997324 – libsmbclient keeps segfaulting on mount/umount

Bug 997324 - libsmbclient keeps segfaulting on mount/umount

Summary: libsmbclient keeps segfaulting on mount/umount

Keywords:
Status:	CLOSED DUPLICATE of bug 953622
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	gvfs
Sub Component:
Version:	20
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Assignee:	Ondrej Holy
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-08-15 07:32 UTC by Bojan Smojver
Modified:	2015-02-24 14:38 UTC (History)
CC List:	10 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-02-24 14:38:47 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Bojan Smojver 2013-08-15 07:32:16 UTC

Description of problem:
Have a Twonky server on my router that runs Samba shares. Many times when I try to mount or umount such a share from Files in Gnome (as an unprivileged user), I get a segfault in libsmbclient. Like this:

[ 9528.407855] pool[7436]: segfault at 170 ip 0000003a3f00a87c sp 00007f6a897f88d0 error 4 in libsmbclient.so.0.2.0[3a3f000000+22000]

If I repeat the operation, it will work fine.

Version-Release number of selected component (if applicable):
libsmbclient-4.0.8-1.fc19.x86_64

How reproducible:
Most of the time.

Steps to Reproduce:
1. Mount a Samba share using Files.
2. or
3. Unmount a Samba share using Files.

Actual results:
Segfault, which brings Files down.

Expected results:
Should work, like it works sometimes.

Additional info:

Comment 1 Bojan Smojver 2013-08-26 22:13:52 UTC

Still seems to be crashing with the just updated libsmbclient-4.0.9-1.fc19.x86_64.

Comment 2 Andreas Schneider 2013-09-04 08:53:37 UTC

Can you install debug packages and get us a full backtrace of the crash?

Comment 3 Bojan Smojver 2013-09-05 02:03:13 UTC

From gdb:
-------------------------
(gdb) c
Continuing.
[New Thread 0x7ff96f490700 (LWP 27454)]
[New Thread 0x7ff97a9b1700 (LWP 27480)]
[Thread 0x7ff97a9b1700 (LWP 27480) exited]

Program received signal SIGABRT, Aborted.
0x0000003568a35a19 in __GI_raise (sig=sig@entry=6)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56	  return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
(gdb) t a a bt

Thread 5 (Thread 0x7ff96f490700 (LWP 27454)):
#0  pthread_cond_timedwait@@GLIBC_2.3.2 ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:238
#1  0x000000356ae875b5 in g_cond_wait_until (cond=cond@entry=0x2854758, 
    mutex=mutex@entry=0x2854750, end_time=end_time@entry=97741643428)
    at gthread-posix.c:859
#2  0x000000356ae1eaf1 in g_async_queue_pop_intern_unlocked (
    queue=queue@entry=0x2854750, wait=wait@entry=1, 
    end_time=end_time@entry=97741643428) at gasyncqueue.c:424
#3  0x000000356ae1f07b in g_async_queue_timeout_pop (queue=0x2854750, 
    timeout=timeout@entry=15000000) at gasyncqueue.c:545
#4  0x000000356ae6cc16 in g_thread_pool_wait_for_new_pool ()
    at gthreadpool.c:169
#5  g_thread_pool_thread_proxy (data=<optimized out>) at gthreadpool.c:366
#6  0x000000356ae6c185 in g_thread_proxy (data=0x7ff98003e770) at gthread.c:798
#7  0x0000003568e07c53 in start_thread (arg=0x7ff96f490700)
    at pthread_create.c:308
#8  0x0000003568af5d3d in clone ()
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113

Thread 4 (Thread 0x7ff98e1f6700 (LWP 16410)):
#0  0x0000003568aeb76d in poll () at ../sysdeps/unix/syscall-template.S:81
---Type <return> to continue, or q <return> to quit---
#1  0x000000356ae480f4 in g_main_context_poll (priority=2147483647, n_fds=11, 
    fds=0x7ff98807bb00, timeout=-1, context=0x2768d20) at gmain.c:3995
#2  g_main_context_iterate (context=0x2768d20, block=block@entry=1, 
    dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3696
#3  0x000000356ae4855a in g_main_loop_run (loop=0x2768cb0) at gmain.c:3895
#4  0x000000356c2c6d66 in gdbus_shared_thread_func (user_data=0x2768cf0)
    at gdbusprivate.c:278
#5  0x000000356ae6c185 in g_thread_proxy (data=0x2767630) at gthread.c:798
#6  0x0000003568e07c53 in start_thread (arg=0x7ff98e1f6700)
    at pthread_create.c:308
#7  0x0000003568af5d3d in clone ()
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113

