Bug 9571 - Unlink after open causes smbd to panic
Unlink after open causes smbd to panic
Status: RESOLVED FIXED
Product: Samba 4.0
Classification: Unclassified
Component: File services
4.0.0
All Linux
: P5 normal
: ---
Assigned To: Karolin Seeger
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2013-01-18 07:10 UTC by Pavel Shilovsky
Modified: 2013-01-30 20:58 UTC (History)
2 users (show)

See Also:


Attachments
broken unlink network trace (5.07 KB, application/vnd.tcpdump.pcap)
2013-01-18 07:10 UTC, Pavel Shilovsky
no flags Details
s3:smbd: fix wrong lock order in posix unlink (1.12 KB, patch)
2013-01-18 07:13 UTC, Pavel Shilovsky
no flags Details
git-am fix for 4.0.x e104e5a8192e9d9a2637035bec343de3c35ca21e -2 in master (4.06 KB, patch)
2013-01-25 00:46 UTC, Jeremy Allison
jra: review? (vl)
metze: review+
Details
git-am fix for 3.6.next (1.21 KB, patch)
2013-01-25 00:56 UTC, Jeremy Allison
metze: review+
jra: review? (vl)
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Pavel Shilovsky 2013-01-18 07:10:56 UTC
Created attachment 8444 [details]
broken unlink network trace

The following testcase reproduce the problem:
1) open a file with SHARE_ALL
2) unlink the file

The backtrace:

check lock order 1 for /var/lib/samba/smbXsrv_open_global.tdb
Lock order violation: Trying /var/lib/samba/smbXsrv_open_global.tdb at
1 while /var/lib/samba/locking.tdb at 1 is locked
lock order:  1:/var/lib/samba/locking.tdb 2:<none> 3:<none>
PANIC (pid 2992): invalid lock_order
BACKTRACE: 27 stack frames:
 #0 /usr/lib/libsmbconf.so.0(log_stack_trace+0x29) [0xb716c889]
 #1 /usr/lib/libsmbconf.so.0(smb_panic_s3+0x31) [0xb716c991]
 #2 /usr/lib/libsamba-util.so.0(smb_panic+0x3a) [0xb76a478a]
 #3 /usr/lib/samba/libdbwrap.so(+0x24e1) [0xb6abc4e1]
 #4 /usr/lib/samba/libdbwrap.so(+0x265b) [0xb6abc65b]
 #5 /usr/lib/samba/libsmbd_base.so(smbXsrv_open_close+0x275) [0xb74c48b5]
 #6 /usr/lib/samba/libsmbd_base.so(+0x157d0e) [0xb74c4d0e]
 #7 /usr/lib/libtalloc.so.2(_talloc_free+0x778) [0xb6da2308]
 #8 /usr/lib/samba/libsmbd_base.so(file_free+0xbc) [0xb741034c]
 #9 /usr/lib/samba/libsmbd_base.so(close_file+0xa71) [0xb7472611]
 #10 /usr/lib/samba/libsmbd_base.so(smbd_do_setfilepathinfo+0x17ba) [0xb7459d2a]
 #11 /usr/lib/samba/libsmbd_base.so(+0xf044f) [0xb745d44f]
 #12 /usr/lib/samba/libsmbd_base.so(reply_trans2+0x565) [0xb74601d5]
 #13 /usr/lib/samba/libsmbd_base.so(+0x1211d3) [0xb748e1d3]
 #14 /usr/lib/samba/libsmbd_base.so(+0x122305) [0xb748f305]
 #15 /usr/lib/samba/libsmbd_base.so(+0x122a99) [0xb748fa99]
 #16 /usr/lib/libsmbconf.so.0(run_events_poll+0x11c) [0xb71909cc]
 #17 /usr/lib/libsmbconf.so.0(+0x40d25) [0xb7190d25]
 #18 /usr/lib/libtevent.so.0(_tevent_loop_once+0xa8) [0xb6d94318]
 #19 /usr/lib/samba/libsmbd_base.so(smbd_process+0xea7) [0xb7491157]
 #20 /usr/sbin/smbd() [0x8051b2f]
 #21 /usr/lib/libsmbconf.so.0(run_events_poll+0x358) [0xb7190c08]
 #22 /usr/lib/libsmbconf.so.0(+0x40db8) [0xb7190db8]
 #23 /usr/lib/libtevent.so.0(_tevent_loop_once+0xa8) [0xb6d94318]
 #24 /usr/sbin/smbd(main+0x1846) [0x804d746]
 #25 /lib/libc.so.6(__libc_start_main+0xf5) [0xb6c383d5]
 #26 /usr/sbin/smbd() [0x804dcd5]

The network trace is in attachment.
Comment 1 Pavel Shilovsky 2013-01-18 07:13:41 UTC
Created attachment 8445 [details]
s3:smbd: fix wrong lock order in posix unlink

This patch fixes the problem for me.
Comment 2 Jeremy Allison 2013-01-24 22:25:18 UTC
Yep. You've identified  We don't run into this as normaly we don't get a NTCreateX open followed by a POSIX close on the same SMB connection stream. I'll add an smbtorture regression test for this and get this pushed to 3.6.x, 4.0.x and master.

Jeremy.
Comment 3 Jeremy Allison 2013-01-24 23:50:36 UTC
The only change I'm going to make in this patch is to hold lck over the call to smb_set_file_disposition_info(), which is an efficiency change (so we don't drop the lock then re-acquire inside smb_set_file_disposition_info()). Won't make a difference to the ordering change.

Jeremy.
Comment 4 Jeremy Allison 2013-01-25 00:46:07 UTC
Created attachment 8480 [details]
git-am fix for 4.0.x
e104e5a8192e9d9a2637035bec343de3c35ca21e -2 in master

Contains both the fix and a regression test added to smbtorture that triggers the bug.

Jeremy.
Comment 5 Jeremy Allison 2013-01-25 00:56:58 UTC
Created attachment 8481 [details]
git-am fix for 3.6.next

Just the fix for 3.6.next, not the regression torture test.
Jeremy.
Comment 6 Stefan Metzmacher 2013-01-28 15:41:57 UTC
Comment on attachment 8481 [details]
git-am fix for 3.6.next

Looks good, it's 578909ae19d7ec9dacb960626bd1985a2915365b in master
Comment 7 Stefan Metzmacher 2013-01-28 15:42:54 UTC
Comment on attachment 8480 [details]
git-am fix for 4.0.x
e104e5a8192e9d9a2637035bec343de3c35ca21e -2 in master

Looks good, it's e104e5a8192e9d9a2637035bec343de3c35ca21e -2 in master
Comment 8 Karolin Seeger 2013-01-28 19:00:10 UTC
Pushed to v3-6-test and autobuild-v4-0-test.
Comment 9 Karolin Seeger 2013-01-28 20:45:33 UTC
Pushed to v4-0-test.
Closing out bug report.

Thanks!