GNOME Bugzilla – Bug 787893
Segfault when disconnecting from a vpn
Last modified: 2017-10-08 16:30:18 UTC
Using GNOME 3.26, g-c-c segfaults when disconnecting from a VPN; this has been reported on https://bugs.launchpad.net/ubuntu/+source/gnome-control-center/+bug/1718006
"#0 0x00007fe50b4232cc in g_type_check_instance (type_instance=type_instance@entry=0x56251af82340) at ../../../../gobject/gtype.c:4133
No locals.
+ Trace 237983
valgrind shows an invalid read:
==23236== Invalid read of size 8
==23236== at 0xC1BB099: g_type_instance_get_private (gtype.c:4715)
==23236== by 0x9C767CB: vpn_state_changed_proxy (nm-vpn-connection.c:110)
==23236== by 0x1D6BFE17: ffi_call_unix64 (in /usr/lib/x86_64-linux-gnu/libffi.so.6.0.4)
==23236== by 0x1D6BF879: ffi_call (in /usr/lib/x86_64-linux-gnu/libffi.so.6.0.4)
==23236== by 0xC194798: g_cclosure_marshal_generic (gclosure.c:1490)
==23236== by 0xC193F9C: g_closure_invoke (gclosure.c:804)
==23236== by 0xC1A6D2D: signal_emit_unlocked_R (gsignal.c:3635)
==23236== by 0xC1AEA6F: g_signal_emitv (gsignal.c:3129)
==23236== by 0x9CC647C: nmdbus_vpn_connection_proxy_g_signal (org.freedesktop.NetworkManager.VPN.Connection.c:662)
==23236== by 0x1D6BFE17: ffi_call_unix64 (in /usr/lib/x86_64-linux-gnu/libffi.so.6.0.4)
==23236== by 0x1D6BF879: ffi_call (in /usr/lib/x86_64-linux-gnu/libffi.so.6.0.4)
==23236== by 0xC194798: g_cclosure_marshal_generic (gclosure.c:1490)
==23236== by 0xC193F9C: g_closure_invoke (gclosure.c:804)
==23236== by 0xC1A67A7: signal_emit_unlocked_R (gsignal.c:3673)
==23236== by 0xC1AF504: g_signal_emit_valist (gsignal.c:3391)
==23236== by 0xC1B03F7: g_signal_emit_by_name (gsignal.c:3487)
==23236== by 0xBEC1EDC: signal_cb (gdbusobjectmanagerclient.c:1072)
==23236== by 0xBEA2693: emit_signal_instance_in_idle_cb (gdbusconnection.c:3720)
==23236== by 0xC422DD4: g_main_dispatch (gmain.c:3148)
==23236== by 0xC422DD4: g_main_context_dispatch (gmain.c:3813)
==23236== by 0xC42319F: g_main_context_iterate.isra.30 (gmain.c:3886)
==23236== by 0xC42322B: g_main_context_iteration (gmain.c:3947)
==23236== by 0xBE8AA6C: g_application_run (gapplication.c:2401)
==23236== by 0x15C391: main (in /tmp/gnome-control-center/shell/gnome-control-center)
==23236== Address 0x3573f200 is 272 bytes inside a block of size 304 free'd
==23236== at 0x4C2ED3B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==23236== by 0xC1B8B32: g_type_free_instance (gtype.c:1937)
==23236== by 0x9C57811: dispose (nm-client.c:2629)
==23236== by 0xC198D32: g_object_unref (gobject.c:3277)
==23236== by 0x27479C: cc_wifi_panel_finalize (in /tmp/gnome-control-center/shell/gnome-control-center)
==23236== by 0xC198DA1: g_object_unref (gobject.c:3314)
==23236== by 0xA530A6B: gtk_box_forall (gtkbox.c:2671)
==23236== by 0xA57BB6D: gtk_container_destroy (gtkcontainer.c:1700)
==23236== by 0xC193F9C: g_closure_invoke (gclosure.c:804)
==23236== by 0xC1A6EA1: signal_emit_unlocked_R (gsignal.c:3751)
==23236== by 0xC1AF504: g_signal_emit_valist (gsignal.c:3391)
==23236== by 0xC1AFF1E: g_signal_emit (gsignal.c:3447)
==23236== by 0xA79789B: gtk_widget_dispose (gtkwidget.c:12070)
==23236== by 0xC198D32: g_object_unref (gobject.c:3277)
==23236== by 0xA57A098: gtk_container_remove (gtkcontainer.c:1909)
==23236== by 0x165529: cc_window_set_active_panel_from_id (in /tmp/gnome-control-center/shell/gnome-control-center)
==23236== by 0x164BE2: show_panel_cb (in /tmp/gnome-control-center/shell/gnome-control-center)
==23236== by 0xC196B60: g_cclosure_marshal_VOID__STRINGv (gmarshal.c:1794)
==23236== by 0xC1941D5: _g_closure_invoke_va (gclosure.c:867)
==23236== by 0xC1AF7EE: g_signal_emit_valist (gsignal.c:3300)
==23236== by 0xC1AFF1E: g_signal_emit (gsignal.c:3447)
==23236== by 0x1633D8: row_activated_cb (in /tmp/gnome-control-center/shell/gnome-control-center)
==23236== by 0xC193F9C: g_closure_invoke (gclosure.c:804)
==23236== by 0xC1A6D2D: signal_emit_unlocked_R (gsignal.c:3635)
==23236== by 0xC1AF504: g_signal_emit_valist (gsignal.c:3391)
==23236== by 0xC1AFF1E: g_signal_emit (gsignal.c:3447)
==23236== by 0xA63B80F: gtk_list_box_select_and_activate_full (gtklistbox.c:1787)
==23236== by 0xA63B80F: gtk_list_box_multipress_gesture_released (gtklistbox.c:1987)
==23236== by 0x1D6BFE17: ffi_call_unix64 (in /usr/lib/x86_64-linux-gnu/libffi.so.6.0.4)
==23236== by 0x1D6BF879: ffi_call (in /usr/lib/x86_64-linux-gnu/libffi.so.6.0.4)
==23236== by 0xC194B8C: g_cclosure_marshal_generic_va (gclosure.c:1604)
==23236== Block was alloc'd at
==23236== at 0x4C2DB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==23236== by 0xC428538: g_malloc (gmem.c:94)
==23236== by 0xC440005: g_slice_alloc (gslice.c:1025)
==23236== by 0xC440498: g_slice_alloc0 (gslice.c:1051)
==23236== by 0xC1B8835: g_type_create_instance (gtype.c:1839)
==23236== by 0xC199357: g_object_new_internal (gobject.c:1781)
==23236== by 0xC19B4DF: g_object_new_valist (gobject.c:2104)
==23236== by 0xC19B858: g_object_new (gobject.c:1624)
==23236== by 0x9C57188: obj_nm_for_gdbus_object (nm-client.c:2182)
==23236== by 0x9C57A1D: objects_created (nm-client.c:2241)
==23236== by 0x9C57FFF: init_sync (nm-client.c:2368)
==23236== by 0xBE4B136: g_initable_new_valist (ginitable.c:248)
==23236== by 0xBE4B1E8: g_initable_new (ginitable.c:162)
==23236== by 0x274DEC: cc_wifi_panel_init (in /tmp/gnome-control-center/shell/gnome-control-center)
==23236== by 0xC1B87C4: g_type_create_instance (gtype.c:1866)
==23236== by 0xC199357: g_object_new_internal (gobject.c:1781)
==23236== by 0xC19B4DF: g_object_new_valist (gobject.c:2104)
==23236== by 0xC19B858: g_object_new (gobject.c:1624)
==23236== by 0x15FD93: cc_panel_loader_load_by_name (in /tmp/gnome-control-center/shell/gnome-control-center)
==23236== by 0x1646C1: activate_panel (in /tmp/gnome-control-center/shell/gnome-control-center)
==23236== by 0x1654C0: cc_window_set_active_panel_from_id (in /tmp/gnome-control-center/shell/gnome-control-center)
==23236== by 0x164BE2: show_panel_cb (in /tmp/gnome-control-center/shell/gnome-control-center)
==23236== by 0xC196B60: g_cclosure_marshal_VOID__STRINGv (gmarshal.c:1794)
==23236== by 0xC1941D5: _g_closure_invoke_va (gclosure.c:867)
==23236== by 0xC1AF7EE: g_signal_emit_valist (gsignal.c:3300)
==23236== by 0xC1AFF1E: g_signal_emit (gsignal.c:3447)
==23236== by 0x1633D8: row_activated_cb (in /tmp/gnome-control-center/shell/gnome-control-center)
==23236== by 0xC193F9C: g_closure_invoke (gclosure.c:804)
==23236== by 0xC1A6D2D: signal_emit_unlocked_R (gsignal.c:3635)
==23236== by 0xC1AF504: g_signal_emit_valist (gsignal.c:3391)
Moving to NetworkManager product.
Created attachment 360129 [details] [review]
remote-connection: disconnect signal handler when disposed

When using GNOME Settings 3.26, it was systematically crashing every time a VPN connection changed its state. After some digging, a debug message was put on dispose, and this issue was found:

libnm-Message: Object 0x55555633c070 disposed
libnm-Message: Object 0x55555633c730 disposed
libnm-Message: Object 0x55555633eae0 disposed
libnm-Message: Object 0x555556340a80 disposed

Thread 1 "gnome-control-c" received signal SIGSEGV, Segmentation fault.
g_type_check_instance_cast (type_instance=type_instance@entry=0x55555633c070, iface_type=93825006537856) at /.../glib/gobject/gtype.c:4057
4057 node = lookup_type_node_I (type_instance->g_class->g_type);
(gdb) bt

So apparently, NetworkManager is calling a callback over a disposed (and most certainly finalized) object, which leads to a crash in GNOME Settings. Fix this issue by disconnecting the signal handler when the object is disposed.
The patch resolves that issue; bug #787897 is a similar segfault but is still there even with that patch, so there might be another similar issue remaining after this one.
Review of attachment 360129 [details] [review]:

::: libnm/nm-remote-connection.c @@ +781,3 @@ + priv->update_signal_handler_id = 0; + } +

Please use:
nm_clear_g_signal_handler (priv->proxy, &priv->update_signal_handler_id);
Or maybe, get rid of priv->update_signal_handler_id and just call:
if (priv->proxy) g_signal_handlers_disconnect_by_func (priv->proxy, updated_cb, object)
?
Otherwise, LGTM thanks!
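Review bot: in the nm-remote-connection.c hunk at line 781, resetting priv->update_signal_handler_id to 0 after the (unshown) disconnect is what keeps dispose() safe to run a second time, which GObject permits, so the zeroing must stay whichever form is chosen; nm_clear_g_signal_handler (priv->proxy, &priv->update_signal_handler_id) as suggested above folds the non-zero check, the disconnect and the zeroing into one call and is the less error-prone spelling. If the g_signal_handlers_disconnect_by_func() alternative is taken instead, keep the `if (priv->proxy)` guard exactly as written in the suggestion, since a NULL proxy must not be passed to it.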
Created attachment 360252 [details] [review]
{vpn,remote}-connection: disconnect signal handlers when disposed

GNOME Settings 3.26 is crashing every time a VPN connection changes its state. After some digging, a debug message was put on dispose, and this issue was found:

libnm-Message: Object 0x55555633c070 disposed
libnm-Message: Object 0x55555633c730 disposed
libnm-Message: Object 0x55555633eae0 disposed
libnm-Message: Object 0x555556340a80 disposed

Thread 1 "gnome-control-c" received signal SIGSEGV, Segmentation fault.
g_type_check_instance_cast (type_instance=type_instance@entry=0x55555633c070, iface_type=93825006537856) at /.../glib/gobject/gtype.c:4057
4057 node = lookup_type_node_I (type_instance->g_class->g_type);
(gdb) bt

NetworkManager is calling callbacks on disposed objects, which leads to crashes in clients (e.g. GNOME Settings). Fix this issue by disconnecting signal handlers when the objects are disposed.

Patch originally by Georges Basile Stavracas Neto <georges.stavracas@gmail.com>
(In reply to Iain Lane from comment #6)
> Created attachment 360252 [details] [review] [review]
> {vpn,remote}-connection: disconnect signal handlers when disposed

Applied to master: https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=b18896f77048399e7a8b6ddd4fa0961e603836fa and nm-1-8, thanks.
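The lifetime bug behind this report and the shape of the fix, as an added plain-C model that is not NetworkManager or GLib code. The valgrind trace shows the pattern: the NMVpnConnection object is freed when the wifi panel drops its NMClient, but the D-Bus proxy it had subscribed to lives on (it is owned by the object manager) and still holds the callback and user_data pointer, so the next VPN state-change signal calls vpn_state_changed_proxy() with a dangling pointer. In the model below, Proxy stands in for that long-lived GDBus proxy, VpnConnection for NMVpnConnection, and clear_signal_handler() for nm_clear_g_signal_handler(); the handler table, type names and state values (5, 6) are assumptions made for the example, and the signal machinery is hand-rolled so it builds without GLib and is not the real GObject API:

```c
/* Added example, not NetworkManager or GLib code: plain-C model of the bug
 * fixed above.  Proxy stands in for the long-lived GDBus proxy, VpnConnection
 * for NMVpnConnection, clear_signal_handler() for nm_clear_g_signal_handler(). */
#include <assert.h>
#include <stdbool.h>
#include <stdlib.h>
#define MAX_HANDLERS 8
typedef void (*StateChangedCb)(unsigned new_state, void *user_data);
typedef struct {
    unsigned long  id;          /* 0 = slot free */
    StateChangedCb cb;
    void          *user_data;   /* not owned: dangles if its owner dies first */
} Handler;
typedef struct { Handler handlers[MAX_HANDLERS]; unsigned long next_id; } Proxy;

static unsigned long proxy_connect(Proxy *p, StateChangedCb cb, void *user_data) {
    for (int i = 0; i < MAX_HANDLERS; i++)
        if (p->handlers[i].id == 0) {
            p->handlers[i] = (Handler){ p->next_id++, cb, user_data };
            return p->handlers[i].id;
        }
    abort();                    /* table full: not reachable in this example */
}

static bool proxy_disconnect(Proxy *p, unsigned long id) {
    for (int i = 0; i < MAX_HANDLERS; i++)
        if (id != 0 && p->handlers[i].id == id) {
            p->handlers[i] = (Handler){ 0 };
            return true;
        }
    return false;
}

static int proxy_handler_count(const Proxy *p) {
    int n = 0;
    for (int i = 0; i < MAX_HANDLERS; i++) n += p->handlers[i].id != 0;
    return n;
}

/* Delivers to every registered (cb, user_data) pair: the role played by
 * nmdbus_vpn_connection_proxy_g_signal() in the valgrind trace above. */
static void proxy_emit_state_changed(Proxy *p, unsigned new_state) {
    for (int i = 0; i < MAX_HANDLERS; i++)
        if (p->handlers[i].id) p->handlers[i].cb(new_state, p->handlers[i].user_data);
}

typedef struct {
    Proxy        *proxy;
    unsigned long state_handler_id;
    unsigned      last_state, emissions_seen;
} VpnConnection;

static void vpn_state_changed_cb(unsigned new_state, void *user_data) {
    VpnConnection *self = user_data; /* freed memory if dispose skipped the disconnect */
    self->last_state = new_state;
    self->emissions_seen++;
}

static VpnConnection *vpn_connection_new(Proxy *proxy) {
    VpnConnection *self = calloc(1, sizeof *self);
    self->proxy = proxy;
    self->state_handler_id = proxy_connect(proxy, vpn_state_changed_cb, self);
    return self;
}

/* Disconnect if connected, zero the id, report whether anything was
 * disconnected.  Safe to call repeatedly, which dispose() needs. */
static bool clear_signal_handler(Proxy *proxy, unsigned long *id) {
    bool was_connected = proxy_disconnect(proxy, *id);
    *id = 0;
    return was_connected;
}

/* Before the patch: the memory goes away, the proxy's pointer to it does not. */
static void vpn_connection_dispose_buggy(VpnConnection *self) { free(self); }
/* After the patch: disconnect in dispose (idempotent), release in finalize. */
static bool vpn_connection_dispose_fixed(VpnConnection *self) {
    return clear_signal_handler(self->proxy, &self->state_handler_id);
}
static void vpn_connection_finalize(VpnConnection *self) { free(self); }

/* Handlers still registered after the buggy teardown; each one is a dangling
 * user_data.  No emit here on purpose: that would be the use-after-free. */
static int dangling_handlers_without_fix(void) {
    Proxy proxy = { .next_id = 1 };
    vpn_connection_dispose_buggy(vpn_connection_new(&proxy));
    return proxy_handler_count(&proxy);
}

/* Same sequence with the fix: a second dispose() is a no-op and an emission
 * after teardown reaches nobody. */
static int dangling_handlers_with_fix(void) {
    Proxy proxy = { .next_id = 1 };
    VpnConnection *conn = vpn_connection_new(&proxy);
    proxy_emit_state_changed(&proxy, 5);
    assert(conn->emissions_seen == 1 && conn->last_state == 5);
    bool first = vpn_connection_dispose_fixed(conn);
    bool again = vpn_connection_dispose_fixed(conn);
    assert(first && !again && conn->state_handler_id == 0);
    vpn_connection_finalize(conn);
    proxy_emit_state_changed(&proxy, 6);
    return proxy_handler_count(&proxy);
}

int main(void) {
    return dangling_handlers_without_fix() == 1 && dangling_handlers_with_fix() == 0 ? 0 : 1;
}
```

The buggy path deliberately stops at counting the stale table entry rather than emitting, because emitting is the crash itself; under valgrind or ASan that emission is what produced the "Invalid read ... inside a block ... free'd" report above. The fixed path shows the two properties the review asked for: the id is zeroed so a repeated dispose() is a no-op, and once the handler is gone an emission after teardown cannot reach the dead object.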
*** Bug 788306 has been marked as a duplicate of this bug. ***
*** Bug 788648 has been marked as a duplicate of this bug. ***