Bug 8286 - smb crash on premature end of smb2 connection
Summary: smb crash on premature end of smb2 connection
Alias: None
Product: Samba 3.6
Classification: Unclassified
Component: File services
Version: 3.6.0rc2
Hardware: All
OS: All
Importance: P5 major
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Reported: 2011-07-04 15:55 UTC by Christian Ambach
Modified: 2011-07-05 17:42 UTC

Patch for 3.6 (1.27 KB, patch)
2011-07-04 21:26 UTC, Christian Ambach
metze: review+

Description Christian Ambach 2011-07-04 15:55:04 UTC
On premature end of an SMB2 connection, smbd crashes when trying to clean up:

#7  0x00007f1a98d8c4ae in get_share_mode_lock (mem_ctx=<value optimized out>, id=..., servicepath=0x0, smb_fname=0x0, old_write_time=0x0)
    at locking/locking.c:978
#8  0x00007f1a98b381d7 in close_remove_share_mode (req=0x0, fsp=0x7f1a9b44de40, close_type=SHUTDOWN_CLOSE) at smbd/close.c:298
#9  close_normal_file (req=0x0, fsp=0x7f1a9b44de40, close_type=SHUTDOWN_CLOSE) at smbd/close.c:658
#10 0x00007f1a98b390f5 in close_file (req=0x0, fsp=0x7f1a9b44de40, close_type=SHUTDOWN_CLOSE) at smbd/close.c:1105
#11 0x00007f1a98add2fc in file_close_conn (conn=0x7f1a9b46c7d0) at smbd/files.c:156
#12 0x00007f1a98b51e7c in close_cnum (conn=0x7f1a9b46c7d0, vuid=35017) at smbd/service.c:1286
#13 0x00007f1a98b693fa in smbd_smb2_tcon_destructor (tcon=0x7f1a9b4571f0) at smbd/smb2_tcon.c:137
#14 0x00007f1a9678ffe5 in _talloc_free_internal (ptr=0x7f1a9b4571f0, location=0x7f1a9909d809 "smbd/smb2_sesssetup.c:138") at ../lib/talloc/talloc.c:826
#15 0x00007f1a98b66c6c in smbd_smb2_session_destructor (session=0x7f1a9b44bf50) at smbd/smb2_sesssetup.c:138
#16 0x00007f1a9678ffe5 in _talloc_free_internal (ptr=0x7f1a9b44bf50, location=0x7f1a99279f0e "smbd/server_exit.c:163") at ../lib/talloc/talloc.c:826
#17 0x00007f1a9678fd93 in _talloc_free_children_internal (ptr=0x7f1a9b440580, location=0x7f1a99279f0e "smbd/server_exit.c:163")
    at ../lib/talloc/talloc.c:1268
#18 _talloc_free_internal (ptr=0x7f1a9b440580, location=0x7f1a99279f0e "smbd/server_exit.c:163") at ../lib/talloc/talloc.c:845
#19 0x00007f1a9906d7c7 in exit_server_common (how=SERVER_EXIT_NORMAL, reason=0x7f1a990b5ed0 "NT_STATUS_INVALID_PARAMETER") at smbd/server_exit.c:163
#20 0x00007f1a9906da7e in exit_server_cleanly (explanation=0x7f1a9b47d010 "") at smbd/server_exit.c:205
#21 0x00007f1a98b651db in smbd_server_connection_terminate_ex (sconn=<value optimized out>, reason=0x7f1a990b5ed0 "NT_STATUS_INVALID_PARAMETER", 
    location=0x7f1a9909c821 "smbd/smb2_server.c:2186") at smbd/smb2_server.c:583
#22 0x00007f1a98b5141e in process_smb (sconn=0x7f1a9b440580, inbuf=0x7f1a9b47ce30 "", nread=101, unread_bytes=0, seqnum=<value optimized out>, 
    encrypted=false, deferred_pcd=0x0) at smbd/process.c:1675

lock_db is already NULL when the destructor tries to clean up the locks.

Patch coming through autobuild.
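The teardown order the backtrace shows, as an added illustrative model that is neither Samba code nor the attached patch (the page does not show the patch's contents): a global share-mode database handle is closed, and then the talloc destructor chain (session, tcon, files) runs and calls into it. The NULL guard in get_share_mode_lock() and the "close the database last" ordering below are both assumptions chosen to demonstrate the two ways out of this class of bug; the status codes and structure names are stand-ins that only echo the frames in the trace.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Illustrative model of the report's teardown-order bug: not Samba code.
 * Names echo the backtrace; the guard and the ordering fix are assumptions. */

#define NT_STATUS_OK             0
#define NT_STATUS_INTERNAL_ERROR 1   /* assumed stand-in for an error status */

/* Stand-in for the global lock_db in locking/locking.c. */
struct db_context { int share_modes; };
static struct db_context *lock_db = NULL;

struct files_struct { int fnum; };

struct connection_struct {            /* what close_cnum() tears down */
    struct files_struct *files;
    size_t nfiles;
    int leaked;                       /* share-mode entries never removed */
};

struct smbd_server_connection { struct connection_struct *tcon; };

static int locking_init(void)
{
    lock_db = calloc(1, sizeof(*lock_db));
    return lock_db ? NT_STATUS_OK : NT_STATUS_INTERNAL_ERROR;
}

static void locking_end(void) { free(lock_db); lock_db = NULL; }

/* Model of get_share_mode_lock(). The unguarded original dereferences
 * lock_db unconditionally, which is the crash in frame #7. This version
 * (an assumed guard, not the real patch) refuses to proceed instead. */
static int get_share_mode_lock(struct files_struct *fsp)
{
    if (lock_db == NULL) {
        fprintf(stderr, "get_share_mode_lock: lock_db already closed (fnum %d)\n",
                fsp->fnum);
        return NT_STATUS_INTERNAL_ERROR;
    }
    lock_db->share_modes--;           /* drop this file's share-mode entry */
    return NT_STATUS_OK;
}

/* close_file(SHUTDOWN_CLOSE) -> close_remove_share_mode() in the trace. */
static void close_file(struct connection_struct *conn, struct files_struct *fsp)
{
    if (get_share_mode_lock(fsp) != NT_STATUS_OK) conn->leaked++;
}

/* tcon destructor: close_cnum() -> file_close_conn() over every open file. */
static void tcon_destructor(struct connection_struct *conn)
{
    for (size_t i = 0; i < conn->nfiles; i++) close_file(conn, &conn->files[i]);
}

static struct connection_struct *open_tcon(size_t nfiles)
{
    struct connection_struct *conn = calloc(1, sizeof(*conn));
    conn->files = calloc(nfiles, sizeof(*conn->files));
    conn->nfiles = nfiles;
    for (size_t i = 0; i < nfiles; i++) {
        conn->files[i].fnum = (int)i;
        lock_db->share_modes++;       /* each open file holds one entry */
    }
    return conn;
}

/* Returns how many share-mode entries the connection failed to remove.
 * db_first == true reproduces the reported order: the lock database is
 * gone before the destructor chain that still needs it runs. */
static int exit_server_common(bool db_first, size_t nfiles)
{
    locking_init();
    struct smbd_server_connection sconn = { .tcon = open_tcon(nfiles) };
    int leaked;

    if (db_first) locking_end();      /* reported order: lock_db is now NULL */
    tcon_destructor(sconn.tcon);      /* what talloc_free(sconn) triggers */
    leaked = sconn.tcon->leaked;
    if (!db_first) locking_end();     /* assumed fix: close the db last */

    free(sconn.tcon->files);
    free(sconn.tcon);
    return leaked;
}

int main(void)
{
    printf("db closed first: %d leaked share modes\n", exit_server_common(true, 3));
    printf("db closed last:  %d leaked share modes\n", exit_server_common(false, 3));
    return 0;
}
```

The point of keeping both variants: the NULL guard alone turns a remotely triggerable crash into a logged error, but in this model every open file's share-mode entry is then left behind, so the ordering fix (destroy the dependents before the resource they depend on) is what actually completes cleanup. Which of the two the real attachment 6665 does is not visible on this page.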
Comment 1 Christian Ambach 2011-07-04 21:26:52 UTC
Created attachment 6665
Patch for 3.6
Comment 2 Stefan Metzmacher 2011-07-05 07:10:40 UTC
Comment on attachment 6665
Patch for 3.6

Looks good
Comment 3 Stefan Metzmacher 2011-07-05 07:11:40 UTC
Do you have a backtrace of the problem?
Comment 4 Stefan Metzmacher 2011-07-05 07:15:16 UTC
(In reply to comment #3)
> Do you have a backtrace of the problem?

Oops, sorry, I just need to read the bug report...
Comment 5 Stefan Metzmacher 2011-07-05 07:16:20 UTC
Karolin, please pick this one.
Comment 6 Karolin Seeger 2011-07-05 17:42:17 UTC
Pushed to v3-6-test.
Closing out bug report.