The branch, v4-13-test has been updated
via 7436dde6ef6 s3: smbd: fix deferred renames
via a85f7995740 s4: torture. Add smb2.lease.rename_wait test to
reproduce regression in delay rename for lease break code.
via 3644afc38c7 rpc_server3: Fix a memleak for internal pipes
via 85b5657cbd6 spools: avoid leaking memory into the callers mem_ctx
via 890cc945e33 pidl: set the per-request memory context in the pidl
generator
from 42e7b36454d smbd: free open_rec state in
remove_deferred_open_message_smb2_internal()
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test
- Log -----------------------------------------------------------------
commit 7436dde6ef68826174b9f74a014e2a2040cb14a2
Author: Ralph Boehme <s...@samba.org>
Date: Mon Mar 29 12:24:39 2021 +0200
s3: smbd: fix deferred renames
This was broken by c7a9e0e4cdfb22e66533b5c8e20af3cfdb8ae78c.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14679
CI: https://gitlab.com/samba-team/samba/-/merge_requests/1875
Signed-off-by: Ralph Boehme <s...@samba.org>
Reviewed-by: Jeremy Allison <j...@amba.org>
Autobuild-User(master): Ralph Böhme <s...@samba.org>
Autobuild-Date(master): Wed Mar 31 06:13:39 UTC 2021 on sn-devel-184
(cherry picked from commit 10d753868e810604d8f60673bbd48f55aaff0797)
Autobuild-User(v4-13-test): Karolin Seeger <ksee...@samba.org>
Autobuild-Date(v4-13-test): Thu Apr 1 12:19:23 UTC 2021 on sn-devel-184
commit a85f79957407b0369166c63e30537b5170ba0ea7
Author: Jeremy Allison <j...@samba.org>
Date: Tue Mar 30 15:05:47 2021 -0700
s4: torture. Add smb2.lease.rename_wait test to reproduce regression in
delay rename for lease break code.
Passes against Windows 10. Add to knownfail, the
next commit will fix this.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14679
CI: https://gitlab.com/samba-team/samba/-/merge_requests/1875
Back-ported from 8d9a0b8d57713781c72440c7e91746b5d89e6f6a.
Signed-off-by: Jeremy Allison <j...@samba.org>
Reviewed-by: Ralph Boehme <s...@samba.org>
commit 3644afc38c726a19f39f1d4f96badfb7827fb1a4
Author: Volker Lendecke <v...@samba.org>
Date: Tue Mar 23 17:06:15 2021 +0100
rpc_server3: Fix a memleak for internal pipes
state->call should not be talloc'ed off a long-lived context
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14675
CI: https://gitlab.com/samba-team/samba/-/merge_requests/1861
RN: Memory leak in the RPC server
Signed-off-by: Volker Lendecke <v...@samba.org>
Reviewed-by: Samuel Cabrero <scabr...@samba.org>
Reviewed-by: Ralph Boehme <s...@samba.org>
Autobuild-User(master): Ralph Böhme <s...@samba.org>
Autobuild-Date(master): Wed Mar 31 12:14:01 UTC 2021 on sn-devel-184
(cherry picked from commit 12f516e4680753460e7fe8811e6c6ff70057580c)
commit 85b5657cbd685968045fcaad2e7d3323b902edc9
Author: Ralph Boehme <s...@samba.org>
Date: Mon Mar 22 12:06:39 2021 +0100
spools: avoid leaking memory into the callers mem_ctx
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14675
CI: https://gitlab.com/samba-team/samba/-/merge_requests/1861
Signed-off-by: Ralph Boehme <s...@samba.org>
Reviewed-by: Volker Lendecke <v...@samba.org>
(cherry picked from commit 481176ec745c14b78fca68e01a61c83405a4b97b)
commit 890cc945e338bbe3047bee45772330ec32feb5a2
Author: Ralph Boehme <s...@samba.org>
Date: Tue Mar 23 11:40:21 2021 +0100
pidl: set the per-request memory context in the pidl generator
The talloc memory context referenced by the pipe_struct mem_ctx member is
used
as talloc parent for RPC response data by the RPC service implementations.
In Samba versions up to 4.10 all talloc children of p->mem_ctx were freed
after
a RPC response was delivered by calling talloc_free_children(p->mem_ctx).
