Dear Maintainer,
I tried to get some more information from the kernel message.

This led me to this line:
  at 0x55555556ee99: file gpm-engine.c, line 540.

There the array is dereferenced unconditionally:
  
https://sources.debian.org/src/mate-power-manager/1.24.2-1/src/gpm-engine.c/#L540
  539   array = up_client_get_devices2 (engine->priv->client);
  540   for (i=0;i<array->len;i++) {

Therefore the assertion message just before the segfault
seems related:
  up_client_get_devices2: assertion 'UP_IS_CLIENT (client)' failed

That points to this line in upower:
  https://cgit.freedesktop.org/upower/tree/libupower-glib/up-client.c#n117
  117   g_return_val_if_fail (UP_IS_CLIENT (client), NULL);

And therefore "array" appears to be the NULL pointer returned by that
g_return_val_if_fail: the faulting address in "segfault at 8" matches a
read of array->len, which sits at offset 8 of a GPtrArray (see the ptype
output below), i.e. a NULL-pointer dereference at line 540.

So the client passed to up_client_get_devices2 (engine->priv->client) is
already suspicious: it failed the UP_IS_CLIENT() type check, so it was not
a valid UpClient instance at that point. Note also that the caller does
not check the return value of up_client_get_devices2 for NULL, which turns
what should be a logged critical into a crash of the power manager.


Unfortunately I have not found any related
entry in upstream bug trackers.
Details in attached file.

Kind regards,
Bernhard
# Bullseye/testing amd64 qemu VM 2021-03-06


apt update
apt dist-upgrade


apt install systemd-coredump mate xserver-xorg lightdm gdb mate-power-manager-dbgsym


reboot




https://wiki.debian.org/InterpretingKernelOutputAtProcessCrash

From submitter:
[  349.205142] mate-power-mana[3580]: segfault at 8 ip 00005641ef93ae99 sp 
00007ffcb468bf60 error 4 in mate-power-manager[5641ef928000+1a000]
[  349.205154] Code: 00 49 8b 44 24 18 31 db 48 8b 78 20 e8 b0 01 ff ff 4c 89 
e7 e8 68 f5 ff ff 49 8b 44 24 18 48 8b 78 08 e8 fa e3 fe ff 48 89 c5 <8b> 40 08 
85 c0 74 1a 48 8b 45 00 89 da 4c 89 e7 83 c3 01 48 8b 34

error 4 == 0b00000100 (page-fault error code bits, low to high):
- bit 0 = 0: no page found (not a protection fault)
- bit 1 = 0: read access (not a write)
- bit 2 = 1: user-mode access (not kernel mode)
i.e. a user-space read of an unmapped address.

echo -n "find /b ..., ..., 0x" && \
echo "00 49 8b 44 24 18 31 db 48 8b 78 20 e8 b0 01 ff ff 4c 89 e7 e8 68 f5 ff 
ff 49 8b 44 24 18 48 8b 78 08 e8 fa e3 fe ff 48 89 c5 <8b> 40 08 85 c0 74 1a 48 
8b 45 00 89 da 4c 89 e7 83 c3 01 48 8b 34" \
 | sed 's/[<>]//g' | sed 's/ /, 0x/g'

find /b ..., ..., 0x00, 0x49, 0x8b, 0x44, 0x24, 0x18, 0x31, 0xdb, 0x48, 0x8b, 
0x78, 0x20, 0xe8, 0xb0, 0x01, 0xff, 0xff, 0x4c, 0x89, 0xe7, 0xe8, 0x68, 0xf5, 
0xff, 0xff, 0x49, 0x8b, 0x44, 0x24, 0x18, 0x48, 0x8b, 0x78, 0x08, 0xe8, 0xfa, 
0xe3, 0xfe, 0xff, 0x48, 0x89, 0xc5, 0x8b, 0x40, 0x08, 0x85, 0xc0, 0x74, 0x1a, 
0x48, 0x8b, 0x45, 0x00, 0x89, 0xda, 0x4c, 0x89, 0xe7, 0x83, 0xc3, 0x01, 0x48, 
0x8b, 0x34




gdb -q
set width 0
set pagination off
file /usr/bin/mate-power-manager
tb main
run

info target
...
        0x000055555555d760 - 0x0000555555575a11 is .text
...


find /b 0x000055555555d760, 0x0000555555575a11, 0x00, 0x49, 0x8b, 0x44, 0x24, 
0x18, 0x31, 0xdb, 0x48, 0x8b, 0x78, 0x20, 0xe8, 0xb0, 0x01, 0xff, 0xff, 0x4c, 
0x89, 0xe7, 0xe8, 0x68, 0xf5, 0xff, 0xff, 0x49, 0x8b, 0x44, 0x24, 0x18, 0x48, 
0x8b, 0x78, 0x08, 0xe8, 0xfa, 0xe3, 0xfe, 0xff, 0x48, 0x89, 0xc5, 0x8b, 0x40, 
0x08, 0x85, 0xc0, 0x74, 0x1a, 0x48, 0x8b, 0x45, 0x00, 0x89, 0xda, 0x4c, 0x89, 
0xe7, 0x83, 0xc3, 0x01, 0x48, 0x8b, 0x34
0x55555556ee6f <gpm_engine_coldplug_idle_cb+79>
1 pattern found.

