medialibrary: fix heap-use-after-free
m_deviceLister is listening to media source tree callbacks and need be cleaned (and callbacks removed) before m_devices, since callbacks read m_devices. ==1750167==ERROR: AddressSanitizer: heap-use-after-free on address 0x61100002c640 at pc 0x7f8906109b0e bp 0x7f88ef176630 sp 0x7f88ef176628 READ of size 8 at 0x61100002c640 thread T22 #0 0x7f8906109b0d in std::__shared_ptr<medialibrary::fs::IDevice, (__gnu_cxx::_Lock_policy)2>::get() const /usr/include/c++/12/bits/shared_ptr_base.h:1666 #1 0x7f8906109b0d in std::__shared_ptr_access<medialibrary::fs::IDevice, (__gnu_cxx::_Lock_policy)2, false, false>::_M_get() const /usr/include/c++/12/bits/shared_ptr_base.h:1363 #2 0x7f8906109b0d in std::__shared_ptr_access<medialibrary::fs::IDevice, (__gnu_cxx::_Lock_policy)2, false, false>::operator->() const /usr/include/c++/12/bits/shared_ptr_base.h:1357 #3 0x7f8906109b0d in operator() ../../modules/misc/medialibrary/fs/fs.cpp:195 #4 0x7f8906109cac in operator()<__gnu_cxx::__normal_iterator<std::shared_ptr<medialibrary::fs::IDevice>*, std::vector<std::shared_ptr<medialibrary::fs::IDevice> > > > /usr/include/c++/12/bits/predefined_ops.h:318 #5 0x7f8906109cac in __find_if<__gnu_cxx::__normal_iterator<std::shared_ptr<medialibrary::fs::IDevice>*, std::vector<std::shared_ptr<medialibrary::fs::IDevice> > >, __gnu_cxx::__ops::_Iter_pred<vlc::medialibrary::SDFileSystemFactory::deviceByUuid(const std::string&)::<lambda(const std::shared_ptr<medialibrary::fs::IDevice>&)> > > /usr/include/c++/12/bits/stl_algobase.h:2067 #6 0x7f8906109f54 in __find_if<__gnu_cxx::__normal_iterator<std::shared_ptr<medialibrary::fs::IDevice>*, std::vector<std::shared_ptr<medialibrary::fs::IDevice> > >, __gnu_cxx::__ops::_Iter_pred<vlc::medialibrary::SDFileSystemFactory::deviceByUuid(const std::string&)::<lambda(const std::shared_ptr<medialibrary::fs::IDevice>&)> > > /usr/include/c++/12/bits/stl_algobase.h:2112 #7 0x7f8906109f54 in find_if<__gnu_cxx::__normal_iterator<std::shared_ptr<medialibrary::fs::IDevice>*, std::vector<std::shared_ptr<medialibrary::fs::IDevice> > >, vlc::medialibrary::SDFileSystemFactory::deviceByUuid(const std::string&)::<lambda(const std::shared_ptr<medialibrary::fs::IDevice>&)> > /usr/include/c++/12/bits/stl_algo.h:3877 #8 0x7f890610b532 in vlc::medialibrary::SDFileSystemFactory::deviceByUuid(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) ../../modules/misc/medialibrary/fs/fs.cpp:193 #9 0x7f890610c16e in vlc::medialibrary::SDFileSystemFactory::onDeviceMounted(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool) ../../modules/misc/medialibrary/fs/fs.cpp:146 #10 0x7f890610edd1 in vlc::medialibrary::DeviceLister::onChildrenAdded(vlc_media_tree*, input_item_node_t*, input_item_node_t* const*, unsigned long) ../../modules/misc/medialibrary/fs/devicelister.cpp:131 #11 0x7f890610f06e in vlc::medialibrary::DeviceLister::onChildrenAdded(vlc_media_tree*, input_item_node_t*, input_item_node_t* const*, unsigned long, void*) ../../modules/misc/medialibrary/fs/devicelister.cpp:105 #12 0x7f8908b01f44 in vlc_media_tree_Add ../../src/media_source/media_tree.c:303 #13 0x7f8908b00dc0 in services_discovery_item_added ../../src/media_source/media_source.c:81 #14 0x7f8907972be6 in services_discovery_AddItem ../../include/vlc_services_discovery.h:166 #15 0x7f8907972be6 in entry_item_append ../../modules/access/dsm/sd.c:73 #16 0x7f8907972daf in netbios_ns_discover_on_entry_added ../../modules/access/dsm/sd.c:117 #17 0x7f8907980930 in netbios_ns_discover_thread (/home/tom/work/out/lib/x86_64-linux-gnu/libdsm.so.3+0x5930) #18 0x7f89086a3d7f