Opened 9 years ago

Closed 8 years ago

Last modified 8 years ago

#259 closed defect (fixed)

Crash in NDCTL.EXE while browsing directory under PMView

Reported by: Lewis Rosenthal
Owned by:
Priority: major
Milestone:
Component: Samba Client Plugin
Version: Client 3.0.x
Keywords:
Cc:

Description

Directory contains several nested directories of image files, and is located on NetWare CIFS volume (SMB1). Browsing for several minutes, moving from one directory to another results in a crash. The relevant portion of log.smbc (I think) is:

[2015/07/13 09:25:19.777000,  3, pid=46, effective(0, 0), real(0, 0)] ../source3/lib/util_sock.c:617(open_socket_out_send)
  Connecting to 192.168.100.1 at port 139
[2015/07/13 09:25:19.799000,  5, pid=46, effective(0, 0), real(0, 0)] ../lib/util/util_net.c:890(print_socket_options)
  Socket options:
        SO_KEEPALIVE = 0
        SO_REUSEADDR = 0
        SO_BROADCAST = 0
        TCP_NODELAY = 4
        IPTOS_LOWDELAY = 0
        IPTOS_THROUGHPUT = 0
        Could not test socket option SO_REUSEPORT.
        SO_SNDBUF = 33580
        SO_RCVBUF = 33580
        SO_SNDLOWAT = 4096
        SO_RCVLOWAT = 1
        SO_SNDTIMEO = 0
        SO_RCVTIMEO = 0
[2015/07/13 09:25:19.801000,  4, pid=46, effective(0, 0), real(0, 0)] U:/DEV/samba-svn/trunk/client-4.x/src/smbwrp.c:272(smbwrp_connect)
   session request ok, c->timeout = 20000
[2015/07/13 09:25:19.844000,  0, pid=46, effective(0, 0), real(0, 0)] ../lib/util/talloc_stack.c:104(talloc_pop)
  Freed frame U:/DEV/samba-svn/trunk/client-4.x/src/smbwrp.c:1193, expected U:/DEV/samba-svn/trunk/client-4.x/src/smbwrp.c:1193.
[2015/07/13 09:25:20.055000,  0, pid=46, effective(0, 0), real(0, 0)] ../lib/util/debug.c:429(talloc_log_fn)
  talloc: access after free error - first free may be at U:/DEV/samba-svn/trunk/client-4.x/src/smbwrp.c:1251
[2015/07/13 09:25:20.057000,  0, pid=46, effective(0, 0), real(0, 0)] ../lib/util/debug.c:429(talloc_log_fn)
  Bad talloc magic value - access after free

Killed by SIGABRT
pid=0x002e ppid=0x0000 tid=0x0003 slot=0x0089 pri=0x0400 mc=0x0001 ps=0x0000
C:\NDFS\NDCTL.EXE
Process dumping was disabled, use DUMPPROC / PROCDUMP to enable it.

I have not tested with smbclient, yet, though I'm not sure I can even duplicate the conditions under smbclient (I can browse directories from a command line, but not from a file picker, as no drive letter mapping is possible with it).

Attachments (2)

log.smbc (98.3 KB) - added by Lewis Rosenthal 9 years ago.
Last 1,000 lines of log.smbc
log.smbc.smb2.zip (170.1 KB) - added by Lewis Rosenthal 9 years ago.
Complete log.smbc taken during crash under SMB2
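
Added example (not part of the original ticket or of the Samba client code): a small Python triage script that parses log.smbc debug records, rejoins hard-wrapped lines, and extracts the level-0 talloc reports together with the source sites they name. The embedded sample is the excerpt from the description above, kept with 80-column hard wraps so the rejoining logic is exercised; the function names are illustrative.

```python
import re

# Samba debug record header: [timestamp, level, pid=N, ...] source.c:line(function)
HEADER = re.compile(r"^\[(\S+ \S+),\s+(\d+), pid=(\d+),[^\]]*\]\s*(.*)$")

# Excerpt of the log.smbc output quoted in the ticket description (80-column wraps kept).
SAMPLE = """\
[2015/07/13 09:25:19.801000,  4, pid=46, effective(0, 0), real(0, 0)] U:/DEV/sam
ba-svn/trunk/client-4.x/src/smbwrp.c:272(smbwrp_connect)
   session request ok, c->timeout = 20000
[2015/07/13 09:25:19.844000,  0, pid=46, effective(0, 0), real(0, 0)] ../lib/uti
l/talloc_stack.c:104(talloc_pop)
  Freed frame U:/DEV/samba-svn/trunk/client-4.x/src/smbwrp.c:1193, expected U:/D
EV/samba-svn/trunk/client-4.x/src/smbwrp.c:1193.
[2015/07/13 09:25:20.055000,  0, pid=46, effective(0, 0), real(0, 0)] ../lib/uti
l/debug.c:429(talloc_log_fn)
  talloc: access after free error - first free may be at U:/DEV/samba-svn/trunk/
client-4.x/src/smbwrp.c:1251
[2015/07/13 09:25:20.057000,  0, pid=46, effective(0, 0), real(0, 0)] ../lib/uti
l/debug.c:429(talloc_log_fn)
  Bad talloc magic value - access after free

Killed by SIGABRT
"""

def parse_records(text):
    """Split a log into records, rejoining lines that were hard-wrapped."""
    records, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"ts": m[1], "level": int(m[2]), "pid": int(m[3]), "src": m[4], "msg": ""}
            records.append(cur)
        elif cur is None or not line.strip():
            cur = None                      # blank line ends the debug output (crash trailer follows)
        elif line[0].isspace():
            cur["msg"] += (" " if cur["msg"] else "") + line.strip()  # new message line
        elif cur["msg"]:
            cur["msg"] += line              # wrapped tail of a message line
        else:
            cur["src"] += line              # wrapped tail of the header's source path
    return records

def talloc_findings(records):
    """Level-0 talloc complaints plus the distinct source sites each one names."""
    return [(r["ts"], r["src"], sorted(set(re.findall(r"\w+\.c:\d+", r["msg"]))))
            for r in records
            if r["level"] == 0 and re.search(r"Freed frame|access after free", r["msg"])]
```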


Change History (5)

by Lewis Rosenthal, 9 years ago

Attachment: log.smbc added

Last 1,000 lines of log.smbc

comment:1 by Lewis Rosenthal, 9 years ago

This issue (or an unrelated one with similar symptoms) occurs against a Samba 4.1.8 share served from openSuSE 13.2 with only a handful of image files in it. The end of log.ndpsmb says:

2015/07/13 10:00:35.10: 9 3: NdpFindStart: dir [\Images\], dir_mask [*.*], mask [\Images\*], szPath [Images\*.*]
2015/07/13 10:00:35.10: 4 3:  smbwrp_filelist
2015/07/13 10:00:35.10: 1 3: Filelist <\Images\*> on master <WORKGROUP> wgrp <workgroup> server <dp45sg.randr> share <Test> clidev <(null)>
2015/07/13 10:00:35.10: 1 3: list_files
2015/07/13 10:00:35.10: 4 3: SMB2 detected, calling list_files_smb2()
2015/07/13 10:00:35.10: 1 3: list_files_smb
2015/07/13 10:00:35.10: 9 2: NdpCreateConnection in
2015/07/13 10:00:35.11: 9 2: NdpCreateConnection send CONNECT
2015/07/13 10:00:35.11: 1 2: Connecting to \\lewis:*********@workgroup:dp45sg.randr\Test. Master WORKGROUP:1

at which point the control program crashes with the following in log.smbc:

[2015/07/13 10:00:35.111000,  5, pid=181, effective(0, 0), real(0, 0)] ../lib/tdb_wrap/tdb_wrap.c:65(tdb_wrap_log)
  tdb(C:\MPTN\ETC/samba/lock/gencache_notrans.tdb): fcntl_lock: (fd=11) offset=424 rw_type=1 len=1 waitflag=1 (rc=0) pid=181
[2015/07/13 10:00:35.113000,  5, pid=181, effective(0, 0), real(0, 0)] ../lib/tdb_wrap/tdb_wrap.c:65(tdb_wrap_log)
  tdb(C:\MPTN\ETC/samba/lock/gencache_notrans.tdb): fcntl_unlock: (fd=11) offset=424 rw_type=1 len=1 (rc=0) pid=181
[2015/07/13 10:00:35.113000,  5, pid=181, effective(0, 0), real(0, 0)] ../source3/libsmb/namecache.c:165(namecache_fetch)
  name dp45sg.randr#20 found.
[2015/07/13 10:00:35.113000, 10, pid=181, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:1110(remove_duplicate_addrs2)
  remove_duplicate_addrs2: looking for duplicate address/port pairs
[2015/07/13 10:00:35.113000,  3, pid=181, effective(0, 0), real(0, 0)] ../source3/lib/util_sock.c:617(open_socket_out_send)
  Connecting to 192.168.100.18 at port 139

(complete log.smbc, attached as log.smbc.smb2.zip).

When running dir on the directory from 4OS2, there is a noticeable delay before the results are displayed. From CMD, there is no delay, though the results are displayed more slowly. The directory contains the following:

Volume in drive K is NETDRIVE
Directory of  K:\Images\*

7-13-15  10:09         <DIR>        0  .
7-13-15  10:09         <DIR>        0  ..
7-04-15  17:33         <DIR>        0  Samba
7-04-15  17:33         <DIR>        0  YUMIE
7-04-15  17:33           3,491      0  64px-BC_Logo_.ico
7-04-15  17:33           2,409    124  64px-BC_Logo_.png
7-04-15  17:33          36,199      0  artdeco.jpg
7-04-15  17:33             641      0  beach.jpg
7-04-15  17:33          51,648      0  bikes.jpg
7-04-15  17:33          52,750    124  branding.bmp
7-04-15  17:33          32,325  9,577  Captured001.png
7-04-15  17:33          21,610  9,577  Captured002.png
7-04-15  17:33          13,711  9,577  Captured003.png
7-04-15  17:33          16,943  9,577  Captured004.png
7-04-15  17:33           8,085  9,577  Captured005.png
7-04-15  17:33          36,927  9,577  Captured007.png
7-04-15  17:33          11,855  9,577  Captured008.png
7-04-15  17:33          10,548  9,577  Captured009.png
7-04-15  17:33          14,886  9,577  Captured010.png
7-04-15  17:33          40,492      0  city.jpg
7-04-15  17:33           2,585  9,577  default-logo-branding-1024x768.png
7-04-15  17:33           4,502      0  electrum.ico
7-04-15  17:33           9,322    124  electrum.png
7-04-15  17:33          31,452      0  flower.jpg
7-04-15  17:33          10,645  9,577  startcom-ca-list-ff-24-8-1.png
7-04-15  17:33           1,605  9,577  yumie-062-update-from-available-list-not-selectable.png
7-04-15  17:33          28,272  9,577  yumie-063-after-package-update-fresh-search-results-contents.png
7-04-15  17:33          34,046  9,577  yumie-063-after-package-update-installed-contents.png
7-04-15  17:33           9,210  9,577  yumie-063-after-package-update-search-results-contents.png
7-04-15  17:33             893  9,577  yumie-063-before-package-update-installed-contents.png
7-04-15  17:33          29,447  9,577  yumie-063-before-package-update-search-results-contents.png
7-04-15  17:33          26,402  9,577  yumie-063-search-results-contents-after-clearing-and-refreshing.png
7-04-15  17:33          10,610  9,577  yumie-070-error-message.png
7-04-15  17:33          38,201  9,577  yumie-070-lost-help-tooltip.png
7-04-15  17:33          28,880  9,577  yumie-070-truncated-filter-field.png
7-04-15  17:33          14,682  9,577  yumie-072-unreadable-log-text.png
7-04-15  17:33           5,015  9,577  yumie-072-vertical-error-text.png
7-04-15  17:33           2,147  9,577  yumie-075update-fixed-error-text.png
7-04-15  17:33           2,087      0  yumie-pics.zip
        644,523 bytes in 35 files and 4 dirs
        665,600 bytes allocated
465,719,894,016 bytes (433GB) free

As this occurs under SMB2, I can't tell yet whether this is the same crash. EAs are properly read from the other directories. The above directory is also a light table object. Opening it on the desktop takes a considerable amount of time and high CPU (but no crash).


by Lewis Rosenthal, 9 years ago

Attachment: log.smbc.smb2.zip added

Complete log.smbc taken during crash under SMB2

comment:2 by Paul Smedley, 9 years ago

I meant to comment here yesterday; the 20150716a.zip and 20150716b.zip have a potential fix for this issue.

comment:3 by Lewis Rosenthal, 8 years ago

Resolution: fixed
Status: new → closed

I can no longer reproduce this condition, either over SMB1 (without EA support on the server side; NetWare CIFS) or SMB3_11 with full EA support (XFS partition on the server side) with:

6-22-16 3:51 13,953,656 124 ndpsmb.dll

I was able to traverse the directory tree from PMView 3.75, create thumbnails on the fly, delete files, delete directories, move files between directories, switch from one mapped volume to another, and even ran a slideshow (of the Developers Workshop 2005) from across the LAN.

Performance could be improved, but that is a separate issue and there are many factors (including the server) to consider. No matter; I could not get NDCTL.EXE to crash.
