Samba server crashes with segv in yield_connection on file read.

Bug #686627 reported by Manolo Cabezabolo
Affects: samba (Ubuntu) | Status: Confirmed | Importance: Undecided | Assigned to: Serge Hallyn

Bug Description

Binary package hint: samba

#lsb_release -rd
Description: Ubuntu 10.04.1 LTS
Release: 10.04

root@tulga:~# apt-cache policy samba
samba:
  Instalados: 2:3.4.7~dfsg-1ubuntu3.2
  Candidato: 2:3.4.7~dfsg-1ubuntu3.2
  Tabla de versión:
 *** 2:3.4.7~dfsg-1ubuntu3.2 0
        500 http://es.archive.ubuntu.com/ubuntu/ lucid-updates/main Packages
        500 http://es.archive.ubuntu.com/ubuntu/ lucid-security/main Packages
        100 /var/lib/dpkg/status
     2:3.4.7~dfsg-1ubuntu3 0
        500 http://es.archive.ubuntu.com/ubuntu/ lucid/main Packages

[Thread debugging using libthread_db enabled]
0x0060a422 in __kernel_vsyscall ()
#0 0x0060a422 in __kernel_vsyscall ()
#1 0x00ffe7d3 in waitpid () from /lib/tls/i686/cmov/libc.so.6
#2 0x00f9fde3 in ?? () from /lib/tls/i686/cmov/libc.so.6
#3 0x0013f27d in system () from /lib/tls/i686/cmov/libpthread.so.0
#4 0x00b2076d in smb_panic (why=0xec66e2 "internal error") at lib/util.c:1486
#5 0x00b0dc8e in fault_report (sig=11) at lib/fault.c:52
#6 sig_fault (sig=11) at lib/fault.c:75
#7 <signal handler called>
#8 0x00fda7a0 in ?? () from /lib/tls/i686/cmov/libc.so.6
#9 0x00af5cc8 in rep_strlcpy (d=0xbfd7356c "", s=0x0, bufsize=256)
   at ../lib/replace/replace.c:65
#10 0x00b2eed7 in connections_fetch_entry (mem_ctx=0x0, conn=0x21656960,
   name=0x0) at lib/conn_tdb.c:65
#11 0x0089091f in yield_connection (conn=0x21656960, name=0x0)
   at smbd/connection.c:33
#12 0x0090509e in close_cnum (conn=0x21656960, vuid=100) at smbd/service.c:1245
#13 0x008b7818 in reply_tdis (req=0x2165d280) at smbd/reply.c:4747
#14 0x00903c0e in switch_message (type=<value optimized out>, req=0x2165d280,
   size=39) at smbd/process.c:1377
#15 0x0090407d in construct_reply (conn=<value optimized out>,
   inbuf=<value optimized out>, nread=39, unread_bytes=0,
   encrypted=<value optimized out>, deferred_pcd=0x0) at smbd/process.c:1408
#16 process_smb (conn=<value optimized out>, inbuf=<value optimized out>,
   nread=39, unread_bytes=0, encrypted=<value optimized out>,
   deferred_pcd=0x0) at smbd/process.c:1471
#17 0x00904958 in smbd_server_connection_read_handler (ev=0x21648050,
   fde=0x215a9e18, flags=<value optimized out>, private_data=0x215a9368)
   at smbd/process.c:1887
#18 smbd_server_connection_handler (ev=0x21648050, fde=0x215a9e18,
   flags=<value optimized out>, private_data=0x215a9368)
   at smbd/process.c:1901
#19 0x00b31d24 in run_events (ev=0x21648050, selrtn=1, read_fds=0xbfd73a6c,
   write_fds=0xbfd739ec) at lib/events.c:126
#20 0x009034a2 in smbd_server_connection_loop_once () at smbd/process.c:820
#21 smbd_process () at smbd/process.c:2178
#22 0x00e06a38 in smbd_accept_connection (ev=0x21648050, fde=0x2165a788,
   flags=1, private_data=0x2165ae10) at smbd/server.c:395
#23 0x00b31d24 in run_events (ev=0x21648050, selrtn=1, read_fds=0xbfd73d7c,
   write_fds=0xbfd73cfc) at lib/events.c:126
#24 0x00b31fcf in s3_event_loop_once (ev=0x21648050,
   location=0xf500cb "smbd/server.c:681") at lib/events.c:185
#25 0x00b32618 in _tevent_loop_once (ev=0x21648050,
   location=0xf500cb "smbd/server.c:681") at ../lib/tevent/tevent.c:490
#26 0x00e0777a in smbd_parent_loop (argc=2, argv=0xbfd741b4)
   at smbd/server.c:681
#27 main (argc=2, argv=0xbfd741b4) at smbd/server.c:1251
A debugging session is active.

       Inferior 1 [process 2892] will be detached.

Quit anyway? (y or n) [answered Y; input not from terminal]
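Frame #9 of the backtrace is rep_strlcpy entered with s=0x0, reached because close_cnum and yield_connection pass name=0x0 down to connections_fetch_entry. The following is an added illustration, not Samba's code: the same pattern in miniature, with the guard placed in the entry builder before the copy. The names conn_key, copy_bounded and build_key are constructed for this example.

```c
#include <string.h>
/* Constructed illustration, not Samba's code: a connection record keyed by a
 * fixed-size share name, like the entry connections_fetch_entry fills in. */
#define NAME_MAX 256
struct conn_key { int pid; int cnum; char name[NAME_MAX]; };
/* strlcpy-style bounded copy returning strlen(src). With src == NULL the strlen
 * dereferences a null pointer: frame #9 of the trace, rep_strlcpy with s=0x0. */
static size_t copy_bounded(char *dst, const char *src, size_t size)
{
    size_t len = strlen(src);
    if (size > 0) {
        size_t n = len < size - 1 ? len : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return len;
}
/* Hardened entry builder: reject a NULL name (-1) and report truncation (-2)
 * instead of passing the raw pointer on, which is what the trace shows. */
static int build_key(struct conn_key *k, int pid, int cnum, const char *name)
{
    if (k == NULL || name == NULL)
        return -1;
    memset(k, 0, sizeof *k);
    k->pid = pid; k->cnum = cnum;
    if (copy_bounded(k->name, name, sizeof k->name) >= sizeof k->name)
        return -2;
    return 0;
}
/* The trace's situation (yield_connection with name=0x0): -1, not a crash. */
static int demo_null_name(void)
{
    struct conn_key k;
    return build_key(&k, 2892, 1, NULL);
}
/* A normal share name: returns 1 when the code is 0 and the copy is intact. */
static int demo_valid_name(void)
{
    struct conn_key k;
    return build_key(&k, 2892, 1, "public") == 0 && strcmp(k.name, "public") == 0;
}
/* A name longer than the buffer: -2 rather than a silently cut key. */
static int demo_long_name(void)
{
    struct conn_key k; char big[NAME_MAX + 8];
    memset(big, 'a', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return build_key(&k, 2892, 1, big);
}
```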

Serge Hallyn (serge-hallyn) wrote :

Thanks for reporting this bug and helping to make Ubuntu better.

Do you get this error any time you start up samba, or only when reading
a particular file?

Changed in samba (Ubuntu):
status: New → Incomplete
Manolo Cabezabolo (hphrey) wrote :

Hi Serge,
Thank you for helping.
I get this error when a file is read through samba. It happens sometimes and sometimes not. I don't know what the circumstances are that make it happen. If you want me to do further tests, I will be glad to help you.

Serge Hallyn (serge-hallyn) wrote :

When this happens, do you get any kernel oops in syslog? If so, can you
attach them?

Serge Hallyn (serge-hallyn) wrote :

In addition to the information requested in comment #3, please
append your samba configuration files. What sort of machines are
the client and the server, and on which do you get the bug?

Manolo Cabezabolo (hphrey) wrote :

Sorry. Nothing of interest in syslog.

The server is a
model name : Intel(R) Core(TM)2 Duo CPU E6550 @ 2.33GHz running an Ubuntu 10.04.1 LTS 64-bit version.
The clients are always Windows XP Professional SP2/3 32-bit.
We get the bug on the server.

The smb.conf file is attached. You will find no share in this file. It is the package default one. The share is shared using the "Share this folder" option in nautilus.

Another stack trace follows:

[Thread debugging using libthread_db enabled]
0x00ee1422 in __kernel_vsyscall ()
#0 0x00ee1422 in __kernel_vsyscall ()
#1 0x004917d3 in waitpid () from /lib/tls/i686/cmov/libc.so.6
#2 0x00432de3 in ?? () from /lib/tls/i686/cmov/libc.so.6
#3 0x003b927d in system () from /lib/tls/i686/cmov/libpthread.so.0
#4 0x008a476d in smb_panic (why=0xc4a6e2 "internal error") at lib/util.c:1486
#5 0x00891c8e in fault_report (sig=11) at lib/fault.c:52
#6 sig_fault (sig=11) at lib/fault.c:75
#7 <signal handler called>
#8 0x0046d7a0 in ?? () from /lib/tls/i686/cmov/libc.so.6
#9 0x00879cc8 in rep_strlcpy (d=0xbfc80b4c "", s=0x0, bufsize=256)
   at ../lib/replace/replace.c:65
#10 0x008b2ed7 in connections_fetch_entry (mem_ctx=0x0, conn=0x21abdec8,
   name=0x0) at lib/conn_tdb.c:65
#11 0x0061491f in yield_connection (conn=0x21abdec8, name=0x0)
   at smbd/connection.c:33
#12 0x0068909e in close_cnum (conn=0x21abdec8, vuid=101) at smbd/service.c:1245
#13 0x0063b818 in reply_tdis (req=0x21ac5278) at smbd/reply.c:4747
#14 0x00687c0e in switch_message (type=<value optimized out>, req=0x21ac5278,
   size=39) at smbd/process.c:1377
#15 0x0068807d in construct_reply (conn=<value optimized out>,
   inbuf=<value optimized out>, nread=39, unread_bytes=0,
   encrypted=<value optimized out>, deferred_pcd=0x0) at smbd/process.c:1408
#16 process_smb (conn=<value optimized out>, inbuf=<value optimized out>,
   nread=39, unread_bytes=0, encrypted=<value optimized out>,
   deferred_pcd=0x0) at smbd/process.c:1471
#17 0x00688958 in smbd_server_connection_read_handler (ev=0x21ab0050,
   fde=0x21a11e18, flags=<value optimized out>, private_data=0x21a11368)
   at smbd/process.c:1887
#18 smbd_server_connection_handler (ev=0x21ab0050, fde=0x21a11e18,
   flags=<value optimized out>, private_data=0x21a11368)
   at smbd/process.c:1901
#19 0x008b5d24 in run_events (ev=0x21ab0050, selrtn=1, read_fds=0xbfc8104c,
   write_fds=0xbfc80fcc) at lib/events.c:126
#20 0x006874a2 in smbd_server_connection_loop_once () at smbd/process.c:820
#21 smbd_process () at smbd/process.c:2178
#22 0x00b8aa38 in smbd_accept_connection (ev=0x21ab0050, fde=0x21ac2780,
   flags=1, private_data=0x21ac2e08) at smbd/server.c:395
#23 0x008b5d24 in run_events (ev=0x21ab0050, selrtn=1, read_fds=0xbfc8135c,
   write_fds=0xbfc812dc) at lib/events.c:126
#24 0x008b5fcf in s3_event_loop_once (ev=0x21ab0050,
   location=0xcd40cb "smbd/server.c:681") at lib/events.c:185
#25 0x008b6618 in _tevent_loop_once (ev=0x21ab0050,
   location=0xcd40cb "smbd/server.c:681") at ../lib/tevent/tevent.c:490
#26 0x00b8b77a in smbd_parent_loop (argc=2, argv=0xbfc81794)
   at smbd/server.c:681
#27 main (argc=2, argv=0xbfc81794) at smbd/server.c:1251
A debugging session is active.

   ...

Serge Hallyn (serge-hallyn) wrote :

Thanks, Manolo. The upstream bug doesn't seem to be going anywhere, so I
will try and reproduce this in a custom environment to see if I can find out any
more.

summary: - Samba server crashes on file read.
+ Samba server crashes with segv in yield_connection on file read.
Changed in samba (Ubuntu):
status: Incomplete → Confirmed
assignee: nobody → Serge Hallyn (serge-hallyn)