Found this issue, which caused a connman crash on 1.27. From the connman log it looks like the scan-done callback (scan_callback_hidden) is called twice for the same scan, causing the ref count to go to zero and the wifi memory to be freed.
This is the sequence in which the functions in plugins/wifi.c are called:

1. wifi_scan ==> Called for a broadcast wifi scan, causing the data ref count to be incremented to 2.
2. scan_started ==> NOP
3. scan_finished ==> NOP
4. A bunch of BSSs are reported as part of the scan results.
5. scan_callback_hidden ==> ConnMan-supplied callback to gsupplicant/supplicant.c
6. scan_callback ==> In this function we call wifi_data_unref_debug, which decrements the ref count by 1, so it becomes 1.
7. scan_started is called again; it looks like we are not done with scanning completely.
8. scan_finished is called again.
9. We do see a bunch of scan results coming.
10. scan_callback_hidden is called again.
11. scan_callback is called again, which would again cause the ref count to be decremented by 1, making it 0 and causing the wifi memory to be freed.

The problem here is that we assume that once scan_callback is called there will be no more scanning happening, but this supposedly is not the case. I enabled logging in connman and here is a snippet of the log which proves that:

2000-01-01 06:01:27.000000 daemon.debug connmand[298]: /connman/./connman/plugins/wifi.c:scan_callback_hidden() result 0 wifi 0xb74d0 ==> *supplied call back is called*
2000-01-01 06:01:27.000000 daemon.debug connmand[298]: /connman/./connman/plugins/wifi.c:get_hidden_connections_params() max ssids 1
2000-01-01 06:01:27.000000 daemon.debug connmand[298]: /connman/./connman/plugins/wifi.c:scan_callback() result 0 wifi 0xb74d0
2000-01-01 06:01:27.000000 daemon.debug connmand[298]: /connman/./connman/src/device.c:connman_device_set_scanning() device 0xb9348 scanning 0
2000-01-01 06:01:27.000000 daemon.debug connmand[298]: /connman/./connman/src/technology.c:technology_find() type 3
2000-01-01 06:01:27.000000 daemon.debug connmand[298]: /connman/./connman/src/technology.c:__connman_technology_scan_stopped() technology 0xb7858 device 0xb9348
2000-01-01 06:01:27.000000 daemon.debug connmand[298]: /connman/./connman/src/technology.c:reply_scan_pending() technology 0xb7858 err 0
2000-01-01 06:01:27.000000 daemon.debug connmand[298]: /connman/./connman/src/technology.c:reply_scan_pending() reply to :1.6
2000-01-01 06:01:27.000000 daemon.debug connmand[298]: /connman/./connman/src/service.c:__connman_service_auto_connect()
2000-01-01 06:01:27.000000 daemon.debug connmand[298]: /connman/./connman/plugins/wifi.c:start_autoscan()
2000-01-01 06:01:27.000000 daemon.debug connmand[298]: /connman/./connman/src/device.c:connman_device_unref_debug() 0xb9348 unref 2 by /connman/./connman/plugins/wifi.
2000-01-01 06:01:27.000000 daemon.debug connmand[298]: /connman/./connman/plugins/wifi.c:scan_callback() calling unref 3
2000-01-01 06:01:27.000000 daemon.debug connmand[298]: /connman/./connman/plugins/wifi.c:wifi_data_unref_debug() 0xb74d0 unref 1 by /connman/./connman/plugins/wifi.c:1 ==> *data ref count becomes 1*
2000-01-01 06:01:27.000000 daemon.debug connmand[298]: /connman/./connman/src/rtnl.c:rtnl_message() buf 0xbeca198c len 56
2000-01-01 06:01:27.000000 daemon.debug connmand[298]: /connman/./connman/src/rtnl.c:rtnl_message() NEWLINK len 56 type 16 flags 0x0000 seq 0 pid 0
2000-01-01 06:01:27.000000 daemon.debug connmand[298]: /connman/./connman/gsupplicant/supplicant.c:signal_interface_changed()
2000-01-01 06:01:27.000000 daemon.debug connmand[298]: /connman/./connman/gsupplicant/supplicant.c:interface_property() Scanning ==> *interface state is still scanning*
2000-01-01 06:01:27.000000 daemon.debug connmand[298]: /connman/./connman/plugins/wifi.c:scan_started() ==> *scan_started is called again!!!!*
2000-01-01 06:01:27.000000 daemon.debug connmand[298]: /connman/./connman/src/manager.c:get_technologies()
2000-01-01 06:01:27.000000 daemon.debug connmand[298]: /connman/./connman/gsupplicant/supplicant.c:signal_bss_removed()
2000-01-01 06:01:27.000000 daemon.debug connmand[298]: /connman/./connman/gsupplicant/supplicant.c:update_network_signal() New network signal 0
2000-01-01 06:01:27.000000 daemon.debug connmand[298]: /connman/./connman/gsupplicant/supplicant.c:signal_scan_done()
2000-01-01 06:01:27.000000 daemon.debug connmand[298]: /connman/./connman/plugins/wifi.c:scan_finished() ==> *after this we would receive a bunch of scan results and then the scan-done callback would be called again*
| | | |
2000-01-01 06:01:29.000000 daemon.debug connmand[298]: /connman/./connman/plugins/wifi.c:scan_callback_hidden() result 0 wifi 0xb74d0 ==> *scan callback is called again*
2000-01-01 06:01:29.000000 daemon.debug connmand[298]: /connman/./connman/plugins/wifi.c:get_hidden_connections_params() max ssids 1
2000-01-01 06:01:29.000000 daemon.debug connmand[298]: /connman/./connman/plugins/wifi.c:scan_callback() result 0 wifi 0xb74d0
2000-01-01 06:01:29.000000 daemon.debug connmand[298]: /connman/./connman/plugins/wifi.c:start_autoscan()
2000-01-01 06:01:29.000000 daemon.debug connmand[298]: /connman/./connman/plugins/wifi.c:scan_callback() calling unref 3
2000-01-01 06:01:29.000000 daemon.debug connmand[298]: /connman/./connman/plugins/wifi.c:wifi_data_unref_debug() 0xb74d0 unref 0 by /connman/./connman/plugins/wifi.c:1 ==> *count has become 0!!!!!*

Regards,
Naveen

_______________________________________________
connman mailing list
[email protected]
https://lists.connman.net/mailman/listinfo/connman
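The refcount pattern the log shows, as an added example that is neither ConnMan's code nor part of Naveen's post: a constructed model in which starting a scan takes one reference and the scan-done callback releases it, replayed with the two scan-done callbacks seen above. The `scan_pending` flag and the `replay` harness are hypothetical; they show how a callback can be made to release its reference at most once per started scan, so a duplicate completion is ignored instead of dropping the count to zero.

```c
#include <stdbool.h>
/* Constructed model of the scan refcount pattern from the report above;
 * names mirror the plugin's but this is not ConnMan code. */
struct wifi_data {
    int refcount;
    bool freed;         /* recorded instead of calling free(), so it can be checked */
    bool scan_pending;  /* hypothetical guard: one release per started scan */
};

static void wifi_data_ref(struct wifi_data *d) { d->refcount++; }
static void wifi_data_unref(struct wifi_data *d)
{
    if (d->refcount > 0 && --d->refcount == 0)
        d->freed = true;    /* the real code frees the object here */
}

/* Starting a scan takes one reference that the completion callback releases. */
static void wifi_scan(struct wifi_data *d)
{
    wifi_data_ref(d);
    d->scan_pending = true;
}

/* Completion as described in the report: every scan-done releases the
 * reference, so a second scan-done for the same scan drops it to zero. */
static void scan_callback_unguarded(struct wifi_data *d)
{
    wifi_data_unref(d);
}

/* Hardened variant: release only if this scan's completion is still owed. */
static void scan_callback_guarded(struct wifi_data *d)
{
    if (!d->scan_pending)
        return;             /* duplicate or late scan-done: nothing to release */
    d->scan_pending = false;
    wifi_data_unref(d);
}

/* Replays the logged sequence: one wifi_scan(), then two scan-done callbacks.
 * Returns the final refcount, or -1 if the object was freed. */
static int replay(void (*scan_done)(struct wifi_data *))
{
    struct wifi_data d = { .refcount = 1 };   /* 1: reference held by the device */
    wifi_scan(&d);      /* refcount 2 */
    scan_done(&d);      /* first scan-done: refcount 1 */
    scan_done(&d);      /* second scan-done for the same scan */
    return d.freed ? -1 : d.refcount;
}
```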
