Bug 1251366

Summary: dleyna-renderer: Crashes due to double-free when destroying the same dlr_upnp_t twice
Product: [Fedora] Fedora
Reporter: Steven Newbury <steve>
Component: dleyna-renderer
Assignee: Debarshi Ray <debarshir>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 24
CC: code, debarshir, debugger94, joe, mcatanzaro+wrong-account-do-not-cc, oded
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
URL: https://retrace.fedoraproject.org/faf/reports/bthash/754431aa8073ed359a75bb04019f3c9e04e06f51
Whiteboard: abrt_hash:dc3e1c78f8895ccc2a8bc57aa4b51efa36f5c372
Fixed In Version: dleyna-renderer-0.5.0-5.fc25 dleyna-renderer-0.5.0-5.fc24 dleyna-renderer-0.5.0-4.fc23
Doc Type: Bug Fix
Last Closed: 2016-09-26 00:20:34 UTC
Type: ---
Attachments (Description, Flags):
File: backtrace, none
File: cgroup, none
File: core_backtrace, none
File: dso_list, none
File: environ, none
File: limits, none
File: maps, none
File: mountinfo, none
File: namespaces, none
File: open_fds, none
File: proc_pid_status, none
File: var_log_messages, none

Description Steven Newbury 2015-08-07 06:24:07 UTC
Version-Release number of selected component:
dleyna-renderer-0.5.0-2.fc23

Additional info:
reporter:       libreport-2.6.2
backtrace_rating: 3
cmdline:        /usr/libexec/dleyna-renderer-service
crash_function: dlr_upnp_delete
executable:     /usr/libexec/dleyna-renderer-service
global_pid:     3428
kernel:         4.2.0-0.rc4.git4.1.fc24.x86_64
runlevel:       N 5
type:           CCpp
uid:            1001

Truncated backtrace:
Thread no. 1 (5 frames)
 #7 dlr_upnp_delete at upnp.c:423
 #8 prv_control_point_stop_service at server.c:725
 #9 prv_context_quit_cb at libdleyna/core/main-loop.c:61
 #14 dleyna_main_loop_start at libdleyna/core/main-loop.c:155
 #16 _start

Potential duplicate: bug 1134358

Comment 1 Steven Newbury 2015-08-07 06:24:10 UTC
Created attachment 1060215 [details]
File: backtrace

Comment 2 Steven Newbury 2015-08-07 06:24:11 UTC
Created attachment 1060216 [details]
File: cgroup

Comment 3 Steven Newbury 2015-08-07 06:24:13 UTC
Created attachment 1060217 [details]
File: core_backtrace

Comment 4 Steven Newbury 2015-08-07 06:24:14 UTC
Created attachment 1060218 [details]
File: dso_list

Comment 5 Steven Newbury 2015-08-07 06:24:15 UTC
Created attachment 1060219 [details]
File: environ

Comment 6 Steven Newbury 2015-08-07 06:24:16 UTC
Created attachment 1060220 [details]
File: limits

Comment 7 Steven Newbury 2015-08-07 06:24:18 UTC
Created attachment 1060221 [details]
File: maps

Comment 8 Steven Newbury 2015-08-07 06:24:19 UTC
Created attachment 1060222 [details]
File: mountinfo

Comment 9 Steven Newbury 2015-08-07 06:24:20 UTC
Created attachment 1060223 [details]
File: namespaces

Comment 10 Steven Newbury 2015-08-07 06:24:21 UTC
Created attachment 1060224 [details]
File: open_fds

Comment 11 Steven Newbury 2015-08-07 06:24:23 UTC
Created attachment 1060225 [details]
File: proc_pid_status

Comment 12 Steven Newbury 2015-08-07 06:24:24 UTC
Created attachment 1060226 [details]
File: var_log_messages

Comment 13 Jan Kurik 2016-02-24 13:35:40 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle.
Changing version to '24'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase

Comment 14 Debarshi Ray 2016-09-15 14:35:37 UTC
*** Bug 1134358 has been marked as a duplicate of this bug. ***

Comment 15 Debarshi Ray 2016-09-15 14:36:18 UTC
*** Bug 1299104 has been marked as a duplicate of this bug. ***

Comment 16 Debarshi Ray 2016-09-15 14:40:26 UTC
*** Bug 1357281 has been marked as a duplicate of this bug. ***

Comment 17 Debarshi Ray 2016-09-15 14:41:47 UTC
*** Bug 1253007 has been marked as a duplicate of this bug. ***

Comment 18 Debarshi Ray 2016-09-15 15:27:32 UTC
The problem here is two-fold.

First, prv_control_point_stop_service in dleyna-renderer doesn't NULLify the dlr_upnp_t pointer after destroying it, which leaves it vulnerable to double free. Filed as: https://github.com/01org/dleyna-renderer/pull/160

Second, dleyna-core schedules dleyna_task_processor_t->on_quit_cb more than once. The dleyna-renderer code is not ready for this (see above), and hits a double free. Ideally, on_quit_cb handler shouldn't be invoked twice. Filed as: https://github.com/01org/dleyna-core/pull/48
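
The two-part failure described in comment 18, as an added example that is not part of the original comment and is not dleyna code: a stop handler that leaves its pointer dangling, a hardened variant that clears it, and a dispatcher that may or may not fire the quit callback twice. All names here (upnp_t, context_t, stop_service_unsafe, stop_service_safe, run_quit) are hypothetical, and the model assumes the delete function tolerates NULL; instances live in a static pool so a repeated destroy is counted instead of corrupting the heap.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical model: names echo the report, none of this is dleyna code. */
typedef struct { int alive; } upnp_t;         /* stands in for dlr_upnp_t */
typedef struct { upnp_t *upnp; } context_t;   /* owner of the instance */

static upnp_t pool[8];       /* static storage, so a stale pointer stays readable */
static size_t pool_used;
static int double_destroys;  /* each count is where free() would run twice */

static upnp_t *upnp_new(void) {
    if (pool_used >= sizeof pool / sizeof pool[0]) return NULL;
    pool[pool_used].alive = 1;
    return &pool[pool_used++];
}

static void upnp_delete(upnp_t *u) {
    if (u == NULL) return;                    /* assumed NULL-tolerant, like free(NULL) */
    if (!u->alive) { double_destroys++; return; }
    u->alive = 0;
}

/* Before: the owner keeps a dangling pointer after destruction. */
static void stop_service_unsafe(context_t *ctx) { upnp_delete(ctx->upnp); }

/* After: clearing the field makes a repeated call a no-op. */
static void stop_service_safe(context_t *ctx) {
    upnp_delete(ctx->upnp);
    ctx->upnp = NULL;
}

/* Dispatch the quit callback `requests` times; one_shot models a core that
   refuses to schedule it again. Returns the number of double destroys. */
static int run_quit(void (*on_quit)(context_t *), int requests, int one_shot) {
    context_t ctx = { upnp_new() };
    int dispatched = 0;
    double_destroys = 0;
    for (int i = 0; i < requests; i++) {
        if (one_shot && dispatched) continue;
        on_quit(&ctx);
        dispatched = 1;
    }
    return double_destroys;
}

int main(void) {
    printf("unsafe, quit twice:  %d\n", run_quit(stop_service_unsafe, 2, 0));
    printf("safe, quit twice:    %d\n", run_quit(stop_service_safe, 2, 0));
    printf("unsafe, one-shot:    %d\n", run_quit(stop_service_unsafe, 2, 1));
    return 0;
}
```

Either change alone removes the double destroy in this model, which is why the report tracks them as two separate fixes in two packages.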

Comment 19 Debarshi Ray 2016-09-15 15:29:29 UTC
*** Bug 1253072 has been marked as a duplicate of this bug. ***

Comment 20 Debarshi Ray 2016-09-15 15:29:45 UTC
*** Bug 1301746 has been marked as a duplicate of this bug. ***

Comment 21 Debarshi Ray 2016-09-15 15:32:13 UTC
*** Bug 1301249 has been marked as a duplicate of this bug. ***

Comment 22 Debarshi Ray 2016-09-15 15:49:53 UTC
(In reply to Debarshi Ray from comment #18)
> The problem here is two-fold.
> 
> First, prv_control_point_stop_service in dleyna-renderer doesn't NULLify the
> dlr_upnp_t pointer after destroying it, which leaves it vulnerable to double
> free. Filed as: https://github.com/01org/dleyna-renderer/pull/160
> 
> Second, dleyna-core schedules dleyna_task_processor_t->on_quit_cb more than
> once. The dleyna-renderer code is not ready for this (see above), and hits a
> double free. Ideally, on_quit_cb handler shouldn't be invoked twice. Filed
> as: https://github.com/01org/dleyna-core/pull/48

Let's wait for some upstream reviews before we add these to Fedora.

Comment 23 Fedora Update System 2016-09-22 09:55:38 UTC
dleyna-renderer-0.5.0-5.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-c4cc484e18

Comment 24 Fedora Update System 2016-09-22 09:55:47 UTC
dleyna-core-0.5.0-4.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-8b47d28f07

Comment 25 Fedora Update System 2016-09-23 06:54:05 UTC
dleyna-renderer-0.5.0-4.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-c0573a805d

Comment 26 Fedora Update System 2016-09-23 06:54:17 UTC
dleyna-core-0.5.0-3.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-d3927e6a71

Comment 27 Fedora Update System 2016-09-23 08:01:23 UTC
dleyna-renderer-0.5.0-5.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-83b2fee0aa

Comment 28 Fedora Update System 2016-09-23 08:01:32 UTC
dleyna-core-0.5.0-4.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-603b9f4445

Comment 29 Fedora Update System 2016-09-26 00:20:34 UTC
dleyna-core-0.5.0-4.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 30 Fedora Update System 2016-09-27 00:34:25 UTC
dleyna-renderer-0.5.0-5.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 31 Fedora Update System 2016-09-27 00:34:34 UTC
dleyna-core-0.5.0-4.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 32 Fedora Update System 2016-10-03 17:22:29 UTC
dleyna-renderer-0.5.0-5.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 33 Fedora Update System 2016-10-03 20:19:46 UTC
dleyna-renderer-0.5.0-4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 34 Fedora Update System 2016-10-03 20:19:54 UTC
dleyna-core-0.5.0-3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.