Commit
60fa8e255254d38e9443bf96f2c0f31430be6ab8 removed this call which resulted
in all
memory allocations on this context not getting released, which can consume
significant memory in long running RPC connections.
Instead of putting the talloc_free_children(p->mem_ctx) back, just use the
mem_ctx argument of the ${pipename}_op_dispatch_internal() function which
is a
dcesrv_call_state object created by dcesrv_process_ncacn_packet() and
released
by the RPC server when the RPC request processing is finished.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14675
CI: https://gitlab.com/samba-team/samba/-/merge_requests/1861
Signed-off-by: Ralph Boehme <s...@samba.org>
Reviewed-by: Volker Lendecke <v...@samba.org>
(cherry picked from commit 4c3fb2a5912966a61e7ebdb05eb3231a0e1d6033)
-----------------------------------------------------------------------
Summary of changes:
pidl/lib/Parse/Pidl/Samba4/NDR/ServerCompat.pm | 2 +
source3/rpc_server/rpc_handles.c | 6 -
source3/rpc_server/rpc_ncacn_np.c | 2 +-
source3/rpc_server/spoolss/srv_spoolss_nt.c | 6 +-
source3/smbd/smb2_setinfo.c | 1 +
source4/torture/smb2/lease.c | 145 +++++++++++++++++++++++++
6 files changed, 153 insertions(+), 9 deletions(-)
Changeset truncated at 500 lines:
diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/ServerCompat.pm
b/pidl/lib/Parse/Pidl/Samba4/NDR/ServerCompat.pm
index 54feea0a9ef..d1368c3dbca 100644
--- a/pidl/lib/Parse/Pidl/Samba4/NDR/ServerCompat.pm
+++ b/pidl/lib/Parse/Pidl/Samba4/NDR/ServerCompat.pm
@@ -299,6 +299,7 @@ sub boilerplate_iface($)
$self->pidl("/* Update pipes struct opnum */");
$self->pidl("p->opnum = opnum;");
$self->pidl("p->dce_call = dce_call;");
+ $self->pidl("p->mem_ctx = mem_ctx;");
$self->pidl("/* Update pipes struct session info */");
$self->pidl("pipe_session_info = p->session_info;");
$self->pidl("p->session_info = dce_call->auth_state->session_info;");
@@ -344,6 +345,7 @@ sub boilerplate_iface($)
$self->pidl("");
$self->pidl("p->dce_call = NULL;");
+ $self->pidl("p->mem_ctx = NULL;");
$self->pidl("/* Restore session info */");
$self->pidl("p->session_info = pipe_session_info;");
$self->pidl("p->auth.auth_type = 0;");
diff --git a/source3/rpc_server/rpc_handles.c b/source3/rpc_server/rpc_handles.c
index d897e0caabe..bcf8f240f63 100644
--- a/source3/rpc_server/rpc_handles.c
+++ b/source3/rpc_server/rpc_handles.c
@@ -60,12 +60,6 @@ int make_base_pipes_struct(TALLOC_CTX *mem_ctx,
return ENOMEM;
}
- p->mem_ctx = talloc_named(p, 0, "pipe %s %p", pipe_name, p);
- if (!p->mem_ctx) {
- talloc_free(p);
- return ENOMEM;
- }
-
p->msg_ctx = msg_ctx;
p->transport = transport;
diff --git a/source3/rpc_server/rpc_ncacn_np.c
b/source3/rpc_server/rpc_ncacn_np.c
index 625b28c9209..11f8a9b0602 100644
--- a/source3/rpc_server/rpc_ncacn_np.c
+++ b/source3/rpc_server/rpc_ncacn_np.c
@@ -541,7 +541,7 @@ static struct tevent_req
*rpcint_bh_raw_call_send(TALLOC_CTX *mem_ctx,
return tevent_req_post(req, ev);
}
- state->call = talloc_zero(hs->conn, struct dcesrv_call_state);
+ state->call = talloc_zero(state, struct dcesrv_call_state);
if (tevent_req_nomem(state->call, req)) {
return tevent_req_post(req, ev);
}
diff --git a/source3/rpc_server/spoolss/srv_spoolss_nt.c
