Received: by 2002:ad5:4acb:0:0:0:0:0 with SMTP id n11csp761111imw; Fri, 8 Jul 2022 11:11:47 -0700 (PDT) X-Google-Smtp-Source: AGRyM1unwzkIUXS1dECzs7XKCUUhUuUiLOMkAfakB31o5eE/j5SNKTWx0nzIoX03ex2mNH38iflv X-Received: by 2002:a05:6402:5518:b0:43a:9e32:b6fc with SMTP id fi24-20020a056402551800b0043a9e32b6fcmr6662683edb.252.1657303907304; Fri, 08 Jul 2022 11:11:47 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1657303907; cv=none; d=google.com; s=arc-20160816; b=PbxB+i6HgLoT1xAAIyV27GyIFAVw/lTPJAu7MhPkTxX1skEGo2sbB4B6j7oXTBAhrP CtULS4mZI93iOzJL81Wn4zMSDA59uhfN3eh3MsOtxmvfuv9n8qAFfF+C3hdFIvDzyGiV Y95lE2gLzLxt+MNymJpAzF0S7BpJ59pLEbFcg9xKavcVRPAG1OozCmAVh16+cPmoUtSE bHDPTp1xvAVhgc74xEcK59FFuLPRiBBZWpY/FNvdm7Jr4PoDP3US0XQN57f/kcgwNyIJ oUO0gl8hJZ9K0GDbdqdUG+XryBoq1HJrpUg/ZzIRBHsk9cR1GSVERcMqatyXrlWk/T8P 3H2g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=6RWEygXYqWchB5ZdRrUcmVd8ZKx2kYEDzBMC7Ah3j/o=; b=tmN/rIoU+1hzttCBUP++oiS5fAiT9TFKUxPYJmaE6D+nIVebblBo2cMUcfqTVtUWu4 VZT0w9d9FtFv+FcvkjTeF/cED4JEJnctuD3r6HkfwQKzgSxINgrsD+D4eVPx8sGfTbCY LN+AmU8IuMM1fGqPZcyhAfHylLdzeXWf8yKO60E2etSIRupqgzLDiTRlQurN/ESMT4t8 vLFghKFE1x3nuQQdCYGn79GKmIleloe7FNWIpF5XbMvG8lDSAhFb6dMgf/DWGO3ORVqE fYgsEFqeGO15kW0IVmqObY7OxoYnTajvO4r4RwmMcmXbCb0V9/lCi1grIRVsC6o2nyKO ZVhQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=kdiLoiaQ; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id q27-20020a056402249b00b0043a1efc97adsi12718626eda.220.2022.07.08.11.11.08; Fri, 08 Jul 2022 11:11:47 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=kdiLoiaQ; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238630AbiGHSGg (ORCPT + 99 others); Fri, 8 Jul 2022 14:06:36 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59768 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238541AbiGHSGf (ORCPT ); Fri, 8 Jul 2022 14:06:35 -0400 Received: from mail-lf1-x12f.google.com (mail-lf1-x12f.google.com [IPv6:2a00:1450:4864:20::12f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7A7A17C1AB for ; Fri, 8 Jul 2022 11:06:34 -0700 (PDT) Received: by mail-lf1-x12f.google.com with SMTP id t19so36940344lfl.5 for ; Fri, 08 Jul 2022 11:06:34 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=6RWEygXYqWchB5ZdRrUcmVd8ZKx2kYEDzBMC7Ah3j/o=; b=kdiLoiaQnK+VNvtbyNG8I6NZBI7waUtqDh8sPLCowS093KRwJ4Ojlj1F2mGyhonDIh dzEixoou7DlWArSH39ESjpgeNfPGxQMYr+FC/7Rj3E30Y5869SbYgJvqoa9ynSLCxGN8 YpB6dw0K1a0U3ntHhOgjP6/us+Bg+h7pl4y2W9C0pjN1Qhw2ErghizhhuDNaJb3rSuqM yh2z6n7/PLeV0klk/tVut/y5i/kaXBPPbGy5a2lt79t89bbEe01LaJaf2imOIpMWPJ6r CRAlFNr8bEERBo9O6ZmelqYKHmSUrQ5YfMckeVqqFDER0dCxjVVysg5JNE8JUUFWdM9O UfMA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=6RWEygXYqWchB5ZdRrUcmVd8ZKx2kYEDzBMC7Ah3j/o=; b=A6w+f6zvSPnVgoughSh4PKAxR2XGLhs076v+8sUxBHnWlogD7E2D80znbZLGK+pno3 sqmDtJBFknr2WI/8DBbIK/tHYNXCWBdLRPFsJZWNbgcQe3UNCkvFcOEswb8JI9An1a0L 4QB7y7Q2ZcW+jgkkH2pIhT1BpfLIjaqZGzhYXaL/SEwGgmQhD6Z3Ps7nNxIHdLd4zqNr tJMyaeNK19Y5vfRRMCP2XS8kVwBB9+YJx2yNjNY0orexOxLSQXSsd/ILAzwR61h1Cq0G