Open Source Mobile Communications (https://osmocom.org/)
OsmoGSMTester - Bug #4542: ofono: crash in drivers/qmimodem/gprs.c:extract_ss_info()
https://osmocom.org/issues/4542

Updated by pespin on 2020-05-11T10:20:57Z (https://osmocom.org/issues/4542?journal_id=18243)
<ul><li><strong>Description</strong> updated (<a title="View differences" href="/journals/18243/diff?detail_id=30242">diff</a>)</li></ul>

Updated by pespin on 2020-05-11T10:53:27Z (https://osmocom.org/issues/4542?journal_id=18244)

<p>Looks like a race condition. The usual scenario (the working, non-crashing one) is to call qmi_attached_status() and then receive the callback from the modem in get_ss_info_cb().<br />However, in some cases (the crashing ones) we receive some events in between qmi_attached_status() and receiving the callback in get_ss_info_cb(). For instance:<br /><pre>
May 10 23:41:11.428424 osmo-gsm-tester-prod ofonod[22747]: drivers/qmimodem/gprs.c:qmi_attached_status()
...
May 10 23:41:11.460495 osmo-gsm-tester-prod ofonod[22747]: plugins/gobi.c:set_online_cb()
May 10 23:41:11.460882 osmo-gsm-tester-prod ofonod[22747]: src/modem.c:modem_change_state() old state: 3, new state: 2
May 10 23:41:11.460906 osmo-gsm-tester-prod ofonod[22747]: src/modem.c:flush_atoms()
May 10 23:41:11.460938 osmo-gsm-tester-prod ofonod[22747]: src/gprs.c:gprs_context_unregister() 0x55eab5deb320, 0x55eab5deb100
May 10 23:41:11.460967 osmo-gsm-tester-prod ofonod[22747]: src/gprs.c:gprs_context_remove() atom: 0x55eab5deb360
May 10 23:41:11.460998 osmo-gsm-tester-prod ofonod[22747]: drivers/qmimodem/gprs-context.c:qmi_gprs_context_remove()
May 10 23:41:11.461078 osmo-gsm-tester-prod ofonod[22747]: src/gprs.c:gprs_unregister() 0x55eab5deb100
May 10 23:41:11.473859 osmo-gsm-tester-prod ofonod[22747]: src/network.c:__ofono_netreg_remove_status_watch() 0x55eab5eee220
May 10 23:41:11.473929 osmo-gsm-tester-prod ofonod[22747]: src/gprs.c:gprs_remove() atom: 0x55eab5deb1b0
May 10 23:41:11.473998 osmo-gsm-tester-prod ofonod[22747]: drivers/qmimodem/gprs.c:qmi_gprs_remove()
May 10 23:41:11.474049 osmo-gsm-tester-prod ofonod[22747]: src/ussd.c:ussd_remove() atom: 0x55eab5e8a0f0
May 10 23:41:11.474069 osmo-gsm-tester-prod ofonod[22747]: drivers/qmimodem/ussd.c:qmi_ussd_remove()
May 10 23:41:11.474109 osmo-gsm-tester-prod ofonod[22747]: drivers/qmimodem/netmon.c:qmi_netmon_remove()
May 10 23:41:11.482561 osmo-gsm-tester-prod ofonod[22747]: src/sim.c:ofono_sim_remove_spn_watch() 0x55eab5e73700
May 10 23:41:11.482636 osmo-gsm-tester-prod ofonod[22747]: src/network.c:netreg_remove() atom: 0x55eab5eee120
May 10 23:41:11.482657 osmo-gsm-tester-prod ofonod[22747]: drivers/qmimodem/network-registration.c:qmi_netreg_remove()
May 10 23:41:11.482901 osmo-gsm-tester-prod ofonod[22747]: drivers/qmimodem/qmibridge.c:ask_qmi() _REQ: QMI QMUX:
QMI length = 16
QMI flags = 0x00
QMI service = "ctl"
QMI client = 0
QMI QMI:
QMI flags = "none"
QMI transaction = 11
QMI tlv_length = 5
QMI message = "Release CID" (0x0023)
QMI TLV:
QMI type = "Release Info" (0x01)
QMI length = 2
QMI value = 1A:01
QMI translated = [ service = 'wda' cid = '1' ]
AND FINALLY WE RECEIVE OUR RESPONSE WHICH WILL CRASH:
May 10 23:41:11.494370 osmo-gsm-tester-prod ofonod[22747]: drivers/qmimodem/gprs.c:get_ss_info_cb()
</pre></p>
<p>So probably some stuff which is used in the callback is being de-allocated due to "modem_change_state() old state: 3, new state: 2" (MODEM_STATE_ONLINE -> MODEM_STATE_OFFLINE).</p>

Updated by pespin on 2020-05-11T11:40:05Z (https://osmocom.org/issues/4542?journal_id=18245)

<p>So in qmi_attached_status(), "struct ofono_gprs *gprs" is assigned to "cbd->user = gprs;" to be used later during the get_ss_info_cb() callback.</p>
<p>Then, while we wait for the callback, "struct ofono_gprs" is freed in gprs_remove():<br /><pre>
struct ofono_gprs *gprs = __ofono_atom_get_data(atom);
if (gprs->driver && gprs->driver->remove)
        gprs->driver->remove(gprs);
g_free(gprs);
</pre></p>
<p>And finally the get_ss_info_cb() callback arrives and uses it:<br /><pre>
struct ofono_gprs *gprs = cbd->user;
status = handle_ss_info(result, gprs);
// In handle_ss_info() gprs is dereferenced and probably crashes when setting the value:
struct gprs_data *data = ofono_gprs_get_data(gprs);
...
data->last_auto_context_id = 0; <--- crash here.
</pre></p>
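As an added illustration (not ofono's code and not a patch to it), the two orderings from the analysis above modelled in C: the request keeps a back-reference on its owner, so gprs_remove() can detach the in-flight callback before freeing the data it would dereference. Names mirror the ticket; the `struct atom` owner record, `owner_slot` and `simulate()` are assumptions of this example.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Constructed model of the ticket's pattern: a request carries a raw pointer
 * (cbd->user = gprs) whose owner may be freed before the reply. Not ofono code. */
struct gprs_data { int last_auto_context_id; };
struct ofono_gprs { struct gprs_data data; };
struct cb_data { struct ofono_gprs *user; struct cb_data **owner_slot; };
/* Hypothetical owner record: tracks the in-flight request so remove() can detach it. */
struct atom { struct ofono_gprs *gprs; struct cb_data *pending; };
/* qmi_attached_status(): issue the request and remember it on the owner */
struct cb_data *qmi_attached_status(struct atom *a) {
    struct cb_data *cbd = calloc(1, sizeof(*cbd));
    cbd->user = a->gprs;
    cbd->owner_slot = &a->pending;
    a->pending = cbd;      /* the modem answers later via get_ss_info_cb() */
    return cbd;
}
/* gprs_remove(): detach any in-flight request, then free like ofono does */
void gprs_remove(struct atom *a) {
    if (a->pending) {
        a->pending->user = NULL;   /* callback will see its owner is gone */
        a->pending = NULL;
    }
    free(a->gprs);
}
/* get_ss_info_cb(): 0 = data updated, -1 = owner gone so reply dropped */
int get_ss_info_cb(struct cb_data *cbd) {
    struct ofono_gprs *gprs = cbd->user;
    int rc = -1;
    if (gprs) {
        gprs->data.last_auto_context_id = 0;   /* the line that crashed */
        *cbd->owner_slot = NULL;               /* no longer in flight */
        rc = 0;
    }
    free(cbd);
    return rc;
}
/* Drive both orderings from the ticket's log; returns the callback's rc */
int simulate(bool offline_before_reply) {
    struct atom *a = calloc(1, sizeof(*a));
    a->gprs = calloc(1, sizeof(*a->gprs));
    struct cb_data *cbd = qmi_attached_status(a);
    if (offline_before_reply) gprs_remove(a);   /* state 3 -> 2 before reply */
    int rc = get_ss_info_cb(cbd);
    if (!offline_before_reply) gprs_remove(a);
    free(a);
    return rc;
}
```

Run under ASan or valgrind with the detach in gprs_remove() removed and the offline-first ordering reproduces the use-after-free the ticket describes; with it in place the late reply is simply dropped.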
Updated by pespin on 2020-05-12T09:38:18Z (https://osmocom.org/issues/4542?journal_id=18250)

<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Feedback</i></li></ul><p>I reported the crash together with a link to this same ticket on the ofono ML:<br /><a class="external" href="https://lists.ofono.org/hyperkitty/list/ofono@ofono.org/thread/IWOBIJL32WCSR2NXPI2HHMM4YC2PEUQ2/">https://lists.ofono.org/hyperkitty/list/ofono@ofono.org/thread/IWOBIJL32WCSR2NXPI2HHMM4YC2PEUQ2/</a></p>

Updated by pespin on 2021-07-30T10:30:11Z (https://osmocom.org/issues/4542?journal_id=22420)

<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Stalled</i></li></ul>