modem_update_interfaces could crash if the "org.ofono.ConnectionManager" interface is removed right after it has been added, before the GetContext call completes (or if it fails):
connmand[5141]: plugins/ofono.c:modem_changed() /ril_0 Interfaces 0x05 connmand[5141]: plugins/ofono.c:modem_update_interfaces() /ril_0 connmand[5141]: plugins/ofono.c:api_added() cm added connmand[5141]: plugins/ofono.c:get_properties() /ril_0 path /ril_0 org.ofono.ConnectionManager connmand[5141]: plugins/ofono.c:cm_get_contexts() /ril_0 connmand[5141]: plugins/ofono.c:cm_update_attached() /ril_0 Attached 1 connmand[5141]: plugins/ofono.c:modem_changed() /ril_0 Interfaces 0x01 connmand[5141]: plugins/ofono.c:modem_update_interfaces() /ril_0 connmand[5141]: plugins/ofono.c:api_removed() cm removed ==5141== Invalid read of size 4 ==5141== at 0x31FB4: modem_update_interfaces (ofono.c:2147) ==5141== by 0x326F3: modem_changed (ofono.c:2214) ==5141== by 0x82C0B: signal_filter (watch.c:407) ==5141== by 0x82A4F: message_filter (watch.c:557) ==5141== by 0x497AF4F: dbus_connection_dispatch (in /usr/lib/libdbus-1.so.3.7.12) ==5141== by 0x8197F: message_dispatch (mainloop.c:72) ==5141== by 0x48ABA8B: g_idle_dispatch (gmain.c:5251) ==5141== by 0x48AFB1F: g_main_dispatch (gmain.c:3066) ==5141== by 0x48AFB1F: g_main_context_dispatch (gmain.c:3642) ==5141== by 0x48AFE23: g_main_context_iterate.part.19 (gmain.c:3713) ==5141== by 0x48B048B: g_main_loop_run (gmain.c:3906) ==5141== by 0x149D3: main (main.c:779) ==5141== Address 0x0 is not stack'd, malloc'd or (recently) free'd ==5141== ==5141== ==5141== Process terminating with default action of signal 11 (SIGSEGV): dumping core ==5141== Access not within mapped region at address 0x0 ==5141== at 0x31FB4: modem_update_interfaces (ofono.c:2147) ==5141== by 0x326F3: modem_changed (ofono.c:2214) ==5141== by 0x82C0B: signal_filter (watch.c:407) ==5141== by 0x82A4F: message_filter (watch.c:557) ==5141== by 0x497AF4F: dbus_connection_dispatch (in /usr/lib/libdbus-1.so.3.7.12) ==5141== by 0x8197F: message_dispatch (mainloop.c:72) ==5141== by 0x48ABA8B: g_idle_dispatch (gmain.c:5251) ==5141== by 0x48AFB1F: g_main_dispatch (gmain.c:3066) 
==5141== by 0x48AFB1F: g_main_context_dispatch (gmain.c:3642)
==5141== by 0x48AFE23: g_main_context_iterate.part.19 (gmain.c:3713)
==5141== by 0x48B048B: g_main_loop_run (gmain.c:3906)
==5141== by 0x149D3: main (main.c:779)
---
 plugins/ofono.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/plugins/ofono.c b/plugins/ofono.c
index 5cd8302..267b3bd 100644
--- a/plugins/ofono.c
+++ b/plugins/ofono.c
@@ -2142,8 +2142,18 @@ static void modem_update_interfaces(struct modem_data *modem,
 	if (api_added(old_ifaces, new_ifaces, OFONO_API_CDMA_NETREG))
 		cdma_netreg_get_properties(modem);
 
-	if (api_removed(old_ifaces, new_ifaces, OFONO_API_CM))
-		remove_cm_context(modem, modem->context->path);
+	if (api_removed(old_ifaces, new_ifaces, OFONO_API_CM)) {
+		if (modem->call_get_contexts) {
+			DBG("cancelling pending GetContexts call");
+			dbus_pending_call_cancel(modem->call_get_contexts);
+			dbus_pending_call_unref(modem->call_get_contexts);
+			modem->call_get_contexts = NULL;
+		}
+		if (modem->context) {
+			DBG("removing context %s", modem->context->path);
+			remove_cm_context(modem, modem->context->path);
+		}
+	}
 
 	if (api_removed(old_ifaces, new_ifaces, OFONO_API_CDMA_CM))
 		remove_cm_context(modem, modem->context->path);
-- 
1.8.3.2

_______________________________________________
connman mailing list
connman@connman.net
https://lists.connman.net/mailman/listinfo/connman
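Review bot: The OFONO_API_CDMA_CM branch at the bottom of the hunk still dereferences `modem->context->path` unconditionally, so the same NULL read that this patch guards against for OFONO_API_CM remains reachable if the CDMA ConnectionManager interface disappears while `modem->context` is NULL. The guard added for the CM case should be mirrored there, e.g. `if (api_removed(old_ifaces, new_ifaces, OFONO_API_CDMA_CM) && modem->context) remove_cm_context(modem, modem->context->path);`, unless remove_cm_context is known to tolerate a NULL context (not visible here). Whether a pending CDMA-side property/context call also needs cancelling cannot be told from this hunk and is worth checking in the same way as `call_get_contexts`. The enclosing modem_update_interfaces function starts and ends outside the hunk.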