Hi,
I came across the valgrind report below when trying to reproduce a
connmand crash. The test was run against the Jolla version of connmand (1.24 +
some patches), so the line numbers are slightly off w.r.t. upstream, but the
locations should be in the same ballpark.
In the test I was periodically removing and reinstalling wlan kernel
module, periodically restarting wpa supplicant (both simple sh loops)
and semi-randomly connecting to and disconnecting from networks from the
phone UI. Kernel module and wpa supplicant would be up barely enough to
have time to scan and connect/disconnect a couple of times to some of
the networks configured on the device, in an attempt to make
connect/disconnect overlap with those special events.
While the test is somewhat convoluted the root cause for the issue could
perhaps be triggered by a simpler scenario too.
It looks like wifi->pending_network has already been freed by the time
the pointer is dereferenced.
I get rid of this if I add reference counting to pending_network, but
since reference counting was previously removed (commit c8c5cd51),
perhaps there's a more proper way to handle the issue.
==2725== Invalid read of size 4
==2725== at 0x41520: connman_network_get_device (network.c:2161)
==2725== by 0x1FAF3: network_connect (wifi.c:1479)
==2725== by 0x217F3: disconnect_callback (wifi.c:1545)
==2725== by 0x24A5B: interface_disconnect_result (supplicant.c:4054)
==2725== by 0x29BBF: supplicant_dbus_method_call_cancel_all (dbus.c:451)
==2725== by 0x286F3: g_supplicant_interface_cancel (supplicant.c:2640)
==2725== by 0x2876B: signal_interface_removed (supplicant.c:2047)
==2725== by 0x2325F: g_supplicant_filter (supplicant.c:2630)
==2725== by 0x4976F47: dbus_connection_dispatch (dbus-connection.c:4631)
==2725== by 0x82653: message_dispatch (mainloop.c:72)
==2725== by 0x48A7A8B: g_idle_dispatch (gmain.c:5251)
==2725== by 0x48ABB1F: g_main_context_dispatch (gmain.c:3066)
==2725== Address 0x5730854 is 60 bytes inside a block of size 144 free'd
==2725== at 0x483752C: free (vg_replace_malloc.c:446)
==2725== by 0x48B36AB: g_free (gmem.c:197)
==2725== by 0x237B7: remove_network (supplicant.c:443)
==2725== by 0x48951E7: g_hash_table_remove_node (ghash.c:448)
==2725== by 0x48959D3: g_hash_table_remove_internal (ghash.c:1276)
==2725== by 0x25D8F: signal_bss_removed (supplicant.c:1803)
==2725== by 0x2325F: g_supplicant_filter (supplicant.c:2630)
==2725== by 0x4976F47: dbus_connection_dispatch (dbus-connection.c:4631)
==2725== by 0x82653: message_dispatch (mainloop.c:72)
==2725== by 0x48A7A8B: g_idle_dispatch (gmain.c:5251)
==2725== by 0x48ABB1F: g_main_context_dispatch (gmain.c:3066)
==2725== by 0x48ABE23: g_main_context_iterate.part.19 (gmain.c:3713)
==2725==
BR,
H.
_______________________________________________
connman mailing list
connman@connman.net
https://lists.connman.net/mailman/listinfo/connman
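The report above describes a classic dangling-pointer use-after-free: the supplicant side frees the network object from its hash table (remove_network) while the wifi side still holds it in pending_network and later dereferences it from disconnect_callback. The block below is an added, stand-alone model of that hazard and of the two mitigations the mail mentions, and is not connman's code; struct and function names (network_ref, wifi_set_pending, table_remove_network and friends) are assumptions chosen to mirror the report loosely. Option 1 gives the holder of the pointer a reference so the memory outlives the table entry; option 2 keeps raw pointers but has the owning table clear the holder's pointer before freeing.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model: a supplicant-side network object owned by a table,
 * and a wifi-side struct remembering which network to connect to once
 * the in-flight disconnect completes (the pending_network of the report). */
struct network {
    int refcount;   /* option 1: shared ownership */
    bool removed;   /* set when the owning table drops the object */
    char ssid[32];
};

struct wifi_data {
    struct network *pending_network;
};

static struct network *network_ref(struct network *n)
{
    n->refcount++;
    return n;
}

static void network_unref(struct network *n)
{
    if (--n->refcount == 0)
        free(n);
}

static struct network *network_new(const char *ssid)
{
    struct network *n = calloc(1, sizeof(*n));
    n->refcount = 1;  /* the owning table's reference */
    strncpy(n->ssid, ssid, sizeof(n->ssid) - 1);
    return n;
}

/* Option 1: whoever stores the pointer holds a reference for as long as
 * it keeps it, so the table freeing its entry cannot leave it dangling. */
static void wifi_set_pending(struct wifi_data *wifi, struct network *n)
{
    if (wifi->pending_network)
        network_unref(wifi->pending_network);
    wifi->pending_network = n ? network_ref(n) : NULL;
}

/* Models remove_network(): the table marks the object gone and drops
 * only its own reference; memory survives while wifi still holds one. */
static void table_remove_network(struct network *n)
{
    n->removed = true;
    network_unref(n);
}

/* Models the connect attempted from disconnect_callback(). Returns 1 when a
 * connect is attempted, 0 when nothing valid is pending any more. */
static int wifi_connect_pending(struct wifi_data *wifi)
{
    struct network *n = wifi->pending_network;
    if (!n)
        return 0;
    if (n->removed) {            /* stale: drop it instead of using it */
        wifi_set_pending(wifi, NULL);
        return 0;
    }
    printf("connecting to %s\n", n->ssid);
    return 1;
}

/* Happy path: nothing removed between queuing and the callback. */
int scenario_connect_ok(void)
{
    struct wifi_data wifi = { NULL };
    struct network *n = network_new("home");
    wifi_set_pending(&wifi, n);
    int r = wifi_connect_pending(&wifi);   /* 1 */
    wifi_set_pending(&wifi, NULL);
    table_remove_network(n);               /* last reference, freed here */
    return r;
}

/* The race from the report, with option 1 in place: the BSS-removed signal
 * frees the table entry before the disconnect callback runs the connect. */
int scenario_refcounted(void)
{
    struct wifi_data wifi = { NULL };
    struct network *n = network_new("home");
    wifi_set_pending(&wifi, n);            /* refcount 2 */
    table_remove_network(n);               /* refcount 1, memory still valid */
    int r = wifi_connect_pending(&wifi);   /* safe read, sees removed -> 0 */
    return r;                              /* pending already cleared/freed */
}

/* Option 2 (no refcounting): the table tells the holder before freeing, so
 * the holder's pointer is cleared rather than left dangling. A single global
 * observer stands in for a real notification list (constructed). */
static struct wifi_data *g_observer;

static void table_remove_network_notify(struct network *n)
{
    if (g_observer && g_observer->pending_network == n)
        g_observer->pending_network = NULL;
    free(n);
}

int scenario_notify(void)
{
    struct wifi_data wifi = { NULL };
    struct network *n = network_new("office");
    wifi.pending_network = n;              /* raw pointer, no reference */
    g_observer = &wifi;
    table_remove_network_notify(n);        /* clears the pointer, then frees */
    g_observer = NULL;
    return wifi_connect_pending(&wifi);    /* 0: nothing pending, no UAF */
}

int main(void)
{
    printf("ok=%d refcounted=%d notify=%d\n", scenario_connect_ok(),
           scenario_refcounted(), scenario_notify());
    return 0;
}
```

Either approach makes the disconnect-callback path safe to run under valgrind; the difference is where the lifetime decision lives. Refcounting lets wifi.c keep using a removed network object until it chooses to drop it (which is what the mail's experiment did), while the notify variant matches the post-c8c5cd51 design of a single owner and forces wifi.c to handle "pending network is gone" explicitly, which is the check a reviewer would look for in network_connect.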