[PATCH]: s3: smbd: Fix delete-on-close after smb2_find

Ralph Wuerthner ralphw at de.ibm.com
Fri Nov 3 15:10:23 UTC 2017 

Hi!

On a customer system I came recently across the following Samba panic:

[2017/11/03 14:27:35.930242,  0, pid=446, effective(12000500, 12000513), 
real(12000500, 0)] ../source3/lib/util.c:791(smb_panic_s3)
    PANIC (pid 446): assert failed: dirp->fsp->dptr->dir_hnd == dirp
[2017/11/03 14:27:35.930722,  0, pid=446, effective(12000500, 12000513), 
real(12000500, 0)] ../source3/lib/util.c:902(log_stack_trace)
    BACKTRACE: 27 stack frames:
     #0 /usr/lpp/mmfs/lib64/libsmbconf.so.0(log_stack_trace+0x1a) 
[0x7f3a05013e7a]
     #1 /usr/lpp/mmfs/lib64/libsmbconf.so.0(smb_panic_s3+0x20) 
[0x7f3a05013f50]
     #2 /usr/lpp/mmfs/lib64/libsamba-util.so.0(smb_panic+0x2f) 
[0x7f3a07919bdf]
     #3 /usr/lpp/mmfs/lib64/samba/libsmbd-base-samba4.so(+0xbb127) 
[0x7f3a07461127]
     #4 /usr/lpp/mmfs/lib64/samba/libtalloc.so.2(_talloc_free+0x440) 
[0x7f3a06d8fed0]
     #5 
/usr/lpp/mmfs/lib64/samba/libsmbd-base-samba4.so(can_delete_directory_fsp+0x137) 
[0x7f3a07464357]
     #6 
/usr/lpp/mmfs/lib64/samba/libsmbd-base-samba4.so(can_set_delete_on_close+0x168) 
[0x7f3a074e85b8]
     #7 /usr/lpp/mmfs/lib64/samba/libsmbd-base-samba4.so(+0xf4b73) 
[0x7f3a0749ab73]
     #8 
/usr/lpp/mmfs/lib64/samba/libsmbd-base-samba4.so(smbd_do_setfilepathinfo+0x169b) 
[0x7f3a074ab0ab]
     #9 
/usr/lpp/mmfs/lib64/samba/libsmbd-base-samba4.so(smbd_smb2_request_process_setinfo+0x630) 
[0x7f3a07504c30]
     #10 
/usr/lpp/mmfs/lib64/samba/libsmbd-base-samba4.so(smbd_smb2_request_dispatch+0xcb5) 
[0x7f3a074ecb05]
     #11 /usr/lpp/mmfs/lib64/samba/libsmbd-base-samba4.so(+0x148f22) 
[0x7f3a074eef22]
     #12 /usr/lpp/mmfs/lib64/samba/libtevent.so.0(+0x9c9b) [0x7f3a06984c9b]
     #13 /usr/lpp/mmfs/lib64/samba/libtevent.so.0(+0x8167) [0x7f3a06983167]
     #14 
/usr/lpp/mmfs/lib64/samba/libtevent.so.0(_tevent_loop_once+0x8d) 
[0x7f3a0697f31d]
     #15 
/usr/lpp/mmfs/lib64/samba/libtevent.so.0(tevent_common_loop_wait+0x1b) 
[0x7f3a0697f4bb]
     #16 /usr/lpp/mmfs/lib64/samba/libtevent.so.0(+0x8107) [0x7f3a06983107]
     #17 
/usr/lpp/mmfs/lib64/samba/libsmbd-base-samba4.so(smbd_process+0x721) 
[0x7f3a074db991]
     #18 /usr/lpp/mmfs/bin/smbd(+0xb588) [0x7f3a07fbc588]
     #19 /usr/lpp/mmfs/lib64/samba/libtevent.so.0(+0x9c9b) [0x7f3a06984c9b]
     #20 /usr/lpp/mmfs/lib64/samba/libtevent.so.0(+0x8167) [0x7f3a06983167]
     #21 
/usr/lpp/mmfs/lib64/samba/libtevent.so.0(_tevent_loop_once+0x8d) 
[0x7f3a0697f31d]
     #22 
/usr/lpp/mmfs/lib64/samba/libtevent.so.0(tevent_common_loop_wait+0x1b) 
[0x7f3a0697f4bb]
     #23 /usr/lpp/mmfs/lib64/samba/libtevent.so.0(+0x8107) [0x7f3a06983107]
     #24 /usr/lpp/mmfs/bin/smbd(main+0x1580) [0x7f3a07fb8fc0]
     #25 /lib64/libc.so.6(__libc_start_main+0xf5) [0x7f3a03accb35]
     #26 /usr/lpp/mmfs/bin/smbd(+0x82c9) [0x7f3a07fb92c9]

I was able to recreate the panic on my test system with the attached 
'smb2.delete-on-close-perms.FIND and set DOC.FIND and set DOC' 
smbtorture test. Please see also my proposed fix. Both patches apply on 
master.

--
Regards

     Ralph Wuerthner

-------------- next part --------------
A non-text attachment was scrubbed...
Name: fix-delete-on-close-after-smb2_find.patch
Type: text/x-patch
Size: 4640 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20171103/1f36c0f4/fix-delete-on-close-after-smb2_find.bin>

More information about the samba-technical mailing list