GNOME Bugzilla – Bug 631023
gvfsd-dnssd crashed with signal 7 in avahi_service_resolver_event()
Last modified: 2016-11-18 15:27:53 UTC
This report has been filed here: https://bugs.edge.launchpad.net/ubuntu/+source/gvfs/+bug/647236
+ Trace 223957
Thread 1 (process 13819)
This is still happening: https://bugzilla.redhat.com/show_bug.cgi?id=1282663 https://retrace.fedoraproject.org/faf/problems/?source_file_names=%25gvfsbackenddnssd.c
It looks like backend->files contains invalid LinkFile structs, but I have no idea how this happened. It would crash earlier if name/type were NULL. Concurrent access to backend->files is also not possible, because all functions should be executed on the daemon main loop...
Ah, I've finally figured out what is wrong. It is similar to Bug 712235. This happens when multiple mount operations are executed concurrently...
Created attachment 332348 [details] [review] dnssd: Fix crashes when mount failed
Pushed fix to master as commit 8398c16, gnome-3-20 as commit 6c1124d, and gnome-3-18 as commit 4fd1a8f.
I think this fix actually causes a use-after-free when avahi searches through the client's service resolvers in avahi_service_resolver_event, but I'm not quite sure how this is possible.
+ Trace 236731
Two gvfsd-dnssd instances with similar PIDs (3566, 3568) crashed at the same time with the same backtrace.
You are right, I see other crashes on the retrace server on versions including this fix :-/ It would be really nice to have a reproducer, because it seems I am not able to reproduce it with the latest fix. However, I see some other issues which might cause the crashes. I will attach patches for them soon...
Created attachment 337589 [details] [review] dnssd: Free client object on finalize
The client object is not freed even if there are no more backends. Free the client in order to avoid potential use-after-free crashes caused by some avahi client activity.
Created attachment 337590 [details] [review] dnssd: Use only one daemon process
The dnssd backend was designed to run under one common daemon process; however, a new daemon is currently always spawned for each host (i.e. backend). Set a common dbus mountpoint in order to use one daemon process for all backends.
Created attachment 337591 [details] [review] dnssd: Free resolvers also on client failure
Resolvers are not currently removed on client failure. It might potentially lead to some use-after-free crashes. Remove resolver objects also on client failures.
Created attachment 337592 [details] [review] dnssd: Free browser objects properly
Browser objects are not currently freed by the remove_browsers call; just the list is emptied. Free the browser objects for sure in order to avoid some use-after-free crashes.
I hope the attached patches fix the crashes and do not cause other ones; however, it would also be nice if somebody could test those patches before pushing...
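The lifetime problem behind the "Free browser objects properly" and "Free resolvers also on client failure" patches is a general one: an object that is registered with a long-lived client for callbacks must be unregistered and freed when its owner goes away, not merely dropped from the owner's list. The following is an added C model of that bug class, not code from gvfs or avahi; every name in it (client_t, browser_t, backend_t, remove_browsers_buggy, remove_browsers_fixed, dangling_callbacks) is constructed for the example, and the "freed" backend is kept in memory with a tombstone flag so the dangling callback is counted deterministically instead of being undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>

/*
 * Constructed model (not gvfs/avahi code): a backend creates browser objects
 * that are also registered with a long-lived client, which later dispatches
 * events to them. If the backend only empties its own list on finalize, the
 * client still holds the browsers and their callbacks run against a backend
 * that is already gone.
 */

#define MAX_OBJECTS 8

struct backend;

typedef struct browser {
    struct backend *backend;            /* user_data handed back to the callback */
} browser_t;

typedef struct client {
    browser_t *registered[MAX_OBJECTS]; /* objects the client will dispatch to */
    int count;
} client_t;

typedef struct backend {
    client_t *client;
    browser_t *browsers[MAX_OBJECTS];   /* the backend's own list */
    int nbrowsers;
    int finalized;                      /* tombstone: 1 after finalize */
} backend_t;

/* Client-side API standing in for a library's browser_new / browser_free. */
static browser_t *client_browser_new(client_t *client, backend_t *backend) {
    if (client->count >= MAX_OBJECTS) return NULL;
    browser_t *b = calloc(1, sizeof *b);
    if (!b) return NULL;
    b->backend = backend;
    client->registered[client->count++] = b;
    return b;
}

static void client_browser_free(client_t *client, browser_t *b) {
    for (int i = 0; i < client->count; i++) {
        if (client->registered[i] == b) {
            client->registered[i] = client->registered[--client->count];
            client->registered[client->count] = NULL;
            break;
        }
    }
    free(b);
}

/* The callback the client invokes; returns 1 if it ran on a dead backend. */
static int browser_event(browser_t *b) {
    return b->backend->finalized ? 1 : 0;
}

/* Dispatch an event to every registered browser; count dangling callbacks. */
static int client_dispatch(client_t *client) {
    int dangling = 0;
    for (int i = 0; i < client->count; i++)
        dangling += browser_event(client->registered[i]);
    return dangling;
}

static void backend_add_browser(backend_t *be) {
    browser_t *b = client_browser_new(be->client, be);
    if (b) be->browsers[be->nbrowsers++] = b;
}

/* Buggy: only the backend's list is emptied; the client keeps the objects. */
static void remove_browsers_buggy(backend_t *be) {
    be->nbrowsers = 0;
}

/* Fixed: each browser is unregistered from the client and freed. */
static void remove_browsers_fixed(backend_t *be) {
    for (int i = 0; i < be->nbrowsers; i++)
        client_browser_free(be->client, be->browsers[i]);
    be->nbrowsers = 0;
}

/* Runs the scenario; returns how many callbacks hit a finalized backend. */
int dangling_callbacks(int use_fix) {
    client_t client = {0};
    backend_t be = {0};
    be.client = &client;
    backend_add_browser(&be);
    backend_add_browser(&be);
    if (use_fix) remove_browsers_fixed(&be); else remove_browsers_buggy(&be);
    be.finalized = 1;                           /* backend goes away */
    int dangling = client_dispatch(&client);    /* later client activity */
    while (client.count > 0)                    /* reclaim anything leaked */
        client_browser_free(&client, client.registered[0]);
    return dangling;
}

int main(void) {
    printf("buggy remove_browsers: %d dangling callbacks\n", dangling_callbacks(0));
    printf("fixed remove_browsers: %d dangling callbacks\n", dangling_callbacks(1));
    return 0;
}
```

With two browsers registered, the buggy path reports two callbacks delivered to a finalized backend, the fixed path none. The same shape applies to resolvers left registered after a client failure: whichever side still holds the object will eventually call back into memory the owner has released.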
Created attachment 339601 [details] [review] dnssd: Use only one daemon process
The dnssd backend was designed to run under one common daemon process; however, a new daemon is currently always spawned for each host (i.e. backend). Set a common dbus mountpoint in order to use one daemon process for all backends.
Created attachment 340241 [details] [review] dnssd: Free client object on finalize
The client object is not freed even if there are no more backends. Free the client in order to avoid potential use-after-free crashes caused by some avahi client activity.
Attachment 337591 [details] pushed as 7368e48 - dnssd: Free resolvers also on client failure
Attachment 337592 [details] pushed as 9fcbd14 - dnssd: Free browser objects properly
Attachment 339601 [details] pushed as 28e06fb - dnssd: Use only one daemon process
Attachment 340241 [details] pushed as ccf7b91 - dnssd: Free client object on finalize
Pushed also for gnome-3-22.