Bug #6321
Crash on Fedora 39
0%
Description
Crash log attached.
Fedora 39 home PVR server. Freshly built today.
Last line of the attached log:
Jan 10 20:40:21 server.host abrt-notification[12400]: Process 2951 (tvheadend) crashed in pvr_generate_filename()
Files
History
Updated by Chuck Bonesteel 12 months ago
For repro - nothing specific. Tvheadend was running for 7.5 hours and then crashed.
Updated by Chuck Bonesteel 12 months ago
(gdb) bt #0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44 #1 0x00007f77d7eae8a3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78 #2 0x00007f77d7e5c8ee in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26 #3 0x00007f77d7e4498f in __GI_abort () at abort.c:100 #4 0x00007f77d7e457d0 in __libc_message (fmt=fmt@entry=0x7f77d7fc2309 "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:150 #5 0x00007f77d7f41d19 in __GI___fortify_fail (msg=msg@entry=0x7f77d7fc22f0 "buffer overflow detected") at fortify_fail.c:24 #6 0x00007f77d7f416d4 in __GI___chk_fail () at chk_fail.c:28 #7 0x00007f77d7f42eb5 in ___snprintf_chk (s=s@entry=0x7f77baa5fbb4 "", maxlen=maxlen@entry=4093, flag=flag@entry=2, slen=slen@entry=4061, format=format@entry=0x55c5504315e4 "/%s") at snprintf_chk.c:29 #8 0x000055c5502a1c6a in snprintf (__fmt=0x55c5504315e4 "/%s", __n=<optimized out>, __s=<optimized out>) at /usr/include/bits/stdio2.h:54 #9 pvr_generate_filename (de=de@entry=0x55c5519ac200, ss=ss@entry=0x55c55229cc00) at src/dvr/dvr_rec.c:1091 #10 0x000055c5502a4e2c in dvr_rec_start (ss=0x55c55229cc00, de=<optimized out>) at src/dvr/dvr_rec.c:1314 #11 dvr_thread_rec_start (_de=_de@entry=0x7f77baa60e00, ss=ss@entry=0x55c55229cc00, run=run@entry=0x7f77baa60df8, started=started@entry=0x7f77baa60dfc, dts_offset=dts_offset@entry=0x7f77baa60e08, postproc=postproc@entry=0x0) at src/dvr/dvr_rec.c:1566 #12 0x000055c5502a5dd8 in dvr_thread (aux=<optimized out>) at src/dvr/dvr_rec.c:1808 #13 0x000055c5502069f8 in thread_wrapper (p=0x55c552296c80) at src/tvh_thread.c:91 #14 0x00007f77d7eac897 in start_thread (arg=<optimized out>) at pthread_create.c:444 #15 0x00007f77d7f336fc in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78 (gdb)
Updated by Chuck Bonesteel 12 months ago
(gdb) f 9 #9 pvr_generate_filename (de=de@entry=0x55c5519ac200, ss=ss@entry=0x55c55229cc00) at src/dvr/dvr_rec.c:1091 1091 snprintf(path + l + j, sizeof(path) - l + j, "/%s", filename); (gdb) p de->de_config $1 = (dvr_config_t *) 0x55c5517a73d0 (gdb) p de->de_config->dvr_storage $2 = 0x55c55178d1a0 "/mnt/stor/tvheadend" (gdb) p path $3 = "/mnt/stor/tvheadend/Australian Story\000n.$x", '\000' <repeats 4055 times> (gdb) p l $4 = 20 (gdb) p j $5 = <optimized out> (gdb) p filename $6 = "Australian Story$n.$x", '\000' <repeats 4074 times> (gdb)
Updated by Chuck Bonesteel 12 months ago
(sorry for spam - I'm new to this)
(gdb) bt full #0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44 tid = <optimized out> ret = 0 pd = <optimized out> old_mask = {__val = {0}} ret = <optimized out> #1 0x00007f77d7eae8a3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78 No locals. #2 0x00007f77d7e5c8ee in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26 ret = <optimized out> #3 0x00007f77d7e4498f in __GI_abort () at abort.c:100 act = {__sigaction_handler = {sa_handler = 0x0, sa_sigaction = 0x0}, sa_mask = {__val = {18446744073709551615, 0 <repeats 15 times>}}, sa_flags = 0, sa_restorer = 0x0} #4 0x00007f77d7e457d0 in __libc_message (fmt=fmt@entry=0x7f77d7fc2309 "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:150 ap = {{gp_offset = 16, fp_offset = 32631, overflow_arg_area = 0x7f77baa5c940, reg_save_area = 0x7f77baa5c8d0}} fd = 2 list = <optimized out> nlist = <optimized out> cp = <optimized out> #5 0x00007f77d7f41d19 in __GI___fortify_fail (msg=msg@entry=0x7f77d7fc22f0 "buffer overflow detected") at fortify_fail.c:24 No locals. #6 0x00007f77d7f416d4 in __GI___chk_fail () at chk_fail.c:28 No locals. #7 0x00007f77d7f42eb5 in ___snprintf_chk (s=s@entry=0x7f77baa5fbb4 "", maxlen=maxlen@entry=4093, flag=flag@entry=2, slen=slen@entry=4061, format=format@entry=0x55c5504315e4 "/%s") at snprintf_chk.c:29 mode = <optimized out> ap = {{gp_offset = 48, fp_offset = 48, overflow_arg_area = 0x7f77baa5ca40, reg_save_area = 0x7f77baa5c980}} ret = <optimized out> #8 0x000055c5502a1c6a in snprintf (__fmt=0x55c5504315e4 "/%s", __n=<optimized out>, __s=<optimized out>) at /usr/include/bits/stdio2.h:54 No locals. #9 pvr_generate_filename (de=de@entry=0x55c5519ac200, ss=ss@entry=0x55c55229cc00) at src/dvr/dvr_rec.c:1091 filename = "Australian Story$n.$x", '\000' <repeats 4074 times> path = "/mnt/stor/tvheadend/Australian Story\000n.$x", '\000' <repeats 4055 times> ptmp = "Australian Story", '\000' <repeats 4079 times> number = '\000' <repeats 15 times> tmp = "Australian Story", '\000' <repeats 4079 times> lastpath = 0x0 tally = 0 st = {st_dev = 0, st_ino = 0, st_nlink = 0, st_mode = 0, st_uid = 0, st_gid = 0, __pad0 = 0, st_rdev = 0, st_size = 0, st_blksize = 0, st_blocks = 0, st_atim = {tv_sec = 0, tv_nsec = 0}, st_mtim = {tv_sec = 0, tv_nsec = 0}, st_ctim = {tv_sec = 0, tv_nsec = 0}, __glibc_reserved = {0, 0, 0}} s = <optimized out> x = <optimized out> fmtstr = <optimized out> dirsep = <optimized out> tm = {tm_sec = 0, tm_min = 30, tm_hour = 20, tm_mday = 10, tm_mon = 0, tm_year = 124, tm_wday = 3, tm_yday = 9, tm_isdst = 1, tm_gmtoff = 39600, tm_zone = 0x55c5516e95f0 "AEDT"} cfg = 0x55c5517a73d0 m = <optimized out> l = 20 j = <optimized out> k = <optimized out> max = <optimized out> dir_dosubs = 0 __PRETTY_FUNCTION__ = "pvr_generate_filename" #10 0x000055c5502a4e2c in dvr_rec_start (ss=0x55c55229cc00, de=<optimized out>) at src/dvr/dvr_rec.c:1314 e = <optimized out> muxer = <optimized out> i = <optimized out> asp = "\232Q\305U\000\0000\r\246\272w\177\000" ch = "\177\000\000F\251)P" f = <optimized out> st = {st_dev = 2431, st_ino = 95158273, st_nlink = 21, st_mode = 16877, st_uid = 985, st_gid = 39, __pad0 = 0, st_rdev = 0, st_size = 28672, st_blksize = 4096, st_blocks = 64, st_atim = {tv_sec = 1704852464, tv_nsec = 929534359}, st_mtim = {tv_sec = 1704550207, tv_nsec = 647315986}, st_ctim = { tv_sec = 1704852447, tv_nsec = 946314019}, __glibc_reserved = {0, 0, 0}} si = 0x55c55229cc08 ssc = <optimized out> info = <optimized out> ss_copy = <optimized out> res = "\305U\000\00068543196", <incomplete sequence \302> sr = "\0000\r\246\272w" cfg = 0x55c5517a73d0 prch = 0x55c5517a2c40 si = <optimized out> ss_copy = <optimized out> ssc = <optimized out> res = <optimized out> asp = <optimized out> sr = <optimized out> ch = <optimized out> cfg = <optimized out> prch = <optimized out> info = <optimized out> e = <optimized out> f = <optimized out> muxer = <optimized out> st = <optimized out> i = <optimized out> _err = <optimized out> #11 dvr_thread_rec_start (_de=_de@entry=0x7f77baa60e00, ss=ss@entry=0x55c55229cc00, run=run@entry=0x7f77baa60df8, started=started@entry=0x7f77baa60dfc, dts_offset=dts_offset@entry=0x7f77baa60e08, postproc=postproc@entry=0x0) at src/dvr/dvr_rec.c:1566 code = <optimized out> de = <optimized out> prch = <optimized out> ret = 0 #12 0x000055c5502a5dd8 in dvr_thread (aux=<optimized out>) at src/dvr/dvr_rec.c:1808 de = 0x55c5519ac200 prch = <optimized out> sq = <optimized out> backlog = {tqh_first = 0x0, tqh_last = 0x7f77baa60e10} sm = <optimized out> sm2 = <optimized out> pkt = <optimized out> pkt2 = <optimized out> pkt3 = <optimized out> ss = <optimized out> run = 1 started = 0 muxing = <optimized out> comm_skip = <optimized out> rs = 5 epg_running = <optimized out> old_epg_running = <optimized out> epg_pause = <optimized out> commercial = <optimized out> running_disabled = <optimized out> packets = <optimized out> dts_offset = -9223372036854775808 now = <optimized out> real_start = <optimized out> start_time = <optimized out> running_start = <optimized out> running_stop = <optimized out> postproc = <optimized out> ubuf = '\377' <repeats 33 times> #13 0x000055c5502069f8 in thread_wrapper (p=0x55c552296c80) at src/tvh_thread.c:91 ts = <optimized out> set = {__val = {16388, 0, 0, 0, 0, 18446744073709550232, 0, 140152433411184, 140152209280784, 140152700392414, 0, 140152433411200, 140152209286848, 140152433411200, 140152433411840, 140152433411840}} r = <optimized out> #14 0x00007f77d7eac897 in start_thread (arg=<optimized out>) at pthread_create.c:444 ret = <optimized out> pd = <optimized out> out = <optimized out> unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140152700323232, -2340501643117535906, 140152209286848, -1384, 2, 140722946798512, -2340501643138507426, -2340740690510815906}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = <optimized out> #15 0x00007f77d7f336fc in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78 No locals. (gdb)
Updated by Chuck Bonesteel 12 months ago
saen acro wrote:
Is this a mounted storage, and how is mounted?
Yes:
/dev/md127 on /mnt/stor type ext4 (rw,relatime,seclabel)
Updated by Chuck Bonesteel 12 months ago
saen acro wrote:
Who build that package it's modified somehow.
This is my command:
gdb /usr/bin/tvheadend ~/coredump
[user@server tvheadend]$ rpm --verify tvheadend-4.3^20230408gitf32c7c5-3.fc39.x86_64 [user@server tvheadend]$ echo $? 0 [user@server tvheadend]$ rpm -qf /usr/bin/tvheadend tvheadend-4.3^20230408gitf32c7c5-3.fc39.x86_64 [user@server tvheadend]$
Maybe I messed something up. I am jumping around a bit to understand the stack trace...
Updated by Chuck Bonesteel 12 months ago
saen acro wrote:
add some extra
[...]
or in fstab
[...]
ACLs are root cause? I used same mounted storage for ~2 years with tvheadend + Fedora 37 zero issues. No problem for me to change mount flags I just like to understand reasoning.
Updated by Flole Systems 12 months ago
ACLs as a source of a buffer overflow in some string function? Seriously? Sometimes it's better to leave a question/bug report unanswered instead of causing confusion....
Updated by Chuck Bonesteel 12 months ago
Looks like this is already fixed/known:
https://tvheadend.org/issues/6272
https://github.com/tvheadend/tvheadend/commit/003fd92707531bdf7ad1753ab028db8748ac5ab8
Fedora 39 build is based on f32c7c59a, which doesn't contain the fix?
snprintf(path + l + j, sizeof(path) - l + j, "/%s", filename);
Updated by Chuck Bonesteel 12 months ago
Bug submitted to RPMFusion.