Thread 3 (Thread 0x7ff987fff700 (LWP 16412)):
#0  0x0000003568aeb76d in poll () at ../sysdeps/unix/syscall-template.S:81
#1  0x000000356ae480f4 in g_main_context_poll (priority=2147483647, n_fds=1, 
    fds=0x7ff97c0010c0, timeout=-1, context=0x284dd60) at gmain.c:3995
#2  g_main_context_iterate (context=context@entry=0x284dd60, 
    block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>)
    at gmain.c:3696
#3  0x000000356ae481fc in g_main_context_iteration (context=0x284dd60, 
    may_block=1) at gmain.c:3762
#4  0x00007ff98c1799cd in dconf_gdbus_worker_thread ()
---Type <return> to continue, or q <return> to quit---
   from /usr/lib64/gio/modules/libdconfsettings.so
#5  0x000000356ae6c185 in g_thread_proxy (data=0x2810400) at gthread.c:798
#6  0x0000003568e07c53 in start_thread (arg=0x7ff987fff700)
    at pthread_create.c:308
#7  0x0000003568af5d3d in clone ()
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113

Thread 2 (Thread 0x7ff985a8e700 (LWP 16413)):
#0  0x0000003568aeb76d in poll () at ../sysdeps/unix/syscall-template.S:81
#1  0x000000356ae480f4 in g_main_context_poll (priority=2147483647, n_fds=1, 
    fds=0x7ff9740008c0, timeout=5566, context=0x7ff980008bc0) at gmain.c:3995
#2  g_main_context_iterate (context=context@entry=0x7ff980008bc0, 
    block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>)
    at gmain.c:3696
#3  0x000000356ae481fc in g_main_context_iteration (context=0x7ff980008bc0, 
    may_block=may_block@entry=1) at gmain.c:3762
#4  0x000000356ae48249 in glib_worker_main (data=<optimized out>)
    at gmain.c:5427
#5  0x000000356ae6c185 in g_thread_proxy (data=0x7ff980009000) at gthread.c:798
#6  0x0000003568e07c53 in start_thread (arg=0x7ff985a8e700)
    at pthread_create.c:308
#7  0x0000003568af5d3d in clone ()
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113
---Type <return> to continue, or q <return> to quit---

