[BRLTTY] Crash of BRLTTY in X session

Samuel Thibault samuel.thibault at ens-lyon.org
Thu Feb 27 20:54:55 UTC 2025


Hello,

Sebastian Humenda, on Wed. 26 Feb 2025 09:29:25 +0100, wrote:
> The ASAN output is below. It didn't figure out the line numbers. If this is
> too vague, I have to try and change the way I get the ASAN output.

I believe we have the information:

> ==208649==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c0019f8101 at pc 0x55de2ae390a3 bp 0x7fff172e34a0 sp 0x7fff172e3498
> READ of size 1 at 0x60c0019f8101 thread T0
>     #0 0x55de2ae390a2 in usbCancelRequest ??:?

This is the urb->endpoint read. We are trying to cancel a request but it
was already freed.

>     #1 0x55de2ae28e6c in usbDeallocatePendingInputRequest usb.c:?
>     #2 0x55de2ad68398 in removeItem queue.c:?
>     #3 0x55de2ad683e4 in discardElement queue.c:?
>     #4 0x55de2ad6897b in deleteElement ??:?
>     #5 0x55de2ad6917e in deleteElements ??:?
>     #6 0x55de2ae27b26 in usbFinishEndpoint usb.c:?

This is going through
endpoint->direction.input.pending.requests
I guess the request didn't get removed from it on getting freed.

>     #7 0x55de2ad698ef in processQueue ??:?
>     #8 0x55de2ae27b97 in usbRemoveEndpoints usb.c:?
>     #9 0x55de2ae2816c in usbCloseInterface ??:?
>     #10 0x55de2ae2863f in usbCloseDevice ??:?
>     #11 0x55de2ae2c589 in usbCloseChannel ??:?
>     #12 0x55de2ae4dfaa in disconnectUsbResource gio_usb.c:?
>     #13 0x55de2ae4afcd in gioDisconnectResource ??:?
>     #14 0x55de2ae1b32a in disconnectBrailleResource ??:?
>     #15 0x7ff8a203f0a6 in ?? ??:0
>     #16 0x55de2ad7cc2a in destructBrailleDriver ??:?
>     #17 0x55de2ad7d8ee in deactivateBrailleDriver config.c:?
>     #18 0x55de2ad7dcba in stopBrailleDriver config.c:?
>     #19 0x55de2ad7dd17 in stopBrailleDriverActivity config.c:?
>     #20 0x55de2ad84ae4 in stopActivity ??:?
>     #21 0x55de2ad7df4a in disableBrailleDriver ??:?
>     #22 0x55de2ad7dfad in restartBrailleDriver ??:?
>     #23 0x55de2ad35181 in handleBrailleDriverFailed core.c:?
>     #24 0x55de2ad3556c in brlttyWait ??:?
>     #25 0x55de2ad2dad7 in brlttyRun brltty.c:?
>     #26 0x55de2ad2db10 in main ??:?
>     #27 0x7ff8a9a46249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
>     #28 0x7ff8a9a46304 in __libc_start_main_impl ../csu/libc-start.c:360
>     #27 0x55de2ad2da00 in _start ??:?
> 0x60c0019f8101 is located 1 bytes inside of 120-byte region [0x60c0019f8100,0x60c0019f8178)
> freed by thread T0 here:
>     #0 0x7ff8ac4b76a8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
>     #28 0x55de2ae3b6bb in usbHandleCompletedInputRequests ??:?

This indeed freed the urb after dequeuing it from
eptx->completedRequests, but it doesn't seem to have dequeued it from
endpoint->direction.input.pending.requests while at it.

Dave, any idea?

Samuel

>     #29 0x55de2ad5e975 in invokeMonitorCallback async_io.c:?
>     #30 0x55de2ad5fcef in asyncExecuteIoCallback ??:?
>     #31 0x55de2ad5bbde in ioCallbackExecuter async_wait.c:?
>     #32 0x55de2ad5bf06 in awaitAction async_wait.c:?
>     #33 0x55de2ad5c1ef in asyncAwaitCondition ??:?
>     #34 0x55de2ad3547b in brlttyWait ??:?
>     #35 0x55de2ad2dad7 in brlttyRun brltty.c:?
>     #36 0x55de2ad2db10 in main ??:?
>     #10 0x7ff8a9a46249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
> previously allocated by thread T0 here:
>     #0 0x7ff8ac4b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
>     #37 0x55de2ae38625 in usbMakeURB usb_linux.c:?
>     #38 0x55de2ae38df6 in usbSubmitRequest ??:?
>     #39 0x55de2ae28fd0 in usbAddPendingInputRequest usb.c:?
>     #40 0x55de2ae290e0 in usbEnsurePendingInputRequests usb.c:?
>     #41 0x55de2ae293c8 in usbHandleInputResponse ??:?
>     #42 0x55de2ae3a991 in usbHandleInputURB usb_linux.c:?
>     #43 0x55de2ae3b472 in usbHandleCompletedInputRequest usb_linux.c:?
>     #44 0x55de2ae3b668 in usbHandleCompletedInputRequests ??:?
>     #45 0x55de2ad5e975 in invokeMonitorCallback async_io.c:?
>     #46 0x55de2ad5fcef in asyncExecuteIoCallback ??:?
>     #47 0x55de2ad5bbde in ioCallbackExecuter async_wait.c:?
>     #48 0x55de2ad5bf06 in awaitAction async_wait.c:?
>     #49 0x55de2ad5c1ef in asyncAwaitCondition ??:?
>     #50 0x55de2ad3547b in brlttyWait ??:?
>     #51 0x55de2ad2dad7 in brlttyRun brltty.c:?
>     #52 0x55de2ad2db10 in main ??:?
>     #17 0x7ff8a9a46249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
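The ownership mistake diagnosed above, as an added illustration that is not BRLTTY's code: a request linked into both a pending list and a completed list, released after being unlinked from only one of them, beside the handler that unlinks from every list first. All struct and function names are hypothetical; `released` stands in for `free()` so the dangling link can be counted without touching freed memory.

```c
/* Added illustration, not BRLTTY code (all names hypothetical): a request owned
 * by two lists, like pending.requests and completedRequests in the trace above.
 * In the real program the later read of the dangling pointer is the ASAN report. */
#include <stdlib.h>
struct request {
    struct request *pending_next, *completed_next; /* links in the two lists */
    int released;                                  /* stand-in for "memory was freed" */
};
struct endpoint { struct request *pending, *completed; };
/* A submitted URB that has just completed sits on both lists. */
static struct request *submit_and_complete(struct endpoint *ep) {
    struct request *r = calloc(1, sizeof *r);
    r->pending_next = ep->pending;     ep->pending = r;
    r->completed_next = ep->completed; ep->completed = r;
    return r;
}
static void unlink_pending(struct endpoint *ep, struct request *r) {
    for (struct request **pp = &ep->pending; *pp; pp = &(*pp)->pending_next)
        if (*pp == r) { *pp = r->pending_next; return; }
}
static void unlink_completed(struct endpoint *ep, struct request *r) {
    for (struct request **pp = &ep->completed; *pp; pp = &(*pp)->completed_next)
        if (*pp == r) { *pp = r->completed_next; return; }
}
/* Buggy handler: unlinks from completed only, then releases the request. */
static void handle_completed_buggy(struct endpoint *ep, struct request *r) {
    unlink_completed(ep, r);
    r->released = 1;                 /* would be free(r) */
}
/* Fixed handler: every list that may still reference r is unlinked first. */
static void handle_completed_fixed(struct endpoint *ep, struct request *r) {
    unlink_completed(ep, r);
    unlink_pending(ep, r);
    r->released = 1;                 /* now safe to free(r) */
}
/* Released requests still reachable from pending: each is the dangling pointer
 * that a cancel-on-close pass (usbCancelRequest in the trace) would read. */
static int dangling_pending(const struct endpoint *ep) {
    int n = 0;
    for (const struct request *r = ep->pending; r; r = r->pending_next) n += r->released;
    return n;
}
/* Runs one scenario and returns the dangling count: 1 for buggy, 0 for fixed. */
static int scenario(int fixed) {
    struct endpoint ep = {0};
    struct request *r = submit_and_complete(&ep);
    if (fixed) handle_completed_fixed(&ep, r); else handle_completed_buggy(&ep, r);
    int n = dangling_pending(&ep);
    unlink_pending(&ep, r); free(r); /* real cleanup: no leak, no dangling link */
    return n;
}
```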
