Bug 1899826 - kwin_wayland segmentation faults in spa_hook_remove in pipewire 0.3.16-1.fc33
Summary: kwin_wayland segmentation faults in spa_hook_remove in pipewire 0.3.16-1.fc33
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: pipewire
Version: 33
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Wim Taymans
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2020-11-20 06:40 UTC by Matt Fagnani
Modified: 2021-01-12 16:46 UTC (History)
2 users (show)

Fixed In Version: pipewire-0.3.16-2.fc34 pipewire-0.3.19-4.eln108
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-11-20 09:12:00 UTC
Type: Bug
Embargoed:



Description Matt Fagnani 2020-11-20 06:40:52 UTC
Description of problem:

I was using Plasma 5.20.3 on Wayland in a F33 KDE Plasma spin installation with kwin-wayland, plasma-workspace-wayland and their dependencies installed. I ran sudo dnf upgrade --refresh with updates-testing enabled. The update included pipewire-0.3.16-1.fc33, kernel-5.9.9-200.fc33 and other rpms. I rebooted. I logged in to Plasma 5.20.3 on Wayland. I was using Firefox Nightly 85.0a1 on Wayland for a few minutes. kwin_wayland segmentation faulted in spa_hook_remove at ../spa/include/spa/utils/hook.h:112 in pipewire 0.3.16-1.fc33. The crash appeared to happen when the pipewire stream was being destroyed, starting with KWin::PipeWireStream::~PipeWireStream() in frame 3.

Core was generated by `/usr/bin/kwin_wayland --xwayland --exit-with-session=/usr/libexec/startplasma-w'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  spa_hook_remove (hook=0x562000027818) at ../spa/include/spa/utils/hook.h:112
112                     hook->removed(hook);
[Current thread is 1 (Thread 0x7f505f8c8e00 (LWP 3661))]
(gdb) bt
#0  spa_hook_remove (hook=0x562000027818) at ../spa/include/spa/utils/hook.h:112
#1  spa_hook_list_clean (list=<optimized out>) at ../spa/include/spa/utils/hook.h:119
#2  pw_stream_destroy (stream=0x5620002159d0) at ../src/pipewire/stream.c:1315
#3  0x0000561ffe7ee8f1 in KWin::PipeWireStream::~PipeWireStream()
    (this=0x5620000277f0, this=<optimized out>)
    at /usr/src/debug/kwin-5.20.3-1.fc33.x86_64/screencast/pipewirestream.cpp:188
#4  0x0000561ffe7eea7a in KWin::WindowStream::~WindowStream()
    (this=0x5620000277f0, this=<optimized out>)
    at /usr/src/debug/kwin-5.20.3-1.fc33.x86_64/screencast/screencastmanager.cpp:40
#5  KWin::WindowStream::~WindowStream() (this=0x5620000277f0, this=<optimized out>)
    at /usr/src/debug/kwin-5.20.3-1.fc33.x86_64/screencast/screencastmanager.cpp:40
#6  0x00007f505fb56256 in QtPrivate::QSlotObjectBase::call(QObject*, void**)
    (a=0x7ffcca163730, r=0x5620000277f0, this=0x562000087560)
    at ../../include/QtCore/../../src/corelib/kernel/qobjectdefs_impl.h:398
#7  doActivate<false>(QObject*, int, void**)
    (sender=0x56200009f000, signal_index=3, argv=0x7ffcca163730) at kernel/qobject.cpp:3886
#8  0x00007f5060cab605 in KWaylandServer::ScreencastStreamV1InterfacePrivate::zkde_screencast_stream_unstable_v1_destroy_resource(QtWaylandServer::zkde_screencast_stream_unstable_v1::Resource*)
    (this=0x562000130ae0, resource=<optimized out>)
    at /usr/src/debug/kwayland-server-5.20.3-1.fc33.x86_64/src/server/screencast_v1_interface.cpp:31
#9  0x00007f5060cf0584 in QtWaylandServer::zkde_screencast_stream_unstable_v1::destroy_func(wl_resource*) (client_resource=<optimized out>)
    at /usr/src/debug/kwayland-server-5.20.3-1.fc33.x86_64/x86_64-redhat-linux-gnu/src/server/qwayland-server-zkde-screencast-unstable-v1.cpp:326
#10 0x00007f505df0197f in destroy_resource
    (element=0x5620000cc740, data=data@entry=0x7ffcca163824, flags=0) at src/wayland-server.c:724
#11 0x00007f505df02013 in for_each_helper (entries=<optimized out>, entries=0x561ffff542e0, data=0x7ffcca163824, func=0x7f505df018d0 <destroy_resource>) at src/wayland-util.c:372
#12 wl_map_for_each (data=0x7ffcca163824, func=0x7f505df018d0 <destroy_resource>, map=0x561ffff542e0) at src/wayland-util.c:385
#13 wl_client_destroy (client=client@entry=0x561ffff542b0) at src/wayland-server.c:883
#14 0x00007f505df0244b in destroy_client_with_error (reason=<optimized out>, client=<optimized out>) at src/wayland-server.c:319
#15 wl_client_connection_data (fd=<optimized out>, mask=<optimized out>, data=<optimized out>) at src/wayland-server.c:342
#16 0x00007f505df01ac2 in wl_event_loop_dispatch (loop=0x561fff0e06e0, timeout=<optimized out>) at src/event-loop.c:1027
#17 0x00007f5060c81f13 in KWaylandServer::Display::Private::dispatch() (this=<optimized out>) at /usr/src/debug/kwayland-server-5.20.3-1.fc33.x86_64/src/server/display.cpp:135
#18 0x00007f505fb56256 in QtPrivate::QSlotObjectBase::call(QObject*, void**) (a=0x7ffcca163d70, r=0x561fff102640, this=0x561fffac3280) at ../../include/QtCore/../../src/corelib/kernel/qobjectdefs_impl.h:398
#19 doActivate<false>(QObject*, int, void**) (sender=0x561fffba6830, signal_index=3, argv=0x7ffcca163d70) at kernel/qobject.cpp:3886
#20 0x00007f505fb59476 in QSocketNotifier::activated(QSocketDescriptor, QSocketNotifier::Type, QSocketNotifier::QPrivateSignal) (this=this@entry=0x561fffba6830, _t1=..., _t2=<optimized out>, _t3=...) at .moc/moc_qsocketnotifier.cpp:178
#21 0x00007f505fb59be9 in QSocketNotifier::event(QEvent*) (this=0x561fffba6830, e=0x7ffcca163e90) at kernel/qsocketnotifier.cpp:302
#22 0x00007f506051e15f in QApplicationPrivate::notify_helper(QObject*, QEvent*) (this=<optimized out>, receiver=0x561fffba6830, e=0x7ffcca163e90) at kernel/qapplication.cpp:3630
#23 0x00007f505fb27be8 in QCoreApplication::notifyInternal2(QObject*, QEvent*) (receiver=0x561fffba6830, event=0x7ffcca163e90) at kernel/qcoreapplication.cpp:1063
#24 0x00007f505fb6fece in QEventDispatcherUNIXPrivate::activateSocketNotifiers() (this=0x561fff0cab40) at kernel/qeventdispatcher_unix.cpp:304
#25 0x00007f505fb70254 in QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (this=<optimized out>, flags=...) at kernel/qeventdispatcher_unix.cpp:511
#26 0x00007f504ca243ad in QUnixEventDispatcherQPA::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () at /usr/lib64/qt5/plugins/platforms/KWinQpaPlugin.so
#27 0x00007f505fb2664b in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (this=0x7ffcca164000, flags=...) at ../../include/QtCore/../../src/corelib/global/qflags.h:69
#28 0x00007f505fb2e010 in QCoreApplication::exec() () at ../../include/QtCore/../../src/corelib/global/qflags.h:121
#29 0x0000561ffe7d456e in main(int, char**) (argc=<optimized out>, argv=0x7ffcca164220) at /usr/src/debug/kwin-5.20.3-1.fc33.x86_64/main_wayland.cpp:702

The hook pointed to an inaccessible address 0x215a38.

(gdb) p hook
$1 = (struct spa_hook *) 0x562000027818
(gdb) x 0x562000027818
0x562000027818: 0x00215a38
(gdb) x 0x00215a38
0x215a38:       Cannot access memory at address 0x215a38

kwin_wayland crashed with essentially the same traces each of three further times within 5-10 minutes after I logged into Plasma on Wayland with pipewire-0.3.16-1.fc33. These crashes didn't happen with pipewire-0.3.15-2.fc33.

Version-Release number of selected component (if applicable):
pipewire-0.3.16-1.fc33
kwin-wayland-5.20.3-1.fc33.x86_64
kf5-plasma-5.75.0-1.fc33.x86_64
qt5-qtbase-5.15.1-7.fc33.x86_64

How reproducible:
kwin_wayland crashed 4/4 times using Plasma on Wayland with pipewire-0.3.16-1.fc33

Steps to Reproduce:
1. Boot a F33 KDE Plasma spin installation with kwin-wayland, plasma-workspace-wayland and their dependencies installed. 
2. Log in to Plasma 5.20.3 on Wayland 
3. sudo dnf upgrade --refresh with updates-testing enabled
The update should include pipewire-0.3.16-1.fc33
4. reboot
5. I logged in to Plasma 5.20.3 on Wayland. 
6. Wait for pipewire to start in the background or start it directly. 
I was using Firefox Nightly 85.0a1 on Wayland during 3 of the crashes.

Actual results:
kwin_wayland segmentation faults in spa_hook_remove in pipewire 0.3.16-1.fc33

Expected results:
No crashes would happen.

Additional info:
The journal at the time of the first kwin_wayland crash showed some pipewire errors as it was starting automatically in the background.

Nov 20 00:10:44 systemd[1097]: Started Multimedia Service.
Nov 20 00:10:44 rtkit-daemon[779]: Supervising 4 threads of 2 processes of 1 users.
Nov 20 00:10:44 rtkit-daemon[779]: Supervising 4 threads of 2 processes of 1 users.
Nov 20 00:10:44 pipewire[3360]: Could not get portal pid: Argument 0 is specified to be of type "uint32", but is actually of type "string"
Nov 20 00:10:44 pipewire[3360]: failed to open "/proc/1167/root": Permission denied
Nov 20 00:10:44 pipewire[3360]: access 0x5607c9ae2790: client 0x5607c9aed7b0 sandbox check failed: Permission denied
Nov 20 00:10:44 rtkit-daemon[779]: Successfully made thread 3361 of process 3360 (/usr/bin/pipewire) owned by '1000' RT at priority 20.
Nov 20 00:10:44 rtkit-daemon[779]: Supervising 5 threads of 3 processes of 1 users.
Nov 20 00:10:44 rtkit-daemon[779]: Supervising 5 threads of 3 processes of 1 users.
Nov 20 00:10:44 rtkit-daemon[779]: Supervising 5 threads of 3 processes of 1 users.
Nov 20 00:10:44 audit[1167]: ANOM_ABEND auid=1000 uid=1000 gid=1000 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1167 comm="kwin_wayland" exe="/usr/bin/kwin_wayland" sig=11 res=1
Nov 20 00:10:44 kernel: show_signal_msg: 42 callbacks suppressed
Nov 20 00:10:44 kernel: kwin_wayland[1167]: segfault at 55b88cabe400 ip 000055b88cabe400 sp 00007ffc8325c688 error 15
Nov 20 00:10:44 kernel: Code: 00 00 41 00 00 00 00 00 00 00 41 6c 6c 6f 77 20 63 6c 69 65 6e 74 73 20 74 6f 20 63 72 65 61 74 65 20 61 6e 64 20 63 6f 6e 74 <72> 6f 6c 20 72 65 6d 6f 74 65 20 64 65 76 69 63 65 73 00 00 00 00
Nov 20 00:10:44 rtkit-daemon[779]: Successfully made thread 3365 of process 3363 (/usr/bin/pipewire-media-session) owned by '1000' RT at priority 20.
Nov 20 00:10:44 rtkit-daemon[779]: Supervising 6 threads of 4 processes of 1 users.
Nov 20 00:10:44 systemd[1]: Created slice system-systemd\x2dcoredump.slice.
Nov 20 00:10:44 audit: BPF prog-id=46 op=LOAD
Nov 20 00:10:44 audit: BPF prog-id=47 op=LOAD
Nov 20 00:10:44 audit: BPF prog-id=48 op=LOAD
Nov 20 00:10:44 systemd[1]: Started Process Core Dump (PID 3368/UID 0).
Nov 20 00:10:44 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-coredump@0-3368-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Nov 20 00:10:44 pipewire-media-session[3363]: core 0x557031057920: proxy 0x557031091cb0 id:4: bound:-1 seq:4 res:-2 (No such file or directory) msg:"can't create device: No such file or directory"
Nov 20 00:10:44 pipewire-media-session[3363]: error id:4 seq:4 res:-2 (No such file or directory): can't create device: No such file or directory

The same sorts of pipewire errors happened around the time of the other kwin_wayland crashes.

Comment 1 Wim Taymans 2020-11-20 08:08:44 UTC
Caused by a bug in kwin: the listener should be cleared before adding it so that the removed callback doesn't contain garbage.

here: https://invent.kde.org/plasma/kwin/-/blob/master/screencast/pipewirestream.cpp#L250

but I'll make a workaround to fix this and make it safer in the future.

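What comment 1 describes is an uninitialised function pointer inside a struct that is later called on teardown: spa_hook has a `removed` callback that spa_hook_remove invokes when it is non-NULL (hook.h:112 in the backtrace), and kwin embedded the hook in memory it never cleared, so whatever bytes were already there became the call target. The journal line in the description is consistent with that: the kernel reports the instruction pointer equal to the faulting address, and the `Code:` bytes it prints decode to an English sentence rather than machine code, i.e. the indirect call landed inside a string. The example below, written for this page and not code from kwin or pipewire, rebuilds the hook list and removal logic with the same field names, shows that stale bytes survive the unzeroed append (the stale 0x41 fill is constructed), shows the hardened append that zeroes the hook first (the assumed shape of the pipewire-side workaround; kwin's own fix is clearing the listener before adding it, as comment 1 says), and decodes the `Code:` dump from the log. Whether a bug of this class is more than a crash depends on who controls the stale memory; this page shows only the crash.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for struct spa_hook; the list link is simplified to next/prev (an assumption). */
struct hook {
    struct hook *next, *prev;
    const void *funcs;
    void *data;
    void (*removed)(struct hook *hook); /* run by hook_remove() when non-NULL */
};
struct hook_list { struct hook head; }; /* sentinel node */
static void hook_list_init(struct hook_list *l) { l->head.next = l->head.prev = &l->head; }

/* Append as the crashing combination did: link/funcs/data are written, removed
 * keeps whatever bytes the caller's memory already held. */
static void hook_list_append_unsafe(struct hook_list *l, struct hook *h, const void *funcs, void *data)
{
    h->funcs = funcs; h->data = data;
    h->prev = l->head.prev; h->next = &l->head;
    l->head.prev->next = h; l->head.prev = h;
}

/* Hardened append: zero the hook first so removed starts NULL even when the caller
 * never initialised it (assumed shape of the pipewire-side workaround; kwin's fix is
 * the same clearing before adding). */
static void hook_list_append_safe(struct hook_list *l, struct hook *h, const void *funcs, void *data)
{
    memset(h, 0, sizeof *h);
    hook_list_append_unsafe(l, h, funcs, data);
}

/* Mirror of spa_hook_remove: unlink, then call removed() if set (hook.h:112 in the
 * backtrace). Returns 1 when a callback ran, 0 otherwise. */
static int hook_remove(struct hook *h)
{
    h->prev->next = h->next;
    h->next->prev = h->prev;
    if (!h->removed) return 0;
    h->removed(h);
    return 1;
}
static int removed_calls;
static void on_removed(struct hook *h) { (void)h; removed_calls++; }

/* The kwin pattern: the hook's memory still holds stale bytes (constructed here as
 * a 0x41 fill). Returns the value of removed after the append; it is inspected
 * rather than called, since nonzero means hook_remove() would jump there. */
uintptr_t removed_ptr_after_append(int zero_first)
{
    struct hook_list l; struct hook h;
    hook_list_init(&l);
    memset(&h, 0x41, sizeof h);
    (zero_first ? hook_list_append_safe : hook_list_append_unsafe)(&l, &h, NULL, NULL);
    return (uintptr_t)h.removed;
}

/* Legitimate use: removed set after the hardened append runs exactly once (1). */
int callback_runs_when_set(void)
{
    struct hook_list l; struct hook h;
    removed_calls = 0;
    hook_list_init(&l);
    hook_list_append_safe(&l, &h, NULL, NULL);
    h.removed = on_removed;
    return hook_remove(&h) == 1 && removed_calls == 1;
}

/* Decode a kernel "Code:" dump (the byte at ip is wrapped in <..>) to printable text. */
size_t decode_code_bytes(const char *hex, char *out, size_t outsz)
{
    size_t n = 0;
    unsigned b;
    for (const char *p = hex; *p && n + 1 < outsz; p += 2) {
        while (*p == ' ' || *p == '<' || *p == '>') p++;
        if (sscanf(p, "%2x", &b) != 1) break;
        out[n++] = isprint((int)b) ? (char)b : '.';
    }
    out[n] = '\0';
    return n;
}

/* The Code: bytes from the kwin_wayland segfault line in the journal above. */
static const char KERNEL_CODE_LINE[] =
    "00 00 41 00 00 00 00 00 00 00 41 6c 6c 6f 77 20 63 6c 69 65 6e 74 73 20 74 6f "
    "20 63 72 65 61 74 65 20 61 6e 64 20 63 6f 6e 74 <72> 6f 6c 20 72 65 6d 6f 74 "
    "65 20 64 65 76 69 63 65 73 00 00 00 00";

/* 1 if the bytes at ip read as an English sentence: the CPU was fetching
 * instructions from a string, the signature of a call through a garbage pointer. */
int page_code_bytes_decode_to_sentence(void)
{
    char text[128];
    decode_code_bytes(KERNEL_CODE_LINE, text, sizeof text);
    return strstr(text, "Allow clients to create and control remote devices") != NULL;
}
```

The two checks a practitioner would run on a core like this one are in the code: `removed_ptr_after_append(0)` is what `p hook->removed` in gdb shows when the listener was never cleared (here 0x41 in every byte), and the decoder turns the kernel's `Code:` line into text so you can tell a call into data from a genuine bad instruction. Zeroing the hook on the library side, as the hardened append does, makes the library tolerant of callers that forget the clear, which is why the pipewire workaround stopped the crash without waiting for the kwin fix.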
Comment 2 Fedora Update System 2020-11-20 09:12:00 UTC
FEDORA-2020-2bbbe3cb33 has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 3 Fedora Update System 2020-11-20 09:16:14 UTC
FEDORA-2020-d7bb61dc59 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2020-d7bb61dc59

Comment 4 Matt Fagnani 2020-11-21 00:24:00 UTC
(In reply to Wim Taymans from comment #1)
> Cause by bug in kwin, the listener should be cleared before adding it so
> that the removed callback doesn't contain
> garbage.
> 
> here:
> https://invent.kde.org/plasma/kwin/-/blob/master/screencast/pipewirestream.
> cpp#L250
> 
> but I'll make a workaround to fix this and make it safer in the future.

pipewire-0.3.16-2.fc33 fixed this crash. Thanks. I reported this problem at https://bugs.kde.org/show_bug.cgi?id=429395

Comment 5 Fedora Update System 2020-11-21 02:43:25 UTC
FEDORA-2020-d7bb61dc59 has been pushed to the Fedora 33 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-d7bb61dc59`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-d7bb61dc59

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2020-11-27 02:10:52 UTC
FEDORA-2020-6914f325a3 has been pushed to the Fedora 33 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-6914f325a3`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-6914f325a3

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2020-11-28 02:55:41 UTC
FEDORA-2020-0c6652bbf5 has been pushed to the Fedora 33 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-0c6652bbf5`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-0c6652bbf5

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2021-01-12 16:46:54 UTC
FEDORA-2021-8441f20034 has been pushed to the Fedora ELN stable repository.
If problem still persists, please make note of it in this bug report.

