Bug 8286 - smb crash on premature end of smb2 connection
Summary: smb crash on premature end of smb2 connection
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.6
Classification: Unclassified
Component: File services (show other bugs)
Version: 3.6.0rc2
Hardware: All All
: P5 major
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-07-04 15:55 UTC by Christian Ambach
Modified: 2011-07-05 17:42 UTC (History)
1 user (show)

See Also:

Attachments
Patch for 3.6 (1.27 KB, patch)
2011-07-04 21:26 UTC, Christian Ambach 		metze: review+
Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Christian Ambach 2011-07-04 15:55:04 UTC 
On premature end of a smb2 connection, smbd crashes when trying to clean up:

#7  0x00007f1a98d8c4ae in get_share_mode_lock (mem_ctx=<value optimized out>, id=..., servicepath=0x0, smb_fname=0x0, old_write_time=0x0)
    at locking/locking.c:978
#8  0x00007f1a98b381d7 in close_remove_share_mode (req=0x0, fsp=0x7f1a9b44de40, close_type=SHUTDOWN_CLOSE) at smbd/close.c:298
#9  close_normal_file (req=0x0, fsp=0x7f1a9b44de40, close_type=SHUTDOWN_CLOSE) at smbd/close.c:658
#10 0x00007f1a98b390f5 in close_file (req=0x0, fsp=0x7f1a9b44de40, close_type=SHUTDOWN_CLOSE) at smbd/close.c:1105
#11 0x00007f1a98add2fc in file_close_conn (conn=0x7f1a9b46c7d0) at smbd/files.c:156
#12 0x00007f1a98b51e7c in close_cnum (conn=0x7f1a9b46c7d0, vuid=35017) at smbd/service.c:1286
#13 0x00007f1a98b693fa in smbd_smb2_tcon_destructor (tcon=0x7f1a9b4571f0) at smbd/smb2_tcon.c:137
#14 0x00007f1a9678ffe5 in _talloc_free_internal (ptr=0x7f1a9b4571f0, location=0x7f1a9909d809 "smbd/smb2_sesssetup.c:138") at ../lib/talloc/talloc.c:826
#15 0x00007f1a98b66c6c in smbd_smb2_session_destructor (session=0x7f1a9b44bf50) at smbd/smb2_sesssetup.c:138
#16 0x00007f1a9678ffe5 in _talloc_free_internal (ptr=0x7f1a9b44bf50, location=0x7f1a99279f0e "smbd/server_exit.c:163") at ../lib/talloc/talloc.c:826
#17 0x00007f1a9678fd93 in _talloc_free_children_internal (ptr=0x7f1a9b440580, location=0x7f1a99279f0e "smbd/server_exit.c:163")
    at ../lib/talloc/talloc.c:1268
#18 _talloc_free_internal (ptr=0x7f1a9b440580, location=0x7f1a99279f0e "smbd/server_exit.c:163") at ../lib/talloc/talloc.c:845
#19 0x00007f1a9906d7c7 in exit_server_common (how=SERVER_EXIT_NORMAL, reason=0x7f1a990b5ed0 "NT_STATUS_INVALID_PARAMETER") at smbd/server_exit.c:163
#20 0x00007f1a9906da7e in exit_server_cleanly (explanation=0x7f1a9b47d010 "") at smbd/server_exit.c:205
#21 0x00007f1a98b651db in smbd_server_connection_terminate_ex (sconn=<value optimized out>, reason=0x7f1a990b5ed0 "NT_STATUS_INVALID_PARAMETER", 
    location=0x7f1a9909c821 "smbd/smb2_server.c:2186") at smbd/smb2_server.c:583
#22 0x00007f1a98b5141e in process_smb (sconn=0x7f1a9b440580, inbuf=0x7f1a9b47ce30 "", nread=101, unread_bytes=0, seqnum=<value optimized out>, 
    encrypted=false, deferred_pcd=0x0) at smbd/process.c:1675


lock_db is already null when the destructor tries to clean up the locks

Patch coming through autobuild
Comment 1 Christian Ambach 2011-07-04 21:26:52 UTC 
Created attachment 6665 [details]
Patch for 3.6
Comment 2 Stefan Metzmacher 2011-07-05 07:10:40 UTC 
Comment on attachment 6665 [details]
Patch for 3.6

Looks good
Comment 3 Stefan Metzmacher 2011-07-05 07:11:40 UTC 
Do you have a backtrace of the problem?
Comment 4 Stefan Metzmacher 2011-07-05 07:15:16 UTC 
(In reply to comment #3)
> Do you have a backtrace of the problem?

Ups, sorry I just need to read the bug report...
Comment 5 Stefan Metzmacher 2011-07-05 07:16:20 UTC 
Karolin, please pick this one.
Comment 6 Karolin Seeger 2011-07-05 17:42:17 UTC 
Pushed to v3-6-test.
Closing out bug report.

Thanks!