0x895) [0x7f9cc1e7d0e5]
   #15 smbd: client [192.168.10.20](+0xa1e7) [0x563947b541e7]
   #16 /lib/x86_64-linux-gnu/libtevent.so.0(tevent_common_invoke_fd_handler+0x95) [0x7f9cc1b9c815]
   #17 /lib/x86_64-linux-gnu/libtevent.so.0(+0xfa76) [0x7f9cc1ba3a76]
   #18 /lib/x86_64-linux-gnu/libtevent.so.0(+0xd48b) [0x7f9cc1ba148b]
   #19 /lib/x86_64-linux-gnu/libtevent.so.0(_tevent_loop_once+0x93) [0x7f9cc1b9b953]
   #20 /lib/x86_64-linux-gnu/libtevent.so.0(tevent_common_loop_wait+0x1b) [0x7f9cc1b9bc4b]
   #21 /lib/x86_64-linux-gnu/libtevent.so.0(+0xd41b) [0x7f9cc1ba141b]
   #22 smbd: client [192.168.10.20](main+0x14a0) [0x563947b51330]
   #23 /lib/x86_64-linux-gnu/libc.so.6(+0x29ca8) [0x7f9cc180cca8]
   #24 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0x85) [0x7f9cc180cd65]
   #25 smbd: client [192.168.10.20](_start+0x21) [0x563947b51e31]
[2025/03/15 23:41:09.324416,  0] source3/lib/util.c:700(call_panic_action)
  call_panic_action: Calling panic action [/usr/share/samba/panic-action 1500210]
[2025/03/15 23:41:09.367958,  0] source3/lib/util.c:723(call_panic_action)
  call_panic_action: action returned status 0
[2025/03/15 23:41:09.368245,  0] source3/lib/dumpcore.c:316(dump_core)
  dumping core in /var/log/samba/cores/smbd

I've also reported this bug here: 

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100604

Comment 1 Michael Tokarev 2025-03-20 07:33:51 UTC

It is interesting that when forcing SMB2 protocol on samba, and a connect is made from a win11 client, I see a lot of leases for almost every file in the share:

Locked files:
Pid          User(ID)   DenyMode   Access      R/W        Oplock           SharePath   Name   Time
--------------------------------------------------------------------------------------------------
1914078      1000       DENY_NONE  0x100081    RDONLY     LEASE(RH)        /home/mjt   sav/src/tinycdb/git/debian/libcdb1/usr/share/doc/libcdb1   Thu Mar 20 10:27:32 2025
1914078      1000       DENY_NONE  0x100081    RDONLY     LEASE(RH)        /home/mjt   sav/src/tinycdb/git/debian/libcdb-dev/usr   Thu Mar 20 10:27:32 2025
1914078      1000       DENY_NONE  0x100081    RDONLY     LEASE(RH)        /home/mjt   sav/src/ups/test/apcupsd/apcupsd-3.14.10/src/drivers/snmplite   Thu Mar 20 10:27:32 2025
1914078      1000       DENY_NONE  0x100081    RDONLY     LEASE(RH)        /home/mjt   sav/src/rbldnsd/sorbs   Thu Mar 20 10:27:31 2025
1914078      1000       DENY_NONE  0x100081    RDONLY     LEASE(RH)        /home/mjt   sav/src/rbldnsd/tmp   Thu Mar 20 10:27:31 2025
1914078      1000       DENY_NONE  0x100081    RDONLY     LEASE(RH)        /home/mjt   sav/src/tinycdb/git/debian/libcdb-dev/usr/lib   Thu Mar 20 10:27:32 2025
1914078      1000       DENY_NONE  0x100081    RDONLY     LEASE(RH)        /home/mjt   sav/src/tdb/tdb-1.2.1/libreplace   Thu Mar 20 10:27:31 2025
1914078      1000       DENY_NONE  0x100081    RDONLY     LEASE(RH)        /home/mjt   sav/src/ups/test/apcupsd/apcupsd-3.14.10/platforms/openbsd   Thu Mar 20 10:27:32 2025
1914078      1000       DENY_NONE  0x100081    RDONLY     LEASE(RH)        /home/mjt   sav/src/sysstats/rrd-mars   Thu Mar 20 10:27:31 2025
1914078      1000       DENY_NONE  0x100081    RDONLY     LEASE(RH)        /home/mjt   sav/src/ups/test/apcupsd/apcupsd-3.14.10/src/drivers/pcnet/packets   Thu Mar 20 10:27:32 2025
1914078      1000       DENY_NONE  0x100081    RDONLY     LEASE(RH)        /home/mjt   sav/src/ups/test/apcupsd/apcupsd-3.14.10/platforms/darwin   Thu Mar 20 10:27:32 2025
1914078      1000       DENY_NONE  0x100081    RDONLY     LEASE(RH)        /home/mjt   sav/src/tdb/tdb-1.2.1/docs   Thu Mar 20 10:27:31 2025
1914078      1000       DENY_NONE  0x100081    RDONLY     LEASE(RH)        /home/mjt   sav/src/tinycdb/git/debian/tinycdb/usr/share/man   Thu Mar 20 10:27:32 2025
1914078      1000       DENY_NONE  0x100081    RDONLY     LEASE(RH)        /home/mjt   sav/src/tdb/tdb-1.2.1/include   Thu Mar 20 10:27:31 2025
1914078      1000       DENY_NONE  0x100081    RDONLY     LEASE(RH)        /home/mjt   sav/src/execenv/libcap-1.10/libcap/include/sys   Thu Mar 20 10:27:31 2025
1914078      1000       DENY_NONE  0x100081    RDONLY     LEASE(RH)        /home/mjt   sav/src/sredir   Thu Mar 20 10:27:31 2025
1914078      1000       DENY_NONE  0x100081    RDONLY     LEASE(RH)        /home/mjt   sav/src/netcat/netcat-1.10/data   Thu Mar 20 10:27:31 2025
1914078      1000       DENY_NONE  0x100081    RDONLY     LEASE(RH)        /home/mjt   sav/src/tinycdb/git/debian   Thu Mar 20 10:27:32 2025
1914078      1000       DENY_NONE  0x100081    RDONLY     LEASE(RH)        /home/mjt   sav/acc/acc2   Thu Mar 20 10:27:31 2025
1914078      1000       DENY_NONE  0x100081    RDONLY     LEASE(RH)        /home/mjt   sav/src/chat/uucp   Thu Mar 20 10:27:31 2025
1914078      1000       DENY_NONE  0x100081    RDONLY     LEASE(RH)        /home/mjt   sav/src/ups/test/apcupsd/apcupsd-3.14.10/examples/status   Thu Mar 20 10:27:32 2025
...many many more files are listed...

