Hi Daniel,
On Fri, Oct 08, 2010 at 05:31:49PM +0200, Daniel Wagner wrote:
> From: Daniel Wagner <[email protected]>
>
> __connman_counter_register registers with g_dbus_add_disconnect_watch
> only the disconnect function callback and not the connect
> function.
>
> When the owner disconnects service_filter is called
> eventually. In service_filter filter_data_remove_callback is called
> twice (see backtrace below). This leads to a double free.
I think the issue you're hitting is because when the owner disconnects,
service_filter gets called and does 2 things:
1) It calls the disconnect function:
        if (cb->disc_func)
                cb->disc_func(connection, cb->user_data);
which in our case is owner_disconnect(). The latter removes the counter from
the hash table, which then calls remove_counter() which eventually removes the
watch by calling g_dbus_remove_watch(). Eventually
filter_data_remove_callback() is called from there.
2) It calls filter_data_remove_callback() itself at line 484, with the same
data pointer that was used in 1). That causes the double free you're seeing.
I can reproduce this bug by simply running test-counter and Ctrl-c'ing it.
My fix for that issue is to not remove the watch from the remove counter
routine. When owner_disconnect is called, the watch will be removed so no need
to remove it twice.
The watch should only be removed when the counter is unregistered.
We had the same issue in session.c by the way, I just pushed a fix for both of
them. Could you please give it a try?
Cheers,
Samuel.
--
Intel Open Source Technology Centre
http://oss.intel.com/
_______________________________________________
connman mailing list
[email protected]
http://lists.connman.net/listinfo/connman
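The two-path removal Samuel describes (the disconnect callback tearing down the watch, then service_filter removing the same callback data again) is easy to model without D-Bus. The following C program is an added illustration, not connman's or gdbus's code: the watch table, add_disconnect_watch(), remove_watch(), service_filter_disconnect() and the counter struct are constructed stand-ins. Instead of actually freeing the callback data, remove_watch() counts how many times it is hit, so the double free shows up as a number rather than as heap corruption. The `remove_watch_on_remove` flag switches between the buggy remove_counter() and the fixed one that leaves watch removal to the explicit unregister path.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of a gdbus-style disconnect watch table (added example,
 * not connman's or gdbus's real implementation). */
typedef void (*disc_func_t)(void *user_data);

struct watch {
    unsigned id;          /* 0 marks an unused slot */
    disc_func_t disc_func;
    void *user_data;
    int removed;          /* times remove_watch() hit this slot; >1 models a double free */
};

#define MAX_WATCHES 4
static struct watch watches[MAX_WATCHES];
static unsigned next_id;
static int double_removes;   /* removes that landed on an already-freed watch */

static void reset_bus(void)
{
    memset(watches, 0, sizeof watches);
    next_id = 1;
    double_removes = 0;
}

static struct watch *find_watch(unsigned id)
{
    for (int i = 0; i < MAX_WATCHES; i++)
        if (watches[i].id == id)
            return &watches[i];
    return NULL;
}

/* Stand-in for g_dbus_add_disconnect_watch(): registers only a disconnect callback. */
static unsigned add_disconnect_watch(disc_func_t disc_func, void *user_data)
{
    for (int i = 0; i < MAX_WATCHES; i++) {
        if (watches[i].id == 0) {
            watches[i].id = next_id++;
            watches[i].disc_func = disc_func;
            watches[i].user_data = user_data;
            watches[i].removed = 0;
            return watches[i].id;
        }
    }
    return 0;
}

/* Stand-in for g_dbus_remove_watch() -> filter_data_remove_callback(). The real
 * code frees the callback data here; this model keeps the slot and counts, so a
 * second remove is observable instead of corrupting the heap. */
static void remove_watch(unsigned id)
{
    struct watch *w = find_watch(id);
    if (w == NULL)
        return;
    if (w->removed > 0)
        double_removes++;
    w->removed++;
}

/* The counter object handed to the watch as user_data. */
struct counter {
    unsigned watch;
    int remove_watch_on_remove;  /* 1 = buggy remove_counter(), 0 = the fix */
};

static void remove_counter(struct counter *c)
{
    if (c->remove_watch_on_remove)
        remove_watch(c->watch);  /* buggy: frees the watch from inside disc_func */
}

static void owner_disconnect(void *user_data)
{
    remove_counter(user_data);   /* hash-table removal ends up in remove_counter() */
}

/* Stand-in for service_filter on owner disconnect: step 1 calls disc_func,
 * step 2 removes the same callback data itself. */
static void service_filter_disconnect(unsigned id)
{
    struct watch *w = find_watch(id);
    if (w == NULL)
        return;
    if (w->disc_func)
        w->disc_func(w->user_data);
    remove_watch(id);
}

/* Explicit unregister: the only place the fixed code removes the watch. */
static void counter_unregister(struct counter *c)
{
    remove_watch(c->watch);
}

/* Owner disconnects. Returns how many removes hit an already-freed watch (0 = no double free). */
int simulate_owner_disconnect(int buggy)
{
    struct counter c = { 0, buggy };
    reset_bus();
    c.watch = add_disconnect_watch(owner_disconnect, &c);
    service_filter_disconnect(c.watch);
    return double_removes;
}

/* Counter is unregistered while the owner stays connected. Returns removes seen by the watch. */
int simulate_unregister(int buggy)
{
    struct counter c = { 0, buggy };
    reset_bus();
    c.watch = add_disconnect_watch(owner_disconnect, &c);
    counter_unregister(&c);
    return find_watch(c.watch)->removed;
}
```

With the buggy flag set, simulate_owner_disconnect() reports one remove on an already-freed watch, which is the double free from the backtrace; with the fix it reports none, and the unregister path still removes the watch exactly once either way. The same counting trick is handy when reviewing other callback-driven teardown code: any teardown reachable from inside a callback that the caller will also tear down afterwards is a candidate for this bug.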