Details
- Bug
- Resolution: Incomplete
- Not Evaluated
- None
- 5.9
- None
Description
We are seeing a double free crash/abort in the Connman bearer plugin with the quite ancient Qt 5.9, but the underlying issue seems to still be present in the current code. A QStringList member is written and read concurrently without locking.
Here are the stack trace fragments of the offending threads, with explanatory descriptions:
Background thread (Thread 10 (LWP 695)) handling a connman dbus event: QConnmanManagerInterface::onServicesChanged modifies the "servicesList" member without locking.

#4  0xb61e932c in QBasicMutex::lock (this=<optimized out>) at /usr/src/debug/qtbase/5.9.3/git/src/corelib/thread/qmutex.h:73
#5  QRecursiveMutexPrivate::lock (timeout=-1, this=0xa5f40) at /usr/src/debug/qtbase/5.9.3/git/src/corelib/thread/qmutex.cpp:708
#6  QMutex::lock (this=this@entry=0xadacc) at /usr/src/debug/qtbase/5.9.3/git/src/corelib/thread/qmutex.cpp:227
#7  0xb3b1943c in QMutexLocker::QMutexLocker (m=<optimized out>, this=<synthetic pointer>) at /usr/src/debug/qtbase/5.9.3/git/src/corelib/thread/qmutex.h:200
#8  QConnmanEngine::updateServices (this=0xadab8, changed=..., removed=...) at /usr/src/debug/qtbase/5.9.3/git/src/plugins/bearer/connman/qconnmanengine.cpp:218
#9  0xb3b21a60 in QConnmanEngine::qt_static_metacall (_o=<optimized out>, _c=<optimized out>, _id=<optimized out>, _a=<optimized out>) at /usr/src/debug/qtbase/5.9.3/build/src/plugins/bearer/connman/.moc/moc_qconnmanengine.cpp:119
#10 0xb63ee964 in QMetaObject::activate (sender=0xb4334614, sender@entry=0x876f0, signalOffset=<optimized out>, local_signal_index=local_signal_index@entry=3, argv=argv@entry=0xb433460c) at /usr/src/debug/qtbase/5.9.3/git/src/corelib/kernel/qobject.cpp:3766
#11 0xb63ef0b4 in QMetaObject::activate (sender=sender@entry=0x876f0, m=<optimized out>, local_signal_index=local_signal_index@entry=3, argv=argv@entry=0xb433460c) at /usr/src/debug/qtbase/5.9.3/git/src/corelib/kernel/qobject.cpp:3628
#12 0xb3b1e4c8 in QConnmanManagerInterface::servicesChanged (this=this@entry=0x876f0, _t1=..., _t2=...) at /usr/src/debug/qtbase/5.9.3/build/src/plugins/bearer/connman/.moc/moc_qconnmanservice_linux_p.cpp:317
#13 0xb3afef80 in QConnmanManagerInterface::onServicesChanged (this=0x876f0, changed=..., removed=...) at /usr/src/debug/qtbase/5.9.3/git/src/plugins/bearer/connman/qconnmanservice_linux.cpp:188

UI Thread (Thread 1 (LWP 533)) triggering a network request: QConnmanEngine::defaultConfiguration() copies QConnmanManagerInterface::servicesList by calling the non-thread-safe QConnmanManagerInterface::getServices().

#3  0xb4f242fc in malloc_printerr (action=<optimized out>, str=0xb4fd454c "double free or corruption (fasttop)", ptr=<optimized out>, ar_ptr=<optimized out>) at /usr/src/debug/glibc/2.24-r0/git/malloc/malloc.c:5046
#4  0xb4f24c9c in _int_free (av=0xb3100010, p=0xb3198508, have_lock=<optimized out>) at /usr/src/debug/glibc/2.24-r0/git/malloc/malloc.c:3902
#5  0xb3b0632c in QList<QString>::~QList (this=0xbed495a4, __in_chrg=<optimized out>) at /usr/src/debug/qtbase/5.9.3/git/src/corelib/tools/qlist.h:827
#6  0xb3b13e6c in QStringList::~QStringList (this=0xbed495a4, __in_chrg=<optimized out>) at /usr/src/debug/qtbase/5.9.3/git/src/corelib/tools/qstringlist.h:101
#7  QConnmanEngine::defaultConfiguration (this=0xadab8) at /usr/src/debug/qtbase/5.9.3/git/src/plugins/bearer/connman/qconnmanengine.cpp:331
#8  0xb532f870 in QNetworkConfigurationManagerPrivate::defaultConfiguration (this=0x87620) at /usr/src/debug/qtbase/5.9.3/git/src/network/bearer/qnetworkconfigmanager_p.cpp:104
#9  0xb532a8a0 in QNetworkConfigurationManager::defaultConfiguration (this=this@entry=0xbed496a0) at /usr/src/debug/qtbase/5.9.3/git/src/network/bearer/qnetworkconfigmanager.cpp:275
#10 0xb52c694c in QNetworkAccessManager::createRequest (this=this@entry=0xa2e20, op=<optimized out>, op@entry=QNetworkAccessManager::PostOperation, originalReq=..., outgoingData=0x5b, outgoingData@entry=0xd3050) at /usr/src/debug/qtbase/5.9.3/git/src/network/access/qnetworkaccessmanager.cpp:1348
Proposed fix incoming shortly.
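The race the report describes, reduced to an added standard C++ example that is not Qt's code and not the reporter's proposed fix: a background "signal handler" replaces a service list while another thread copies it. The hypothetical `UnsafeRegistry` mirrors the reported pattern (writer without a lock, reader copying without a lock); `SafeRegistry` shows the mitigation, where the mutation and the copy share one mutex and the reader only ever works on a snapshot. `std::vector<std::string>` stands in for `QStringList`, and the service names are constructed sample values.

```cpp
// Added example (not Qt's code). Reproduces the locking pattern from the
// report with the standard library; class and function names are hypothetical.
#include <atomic>
#include <mutex>
#include <string>
#include <thread>
#include <vector>

// Pattern as reported: the writer (D-Bus signal handler on a background thread)
// replaces the list with no lock, while the reader (UI thread) copies it.
// Copying a container while another thread reassigns it is a data race and
// undefined behaviour; with Qt's implicitly shared QStringList the copy and
// the reassignment fight over the shared reference count, which is how the
// reported double free arises. Shown for comparison only; not driven below.
struct UnsafeRegistry {
    std::vector<std::string> services;

    void onServicesChanged(const std::vector<std::string>& changed) {
        services = changed;                   // mutation without a lock
    }
    std::vector<std::string> getServices() const {
        return services;                      // unguarded copy
    }
};

// Hardened form: the mutation and the copy take the same mutex. The lock is
// held only for the copy, never across application logic, so the reader keeps
// a consistent snapshot and the writer is never blocked for long.
class SafeRegistry {
public:
    void onServicesChanged(const std::vector<std::string>& changed) {
        std::lock_guard<std::mutex> lock(mutex_);
        services_ = changed;
    }
    std::vector<std::string> getServices() const {
        std::lock_guard<std::mutex> lock(mutex_);
        return services_;                     // copy made under the lock
    }
private:
    mutable std::mutex mutex_;                // mutable: locked from const getter
    std::vector<std::string> services_;
};

// Drives SafeRegistry with a background writer that keeps flipping the list
// between two constructed service sets, while this thread copies it `reads`
// times, as the UI thread does once per network request. Returns how many
// snapshots were internally consistent (empty, set A, or set B, never a mix).
int stressSafeRegistry(int reads) {
    SafeRegistry registry;
    std::atomic<bool> stop{false};
    const std::vector<std::string> setA{"wifi_home", "wifi_guest"};   // constructed
    const std::vector<std::string> setB{"ethernet_1"};                // constructed

    std::thread writer([&] {
        bool flip = false;
        int writes = 0;                       // bounded so the loop always ends
        while (!stop.load() && writes < 1000000) {
            registry.onServicesChanged(flip ? setA : setB);
            flip = !flip;
            ++writes;
        }
    });

    int consistent = 0;
    for (int i = 0; i < reads; ++i) {
        std::vector<std::string> snapshot = registry.getServices();
        if (snapshot.empty() || snapshot == setA || snapshot == setB) {
            ++consistent;
        }
    }
    stop.store(true);
    writer.join();
    return consistent;
}

int main() {
    const int reads = 100000;
    return stressSafeRegistry(reads) == reads ? 0 : 1;
}
```

Only `SafeRegistry` is exercised by the threads; the point of keeping `UnsafeRegistry` beside it is that the two differ only in the lock, which is the whole fix. Note that locking the writer alone (as `QConnmanEngine::updateServices` does in the trace) is not enough: the copy in the reader must take the same mutex, because an implicitly shared copy touches the container's internals just as a write does.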