Received: by 2002:a6b:fb09:0:0:0:0:0 with SMTP id h9csp1798970iog;
        Tue, 14 Jun 2022 13:44:03 -0700 (PDT)
X-Google-Smtp-Source: AGRyM1tAhtZ9R13VCx/ZPg3pm4XjSl80tkHsJ8VKH3EThnv+fd2AK4y2zJS6VOApaGSL3YBre+FO
X-Received: by 2002:a05:6a00:1801:b0:51c:1001:6241 with SMTP id y1-20020a056a00180100b0051c10016241mr6481791pfa.81.1655239443081;
        Tue, 14 Jun 2022 13:44:03 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1655239443; cv=none;
        d=google.com; s=arc-20160816;
        b=dVJC8sKX6A/CldX1uOtC5wBw2PMfaA3Ewc+QCKLiFUujyWI9im5Rvhhe6cLaHPurx0
         dIuqEQbRVCs4elLMc4rON/B/P4wT8FiR8rXaegYOvr8ntIzhLXcXSWPAnIUni6kGm+7P
         uIwHOliO5esRVJnGp/OsKXUDgGG9FzrSED+1PAyAsTSge/NwJRNLpg5eBaOxHcse2cxh
         RvpUEQw9JhKmMSA9piqfQsLHENau4dhbjVk2+ZNzHY+pGETDBMTk/q4hqPefp5cJQlzf
         lcPz9SYQ9CZmiSognLtlMLAsBw/JUp2Y1CdSJcRBGsXpShOZutibs6tXueNgENZAvY3C
         1K5g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to
         :references:mime-version:dkim-signature;
        bh=Cngke8nv353WystrjUKeHF7SKETtOBwGYtbPt5+IURo=;
        b=XRhdtsj5GKyM+I5MbP2dum075+pYLZIApoJkJvIA+w+vbN4XNS1g8ytuMJiEmkCM5P
         vE+eD9lt5Py9DCcnI15ht7lf+rZ3g/WNZxYwFXC2KisDb969diNLVSkgKDmx2PNRudIh
         JPpprFHz7dkqkkRnpA/udg8zWoz7ftDmB51nLkhfPtffkY43EMNW79hswhoTplbIP08J
         mlMfx8P6GW7Z3EuF6vsGmd4OYBNz4o5wPxQfrwfg/8qTYB/ZbrpPqhdjLRXq84NZAG0o
         pQqTmz6ciSxxzR1TAlFndFD409Q0ikBM+7Oev8MQh6vKvCfZl/stQ3lUPjQKMPHdyxr3
         dhYA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20210112 header.b=qwkJEeyq;
       spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-bluetooth-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id lp13-20020a17090b4a8d00b001e4289b95a2si68378pjb.2.2022.06.14.13.43.13;
        Tue, 14 Jun 2022 13:44:03 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20210112 header.b=qwkJEeyq;
       spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S238919AbiFNUlE (ORCPT <rfc822;sandmor1220@gmail.com>
        + 99 others); Tue, 14 Jun 2022 16:41:04 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58854 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S234017AbiFNUlE (ORCPT
        <rfc822;linux-bluetooth@vger.kernel.org>);
        Tue, 14 Jun 2022 16:41:04 -0400
Received: from mail-lf1-x131.google.com (mail-lf1-x131.google.com [IPv6:2a00:1450:4864:20::131])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2D96446149
