linux-bluetooth.vger.kernel.org archive mirror
* [PATCH] obexd: Fix transfer has been free during transfer_abort_response func
@ 2022-06-14 11:49 wangyouwan
  2022-06-14 13:51 ` bluez.test.bot
  2022-06-14 20:40 ` [PATCH] " Luiz Augusto von Dentz
  0 siblings, 2 replies; 3+ messages in thread
From: wangyouwan @ 2022-06-14 11:49 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: wangyouwan

Breakpoint 7, transfer_new (obex=0x5555555f5b50, opcode=2 '\002',
complete_func=0x555555590c40 <xfer_complete>, user_data=0x5555555f7000)
at gobex/gobex-transfer.c:254
254     gobex/gobex-transfer.c:
(gdb) c
Continuing.

Breakpoint 3, transfer_complete (transfer=0x5555555f5f40, err=0x5555555f6d60)
at gobex/gobex-transfer.c:99
99      in gobex/gobex-transfer.c
(gdb) c
Continuing.

Breakpoint 4, xfer_complete (obex=0x5555555f5b50, err=0x5555555f6d60,
user_data=0x5555555f7000)
at obexd/client/transfer.c:659
659     obexd/client/transfer.c:
(gdb) n
661     in obexd/client/transfer.c
(gdb) n
663     in obexd/client/transfer.c
(gdb) p callback->func
$17 = (transfer_callback_t) 0x5555555885e0 <transfer_complete>
(gdb) c
Continuing.

Breakpoint 3, transfer_complete (transfer=0x5555555f7000, err=0x5555555f6d60,
user_data=0x5555555f48d0) at obexd/client/session.c:964
964     obexd/client/session.c:
(gdb) c
Continuing.

Breakpoint 5, transfer_free (transfer=0x5555555f5f40) at gobex/gobex-transfer.c:61
61      gobex/gobex-transfer.c:
(gdb) n
63      in gobex/gobex-transfer.c
(gdb) p transfer->id
$18 = 1
(gdb) c
Continuing.

Breakpoint 2, transfer_abort_response (obex=0x5555555f5b50, err=0x0, rsp=0x5555555f0810,
user_data=0x5555555f5f40) at gobex/gobex-transfer.c:116
116     in gobex/gobex-transfer.c
(gdb) n
118     in gobex/gobex-transfer.c
(gdb) p transfer->id
$19 = 1432314080
(gdb) c
Continuing.

Breakpoint 3, transfer_complete (transfer=0x5555555f5f40, err=0x5555555f6f00) at gobex/gobex-transfer.c:99
99      in gobex/gobex-transfer.c
(gdb) c
Continuing.

Breakpoint 4, xfer_complete (obex=0x5555555f5b50, err=0x5555555f6f00, user_data=0x5555555f7000)
at obexd/client/transfer.c:659
659     obexd/client/transfer.c:
(gdb) n
661     in obexd/client/transfer.c
(gdb) p callback->func
$20 = (transfer_callback_t) 0x5555555f6420
(gdb) n
663     in obexd/client/transfer.c
(gdb) n
668     in obexd/client/transfer.c
(gdb) n
671     in obexd/client/transfer.c
(gdb) n
672     in obexd/client/transfer.c
(gdb) n
676     in obexd/client/transfer.c
(gdb) n
679     in obexd/client/transfer.c
(gdb) n
680     in obexd/client/transfer.c
(gdb) n
0x00005555555f6420 in ?? ()
(gdb) n
Cannot find bounds of current function
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x00005555555f6420 in ?? ()
(gdb)
---
 gobex/gobex-transfer.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/gobex/gobex-transfer.c b/gobex/gobex-transfer.c
index c94d018b2..48b1f6962 100644
--- a/gobex/gobex-transfer.c
+++ b/gobex/gobex-transfer.c
@@ -92,7 +92,9 @@ static void transfer_complete(struct transfer *transfer, GError *err)
 		g_obex_drop_tx_queue(transfer->obex);
 	}
 
-	transfer->complete_func(transfer->obex, err, transfer->user_data);
+	if (find_transfer(id) != NULL)
+		transfer->complete_func(transfer->obex, err, transfer->user_data);
+
 	/* Check if the complete_func removed the transfer */
 	if (find_transfer(id) == NULL)
 		return;
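Review bot: the new `find_transfer(id) != NULL` guard comes too late to protect a freed transfer. The context line `g_obex_drop_tx_queue(transfer->obex);` just above it already reads through `transfer`, and the trace in the commit message shows `transfer_abort_response` reading `transfer->id` as 1432314080 through the same pointer (0x5555555f5f40) that `transfer_free` had just released, before `transfer_complete` is entered at all. The stale pointer should be stopped where the abort response is delivered, or the pending response cancelled when the transfer is freed, rather than filtered at this point. The commit message should also state in prose which call sequence frees the transfer; at the moment it consists only of the gdb session.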
-- 
2.20.1





* RE: obexd: Fix transfer has been free during transfer_abort_response func
  2022-06-14 11:49 [PATCH] obexd: Fix transfer has been free during transfer_abort_response func wangyouwan
@ 2022-06-14 13:51 ` bluez.test.bot
  2022-06-14 20:40 ` [PATCH] " Luiz Augusto von Dentz
  1 sibling, 0 replies; 3+ messages in thread
From: bluez.test.bot @ 2022-06-14 13:51 UTC (permalink / raw)
  To: linux-bluetooth, wangyouwan


This is an automated email; please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=650185

---Test result---

Test Summary:
CheckPatch                    FAIL      1.06 seconds
GitLint                       FAIL      0.77 seconds
Prep - Setup ELL              PASS      43.82 seconds
Build - Prep                  PASS      0.58 seconds
Build - Configure             PASS      8.55 seconds
Build - Make                  PASS      1426.59 seconds
Make Check                    PASS      12.09 seconds
Make Check w/Valgrind         PASS      440.91 seconds
Make Distcheck                PASS      233.61 seconds
Build w/ext ELL - Configure   PASS      8.59 seconds
Build w/ext ELL - Make        PASS      1391.37 seconds
Incremental Build with patches PASS      0.00 seconds

Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script with rule in .checkpatch.conf
Output:
obexd: Fix transfer has been free during transfer_abort_response func
WARNING:COMMIT_LOG_LONG_LINE: Possible unwrapped commit description (prefer a maximum 75 chars per line)
#64: 
Breakpoint 3, transfer_complete (transfer=0x5555555f5f40, err=0x5555555f6d60)

WARNING:LONG_LINE: line length of 82 exceeds 80 columns
#158: FILE: gobex/gobex-transfer.c:96:
+		transfer->complete_func(transfer->obex, err, transfer->user_data);

/github/workspace/src/12880945.patch total: 0 errors, 2 warnings, 10 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

/github/workspace/src/12880945.patch has style problems, please review.

NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPDX_LICENSE_TAG SPLIT_STRING SSCANF_TO_KSTRTO

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.


##############################
Test: GitLint - FAIL
Desc: Run gitlint with rule in .gitlint
Output:
obexd: Fix transfer has been free during transfer_abort_response func
35: B1 Line exceeds max length (82>80): "Breakpoint 5, transfer_free (transfer=0x5555555f5f40) at gobex/gobex-transfer.c:61"
44: B1 Line exceeds max length (88>80): "Breakpoint 2, transfer_abort_response (obex=0x5555555f5b50, err=0x0, rsp=0x5555555f0810,"
54: B1 Line exceeds max length (106>80): "Breakpoint 3, transfer_complete (transfer=0x5555555f5f40, err=0x5555555f6f00) at gobex/gobex-transfer.c:99"
59: B1 Line exceeds max length (95>80): "Breakpoint 4, xfer_complete (obex=0x5555555f5b50, err=0x5555555f6f00, user_data=0x5555555f7000)"




---
Regards,
Linux Bluetooth



* Re: [PATCH] obexd: Fix transfer has been free during transfer_abort_response func
  2022-06-14 11:49 [PATCH] obexd: Fix transfer has been free during transfer_abort_response func wangyouwan
  2022-06-14 13:51 ` bluez.test.bot
@ 2022-06-14 20:40 ` Luiz Augusto von Dentz
  1 sibling, 0 replies; 3+ messages in thread
From: Luiz Augusto von Dentz @ 2022-06-14 20:40 UTC (permalink / raw)
  To: wangyouwan; +Cc: linux-bluetooth@vger.kernel.org

Hi,

On Tue, Jun 14, 2022 at 4:55 AM wangyouwan <wangyouwan@uniontech.com> wrote:
>
> Breakpoint 7, transfer_new (obex=0x5555555f5b50, opcode=2 '\002',
> complete_func=0x555555590c40 <xfer_complete>, user_data=0x5555555f7000)
> at gobex/gobex-transfer.c:254
> 254     gobex/gobex-transfer.c:
> (gdb) c
> Continuing.
>
> Breakpoint 3, transfer_complete (transfer=0x5555555f5f40, err=0x5555555f6d60)
> at gobex/gobex-transfer.c:99
> 99      in gobex/gobex-transfer.c
> (gdb) c
> Continuing.
>
> Breakpoint 4, xfer_complete (obex=0x5555555f5b50, err=0x5555555f6d60,
> user_data=0x5555555f7000)
> at obexd/client/transfer.c:659
> 659     obexd/client/transfer.c:
> (gdb) n
> 661     in obexd/client/transfer.c
> (gdb) n
> 663     in obexd/client/transfer.c
> (gdb) p callback->func
> $17 = (transfer_callback_t) 0x5555555885e0 <transfer_complete>
> (gdb) c
> Continuing.
>
> Breakpoint 3, transfer_complete (transfer=0x5555555f7000, err=0x5555555f6d60,
> user_data=0x5555555f48d0) at obexd/client/session.c:964
> 964     obexd/client/session.c:
> (gdb) c
> Continuing.
>
> Breakpoint 5, transfer_free (transfer=0x5555555f5f40) at gobex/gobex-transfer.c:61
> 61      gobex/gobex-transfer.c:
> (gdb) n
> 63      in gobex/gobex-transfer.c
> (gdb) p transfer->id
> $18 = 1
> (gdb) c
> Continuing.
>
> Breakpoint 2, transfer_abort_response (obex=0x5555555f5b50, err=0x0, rsp=0x5555555f0810,
> user_data=0x5555555f5f40) at gobex/gobex-transfer.c:116
> 116     in gobex/gobex-transfer.c
> (gdb) n
> 118     in gobex/gobex-transfer.c
> (gdb) p transfer->id
> $19 = 1432314080
> (gdb) c
> Continuing.
>
> Breakpoint 3, transfer_complete (transfer=0x5555555f5f40, err=0x5555555f6f00) at gobex/gobex-transfer.c:99
> 99      in gobex/gobex-transfer.c
> (gdb) c
> Continuing.
>
> Breakpoint 4, xfer_complete (obex=0x5555555f5b50, err=0x5555555f6f00, user_data=0x5555555f7000)
> at obexd/client/transfer.c:659
> 659     obexd/client/transfer.c:
> (gdb) n
> 661     in obexd/client/transfer.c
> (gdb) p callback->func
> $20 = (transfer_callback_t) 0x5555555f6420
> (gdb) n
> 663     in obexd/client/transfer.c
> (gdb) n
> 668     in obexd/client/transfer.c
> (gdb) n
> 671     in obexd/client/transfer.c
> (gdb) n
> 672     in obexd/client/transfer.c
> (gdb) n
> 676     in obexd/client/transfer.c
> (gdb) n
> 679     in obexd/client/transfer.c
> (gdb) n
> 680     in obexd/client/transfer.c
> (gdb) n
> 0x00005555555f6420 in ?? ()
> (gdb) n
> Cannot find bounds of current function
> (gdb) c
> Continuing.
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x00005555555f6420 in ?? ()
> (gdb)
> ---
>  gobex/gobex-transfer.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/gobex/gobex-transfer.c b/gobex/gobex-transfer.c
> index c94d018b2..48b1f6962 100644
> --- a/gobex/gobex-transfer.c
> +++ b/gobex/gobex-transfer.c
> @@ -92,7 +92,9 @@ static void transfer_complete(struct transfer *transfer, GError *err)
>                 g_obex_drop_tx_queue(transfer->obex);
>         }
>
> -       transfer->complete_func(transfer->obex, err, transfer->user_data);
> +       if (find_transfer(id) != NULL)
> +               transfer->complete_func(transfer->obex, err, transfer->user_data);

I would rather fix the code calling transfer_complete rather
than its side effect if the transfer has been freed already. Also, it might
be better to use valgrind to collect the backtrace, since it should be
able to tell us where the transfer pointer is being freed.

>         /* Check if the complete_func removed the transfer */
>         if (find_transfer(id) == NULL)
>                 return;
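Review bot: with the added test placed directly above the existing `find_transfer(id) == NULL` check, the not-found path now skips `complete_func` and returns, so whoever owns `user_data` is never told that the transfer ended. If a guard is kept here at all, do one lookup, decide explicitly whether completion still has to be reported, and return early instead of repeating the lookup on consecutive statements. The `transfer->complete_func(...)` line is also 82 columns wide, as the checkpatch output in this thread reports, and needs wrapping.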
> --
> 2.20.1
>
>
>


-- 
Luiz Augusto von Dentz
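
One way to keep a late response callback from reaching a freed transfer, the situation the gdb trace in this thread shows, is to hand the callback an id and resolve it through the registry on every use. This is an added example, not BlueZ code and not part of either message; the registry and the `reg_find`, `reg_new`, `reg_free` and `on_abort_response` names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
/* Hypothetical miniature of an id-keyed transfer registry (not BlueZ code). */
#define MAX_TRANSFERS 8
struct transfer { unsigned int id; int completed; };
static struct transfer *slots[MAX_TRANSFERS];
static unsigned int next_id = 1;	/* ids are never reused */

static struct transfer *reg_find(unsigned int id)
{
	for (int i = 0; i < MAX_TRANSFERS; i++)
		if (slots[i] && slots[i]->id == id)
			return slots[i];
	return NULL;
}

static unsigned int reg_new(void)
{
	for (int i = 0; i < MAX_TRANSFERS; i++) {
		if (slots[i])
			continue;
		slots[i] = calloc(1, sizeof(*slots[i]));
		return slots[i] ? (slots[i]->id = next_id++) : 0;
	}
	return 0;	/* registry full */
}

static void reg_free(unsigned int id)
{
	for (int i = 0; i < MAX_TRANSFERS; i++)
		if (slots[i] && slots[i]->id == id) {
			free(slots[i]);
			slots[i] = NULL;	/* unregister together with the free */
		}
}

/* Late response handler: its user data is the id, never the raw pointer. */
static int on_abort_response(unsigned int id)
{
	struct transfer *t = reg_find(id);
	return t ? ++t->completed : -1;	/* -1: freed meanwhile, no dereference */
}

int main(void)
{
	unsigned int id = reg_new();
	reg_free(id);
	printf("late response after free: %d\n", on_abort_response(id));
	return 0;
}
```

Because ids only ever increase, a new transfer that happens to be allocated at the old address is not mistaken for the freed one.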
