SMB kernel panic in smb_user_namecmp during MMC close file
While attempting to release a file lock from a CIFS shared file, using the MMC utility to close the open file, the system panicked.
Updated by Gordon Ross 4 months ago
Before #11031 the function smb_server_session_disconnect used to take a hold on each user object before operating on it. Taking the hold filters out user objects in states other than "LOGGED_ON", which is what this function wants.

After #11031 the hold is taken only after the user object is examined with smb_user_namecmp (to find out if it's one we should log off), so that may see incomplete user objects.

The fix is fairly simple: move the smb_user_hold call earlier, much as it was before #11031.
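The ordering problem described in this comment, as an added illustration in C. This is not illumos SMB server code: the user_t type, the state names and the user_hold/user_namecmp/user_logoff helpers are a simplified, hypothetical model that only loosely echoes the real ones. The model assumes a user object still logging on has no name set yet, so reading it before the hold is taken touches an incomplete object; the two walk functions differ only in whether the hold or the name compare comes first.

```c
#include <stddef.h>
#include <string.h>

/*
 * Hypothetical, simplified model of the hold-before-examine ordering.
 * Added illustration, not illumos code; names and layout are assumed.
 */
typedef enum {
	USER_STATE_LOGGING_ON,	/* session setup still in progress */
	USER_STATE_LOGGED_ON,	/* fully initialised, safe to examine */
	USER_STATE_LOGGING_OFF
} user_state_t;

typedef struct user {
	user_state_t	u_state;
	const char	*u_name;	/* assumed NULL until logon completes */
	int		u_refcnt;
} user_t;

/*
 * Take a hold on a user object. Only LOGGED_ON objects are eligible, so a
 * successful hold guarantees the caller is looking at a complete object.
 */
static int
user_hold(user_t *u)
{
	if (u->u_state != USER_STATE_LOGGED_ON)
		return (0);
	u->u_refcnt++;
	return (1);
}

static void
user_rele(user_t *u)
{
	u->u_refcnt--;
}

/*
 * Compare the account name. On an incomplete object u_name is NULL; the
 * real code would dereference it and panic, this model records the event.
 */
static int
user_namecmp(const user_t *u, const char *name, int *touched_incomplete)
{
	if (u->u_name == NULL) {
		*touched_incomplete = 1;
		return (0);
	}
	return (strcmp(u->u_name, name) == 0);
}

static void
user_logoff(user_t *u)
{
	u->u_state = USER_STATE_LOGGING_OFF;
}

/*
 * Broken ordering: examine the name first, take the hold afterwards.
 * Returns the number of users logged off; *touched_incomplete is set if
 * the walk read an object that was not fully set up.
 */
int
disconnect_compare_then_hold(user_t *users, size_t n, const char *name,
    int *touched_incomplete)
{
	int count = 0;
	*touched_incomplete = 0;
	for (size_t i = 0; i < n; i++) {
		user_t *u = &users[i];
		if (!user_namecmp(u, name, touched_incomplete))
			continue;
		if (!user_hold(u))
			continue;
		user_logoff(u);
		user_rele(u);
		count++;
	}
	return (count);
}

/*
 * Fixed ordering: take the hold first, so objects still logging on are
 * skipped before any of their fields are read.
 */
int
disconnect_hold_then_compare(user_t *users, size_t n, const char *name,
    int *touched_incomplete)
{
	int count = 0;
	*touched_incomplete = 0;
	for (size_t i = 0; i < n; i++) {
		user_t *u = &users[i];
		if (!user_hold(u))
			continue;
		if (user_namecmp(u, name, touched_incomplete)) {
			user_logoff(u);
			count++;
		}
		user_rele(u);
	}
	return (count);
}
```

With a list containing one LOGGING_ON object and two LOGGED_ON users, both walks log off the matching user, but only the compare-first walk reads the incomplete object on its way there; the hold-first walk never looks inside it. The hold also guarantees the refcount returns to zero for every object it touched.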
Updated by Gordon Ross 3 months ago
Testing: This is tricky to reproduce. We first need to arrange for the existence of an smb_user_t object in state LOGGING_ON and make it stay in that state for a while. The only easy way I know of to do that is to run a client under debug and put a breakpoint after the first SMB2_SESSION_SETUP command, leaving the client stopped in the debugger at that point. Check that we have an smb_user_t object in state LOGGING_ON by examining the SMB server state with mdb -k (::smblist). Then use "server manager" on a Windows client (with "connect to remote computer") and enumerate client sessions. Finally, do a "force disconnect" operation on the client we arranged to be in LOGGING_ON state above.
Updated by Electric Monk 3 months ago
- Status changed from In Progress to Closed
- % Done changed from 0 to 100
commit 896d95522971026bf88063d02c736529f8a884dd
Author: Gordon Ross <email@example.com>
Date: 2019-10-19T13:02:11.000Z

11831 SMB kernel panic in smb_user_namecmp during MMC close file
Reviewed by: Evan Layton <firstname.lastname@example.org>
Reviewed by: Matt Barden <email@example.com>
Reviewed by: Yuri Pankov <firstname.lastname@example.org>
Reviewed by: Andy Stormont <AStormont@racktopsystems.com>
Approved by: Robert Mustacchi <email@example.com>