Missing NULL checks - qmi-proxy.c

Peter Naulls peter at chocky.org
Tue Dec 29 12:51:02 UTC 2020 

On 12/21/20 12:53 PM, Aleksander Morgado wrote:
> Hey,
> 

> Is that backtrace obtained upon the crash? Looks like
> qmi_client_info_array is not NULL in that backtrace
> 

Sorry, obviously I can't "sit" on a crash, so that context is lost.  However,
I'm chasing a 4th crash, which I've yet to catch in the act.   But I went
back and took out the patches to recreate this.  I hope this is enough
information this time:



Thread 1 "qmi-proxy" received signal SIGSEGV, Segmentation fault.
0x77c93d41 in qmi_client_info_array_lookup_cid (array=0x0, 
service=QMI_SERVICE_LOC, cid=2 '<error reading variable>) at qmi-proxy.c:544
544	qmi-proxy.c: No such file or directory.
(gdb) bt
#0  0x77c93d41 in qmi_client_info_array_lookup_cid (array=0x0, 
service=QMI_SERVICE_LOC, cid=2 '<error reading variable>) at qmi-proxy.c:544
#1  0x77c94581 in track_implicit_cid (self=0x77958a10, client=0x41c678, 
message=0x416ee0) at qmi-proxy.c:675
#2  0x77c94e9b in process_message (self=0x77958a10, client=0x41c678, 
message=0x416ee0) at qmi-proxy.c:853
#3  0x77c94fad in parse_request (self=0x77958a10, client=0x41c678) at 
qmi-proxy.c:905
#4  0x77c9513f in connection_readable_cb (warning: GDB can't find the start of 
the function at 0x77b5717e.

(gdb) return
Make qmi_client_info_array_lookup_cid return now? (y or n) y
#0  0x77c94581 in track_implicit_cid (self=0x77958a10, client=0x41c678, 
message=0x416ee0) at qmi-proxy.c:675
675	in qmi-proxy.c
(gdb) print *self
$1 = {parent = {g_type_instance = {g_class = 0x77a75a30}, ref_count = 2, qdata = 
0x0}, priv = 0x77958a00}
(gdb) print *client
$2 = {ref_count = 2, proxy = 0x77958a10, connection = 0x77925d18, 
connection_readable_source = 0x77945e60, buffer = 0x77945b40, device = 0x418d00,
   internal_proxy_open_request = 0x0, qmi_client_info_array = 0x77945b60, 
indication_id = 32, device_removed_id = 33}


It's been suggested this is a transition case, where the CID might no longer be
valid.  I'm not 100% on the code path that calls this, but it seems prudent
that libqmi protects itself no matter what.

In the meantime, ModemManager is also crashing, but there's some fixes in latest
git that seem relevant.   I'm going to pull that, and then see if I can
find the 4th crash in libqmi.

More information about the libqmi-devel mailing list