Segfault or crash in module-switch-on-port-available.c and card.c when card->active_profile is NULL
I experienced a crash on startup of pulseaudio while loading the module "switch-on-port-available".
My situation may be unusual for some reason - I was replacing an existing version of pulseaudio in my system (my distribution's version), so I assume that maybe there is some sort of invalid old configuration data saved somewhere, but nonetheless I think crashes shouldn't ever happen. I was using the head of master at 2eb8ec93 (Thu Dec 27 17:32:30 2018 +0530). I'm using Fedora 27 x86_64.
Here's the patch that fixed it for me:
diff --git a/src/modules/module-switch-on-port-available.c b/src/modules/module-switch-on-port-available.c
index 2fa7e4d62..99b743867 100644
--- a/src/modules/module-switch-on-port-available.c
+++ b/src/modules/module-switch-on-port-available.c
@@ -343,8 +343,10 @@ static pa_hook_result_t card_profile_available_hook_callback(pa_core *c, pa_card
if (profile->available != PA_AVAILABLE_NO)
return PA_HOOK_OK;
- if (!pa_streq(profile->name, card->active_profile->name))
- return PA_HOOK_OK;
+ if (card->active_profile) {
+ if (!pa_streq(profile->name, card->active_profile->name))
+ return PA_HOOK_OK;
+ }
pa_log_debug("Active profile %s on card %s became unavailable, switching to another profile", profile->name, card->name);
pa_card_set_profile(card, find_best_profile(card), false);
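Review bot: When card->active_profile is NULL, the new guard only skips the name comparison, so control falls through to the pa_log_debug and pa_card_set_profile(card, find_best_profile(card), false) lines below. The log then reports "Active profile ... became unavailable" and a profile switch is triggered although no profile is active. If nothing should happen in that state, return early with a single condition: if (!card->active_profile || !pa_streq(profile->name, card->active_profile->name)) return PA_HOOK_OK;. If the switch is intended, the debug message should be reworded for the NULL case, and a comment should say when active_profile can be NULL here; the Valgrind trace shows this hook firing from init_jacks during module-alsa-card initialization.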
diff --git a/src/pulsecore/card.c b/src/pulsecore/card.c
index f1628938b..b91ffa8be 100644
--- a/src/pulsecore/card.c
+++ b/src/pulsecore/card.c
@@ -334,7 +334,11 @@ int pa_card_set_profile(pa_card *c, pa_card_profile *profile, bool save) {
if (c->linked && (r = c->set_profile(c, profile)) < 0)
return r;
- pa_log_debug("%s: active_profile: %s -> %s", c->name, c->active_profile->name, profile->name);
+ if (c->active_profile) {
+ pa_log_debug("%s: active_profile: %s -> %s", c->name, c->active_profile->name, profile->name);
+ } else {
+ pa_log_debug("%s: active_profile: None -> %s", c->name, profile->name);
+ }
c->active_profile = profile;
c->save_profile = save;
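Review bot: The if/else around pa_log_debug duplicates the whole call just to substitute the old profile name. A single call that passes c->active_profile ? c->active_profile->name : "None" as the argument keeps the format string in one place. The change also establishes that active_profile may be NULL on entry to pa_card_set_profile, which is worth a comment at this point, and the rest of the function (not shown in this hunk) should be checked for other dereferences of c->active_profile that would need the same guard.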
This is the log from Valgrind when the error happened:
==32619== Invalid read of size 8
==32619== at 0x17143168: card_profile_available_hook_callback (module-switch-on-port-available.c:346)
==32619== by 0x4E661D2: pa_hook_fire (hook-list.c:104)
==32619== by 0x1776FD22: report_jack_state (module-alsa-card.c:504)
==32619== by 0x17771003: init_jacks (module-alsa-card.c:641)
==32619== by 0x17771003: module_alsa_card_LTX_pa__init (module-alsa-card.c:925)
==32619== by 0x4E68395: pa_module_load (module.c:191)
==32619== by 0x173497C4: verify_access (module-udev-detect.c:336)
==32619== by 0x1734A982: process_path (module-udev-detect.c:486)
==32619== by 0x1734A982: module_udev_detect_LTX_pa__init (module-udev-detect.c:802)
==32619== by 0x4E68395: pa_module_load (module.c:191)
==32619== by 0x4E5596D: pa_cli_command_load (cli-command.c:437)
==32619== by 0x4E5D42B: pa_cli_command_execute_line_stateful (cli-command.c:2141)
==32619== by 0x4E5DB80: pa_cli_command_execute_file_stream (cli-command.c:2181)
==32619== by 0x40708F: main (main.c:1097)
==32619== Address 0x8 is not stack'd, malloc'd or (recently) free'd
==32619==
==32619==
==32619== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==32619== Access not within mapped region at address 0x8
==32619== at 0x17143168: card_profile_available_hook_callback (module-switch-on-port-available.c:346)
==32619== by 0x4E661D2: pa_hook_fire (hook-list.c:104)
==32619== by 0x1776FD22: report_jack_state (module-alsa-card.c:504)
==32619== by 0x17771003: init_jacks (module-alsa-card.c:641)
==32619== by 0x17771003: module_alsa_card_LTX_pa__init (module-alsa-card.c:925)
==32619== by 0x4E68395: pa_module_load (module.c:191)
==32619== by 0x173497C4: verify_access (module-udev-detect.c:336)
==32619== by 0x1734A982: process_path (module-udev-detect.c:486)
==32619== by 0x1734A982: module_udev_detect_LTX_pa__init (module-udev-detect.c:802)
==32619== by 0x4E68395: pa_module_load (module.c:191)
==32619== by 0x4E5596D: pa_cli_command_load (cli-command.c:437)
==32619== by 0x4E5D42B: pa_cli_command_execute_line_stateful (cli-command.c:2141)
==32619== by 0x4E5DB80: pa_cli_command_execute_file_stream (cli-command.c:2181)
==32619== by 0x40708F: main (main.c:1097)