Bug 1251366 - dleyna-renderer: Crashes due to double-free when destroying the same dlr_upnp_t twice
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: dleyna-renderer
Version: 24
Hardware: x86_64 Unspecified
Priority: unspecified, Severity: unspecified
Assigned To: Debarshi Ray
QA Contact: Fedora Extras Quality Assurance
URL: https://retrace.fedoraproject.org/faf...
Whiteboard: abrt_hash:dc3e1c78f8895ccc2a8bc57aa4b...
Duplicates: 1134358 1253007 1253072 1299104 1301249 1301746 1357281

Reported: 2015-08-07 02:24 EDT by Steven Newbury
Modified: 2016-10-03 16:19 EDT
Fixed In Version: dleyna-renderer-0.5.0-5.fc25 dleyna-renderer-0.5.0-5.fc24 dleyna-renderer-0.5.0-4.fc23
Doc Type: Bug Fix
Last Closed: 2016-09-25 20:20:34 EDT


Attachments
File: backtrace (14.99 KB, text/plain)
2015-08-07 02:24 EDT, Steven Newbury
File: cgroup (231 bytes, text/plain)
2015-08-07 02:24 EDT, Steven Newbury
File: core_backtrace (3.70 KB, text/plain)
2015-08-07 02:24 EDT, Steven Newbury
File: dso_list (2.86 KB, text/plain)
2015-08-07 02:24 EDT, Steven Newbury
File: environ (710 bytes, text/plain)
2015-08-07 02:24 EDT, Steven Newbury
File: limits (1.29 KB, text/plain)
2015-08-07 02:24 EDT, Steven Newbury
File: maps (14.15 KB, text/plain)
2015-08-07 02:24 EDT, Steven Newbury
File: mountinfo (3.65 KB, text/plain)
2015-08-07 02:24 EDT, Steven Newbury
File: namespaces (85 bytes, text/plain)
2015-08-07 02:24 EDT, Steven Newbury
File: open_fds (1.00 KB, text/plain)
2015-08-07 02:24 EDT, Steven Newbury
File: proc_pid_status (1.13 KB, text/plain)
2015-08-07 02:24 EDT, Steven Newbury
File: var_log_messages (28 bytes, text/plain)
2015-08-07 02:24 EDT, Steven Newbury

Description Steven Newbury 2015-08-07 02:24:07 EDT
Version-Release number of selected component:
dleyna-renderer-0.5.0-2.fc23

Additional info:
reporter:       libreport-2.6.2
backtrace_rating: 3
cmdline:        /usr/libexec/dleyna-renderer-service
crash_function: dlr_upnp_delete
executable:     /usr/libexec/dleyna-renderer-service
global_pid:     3428
kernel:         4.2.0-0.rc4.git4.1.fc24.x86_64
runlevel:       N 5
type:           CCpp
uid:            1001

Truncated backtrace:
Thread no. 1 (5 frames)
 #7 dlr_upnp_delete at upnp.c:423
 #8 prv_control_point_stop_service at server.c:725
 #9 prv_context_quit_cb at libdleyna/core/main-loop.c:61
 #14 dleyna_main_loop_start at libdleyna/core/main-loop.c:155
 #16 _start

Potential duplicate: bug 1134358
Comment 1 Steven Newbury 2015-08-07 02:24:10 EDT
Created attachment 1060215
File: backtrace
Comment 2 Steven Newbury 2015-08-07 02:24:11 EDT
Created attachment 1060216
File: cgroup
Comment 3 Steven Newbury 2015-08-07 02:24:13 EDT
Created attachment 1060217
File: core_backtrace
Comment 4 Steven Newbury 2015-08-07 02:24:14 EDT
Created attachment 1060218
File: dso_list
Comment 5 Steven Newbury 2015-08-07 02:24:15 EDT
Created attachment 1060219
File: environ
Comment 6 Steven Newbury 2015-08-07 02:24:16 EDT
Created attachment 1060220
File: limits
Comment 7 Steven Newbury 2015-08-07 02:24:18 EDT
Created attachment 1060221
File: maps
Comment 8 Steven Newbury 2015-08-07 02:24:19 EDT
Created attachment 1060222
File: mountinfo
Comment 9 Steven Newbury 2015-08-07 02:24:20 EDT
Created attachment 1060223
File: namespaces
Comment 10 Steven Newbury 2015-08-07 02:24:21 EDT
Created attachment 1060224
File: open_fds
Comment 11 Steven Newbury 2015-08-07 02:24:23 EDT
Created attachment 1060225
File: proc_pid_status
Comment 12 Steven Newbury 2015-08-07 02:24:24 EDT
Created attachment 1060226
File: var_log_messages
Comment 13 Jan Kurik 2016-02-24 08:35:40 EST
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle.
Changing version to '24'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase
Comment 14 Debarshi Ray 2016-09-15 10:35:37 EDT
*** Bug 1134358 has been marked as a duplicate of this bug. ***
Comment 15 Debarshi Ray 2016-09-15 10:36:18 EDT
*** Bug 1299104 has been marked as a duplicate of this bug. ***
Comment 16 Debarshi Ray 2016-09-15 10:40:26 EDT
*** Bug 1357281 has been marked as a duplicate of this bug. ***
Comment 17 Debarshi Ray 2016-09-15 10:41:47 EDT
*** Bug 1253007 has been marked as a duplicate of this bug. ***
Comment 18 Debarshi Ray 2016-09-15 11:27:32 EDT
The problem here is two-fold.

First, prv_control_point_stop_service in dleyna-renderer doesn't NULLify the dlr_upnp_t pointer after destroying it, which leaves it vulnerable to double free. Filed as: https://github.com/01org/dleyna-renderer/pull/160

Second, dleyna-core schedules dleyna_task_processor_t->on_quit_cb more than once. The dleyna-renderer code is not ready for this (see above), and hits a double free. Ideally, on_quit_cb handler shouldn't be invoked twice. Filed as: https://github.com/01org/dleyna-core/pull/48
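
A minimal model of the two defects described in comment 18, added here as an example; it is not taken from the dleyna source or from either pull request. All type and function names are hypothetical, and the object lives on the stack so the repeated delete is counted rather than actually performed on the heap.

```c
#include <stdio.h>
#include <stddef.h>

/* Simplified model with hypothetical names; not the dleyna source. */
typedef struct { int deleted; } upnp_t;                /* stands in for dlr_upnp_t */
typedef struct { upnp_t *upnp; } context_t;            /* owner of the pointer */
typedef struct { int pending; int scheduled; } core_t; /* quit-callback queue */

static int double_deletes;

/* The object lives on the caller's stack, not the heap, so a repeated
 * delete can be counted safely instead of corrupting allocator state. */
static void upnp_delete(upnp_t *u) {
    if (u == NULL) return;          /* deleting NULL is a no-op */
    if (u->deleted) double_deletes++;
    u->deleted = 1;
}

/* Quit handler: the unfixed form leaves ctx->upnp dangling. */
static void on_quit(context_t *ctx, int null_after_delete) {
    upnp_delete(ctx->upnp);
    if (null_after_delete) ctx->upnp = NULL;
}

/* Core side: the unguarded form queues the handler on every request. */
static void schedule_quit(core_t *core, int guard) {
    if (guard && core->scheduled) return;
    core->scheduled = 1;
    core->pending++;
}

/* Request quit twice, drain the queue, return the double deletes seen. */
int simulate(int guard_core, int null_after_delete) {
    upnp_t obj = {0};
    context_t ctx = { &obj };
    core_t core = {0, 0};
    double_deletes = 0;
    schedule_quit(&core, guard_core);
    schedule_quit(&core, guard_core);
    while (core.pending-- > 0) on_quit(&ctx, null_after_delete);
    return double_deletes;
}

int main(void) {
    printf("neither fix:       %d\n", simulate(0, 0));
    printf("NULL after delete: %d\n", simulate(0, 1));
    printf("guarded schedule:  %d\n", simulate(1, 0));
    printf("both fixes:        %d\n", simulate(1, 1));
    return 0;
}
```

Either change alone removes the repeated delete in this model; applying both keeps the handler safe even if another caller later schedules it twice.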
Comment 19 Debarshi Ray 2016-09-15 11:29:29 EDT
*** Bug 1253072 has been marked as a duplicate of this bug. ***
Comment 20 Debarshi Ray 2016-09-15 11:29:45 EDT
*** Bug 1301746 has been marked as a duplicate of this bug. ***
Comment 21 Debarshi Ray 2016-09-15 11:32:13 EDT
*** Bug 1301249 has been marked as a duplicate of this bug. ***
Comment 22 Debarshi Ray 2016-09-15 11:49:53 EDT
(In reply to Debarshi Ray from comment #18)
> The problem here is two-fold.
> 
> First, prv_control_point_stop_service in dleyna-renderer doesn't NULLify the
> dlr_upnp_t pointer after destroying it, which leaves it vulnerable to double
> free. Filed as: https://github.com/01org/dleyna-renderer/pull/160
> 
> Second, dleyna-core schedules dleyna_task_processor_t->on_quit_cb more than
> once. The dleyna-renderer code is not ready for this (see above), and hits a
> double free. Ideally, on_quit_cb handler shouldn't be invoked twice. Filed
> as: https://github.com/01org/dleyna-core/pull/48

Let's wait for some upstream reviews before we add these to Fedora.
Comment 23 Fedora Update System 2016-09-22 05:55:38 EDT
dleyna-renderer-0.5.0-5.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-c4cc484e18
Comment 24 Fedora Update System 2016-09-22 05:55:47 EDT
dleyna-core-0.5.0-4.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-8b47d28f07
Comment 25 Fedora Update System 2016-09-23 02:54:05 EDT
dleyna-renderer-0.5.0-4.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-c0573a805d
Comment 26 Fedora Update System 2016-09-23 02:54:17 EDT
dleyna-core-0.5.0-3.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-d3927e6a71
Comment 27 Fedora Update System 2016-09-23 04:01:23 EDT
dleyna-renderer-0.5.0-5.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-83b2fee0aa
Comment 28 Fedora Update System 2016-09-23 04:01:32 EDT
dleyna-core-0.5.0-4.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-603b9f4445
Comment 29 Fedora Update System 2016-09-25 20:20:34 EDT
dleyna-core-0.5.0-4.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Comment 30 Fedora Update System 2016-09-26 20:34:25 EDT
dleyna-renderer-0.5.0-5.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
Comment 31 Fedora Update System 2016-09-26 20:34:34 EDT
dleyna-core-0.5.0-4.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
Comment 32 Fedora Update System 2016-10-03 13:22:29 EDT
dleyna-renderer-0.5.0-5.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Comment 33 Fedora Update System 2016-10-03 16:19:46 EDT
dleyna-renderer-0.5.0-4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 34 Fedora Update System 2016-10-03 16:19:54 EDT
dleyna-core-0.5.0-3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
