2022-06-14 13:18:17

by Youwan Wang

Subject: [PATCH] obexd: Fix transfer has been free in transfer_abort_response

Breakpoint 7, transfer_new (obex=0x5555555f5b50, opcode=2 '\002',
complete_func=0x555555590c40 <xfer_complete>, user_data=0x5555555f7000)
at gobex/gobex-transfer.c:254
254 gobex/gobex-transfer.c:
(gdb) c
Continuing.

Breakpoint 3, transfer_complete (transfer=0x5555555f5f40,
err=0x5555555f6d60) at gobex/gobex-transfer.c:99
99 in gobex/gobex-transfer.c
(gdb) c
Continuing.

Breakpoint 4, xfer_complete (obex=0x5555555f5b50, err=0x5555555f6d60,
user_data=0x5555555f7000)
at obexd/client/transfer.c:659
659 obexd/client/transfer.c:
(gdb) n
661 in obexd/client/transfer.c
(gdb) n
663 in obexd/client/transfer.c
(gdb) p callback->func
$17 = (transfer_callback_t) 0x5555555885e0 <transfer_complete>
(gdb) c
Continuing.

Breakpoint 3, transfer_complete (transfer=0x5555555f7000, err=0x5555555f6d60,
user_data=0x5555555f48d0) at obexd/client/session.c:964
964 obexd/client/session.c:
(gdb) c
Continuing.

Breakpoint 5, transfer_free (transfer=0x5555555f5f40) at
gobex/gobex-transfer.c:61
61 gobex/gobex-transfer.c:
(gdb) n
63 in gobex/gobex-transfer.c
(gdb) p transfer->id
$18 = 1
(gdb) c
Continuing.

Breakpoint 2, transfer_abort_response (obex=0x5555555f5b50, err=0x0,
rsp=0x5555555f0810, user_data=0x5555555f5f40) at gobex/gobex-transfer.c:116
116 in gobex/gobex-transfer.c
(gdb) n
118 in gobex/gobex-transfer.c
(gdb) p transfer->id
$19 = 1432314080
(gdb) c
Continuing.

Breakpoint 3, transfer_complete (transfer=0x5555555f5f40, err=0x5555555f6f00)
at gobex/gobex-transfer.c:99
99 in gobex/gobex-transfer.c
(gdb) c
Continuing.

Breakpoint 4, xfer_complete (obex=0x5555555f5b50, err=0x5555555f6f00,
user_data=0x5555555f7000)
at obexd/client/transfer.c:659
659 obexd/client/transfer.c:
(gdb) n
661 in obexd/client/transfer.c
(gdb) p callback->func
$20 = (transfer_callback_t) 0x5555555f6420
(gdb) n
663 in obexd/client/transfer.c
(gdb) n
668 in obexd/client/transfer.c
(gdb) n
671 in obexd/client/transfer.c
(gdb) n
672 in obexd/client/transfer.c
(gdb) n
676 in obexd/client/transfer.c
(gdb) n
679 in obexd/client/transfer.c
(gdb) n
680 in obexd/client/transfer.c
(gdb) n
0x00005555555f6420 in ?? ()
(gdb) n
Cannot find bounds of current function
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x00005555555f6420 in ?? ()
(gdb)
---
gobex/gobex-transfer.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/gobex/gobex-transfer.c b/gobex/gobex-transfer.c
index c94d018b2..48b1f6962 100644
--- a/gobex/gobex-transfer.c
+++ b/gobex/gobex-transfer.c
@@ -92,7 +92,9 @@ static void transfer_complete(struct transfer *transfer, GError *err)
g_obex_drop_tx_queue(transfer->obex);
}

- transfer->complete_func(transfer->obex, err, transfer->user_data);
+ if (find_transfer(id) != NULL)
+ transfer->complete_func(transfer->obex, err, transfer->user_data);
+
/* Check if the complete_func removed the transfer */
if (find_transfer(id) == NULL)
return;
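Review bot: the new `find_transfer(id) != NULL` guard sits after the unchanged context line `g_obex_drop_tx_queue(transfer->obex);` in the block just above, which can already dereference `transfer`, so a freed transfer may still be touched before the check is reached. The trace in the commit message shows `transfer_free (transfer=0x5555555f5f40)` followed by `transfer_abort_response` receiving the same pointer as `user_data`, with `transfer->id` reading 1432314080, so the stale pointer reaches the abort callback itself. Consider validating the transfer before any member access, either at the top of this function or in `transfer_abort_response` before it calls `transfer_complete`. The hunk also does not show where `id` is assigned; if it is read from `transfer->id`, the lookup key comes from freed memory and a miss is not guaranteed.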
--
2.20.1




2022-06-14 13:33:25

by Paul Menzel

Subject: Re: [PATCH] obexd: Fix transfer has been free in transfer_abort_response

Dear Wang,


Thank you for your patch.

On 14.06.22 at 15:15, wangyouwan wrote:

Can you please configure your full name in git?

git config --global user.name "Wang …"

> Breakpoint 7, transfer_new (obex=0x5555555f5b50, opcode=2 '\002',
> complete_func=0x555555590c40 <xfer_complete>, user_data=0x5555555f7000)
> at gobex/gobex-transfer.c:254
> 254 gobex/gobex-transfer.c:
> (gdb) c
> Continuing.

[…]

In addition to the GDB traces, can you please add a sentence, what is
going on, and how to reproduce (test setup) that the transfer
(`find_transfer(id)`) is NULL?

[…]
> ---
> gobex/gobex-transfer.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/gobex/gobex-transfer.c b/gobex/gobex-transfer.c
> index c94d018b2..48b1f6962 100644
> --- a/gobex/gobex-transfer.c
> +++ b/gobex/gobex-transfer.c
> @@ -92,7 +92,9 @@ static void transfer_complete(struct transfer *transfer, GError *err)
> g_obex_drop_tx_queue(transfer->obex);
> }
>
> - transfer->complete_func(transfer->obex, err, transfer->user_data);
> + if (find_transfer(id) != NULL)
> + transfer->complete_func(transfer->obex, err, transfer->user_data);
> +
> /* Check if the complete_func removed the transfer */
> if (find_transfer(id) == NULL)
> return;
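
Review bot: the added call `transfer->complete_func(transfer->obex, err, transfer->user_data);` under the new `if` exceeds 80 columns once indented; wrap the arguments onto a continuation line. The new guard also carries no comment saying when the transfer can already be gone at this point, while the check just below it is commented; a one-line comment naming the abort-response path would make the intent clear.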


Kind regards,

Paul

2022-06-14 14:38:40

by bluez.test.bot

Subject: RE: obexd: Fix transfer has been free in transfer_abort_response

This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=650234

---Test result---

Test Summary:
CheckPatch FAIL 1.56 seconds
GitLint PASS 0.99 seconds
Prep - Setup ELL PASS 43.03 seconds
Build - Prep PASS 0.68 seconds
Build - Configure PASS 8.50 seconds
Build - Make PASS 1283.86 seconds
Make Check PASS 10.99 seconds
Make Check w/Valgrind PASS 442.66 seconds
Make Distcheck PASS 231.34 seconds
Build w/ext ELL - Configure PASS 8.35 seconds
Build w/ext ELL - Make PASS 1210.16 seconds
Incremental Build with patches PASS 0.00 seconds

Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script with rule in .checkpatch.conf
Output:
obexd: Fix transfer has been free in transfer_abort_response
WARNING:COMMIT_LOG_LONG_LINE: Possible unwrapped commit description (prefer a maximum 75 chars per line)
#80:
Breakpoint 3, transfer_complete (transfer=0x5555555f7000, err=0x5555555f6d60,

WARNING:LONG_LINE: line length of 82 exceeds 80 columns
#158: FILE: gobex/gobex-transfer.c:96:
+ transfer->complete_func(transfer->obex, err, transfer->user_data);

/github/workspace/src/12881169.patch total: 0 errors, 2 warnings, 10 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.

/github/workspace/src/12881169.patch has style problems, please review.

NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPDX_LICENSE_TAG SPLIT_STRING SSCANF_TO_KSTRTO

NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.




---
Regards,
Linux Bluetooth