There are places where __connman_service_disconnect is called by the code which isn't holding its own reference to connman_service. Here is an example (line numbers may not exactly match upstream):

==5339== Invalid write of size 4
==5339==    at 0x70C9C: __connman_service_ipconfig_indicate_state (service.c:6131)
==5339==    by 0x5BC0B: set_disconnected (network.c:791)
==5339==    by 0x5D64B: __connman_network_disconnect (network.c:1616)
==5339==    by 0x7191F: __connman_service_disconnect (service.c:6480)
==5339==    by 0x57DAB: __connman_device_disable (device.c:247)
...
==5339==  Address 0x4e25264 is 212 bytes inside a block of size 240 free'd
==5339==    at 0x483752C: free (vg_replace_malloc.c:446)
==5339==    by 0x48B56AB: g_free (gmem.c:197)
==5339==    by 0x6E273: service_destroy (service.c:4894)
==5339==    by 0x6E34B: service_free (service.c:4921)
==5339==    by 0x48971E7: g_hash_table_remove_node (ghash.c:448)
==5339==    by 0x48979D3: g_hash_table_remove_internal (ghash.c:1276)
==5339==    by 0x6E77B: connman_service_unref_debug (service.c:5040)
==5339==    by 0x605BF: remove_gateway (connection.c:707)
==5339==    by 0x48971E7: g_hash_table_remove_node (ghash.c:448)
==5339==    by 0x48979D3: g_hash_table_remove_internal (ghash.c:1276)
==5339==    by 0x61197: __connman_connection_gateway_remove (connection.c:1001)
==5339==    by 0x5BBCF: set_disconnected (network.c:773)
==5339==    by 0x5D64B: __connman_network_disconnect (network.c:1616)
==5339==    by 0x7191F: __connman_service_disconnect (service.c:6480)
==5339==    by 0x57DAB: __connman_device_disable (device.c:247)
...

Slava Monich (1):
  service: Hold a reference to the service while disconnecting

 src/service.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

--
1.8.3.2

_______________________________________________
connman mailing list
[email protected]
https://lists.connman.net/mailman/listinfo/connman
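
The failure mode in the trace above, reduced to a stand-alone C sketch. This is an added example, not ConnMan code and not the patch itself; `struct svc`, `registry`, `teardown_gateway` and `disconnect_holding_ref` are hypothetical names. It assumes the table holds the only reference, so the caller takes its own reference for the duration of the call.

```c
#include <stdlib.h>

/* Hypothetical refcounted object; a stand-in, not ConnMan's struct. */
struct svc { int refcount; int state; };

static struct svc *registry;  /* table that owns one reference */
static int destroyed;         /* number of objects freed so far */

static struct svc *svc_ref(struct svc *s) { s->refcount++; return s; }

static void svc_unref(struct svc *s)
{
    if (--s->refcount > 0)
        return;
    destroyed++;
    free(s);
}

/* Models the teardown step in the trace: removing the table entry
 * drops the table's reference, which may be the last one. */
static void teardown_gateway(void)
{
    struct svc *s = registry;
    registry = NULL;
    if (s)
        svc_unref(s);
}

/* Pin the object across the call so the write after teardown stays valid. */
static int disconnect_holding_ref(struct svc *s)
{
    int freed_before_write;
    svc_ref(s);
    teardown_gateway();
    freed_before_write = destroyed;  /* 0: our reference kept it alive */
    s->state = 0;                    /* without svc_ref() this writes freed memory */
    svc_unref(s);                    /* last reference: freed here, after last use */
    return freed_before_write;
}

/* Constructed scenario: the table holds the only reference. */
static int demo(void)
{
    struct svc *s = calloc(1, sizeof(*s));
    if (!s) return -1;
    s->refcount = 1; s->state = 1;
    registry = s;
    destroyed = 0;
    return disconnect_holding_ref(s) == 0 && destroyed == 1;
}
int main(void) { return demo() == 1 ? 0 : 1; }
```

Building the sketch with `-fsanitize=address` and deleting the `svc_ref()`/`svc_unref()` pair in `disconnect_holding_ref` yields the same class of report as the Valgrind output: a write into a block already freed further up the same call chain.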
