SMBD cores in create_volume_objectid

[Shilpa K]

Hello,

On a linux system running Samba 4.2, SMBD cored with following foot-prints:

#0  0x00007f3619e0f41b in push_ucs2_talloc () from
/usr/local/samba/lib/libsamba-util.so.0
#1  0x00007f36180e6387 in E_md4hash () from /usr/local/samba/lib/private/
libcliauth-samba4.so
#2  0x00007f361995c175 in create_volume_objectid () from
/usr/local/samba/lib/private/libsmbd-base-samba4.so
#3  0x00007f3619aac612 in vfswrap_fsctl () from
/usr/local/samba/lib/private/libsmbd-base-samba4.so
#4  0x00007f3619992a90 in smb_vfs_call_fsctl () from
/usr/local/samba/lib/private/libsmbd-base-samba4.so
#5  0x00007f36199df4db in smb2_ioctl_filesys () from
/usr/local/samba/lib/private/libsmbd-base-samba4.so
#6  0x00007f36199dea5d in smbd_smb2_ioctl_send () from
/usr/local/samba/lib/private/libsmbd-base-samba4.so
#7  0x00007f36199ddf45 in smbd_smb2_request_process_ioctl () from
/usr/local/samba/lib/private/libsmbd-base-samba4.so
#8  0x00007f36199c78d9 in smbd_smb2_request_dispatch () from
/usr/local/samba/lib/private/libsmbd-base-samba4.so
#9  0x00007f36199cb572 in smbd_smb2_io_handler () from
/usr/local/samba/lib/private/libsmbd-base-samba4.so
#10 0x00007f36199cb681 in smbd_smb2_connection_handler () from
/usr/local/samba/lib/private/libsmbd-base-samba4.so
#11 0x00007f3617a6c5f7 in run_events_poll () from /usr/local/samba/lib/
libsmbconf.so.0
#12 0x00007f3617a6c8c4 in s3_event_loop_once () from /usr/local/samba/lib/
libsmbconf.so.0
#13 0x00007f36190233df in _tevent_loop_once () from
/usr/local/samba/lib/private/libtevent.so.0
#14 0x00007f361902363f in tevent_common_loop_wait () from
/usr/local/samba/lib/private/libtevent.so.0
#15 0x00007f361902370a in _tevent_loop_wait () from
/usr/local/samba/lib/private/libtevent.so.0
#16 0x00007f36199ae954 in smbd_process () from /usr/local/samba/lib/private/
libsmbd-base-samba4.so
#17 0x00007f361a481890 in smbd_accept_connection ()
#18 0x00007f3617a6c5f7 in run_events_poll () from /usr/local/samba/lib/
libsmbconf.so.0
#19 0x00007f3617a6c8c4 in s3_event_loop_once () from /usr/local/samba/lib/
libsmbconf.so.0
#20 0x00007f36190233df in _tevent_loop_once () from
/usr/local/samba/lib/private/libtevent.so.0
#21 0x00007f361902363f in tevent_common_loop_wait () from
/usr/local/samba/lib/private/libtevent.so.0
#22 0x00007f361902370a in _tevent_loop_wait () from
/usr/local/samba/lib/private/libtevent.so.0
#23 0x00007f361a4825f3 in smbd_parent_loop ()
#24 0x00007f361a483d85 in main ()

This problem is easily reproducible with following steps:
1. Map a share from Windows client. Open a word document
2. From the same Windows client, using fsmgmt.msc, connect to the Samba
server and stop sharing the share mapped in step 1.
3. write something to the word document opened in step 1. Then save and
close file.

The reason for this crash is, when we stop the share from sharing,
ServicePtrs pointer for that particular service name becomes null and SMBD
tries refer this NULL entry, leading to SMBD core.

There is another instance where disconnecting a mapped drive after the
share was stopped results in SMBD cores. In this case also, ServicePtrs
pointer has become NULL for that service name. I think there may other
instances as well. Can you please let me know whether fixing each single
instance is a good idea or a more generic solution is possible for this
sort of SMBD cores.

Thanks,
Shilpa