Bug #6321
Crash on Fedora 39
Status:
Invalid
Priority:
Normal
Assignee:
-
Category:
Crashes
Target version:
-
Start date:
2024-01-10
Due date:
% Done:
0%
Estimated time:
Found in version:
4.3^20230408gitf32c7c5-3.fc39
Affected Versions:
Description
Crash log attached.
Fedora 39 home PVR server. Freshly built today.
Last line of the attached log:
Jan 10 20:40:21 server.host abrt-notification[12400]: Process 2951 (tvheadend) crashed in pvr_generate_filename()
Files
History
Updated by Chuck Bonesteel 11 months ago
Updated by For repro - nothing specific. Tvheadend was running for 7.5 hours and then crashed.
Updated by Chuck Bonesteel 11 months ago
(gdb) bt #0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44 #1 0x00007f77d7eae8a3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78 #2 0x00007f77d7e5c8ee in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26 #3 0x00007f77d7e4498f in __GI_abort () at abort.c:100 #4 0x00007f77d7e457d0 in __libc_message (fmt=fmt@entry=0x7f77d7fc2309 "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:150 #5 0x00007f77d7f41d19 in __GI___fortify_fail (msg=msg@entry=0x7f77d7fc22f0 "buffer overflow detected") at fortify_fail.c:24 #6 0x00007f77d7f416d4 in __GI___chk_fail () at chk_fail.c:28 #7 0x00007f77d7f42eb5 in ___snprintf_chk (s=s@entry=0x7f77baa5fbb4 "", maxlen=maxlen@entry=4093, flag=flag@entry=2, slen=slen@entry=4061, format=format@entry=0x55c5504315e4 "/%s") at snprintf_chk.c:29 #8 0x000055c5502a1c6a in snprintf (__fmt=0x55c5504315e4 "/%s", __n=<optimized out>, __s=<optimized out>) at /usr/include/bits/stdio2.h:54 #9 pvr_generate_filename (de=de@entry=0x55c5519ac200, ss=ss@entry=0x55c55229cc00) at src/dvr/dvr_rec.c:1091 #10 0x000055c5502a4e2c in dvr_rec_start (ss=0x55c55229cc00, de=<optimized out>) at src/dvr/dvr_rec.c:1314 #11 dvr_thread_rec_start (_de=_de@entry=0x7f77baa60e00, ss=ss@entry=0x55c55229cc00, run=run@entry=0x7f77baa60df8, started=started@entry=0x7f77baa60dfc, dts_offset=dts_offset@entry=0x7f77baa60e08, postproc=postproc@entry=0x0) at src/dvr/dvr_rec.c:1566 #12 0x000055c5502a5dd8 in dvr_thread (aux=<optimized out>) at src/dvr/dvr_rec.c:1808 #13 0x000055c5502069f8 in thread_wrapper (p=0x55c552296c80) at src/tvh_thread.c:91 #14 0x00007f77d7eac897 in start_thread (arg=<optimized out>) at pthread_create.c:444 #15 0x00007f77d7f336fc in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78 (gdb)
Updated by Chuck Bonesteel 11 months ago
(gdb) f 9 #9 pvr_generate_filename (de=de@entry=0x55c5519ac200, ss=ss@entry=0x55c55229cc00) at src/dvr/dvr_rec.c:1091 1091 snprintf(path + l + j, sizeof(path) - l + j, "/%s", filename); (gdb) p de->de_config $1 = (dvr_config_t *) 0x55c5517a73d0 (gdb) p de->de_config->dvr_storage $2 = 0x55c55178d1a0 "/mnt/stor/tvheadend" (gdb) p path $3 = "/mnt/stor/tvheadend/Australian Story\000n.$x", '\000' <repeats 4055 times> (gdb) p l $4 = 20 (gdb) p j $5 = <optimized out> (gdb) p filename $6 = "Australian Story$n.$x", '\000' <repeats 4074 times> (gdb)
Updated by
Updated by Chuck Bonesteel 11 months ago
(sorry for spam - I'm new to this)
(gdb) bt full
#0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
tid = <optimized out>
ret = 0
pd = <optimized out>
old_mask = {__val = {0}}
ret = <optimized out>
#1 0x00007f77d7eae8a3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
No locals.
