[Pkg-samba-maint] Bug#541171: smbd SIGSEGV when breaking oplocks

[Petr Vandrovec]

Package: samba
Version: 2:3.4.0-2+b1

Hello,
   whenever I try to access same file from both Linux locally and from 
XP remotely (for example building software from same tree, once on 
Linux, once on Windows), samba commits suicide in oplocks code:

push_file_id_24 (buf=0x7fffdacbf2c0 "\22\b", id=0x30) at lib/file_id.c:71
71      lib/file_id.c: No such file or directory.
         in lib/file_id.c
(gdb) bt
#0  push_file_id_24 (buf=0x7fffdacbf2c0 "\22\b", id=0x30) at 
lib/file_id.c:71
#1  0x00000000006fc295 in break_kernel_oplock (msg_ctx=0x1d1e500, 
fsp=0x0) at smbd/oplock.c:43
#2  0x00000000006d4f97 in tevent_common_check_signal (ev=0x1d1e440) at 
../lib/tevent/tevent_signal.c:311
#3  0x00000000006d34b5 in run_events (ev=0x7fffdacbf2c0, selrtn=-1, 
read_fds=0x7fffdacbf4f0, write_fds=0x7fffdacbf470) at lib/events.c:89
#4  0x0000000000509a23 in smbd_server_connection_loop_once () at 
smbd/process.c:798
#5  smbd_process () at smbd/process.c:2151
#6  0x0000000000943e95 in smbd_accept_connection (ev=<value optimized 
out>, fde=<value optimized out>, flags=<value optimized out>, 
private_data=<value optimized out>) at smbd/server.c:394
#7  0x00000000006d35b6 in run_events (ev=0x1d1e440, selrtn=1, 
read_fds=0x7fffdacbf8e0, write_fds=0x7fffdacbf860) at lib/events.c:126
#8  0x00000000006d37ff in s3_event_loop_once (ev=0x1d1e440, 
location=<value optimized out>) at lib/events.c:185
#9  0x00000000006d3bdc in _tevent_loop_once (ev=0x1d1e440, 
location=0xa78def "smbd/server.c:680") at ../lib/tevent/tevent.c:478
#10 0x000000000094492d in smbd_parent_loop (argc=<value optimized out>, 
argv=<value optimized out>) at smbd/server.c:680
#11 main (argc=<value optimized out>, argv=<value optimized out>) at 
smbd/server.c:1250

tevent_common_check_signal invoked this tevent_signal:

(gdb) print *se
$3 = {prev = 0x0, next = 0x1cb8af0, event_ctx = 0x1d1e440, signum = 35, 
sa_flags = 4, handler = 0x6fc8f0 <linux_oplock_signal_handler>, 
private_data = 0x1d28060, handler_name = 0x9f4705 
"linux_oplock_signal_handler",
   location = 0x9f46ed "smbd/oplock_linux.c:210", additional_data = 
0x1d37720}

For signal 35 it says:

(gdb) print i
$14 = 35
(gdb) print sig_state->signal_count[35]
$19 = {count = 27, seen = 25}
(gdb) print count
$20 = 2

So count was 2, and it matches with expected state.  But code to call 
handlers says:

for (j=0;j<count;j++) {
   /* note the use of the sig_info array as a
      ring buffer */
   int ofs = ((count-1) + j) % SA_INFO_QUEUE_COUNT;
   se->handler(ev, se, i, 1,
               (void*)&sig_state->sig_info[i][ofs],
               se->private_data);
}

So for count=2 it will try to access elements (2-1)+0 = 1, and (2-1)+1 = 
  2.  But elements 0 & 1 are ones which are valid:

(gdb) print sig_state->sig_info[35][0]._sifields._sigpoll.si_fd
$43 = 31
(gdb) print sig_state->sig_info[35][1]._sifields._sigpoll.si_fd
$44 = 32
(gdb) print sig_state->sig_info[35][2]._sifields._sigpoll.si_fd
$45 = 1918967843

I admit that I have troubles understanding what this code tries to do, 
but as far as I can tell second index to sig_info[i][xxx] array should 
be using some different indices.

As far as I can tell attached patch could do the trick.  Unfortunately 
Samba is FTBFS on my box (seems to be completely confused about talloc.h 
& libtalloc.so) so I could not even compile-test it...
								Petr
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: samba.diff
URL: <http://lists.alioth.debian.org/pipermail/pkg-samba-maint/attachments/20090811/dbffaad6/attachment.txt>