Bug 429395

Summary: kwin_wayland segmentation faults in spa_hook_remove in pipewire 0.3.16-1.fc33
Product: [Plasma] kwin
Reporter: Matt Fagnani <matt.fagnani>
Component: wayland-generic
Assignee: KWin default assignee <kwin-bugs-null>
Status: RESOLVED FIXED
Severity: normal
CC: postix, sam
Priority: NOR
Version: 5.20.3
Target Milestone: ---
Platform: Fedora RPMs
OS: Linux
See Also: https://bugs.kde.org/show_bug.cgi?id=439455
Latest Commit:
Version Fixed In:
Sentry Crash Report:

Description Matt Fagnani 2020-11-20 13:39:00 UTC
SUMMARY

I was using Plasma 5.20.3 on Wayland in an F33 KDE Plasma spin installation with kwin-wayland, plasma-workspace-wayland and their dependencies installed. I ran sudo dnf upgrade --refresh with updates-testing enabled. The update included pipewire-0.3.16-1.fc33, kernel-5.9.9-200.fc33 and other rpms. I rebooted. I logged in to Plasma 5.20.3 on Wayland. I was using Firefox Nightly 85.0a1 on Wayland for a few minutes. kwin_wayland segmentation faulted in spa_hook_remove at ../spa/include/spa/utils/hook.h:112 in pipewire 0.3.16-1.fc33. The crash appeared to happen when the pipewire stream was being destroyed, starting with KWin::PipeWireStream::~PipeWireStream() in frame 3.

Core was generated by `/usr/bin/kwin_wayland --xwayland --exit-with-session=/usr/libexec/startplasma-w'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  spa_hook_remove (hook=0x562000027818) at ../spa/include/spa/utils/hook.h:112
112                     hook->removed(hook);
[Current thread is 1 (Thread 0x7f505f8c8e00 (LWP 3661))]
(gdb) bt
#0  spa_hook_remove (hook=0x562000027818) at ../spa/include/spa/utils/hook.h:112
#1  spa_hook_list_clean (list=<optimized out>) at ../spa/include/spa/utils/hook.h:119
#2  pw_stream_destroy (stream=0x5620002159d0) at ../src/pipewire/stream.c:1315
#3  0x0000561ffe7ee8f1 in KWin::PipeWireStream::~PipeWireStream()
    (this=0x5620000277f0, this=<optimized out>)
    at /usr/src/debug/kwin-5.20.3-1.fc33.x86_64/screencast/pipewirestream.cpp:188
#4  0x0000561ffe7eea7a in KWin::WindowStream::~WindowStream()
    (this=0x5620000277f0, this=<optimized out>)
    at /usr/src/debug/kwin-5.20.3-1.fc33.x86_64/screencast/screencastmanager.cpp:40
#5  KWin::WindowStream::~WindowStream() (this=0x5620000277f0, this=<optimized out>)
    at /usr/src/debug/kwin-5.20.3-1.fc33.x86_64/screencast/screencastmanager.cpp:40
#6  0x00007f505fb56256 in QtPrivate::QSlotObjectBase::call(QObject*, void**)
    (a=0x7ffcca163730, r=0x5620000277f0, this=0x562000087560)
    at ../../include/QtCore/../../src/corelib/kernel/qobjectdefs_impl.h:398
#7  doActivate<false>(QObject*, int, void**)
    (sender=0x56200009f000, signal_index=3, argv=0x7ffcca163730) at kernel/qobject.cpp:3886
#8  0x00007f5060cab605 in KWaylandServer::ScreencastStreamV1InterfacePrivate::zkde_screencast_stream_unstable_v1_destroy_resource(QtWaylandServer::zkde_screencast_stream_unstable_v1::Resource*)
    (this=0x562000130ae0, resource=<optimized out>)
    at /usr/src/debug/kwayland-server-5.20.3-1.fc33.x86_64/src/server/screencast_v1_interface.cpp:31
#9  0x00007f5060cf0584 in QtWaylandServer::zkde_screencast_stream_unstable_v1::destroy_func(wl_resource*) (client_resource=<optimized out>)
    at /usr/src/debug/kwayland-server-5.20.3-1.fc33.x86_64/x86_64-redhat-linux-gnu/src/server/qwayland-server-zkde-screencast-unstable-v1.cpp:326
#10 0x00007f505df0197f in destroy_resource
    (element=0x5620000cc740, data=data@entry=0x7ffcca163824, flags=0) at src/wayland-server.c:724
#11 0x00007f505df02013 in for_each_helper (entries=<optimized out>, entries=0x561ffff542e0, data=0x7ffcca163824, func=0x7f505df018d0 <destroy_resource>) at src/wayland-util.c:372
#12 wl_map_for_each (data=0x7ffcca163824, func=0x7f505df018d0 <destroy_resource>, map=0x561ffff542e0) at src/wayland-util.c:385
#13 wl_client_destroy (client=client@entry=0x561ffff542b0) at src/wayland-server.c:883
#14 0x00007f505df0244b in destroy_client_with_error (reason=<optimized out>, client=<optimized out>) at src/wayland-server.c:319
#15 wl_client_connection_data (fd=<optimized out>, mask=<optimized out>, data=<optimized out>) at src/wayland-server.c:342
#16 0x00007f505df01ac2 in wl_event_loop_dispatch (loop=0x561fff0e06e0, timeout=<optimized out>) at src/event-loop.c:1027
#17 0x00007f5060c81f13 in KWaylandServer::Display::Private::dispatch() (this=<optimized out>) at /usr/src/debug/kwayland-server-5.20.3-1.fc33.x86_64/src/server/display.cpp:135
#18 0x00007f505fb56256 in QtPrivate::QSlotObjectBase::call(QObject*, void**) (a=0x7ffcca163d70, r=0x561fff102640, this=0x561fffac3280) at ../../include/QtCore/../../src/corelib/kernel/qobjectdefs_impl.h:398
#19 doActivate<false>(QObject*, int, void**) (sender=0x561fffba6830, signal_index=3, argv=0x7ffcca163d70) at kernel/qobject.cpp:3886
#20 0x00007f505fb59476 in QSocketNotifier::activated(QSocketDescriptor, QSocketNotifier::Type, QSocketNotifier::QPrivateSignal) (this=this@entry=0x561fffba6830, _t1=..., _t2=<optimized out>, _t3=...) at .moc/moc_qsocketnotifier.cpp:178
#21 0x00007f505fb59be9 in QSocketNotifier::event(QEvent*) (this=0x561fffba6830, e=0x7ffcca163e90) at kernel/qsocketnotifier.cpp:302
#22 0x00007f506051e15f in QApplicationPrivate::notify_helper(QObject*, QEvent*) (this=<optimized out>, receiver=0x561fffba6830, e=0x7ffcca163e90) at kernel/qapplication.cpp:3630
#23 0x00007f505fb27be8 in QCoreApplication::notifyInternal2(QObject*, QEvent*) (receiver=0x561fffba6830, event=0x7ffcca163e90) at kernel/qcoreapplication.cpp:1063
#24 0x00007f505fb6fece in QEventDispatcherUNIXPrivate::activateSocketNotifiers() (this=0x561fff0cab40) at kernel/qeventdispatcher_unix.cpp:304
#25 0x00007f505fb70254 in QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (this=<optimized out>, flags=...) at kernel/qeventdispatcher_unix.cpp:511
#26 0x00007f504ca243ad in QUnixEventDispatcherQPA::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () at /usr/lib64/qt5/plugins/platforms/KWinQpaPlugin.so
#27 0x00007f505fb2664b in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (this=0x7ffcca164000, flags=...) at ../../include/QtCore/../../src/corelib/global/qflags.h:69
#28 0x00007f505fb2e010 in QCoreApplication::exec() () at ../../include/QtCore/../../src/corelib/global/qflags.h:121
#29 0x0000561ffe7d456e in main(int, char**) (argc=<optimized out>, argv=0x7ffcca164220) at /usr/src/debug/kwin-5.20.3-1.fc33.x86_64/main_wayland.cpp:702

hook pointed to an inaccessible address 0x215a38.

(gdb) p hook
$1 = (struct spa_hook *) 0x562000027818
(gdb) x 0x562000027818
0x562000027818: 0x00215a38
(gdb) x 0x00215a38
0x215a38:       Cannot access memory at address 0x215a38

kwin_wayland crashed with essentially the same traces each of three further times within 5-10 minutes after I logged into Plasma on Wayland with pipewire-0.3.16-1.fc33. These crashes didn't happen with pipewire-0.3.15-2.fc33.

STEPS TO REPRODUCE
1. Boot a F33 KDE Plasma spin installation with kwin-wayland, plasma-workspace-wayland and their dependencies installed.
2. Log in to Plasma 5.20.3 on Wayland.
3. sudo dnf upgrade --refresh with updates-testing enabled. The update should include pipewire-0.3.16-1.fc33.
4. Reboot.
5. Log in to Plasma 5.20.3 on Wayland.
6. Wait for pipewire to start in the background or start it directly.
I was using Firefox Nightly 85.0a1 on Wayland during 3 of the crashes.

OBSERVED RESULT
kwin_wayland segmentation faults in spa_hook_remove in pipewire 0.3.16-1.fc33

EXPECTED RESULT
No crashes would happen.

SOFTWARE/OS VERSIONS
Linux/KDE Plasma: Fedora 33
(available in About System)
KDE Plasma Version: 5.20.3
KDE Frameworks Version: 5.75.0
Qt Version: 5.15.1

ADDITIONAL INFORMATION

The journal at the time of the first kwin_wayland crash showed some pipewire errors as it was starting automatically in the background.

Nov 20 00:10:44 systemd[1097]: Started Multimedia Service.
Nov 20 00:10:44 rtkit-daemon[779]: Supervising 4 threads of 2 processes of 1 users.
Nov 20 00:10:44 rtkit-daemon[779]: Supervising 4 threads of 2 processes of 1 users.
Nov 20 00:10:44 pipewire[3360]: Could not get portal pid: Argument 0 is specified to be of type "uint32", but is actually of type "string"
Nov 20 00:10:44 pipewire[3360]: failed to open "/proc/1167/root": Permission denied
Nov 20 00:10:44 pipewire[3360]: access 0x5607c9ae2790: client 0x5607c9aed7b0 sandbox check failed: Permission denied
Nov 20 00:10:44 rtkit-daemon[779]: Successfully made thread 3361 of process 3360 (/usr/bin/pipewire) owned by '1000' RT at priority 20.
Nov 20 00:10:44 rtkit-daemon[779]: Supervising 5 threads of 3 processes of 1 users.
Nov 20 00:10:44 rtkit-daemon[779]: Supervising 5 threads of 3 processes of 1 users.
Nov 20 00:10:44 rtkit-daemon[779]: Supervising 5 threads of 3 processes of 1 users.
Nov 20 00:10:44 audit[1167]: ANOM_ABEND auid=1000 uid=1000 gid=1000 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1167 comm="kwin_wayland" exe="/usr/bin/kwin_wayland" sig=11 res=1
Nov 20 00:10:44 kernel: show_signal_msg: 42 callbacks suppressed
Nov 20 00:10:44 kernel: kwin_wayland[1167]: segfault at 55b88cabe400 ip 000055b88cabe400 sp 00007ffc8325c688 error 15
Nov 20 00:10:44 kernel: Code: 00 00 41 00 00 00 00 00 00 00 41 6c 6c 6f 77 20 63 6c 69 65 6e 74 73 20 74 6f 20 63 72 65 61 74 65 20 61 6e 64 20 63 6f 6e 74 <72> 6f 6c 20 72 65 6d 6f 74 65 20 64 65 76 69 63 65 73 00 00 00 00
Nov 20 00:10:44 rtkit-daemon[779]: Successfully made thread 3365 of process 3363 (/usr/bin/pipewire-media-session) owned by '1000' RT at priority 20.
Nov 20 00:10:44 rtkit-daemon[779]: Supervising 6 threads of 4 processes of 1 users.
Nov 20 00:10:44 systemd[1]: Created slice system-systemd\x2dcoredump.slice.
Nov 20 00:10:44 audit: BPF prog-id=46 op=LOAD
Nov 20 00:10:44 audit: BPF prog-id=47 op=LOAD
Nov 20 00:10:44 audit: BPF prog-id=48 op=LOAD
Nov 20 00:10:44 systemd[1]: Started Process Core Dump (PID 3368/UID 0).
Nov 20 00:10:44 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-coredump@0-3368-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Nov 20 00:10:44 pipewire-media-session[3363]: core 0x557031057920: proxy 0x557031091cb0 id:4: bound:-1 seq:4 res:-2 (No such file or directory) msg:"can't create device: No such file or directory"
Nov 20 00:10:44 pipewire-media-session[3363]: error id:4 seq:4 res:-2 (No such file or directory): can't create device: No such file or directory

The same sorts of pipewire errors happened around the time of the other kwin_wayland crashes.


I reported this problem for Fedora at https://bugzilla.redhat.com/show_bug.cgi?id=1899826, where Wim Taymans wrote:
"Caused by a bug in kwin, the listener should be cleared before adding it so that the removed callback doesn't contain garbage.

here: https://invent.kde.org/plasma/kwin/-/blob/master/screencast/pipewirestream.cpp#L250

but I'll make a workaround to fix this and make it safer in the future."
https://bugzilla.redhat.com/show_bug.cgi?id=1899826#c1
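The quoted comment describes the mechanism behind the backtrace: a listener hook registered without being cleared keeps whatever the memory previously held as its `removed` callback, and the stream teardown path then calls it. The following is an added illustration, not code from the report, kwin or pipewire: a simplified model of an spa_hook list (all struct and function names are assumed stand-ins) showing the no-clear case beside the two remedies the comment names, the caller zeroing the hook and the list clearing it on append.

```c
#include <stddef.h>
#include <string.h>
/* Assumed, simplified stand-in for struct spa_hook; not pipewire's real header. */
struct hook {
    struct hook *next;
    void (*removed)(struct hook *h);   /* optional; hook_remove() calls it when non-NULL */
    void *priv;
};
struct hook_list { struct hook *head; };
static int spurious_calls;
static void stale_callback(struct hook *h) { (void)h; spurious_calls++; }

/* Append that trusts the caller to have zeroed the hook. The report says kwin 5.20.3
 * did not, so whatever the memory held before became the `removed` callback. */
static void append_trusting(struct hook_list *l, struct hook *h) {
    h->next = l->head;
    l->head = h;
}

/* Defensive append: clear every field before linking, so `removed` cannot be garbage. */
static void append_clearing(struct hook_list *l, struct hook *h) {
    memset(h, 0, sizeof *h);
    h->next = l->head;
    l->head = h;
}

static void hook_remove(struct hook *h) {
    if (h->removed)        /* a garbage non-NULL pointer here is the crash in frame #0 */
        h->removed(h);
}

static void hook_list_clean(struct hook_list *l) {   /* mirrors spa_hook_list_clean() */
    struct hook *next;
    for (struct hook *h = l->head; h; h = next) { next = h->next; hook_remove(h); }
    l->head = NULL;
}

/* Returns how many times a stale `removed` pointer fired during teardown.
 * fix = 0: no clearing, 1: the caller zeroes the hook first (the fix asked of kwin),
 * 2: the list clears it on append (the pipewire-side workaround). */
int teardown_spurious_calls(int fix) {
    struct hook_list list = { NULL };
    struct hook h;
    memset(&h, 0xA5, sizeof h);      /* constructed "reused memory" contents */
    h.removed = stale_callback;      /* callable stale pointer so the demo survives; in the report it was the inaccessible 0x215a38 */
    spurious_calls = 0;
    if (fix == 1) memset(&h, 0, sizeof h);
    if (fix == 2) append_clearing(&list, &h); else append_trusting(&list, &h);
    hook_list_clean(&list);
    return spurious_calls;
}
```

The journal line in the report, where the faulting ip equals the fault address and the Code bytes decode as ASCII text ("Allow clients to create and cont<r>ol remote devices"), is what such a stray indirect call looks like from the kernel's side: execution landed in a data string rather than in code.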
Comment 1 postix 2023-04-10 15:49:21 UTC
Hi! Have you seen this issue again and if so in some more recent version?
Comment 2 Matt Fagnani 2023-04-10 19:37:16 UTC
(In reply to postix from comment #1)
> Hi! Have you seen this issue again and if so in some more recent version?

I haven't seen this problem after the pipewire-0.3.16-2.fc33 update https://bodhi.fedoraproject.org/updates/FEDORA-2020-d7bb61dc59 with the workaround by Wim Taymans.