MASTER NetworkManager 0.7 crashed with SIGSEGV in nm_device_get_act_request()

StacktraceTop:nm_device_get_act_request ()
?? ()
g_main_context_dispatch ()
?? () from /usr/lib/libglib-2.0.so.0
g_main_loop_run () from /usr/lib/libglib-2.0.so.0

apport failed. I retraced locally and got:

(gdb) bt
#0 0x0000000000410dad in nm_device_get_act_request (self=0x147a060) at nm-device.c:346
#1 0x000000000041a02e in supplicant_iface_connection_state_cb_handler (user_data=<value optimized out>)
    at nm-device-wifi.c:2177
#2 0x00007faab721cea2 in IA__g_main_context_dispatch (context=0x14667c0) at /build/buildd/glib2.0-2.17.7/glib/gmain.c:2073
#3 0x00007faab722063d in g_main_context_iterate (context=0x14667c0, block=1, dispatch=1, self=<value optimized out>)
    at /build/buildd/glib2.0-2.17.7/glib/gmain.c:2706
#4 0x00007faab7220b6d in IA__g_main_loop_run (loop=0x14644b0) at /build/buildd/glib2.0-2.17.7/glib/gmain.c:2929
#5 0x000000000042611e in main (argc=1, argv=0x7fffc07ff0f8) at NetworkManager.c:339

(gdb) bt full
#0 0x0000000000410dad in nm_device_get_act_request (self=0x147a060) at nm-device.c:346
 __PRETTY_FUNCTION__ = "nm_device_get_act_request"
#1 0x000000000041a02e in supplicant_iface_connection_state_cb_handler (user_data=<value optimized out>)
    at nm-device-wifi.c:2177
 cb_data = (struct state_cb_data *) 0x1490c90
 self = (NMDeviceWifi *) 0x147a060
 dev = <value optimized out>
 new_state = 0
 old_state = 1
#2 0x00007faab721cea2 in IA__g_main_context_dispatch (context=0x14667c0) at /build/buildd/glib2.0-2.17.7/glib/gmain.c:2073
No locals.
#3 0x00007faab722063d in g_main_context_iterate (context=0x14667c0, block=1, dispatch=1, self=<value optimized out>)
    at /build/buildd/glib2.0-2.17.7/glib/gmain.c:2706
 max_priority = 200
 timeout = 0
 some_ready = 1
 nfds = 3
 allocated_nfds = <value optimized out>
 fds = (GPollFD *) 0x14735f0
 __PRETTY_FUNCTION__ = "g_main_context_iterate"
#4 0x00007faab7220b6d in IA__g_main_loop_run (loop=0x14644b0) at /build/buildd/glib2.0-2.17.7/glib/gmain.c:2929
 self = (GThread *) 0x145aaa0
 __PRETTY_FUNCTION__ = "IA__g_main_loop_run"
#5 0x000000000042611e in main (argc=1, argv=0x7fffc07ff0f8) at NetworkManager.c:339
 opt_ctx = <value optimized out>
 become_daemon = 1
 pidfile = 0x145a850 "/var/run/NetworkManager.pid"
 user_pidfile = 0x0
 success = <value optimized out>
 policy = (NMPolicy *) 0x1471db0
 vpn_manager = (NMVPNManager *) 0x14674a0
 named_mgr = <value optimized out>
 dbus_mgr = (NMDBusManager *) 0x145cd80
 sup_mgr = (NMSupplicantManager *) 0x145d040
 options = {{long_name = 0x44e526 "no-daemon", short_name = 0 '\0', flags = 0, arg = G_OPTION_ARG_NONE,
    arg_data = 0x7fffc07fefcc, description = 0x44e530 "Don't become a daemon", arg_description = 0x0}, {
    long_name = 0x44e546 "pid-file", short_name = 0 '\0', flags = 0, arg = G_OPTION_ARG_FILENAME,
    arg_data = 0x7fffc07fefc0, description = 0x44e040 "Specify the location of a PID file",
    arg_description = 0x44e54f "filename"}, {long_name = 0x0, short_name = 0 '\0', flags = 0, arg = G_OPTION_ARG_NONE,
    arg_data = 0x0, description = 0x0, arg_description = 0x0}}
 __PRETTY_FUNCTION__ = "main"

More gdb output suggests that self->priv is either freed or not instantiated at all.

#0 0x0000000000410dad in nm_device_get_act_request (self=0x147a060) at nm-device.c:346
346 return self->priv->act_request;
(gdb) l
341 NMActRequest *
342 nm_device_get_act_request (NMDevice *self)
343 {
344 g_return_val_if_fail (self != NULL, NULL);
345
346 return self->priv->act_request;
347 }
348
349
350 gboolean
(gdb) p self
$1 = (NMDevice *) 0x147a060
(gdb) p self->priv
$2 = (NMDevicePrivate *) 0xaaaaaaaaaaaaaaaa

attaching encrypted CoreDump.gpg in case you need it for evalution, just ask me for an unencrypted version.

I believe this is the same bug I'm seeing.

I'm using an external USB wireless card. I share this between two notebooks (both have unsupported internal cards), so I'm constantly pulling it from one notebook and putting it in the other.

Under Hardy, this is no problem. Pull card out, plug it back in, network manager recovers. Under Intrepid, pulling the card out causes NM to crash. I have to plug the card back in and /etc/init.d/NetworkManager restart to make it work again.

