Smbd crash while closing connection
Shilpa K
shilpa.krishnareddy at gmail.com
Wed Feb 25 04:22:21 MST 2015
Hi Volker,
Actually, code changes are in multiple places to tailor Samba for our site
specific use. This particular crash seems to have been reported couple of
times (with 3.3 and 3.5.15):
https://bugzilla.samba.org/show_bug.cgi?id=6724
https://lists.samba.org/archive/samba-technical/2012-May/083909.html
Like Richard suggests in the above technical list, is it ok to return when
the service name is NULL?
Thanks,
Shilpa
On Wed, Feb 25, 2015 at 4:28 PM, Volker Lendecke <Volker.Lendecke at sernet.de>
wrote:
> On Wed, Feb 25, 2015 at 02:53:33PM +0530, Shilpa K wrote:
> > Hello,
> >
> > We have encountered smbd crash with following foot prints:
> >
> > Thread 7 (Thread 8038021c0 (LWP 101981)):
> > #0 0x0000000802e17ffc in thr_kill () from /lib/libc.so.7
> > #1 0x0000000802eb358b in abort () from /lib/libc.so.7
> > #2 0x0000000000798f41 in dump_core () at lib/fault.c:414
> > #3 0x00000000007a96ff in smb_panic (why=<optimized out>) at
> lib/util.c:1133
> > #4 0x00000000007995e2 in fault_report (sig=<optimized out>) at
> lib/fault.c:53
> > #5 sig_fault (sig=11) at lib/fault.c:76
> > #6 <signal handler called>
> > #7 0x0000000802e9320a in strlcpy () from /lib/libc.so.7
> > #8 0x00000000007b459b in connections_fetch_entry
> > (mem_ctx=0x803875050, conn=0x803849c50, name=0x0) at lib/conn_tdb.c:63
> > #9 0x00000000004b4de4 in yield_connection (conn=0x803849c50,
> > name=0x0) at smbd/connection.c:37
> > #10 0x000000000052556b in close_cnum (conn=0x803849c50, vuid=36947) at
> > smbd/service.c:1383
> > #11 0x0000000000539ec8 in smbd_smb2_tcon_destructor (tcon=0x8038674d0)
> > at smbd/smb2_tcon.c:138
> > #12 0x000000080297fe72 in _talloc_free_internal (ptr=0x8038674d0,
> > location=0xa3565a "smbd/smb2_tcon.c:339") at
> > ../lib/talloc/talloc.c:826
> > #13 0x00000000005395be in smbd_smb2_request_process_tdis
> > (req=0x80424d110) at smbd/smb2_tcon.c:339
> > #14 0x0000000000535206 in smbd_smb2_request_dispatch (req=0x80424d110)
> > at smbd/smb2_server.c:1544
> > #15 0x0000000000535b4e in smbd_smb2_request_incoming
> > (subreq=0x80386c510) at smbd/smb2_server.c:2771
> > #16 0x0000000000533b7c in smbd_smb2_request_read_done
> > (subreq=0x80386c390) at smbd/smb2_server.c:2614
> > #17 0x00000000005cd861 in tstream_readv_pdu_queue_done
> > (subreq=0x80386ced0) at ../lib/tsocket/tsocket_helpers.c:423
> > #18 0x00000000005cdc13 in tstream_readv_pdu_readv_done
> > (subreq=0x80386cb10) at ../lib/tsocket/tsocket_helpers.c:316
> > #19 0x00000000005ccc92 in tstream_readv_done (subreq=0x80386cf90) at
> > ../lib/tsocket/tsocket.c:604
> > #20 0x00000000007b91c0 in tevent_common_loop_immediate
> > (ev=0x80380e110) at ../lib/tevent/tevent_immediate.c:139
> > #21 0x00000000007b7485 in run_events_poll (ev=0x80380e110, pollrtn=0,
> > pfds=0x0, num_pfds=0) at lib/events.c:197
> > #22 0x0000000000523d5d in smbd_server_connection_loop_once
> > (conn=<optimized out>) at smbd/process.c:1005
> > #23 smbd_process (sconn=0x803811350) at smbd/process.c:3181
> > #24 0x0000000000a078d2 in smbd_accept_connection (ev=<optimized out>,
> > fde=<optimized out>, flags=<optimized out>, private_data=<optimized
> > out>) at smbd/server.c:675
> > #25 0x00000000007b77a1 in run_events_poll (ev=0x80380e110,
> > pollrtn=<optimized out>, pfds=0x803810990, num_pfds=7) at
> > lib/events.c:286
> > #26 0x00000000007b7c0f in s3_event_loop_once (ev=0x80380e110,
> > location=<optimized out>) at lib/events.c:349
> > #27 0x00000000007b7fc1 in _tevent_loop_once (ev=0x80380e110,
> > location=0xc15096 "smbd/server.c:981") at ../lib/tevent/tevent.c:494
> > #28 0x0000000000a095ee in smbd_parent_loop (parent=<optimized out>) at
> > smbd/server.c:981
> > #29 main (argc=<optimized out>, argv=<optimized out>) at
> smbd/server.c:1475
> >
> >
> > It is failing at below line as name is NULL:
> >
> > strlcpy(ckey.name, name, sizeof(ckey.name));
> >
> > I see that we are passing service name based on service number to
> >
> > yield_connection(conn, lp_servicename(SNUM(conn)));
> >
> >
> > In this case, snum is 1:
> > (gdb) p (conn)->params->service
> > $3 = 1
> >
> > The corresponding entry in ServicePtrs is NULL:
> >
> > (gdb) p *ServicePtrs[1]
> > $4 = {valid = false, autoloaded = false, usershare = 0,
> usershare_last_mod
> > = {tv_sec = 0, tv_nsec = 0}, szService = 0x0, szPath = 0x0, szUsername =
> > 0x0, szInvalidUsers = 0x0,
> > szValidUsers = 0x0, szAdminUsers = 0x0,............
> >
> > Can you please let me know as to why ServicePtrs entry can become NULL?
> >
> > BTW, we are running Samba 3.6.12 version with additional code changes.
>
> What area have your code changes happened? I'm asking
> because I've never seen this reported with unmodified
> 3.6.12. Can you post your changes somewhere?
>
> Thanks,
>
> Volker
>
> --
> SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
> phone: +49-551-370000-0, fax: +49-551-370000-9
> AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
> http://www.sernet.de, mailto:kontakt at sernet.de
>
More information about the samba-technical
mailing list