[Pkg-samba-maint] DO NOT REPLY [Bug 6651] smbd SIGSEGV when breaking oplocks

samba-bugs at samba.org
Tue Aug 25 07:42:46 UTC 2009


https://bugzilla.samba.org/show_bug.cgi?id=6651

------- Comment #19 from petr at vandrovec.name  2009-08-25 02:42 CST -------
And it defaults to -pie, which cannot be debugged on Debian systems, as only
RedHat has PIE patches in gdb.  Oh well, another try.  That one failed because
the clean build did not clean lib/tevent, so I had no symbols there.  So you can
see it is nicely reproducible...

Looks like a race between the client closing a file and the server receiving the
oplock break notification: the notification gets queued, the client closes the
file, the server tries to process the notification, and dies because the fd is
already closed (what if the fd had already been reopened for some other client;
would it mean that the server would ask that client to release an oplock it
never asked for?)

(gdb) bt
#0  0x00007f422af970b5 in __libc_waitpid (pid=26462, stat_loc=0x7fff6cf7f70c,
options=0) at ../sysdeps/unix/sysv/linux/waitpid.c:32
#1  0x00007f422af386b1 in do_system (line=0x2e09ee0 "/bin/sleep 99999") at
../sysdeps/posix/system.c:149
#2  0x000000000070f556 in smb_panic (why=<value optimized out>) at
lib/util.c:1453
#3  0x00000000006feec0 in fault_report (sig=1) at lib/fault.c:47
#4  sig_fault (sig=1) at lib/fault.c:70
#5  <signal handler called>
#6  push_file_id_24 (buf=0x7fff6cf7fc00 "", id=0x30) at lib/file_id.c:63
#7  0x000000000074cf75 in break_kernel_oplock (msg_ctx=0x2df36e0, fsp=0x0) at
smbd/oplock.c:43
#8  0x000000000072016e in tevent_common_check_signal (ev=0x2d8c430) at
../lib/tevent/tevent_signal.c:326
#9  0x000000000071e5e5 in run_events (ev=0x7fff6cf7fc00, selrtn=0,
read_fds=0x0, write_fds=0x0) at lib/events.c:94
#10 0x0000000000527cd7 in smbd_server_connection_loop_once () at
smbd/process.c:790
#11 smbd_process () at smbd/process.c:2232
#12 0x0000000000a20fbe in smbd_accept_connection (ev=<value optimized out>,
fde=<value optimized out>, flags=<value optimized out>, private_data=<value
optimized out>) at smbd/server.c:404
#13 0x000000000071e6e6 in run_events (ev=0x2d8c430, selrtn=1,
read_fds=0x7fff6cf80110, write_fds=0x7fff6cf80090) at lib/events.c:131
#14 0x000000000071e94f in s3_event_loop_once (ev=0x2d8c430, location=<value
optimized out>) at lib/events.c:194
#15 0x000000000071ed40 in _tevent_loop_once (ev=0x2d8c430, location=0xbe5cd0
"smbd/server.c:692") at ../lib/tevent/tevent.c:488
#16 0x0000000000a21a59 in smbd_parent_loop (argc=<value optimized out>,
argv=<value optimized out>) at smbd/server.c:692
#17 main (argc=<value optimized out>, argv=<value optimized out>) at
smbd/server.c:1267
(gdb) info locals
se = 0x2e03bb0
count = 2
sl = <value optimized out>
next = 0x0
clear_processed_siginfo = <value optimized out>
i = 35
(gdb) print sig_state->signal_count[35]
$2 = {count = 547, seen = 529}
(gdb) print sig_state->sig_info[35][29]
$3 = {si_signo = 35, si_errno = 0, si_code = 3, ... _sigpoll = { si_band =
1089, si_fd = 46}}}
(gdb) print sig_state->sig_info[35][30]
$4 = {si_signo = 35, si_errno = 0, si_code = 3, ... _sigpoll = { si_band =
1089, si_fd = 44}}}

petr-dev3:/usr/src/git/samba/source3# ls -la /proc/25557/fd/44
lr-x------ 1 root root 64 2009-08-25 00:32 /proc/25557/fd/44 ->
/home/petr/vmk1/bora/public/vmware_pack_end.h
petr-dev3:/usr/src/git/samba/source3# ls -la /proc/25557/fd/46
ls: cannot access /proc/25557/fd/46: No such file or directory

Just for confirmation that [29] is indeed first used event:

(gdb) print sig_state->sig_info[35][28]
$7 = {si_signo = 0, si_errno = 0, si_code = 0, _sifields = {_pad = {0 <repeats
28 times>}, _kill = {si_pid = 0, si_uid = 0}, _timer = {si_tid = 0, si_overrun
= 0, si_sigval = {sival_int = 0, 
        sival_ptr = 0x0}}, _rt = {si_pid = 0, si_uid = 0, si_sigval =
{sival_int = 0, sival_ptr = 0x0}}, _sigchld = {si_pid = 0, si_uid = 0,
si_status = 0, si_utime = 0, si_stime = 0}, _sigfault = {
      si_addr = 0x0}, _sigpoll = {si_band = 0, si_fd = 0}}}

count is 2 as there were 2 oplock break requests queued when the code started
processing them.  Before I attached gdb, apparently 16 more got queued.


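The two failure modes raised in the comment above (a queued break arriving after the client has closed the fd, and the same fd number having been reopened for another client in the meantime) can be shown in isolation. The following is an added example written for this page; it is not Samba code and does not reproduce smbd's files_struct or its real signal handling. The struct names, the `run_race` driver and the `BREAK_*` results are hypothetical, the kernel lease request is simulated by a flag rather than a real `fcntl(F_SETLEASE)`, the queued siginfo records are a constructed array with `count`/`seen` counters in the same roles as in the trace, and the scratch files are unlinked temp files under /tmp (assumed writable). What it demonstrates is the defensive side: a consumer of the queued notifications that checks the fd lookup for NULL instead of dereferencing it (the `fsp=0x0` in frame #7), and that uses a per-file lease flag plus the inode identity recorded at open time to discard a notification whose fd number has since been reused.

```c
#define _GNU_SOURCE
#include <stdbool.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical stand-in for smbd's per-open-file record (the files_struct in
 * the trace); inode identity is captured at open time for later checks. */
struct open_file {
    int fd;                 /* -1 marks a free slot */
    dev_t dev;
    ino_t ino;
    bool kernel_lease;      /* set once a kernel lease was requested for it */
};
/* Constructed model of one queued lease-break record: only si_fd and si_band. */
struct queued_break { int si_fd; long si_band; };

#define MAX_FILES 32
#define MAX_QUEUED 64
static struct open_file file_table[MAX_FILES];
static struct queued_break break_queue[MAX_QUEUED];
static unsigned break_count, break_seen;   /* same roles as count/seen above */
enum break_result {
    BREAK_DELIVERED,        /* live file holding a lease: break its oplock */
    BREAK_STALE_CLOSED,     /* fd already closed, lease gone: ignore */
    BREAK_STALE_REUSED      /* fd number now belongs to a different file */
};
static struct open_file *lookup_by_fd(int fd)
{
    for (int i = 0; i < MAX_FILES; i++)
        if (file_table[i].fd == fd) return &file_table[i];
    return NULL;
}
/* Register an open fd in the first free slot, remembering its inode. */
static struct open_file *file_register(int fd)
{
    struct stat st;
    struct open_file *slot = lookup_by_fd(-1);
    if (fd < 0 || slot == NULL || fstat(fd, &st) != 0) return NULL;
    *slot = (struct open_file){ fd, st.st_dev, st.st_ino, false };
    return slot;
}
/* Closing the last descriptor also drops the kernel lease, so anything still
 * queued for this fd number is stale from here on. */
static void file_close(int fd)
{
    struct open_file *f = lookup_by_fd(fd);
    if (f) f->fd = -1;
    close(fd);
}
static void queue_break(int si_fd)   /* what the signal handler would record */
{
    break_queue[break_count++ % MAX_QUEUED] = (struct queued_break){ si_fd, 0 };
}
/* Consume one queued record.  Frame #7 in the trace used the lookup result
 * without a NULL check; here every stale case is rejected explicitly. */
static enum break_result drain_one(void)
{
    const struct queued_break *qb = &break_queue[break_seen++ % MAX_QUEUED];
    struct open_file *f = lookup_by_fd(qb->si_fd);
    struct stat st;
    if (f == NULL) return BREAK_STALE_CLOSED;        /* the fsp == 0x0 case */
    if (!f->kernel_lease) return BREAK_STALE_REUSED; /* no lease asked for */
    if (fstat(f->fd, &st) != 0 || st.st_dev != f->dev || st.st_ino != f->ino)
        return BREAK_STALE_REUSED;                   /* swapped underneath us */
    f->kernel_lease = false;                         /* lease is being broken */
    return BREAK_DELIVERED;
}
/* Constructed scratch file: an unlinked temp file under /tmp. */
static int open_scratch_file(void)
{
    char path[] = "/tmp/oplock-demo-XXXXXX";
    int fd = mkstemp(path);
    if (fd >= 0) unlink(path);
    return fd;
}
/* Drive one run: open a file, mark it leased with a break already queued,
 * optionally close it before draining, optionally reopen the same fd number
 * for a second client.  Returns a break_result, or -1 if setup failed. */
int run_race(bool close_before_drain, bool reopen_for_other_client)
{
    for (int i = 0; i < MAX_FILES; i++) file_table[i].fd = -1;
    break_count = break_seen = 0;
    int fd = open_scratch_file();
    struct open_file *f = file_register(fd);
    if (f == NULL) return -1;
    f->kernel_lease = true;       /* stands in for fcntl(fd, F_SETLEASE, ...) */
    queue_break(fd);              /* the kernel's notification is now pending */
    if (close_before_drain) {
        file_close(fd);
        if (reopen_for_other_client) {
            int fd_b = open_scratch_file();
            if (fd_b < 0) return -1;
            if (fd_b != fd) { dup2(fd_b, fd); close(fd_b); }  /* force reuse */
            if (file_register(fd) == NULL) return -1;  /* no lease requested */
        }
    }
    int r = drain_one();
    if (lookup_by_fd(fd)) file_close(fd);
    return r;
}
```

`run_race(false, false)` is the normal path and yields `BREAK_DELIVERED`; `run_race(true, false)` is the race in the report and yields `BREAK_STALE_CLOSED` where the original code dereferenced NULL; `run_race(true, true)` is the reopened-fd question and yields `BREAK_STALE_REUSED` because the second client's file never had a lease requested for it. The inode comparison is the extra guard for the case where the fd is swapped without the table noticing; since the kernel's siginfo carries only the fd number, the lease flag and recorded identity are the only information the consumer has to tell a stale record from a live one.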