The samba3.smb2.streams.simpleserver test crashes smbd 2025-11-14T09:48:35.113291+00:00 localshare4.samba.example.com log.smbd[4108071]: smbd version 4.24.0pre1-DEVELOPERBUILD started. Copyright Andrew Tridgell and the Samba Team 1992-2025 2025-11-14T09:48:35.122180+00:00 localshare4.samba.example.com log.smbd[4108071]: INFO: Profiling turned OFF from pid 4108071 2025-11-14T09:48:41.132030+00:00 localshare4.samba.example.com log.smbd[4108306]: Freed frame ../../source3/smbd/smb2_process.c:1783, expected ../../source3/smbd/smb2_reply.c:1384. 2025-11-14T09:48:41.132045+00:00 localshare4.samba.example.com log.smbd[4108306]: =============================================================== 2025-11-14T09:48:41.132049+00:00 localshare4.samba.example.com log.smbd[4108306]: INTERNAL ERROR: Frame not freed in order. in smbd (smbd[10.53.57.1) (client [10.53.57.11]) pid 4108306 (4.24.0pre1-DEVELOPERBUILD) 2025-11-14T09:48:41.132053+00:00 localshare4.samba.example.com log.smbd[4108306]: If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting 2025-11-14T09:48:41.132056+00:00 localshare4.samba.example.com log.smbd[4108306]: =============================================================== 2025-11-14T09:48:41.132058+00:00 localshare4.samba.example.com log.smbd[4108306]: PANIC (pid 4108306): Frame not freed in order. in 4.24.0pre1-DEVELOPERBUILD 2025-11-14T09:48:41.132146+00:00 localshare4.samba.example.com log.smbd[4108306]: BACKTRACE: 29 stack frames: #0 bin/shared/private/libgenrand-private-samba.so(log_stack_trace+0x1f) [0x7f0a50fed41e] #1 bin/shared/private/libgenrand-private-samba.so(smb_panic_log+0x206) [0x7f0a50fed3b2] #2 bin/shared/private/libgenrand-private-samba.so(smb_panic+0x18) [0x7f0a50fed3cd] #3 bin/shared/libsamba-util.so.0(+0x73d83) [0x7f0a51343d83] #4 bin/shared/private/libtalloc-private-samba.so(+0x590b) [0x7f0a5126490b] #5 bin/shared/private/libtalloc-private-samba.so(+0x5c8d) [0x7f0a51264c8d] #6 bin/shared/private/libtalloc-private-samba.so(_talloc_free+0x10b) [0x7f0a51265f88] #7 bin/shared/private/libsmbd-base-private-samba.so(+0x1654e3) [0x7f0a515654e3] #8 bin/shared/private/libsmbd-base-private-samba.so(+0x165547) [0x7f0a51565547] #9 bin/shared/private/libtevent-private-samba.so(tevent_trace_point_callback+0x3f) [0x7f0a511ace26] #10 bin/shared/private/libtevent-private-samba.so(_tevent_loop_once+0x127) [0x7f0a511ac4fe] #11 bin/shared/private/libtevent-private-samba.so(tevent_common_loop_wait+0x25) [0x7f0a511ac82f] #12 bin/shared/private/libtevent-private-samba.so(+0x15fe3) [0x7f0a511b5fe3] #13 bin/shared/private/libtevent-private-samba.so(_tevent_loop_wait+0x2b) [0x7f0a511ac8d5] #14 bin/shared/private/libsmbd-base-private-samba.so(smbd_process+0xeb6) [0x7f0a51566654] #15 smbd: client [10.53.57.11]() [0x20f266] #16 bin/shared/private/libtevent-private-samba.so(tevent_common_invoke_fd_handler+0x121) [0x7f0a511adb32] #17 bin/shared/private/libtevent-private-samba.so(+0x1a1c2) [0x7f0a511ba1c2] #18 bin/shared/private/libtevent-private-samba.so(+0x1a8af) [0x7f0a511ba8af] #19 bin/shared/private/libtevent-private-samba.so(+0x15f3e) [0x7f0a511b5f3e] #20 bin/shared/private/libtevent-private-samba.so(_tevent_loop_once+0x113) [0x7f0a511ac4ea] #21 bin/shared/private/libtevent-private-samba.so(tevent_common_loop_wait+0x25) [0x7f0a511ac82f] #22 bin/shared/private/libtevent-private-samba.so(+0x15fe3) [0x7f0a511b5fe3] #23 