LyOsUvITGeTQFb9wXd9/lGr6Gp4wCbz4Q2VWHuuPh0pZeV8uQ8KsDtw3KkxAlHWDQ/3D 7UBw== X-Gm-Message-State: AJIora9xyaLgZ5D+h7ieovJBaPlGRZOT3JT6f42hW9WZWz2jTvNdZmo9 9rZslK0sQRtXnxxbP6FI54iJm9umobnnPYBG8QKa7+mz46Y= X-Received: by 2002:a05:6512:31d0:b0:47f:92c6:99f1 with SMTP id j16-20020a05651231d000b0047f92c699f1mr3328802lfe.198.1657303592768; Fri, 08 Jul 2022 11:06:32 -0700 (PDT) MIME-Version: 1.0 References: <20220708062548.31167-1-wangyouwan@uniontech.com> In-Reply-To: <20220708062548.31167-1-wangyouwan@uniontech.com> From: Luiz Augusto von Dentz Date: Fri, 8 Jul 2022 11:06:21 -0700 Message-ID: Subject: Re: [PATCH] obexd: fix crashed after cancel the on-going transfer To: Youwan Wang Cc: "linux-bluetooth@vger.kernel.org" Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org Hi Youwan, On Thu, Jul 7, 2022 at 11:30 PM Youwan Wang wrote: > > Pointer is reused after release. > After the transfer pointer is released, > remove the response function in pending_pkg > to avoid the 'p->rsp_func' is reused > > step: > [obex]# connect 28:33:34:1E:96:98 > Attempting to connect to 28:33:34:1E:96:98 > [NEW] Session /org/bluez/obex/client/session2 [default] > [NEW] ObjectPush /org/bluez/obex/client/session2 > Connection successful > [28:33:34:1E:96:98]# send /home/uos/Desktop/systemd.zip > Attempting to send /home/uos/Desktop/systemd.zip > [NEW] Transfer /org/bluez/obex/client/session2/transfer2 > Transfer /org/bluez/obex/client/session2/transfer2 > Status: queued > Name: systemd.zip > Size: 33466053 > Filename: /home/uos/Desktop/systemd.zip > Session: /org/bluez/obex/client/session2 > [CHG] Transfer /org/bluez/obex/client/session2/transfer2 > [CHG] Transfer /org/bluez/obex/client/session2/transfer2 > [CHG] Transfer /org/bluez/obex/client/session2/transfer2 > [CHG] Transfer /org/bluez/obex/client/session2/transfer2 > [CHG] Transfer /org/bluez/obex/client/session2/transfer2 > [CHG] Transfer /org/bluez/obex/client/session2/transfer2 > [CHG] Transfer /org/bluez/obex/client/session2/transfer2 > [CHG] Transfer /org/bluez/obex/client/session2/transfer2 > [CHG] Transfer /org/bluez/obex/client/session2/transfer2 > [CHG] Transfer /org/bluez/obex/client/session2/transfer2 > [CHG] Transfer /org/bluez/obex/client/session2/transfer2 > [CHG] Transfer /org/bluez/obex/client/session2/transfer2 > er2 33:34:1E:96:98]# cancel /org/bluez/obex/client/sessi > Attempting to cancel transfer /org/bluez/obex/client/s > Cancel successful > > valgrind trace: > ==11431== Invalid read of size 4 > ==11431== at 0x12B442: transfer_response () > ==11431== by 0x127764: req_timeout () > ==11431== by 0x49B8922: ??? ( ) > ==11431== by 0x49B7E97: g_main_context_dispatch () > ==11431== by 0x49B8287: ??? (in ) > ==11431== by 0x49B8581: g_main_loop_run () > ==11431== by 0x121834: main (main.c:322) > ==11431== Address 0x7344fa0 is 16 bytes inside a block of size > ==11431== at 0x48369AB: free () > ==11431== by 0x12B459: transfer_response () > ==11431== by 0x127B3D: cancel_complete () > ==11431== by 0x49B7E97: g_main_context_dispatch () > ==11431== by 0x49B8287: ??? () > ==11431== by 0x49B8581: g_main_loop_run () > ==11431== by 0x121834: main (main.c:322) > ==11431== Block was alloc'd at > ==11431== at 0x4837B65: calloc () > ==11431== by 0x49BD9D8: g_malloc0 () > ==11431== by 0x12AB89: transfer_new () > ==11431== by 0x12B732: g_obex_put_req_pkt () > ==11431== by 0x12B732: g_obex_put_req_pkt () > ==11431== by 0x146982: transfer_start_put () > ==11431== by 0x146982: obc_transfer_start () > ==11431== by 0x13C5A7: session_process_transfer () > ==11431== by 0x13D248: session_process_queue () > ==11431== by 0x13D248: session_process_queue () > ==11431== by 0x13D2AF: session_process () > ==11431== by 0x49B7E97: g_main_context_dispatch () > ==11431== by 0x49B8287: ??? (i) > ==11431== by 0x49B8581: g_main_loop_run () > ==11431== by 0x121834: main () > ==11431== > ==11431== (action on error) vgdb me ... > --- > gobex/gobex-transfer.c | 2 ++ > gobex/gobex.c | 6 ++++++ > gobex/gobex.h | 1 + > 3 files changed, 9 insertions(+) > > diff --git a/gobex/gobex-transfer.c b/gobex/gobex-transfer.c > index c94d018b2..38c23785c 100644 > --- a/gobex/gobex-transfer.c > +++ b/gobex/gobex-transfer.c > @@ -64,6 +64,8 @@ static void transfer_free(struct transfer *transfer) > g_obex_remove_request_function(transfer->obex, > transfer->abort_id); > > + g_obex_remove_responsefunc(transfer->obex); > + > g_obex_unref(transfer->obex); > g_free(transfer); > } > diff --git a/gobex/gobex.c b/gobex/gobex.c > index bc4d52551..54ce484f2 100644 > --- a/gobex/gobex.c > +++ b/gobex/gobex.c > @@ -533,6 +533,12 @@ void g_obex_drop_tx_queue(GObex *obex) > pending_pkt_free(p); > } > > +void g_obex_remove_responsefunc(GObex *obex) > +{ > + if (obex->pending_req) > + obex->pending_req->rsp_func = NULL; > +} Can we stop treating the symptom and really fix the cause, transfer_free does already call g_obex_cancel_req which normally should take care of removing any timeout handling which seems to be the cause of the crash here: https://git.kernel.org/pub/scm/bluetooth/bluez.git/tree/gobex/gobex.c#n841 Btw, Ive already pointed out that there are test cases for it and if we are not capturing the exact scenario you are describing here would you please add a test case with the exact response that is causing such a crash: https://git.kernel.org/pub/scm/bluetooth/bluez.git/tree/unit/test-gobex-transfer.c#n480 > static gboolean g_obex_send_internal(GObex *obex, struct pending_pkt *p, > GError **err) > { > diff --git a/gobex/gobex.h b/gobex/gobex.h > index f16e4426c..1f7ae513a 100644 > --- a/gobex/gobex.h > +++ b/gobex/gobex.h > @@ -51,6 +51,7 @@ void g_obex_suspend(GObex *obex); > void g_obex_resume(GObex *obex); > gboolean g_obex_srm_active(GObex *obex); > void g_obex_drop_tx_queue(GObex *obex); > +void g_obex_remove_responsefunc(GObex *obex); > > GObex *g_obex_new(GIOChannel *io, GObexTransportType transport_type, > gssize rx_mtu, gssize tx_mtu); > -- > 2.20.1 > > > -- Luiz Augusto von Dentz