https://bugs.kde.org/show_bug.cgi?id=429395

            Bug ID: 429395
           Summary: kwin_wayland segmentation faults in spa_hook_remove in
                    pipewire 0.3.16-1.fc33
           Product: kwin
           Version: 5.20.3
          Platform: Fedora RPMs
                OS: Linux
            Status: REPORTED
          Severity: normal
          Priority: NOR
         Component: wayland-generic
          Assignee: kwin-bugs-n...@kde.org
          Reporter: matthew.fagn...@utoronto.ca
  Target Milestone: ---

SUMMARY

I was using Plasma 5.20.3 on Wayland in a F33 KDE Plasma spin installation with
kwin-wayland, plasma-workspace-wayland and their dependencies installed. I ran
sudo dnf upgrade --refresh with updates-testing enabled. The update included
pipewire-0.3.16-1.fc33, kernel-5.9.9-200.fc33 and other rpms. I rebooted. I
logged in to Plasma 5.20.3 on Wayland. I was using Firefox Nightly 85.0a1 on
Wayland for a few minutes. kwin_wayland segmentation faulted in spa_hook_remove
at ../spa/include/spa/utils/hook.h:112 in pipewire 0.3.16-1.fc33. The crash
appeared to happen when the pipewire stream was being destroyed, starting with
KWin::PipeWireStream::~PipeWireStream() in frame 3.

Core was generated by `/usr/bin/kwin_wayland --xwayland
--exit-with-session=/usr/libexec/startplasma-w'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  spa_hook_remove (hook=0x562000027818) at
../spa/include/spa/utils/hook.h:112
112                     hook->removed(hook);
[Current thread is 1 (Thread 0x7f505f8c8e00 (LWP 3661))]
(gdb) bt
#0  spa_hook_remove (hook=0x562000027818) at
../spa/include/spa/utils/hook.h:112
#1  spa_hook_list_clean (list=<optimized out>) at
../spa/include/spa/utils/hook.h:119
#2  pw_stream_destroy (stream=0x5620002159d0) at ../src/pipewire/stream.c:1315
#3  0x0000561ffe7ee8f1 in KWin::PipeWireStream::~PipeWireStream()
    (this=0x5620000277f0, this=<optimized out>)
    at
/usr/src/debug/kwin-5.20.3-1.fc33.x86_64/screencast/pipewirestream.cpp:188
#4  0x0000561ffe7eea7a in KWin::WindowStream::~WindowStream()
    (this=0x5620000277f0, this=<optimized out>)
    at
/usr/src/debug/kwin-5.20.3-1.fc33.x86_64/screencast/screencastmanager.cpp:40
#5  KWin::WindowStream::~WindowStream() (this=0x5620000277f0, this=<optimized
out>)
    at
/usr/src/debug/kwin-5.20.3-1.fc33.x86_64/screencast/screencastmanager.cpp:40
#6  0x00007f505fb56256 in QtPrivate::QSlotObjectBase::call(QObject*, void**)
    (a=0x7ffcca163730, r=0x5620000277f0, this=0x562000087560)
    at ../../include/QtCore/../../src/corelib/kernel/qobjectdefs_impl.h:398
#7  doActivate<false>(QObject*, int, void**)
    (sender=0x56200009f000, signal_index=3, argv=0x7ffcca163730) at
kernel/qobject.cpp:3886
#8  0x00007f5060cab605 in
KWaylandServer::ScreencastStreamV1InterfacePrivate::zkde_screencast_stream_unstable_v1_destroy_resource(QtWaylandServer::zkde_screencast_stream_unstable_v1::Resource*)
    (this=0x562000130ae0, resource=<optimized out>)
    at
/usr/src/debug/kwayland-server-5.20.3-1.fc33.x86_64/src/server/screencast_v1_interface.cpp:31
#9  0x00007f5060cf0584 in
QtWaylandServer::zkde_screencast_stream_unstable_v1::destroy_func(wl_resource*)
(client_resource=<optimized out>)
    at
/usr/src/debug/kwayland-server-5.20.3-1.fc33.x86_64/x86_64-redhat-linux-gnu/src/server/qwayland-server-zkde-screencast-unstable-v1.cpp:326
#10 0x00007f505df0197f in destroy_resource
    (element=0x5620000cc740, data=data@entry=0x7ffcca163824, flags=0) at
src/wayland-server.c:724
#11 0x00007f505df02013 in for_each_helper (entries=<optimized out>,
entries=0x561ffff542e0, data=0x7ffcca163824, func=0x7f505df018d0
<destroy_resource>) at src/wayland-util.c:372
#12 wl_map_for_each (data=0x7ffcca163824, func=0x7f505df018d0
<destroy_resource>, map=0x561ffff542e0) at src/wayland-util.c:385
#13 wl_client_destroy (client=client@entry=0x561ffff542b0) at
src/wayland-server.c:883
#14 0x00007f505df0244b in destroy_client_with_error (reason=<optimized out>,
client=<optimized out>) at src/wayland-server.c:319
#15 wl_client_connection_data (fd=<optimized out>, mask=<optimized out>,
data=<optimized out>) at src/wayland-server.c:342
#16 0x00007f505df01ac2 in wl_event_loop_dispatch (loop=0x561fff0e06e0,
timeout=<optimized out>) at src/event-loop.c:1027
#17 0x00007f5060c81f13 in KWaylandServer::Display::Private::dispatch()
(this=<optimized out>) at
/usr/src/debug/kwayland-server-5.20.3-1.fc33.x86_64/src/server/display.cpp:135
#18 0x00007f505fb56256 in QtPrivate::QSlotObjectBase::call(QObject*, void**)
(a=0x7ffcca163d70, r=0x561fff102640, this=0x561fffac3280) at
../../include/QtCore/../../src/corelib/kernel/qobjectdefs_impl.h:398
#19 doActivate<false>(QObject*, int, void**) (sender=0x561fffba6830,
signal_index=3, argv=0x7ffcca163d70) at kernel/qobject.cpp:3886
#20 0x00007f505fb59476 in QSocketNotifier::activated(QSocketDescriptor,
QSocketNotifier::Type, QSocketNotifier::QPrivateSignal)
(this=this@entry=0x561fffba6830, _t1=..., _t2=<optimized out>, _t3=...) at
.moc/moc_qsocketnotifier.cpp:178
#21 0x00007f505fb59be9 in QSocketNotifier::event(QEvent*) (this=0x561fffba6830,
e=0x7ffcca163e90) at kernel/qsocketnotifier.cpp:302
#22 0x00007f506051e15f in QApplicationPrivate::notify_helper(QObject*, QEvent*)
(this=<optimized out>, receiver=0x561fffba6830, e=0x7ffcca163e90) at
kernel/qapplication.cpp:3630
#23 0x00007f505fb27be8 in QCoreApplication::notifyInternal2(QObject*, QEvent*)
(receiver=0x561fffba6830, event=0x7ffcca163e90) at
kernel/qcoreapplication.cpp:1063
#24 0x00007f505fb6fece in
QEventDispatcherUNIXPrivate::activateSocketNotifiers() (this=0x561fff0cab40) at
kernel/qeventdispatcher_unix.cpp:304
#25 0x00007f505fb70254 in
QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>)
(this=<optimized out>, flags=...) at kernel/qeventdispatcher_unix.cpp:511
#26 0x00007f504ca243ad in
QUnixEventDispatcherQPA::processEvents(QFlags<QEventLoop::ProcessEventsFlag>)
() at /usr/lib64/qt5/plugins/platforms/KWinQpaPlugin.so
#27 0x00007f505fb2664b in
QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (this=0x7ffcca164000,
flags=...) at ../../include/QtCore/../../src/corelib/global/qflags.h:69
#28 0x00007f505fb2e010 in QCoreApplication::exec() () at
../../include/QtCore/../../src/corelib/global/qflags.h:121
#29 0x0000561ffe7d456e in main(int, char**) (argc=<optimized out>,
argv=0x7ffcca164220) at
/usr/src/debug/kwin-5.20.3-1.fc33.x86_64/main_wayland.cpp:702

hook pointed to an inaccessible address 0x215a38.

(gdb) p hook
$1 = (struct spa_hook *) 0x562000027818
(gdb) x 0x562000027818
0x562000027818: 0x00215a38
(gdb) x 0x00215a38
0x215a38:       Cannot access memory at address 0x215a38

kwin_wayland crashed with essentially the same traces each of three further
times within 5-10 minutes after I logged into Plasma on Wayland with
pipewire-0.3.16-1.fc33. These crashes didn't happen with
pipewire-0.3.15-2.fc33.

STEPS TO REPRODUCE
1. Boot a F33 KDE Plasma spin installation with kwin-wayland,
plasma-workspace-wayland and their dependencies installed.
2. Log in to Plasma 5.20.3 on Wayland.
3. Run sudo dnf upgrade --refresh with updates-testing enabled. The update
should include pipewire-0.3.16-1.fc33.
4. Reboot.
5. Log in to Plasma 5.20.3 on Wayland.
6. Wait for pipewire to start in the background or start it directly.
I was using Firefox Nightly 85.0a1 on Wayland during 3 of the crashes.


OBSERVED RESULT
kwin_wayland segmentation faults in spa_hook_remove in pipewire 0.3.16-1.fc33

EXPECTED RESULT
No crashes would happen.

SOFTWARE/OS VERSIONS
Linux/KDE Plasma: Fedora 33
(available in About System)
KDE Plasma Version: 5.20.3
KDE Frameworks Version: 5.75.0
Qt Version: 5.15.1

ADDITIONAL INFORMATION

The journal at the time of the first kwin_wayland crash showed some pipewire
errors as it was starting automatically in the background.

Nov 20 00:10:44 systemd[1097]: Started Multimedia Service.
Nov 20 00:10:44 rtkit-daemon[779]: Supervising 4 threads of 2 processes of 1
users.
Nov 20 00:10:44 rtkit-daemon[779]: Supervising 4 threads of 2 processes of 1
users.
Nov 20 00:10:44 pipewire[3360]: Could not get portal pid: Argument 0 is
specified to be of type "uint32", but is actually of type "string"
Nov 20 00:10:44 pipewire[3360]: failed to open "/proc/1167/root": Permission
denied
Nov 20 00:10:44 pipewire[3360]: access 0x5607c9ae2790: client 0x5607c9aed7b0
sandbox check failed: Permission denied
Nov 20 00:10:44 rtkit-daemon[779]: Successfully made thread 3361 of process
3360 (/usr/bin/pipewire) owned by '1000' RT at priority 20.
Nov 20 00:10:44 rtkit-daemon[779]: Supervising 5 threads of 3 processes of 1
users.
Nov 20 00:10:44 rtkit-daemon[779]: Supervising 5 threads of 3 processes of 1
users.
Nov 20 00:10:44 rtkit-daemon[779]: Supervising 5 threads of 3 processes of 1
users.
Nov 20 00:10:44 audit[1167]: ANOM_ABEND auid=1000 uid=1000 gid=1000 ses=2
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1167
comm="kwin_wayland" exe="/usr/bin/kwin_wayland" sig=11 res=1
Nov 20 00:10:44 kernel: show_signal_msg: 42 callbacks suppressed
Nov 20 00:10:44 kernel: kwin_wayland[1167]: segfault at 55b88cabe400 ip
000055b88cabe400 sp 00007ffc8325c688 error 15
Nov 20 00:10:44 kernel: Code: 00 00 41 00 00 00 00 00 00 00 41 6c 6c 6f 77 20
63 6c 69 65 6e 74 73 20 74 6f 20 63 72 65 61 74 65 20 61 6e 64 20 63 6f 6e 74
<72> 6f 6c 20 72 65 6d 6f 74 65 20 64 65 76 69 63 65 73 00 00 00 00
Nov 20 00:10:44 rtkit-daemon[779]: Successfully made thread 3365 of process
3363 (/usr/bin/pipewire-media-session) owned by '1000' RT at priority 20.
Nov 20 00:10:44 rtkit-daemon[779]: Supervising 6 threads of 4 processes of 1
users.
Nov 20 00:10:44 systemd[1]: Created slice system-systemd\x2dcoredump.slice.
Nov 20 00:10:44 audit: BPF prog-id=46 op=LOAD
Nov 20 00:10:44 audit: BPF prog-id=47 op=LOAD
Nov 20 00:10:44 audit: BPF prog-id=48 op=LOAD
Nov 20 00:10:44 systemd[1]: Started Process Core Dump (PID 3368/UID 0).
Nov 20 00:10:44 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295
ses=4294967295 subj=system_u:system_r:init_t:s0
msg='unit=systemd-coredump@0-3368-0 comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Nov 20 00:10:44 pipewire-media-session[3363]: core 0x557031057920: proxy
0x557031091cb0 id:4: bound:-1 seq:4 res:-2 (No such file or directory)
msg:"can't create device: No such file or directory"
Nov 20 00:10:44 pipewire-media-session[3363]: error id:4 seq:4 res:-2 (No such
file or directory): can't create device: No such file or directory

The same sorts of pipewire errors happened around the time of the other
kwin_wayland crashes.


I reported this problem for Fedora at
https://bugzilla.redhat.com/show_bug.cgi?id=1899826. Wim Taymans wrote:
"Caused by bug in kwin, the listener should be cleared before adding it so that
the removed callback doesn't contain garbage.

here:
https://invent.kde.org/plasma/kwin/-/blob/master/screencast/pipewirestream.cpp#L250

but I'll make a workaround to fix this and make it safer in the future."
https://bugzilla.redhat.com/show_bug.cgi?id=1899826#c1
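The failure mode described above (a hook struct that is linked into a list while its "removed" callback field still holds whatever bytes were in memory, so that the later remove call jumps through a garbage pointer, as frame #0 and the 0x215a38 value in the gdb session show) can be modelled in a few lines of C. This is added example code, not pipewire's or KWin's own code: struct hook, hook_list, hook_list_append_unchecked, hook_list_append_zeroed and hook_remove are simplified stand-ins for spa_hook, spa_hook_list_append and spa_hook_remove, and the 0x5a fill is a constructed stand-in for stale heap contents.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for spa_hook (example code, not pipewire's own).
 * Only the fields on the crash path are modelled: the list link and the
 * "removed" callback that the remove path invokes when it is non-NULL. */
struct hook;
typedef void (*hook_removed_func)(struct hook *hook);

struct hook {
    struct hook *next;           /* stand-in for the spa_list link */
    hook_removed_func removed;   /* invoked on removal if non-NULL */
    void *priv;
};

struct hook_list {
    struct hook *head;
};

/* Mirrors the logic at hook.h:112 in the backtrace: after unlinking, the
 * callback is called with no way to tell a real pointer from stale bytes. */
static void hook_remove(struct hook_list *list, struct hook *hook)
{
    struct hook **pp = &list->head;
    while (*pp && *pp != hook)
        pp = &(*pp)->next;
    if (*pp)
        *pp = hook->next;
    if (hook->removed)
        hook->removed(hook);
}

static void hook_list_clean(struct hook_list *list)
{
    while (list->head)
        hook_remove(list, list->head);
}

/* Buggy append: trusts whatever the caller's hook already contains. */
static void hook_list_append_unchecked(struct hook_list *list, struct hook *hook)
{
    hook->next = list->head;
    list->head = hook;
}

/* Hardened append: clear the hook before linking it, as the quoted advice
 * asks the caller to do, so removed and priv start out NULL. */
static void hook_list_append_zeroed(struct hook_list *list, struct hook *hook)
{
    memset(hook, 0, sizeof(*hook));
    hook->next = list->head;
    list->head = hook;
}

/* Constructed stand-in for a hook embedded in freshly allocated storage that
 * still holds leftover bytes from a previous use. */
static void fill_stale(struct hook *hook)
{
    memset(hook, 0x5a, sizeof(*hook));
}

/* 1 if the clean-up path would blindly call hook->removed, 0 if it is NULL.
 * Diagnostic for this demo only; the real remove path has no such check. */
static int hook_has_dangling_removed(const struct hook *hook)
{
    return hook->removed != NULL;
}

/* Buggy path: the stale pattern survives the append, so a later remove
 * would call 0x5a5a...; we unlink by hand instead of letting it crash. */
static int unchecked_append_leaves_garbage(void)
{
    struct hook_list list = { NULL };
    struct hook h;
    fill_stale(&h);
    hook_list_append_unchecked(&list, &h);
    int dangling = hook_has_dangling_removed(&h);
    list.head = NULL;
    return dangling;
}

/* Hardened path: same stale storage, but the append zeroes it first, so
 * cleaning the list calls nothing and leaves the list empty. */
static int zeroed_append_is_clean(void)
{
    struct hook_list list = { NULL };
    struct hook h;
    fill_stale(&h);
    hook_list_append_zeroed(&list, &h);
    int dangling = hook_has_dangling_removed(&h);
    hook_list_clean(&list);
    return !dangling && list.head == NULL;
}

/* A legitimately installed callback still runs exactly once on clean-up. */
static int removed_calls;
static void count_removed(struct hook *hook) { (void)hook; removed_calls++; }

static int removed_callback_runs_once(void)
{
    struct hook_list list = { NULL };
    struct hook h;
    removed_calls = 0;
    hook_list_append_zeroed(&list, &h);
    h.removed = count_removed;   /* owner sets it after the zeroing append */
    hook_list_clean(&list);
    return removed_calls;
}

int main(void)
{
    printf("unchecked append leaves garbage callback: %d\n", unchecked_append_leaves_garbage());
    printf("zeroed append is clean: %d\n", zeroed_append_is_clean());
    printf("installed callback calls: %d\n", removed_callback_runs_once());
    return 0;
}
```

The design point is where the zeroing lives: clearing the hook inside the append routine protects every caller, whereas relying on each owner to initialise its spa_hook member (the KWin-side fix the quoted comment points at) leaves the same class of crash one forgotten initialiser away.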
