Bug 9571 - Unlink after open causes smbd to panic
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: File services
Version: 4.0.0
Hardware: All Linux
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Reported: 2013-01-18 07:10 UTC by Pavel Shilovsky
Modified: 2020-12-11 08:02 UTC

Attachments
broken unlink network trace (5.07 KB, application/vnd.tcpdump.pcap)
2013-01-18 07:10 UTC, Pavel Shilovsky
s3:smbd: fix wrong lock order in posix unlink (1.12 KB, patch)
2013-01-18 07:13 UTC, Pavel Shilovsky
git-am fix for 4.0.x e104e5a8192e9d9a2637035bec343de3c35ca21e -2 in master (4.06 KB, patch)
2013-01-25 00:46 UTC, Jeremy Allison
metze: review+
git-am fix for 3.6.next (1.21 KB, patch)
2013-01-25 00:56 UTC, Jeremy Allison
metze: review+

Description Pavel Shilovsky 2013-01-18 07:10:56 UTC
Created attachment 8444 [details]
broken unlink network trace

The following testcase reproduces the problem:
1) open a file with SHARE_ALL
2) unlink the file

The backtrace:

check lock order 1 for /var/lib/samba/smbXsrv_open_global.tdb
Lock order violation: Trying /var/lib/samba/smbXsrv_open_global.tdb at
1 while /var/lib/samba/locking.tdb at 1 is locked
lock order:  1:/var/lib/samba/locking.tdb 2:<none> 3:<none>
PANIC (pid 2992): invalid lock_order
BACKTRACE: 27 stack frames:
 #0 /usr/lib/libsmbconf.so.0(log_stack_trace+0x29) [0xb716c889]
 #1 /usr/lib/libsmbconf.so.0(smb_panic_s3+0x31) [0xb716c991]
 #2 /usr/lib/libsamba-util.so.0(smb_panic+0x3a) [0xb76a478a]
 #3 /usr/lib/samba/libdbwrap.so(+0x24e1) [0xb6abc4e1]
 #4 /usr/lib/samba/libdbwrap.so(+0x265b) [0xb6abc65b]
 #5 /usr/lib/samba/libsmbd_base.so(smbXsrv_open_close+0x275) [0xb74c48b5]
 #6 /usr/lib/samba/libsmbd_base.so(+0x157d0e) [0xb74c4d0e]
 #7 /usr/lib/libtalloc.so.2(_talloc_free+0x778) [0xb6da2308]
 #8 /usr/lib/samba/libsmbd_base.so(file_free+0xbc) [0xb741034c]
 #9 /usr/lib/samba/libsmbd_base.so(close_file+0xa71) [0xb7472611]
 #10 /usr/lib/samba/libsmbd_base.so(smbd_do_setfilepathinfo+0x17ba) [0xb7459d2a]
 #11 /usr/lib/samba/libsmbd_base.so(+0xf044f) [0xb745d44f]
 #12 /usr/lib/samba/libsmbd_base.so(reply_trans2+0x565) [0xb74601d5]
 #13 /usr/lib/samba/libsmbd_base.so(+0x1211d3) [0xb748e1d3]
 #14 /usr/lib/samba/libsmbd_base.so(+0x122305) [0xb748f305]
 #15 /usr/lib/samba/libsmbd_base.so(+0x122a99) [0xb748fa99]
 #16 /usr/lib/libsmbconf.so.0(run_events_poll+0x11c) [0xb71909cc]
 #17 /usr/lib/libsmbconf.so.0(+0x40d25) [0xb7190d25]
 #18 /usr/lib/libtevent.so.0(_tevent_loop_once+0xa8) [0xb6d94318]
 #19 /usr/lib/samba/libsmbd_base.so(smbd_process+0xea7) [0xb7491157]
 #20 /usr/sbin/smbd() [0x8051b2f]
 #21 /usr/lib/libsmbconf.so.0(run_events_poll+0x358) [0xb7190c08]
 #22 /usr/lib/libsmbconf.so.0(+0x40db8) [0xb7190db8]
 #23 /usr/lib/libtevent.so.0(_tevent_loop_once+0xa8) [0xb6d94318]
 #24 /usr/sbin/smbd(main+0x1846) [0x804d746]
 #25 /lib/libc.so.6(__libc_start_main+0xf5) [0xb6c383d5]
 #26 /usr/sbin/smbd() [0x804dcd5]

The network trace is in attachment.
Comment 1 Pavel Shilovsky 2013-01-18 07:13:41 UTC
Created attachment 8445 [details]
s3:smbd: fix wrong lock order in posix unlink

This patch fixes the problem for me.
Comment 2 Jeremy Allison 2013-01-24 22:25:18 UTC
Yep. You've identified  We don't run into this as normally we don't get a NTCreateX open followed by a POSIX close on the same SMB connection stream. I'll add an smbtorture regression test for this and get this pushed to 3.6.x, 4.0.x and master.

Jeremy.
Comment 3 Jeremy Allison 2013-01-24 23:50:36 UTC
The only change I'm going to make in this patch is to hold lck over the call to smb_set_file_disposition_info(), which is an efficiency change (so we don't drop the lock then re-acquire inside smb_set_file_disposition_info()). Won't make a difference to the ordering change.

Jeremy.
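
The lock-order rule behind the panic above, as an added example that is not part of the bug report or Samba's code: a simplified C model in which a database lock may only be taken at a higher order than every lock already held. The function names, the three-slot table and the unlock-before-close sequence are assumptions made for illustration; the database names and order values come from the log in the description.

```c
/* Simplified model of a lock-order check; constructed, not Samba's dbwrap code. */
#include <stdio.h>
#include <string.h>

#define LOCK_ORDER_MAX 3                  /* the trace prints three order slots */

static const char *held[LOCK_ORDER_MAX]; /* held[i] = db locked at order i+1 */

/* Returns 0 on success, -1 on an order violation (the point where smbd panics). */
static int order_lock(const char *db, int order)
{
    /* Model rule (assumption): a new lock needs a higher order than every lock held. */
    for (int i = order - 1; i < LOCK_ORDER_MAX; i++) {
        if (held[i] != NULL) {
            fprintf(stderr, "Lock order violation: Trying %s at %d "
                    "while %s at %d is locked\n", db, order, held[i], i + 1);
            return -1;
        }
    }
    held[order - 1] = db;
    return 0;
}

static void order_unlock(int order) { held[order - 1] = NULL; }

/*
 * unlock_first == 0: sequence in the backtrace, the close path runs while
 * locking.tdb is still locked. unlock_first == 1: assumed corrected sequence,
 * the locking.tdb lock is dropped before the close path runs.
 */
int unlink_then_close(int unlock_first)
{
    memset(held, 0, sizeof(held));
    if (order_lock("locking.tdb", 1) != 0)
        return -1;
    if (unlock_first)
        order_unlock(1);
    int rc = order_lock("smbXsrv_open_global.tdb", 1); /* taken in smbXsrv_open_close */
    memset(held, 0, sizeof(held));
    return rc;
}

int main(void)
{
    printf("close while locking.tdb locked: %d\n", unlink_then_close(0));
    printf("close after unlock:             %d\n", unlink_then_close(1));
    return 0;
}
```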
Comment 4 Jeremy Allison 2013-01-25 00:46:07 UTC
Created attachment 8480 [details]
git-am fix for 4.0.x
e104e5a8192e9d9a2637035bec343de3c35ca21e -2 in master

Contains both the fix and a regression test added to smbtorture that triggers the bug.

Jeremy.
Comment 5 Jeremy Allison 2013-01-25 00:56:58 UTC
Created attachment 8481 [details]
git-am fix for 3.6.next

Just the fix for 3.6.next, not the regression torture test.
Jeremy.
Comment 6 Stefan Metzmacher 2013-01-28 15:41:57 UTC
Comment on attachment 8481 [details]
git-am fix for 3.6.next

Looks good, it's 578909ae19d7ec9dacb960626bd1985a2915365b in master
Comment 7 Stefan Metzmacher 2013-01-28 15:42:54 UTC
Comment on attachment 8480 [details]
git-am fix for 4.0.x
e104e5a8192e9d9a2637035bec343de3c35ca21e -2 in master

Looks good, it's e104e5a8192e9d9a2637035bec343de3c35ca21e -2 in master
Comment 8 Karolin Seeger 2013-01-28 19:00:10 UTC
Pushed to v3-6-test and autobuild-v4-0-test.
Comment 9 Karolin Seeger 2013-01-28 20:45:33 UTC
Pushed to v4-0-test.
Closing out bug report.

Thanks!