b * (0x55555556ee6f + 42)
Breakpoint 2 at 0x55555556ee99: file gpm-engine.c, line 540.

info b
Num     Type           Disp Enb Address            What
2       breakpoint     keep y   0x000055555556ee99 in 
gpm_engine_coldplug_idle_cb at gpm-engine.c:540

disassemble /r 0x55555556ee6f, 0x55555556ee6f + 62
Dump of assembler code from 0x55555556ee6f to 0x55555556eead:
   0x000055555556ee6f <gpm_engine_coldplug_idle_cb+79>:     00 49 8b        add 
   %cl,-0x75(%rcx)
   0x000055555556ee72 <gpm_engine_coldplug_idle_cb+82>:     44 24 18        
rex.R and $0x18,%al
   0x000055555556ee75 <gpm_engine_coldplug_idle_cb+85>:     31 db           xor 
   %ebx,%ebx
   0x000055555556ee77 <gpm_engine_coldplug_idle_cb+87>:     48 8b 78 20     mov 
   0x20(%rax),%rdi
   0x000055555556ee7b <gpm_engine_coldplug_idle_cb+91>:     e8 b0 01 ff ff  
call   0x55555555f030 <gpm_phone_coldplug>
   0x000055555556ee80 <gpm_engine_coldplug_idle_cb+96>:     4c 89 e7        mov 
   %r12,%rdi
   0x000055555556ee83 <gpm_engine_coldplug_idle_cb+99>:     e8 68 f5 ff ff  
call   0x55555556e3f0 <gpm_engine_recalculate_state>
   0x000055555556ee88 <gpm_engine_coldplug_idle_cb+104>:    49 8b 44 24 18  mov 
   0x18(%r12),%rax
   0x000055555556ee8d <gpm_engine_coldplug_idle_cb+109>:    48 8b 78 08     mov 
   0x8(%rax),%rdi
   0x000055555556ee91 <gpm_engine_coldplug_idle_cb+113>:    e8 fa e3 fe ff  
call   0x55555555d290 <up_client_get_devices2@plt>
   0x000055555556ee96 <gpm_engine_coldplug_idle_cb+118>:    48 89 c5        mov 
   %rax,%rbp
***0x000055555556ee99 <gpm_engine_coldplug_idle_cb+121>:    8b 40 08        mov 
   0x8(%rax),%eax
   0x000055555556ee9c <gpm_engine_coldplug_idle_cb+124>:    85 c0           
test   %eax,%eax
   0x000055555556ee9e <gpm_engine_coldplug_idle_cb+126>:    74 1a           je  
   0x55555556eeba <gpm_engine_coldplug_idle_cb+154>
   0x000055555556eea0 <gpm_engine_coldplug_idle_cb+128>:    48 8b 45 00     mov 
   0x0(%rbp),%rax
   0x000055555556eea4 <gpm_engine_coldplug_idle_cb+132>:    89 da           mov 
   %ebx,%edx
   0x000055555556eea6 <gpm_engine_coldplug_idle_cb+134>:    4c 89 e7        mov 
   %r12,%rdi
   0x000055555556eea9 <gpm_engine_coldplug_idle_cb+137>:    83 c3 01        add 
   $0x1,%ebx
   0x000055555556eeac <gpm_engine_coldplug_idle_cb+140>:    48 8b 34 d0     mov 
   (%rax,%rdx,8),%rsi
End of assembler dump.




mate-power-manager-dbgsym_1.24.2-1_amd64.deb
https://sources.debian.org/src/mate-power-manager/1.24.2-1/src/gpm-engine.c/#L540
        for (i=0;i<array->len;i++) {

https://git.mate-desktop.org/mate-power-manager/tree/src/gpm-engine.c#n538

https://cgit.freedesktop.org/upower/tree/libupower-glib/up-client.c#n117


(gdb) ptype /o GPtrArray
type = struct _GPtrArray {
/*    0      |     8 */    gpointer *pdata;
/*    8      |     4 */    guint len;
/* XXX  4-byte padding  */

                           /* total size (bytes):   16 */
                         }

https://github.com/mate-desktop/mate-power-manager/issues?q=is%3Aissue+is%3Aopen+gpm_engine_coldplug_idle_cb
https://gitlab.freedesktop.org/groups/upower/-/issues?scope=all&utf8=%E2%9C%93&state=opened&search=up_client_get_devices2