#2 0x00007f77d7e5c8ee in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
ret = <optimized out>
#3 0x00007f77d7e4498f in __GI_abort () at abort.c:100
act = {__sigaction_handler = {sa_handler = 0x0, sa_sigaction = 0x0}, sa_mask = {__val = {18446744073709551615, 0 <repeats 15 times>}}, sa_flags = 0, sa_restorer = 0x0}
#4 0x00007f77d7e457d0 in __libc_message (fmt=fmt@entry=0x7f77d7fc2309 "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:150
ap = {{gp_offset = 16, fp_offset = 32631, overflow_arg_area = 0x7f77baa5c940, reg_save_area = 0x7f77baa5c8d0}}
fd = 2
list = <optimized out>
nlist = <optimized out>
cp = <optimized out>
#5 0x00007f77d7f41d19 in __GI___fortify_fail (msg=msg@entry=0x7f77d7fc22f0 "buffer overflow detected") at fortify_fail.c:24
No locals.
#6 0x00007f77d7f416d4 in __GI___chk_fail () at chk_fail.c:28
No locals.
#7 0x00007f77d7f42eb5 in ___snprintf_chk (s=s@entry=0x7f77baa5fbb4 "", maxlen=maxlen@entry=4093, flag=flag@entry=2, slen=slen@entry=4061, format=format@entry=0x55c5504315e4 "/%s") at snprintf_chk.c:29
mode = <optimized out>
ap = {{gp_offset = 48, fp_offset = 48, overflow_arg_area = 0x7f77baa5ca40, reg_save_area = 0x7f77baa5c980}}
ret = <optimized out>
#8 0x000055c5502a1c6a in snprintf (__fmt=0x55c5504315e4 "/%s", __n=<optimized out>, __s=<optimized out>) at /usr/include/bits/stdio2.h:54
No locals.
#9 pvr_generate_filename (de=de@entry=0x55c5519ac200, ss=ss@entry=0x55c55229cc00) at src/dvr/dvr_rec.c:1091
filename = "Australian Story$n.$x", '\000' <repeats 4074 times>
path = "/mnt/stor/tvheadend/Australian Story\000n.$x", '\000' <repeats 4055 times>
ptmp = "Australian Story", '\000' <repeats 4079 times>
number = '\000' <repeats 15 times>
tmp = "Australian Story", '\000' <repeats 4079 times>
lastpath = 0x0
tally = 0
st = {st_dev = 0, st_ino = 0, st_nlink = 0, st_mode = 0, st_uid = 0, st_gid = 0, __pad0 = 0, st_rdev = 0, st_size = 0, st_blksize = 0, st_blocks = 0, st_atim = {tv_sec = 0, tv_nsec = 0}, st_mtim = {tv_sec = 0, tv_nsec = 0}, st_ctim = {tv_sec = 0, tv_nsec = 0}, __glibc_reserved = {0, 0, 0}}
s = <optimized out>
x = <optimized out>
fmtstr = <optimized out>
dirsep = <optimized out>
tm = {tm_sec = 0, tm_min = 30, tm_hour = 20, tm_mday = 10, tm_mon = 0, tm_year = 124, tm_wday = 3, tm_yday = 9, tm_isdst = 1, tm_gmtoff = 39600, tm_zone = 0x55c5516e95f0 "AEDT"}
cfg = 0x55c5517a73d0
m = <optimized out>
l = 20
j = <optimized out>
k = <optimized out>
max = <optimized out>
dir_dosubs = 0
__PRETTY_FUNCTION__ = "pvr_generate_filename"
#10 0x000055c5502a4e2c in dvr_rec_start (ss=0x55c55229cc00, de=<optimized out>) at src/dvr/dvr_rec.c:1314
e = <optimized out>
muxer = <optimized out>
i = <optimized out>
asp = "\232Q\305U\000\0000\r\246\272w\177\000"
ch = "\177\000\000F\251)P"
f = <optimized out>
st = {st_dev = 2431, st_ino = 95158273, st_nlink = 21, st_mode = 16877, st_uid = 985, st_gid = 39, __pad0 = 0, st_rdev = 0, st_size = 28672, st_blksize = 4096, st_blocks = 64, st_atim = {tv_sec = 1704852464, tv_nsec = 929534359}, st_mtim = {tv_sec = 1704550207, tv_nsec = 647315986}, st_ctim = {
tv_sec = 1704852447, tv_nsec = 946314019}, __glibc_reserved = {0, 0, 0}}
si = 0x55c55229cc08
ssc = <optimized out>
info = <optimized out>
ss_copy = <optimized out>
res = "\305U\000\00068543196", <incomplete sequence \302>
sr = "\0000\r\246\272w"
cfg = 0x55c5517a73d0
prch = 0x55c5517a2c40
si = <optimized out>
ss_copy = <optimized out>
ssc = <optimized out>
res = <optimized out>
asp = <optimized out>
sr = <optimized out>
ch = <optimized out>
cfg = <optimized out>
prch = <optimized out>
info = <optimized out>
e = <optimized out>
f = <optimized out>
muxer = <optimized out>
