https://bugs.kde.org/show_bug.cgi?id=520469
Bug ID: 520469
Summary: drkonqi-coredump-launcher segfaults in QtCore when
kcrash-metadata is missing; user-systemd socket
re-triggers it on its own coredump which produces
infinite loop and blocks shutdown
Classification: Applications
Product: drkonqi
Version First Reported In: 6.6.4
Platform: Other
OS: Linux
Status: REPORTED
Severity: major
Priority: NOR
Component: general
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
Created attachment 192503
--> https://bugs.kde.org/attachment.cgi?id=192503&action=edit
compressed coredump (1.9 MB) of the first drkonqi crash
DESCRIPTION
When drkonqi-coredump-launcher is invoked by systemd-coredump to process a
crash of a process that did not produce a kcrash-metadata file (e.g., a
snap-confined Spotify abort), it logs the expected warning ("Unable to find
file for pid X expected at …", "KCrash metadata not marked complete") but then
segfaults at a null pointer inside libQt6Core (libQt6Core.so.6.10.2 offset
0x1f5793, "segfault at 0").
Because the user-level drkonqi-coredump-launcher.socket activates the service
for every coredump processed by systemd-coredump, including coredumps produced
by drkonqi-coredump-launcher itself, this creates an infinite respawn loop.
The loop holds the user session slice busy, so KDE's shutdown path never
finishes draining it; logind never reaches poweroff.target. The system stays in
graphical.target indefinitely.
In a 4h 25min window, this produced 863 coredumps consuming 1.8 GB of disk.
STEPS TO REPRODUCE
1. Plasma 6.6.4 Wayland session on Ubuntu 26.04.
2. Run the Spotify snap.
3. Initiate "Shut Down" from the Plasma menu.
4. Spotify aborts (SIGABRT) during the logout sequence.
5. systemd-coredump invokes drkonqi-coredump-launcher to handle it.
6. drkonqi-coredump-launcher logs the kcrash-metadata warnings, then segfaults
in QtCore.
7. The .socket re-triggers a new instance to handle the drkonqi coredump.
8. The new instance segfaults identically. Loop continues until the user
manually stops the socket.
OBSERVED RESULT
- segfault at 0 in libQt6Core.so.6.10.2[1f5793,…] (null pointer deref)
- Each new instance respawns ~25-30 seconds later (the time it takes
systemd-coredump to compress the dump and trigger the launcher again)
- Logout never completes; system stays in graphical.target
EXPECTED RESULT
- drkonqi-coredump-launcher should exit non-zero (and not crash) when the
expected $XDG_RUNTIME_DIR/kcrash-metadata/<…>.ini file is absent.
- The launcher unit/socket should not re-process coredumps of itself, OR
the service should declare StartLimitBurst / StartLimitIntervalSec so
repeated failures stop being re-triggered.
SOFTWARE/OS VERSIONS
Operating System (available in the Info Center app, or by running `kinfo` in a
terminal window):
KDE Plasma Version:
KDE Frameworks Version:
Qt Version:
ADDITIONAL INFORMATION
ENVIRONMENT:
KDE Plasma: 6.6.4 (Wayland)
KWin: 6.6.4
drkonqi: 6.6.4 (Ubuntu package 6.6.4-0ubuntu1)
KF6 KCrash: 6.24.0
Qt: 6.10.2
Distribution: Ubuntu 26.04 LTS (kernel 7.0.0-15-generic, x86_64)
Trigger of first crash in chain: Spotify snap rev 94 (1.2.86.502.g8cd7fb22)
ROOT CAUSE HYPOTHESIS:
Snap-confined processes never produce a kcrash-metadata file (AppArmor
confinement / DBus session unavailable at abort time). drkonqi handles that
condition with a warning but continues to a code path that assumes the
metadata-parsed object exists, then dereferences it.
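A triage check for the respawn loop described in this report, added here as an example and not part of the bug report or of drkonqi: given crash records (time, executable), it flags runs in which the crash handler keeps dumping core on its own coredumps and names the crash that started the chain. The record format, the thresholds and the sample data are assumptions constructed for illustration; only the executable name comes from the report.

```python
from dataclasses import dataclass
from typing import Optional

HANDLER = "drkonqi-coredump-launcher"  # executable name as given in the report


@dataclass
class Loop:
    trigger: Optional[str]  # crash seen just before the chain began, if any
    start: int              # epoch seconds of the first handler crash
    end: int                # epoch seconds of the last handler crash
    count: int              # number of handler crashes in the chain


def find_handler_loops(events, handler=HANDLER, max_gap=60, min_count=3):
    """events: (epoch_seconds, executable) tuples sorted by time.

    A chain is a run of handler crashes, each within max_gap seconds of
    the previous one. Chains shorter than min_count are ignored.
    max_gap and min_count are assumed thresholds, tune them per host.
    """
    loops, run, trigger, prev = [], [], None, None

    def flush():
        if len(run) >= min_count:
            loops.append(Loop(trigger, run[0], run[-1], len(run)))

    for ts, exe in events:
        if exe == handler and run and ts - run[-1] <= max_gap:
            run.append(ts)  # handler crashed again on its own dump
        else:
            flush()
            if exe == handler:
                # First handler crash: remember what it was processing.
                near = prev is not None and ts - prev[0] <= max_gap
                trigger = prev[1] if near else None
                run = [ts]
            else:
                run = []
        prev = (ts, exe)
    flush()
    return loops


# Constructed sample: one application abort followed by a handler chain,
# then an unrelated crash with a single handler failure (not a loop).
SAMPLE = [
    (1000, "spotify"), (1027, HANDLER), (1054, HANDLER), (1082, HANDLER),
    (1110, HANDLER), (5000, "firefox"), (5020, HANDLER),
]
```
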