bin/shared/private/libtevent-private-samba.so(_tevent_loop_wait+0x2b) [0x7f0a511ac8d5] #24 smbd: client [10.53.57.11]() [0x210018] #25 smbd: client [10.53.57.11](main+0x1d58) [0x2133ff] #26 /lib64/libc.so.6(+0x35b5) [0x7f0a50da15b5] #27 /lib64/libc.so.6(__libc_start_main+0x88) [0x7f0a50da1668] #28 smbd: client [10.53.57.11](_start+0x25) [0x20b545] 2025-11-14T09:48:41.132192+00:00 localshare4.samba.example.com log.smbd[4108306]: call_panic_action: Calling panic action [cd /home/asn/workspace/prj/oss/samba/asn-fix && /home/asn/workspace/prj/oss/samba/asn-fix/selftest/gdb_backtrace 4108306 ./bin/smbd] [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib64/libthread_db.so.1". __internal_syscall_cancel (a1=4108307, a2=a2@entry=140736347487512, a3=a3@entry=0, a4=a4@entry=0, a5=a5@entry=0, a6=a6@entry=0, nr=61) at cancellation.c:44 44 return result; ### detailed backtrace #0 __internal_syscall_cancel (a1=4108307, a2=a2@entry=140736347487512, a3=a3@entry=0, a4=a4@entry=0, a5=a5@entry=0, a6=a6@entry=0, nr=61) at cancellation.c:44 result = -512 pd = <optimized out> ch = <optimized out> #1 0x00007f0a50e0cc84 in __syscall_cancel (a1=<optimized out>, a2=a2@entry=140736347487512, a3=a3@entry=0, a4=a4@entry=0, a5=a5@entry=0, a6=a6@entry=0, nr=61) at cancellation.c:75 r = <optimized out> #2 0x00007f0a50e7cb4f in __GI___wait4 (pid=<optimized out>, stat_loc=stat_loc@entry=0x7fffbbffbd18, options=options@entry=0, usage=usage@entry=0x0) at ../sysdeps/unix/sysv/linux/wait4.c:30 No locals. #3 0x00007f0a50e7cb9b in __GI___waitpid (pid=<optimized out>, stat_loc=stat_loc@entry=0x7fffbbffbd18, options=options@entry=0) at waitpid.c:38 No locals. #4 0x00007f0a50dcd18d in do_system (line=<optimized out>) at ../sysdeps/posix/system.c:172 __result = <optimized out> _cleanup_start_doit = true _buffer = { __routine = 0x7f0a50dcd210 <cancel_handler>, __arg = 0x7fffbbffbd20, __canceltype = 0, __prev = 0x0 } _cleanup_routine = 0x7f0a50dcd210 <cancel_handler> cancel_args = { quit = 0x7f0a50f8a580 <quit>, intr = 0x7f0a50f8a620 <intr>, pid = 4108307 } status = -1 ret = 0 pid = 4108307 sa = { __sigaction_handler = { sa_handler = 0x1, sa_sigaction = 0x1 }, sa_mask = { __val = {65536, 139682285554848, 82, 139682285557728, 176, 258, 19116814127, 140736347488016, 139682285536242, 3417796028464983407, 1802661751, 176, 139682285557728, 2, 9223372036854775814, 0} }, sa_flags = 0, sa_restorer = 0x0 } omask = { __val = {6272, 139682283310212, 0, 0, 18446744073709551615, 4294967295, 0, 0, 3414118214449442675, 3420599804557685601, 8247334892201992034, 4048790164957651809, 8299979577890925170, 7958811822618996065, 2339735893988766561, 7308620263550101030} } reset = { __val = {6, 7161128523522010999, 17645039919265620, 0, 18446744073709551615, 18446744073709551615, 0, 0, 11068046444225730969, 11068046444225730969, 2314885530818453536, 2314885530818453536, 579005069656919567, 283686952306183, 9223934986808197120, 0} } spawn_attr = { __flags = 12, __pgrp = 0, __sd = { __val = {6, 7161128523522010999, 17645039919265620, 0, 18446744073709551615, 18446744073709551615, 0, 0, 11068046444225730969, 11068046444225730969, 2314885530818453536, 2314885530818453536, 579005069656919567, 283686952306183, 9223934986808197120, 0} }, __ss = { __val = {6272, 139682283310212, 0, 0, 18446744073709551615, 4294967295, 0, 0, 3414118214449442675, 3420599804557685601, 