in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7d7f) #19 0x7f89085bdbae in clone (/lib/x86_64-linux-gnu/libc.so.6+0xfabae) 0x61100002c640 is located 0 bytes inside of 256-byte region [0x61100002c640,0x61100002c740) freed by thread T0 here: #0 0x7f8908cba3c8 in operator delete(void*, unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:164 #1 0x7f890610c7d8 in std::__new_allocator<std::shared_ptr<medialibrary::fs::IDevice> >::deallocate(std::shared_ptr<medialibrary::fs::IDevice>*, unsigned long) /usr/include/c++/12/bits/new_allocator.h:158 #2 0x7f890610c7d8 in std::allocator_traits<std::allocator<std::shared_ptr<medialibrary::fs::IDevice> > >::deallocate(std::allocator<std::shared_ptr<medialibrary::fs::IDevice> >&, std::shared_ptr<medialibrary::fs::IDevice>*, unsigned long) /usr/include/c++/12/bits/alloc_traits.h:496 #3 0x7f890610c7d8 in std::_Vector_base<std::shared_ptr<medialibrary::fs::IDevice>, std::allocator<std::shared_ptr<medialibrary::fs::IDevice> > >::_M_deallocate(std::shared_ptr<medialibrary::fs::IDevice>*, unsigned long) /usr/include/c++/12/bits/stl_vector.h:387 #4 0x7f890610c7d8 in std::_Vector_base<std::shared_ptr<medialibrary::fs::IDevice>, std::allocator<std::shared_ptr<medialibrary::fs::IDevice> > >::~_Vector_base() /usr/include/c++/12/bits/stl_vector.h:366 #5 0x7f890610cc47 in std::vector<std::shared_ptr<medialibrary::fs::IDevice>, std::allocator<std::shared_ptr<medialibrary::fs::IDevice> > >::~vector() /usr/include/c++/12/bits/stl_vector.h:733 #6 0x7f890610ccb4 in vlc::medialibrary::SDFileSystemFactory::~SDFileSystemFactory() ../../modules/misc/medialibrary/fs/fs.h:45 #7 0x7f89060dd7f0 (/home/tom/work/git/vlc/build-asan/modules/.libs/libmedialibrary_plugin.so+0xdd7f0) #8 0x7f8906192379 in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /usr/include/c++/12/bits/shared_ptr_base.h:346 #9 0x7f8906192379 in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /usr/include/c++/12/bits/shared_ptr_base.h:317 #10 0x7f8906192379 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() /usr/include/c++/12/bits/shared_ptr_base.h:1071 #11 0x7f8906192379 in std::__shared_ptr<medialibrary::fs::IFileSystemFactory, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() /usr/include/c++/12/bits/shared_ptr_base.h:1524 #12 0x7f8906192379 in std::shared_ptr<medialibrary::fs::IFileSystemFactory>::~shared_ptr() /usr/include/c++/12/bits/shared_ptr.h:175 #13 0x7f8906192379 in void std::_Destroy<std::shared_ptr<medialibrary::fs::IFileSystemFactory> >(std::shared_ptr<medialibrary::fs::IFileSystemFactory>*) /usr/include/c++/12/bits/stl_construct.h:151 #14 0x7f8906192379 in void std::_Destroy_aux<false>::__destroy<std::shared_ptr<medialibrary::fs::IFileSystemFactory>*>(std::shared_ptr<medialibrary::fs::IFileSystemFactory>*, std::shared_ptr<medialibrary::fs::IFileSystemFactory>*) /usr/include/c++/12/bits/stl_construct.h:163 #15 0x7f8906192379 in void std::_Destroy<std::shared_ptr<medialibrary::fs::IFileSystemFactory>*>(std::shared_ptr<medialibrary::fs::IFileSystemFactory>*, std::shared_ptr<medialibrary::fs::IFileSystemFactory>*) /usr/include/c++/12/bits/stl_construct.h:196 #16 0x7f8906192379 in void std::_Destroy<std::shared_ptr<medialibrary::fs::IFileSystemFactory>*, std::shared_ptr<medialibrary::fs::IFileSystemFactory> >(std::shared_ptr<medialibrary::fs::IFileSystemFactory>*, std::shared_ptr<medialibrary::fs::IFileSystemFactory>*, std::allocator<std::shared_ptr<medialibrary::fs::IFileSystemFactory> >&) /usr/include/c++/12/bits/alloc_traits.h:850 #17 0x7f8906192379 in std::vector<std::shared_ptr<medialibrary::fs::IFileSystemFactory>, std::allocator<std::shared_ptr<medialibrary::fs::IFileSystemFactory> > >::~vector() /usr/include/c++/12/bits/stl_vector.h:730 #18 0x7f8906192379 in medialibrary::FsHolder::~FsHolder() ../src/filesystem/FsHolder.cpp:66 previously allocated by thread T22 here: #0 0x7f8908cb94c8 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:95 #1 0x7f890610d4d8 in std::__new_allocator<std::shared_ptr<medialibrary::fs::IDevice> >::allocate(unsigned long, void const*) /usr/include/c++/12/bits/new_allocator.h:137 #2 0x7f890610d789 in std::allocator_traits<std::allocator<std::shared_ptr<medialibrary::fs::IDevice> > >::allocate(std::allocator<std::shared_ptr<medialibrary::fs::IDevice> >&, unsigned long) /usr/include/c++/12/bits/alloc_traits.h:464 #3 0x7f890610d789 in std::_Vector_base<std::shared_ptr<medialibrary::fs::IDevice>, std::allocator<std::shared_ptr<medialibrary::fs::IDevice> > >::_M_allocate(unsigned long) /usr/include/c++/12/bits/stl_vector.h:378 #4 0x7f890610d789 in void std::vector<std::shared_ptr<medialibrary::fs::IDevice>, std::allocator<std::shared_ptr<medialibrary::fs::IDevice> > >::_M_realloc_insert<std::shared_ptr<medialibrary::fs::IDevice> const&>(__gnu_cxx::__normal_iterator<std::shared_ptr<medialibrary::fs::IDevice>*, std::vector<std::shared_ptr<medialibrary::fs::IDevice>, std::allocator<std::shared_ptr<medialibrary::fs::IDevice> > > >, std::shared_ptr<medialibrary::fs::IDevice> const&) /usr/include/c++/12/bits/vector.tcc:453 #5 0x7f890610dc02 in std::vector<std::shared_ptr<medialibrary::fs::IDevice>, std::allocator<std::shared_ptr<medialibrary::fs::IDevice> > >::push_back(std::shared_ptr<medialibrary::fs::IDevice> const&) /usr/include/c++/12/bits/stl_vector.h:1287 #6 0x7f890610c3b3 in vlc::medialibrary::SDFileSystemFactory::onDeviceMounted(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool) ../../modules/misc/medialibrary/fs/fs.cpp:151 #7 0x7f890610edd1 in vlc::medialibrary::DeviceLister::onChildrenAdded(vlc_media_tree*, input_item_node_t*, input_item_node_t* const*, unsigned long) ../../modules/misc/medialibrary/fs/devicelister.cpp:131 #8 0x7f890610f06e in vlc::medialibrary::DeviceLister::onChildrenAdded(vlc_media_tree*, input_item_node_t*, input_item_node_t* const*, unsigned long, void*) ../../modules/misc/medialibrary/fs/devicelister.cpp:105 #9 0x7f8908b01f44 in vlc_media_tree_Add ../../src/media_source/media_tree.c:303 Thread T22 created by T0 here: #0 0x7f8908c49726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207 #1 0x7f890798126c in netbios_ns_discover_start (/home/tom/work/out/lib/x86_64-linux-gnu/libdsm.so.3+0x626c) #2 0x7f8908b022b5 in generic_start ../../src/modules/modules.c:275 SUMMARY: AddressSanitizer: heap-use-after-free /usr/include/c++/12/bits/shared_ptr_base.h:1666 in std::__shared_ptr<medialibrary::fs::IDevice, (__gnu_cxx::_Lock_policy)2>::get() const Shadow bytes around the buggy address: 0x0c227fffd870: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 0x0c227fffd880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c227fffd890: 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa fa 0x0c227fffd8a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c227fffd8b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa =>0x0c227fffd8c0: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd 0x0c227fffd8d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c227fffd8e0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa 0x0c227fffd8f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c227fffd900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa 0x0c227fffd910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==1750167==ABORTING
Please register or sign in to comment