147e:2016: invalid free in fpi_usb_transfer_unref
Trying to use fprintd-enroll on a ThinkPad R61 with a "Upek Biometric Touchchip/Touchstrip Fingerprint Sensor" (147e:2016) causes a crash due to an invalid free(). IIRC an older version of libfprint/fprintd used to work with this sensor.
PID: 38496 (fprintd)
UID: 0 (root)
GID: 0 (root)
Signal: 6 (ABRT)
Timestamp: Sat 2021-04-10 11:56:57 CEST (1h 9min ago)
Command Line: /usr/lib/fprintd
Executable: /usr/lib/fprintd
Control Group: /system.slice/fprintd.service
Unit: fprintd.service
Slice: system.slice
Boot ID: 2e22071fba8f4b3f842f6bf26f1ba2ce
Machine ID: e88df9efe8ee4cc886fc811596c93b55
Hostname: spc
Storage: /var/lib/systemd/coredump/core.fprintd.0.2e22071fba8f4b3f842f6bf26f1ba2ce.38496.1618048617000000.zst (inaccessible)
Message: Process 38496 (fprintd) of user 0 dumped core.
Stack trace of thread 38496:
#0 0x00007faef82d6ef5 raise (libc.so.6 + 0x3cef5)
#1 0x00007faef82c0862 abort (libc.so.6 + 0x26862)
#2 0x00007faef8318f38 __libc_message (libc.so.6 + 0x7ef38)
#3 0x00007faef8320bea malloc_printerr (libc.so.6 + 0x86bea)
#4 0x00007faef8322113 _int_free (libc.so.6 + 0x88113)
#5 0x00007faef8325ca8 __libc_free (libc.so.6 + 0x8bca8)
#6 0x00007faef84c4c3c fpi_usb_transfer_unref (libfprint-2.so.2 + 0x3cc3c)
#7 0x00007faef84c4db1 transfer_finish_cb (libfprint-2.so.2 + 0x3cdb1)
#8 0x00007faefb4c13d4 n/a (libgio-2.0.so.0 + 0xa03d4)
#9 0x00007faefb4c1409 n/a (libgio-2.0.so.0 + 0xa0409)
#10 0x00007faefb631f30 g_main_context_dispatch (libglib-2.0.so.0 + 0x53f30)
#11 0x00007faefb685b59 n/a (libglib-2.0.so.0 + 0xa7b59)
#12 0x00007faefb631593 g_main_loop_run (libglib-2.0.so.0 + 0x53593)
#13 0x00005612f09e5495 main (fprintd + 0x7495)
#14 0x00007faef82c1b25 __libc_start_main (libc.so.6 + 0x27b25)
#15 0x00005612f09e56de _start (fprintd + 0x76de)
Stack trace of thread 38501:
#0 0x00007faef838e37f __poll (libc.so.6 + 0xf437f)
#1 0x00007faef7d0113a n/a (libusb-1.0.so.0 + 0xd13a)
#2 0x00007faef7cfea7e n/a (libusb-1.0.so.0 + 0xaa7e)
#3 0x00007faef7cffc98 libusb_handle_events_timeout_completed (libusb-1.0.so.0 + 0xbc98)
#4 0x00007faef8153cef n/a (libgusb.so.2 + 0x5cef)
#5 0x00007faefb6600c1 n/a (libglib-2.0.so.0 + 0x820c1)
#6 0x00007faef8210299 start_thread (libpthread.so.0 + 0x9299)
#7 0x00007faef8399053 __clone (libc.so.6 + 0xff053)
Stack trace of thread 38500:
#0 0x00007faef838e37f __poll (libc.so.6 + 0xf437f)
#1 0x00007faef7d06206 n/a (libusb-1.0.so.0 + 0x12206)
#2 0x00007faef8210299 start_thread (libpthread.so.0 + 0x9299)
#3 0x00007faef8399053 __clone (libc.so.6 + 0xff053)
Stack trace of thread 38499:
#0 0x00007faef838e37f __poll (libc.so.6 + 0xf437f)
#1 0x00007faefb685ae8 n/a (libglib-2.0.so.0 + 0xa7ae8)
#2 0x00007faefb631593 g_main_loop_run (libglib-2.0.so.0 + 0x53593)
#3 0x00007faefb523558 n/a (libgio-2.0.so.0 + 0x102558)
#4 0x00007faefb6600c1 n/a (libglib-2.0.so.0 + 0x820c1)
#5 0x00007faef8210299 start_thread (libpthread.so.0 + 0x9299)
#6 0x00007faef8399053 __clone (libc.so.6 + 0xff053)
Stack trace of thread 38498:
#0 0x00007faef838e37f __poll (libc.so.6 + 0xf437f)
#1 0x00007faefb685ae8 n/a (libglib-2.0.so.0 + 0xa7ae8)
#2 0x00007faefb62f781 g_main_context_iteration (libglib-2.0.so.0 + 0x51781)
#3 0x00007faefb62f7d2 n/a (libglib-2.0.so.0 + 0x517d2)
#4 0x00007faefb6600c1 n/a (libglib-2.0.so.0 + 0x820c1)
#5 0x00007faef8210299 start_thread (libpthread.so.0 + 0x9299)
#6 0x00007faef8399053 __clone (libc.so.6 + 0xff053)
Stack trace of thread 38502:
#0 0x00007faef8393a9d syscall (libc.so.6 + 0xf9a9d)
#1 0x00007faefb68006b g_cond_wait_until (libglib-2.0.so.0 + 0xa206b)
#2 0x00007faefb6018b3 n/a (libglib-2.0.so.0 + 0x238b3)
#3 0x00007faefb662ddb n/a (libglib-2.0.so.0 + 0x84ddb)
#4 0x00007faefb6600c1 n/a (libglib-2.0.so.0 + 0x820c1)
#5 0x00007faef8210299 start_thread (libpthread.so.0 + 0x9299)
#6 0x00007faef8399053 __clone (libc.so.6 + 0xff053)
==7483== Memcheck, a memory error detector
==7483== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==7483== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright info
==7483== Command: /usr/lib/fprintd
==7483==
--7483-- WARNING: unhandled amd64-linux syscall: 315
--7483-- You may be able to write your own handler.
--7483-- Read the file README_MISSING_SYSCALL_OR_IOCTL.
--7483-- Nevertheless we consider this a bug. Please report
--7483-- it at http://valgrind.org/support/bug_reports.html.
==7483== Invalid free() / delete / delete[] / realloc()
==7483== at 0x483F9AB: free (vg_replace_malloc.c:538)
==7483== by 0x4C30CCB: UnknownInlinedFun (fpi-usb-transfer.c:122)
==7483== by 0x4C30CCB: fpi_usb_transfer_unref (fpi-usb-transfer.c:161)
==7483== by 0x4C30E90: transfer_finish_cb (fpi-usb-transfer.c:354)
==7483== by 0x4A793D3: ??? (in /usr/lib/libgio-2.0.so.0.6800.1)
==7483== by 0x4A79408: ??? (in /usr/lib/libgio-2.0.so.0.6800.1)
==7483== by 0x48F7F2F: g_main_context_dispatch (in /usr/lib/libglib-2.0.so.0.6800.1)
==7483== by 0x494BB58: ??? (in /usr/lib/libglib-2.0.so.0.6800.1)
==7483== by 0x48F7592: g_main_loop_run (in /usr/lib/libglib-2.0.so.0.6800.1)
==7483== by 0x10F494: ??? (in /usr/lib/fprintd)
==7483== by 0x7B81B24: (below main) (in /usr/lib/libc-2.33.so)
==7483== Address 0x88b01c0 is 0 bytes inside a block of size 8 free'd
==7483== at 0x483F9AB: free (vg_replace_malloc.c:538)
==7483== by 0x4C30E88: transfer_finish_cb (fpi-usb-transfer.c:352)
==7483== by 0x4A793D3: ??? (in /usr/lib/libgio-2.0.so.0.6800.1)
==7483== by 0x4A79408: ??? (in /usr/lib/libgio-2.0.so.0.6800.1)
==7483== by 0x48F7F2F: g_main_context_dispatch (in /usr/lib/libglib-2.0.so.0.6800.1)
==7483== by 0x494BB58: ??? (in /usr/lib/libglib-2.0.so.0.6800.1)
==7483== by 0x48F7592: g_main_loop_run (in /usr/lib/libglib-2.0.so.0.6800.1)
==7483== by 0x10F494: ??? (in /usr/lib/fprintd)
==7483== by 0x7B81B24: (below main) (in /usr/lib/libc-2.33.so)
==7483== Block was alloc'd at
==7483== at 0x4840B65: calloc (vg_replace_malloc.c:760)
==7483== by 0x4900A61: g_malloc0 (in /usr/lib/libglib-2.0.so.0.6800.1)
==7483== by 0x4C1DE11: UnknownInlinedFun (fpi-usb-transfer.c:249)
==7483== by 0x4C1DE11: sm_read_reg (upeksonly.c:708)
==7483== by 0x4C1CA28: UnknownInlinedFun (upeksonly.c:581)
==7483== by 0x4C1CA28: write_regs_iterate (upeksonly.c:614)
==7483== by 0x4C30E88: transfer_finish_cb (fpi-usb-transfer.c:352)
==7483== by 0x4A793D3: ??? (in /usr/lib/libgio-2.0.so.0.6800.1)
==7483== by 0x4A79408: ??? (in /usr/lib/libgio-2.0.so.0.6800.1)
==7483== by 0x48F7F2F: g_main_context_dispatch (in /usr/lib/libglib-2.0.so.0.6800.1)
==7483== by 0x494BB58: ??? (in /usr/lib/libglib-2.0.so.0.6800.1)
==7483== by 0x48F7592: g_main_loop_run (in /usr/lib/libglib-2.0.so.0.6800.1)
==7483== by 0x10F494: ??? (in /usr/lib/fprintd)
==7483== by 0x7B81B24: (below main) (in /usr/lib/libc-2.33.so)
==7483==
Apr 10 11:56:55 spc systemd[1]: Starting Fingerprint Authentication Daemon...
Apr 10 11:56:55 spc systemd[1]: Started Fingerprint Authentication Daemon.
Apr 10 11:56:57 spc fprintd[38496]: double free or corruption (fasttop)
Apr 10 11:56:57 spc systemd[1]: fprintd.service: Main process exited, code=dumped, status=6/ABRT
Apr 10 11:56:57 spc systemd[1]: fprintd.service: Failed with result 'core-dump'.
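The valgrind report above shows one 8-byte block (allocated via g_malloc0 at fpi-usb-transfer.c:249 from sm_read_reg) reaching free() twice: once under the callback invocation at transfer_finish_cb (fpi-usb-transfer.c:352) and again from fpi_usb_transfer_unref at line 354. The following is an added illustration, not libfprint or fprintd code and not a claim about the exact root cause in the upeksonly driver: a minimal C model of the ownership mistake that produces exactly that pattern, a completion callback that releases the transfer's buffer itself, after which the unref path frees it a second time. All names (Transfer, transfer_finish, cb_frees_buffer, etc.) are hypothetical. Frees are routed through a counting wrapper so the second free is observable as a return value instead of a glibc "double free or corruption" abort, and two correct callback shapes are shown beside the buggy one: leave the buffer to its owner, or explicitly steal it and clear the pointer.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a refcounted USB transfer and its completion
 * path. The names are made up for this example, not libfprint's. */
typedef struct {
    int ref_count;
    unsigned char *buffer;   /* owned by the transfer */
    size_t length;
} Transfer;

typedef void (*CompletionCb)(Transfer *t, void *user_data);

/* Instrumented free: record every pointer handed to free() so a double
 * free shows up as a count instead of an abort. Memory is really released
 * only on the first call for a given address. */
#define MAX_TRACKED 16
static uintptr_t g_freed[MAX_TRACKED];
static int g_freed_count;

static int free_count_for(uintptr_t key) {
    int n = 0;
    for (int i = 0; i < g_freed_count; i++)
        if (g_freed[i] == key) n++;
    return n;
}

static void tracked_free(void *p) {
    if (p == NULL) return;
    uintptr_t key = (uintptr_t)p;
    if (free_count_for(key) == 0) free(p);
    if (g_freed_count < MAX_TRACKED) g_freed[g_freed_count++] = key;
}

static Transfer *transfer_new(size_t length) {
    Transfer *t = calloc(1, sizeof *t);
    t->ref_count = 1;
    t->buffer = calloc(1, length);   /* plays the role of the g_malloc0'd block */
    t->length = length;
    return t;
}

/* The transfer releases its buffer exactly once, when the last ref drops. */
static void transfer_unref(Transfer *t) {
    if (--t->ref_count > 0) return;
    tracked_free(t->buffer);
    free(t);
}

/* Same shape as a finish callback: run the driver callback, then drop the
 * reference that was held for the in-flight transfer. */
static void transfer_finish(Transfer *t, CompletionCb cb, void *user_data) {
    cb(t, user_data);
    transfer_unref(t);
}

/* BUGGY: the callback frees the buffer it does not own and leaves
 * t->buffer dangling, so transfer_unref frees the same block again. */
static void cb_frees_buffer(Transfer *t, void *user_data) {
    *(unsigned char *)user_data = t->buffer[0];
    tracked_free(t->buffer);
}

/* FIXED (a): copy out what is needed and leave ownership with the transfer. */
static void cb_copies_out(Transfer *t, void *user_data) {
    *(unsigned char *)user_data = t->buffer[0];
}

/* FIXED (b): take the buffer over explicitly. Clearing t->buffer is what
 * makes the later transfer_unref a no-op for it. */
static void cb_steals_buffer(Transfer *t, void *user_data) {
    unsigned char *buf = t->buffer;
    t->buffer = NULL;
    *(unsigned char *)user_data = buf[0];
    tracked_free(buf);
}

enum CallbackKind { CB_DOUBLE_FREE, CB_COPY_OUT, CB_STEAL };

/* Run one completion and report how many times the buffer address reached
 * free(): 1 is correct, 2 is the double free the report shows. */
static int run_completion(enum CallbackKind kind) {
    g_freed_count = 0;
    Transfer *t = transfer_new(8);
    memset(t->buffer, 0x5a, t->length);   /* constructed "register read" payload */
    uintptr_t buf_key = (uintptr_t)t->buffer;
    unsigned char reg = 0;
    CompletionCb cb = kind == CB_DOUBLE_FREE ? cb_frees_buffer
                    : kind == CB_COPY_OUT    ? cb_copies_out
                                             : cb_steals_buffer;
    transfer_finish(t, cb, &reg);
    return free_count_for(buf_key);
}
```

The tracked_free wrapper only exists to make the defect countable; in the real daemon the second free() is what glibc reports as "double free or corruption (fasttop)" before raising SIGABRT, which is the journal line above.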