        for <linux-bluetooth@vger.kernel.org>; Tue, 14 Jun 2022 13:41:03 -0700 (PDT)
Received: by mail-lf1-x131.google.com with SMTP id w20so15738026lfa.11
        for <linux-bluetooth@vger.kernel.org>; Tue, 14 Jun 2022 13:41:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=Cngke8nv353WystrjUKeHF7SKETtOBwGYtbPt5+IURo=;
        b=qwkJEeyqloyD4Y1UkZ/WTgiCgIBCX0tmHwSMsuGjSwu9D45WvC3ueAR6k015hALRvL
         ImaSqZeXUJipI9TftjQgvBrEmDsX5IsrwY+TwEUY5/PH93aaXq9PUDB1totOKoUU6vtz
         1SkF4yG2WyF1ow8fHN/RF2hnO9M/b3OJ+nxMK8+XqyqHy1ZZndB6CpYr+qbjjji46gcP
         VoAMw28RpfNT/1IBhTOVFPS1hf3FJOou8gMtFecSkaOkmVwrHCIPLVPYEMQMpHK8k7ub
         M0xUJWYLSL27svfN2qIJrGSYnq66L1z/q6320BHo9BqrKVAKZWZ9KOIPBWbXB+HTE8Kn
         nRrQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=Cngke8nv353WystrjUKeHF7SKETtOBwGYtbPt5+IURo=;
        b=skf4TuEPY2EjNTgrzwojkg3OF4ZnrX2AM2x23N8WKrOQCi5VVEAOSXzzSDJELe9iDs
         8PoCjhsbjBkj8nd7TRHUaw64ZXRNBV8Ik+tF5y/4axSmxedd9FAfAIFDLiPFcFqWhvPN
         Khqu5TlCer5Krtoj5+eTCrNMiP/CMCA7mjLk15nbcK3Kersd8dpRYJSJod9JK9PF/DDi
         QKA5+3x/xrPJFfKQOvidJrKuhOJ7Jhu1QHAYyAC8prEoppFMZ+64cH4czRaxWIRKqVF5
         UvLBR6oTuPZn+hQ+g96jJKfS7Wq12idykG4avmQkyhT7Y52JNHeAisBOAiFvEXju+7Bm
         PLdw==
X-Gm-Message-State: AJIora/gIC9ip5LoORXzRmISGLBiKPRlt7v7Z+HmYOuNdsBxEwdUtPNO
        Qf+NbIW0yOyqKpVS46nvb/3x1S0D7WC8hwUNh8v+zBxM
X-Received: by 2002:a05:6512:e94:b0:478:f6ad:c9d7 with SMTP id
 bi20-20020a0565120e9400b00478f6adc9d7mr4196073lfb.198.1655239261060; Tue, 14
 Jun 2022 13:41:01 -0700 (PDT)
MIME-Version: 1.0
References: <20220614114914.30497-1-wangyouwan@uniontech.com>
In-Reply-To: <20220614114914.30497-1-wangyouwan@uniontech.com>
From:   Luiz Augusto von Dentz <luiz.dentz@gmail.com>
Date:   Tue, 14 Jun 2022 13:40:49 -0700
Message-ID: <CABBYNZKcqH=pTCgt=nvjUMUhv8GiBAaXxi2PvHtqA_Zar983Lg@mail.gmail.com>
Subject: Re: [PATCH] obexd: Fix transfer has been free during
 transfer_abort_response func
To:     wangyouwan <wangyouwan@uniontech.com>
Cc:     "linux-bluetooth@vger.kernel.org" <linux-bluetooth@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,
        RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE
        autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-bluetooth.vger.kernel.org>
X-Mailing-List: linux-bluetooth@vger.kernel.org