8247334892201992034, 4048790164957651809, 8299979577890925170, 7958811822618996065, 2339735893988766561, 7308620263550101030} }, __sp = { sched_priority = 0 }, __policy = 0, __cgroup = 0, __pad = {0 <repeats 15 times>} } #5 0x00007f0a513ded72 in call_panic_action (why=0x7f0a51326058 "Frame not freed in order.", as_root=false) at ../../source3/lib/util.c:714 lp_sub = 0x7f0a513fa550 <s3_global_substitution> cmd = 0x58a1080 "cd /home/asn/workspace/prj/oss/samba/asn-fix && /home/asn/workspace/prj/oss/samba/asn-fix/selftest/gdb_backtrace 4108306 ./bin/smbd" result = 32522 __func__ = "call_panic_action" #6 0x00007f0a513deec8 in smb_panic_s3 (why=0x7f0a51326058 "Frame not freed in order.") at ../../source3/lib/util.c:730 No locals. #7 0x00007f0a50fed3e9 in smb_panic (why=0x7f0a51326058 "Frame not freed in order.") at ../../lib/util/fault.c:209 No locals. #8 0x00007f0a51343d83 in talloc_pop (frame=0x58b6c70) at ../../lib/util/talloc_stack.c:172 ts = 0x57b2820 blocks = 93023344 i = 32767 __FUNCTION__ = "talloc_pop" __func__ = "talloc_pop" #9 0x00007f0a5126490b in _tc_free_internal (tc=0x58b6c10, location=0x7f0a51471a00 "../../source3/smbd/smb2_process.c:1789") at ../../lib/talloc/talloc.c:1158 d = 0x7f0a51343ca4 <talloc_pop> ptr_to_free = 0x58b6c70 ptr = 0x58b6c70 #10 0x00007f0a51264c8d in _talloc_free_internal (ptr=0x58b6c70, location=0x7f0a51471a00 "../../source3/smbd/smb2_process.c:1789") at ../../lib/talloc/talloc.c:1248 tc = 0x58b6c10 #11 0x00007f0a51265f88 in _talloc_free (ptr=0x58b6c70, location=0x7f0a51471a00 "../../source3/smbd/smb2_process.c:1789") at ../../lib/talloc/talloc.c:1792 tc = 0x58b6c10 #12 0x00007f0a515654e3 in smbd_tevent_trace_callback_after_loop_once (state=0x7fffbbffc3c0) at ../../source3/smbd/smb2_process.c:1789 No locals. #13 0x00007f0a51565547 in smbd_tevent_trace_callback (point=TEVENT_TRACE_AFTER_LOOP_ONCE, private_data=0x7fffbbffc3c0) at ../../source3/smbd/smb2_process.c:1807 state = 0x7fffbbffc3c0 #14 0x00007f0a511ace26 in tevent_trace_point_callback (ev=0x57e4dd0, tp=TEVENT_TRACE_AFTER_LOOP_ONCE) at ../../lib/tevent/tevent_debug.c:158 No locals. #15 0x00007f0a511ac4fe in _tevent_loop_once (ev=0x57e4dd0, location=0x7f0a51471fd0 "../../source3/smbd/smb2_process.c:2178") at ../../lib/tevent/tevent.c:861 ret = 0 nesting_stack_ptr = 0x0 __func__ = "_tevent_loop_once" #16 0x00007f0a511ac82f in tevent_common_loop_wait (ev=0x57e4dd0, location=0x7f0a51471fd0 "../../source3/smbd/smb2_process.c:2178") at ../../lib/tevent/tevent.c:989 ret = 0 #17 0x00007f0a511b5fe3 in std_event_loop_wait (ev=0x57e4dd0, location=0x7f0a51471fd0 "../../source3/smbd/smb2_process.c:2178") at ../../lib/tevent/tevent_standard.c:141 glue_ptr = 0x57e4f80 glue = 0x57e4f80 ret = 0 #18 0x00007f0a511ac8d5 in _tevent_loop_wait (ev=0x57e4dd0, location=0x7f0a51471fd0 "../../source3/smbd/smb2_process.c:2178") at ../../lib/tevent/tevent.c:1008 No locals. #19 0x00007f0a51566654 in smbd_process (ev_ctx=0x57e4dd0, msg_ctx=0x57dc9a0, sock_fd=39, interactive=false, transport_type=SMB_TRANSPORT_TYPE_TCP) at ../../source3/smbd/smb2_process.c:2178 lp_sub = 0x7f0a513fa550 <s3_global_substitution> client = 0x58a2350 sconn = 0x589f3d0 xconn = 0x58a3370 locaddr = 0x58a2aa0 "\200}\214\005" remaddr = 0x5887cd0 "\220r\210\005" ret = 0 status = { v = 0 } tv = { tv_sec = 1763113721, tv_usec = 117603 } trace_state = { ev = 