b/source3/rpc_server/spoolss/srv_spoolss_nt.c
index 10c1b1d54f2..7951543747d 100644
--- a/source3/rpc_server/spoolss/srv_spoolss_nt.c
+++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c
@@ -5738,7 +5738,8 @@ static WERROR
construct_printer_driver_info_level(TALLOC_CTX *mem_ctx,
}
if (pinfo2->drivername == NULL || pinfo2->drivername[0] == '\0') {
- return WERR_UNKNOWN_PRINTER_DRIVER;
+ result = WERR_UNKNOWN_PRINTER_DRIVER;
+ goto done;
}
DBG_INFO("Construct printer driver [%s] for [%s]\n",
@@ -7030,7 +7031,8 @@ static WERROR update_printer(struct pipes_struct *p,
raddr = tsocket_address_inet_addr_string(p->remote_address,
p->mem_ctx);
if (raddr == NULL) {
- return WERR_NOT_ENOUGH_MEMORY;
+ result = WERR_NOT_ENOUGH_MEMORY;
+ goto done;
}
/* add_printer_hook() will call reload_services() */
diff --git a/source3/smbd/smb2_setinfo.c b/source3/smbd/smb2_setinfo.c
index 43dc232a6d6..7713cc2d55a 100644
--- a/source3/smbd/smb2_setinfo.c
+++ b/source3/smbd/smb2_setinfo.c
@@ -213,6 +213,7 @@ static bool delay_rename_lease_break_fn(
return false;
}
+ state->delay = true;
break_to = (e_lease_type & ~SMB2_LEASE_HANDLE);
send_break_message(
diff --git a/source4/torture/smb2/lease.c b/source4/torture/smb2/lease.c
index d3b8daea310..824db95a4b5 100644
--- a/source4/torture/smb2/lease.c
+++ b/source4/torture/smb2/lease.c
@@ -3722,6 +3722,148 @@ static bool test_lease_timeout(struct torture_context
*tctx,
return ret;
}
+static bool test_lease_rename_wait(struct torture_context *tctx,
+ struct smb2_tree *tree)
+{
+ TALLOC_CTX *mem_ctx = talloc_new(tctx);
+ struct smb2_create io;
+ struct smb2_lease ls1;
+ struct smb2_lease ls2;
+ struct smb2_lease ls3;
+ struct smb2_handle h1 = {{0}};
+ struct smb2_handle h2 = {{0}};
+ struct smb2_handle h3 = {{0}};
+ union smb_setfileinfo sinfo;
+ NTSTATUS status;
+ const char *fname_src = "lease_rename_src.dat";
+ const char *fname_dst = "lease_rename_dst.dat";
+ bool ret = true;
+ struct smb2_lease_break_ack ack = {};
+ struct smb2_request *rename_req = NULL;
+ uint32_t caps;
+ unsigned int i;
+
+ caps = smb2cli_conn_server_capabilities(tree->session->transport->conn);
+ if (!(caps & SMB2_CAP_LEASING)) {
+ torture_skip(tctx, "leases are not supported");
+ }
+
+ smb2_util_unlink(tree, fname_src);
+ smb2_util_unlink(tree, fname_dst);
+
+ /* Short timeout for fails. */
+ tree->session->transport->options.request_timeout = 15;
+
+ /* Grab a RH lease. */
+ smb2_lease_create(&io,
+ &ls1,
+ false,
+ fname_src,
+ LEASE1,
+ smb2_util_lease_state("RH"));
+ status = smb2_create(tree, mem_ctx, &io);
+ CHECK_STATUS(status, NT_STATUS_OK);
+ CHECK_CREATED(&io, CREATED, FILE_ATTRIBUTE_ARCHIVE);
+ CHECK_LEASE(&io, "RH", true, LEASE1, 0);
+ h1 = io.out.file.handle;
+
+ /* Second open with a RH lease. */
+ smb2_lease_create(&io,
+ &ls2,
+ false,
+ fname_src,
+ LEASE2,
+ smb2_util_lease_state("RH"));
+ io.in.create_disposition = NTCREATEX_DISP_OPEN;
+ io.in.desired_access = GENERIC_READ_ACCESS;
+ status = smb2_create(tree, mem_ctx, &io);
+ CHECK_STATUS(status, NT_STATUS_OK);
+ CHECK_CREATED(&io, EXISTED, FILE_ATTRIBUTE_ARCHIVE);
+ CHECK_LEASE(&io, "RH", true, LEASE2, 0);
+ h2 = io.out.file.handle;
+
+ /*
+ * Don't ack a lease break.
