[PATCH] iface-modem: fix crash in wait_for_final_state_context_complete_and_free

Mon Dec 16 16:37:41 PST 2013

On 17/12/13 01:17, Ben Chan wrote:
> When wait_for_final_state_context_complete_and_free is invoked, if the callback
> associated with the GSimpleAsyncResult object of the WaitForFinalStateContext
> object updates the modem state via mm_iface_modem_update_state, state_changed
> is invoked, which causes wait_for_final_state_context_complete_and_free to be
> invoked again on the same WaitForFinalStateContext object. That leads to the
> following crash, which is observed sometimes when a modem is being disabled.
> 

Pushed, thanks.

> Thread 0 *CRASHED* ( SIGSEGV @ 0x00000000 )
> 
> 0x7fcb7728f202   [libgobject-2.0.so.0.3400.3] - gobject.c:2916              g_object_unref
> 0x7fcb7743205c   [ModemManager]               - mm-broadband-modem.c:8034   disabling_context_complete_and_free
> 0x7fcb77434d64   [ModemManager]               - mm-broadband-modem.c:8130   disabling_wait_for_final_state_ready
> 0x7fcb770c0b86   [libgio-2.0.so.0.3400.3]     - gsimpleasyncresult.c:775    g_simple_async_result_complete
> 0x7fcb7740cdbc   [ModemManager]               - mm-iface-modem.c:101]       wait_for_final_state_context_complete_and_free
> 0x7fcb7740ce19   [ModemManager]               - mm-iface-modem.c:128]       state_changed_wait_expired
> 0x7fcb76f78c33   [libglib-2.0.so.0.3400.3]    - gmain.c:4026]               g_timeout_dispatch
> 0x7fcb76f78087   [libglib-2.0.so.0.3400.3]    - gmain.c:2715]               g_main_context_dispatch
> 0x7fcb76f78437   [libglib-2.0.so.0.3400.3]    - gmain.c:3290]               g_main_context_iterate
> 0x7fcb76f78891   [libglib-2.0.so.0.3400.3]    - gmain.c:3484]               g_main_loop_run
> 0x7fcb773f4d55   [ModemManager]               - main.c:142]                 main
> 0x7fcb7698a9c6   [libc-2.15.so]               - libc-start.c:234]           __libc_start_main
> 0x7fcb773f48b8   [ModemManager]               + 0x000218b8]
> ---
>  src/mm-iface-modem.c | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/src/mm-iface-modem.c b/src/mm-iface-modem.c
> index befb0e2..faf83cb 100644
> --- a/src/mm-iface-modem.c
> +++ b/src/mm-iface-modem.c
> @@ -98,9 +98,14 @@ typedef struct {
>  static void
>  wait_for_final_state_context_complete_and_free (WaitForFinalStateContext *ctx)
>  {
> +    /* The callback associated with 'ctx->result' may update the modem state.
> +     * Disconnect the signal handler for modem state changes before completing
> +     * 'ctx->result' in order to prevent state_changed from being invoked, which
> +     * invokes wait_for_final_state_context_complete_and_free (ctx) again. */
> +    g_signal_handler_disconnect (ctx->self, ctx->state_changed_id);
> +
>      g_simple_async_result_complete (ctx->result);
>      g_object_unref (ctx->result);
> -    g_signal_handler_disconnect (ctx->self, ctx->state_changed_id);
>      g_source_remove (ctx->state_changed_wait_id);
>      g_object_unref (ctx->self);
>      g_slice_free (WaitForFinalStateContext, ctx);
> 

-- 
Aleksander