gdbusdaemon: potential segfault due to use-after-free (threading related)
Submitted by Andreas Hübner
Link to original bug (#773878)
Description
I'm currently debugging an issue where gdbusdaemon crashes under heavy load. In the test setup, a shell script repeatedly uses 'gdbus emit' to broadcast a signal on the bus. However, the issue is highly timing reliant, so it is not so easy to reproduce.
From my understanding, this is what seems to happen:
- gdbusdaemon gets a new connection and creates a Client object.
- in client_new() a cleanup function for the client is added to the connection_closed signal and the daemon also registers its filter_function()
- the client sends a message and closes the connection on his side
- daemon closes the connection but the message is still in the worker queue or currently being processed
- the filter_function now tries to use the client object, which was already freed in step 4
- depending on whether the memory was reused in the meantime, the daemon might crash here
Some details from my description might be wrong, since I'm still investigating this more thoroughly.
Any suggestions on how to fix this properly? In the filter_function() I can check if the connection is closed and abort, but then I might lose some messages. It would be better if I can block the client_free until the message processing is done.
The issue is related to bug 704568, but no one calls g_dbus_connection_remove_filter here.
Version: 2.51.x
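The interleaving from the report, replayed next to one way of keeping client_free() from running while a message is still in flight, as an added example that is not GLib or gdbusdaemon code: the Client struct, client_ref/client_unref, filter_function, run_scenario and the deterministic single-thread replay of the steps are assumptions of this illustration. The fix shown is reference counting, the same pattern GObject uses with g_object_ref/g_object_unref: each in-flight filter call holds its own reference, and the connection_closed handler only drops the connection's reference, so the object is released by whichever side finishes last.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical Client, modelled on the report: one per connection, used by
 * filter_function while queued messages are processed. */
typedef struct Client {
    int ref_count;       /* one ref for the connection, plus one per in-flight filter call */
    int alive;           /* cleared by client_free(); lets the demo detect a use-after-free */
    int messages_seen;   /* the work the filter does on the client */
    char name[32];
} Client;

static Client *client_new(const char *name)
{
    Client *c = calloc(1, sizeof *c);
    if (!c)
        abort();
    c->ref_count = 1;            /* held on behalf of the connection */
    c->alive = 1;
    snprintf(c->name, sizeof c->name, "%s", name);
    return c;
}

/* The demo keeps the storage and only marks the object dead, so a late use
 * shows up as a detectable error instead of undefined behaviour. A real
 * client_free() would release the memory here. */
static void client_free(Client *c)
{
    c->alive = 0;
}

static Client *client_ref(Client *c)
{
    /* With real worker threads this must be atomic (g_atomic_int_inc in GLib). */
    c->ref_count++;
    return c;
}

static void client_unref(Client *c)
{
    /* g_atomic_int_dec_and_test in GLib */
    if (--c->ref_count == 0)
        client_free(c);
}

/* filter_function as the report describes it: it touches the client.
 * Returns 0, or -1 if the client was already freed (the crash path). */
static int filter_function(Client *c)
{
    if (!c->alive)
        return -1;
    c->messages_seen++;
    return 0;
}

typedef struct Outcome {
    int filter_rc;       /* 0 = filter ran on a live client, -1 = use-after-free */
    int messages_seen;
    int freed_at_end;    /* 1 if the client was released once nothing used it */
} Outcome;

/* Replays the report's ordering in one thread: message queued for the worker,
 * connection closed, worker runs the filter. With use_refcount the worker pins
 * the client while the pointer is still known to be valid (in a real daemon:
 * when the message is queued, or under the same lock connection_closed takes). */
static Outcome run_scenario(int use_refcount)
{
    Outcome out = {0, 0, 0};
    Client *c = client_new("gdbus-emit-peer");

    /* step 3: message queued; worker takes its own reference */
    Client *in_flight = use_refcount ? client_ref(c) : c;

    /* step 4: connection_closed fires on the main thread */
    if (use_refcount)
        client_unref(c);   /* connection drops its ref; object survives while in flight */
    else
        client_free(c);    /* what the report describes: freed outright */

    /* step 5: worker processes the queued message */
    out.filter_rc = filter_function(in_flight);
    out.messages_seen = c->messages_seen;

    if (use_refcount)
        client_unref(in_flight);   /* last ref gone: client_free() runs now */

    out.freed_at_end = !c->alive;
    free(c);   /* demo storage only */
    return out;
}

int main(void)
{
    Outcome racy = run_scenario(0);
    Outcome fixed = run_scenario(1);
    printf("direct free: filter rc=%d (client freed before use)\n", racy.filter_rc);
    printf("refcounted:  filter rc=%d, messages=%d, freed afterwards=%d\n",
           fixed.filter_rc, fixed.messages_seen, fixed.freed_at_end);
    return 0;
}
```

The replay is deterministic on purpose; in the daemon the same ordering only occurs when the peer closes while its message is still in the worker queue, which is why the report calls it timing reliant. The important detail is where the extra reference is taken: it has to happen on a path that still holds a valid pointer and that is ordered before the connection_closed handler can run, otherwise the reference is itself taken on freed memory.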