Definite regression from Hardy.

rt73usb driver.
Bus 005 Device 024: ID 050d:705a Belkin Components F5D7050A Wireless Adapter

I just tried unplugging my usb wireless adapter and plugging it in again, and it did cause nm-applet to disappear, but I received no notification of a crash(does it notify you if you are on a non administrative desktop or if it has already been reported?). I did get some messages in daemon.log(attached).

btw, we are using different Belkin adapters and drivers, so it would be a software problem if it is related.

I see a similar crash which is reliably reproducible on my system if a network interface disappears (e.g. unloading my wireless module).

I can confirm that removing and replacing the device causes the crash.

Targeted for Intrepid as this is a regression

What appears to happen here is that NM uses a scheduled callback to perform actions on device objects. however, those device objects are neither refcounted nor are the callbacks cancelled when the device goes down and we end up accessing freed memory in the callback.

the attached patch (committed as rev 2865/2866) appears to fix the crash here for both: unplug and unload module.

patch forwarded upstream.

Removing and replacing the device causes the crash.

Not fixed with this patch. I rebuilt the package with this patch included, but I still have crashes.

I resumed from suspend, NM does not reconnect to my AP, I removed the device, and plugged it back in-> crash.

I had both b43 and ndiswrapper loading (accidentally) after my upgrade to intrepid and 2.6.27. The purpose of the upgrade was to test the b43 driver on the 2.6.27 kernel (as requested by one of the automated launchpad systems). Crash occurred shortly after running "modprobe -r ndiswrapper" to remove the ndiswrapper driver.

NetworkManager crashed as soon as I enabled the firmware for my wireless Broadcom 4311. I mean, I just checked "enable" in the popup window and closed it.

After installing Intrepid on a Dell Inspiron 1521 with the Broadcom 4312 wireless, and updating to the current repositories (as of ~22:00 GMT), NetworkManager still crashed as described by Allberto Emiliani.

Executing "Edit Connections" also triggered the same error message on exit (after doing nothing).

After manually copying the directory (and contents) /lib/firmware/b43 from the previous install of Hardy (Ubuntu 8.04) into the same place in the Intrepid install file system, I now can left click on the Gnome network icon and connect via the Broadcom wireless interface, though.

This bug was fixed in the package network-manager - 0.7~~svn20080908t183521+eni0-0ubuntu1

---------------
network-manager (0.7~~svn20080908t183521+eni0-0ubuntu1) intrepid; urgency=low

  [ Alexander Sack <email address hidden> ]
  * new upstream snapshot (Mon 2008-09-08 18:35:21 rev3504)
  * merge improved ifupdown system config implementation from main.eni branch;
    Mon 2008-09-08 20:47:20 +0200; rev 2828
  * Fix LP: #255839 - "0.7 N-M "system setting" does not work"; we create the
    /etc/NetworkManager/system-connections/ directory during package install now
    - update debian/network-manager.dirs
  * adjust patch due to changed ifupdown plugin source dir
    - update debian/patches/50_gcc43.patch
  * fix LP: #256480 - "network-manager 0.7 breaks resolvconf integration"; we
    pass --with-resolvconf=/sbin/resolvconf to configure.
    - update debian/rules
  * (proposed) fix LP: #259503 - "crashes when unplugging device (or unloading
    module)" - crash caused by idle handler accessing already freed device.
    We fix that for wireless and ethernet, which both were affected by
    properly refcounting the device gobjects.
    - add debian/patches/80_lp259503_access_to_freed_device_struct.patch
    - update debian/patches/series
  * drop ifupdown from Depends: - there is no sense to depend on replacements
    - update debian/control
  * drop patch applied upstream
    - delete debian/patches/05-debian_backend.patch
    - update debian/patches/series
  * Fix LP: #261688 - NetworkManager build dependency for "libdbus-glib-1-dev
    (>= 0.60)" incorrect; we adjust the version to >= 0.74.
    - update debian/control
  * bump shlibs requirements for libnm-util0 and libnm-glib0 packages to >=
    0.7~~svn20080908
    - update debian/rules
  * Fix - Networkmanager doesn't update resolv.conf when resolvconf is
    installed, but /etc/resolv.conf isnt a link; we fix that by honouring
    the resolvconf exit code and fall back to "normal" named behaviour in case
    it fails. This requires a resolvconf update which currently doesnt return
    a non-zero exit code when it fails in such a way.
    - add debian/patches/honour_resolvconf_exitcode.patch
    - update debian/patche/series

  [ Matt Zimmerman <email address hidden> ]
  * Add apport package hook (LP: #258552)
    - add debian/network-manager.links
    - add debian/source_network-manager.py
    - update debian/network-manager.install

 -- Alexander Sack <email address hidden> Tue, 09 Sep 2008 16:24:08 +0200

New version compiles fine using apt-build on my system, something crashes when I select a network and I'm unable to establish a connection using iwconfig and dhclient like I am usually able to when other methods fail.

I'm sorry about the messages in quick succession... Should have read "...but after upgrading the packages and rebooting something crashes...."

Just wanted to comment that I haven't seen this problem recently on my system, so *knock-on-wood* the update seems to have fixed it for me. Thank you.

hmm interesting- the crash comes everytime i logon the system - 9.04 - and network manager has the same issue in versions before that first time connect to hidden wpa(2) wlan is not possible but second time works