When spooling a print job we get a panic in the samba log file. This does not happen consistently and is not easy to reproduce. If it happens then at smb_io_notify_info_data_strings+0x133.

The problem is neither tied to a specific client machine nor to a specific client OS. It has been observed with Windows 2000 SP3 and SP4, and Windows XP SP2 clients. smbd is running on x86 Debian Linux Etch (testing).

The stack trace is shown below. I will attach the bottom part of a level 10 log. The complete log is available here: www.thesycon.de/ftp_temp/temp/smbd_pid9485_segfault.log.gz

  ===============================================================
[2006/09/13 10:16:18, 0] lib/fault.c:fault_report(42)
  INTERNAL ERROR: Signal 11 in pid 9485 (3.0.23c)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2006/09/13 10:16:18, 0] lib/fault.c:fault_report(44)
  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2006/09/13 10:16:18, 0] lib/fault.c:fault_report(45)
  ===============================================================
[2006/09/13 10:16:18, 0] lib/util.c:smb_panic(1592)
  PANIC (pid 9485): internal error
[2006/09/13 10:16:18, 0] lib/util.c:log_stack_trace(1699)
  BACKTRACE: 19 stack frames:
   #0 /usr/sbin/smbd(log_stack_trace+0x23) [0x822b763]
   #1 /usr/sbin/smbd(smb_panic+0x46) [0x822b856]
   #2 /usr/sbin/smbd [0x8219f0a]
   #3 [0xffffe420]
   #4 /usr/sbin/smbd(smb_io_notify_info_data_strings+0x133) [0x81cafb3]
   #5 /usr/sbin/smbd [0x81cb393]
   #6 /usr/sbin/smbd(spoolss_io_r_rfnpcnex+0x7f) [0x81cb66f]
   #7 /usr/sbin/smbd [0x8155010]
   #8 /usr/sbin/smbd(api_rpcTNP+0x15f) [0x818b05f]
   #9 /usr/sbin/smbd(api_pipe_request+0x183) [0x818b643]
   #10 /usr/sbin/smbd [0x818597e]
   #11 /usr/sbin/smbd [0x809bb9d]
   #12 /usr/sbin/smbd [0x809c08c]
   #13 /usr/sbin/smbd(reply_trans+0x56f) [0x809ccff]
   #14 /usr/sbin/smbd [0x80ea2f4]
   #15 /usr/sbin/smbd(smbd_process+0x6f8) [0x80eb4b8]
   #16 /usr/sbin/smbd(main+0x10df) [0x82c281f]
   #17 /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xd0) [0xb7b73eb0]
   #18 /usr/sbin/smbd [0x8082a31]
[2006/09/13 10:16:18, 0] lib/util.c:smb_panic(1600)
  smb_panic(): calling panic action [/usr/share/samba/panic-action 9485]
[2006/09/13 10:16:18, 0] lib/util.c:smb_panic(1608)
  smb_panic(): action returned status 0
[2006/09/13 10:16:18, 0] lib/fault.c:dump_core(168)
  unable to change to /var/log/samba/cores/smbdrefusing to dump core

Created attachment 2136
level 10 log file of panic (bottom part)

Complete log file available for download at: http://www.thesycon.de/ftp_temp/temp/smbd_pid9485_segfault.log.gz

Created attachment 2159
patch for spoolss_notify_devmode

We have been able to reproduce and debug the problem. The segfault happens because spoolss_notify_devmode is an empty function. At a minimum, the function should set the fields SPOOL_NOTIFY_INFO_DATA.notify_data.data.length and .string to zero. Otherwise, these contain random values (struct was returned by malloc). These random values cause smb_io_notify_info_data_strings to crash.

Great catch! Applied, will be in the next release. Thanks a lot.
Jeremy.
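
The failure mode diagnosed in the comment about spoolss_notify_devmode, as an added example that is not Samba's code or the attached patch: a simplified model of an empty notify handler leaving malloc'd fields unset, next to the minimal fix and a zero-at-allocation variant. The struct layout, build_entry, marshal_string and the 0xAA poison bytes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for SPOOL_NOTIFY_INFO_DATA: only the two fields the report names. */
struct notify_data {
    uint32_t length;    /* models notify_data.data.length */
    uint16_t *string;   /* models notify_data.data.string */
};

typedef void (*notify_fn)(struct notify_data *);

/* "Before": a handler with an empty body, as the report describes. */
static void notify_devmode_empty(struct notify_data *d) { (void)d; }

/* "After": the minimal fix the report proposes. */
static void notify_devmode_fixed(struct notify_data *d) {
    d->length = 0;
    d->string = NULL;
}

/* Allocate an entry and run its handler (hypothetical helper). With
 * zero_first == 0 the entry keeps whatever the heap held; 0xAA is a
 * constructed poison standing in for those stale bytes, so the outcome
 * is deterministic instead of depending on heap history. */
static struct notify_data *build_entry(notify_fn fn, int zero_first) {
    struct notify_data *d = malloc(sizeof(*d));
    if (d == NULL)
        return NULL;
    memset(d, 0xAA, sizeof(*d));
    if (zero_first)
        *d = (struct notify_data){0};   /* defence in depth: clear at allocation */
    fn(d);
    return d;
}

/* Marshalling step (hypothetical): copies d->length bytes from d->string and
 * trusts both fields, so it is only safe on entries whose handler set them.
 * It cannot tell a stale pointer from a valid one. */
static size_t marshal_string(const struct notify_data *d, uint8_t *out, size_t cap) {
    if (d->length == 0 || d->string == NULL || d->length > cap)
        return 0;
    memcpy(out, d->string, d->length);
    return d->length;
}
```

Clearing the struct at allocation means a handler that is later left empty yields an empty string instead of stale heap contents, which is why it is worth doing in addition to fixing the handler itself.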