Thread 1 (Thread 0x7ff99471ca40 (LWP 16407)):
#0  0x0000003568a35a19 in __GI_raise (sig=sig@entry=6)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x0000003568a37128 in __GI_abort () at abort.c:90
#2  0x000000356ae6bbc6 in g_assertion_message (domain=domain@entry=0x0, 
    file=file@entry=0x4fe603 "nautilus-bookmark.c", line=line@entry=350, 
    func=func@entry=0x4fec10 <__PRETTY_FUNCTION__.48349> "nautilus_bookmark_connect_file", message=<optimized out>) at gtestutils.c:1912
#3  0x000000356ae6bc24 in g_assertion_message_expr (domain=domain@entry=0x0, 
    file=file@entry=0x4fe603 "nautilus-bookmark.c", line=line@entry=350, 
    func=func@entry=0x4fec10 <__PRETTY_FUNCTION__.48349> "nautilus_bookmark_connect_file", 
    expr=expr@entry=0x4fe918 "!nautilus_file_is_gone (bookmark->details->file)") at gtestutils.c:1923
#4  0x0000000000482aa9 in nautilus_bookmark_connect_file (
    bookmark=bookmark@entry=0x7ff98000c920) at nautilus-bookmark.c:350
#5  0x0000000000482af4 in nautilus_bookmark_constructed (obj=<optimized out>)
    at nautilus-bookmark.c:549
#6  0x000000356b615f95 in g_object_newv (
    object_type=object_type@entry=45116304, n_parameters=n_parameters@entry=3, 
    parameters=parameters@entry=0x2afdbb0) at gobject.c:1747
#7  0x000000356b6162e6 in g_object_new_valist (
---Type <return> to continue, or q <return> to quit---
    object_type=object_type@entry=45116304, 
    first_property_name=first_property_name@entry=0x4fae64 "location", 
    var_args=var_args@entry=0x7fff2c076048) at gobject.c:1836
#8  0x000000356b616654 in g_object_new (object_type=45116304, 
    first_property_name=first_property_name@entry=0x4fae64 "location")
    at gobject.c:1551
#9  0x0000000000482e64 in nautilus_bookmark_new (
    location=location@entry=0x2d792c0, 
    custom_name=custom_name@entry=0x2d17610 "") at nautilus-bookmark.c:756
#10 0x0000000000476dd0 in nautilus_window_slot_update_bookmark (
    file=0x2bce1b0, slot=0x7ff98800d7d0) at nautilus-window-slot.c:1848
#11 nautilus_window_slot_update_for_new_location (slot=0x7ff98800d7d0)
    at nautilus-window-slot.c:2133
#12 location_has_really_changed (slot=0x7ff98800d7d0)
    at nautilus-window-slot.c:2389
#13 view_begin_loading_cb (view=<optimized out>, slot=0x7ff98800d7d0)
    at nautilus-window-slot.c:2310
#14 0x000000356b60fa28 in g_closure_invoke (closure=0x2ccf910, 
    return_value=return_value@entry=0x0, n_param_values=1, 
    param_values=param_values@entry=0x7fff2c076340, 
    invocation_hint=invocation_hint@entry=0x7fff2c0762e0) at gclosure.c:777
#15 0x000000356b620a3d in signal_emit_unlocked_R (node=node@entry=0x2a52850, 
    detail=detail@entry=0, instance=instance@entry=0x2ace3b0, 
---Type <return> to continue, or q <return> to quit---
    emission_return=emission_return@entry=0x0, 
    instance_and_params=instance_and_params@entry=0x7fff2c076340)
    at gsignal.c:3584
#16 0x000000356b628829 in g_signal_emit_valist (instance=<optimized out>, 
    signal_id=<optimized out>, detail=<optimized out>, 
    var_args=var_args@entry=0x7fff2c0764c8) at gsignal.c:3328
#17 0x000000356b628a72 in g_signal_emit (instance=instance@entry=0x2ace3b0, 
    signal_id=<optimized out>, detail=detail@entry=0) at gsignal.c:3384
#18 0x00000000004669cb in finish_loading (view=0x2ace3b0)
    at nautilus-view.c:9144
#19 finish_loading_if_all_metadata_loaded (view=view@entry=0x2ace3b0)
    at nautilus-view.c:9203
#20 0x0000000000466cd5 in metadata_for_directory_as_file_ready_callback (
    file=0x2bce1b0, callback_data=0x2ace3b0) at nautilus-view.c:9223
#21 0x00000000004a40eb in call_ready_callbacks_at_idle (
    callback_data=<optimized out>) at nautilus-directory-async.c:1855
#22 0x000000356ae47e06 in g_main_dispatch (context=0x27580c0) at gmain.c:3054
#23 g_main_context_dispatch (context=context@entry=0x27580c0) at gmain.c:3630
#24 0x000000356ae48158 in g_main_context_iterate (
    context=context@entry=0x27580c0, block=block@entry=1, 
    dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3701
#25 0x000000356ae481fc in g_main_context_iteration (context=0x27580c0, 
    context@entry=0x0, may_block=may_block@entry=1) at gmain.c:3762
---Type <return> to continue, or q <return> to quit---
#26 0x000000356c296744 in g_application_run (application=0x2734000, 
    argc=argc@entry=2, argv=argv@entry=0x7fff2c076868) at gapplication.c:1623
#27 0x000000000042a42b in main (argc=2, argv=0x7fff2c076868)
    at nautilus-main.c:104
-------------------------

dmesg had:
-------------------------
[96074.578099] pool[27129]: segfault at 170 ip 00000035a12125c8 sp 00007fa52cbf1be0 error 4 in libsmbclient.so.0.2.0[35a1200000+22000]
-------------------------

Comment 4 Bojan Smojver 2013-09-05 02:05:06 UTC

BTW, the backtrace is of nautilus, of course.

Comment 5 Andreas Schneider 2014-01-14 16:53:27 UTC

I guess there is a issue in gvfs where they free the context and when a another smbc function tries to use it, it fails dereferencing the pointer.

The smbc context pointer should be set to NULL after it has been freed. Note libsmbclient doesn't call smb_free_context(). The application using libsmbclient needs to call it.

Comment 6 Ondrej Holy 2015-02-24 14:38:47 UTC


*** This bug has been marked as a duplicate of bug 953622 ***

Note You need to log in before you can comment on or make changes to this bug.