Bug 1614132

Summary: smbd crashes with "assert failed: dirp->fsp->dptr->dir_hnd == dirp"
Product: Red Hat Enterprise Linux 7
Reporter: Muneaki Sugaya <msugaya>
Component: samba
Assignee: Andreas Schneider <asn>
Status: CLOSED ERRATA
QA Contact: Andrej Dzilský <adzilsky>
Severity: high
Docs Contact:
Priority: high
Version: 7.4
CC: adzilsky, asn, gdeschner, jarrpa, jstephen
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Linux
Whiteboard:
Fixed In Version: samba-4.8.3-4.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-10-30 08:00:00 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Muneaki Sugaya 2018-08-09 03:43:30 UTC
Description of problem:

smbd crashes with "assert failed: dirp->fsp->dptr->dir_hnd == dirp"

~~~
(gdb) bt
#0  0x00007fc6bc6671f7 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007fc6bc6688e8 in __GI_abort () at abort.c:90
#2  0x00007fc6bdfed5ee in dump_core () at ../source3/lib/dumpcore.c:338
#3  0x00007fc6bdfde7f7 in smb_panic_s3 (why=<optimized out>) at ../source3/lib/util.c:814
#4  0x00007fc6c00b995f in smb_panic (why=why@entry=0x7fc6bfd8dcf0 "assert failed: dirp->fsp->dptr->dir_hnd == dirp") at ../lib/util/fault.c:166
#5  0x00007fc6bfbeb7e7 in smb_Dir_destructor (dirp=dirp@entry=0x7fc6c0ed7c60) at ../source3/smbd/dir.c:1617
#6  0x00007fc6bce120b3 in _tc_free_internal (tc=0x7fc6c0ed7c00, location=0x7fc6bfd8dbf1 "../source3/smbd/dir.c:2160") at ../talloc.c:1078
#7  0x00007fc6bfbee9b7 in can_delete_directory_fsp (fsp=fsp@entry=0x7fc6c0ed6fd0) at ../source3/smbd/dir.c:2160
#8  0x00007fc6bfc72448 in can_set_delete_on_close (fsp=fsp@entry=0x7fc6c0ed6fd0, dosmode=dosmode@entry=16) at ../source3/smbd/file_access.c:244
#9  0x00007fc6bfc255c3 in smb_set_file_disposition_info (conn=conn@entry=0x7fc6c0ebc630, pdata=<optimized out>, total_data=total_data@entry=1, fsp=fsp@entry=0x7fc6c0ed6fd0, 
    smb_fname=smb_fname@entry=0x7fc6c0ee2820) at ../source3/smbd/trans2.c:6491
#10 0x00007fc6bfc35ca2 in smbd_do_setfilepathinfo (conn=conn@entry=0x7fc6c0ebc630, req=req@entry=0x7fc6c0ee1df0, mem_ctx=<optimized out>, info_level=<optimized out>, 
    fsp=fsp@entry=0x7fc6c0ed6fd0, smb_fname=0x7fc6c0ee2820, ppdata=ppdata@entry=0x7ffc4b8ccfe8, total_data=total_data@entry=1, ret_data_size=ret_data_size@entry=0x7ffc4b8ccfdc)
    at ../source3/smbd/trans2.c:8464
#11 0x00007fc6bfc8ea80 in smbd_smb2_setinfo_send (in_additional_information=0, in_input_buffer=..., in_file_info_class=13 '\r', in_info_type=1 '\001', fsp=0x7fc6c0ed6fd0, 
    smb2req=0x7fc6c0ee2a80, ev=0x7fc6c0e960f0, mem_ctx=0x7fc6c0ee2a80) at ../source3/smbd/smb2_setinfo.c:514
#12 smbd_smb2_request_process_setinfo (req=req@entry=0x7fc6c0ee2a80) at ../source3/smbd/smb2_setinfo.c:107
#13 0x00007fc6bfc76a45 in smbd_smb2_request_dispatch (req=req@entry=0x7fc6c0ee2a80) at ../source3/smbd/smb2_server.c:2662
#14 0x00007fc6bfc78e62 in smbd_smb2_io_handler (fde_flags=<optimized out>, xconn=0x7fc6c0e9fa00) at ../source3/smbd/smb2_server.c:3872
#15 smbd_smb2_connection_handler (ev=<optimized out>, fde=<optimized out>, flags=<optimized out>, private_data=<optimized out>) at ../source3/smbd/smb2_server.c:3910
#16 0x00007fc6bc9ffedb in epoll_event_loop (tvalp=0x7ffc4b8cd180, epoll_ev=0x7fc6c0e99e60) at ../tevent_epoll.c:728
#17 epoll_event_loop_once (ev=<optimized out>, location=<optimized out>) at ../tevent_epoll.c:930
#18 0x00007fc6bc9fe2a7 in std_event_loop_once (ev=0x7fc6c0e960f0, location=0x7fc6bfdb4a28 "../source3/smbd/process.c:4125") at ../tevent_standard.c:114
#19 0x00007fc6bc9fa0cd in _tevent_loop_once (ev=ev@entry=0x7fc6c0e960f0, location=location@entry=0x7fc6bfdb4a28 "../source3/smbd/process.c:4125") at ../tevent.c:721
#20 0x00007fc6bc9fa2fb in tevent_common_loop_wait (ev=0x7fc6c0e960f0, location=0x7fc6bfdb4a28 "../source3/smbd/process.c:4125") at ../tevent.c:844
#21 0x00007fc6bc9fe247 in std_event_loop_wait (ev=0x7fc6c0e960f0, location=0x7fc6bfdb4a28 "../source3/smbd/process.c:4125") at ../tevent_standard.c:145
#22 0x00007fc6bfc66f74 in smbd_process (ev_ctx=ev_ctx@entry=0x7fc6c0e960f0, msg_ctx=msg_ctx@entry=0x7fc6c0e96520, sock_fd=sock_fd@entry=40, interactive=interactive@entry=false)
    at ../source3/smbd/process.c:4125
#23 0x00007fc6c095da74 in smbd_accept_connection (ev=0x7fc6c0e960f0, fde=<optimized out>, flags=<optimized out>, private_data=<optimized out>) at ../source3/smbd/server.c:1017
#24 0x00007fc6bc9ffedb in epoll_event_loop (tvalp=0x7ffc4b8cd410, epoll_ev=0x7fc6c0e96370) at ../tevent_epoll.c:728
#25 epoll_event_loop_once (ev=<optimized out>, location=<optimized out>) at ../tevent_epoll.c:930
#26 0x00007fc6bc9fe2a7 in std_event_loop_once (ev=0x7fc6c0e960f0, location=0x7fc6c09615d9 "../source3/smbd/server.c:1384") at ../tevent_standard.c:114
#27 0x00007fc6bc9fa0cd in _tevent_loop_once (ev=ev@entry=0x7fc6c0e960f0, location=location@entry=0x7fc6c09615d9 "../source3/smbd/server.c:1384") at ../tevent.c:721
#28 0x00007fc6bc9fa2fb in tevent_common_loop_wait (ev=0x7fc6c0e960f0, location=0x7fc6c09615d9 "../source3/smbd/server.c:1384") at ../tevent.c:844
#29 0x00007fc6bc9fe247 in std_event_loop_wait (ev=0x7fc6c0e960f0, location=0x7fc6c09615d9 "../source3/smbd/server.c:1384") at ../tevent_standard.c:145
#30 0x00007fc6c0958a95 in smbd_parent_loop (parent=<optimized out>, ev_ctx=0x7fc6c0e960f0) at ../source3/smbd/server.c:1384
#31 main (argc=<optimized out>, argv=<optimized out>) at ../source3/smbd/server.c:2038
(gdb) 
~~~

Version-Release number of selected component (if applicable):
samba-4.6.2-11.el7_4.x86_64


How reproducible:
often

Steps to Reproduce:
N/A

Actual results:
smbd crashes.

Expected results:
smbd doesn't crash.


Additional info:

The following has the same call trace.
===
[PATCH]: s3: smbd: Fix delete-on-close after smb2_find
https://lists.samba.org/archive/samba-technical/2017-November/123654.html
===

There is a fix. 
===
Bug 13118 - Setting delete on close on a directory handle in the middle of an SMB2 find crashes smbd. 
https://bugzilla.samba.org/show_bug.cgi?id=13118
===
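Triage helper for backtraces like the one in the description, added here as an example; it is not part of this report, of Red Hat's tooling or of Samba. It parses gdb `bt` output, glues back frames that gdb wrapped across lines, pulls the message passed to smb_panic() and the first frame above the abort plumbing (where the SMB_ASSERT fired), then matches the pair "frame that panicked / first non-talloc caller" against a small lookup table. The sample is the first ten frames of the backtrace above; the table, the PANIC_MACHINERY set and the ALLOCATOR_PREFIXES list are this example's own assumptions.

```python
"""Triage a gdb backtrace from an smbd core.  Added example, not Samba code."""
import re
from dataclasses import dataclass
from typing import Optional

# Abort/panic plumbing that sits below the frame which detected the problem.
PANIC_MACHINERY = {"raise", "__GI_raise", "abort", "__GI_abort",
                   "dump_core", "smb_panic_s3", "smb_panic"}
# talloc internals between a destructor and the code that freed the object.
ALLOCATOR_PREFIXES = ("_tc_", "_talloc", "talloc_")

FRAME_RE = re.compile(
    r"^#(?P<no>\d+)\s+(?:0x[0-9a-fA-F]+ in )?(?P<func>\S+)\s+\((?P<args>.*)\)"
    r"\s+at\s+(?P<file>\S+):(?P<line>\d+)\s*$")

# Constructed lookup: (frame that panicked, first non-allocator caller).
KNOWN_SIGNATURES = {
    ("smb_Dir_destructor", "can_delete_directory_fsp"):
        "Samba bug 13118 / RHBZ 1614132: delete-on-close set on a directory "
        "handle during an SMB2 find; fixed in samba-4.8.3-4.el7",
}


@dataclass
class Frame:
    no: int
    func: str
    args: str
    file: str
    line: int


def parse_gdb_bt(text: str) -> list:
    """gdb wraps long frames; continuation lines start with whitespace and
    are glued back onto the preceding '#N' line before matching."""
    joined = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("#"):
            joined.append(line)
        elif joined and raw[:1].isspace() and line.strip():
            joined[-1] += " " + line.strip()
        # "(gdb) bt", prompts and blank lines are ignored
    frames = []
    for line in joined:
        m = FRAME_RE.match(line)
        if m:
            frames.append(Frame(int(m["no"]), m["func"], m["args"],
                                m["file"], int(m["line"])))
    return frames


def panic_message(frames) -> Optional[str]:
    """The string argument of smb_panic(), i.e. the SMB_ASSERT text."""
    for f in frames:
        if f.func == "smb_panic":
            m = re.search(r'"([^"]*)"', f.args)
            if m:
                return m.group(1)
    return None


def panic_origin(frames) -> Optional[Frame]:
    """First frame above the abort/panic plumbing: where the assert fired."""
    for f in frames:
        if f.func not in PANIC_MACHINERY:
            return f
    return None


def triage(text: str) -> dict:
    frames = parse_gdb_bt(text)
    origin = panic_origin(frames)
    if origin is None:
        return {"frames": len(frames), "assert": None, "origin": None, "known": None}
    callers = [f.func for f in frames[frames.index(origin):]
               if not f.func.startswith(ALLOCATOR_PREFIXES)]
    return {"frames": len(frames),
            "assert": panic_message(frames),
            "origin": f"{origin.func} at {origin.file}:{origin.line}",
            "known": KNOWN_SIGNATURES.get(tuple(callers[:2]))}


# First ten frames of the backtrace from this report (frame #9 is wrapped).
SAMPLE_BT = """(gdb) bt
#0  0x00007fc6bc6671f7 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007fc6bc6688e8 in __GI_abort () at abort.c:90
#2  0x00007fc6bdfed5ee in dump_core () at ../source3/lib/dumpcore.c:338
#3  0x00007fc6bfdde7f7 in smb_panic_s3 (why=<optimized out>) at ../source3/lib/util.c:814
#4  0x00007fc6c00b995f in smb_panic (why=why@entry=0x7fc6bfd8dcf0 "assert failed: dirp->fsp->dptr->dir_hnd == dirp") at ../lib/util/fault.c:166
#5  0x00007fc6bfbeb7e7 in smb_Dir_destructor (dirp=dirp@entry=0x7fc6c0ed7c60) at ../source3/smbd/dir.c:1617
#6  0x00007fc6bce120b3 in _tc_free_internal (tc=0x7fc6c0ed7c00, location=0x7fc6bfd8dbf1 "../source3/smbd/dir.c:2160") at ../talloc.c:1078
#7  0x00007fc6bfbee9b7 in can_delete_directory_fsp (fsp=fsp@entry=0x7fc6c0ed6fd0) at ../source3/smbd/dir.c:2160
#8  0x00007fc6bfc72448 in can_set_delete_on_close (fsp=fsp@entry=0x7fc6c0ed6fd0, dosmode=dosmode@entry=16) at ../source3/smbd/file_access.c:244
#9  0x00007fc6bfc255c3 in smb_set_file_disposition_info (conn=conn@entry=0x7fc6c0ebc630, pdata=<optimized out>, total_data=total_data@entry=1, fsp=fsp@entry=0x7fc6c0ed6fd0,
    smb_fname=smb_fname@entry=0x7fc6c0ee2820) at ../source3/smbd/trans2.c:6491
"""

if __name__ == "__main__":
    print(triage(SAMPLE_BT))
```

Feeding it a `bt` saved from `gdb -batch -ex bt smbd core` is enough to tell this crash from an unrelated smb_panic; the origin line (smb_Dir_destructor at dir.c:1617) is what to compare against other cores, since addresses differ between runs.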

Comment 2 Andreas Schneider 2018-08-09 08:37:37 UTC
This will be fixed with RHEL 7.6.

Comment 7 errata-xmlrpc 2018-10-30 08:00:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3056
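An affected-or-fixed check, added as an example and not Red Hat's or Samba's tooling: it compares an installed samba NEVRA (the description's samba-4.6.2-11.el7_4.x86_64) against the Fixed In Version from the header (samba-4.8.3-4.el7) using rpm's version-segment algorithm, reimplemented so it runs without librpm. Separators split a string into segments; numeric segments compare as integers, alphabetic ones as strings, a numeric segment beats an alphabetic one, `~` sorts before anything including end of string, and `^` sorts after the base version but before anything else. The `_ARCHES` set and the `FIXED` constant are this example's assumptions.

```python
"""Is the installed samba at or past the build that fixes RHBZ 1614132?
Added example: rpm's EVR comparison in pure Python."""
import subprocess

# Fixed build from the bug header; arch never matters for the comparison.
FIXED = "samba-4.8.3-4.el7"
# Suffixes stripped from a NEVRA (assumption of this example).
_ARCHES = {"x86_64", "i686", "i386", "noarch", "aarch64",
           "ppc64", "ppc64le", "s390x", "src"}


def _take(s, i, pred):
    """Return the run of characters satisfying pred starting at s[i]."""
    j = i
    while j < len(s) and pred(s[j]):
        j += 1
    return s[i:j], j


def rpmvercmp(a: str, b: str) -> int:
    """rpm's comparison of one version (or release) string.
    1 if a is newer, -1 if older, 0 if equal."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators: anything that is not alphanumeric, '~' or '^'.
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        # '~' (pre-release) sorts before everything, even end of string.
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        # '^' (post-release) sorts after end of string, before anything else.
        if ca == "^" or cb == "^":
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        # Take a run of one class (digits or letters) from both sides.
        isnum = ca.isdigit()
        pred = str.isdigit if isnum else str.isalpha
        sa, i = _take(a, i, pred)
        sb, j = _take(b, j, pred)
        if not sa:
            return -1
        if not sb:
            # Different segment types: numeric is always newer than alpha.
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    # Whichever side still has content is newer.
    return -1 if i >= len(a) else 1


def parse_nevra(pkg: str):
    """'samba-4.6.2-11.el7_4.x86_64' -> ('samba', 0, '4.6.2', '11.el7_4');
    the trailing '.arch' is optional, an 'epoch:' prefix on version is honoured."""
    name, version, release = pkg.rsplit("-", 2)
    head, _, tail = release.rpartition(".")
    if tail in _ARCHES:
        release = head
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    return name, epoch, version, release


def evrcmp(x, y) -> int:
    """Compare (epoch, version, release) tuples: epoch, then version, then release."""
    (e1, v1, r1), (e2, v2, r2) = x, y
    if e1 != e2:
        return 1 if e1 > e2 else -1
    rc = rpmvercmp(v1, v2)
    return rc if rc else rpmvercmp(r1, r2)


def is_fixed(installed: str, fixed: str = FIXED) -> bool:
    """True if `installed` is the fixed build or newer (same package name)."""
    n1, *evr1 = parse_nevra(installed)
    n2, *evr2 = parse_nevra(fixed)
    if n1 != n2:
        raise ValueError(f"package name mismatch: {n1} vs {n2}")
    return evrcmp(tuple(evr1), tuple(evr2)) >= 0


if __name__ == "__main__":
    out = subprocess.check_output(
        ["rpm", "-q", "--qf", "%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n", "samba"],
        text=True)
    for nevra in out.split():
        print(nevra, "fixed" if is_fixed(nevra) else f"AFFECTED (update to {FIXED})")
```

Run it on the host; a rebuilt or newer samba (4.8.3-5.el7, 4.9.x) compares as fixed, while the 4.6.2-11.el7_4 build in the description compares as affected. Since the 4.8.3 rebase ships as the advisory linked above, the same check can be driven from `rpm -q --changelog samba | grep 1614132` if you prefer to key on the bug number rather than the version.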