The branch, master has been updated via e104e5a Regression test for bug #9571 - Unlink after open causes smbd to panic via 578909a Fix bug #9571 - Unlink after open causes smbd to panic. from 34854ae Fix bug #9588 - ACLs are not inherited to directories for DFS shares.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit e104e5a8192e9d9a2637035bec343de3c35ca21e Author: Jeremy Allison <j...@samba.org> Date: Thu Jan 24 16:20:14 2013 -0800 Regression test for bug #9571 - Unlink after open causes smbd to panic Replicates the protocol activity that triggers the crash. Signed-off-by: Jeremy Allison <j...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> Autobuild-User(master): Stefan Metzmacher <me...@samba.org> Autobuild-Date(master): Mon Jan 28 15:33:17 CET 2013 on sn-devel-104 commit 578909ae19d7ec9dacb960626bd1985a2915365b Author: Pavel Shilovsky <pias...@etersoft.ru> Date: Wed Jan 16 15:02:26 2013 +0400 Fix bug #9571 - Unlink after open causes smbd to panic. s3:smbd: fix wrong lock order in posix unlink Signed-off-by: Pavel Shilovsky <pias...@etersoft.ru> Reviewed-by: Jeremy Allison <j...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> ----------------------------------------------------------------------- Summary of changes: source3/smbd/trans2.c | 6 +++--- source3/torture/torture.c | 44 ++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 47 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c index 9c77f4d..92d047a 100644 --- a/source3/smbd/trans2.c +++ b/source3/smbd/trans2.c @@ -7663,8 +7663,8 @@ static NTSTATUS smb_posix_unlink(connection_struct *conn, continue; } /* Fail with sharing violation. */ - close_file(req, fsp, NORMAL_CLOSE); TALLOC_FREE(lck); + close_file(req, fsp, NORMAL_CLOSE); return NT_STATUS_SHARING_VIOLATION; } } @@ -7678,12 +7678,12 @@ static NTSTATUS smb_posix_unlink(connection_struct *conn, fsp, smb_fname); + TALLOC_FREE(lck); + if (!NT_STATUS_IS_OK(status)) { close_file(req, fsp, NORMAL_CLOSE); - TALLOC_FREE(lck); return status; } - TALLOC_FREE(lck); return close_file(req, fsp, NORMAL_CLOSE); } diff --git a/source3/torture/torture.c b/source3/torture/torture.c index 799c911..b59ac30 100644 --- a/source3/torture/torture.c +++ b/source3/torture/torture.c @@ -5368,6 +5368,8 @@ static bool run_simple_posix_open_test(int dummy) bool correct = false; NTSTATUS status; size_t nread; + const char *fname_windows = "windows_file"; + uint16_t fnum2 = (uint16_t)-1; printf("Starting simple POSIX open test\n"); @@ -5390,6 +5392,8 @@ static bool run_simple_posix_open_test(int dummy) cli_posix_unlink(cli1, hname); cli_setatr(cli1, sname, 0, 0); cli_posix_unlink(cli1, sname); + cli_setatr(cli1, fname_windows, 0, 0); + cli_posix_unlink(cli1, fname_windows); /* Create a directory. */ status = cli_posix_mkdir(cli1, dname, 0777); @@ -5681,6 +5685,39 @@ static bool run_simple_posix_open_test(int dummy) goto out; } + /* + * Now create a Windows file, and attempt a POSIX unlink. + * This should fail with a sharing violation but due to: + * + * [Bug 9571] Unlink after open causes smbd to panic + * + * ensure we've fixed the lock ordering violation. + */ + + status = cli_ntcreate(cli1, fname_windows, 0, + FILE_READ_DATA|FILE_WRITE_DATA, 0, + FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE, + FILE_CREATE, + 0x0, 0x0, &fnum2); + if (!NT_STATUS_IS_OK(status)) { + printf("Windows create of %s failed (%s)\n", fname_windows, + nt_errstr(status)); + goto out; + } + + /* Now try posix_unlink. */ + status = cli_posix_unlink(cli1, fname_windows); + if (!NT_STATUS_EQUAL(status, NT_STATUS_SHARING_VIOLATION)) { + printf("POSIX unlink of %s should fail " + "with NT_STATUS_SHARING_VIOLATION " + "got %s instead !\n", + fname_windows, + nt_errstr(status)); + goto out; + } + + cli_close(cli1, fnum2); + printf("Simple POSIX open test passed\n"); correct = true; @@ -5691,6 +5728,11 @@ static bool run_simple_posix_open_test(int dummy) fnum1 = (uint16_t)-1; } + if (fnum2 != (uint16_t)-1) { + cli_close(cli1, fnum2); + fnum2 = (uint16_t)-1; + } + cli_setatr(cli1, sname, 0, 0); cli_posix_unlink(cli1, sname); cli_setatr(cli1, hname, 0, 0); @@ -5699,6 +5741,8 @@ static bool run_simple_posix_open_test(int dummy) cli_posix_unlink(cli1, fname); cli_setatr(cli1, dname, 0, 0); cli_posix_rmdir(cli1, dname); + cli_setatr(cli1, fname_windows, 0, 0); + cli_posix_unlink(cli1, fname_windows); if (!torture_close_connection(cli1)) { correct = false; -- Samba Shared Repository