st = <optimized out>
i = <optimized out>
_err = <optimized out>
#11 dvr_thread_rec_start (_de=_de@entry=0x7f77baa60e00, ss=ss@entry=0x55c55229cc00, run=run@entry=0x7f77baa60df8, started=started@entry=0x7f77baa60dfc, dts_offset=dts_offset@entry=0x7f77baa60e08, postproc=postproc@entry=0x0) at src/dvr/dvr_rec.c:1566
code = <optimized out>
de = <optimized out>
prch = <optimized out>
ret = 0
#12 0x000055c5502a5dd8 in dvr_thread (aux=<optimized out>) at src/dvr/dvr_rec.c:1808
de = 0x55c5519ac200
prch = <optimized out>
sq = <optimized out>
backlog = {tqh_first = 0x0, tqh_last = 0x7f77baa60e10}
sm = <optimized out>
sm2 = <optimized out>
pkt = <optimized out>
pkt2 = <optimized out>
pkt3 = <optimized out>
ss = <optimized out>
run = 1
started = 0
muxing = <optimized out>
comm_skip = <optimized out>
rs = 5
epg_running = <optimized out>
old_epg_running = <optimized out>
epg_pause = <optimized out>
commercial = <optimized out>
running_disabled = <optimized out>
packets = <optimized out>
dts_offset = -9223372036854775808
now = <optimized out>
real_start = <optimized out>
start_time = <optimized out>
running_start = <optimized out>
running_stop = <optimized out>
postproc = <optimized out>
ubuf = '\377' <repeats 33 times>
#13 0x000055c5502069f8 in thread_wrapper (p=0x55c552296c80) at src/tvh_thread.c:91
ts = <optimized out>
set = {__val = {16388, 0, 0, 0, 0, 18446744073709550232, 0, 140152433411184, 140152209280784, 140152700392414, 0, 140152433411200, 140152209286848, 140152433411200, 140152433411840, 140152433411840}}
r = <optimized out>
#14 0x00007f77d7eac897 in start_thread (arg=<optimized out>) at pthread_create.c:444
ret = <optimized out>
pd = <optimized out>
out = <optimized out>
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140152700323232, -2340501643117535906, 140152209286848, -1384, 2, 140722946798512, -2340501643138507426, -2340740690510815906}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
not_first_call = <optimized out>
#15 0x00007f77d7f336fc in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
No locals.
(gdb)
Updated by Chuck Bonesteel 11 months ago
saen acro wrote:
Is this a mounted storage, and how is mounted?
Yes:
/dev/md127 on /mnt/stor type ext4 (rw,relatime,seclabel)
Updated by Chuck Bonesteel 11 months ago
saen acro wrote:
Who build that package it's modified somehow.
This is my command:
gdb /usr/bin/tvheadend ~/coredump
[user@server tvheadend]$ rpm --verify tvheadend-4.3^20230408gitf32c7c5-3.fc39.x86_64 [user@server tvheadend]$ echo $? 0 [user@server tvheadend]$ rpm -qf /usr/bin/tvheadend tvheadend-4.3^20230408gitf32c7c5-3.fc39.x86_64 [user@server tvheadend]$
Maybe I messed something up. I am jumping around a bit to understand the stack trace... 
Updated by Chuck Bonesteel 11 months ago
saen acro wrote:
add some extra
[...]
or in fstab
[...]
ACLs are root cause? I used same mounted storage for ~2 years with tvheadend + Fedora 37 zero issues. No problem for me to change mount flags I just like to understand reasoning.
Updated by Flole Systems 11 months ago
Updated by ACLs as a source of a buffer overflow in some string function? Seriously? Sometimes it's better to leave a question/bug report unanswered instead of causing confusion....
Updated by Chuck Bonesteel 11 months ago
Looks like this is already fixed/known:
https://tvheadend.org/issues/6272
https://github.com/tvheadend/tvheadend/commit/003fd92707531bdf7ad1753ab028db8748ac5ab8
Fedora 39 build is based on f32c7c59a, which doesn't contain the fix?
snprintf(path + l + j, sizeof(path) - l + j, "/%s", filename);
Updated by Chuck Bonesteel 11 months ago
Bug submitted to RPMFusion.