This is after a plain connect in win explorer, no fancy stuff like hitting "Folder Properties" menu item in Explorer (which will walk through all files recursively to calculate folder size) or the like.

I don't see this happening with the default server min protocol = SMB3.

Comment 2 Ralph Böhme 2025-03-20 11:31:41 UTC

Can someone who can reproduce this please submit the following:
- smb.conf
- network trace including full connection and minimal reproducer from the affected client (and only that one)
- client specific Samba debug log of minimal reproducer with level 10

<https://wiki.samba.org/index.php/Client_specific_logging>
<https://wiki.samba.org/index.php/Capture_Packets#Tracing_SMB_traffic_of_a_specific_client>

Comment 3 timo 2025-03-21 21:27:11 UTC

Hereby the requested logs.

https://www.van-roermund.nl/temp/samba_panic_logs.zip

I included two logs:
- once with samba 4.21, which works as expected
- once with samba 4.22, whereby samba panics

Note: in the second case, the printer presumably repeatedly tries to access the share. Samba crashes (panics) a few times and eventually (after > 1 minute) the scan seems to succeed.

Comment 4 Ralph Böhme 2025-03-22 17:58:54 UTC

(In reply to timo from comment #3)
Thanks! That nailed it.

Comment 5 timo 2025-03-23 17:21:17 UTC

Great! Thanks for your efforts.

I will validate/confirm the fix when a new release is available.

Comment 6 timo 2025-03-27 23:37:49 UTC

I've just validated that the latest version of the patch resolves the issue. Thanks!

Comment 7 Samba QA Contact 2025-03-28 07:54:13 UTC

This bug was referenced in samba master:

9ecaa4095643729bf5f9c93316d577b603190449
4b3f45e13f9c11920924c034a457ea2cb8e15e18

Comment 8 Ralph Böhme 2025-03-28 08:53:33 UTC

Created attachment 18621 [details]
Patch for 4.22 cherry-picked from master

Comment 9 Jule Anger 2025-03-28 13:54:07 UTC

Pushed to autobuild-v4-22-test.

Comment 10 Samba QA Contact 2025-03-28 14:54:14 UTC

This bug was referenced in samba v4-22-test:

400ac7b108d49629b030b6600f0c4193b4c952d4
a2f2a714848d2257a7abe1e487b455e0caeb7526

Comment 11 Jule Anger 2025-03-28 16:18:47 UTC

Closing out bug report.

Thanks!

Comment 12 Ralph Böhme 2025-04-10 09:05:37 UTC

*** Bug 15846 has been marked as a duplicate of this bug. ***

Comment 13 Samba QA Contact 2025-04-17 17:16:15 UTC

This bug was referenced in samba v4-22-stable (Release samba-4.22.1):

400ac7b108d49629b030b6600f0c4193b4c952d4
a2f2a714848d2257a7abe1e487b455e0caeb7526