+ */
+ tree->session->transport->lease.handler = torture_lease_handler;
+ tree->session->transport->lease.private_data = tree;
+ torture_reset_lease_break_info(tctx, &lease_break_info);
+ lease_break_info.lease_skip_ack = true;
+
+ /* Break with a rename. */
+ ZERO_STRUCT(sinfo);
+ sinfo.rename_information.level = RAW_SFILEINFO_RENAME_INFORMATION;
+ sinfo.rename_information.in.file.handle = h1;
+ sinfo.rename_information.in.overwrite = true;
+ sinfo.rename_information.in.new_name = fname_dst;
+ rename_req = smb2_setinfo_file_send(tree, &sinfo);
+
+ torture_assert(tctx,
+ rename_req != NULL,
+ "smb2_setinfo_file_send");
+ torture_assert(tctx,
+ rename_req->state == SMB2_REQUEST_RECV,
+ "rename pending");
+
+ /* Try and open the destination with a RH lease. */
+ smb2_lease_create(&io,
+ &ls3,
+ false,
+ fname_dst,
+ LEASE3,
+ smb2_util_lease_state("RH"));
+ /* We want to open, not create. */
+ io.in.create_disposition = NTCREATEX_DISP_OPEN;
+ io.in.desired_access = GENERIC_READ_ACCESS;
+ status = smb2_create(tree, mem_ctx, &io);
+ CHECK_STATUS(status, NT_STATUS_OBJECT_NAME_NOT_FOUND);
+
+ /*
+ * The smb2_create() I/O should have picked up the break request
+ * caused by the pending rename.
+ */
+
+ /* Copy the break request. */
+ ack.in.lease.lease_key =
+ lease_break_info.lease_break.current_lease.lease_key;
+ ack.in.lease.lease_state =
+ lease_break_info.lease_break.new_lease_state;
+
+ /*
+ * Give the server 3 more chances to have renamed
+ * the file. Better than doing a sleep.
+ */
+ for (i = 0; i < 3; i++) {
+ status = smb2_create(tree, mem_ctx, &io);
+ CHECK_STATUS(status, NT_STATUS_OBJECT_NAME_NOT_FOUND);
+ }
+
+ /* Ack the break. The server is now free to rename. */
+ status = smb2_lease_break_ack(tree, &ack);
+ CHECK_STATUS(status, NT_STATUS_OK);
+
+ /* Get the rename reply. */
+ status = smb2_setinfo_recv(rename_req);
+ CHECK_STATUS(status, NT_STATUS_OK);
+
+ /* The target should now exist. */
+ status = smb2_create(tree, mem_ctx, &io);
+ CHECK_STATUS(status, NT_STATUS_OK);
+ h3 = io.out.file.handle;
+
+ done:
+ smb2_util_close(tree, h1);
+ smb2_util_close(tree, h2);
+ smb2_util_close(tree, h3);
+
+ smb2_util_unlink(tree, fname_src);
+ smb2_util_unlink(tree, fname_dst);
+
+ talloc_free(mem_ctx);
+
+ return ret;
+}
+
static bool test_lease_v2_rename(struct torture_context *tctx,
struct smb2_tree *tree)
{
@@ -4192,6 +4334,9 @@ struct torture_suite *torture_smb2_lease_init(TALLOC_CTX
*ctx)
torture_suite_add_1smb2_test(suite, "dynamic_share",
test_lease_dynamic_share);
torture_suite_add_1smb2_test(suite, "timeout", test_lease_timeout);
torture_suite_add_1smb2_test(suite, "unlink", test_lease_unlink);
+ torture_suite_add_1smb2_test(suite, "rename_wait",
+ test_lease_rename_wait);
+
suite->description = talloc_strdup(suite, "SMB2-LEASE tests");
--
Samba Shared Repository