Hi,

On Tue, Jun 14, 2022 at 4:55 AM wangyouwan <wangyouwan@uniontech.com> wrote:
>
> Breakpoint 7, transfer_new (obex=0x5555555f5b50, opcode=2 '\002',
> complete_func=0x555555590c40 <xfer_complete>, user_data=0x5555555f7000)
> at gobex/gobex-transfer.c:254
> 254     gobex/gobex-transfer.c:
> (gdb) c
> Continuing.
>
> Breakpoint 3, transfer_complete (transfer=0x5555555f5f40, err=0x5555555f6d60)
> at gobex/gobex-transfer.c:99
> 99      in gobex/gobex-transfer.c
> (gdb) c
> Continuing.
>
> Breakpoint 4, xfer_complete (obex=0x5555555f5b50, err=0x5555555f6d60,
> user_data=0x5555555f7000)
> at obexd/client/transfer.c:659
> 659     obexd/client/transfer.c:
> (gdb) n
> 661     in obexd/client/transfer.c
> (gdb) n
> 663     in obexd/client/transfer.c
> (gdb) p callback->func
> $17 = (transfer_callback_t) 0x5555555885e0 <transfer_complete>
> (gdb) c
> Continuing.
>
> Breakpoint 3, transfer_complete (transfer=0x5555555f7000, err=0x5555555f6d60,
> user_data=0x5555555f48d0) at obexd/client/session.c:964
> 964     obexd/client/session.c:
> (gdb) c
> Continuing.
>
> Breakpoint 5, transfer_free (transfer=0x5555555f5f40) at gobex/gobex-transfer.c:61
> 61      gobex/gobex-transfer.c:
> (gdb) n
> 63      in gobex/gobex-transfer.c
> (gdb) p transfer->id
> $18 = 1
> (gdb) c
> Continuing.
>
> Breakpoint 2, transfer_abort_response (obex=0x5555555f5b50, err=0x0, rsp=0x5555555f0810,
> user_data=0x5555555f5f40) at gobex/gobex-transfer.c:116
> 116     in gobex/gobex-transfer.c
> (gdb) n
> 118     in gobex/gobex-transfer.c
> (gdb) p transfer->id
> $19 = 1432314080
> (gdb) c
> Continuing.
>
> Breakpoint 3, transfer_complete (transfer=0x5555555f5f40, err=0x5555555f6f00) at gobex/gobex-transfer.c:99
> 99      in gobex/gobex-transfer.c
> (gdb) c
> Continuing.
>
> Breakpoint 4, xfer_complete (obex=0x5555555f5b50, err=0x5555555f6f00, user_data=0x5555555f7000)
> at obexd/client/transfer.c:659
> 659     obexd/client/transfer.c:
> (gdb) n
> 661     in obexd/client/transfer.c
> (gdb) p callback->func
> $20 = (transfer_callback_t) 0x5555555f6420
> (gdb) n
> 663     in obexd/client/transfer.c
> (gdb) n
> 668     in obexd/client/transfer.c
> (gdb) n
> 671     in obexd/client/transfer.c
> (gdb) n
> 672     in obexd/client/transfer.c
> (gdb) n
> 676     in obexd/client/transfer.c
> (gdb) n
> 679     in obexd/client/transfer.c
> (gdb) n
> 680     in obexd/client/transfer.c
> (gdb) n
> 0x00005555555f6420 in ?? ()
> (gdb) n
> Cannot find bounds of current function
> (gdb) c
> Continuing.
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x00005555555f6420 in ?? ()
> (gdb)
> ---
>  gobex/gobex-transfer.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/gobex/gobex-transfer.c b/gobex/gobex-transfer.c
> index c94d018b2..48b1f6962 100644
> --- a/gobex/gobex-transfer.c
> +++ b/gobex/gobex-transfer.c
> @@ -92,7 +92,9 @@ static void transfer_complete(struct transfer *transfer, GError *err)
>                 g_obex_drop_tx_queue(transfer->obex);
>         }
>
> -       transfer->complete_func(transfer->obex, err, transfer->user_data);
> +       if (find_transfer(id) != NULL)
> +               transfer->complete_func(transfer->obex, err, transfer->user_data);

I would rather fix the code calling of the transfer_complete rather
than its side effect if transfer has been freed already, also it might
be better to use valgrind to collect the bracktrace since it should be
able to tell us where the transfer pointer is being freed.

>         /* Check if the complete_func removed the transfer */
>         if (find_transfer(id) == NULL)
>                 return;
> --
> 2.20.1
>
>
>


-- 
Luiz Augusto von Dentz