ASAN crash in pipewire impl-link.c:check_states
ASAN crash in pipewire daemon, appearing at caf0b2df
This is triggered quite often when switching a Bluetooth headset between different HFP codecs while playing audio with paplay.
=================================================================
==183501==ERROR: AddressSanitizer: heap-use-after-free on address 0x61900002cbf8 at pc 0x7f2d86ae365c bp 0x7ffccfe5d440 sp 0x7ffccfe5d438
READ of size 4 at 0x61900002cbf8 thread T0
#0 0x7f2d86ae365b in check_states ../src/pipewire/impl-link.c:646
#1 0x7f2d86c339b6 in process_work_queue ../src/pipewire/work-queue.c:87
#2 0x7f2d74aaa5e6 in source_event_func ../spa/plugins/support/loop.c:490
#3 0x7f2d74aa42f3 in loop_iterate ../spa/plugins/support/loop.c:335
#4 0x7f2d86b0ceeb in pw_main_loop_run ../src/pipewire/main-loop.c:155
#5 0x564231387707 in main ../src/daemon/pipewire.c:129
#6 0x7f2d85a3eb74 in __libc_start_main (/lib64/libc.so.6+0x27b74)
#7 0x56423138629d in _start (/home/pauli/.local/lib/pipewire-local/bin/pipewire+0x429d)
0x61900002cbf8 is located 120 bytes inside of 1136-byte region [0x61900002cb80,0x61900002cff0)
freed by thread T0 here:
#0 0x7f2d87382647 in free (/lib64/libasan.so.6+0xae647)
#1 0x7f2d86af8ed6 in pw_impl_link_destroy ../src/pipewire/impl-link.c:1441
#2 0x7f2d86bb6702 in do_destroy_link ../src/pipewire/impl-port.c:1028
#3 0x7f2d86bbd345 in pw_impl_port_for_each_link ../src/pipewire/impl-port.c:1296
#4 0x7f2d86bb672f in pw_impl_port_unlink ../src/pipewire/impl-port.c:1034
#5 0x7f2d86bb8f1f in pw_impl_port_destroy ../src/pipewire/impl-port.c:1094
#6 0x7f2d86b57db3 in node_port_info ../src/pipewire/impl-node.c:1379
#7 0x7f2d7317b200 in clear_port ../src/modules/module-client-node/client-node.c:551
#8 0x7f2d7318a434 in client_node_port_update ../src/modules/module-client-node/client-node.c:1014
#9 0x7f2d731bbbe5 in client_node_demarshal_port_update ../src/modules/module-client-node/protocol-native.c:1071
#10 0x7f2d7463ed86 in process_messages ../src/modules/module-protocol-native.c:246
#11 0x7f2d746406b4 in connection_data ../src/modules/module-protocol-native.c:317
#12 0x7f2d74aa473f in source_io_func ../spa/plugins/support/loop.c:347
#13 0x7f2d74aa42f3 in loop_iterate ../spa/plugins/support/loop.c:335
#14 0x7f2d86b0ceeb in pw_main_loop_run ../src/pipewire/main-loop.c:155
#15 0x564231387707 in main ../src/daemon/pipewire.c:129
#16 0x7f2d85a3eb74 in __libc_start_main (/lib64/libc.so.6+0x27b74)
previously allocated by thread T0 here:
#0 0x7f2d87382af7 in calloc (/lib64/libasan.so.6+0xaeaf7)
#1 0x7f2d86aef63c in pw_context_create_link ../src/pipewire/impl-link.c:1193
#2 0x7f2d72de667b in create_object ../src/modules/module-link-factory.c:414
#3 0x7f2d86b722e5 in pw_impl_factory_create_object ../src/pipewire/impl-factory.c:270
#4 0x7f2d86a0158f in core_create_object ../src/pipewire/impl-core.c:331
#5 0x7f2d7466e1df in core_method_demarshal_create_object ../src/modules/module-protocol-native/protocol-native.c:628
#6 0x7f2d7463ed86 in process_messages ../src/modules/module-protocol-native.c:246
#7 0x7f2d74650db4 in do_resume ../src/modules/module-protocol-native.c:1113
#8 0x7f2d74aaa5e6 in source_event_func ../spa/plugins/support/loop.c:490
#9 0x7f2d74aa42f3 in loop_iterate ../spa/plugins/support/loop.c:335
#10 0x7f2d86b0ceeb in pw_main_loop_run ../src/pipewire/main-loop.c:155
#11 0x564231387707 in main ../src/daemon/pipewire.c:129
#12 0x7f2d85a3eb74 in __libc_start_main (/lib64/libc.so.6+0x27b74)
SUMMARY: AddressSanitizer: heap-use-after-free ../src/pipewire/impl-link.c:646 in check_states
Shadow bytes around the buggy address:
0x0c327fffd920: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c327fffd930: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c327fffd940: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c327fffd950: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
0x0c327fffd960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c327fffd970: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]
0x0c327fffd980: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c327fffd990: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c327fffd9a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c327fffd9b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c327fffd9c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==183501==ABORTING
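The trace above shows a deferred work item (check_states, run from process_work_queue) dereferencing a link that pw_impl_link_destroy already freed in an earlier loop iteration. The following is an added C model of that lifetime hazard and of the usual mitigation (cancel an object's pending work items before freeing it); it is not PipeWire's code, and the names (link, work_queue, link_create, link_destroy, run_scenario) are hypothetical stand-ins.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the object whose state check is deferred
 * onto a work queue (modelled on, but not copied from, impl-link.c). */
struct link {
    int id;
    int input_ready;
    int output_ready;
};

typedef void (*work_func)(void *obj);

struct work_item {
    void *obj;                 /* object the deferred callback will read */
    work_func func;
    struct work_item *next;
};

struct work_queue {
    struct work_item *head;
    int invoked;               /* callbacks that actually ran */
};

static void work_queue_add(struct work_queue *q, void *obj, work_func f)
{
    struct work_item *it = calloc(1, sizeof(*it));
    if (!it) abort();
    it->obj = obj;
    it->func = f;
    it->next = q->head;
    q->head = it;
}

/* Remove every pending item that still points at obj. The destroy path must
 * call this before freeing obj; without it, a later process() call reads
 * freed memory, which is exactly what ASAN reported above. */
static int work_queue_cancel(struct work_queue *q, void *obj)
{
    int removed = 0;
    struct work_item **pp = &q->head;
    while (*pp) {
        struct work_item *it = *pp;
        if (it->obj == obj) {
            *pp = it->next;
            free(it);
            removed++;
        } else {
            pp = &it->next;
        }
    }
    return removed;
}

static int pending_count(const struct work_queue *q)
{
    int n = 0;
    for (const struct work_item *it = q->head; it; it = it->next)
        n++;
    return n;
}

/* Drains the queue, as the main loop does on a later iteration. */
static void work_queue_process(struct work_queue *q)
{
    struct work_item *it;
    while ((it = q->head) != NULL) {
        q->head = it->next;
        it->func(it->obj);
        q->invoked++;
        free(it);
    }
}

/* Deferred check: reads fields of the link, the access type ASAN flagged. */
static void check_states(void *obj)
{
    struct link *l = obj;
    if (l->input_ready && l->output_ready)
        printf("link %d: both ports ready\n", l->id);
}

static struct link *link_create(struct work_queue *q, int id)
{
    struct link *l = calloc(1, sizeof(*l));
    if (!l) abort();
    l->id = id;
    work_queue_add(q, l, check_states);   /* schedule the deferred check */
    return l;
}

/* Hardened order: cancel the object's deferred work, then free it. */
static void link_destroy(struct work_queue *q, struct link *l)
{
    work_queue_cancel(q, l);
    free(l);
}

/* Scenario from the report: a link is destroyed while its check is still
 * queued, then the loop runs. Returns how many callbacks ran (expected 1). */
static int run_scenario(void)
{
    struct work_queue q = {0};
    struct link *a = link_create(&q, 1);
    struct link *b = link_create(&q, 2);
    link_destroy(&q, a);                  /* a's queued check is dropped */
    work_queue_process(&q);               /* only b's check runs */
    link_destroy(&q, b);
    return q.invoked;
}

int main(void)
{
    printf("callbacks run: %d\n", run_scenario());
    return 0;
}
```

The same check can be applied when reading a trace like the one above: if the "freed by" stack is a destroy path and the faulting stack is a work queue or event loop, look for a missing cancel of the deferred item in the destroy path.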