0x57e4dd0, frame = 0x58b6c70, sconn = 0x589f3d0, profile_idle = { start = 0, stats = 0x0 }, before_wait_tv = { tv_sec = 1763113721, tv_usec = 117603 }, after_wait_tv = { tv_sec = 1763113721, tv_usec = 117603 } } debug = false now = 134075873211176030 chroot_dir = 0x57b2910 " " rc = 92163536 __func__ = "smbd_process" __FUNCTION__ = "smbd_process" #20 0x000000000020f266 in smbd_accept_connection (ev=0x57e4dd0, fde=0x58a0660, flags=1, private_data=0x588e6b0) at ../../source3/smbd/server.c:1163 transport_type = SMB_TRANSPORT_TYPE_TCP quic_tlsp = 0x0 addrstr = "10.53.57.11\000\020\000\000\000`\305\377\273\377\177\000\000\n\237vQ\n\177\000\000\000\000\000\000\000\000\000\000\b\000\000\000\000" status = { v = 0 } s = 0x0 msg_ctx = 0x57dc9a0 caddr = { sa_socklen = 16, u = { sa = { sa_family = 2, sa_data = "Gw\n59\v\000\000\000\000\000\000\000" }, in = { sin_family = 2, sin_port = 30535, sin_addr = { s_addr = 188298506 }, sin_zero = "\000\000\000\000\000\000\000" }, in6 = { sin6_family = 2, sin6_port = 30535, sin6_flowinfo = 188298506, sin6_addr = { __in6_u = { __u6_addr8 = '\000' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 0, 0, 0} } }, sin6_scope_id = 0 }, un = { sun_family = 2, sun_path = "Gw\n59\v", '\000' <repeats 101 times> }, ss = { ss_family = 2, __ss_padding = "Gw\n59\v", '\000' <repeats 111 times>, __ss_align = 0 } } } fd = 39 pid = 0 __FUNCTION__ = "smbd_accept_connection" __func__ = "smbd_accept_connection" #21 0x00007f0a511adb32 in tevent_common_invoke_fd_handler (fde=0x58a0660, flags=1, removed=0x0) at ../../lib/tevent/tevent_fd.c:174 handler_ev = 0x57e4dd0 #22 0x00007f0a511ba1c2 in epoll_event_loop (epoll_ev=0x57e5010, tvalp=0x7fffbbffc6b0) at ../../lib/tevent/tevent_epoll.c:699 fde = 0x58a0660 effective_flags = 1 flags = 1 got_error = false selected = 0x58a0660 ret = 1 i = 0 events = {{ events = 1, data = { ptr = 0x58a0660, fd = 92931680, u32 = 92931680, u64 = 92931680 } }} timeout = 1000 wait_errno = 0 #23 0x00007f0a511ba8af in epoll_event_loop_once (ev=0x57e4dd0, location=0x207588 "../../source3/smbd/server.c:1560") at ../../lib/tevent/tevent_epoll.c:929 epoll_ev = 0x57e5010 tval = { tv_sec = 0, tv_usec = 999979 } panic_triggered = false #24 0x00007f0a511b5f3e in std_event_loop_once (ev=0x57e4dd0, location=0x207588 "../../source3/smbd/server.c:1560") at ../../lib/tevent/tevent_standard.c:110 glue_ptr = 0x57e4f80 glue = 0x57e4f80 ret = 32522 #25 0x00007f0a511ac4ea in _tevent_loop_once (ev=0x57e4dd0, location=0x207588 "../../source3/smbd/server.c:1560") at ../../lib/tevent/tevent.c:860 ret = 0 nesting_stack_ptr = 0x0 __func__ = "_tevent_loop_once" #26 0x00007f0a511ac82f in tevent_common_loop_wait (ev=0x57e4dd0, location=0x207588 "../../source3/smbd/server.c:1560") at ../../lib/tevent/tevent.c:989 ret = 0 #27 0x00007f0a511b5fe3 in std_event_loop_wait (ev=0x57e4dd0, location=0x207588 "../../source3/smbd/server.c:1560") at ../../lib/tevent/tevent_standard.c:141 glue_ptr = 0x57e4f80 glue = 0x57e4f80 ret = 0 #28 0x00007f0a511ac8d5 in _tevent_loop_wait (ev=0x57e4dd0, location=0x207588 "../../source3/smbd/server.c:1560") at ../../lib/tevent/tevent.c:1008 No locals. #29 0x0000000000210018 in smbd_parent_loop (ev_ctx=0x57e4dd0, parent=0x5883720) at ../../source3/smbd/server.c:1560 trace_state = { frame = 0x5886590 } ret = 0 __FUNCTION__ = "smbd_parent_loop" #30 0x00000000002133ff in main (argc=6, argv=0x7fffbbffcd08) at ../../source3/smbd/server.c:2590 cmdline_daemon_cfg = 0x7f0a516c2340 <cmdline_daemon_cfg> log_stdout = false ports = 0x0 profile_level = 0x0 opt = -1 pc = 0x57de7a0 main_server_id = { pid = 4108071, task_id = 0, vnn = 4294967295, unique_id = 8463598923913096162 } long_options = {{ longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x7f0a50fa0160 <poptHelpOptions>, val = 0, descrip = 0x207ee1 "Help options:", argDescrip = 0x0 }, { longName = 0x207eef "build-options", shortName = 98 'b', argInfo = 0, arg = 0x0, val = 98, descrip = 0x207efd "Print build options", argDescrip = 0x0 }, { longName = 0x207f11 "port", shortName = 112 'p', argInfo = 1, arg = 0x7fffbbffcb18, val = 0, descrip = 0x207f18 "Listen on the specified transports", argDescrip = 0x0 }, { longName = 0x207f3b "profiling-level", shortName = 80 'P', argInfo = 1, arg = 0x7fffbbffcb10, val = 0, descrip = 0x207f4b "Set profiling level", argDescrip = 0x207f5f "PROFILE_LEVEL" }, { longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x7f0a516c1500 <popt_common_samba>, val = 0, descrip = 0x207f6d "Common Samba options:", argDescrip = 0x0 }, { longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x7f0a516c1d60 <popt_common_daemon>, val = 0, descrip = 0x207f83 "Daemon options:", argDescrip = 0x0 }, { longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x7f0a516c1cc0 <popt_common_version>, val = 0, descrip = 0x207f93 "Version options:", argDescrip = 0x0 }, { longName = 0x0, shortName = 0 '\000', argInfo = 0, arg = 0x0, val = 0, descrip = 0x0, argDescrip = 0x0 }} parent = 0x5883720 frame = 0x57e67c0 status = { v = 0 } ev_ctx = 0x57e4dd0 msg_ctx = 0x57dc9a0 server_id = { pid = 4108071, task_id = 0, vnn = 4294967295, unique_id = 11543553271529240642 } se = 0x5887cd0 profiling_level = 0 np_dir = 0x589d7e0 "p\236\212\005" lp_ctx = 0x57dd910 lp_sub = 0x7f0a513fa550 <s3_global_substitution> smbd_shim_fns = { change_to_root_user = 0x7f0a515289b1 <smbd_change_to_root_user>, become_authenticated_pipe_user = 0x7f0a51528a6b <smbd_become_authenticated_pipe_user>, unbecome_authenticated_pipe_user = 0x7f0a51528b8f <smbd_unbecome_authenticated_pipe_user>, contend_level2_oplocks_begin = 0x7f0a515d56bf <smbd_contend_level2_oplocks_begin>, contend_level2_oplocks_end = 0x7f0a515d56e2 <smbd_contend_level2_oplocks_end>, become_root = 0x7f0a51528e12 <smbd_become_root>, unbecome_root = 0x7f0a51528e3e <smbd_unbecome_root>, exit_server = 0x7f0a515c782e <smbd_exit_server>, exit_server_cleanly = 0x7f0a515c784b <smbd_exit_server_cleanly> } ti = 2 '\002' quic_requested = false ok = true __func__ = "main" __FUNCTION__ = "main" ### info locals result = -512 pd = <optimized out> ch = <optimized out> /home/asn/workspace/prj/oss/samba/asn-fix/st/tmp/gdb_backtrace_main.vaQyacdilz:20: Error in sourced command file: No symbol "PyList_New" in current context. [Inferior 1 (process 4108306) detached] 2025-11-14T09:48:41.956490+00:00 localshare4.samba.example.com log.smbd[4108306]: call_panic_action: action returned status 0 2025-11-14T09:48:41.956530+00:00 localshare4.samba.example.com log.smbd[4108306]: coredump is handled by helper binary specified at /proc/sys/kernel/core_pattern
We already have a fix...
This bug was referenced in samba master: 5d77b445b354f455ea57a815e8d2c9f4e6b13585
The issue only exists in master and it has been fixed there. Closing.