
iface-modem-3gpp-profile-manager: correct a GError instance ownership

The call to g_task_return_error() takes ownership of the GError passed to it; we must not free it ourselves upon automatic pointer cleanup.

Otherwise a crash can be triggered in the error handling path:

  ModemManager[259816]: <debug> [1633088468.157848] [modem0/modemu/at] <-- '<CR><LF>OK<CR><LF>'
  ModemManager[259816]: <debug> [1633088468.159832] [modem0] stored profile with id '1'
  ModemManager[259816]: <debug> [1633088468.160501] [modem0] set profile state (7/8): list after
  ModemManager[259816]: <debug> [1633088468.161686] [modem0/modemu/at] device open count is 3 (open)
  ModemManager[259816]: <debug> [1633088468.162320] [modem0/modemu/at] device open count is 2 (close)
  ModemManager[259816]: <debug> [1633088468.162746] [modem0/modemu/at] --> 'AT+CGDCONT?<CR>'
  ModemManager[259816]: <debug> [1633088468.177437] [modem0/modemu/at] <-- '<CR><LF>ERROR<CR><LF>'
  ModemManager[259816]: <debug> [1633088468.178011] [modem0/modemu/at] operation failure: 100 (Unknown error)
  ModemManager[259816]: <warn>  [1633088468.182420] [modem0/bearer0] connection attempt #1 failed: Couldn't validate update of profile '1': Unknown error
  ModemManager[259816]: <info>  [1633088468.193156] [modem0/bearer0] connection #1 finished: duration 0s, tx: 0 bytes, rx: 0 bytes
  ModemManager[259816]: <debug> [1633088468.194280] [modem0] couldn't connect bearer: Couldn't validate update of profile '1': Unknown error
  ==259816== Invalid read of size 4
  ==259816==    at 0x4FF66CF: UnknownInlinedFun (gerror.c:535)
  ==259816==    by 0x4FF66CF: g_error_free (gerror.c:832)
  ==259816==    by 0x1A7F49: UnknownInlinedFun (glib-autocleanups.h:52)
  ==259816==    by 0x1A7F49: UnknownInlinedFun (glib-autocleanups.h:52)
  ==259816==    by 0x1A7F49: profile_manager_get_profile_after_ready (mm-iface-modem-3gpp-profile-manager.c:140)
  ==259816==    by 0x4E342C9: g_task_return_now (gtask.c:1219)
  ==259816==    by 0x4E344CA: UnknownInlinedFun (gtask.c:1289)
  ==259816==    by 0x4E344CA: g_task_return (gtask.c:1245)
  ==259816==    by 0x1A867C: get_profile_list_ready (mm-iface-modem-3gpp-profile-manager.c:680)
  ==259816==    by 0x4E342C9: g_task_return_now (gtask.c:1219)
  ==259816==    by 0x4E344CA: UnknownInlinedFun (gtask.c:1289)
  ==259816==    by 0x4E344CA: g_task_return (gtask.c:1245)
  ==259816==    by 0x1A3DB5: internal_list_profiles_ready (mm-iface-modem-3gpp-profile-manager.c:774)
  ==259816==    by 0x4E342C9: g_task_return_now (gtask.c:1219)
  ==259816==    by 0x4E344CA: UnknownInlinedFun (gtask.c:1289)
  ==259816==    by 0x4E344CA: g_task_return (gtask.c:1245)
  ==259816==    by 0x1D7B8B: profile_manager_cgdcont_query_ready (mm-broadband-modem.c:10240)
  ==259816==    by 0x4E1DB61: g_simple_async_result_complete (gsimpleasyncresult.c:802)
  ==259816==  Address 0x9286da0 is 0 bytes inside a block of size 16 free'd
  ==259816==    at 0x48440E4: free (vg_replace_malloc.c:755)
  ==259816==    by 0x500FD1C: g_free (gmem.c:199)
  ==259816==    by 0x502A22F: g_slice_free1 (gslice.c:1180)
  ==259816==    by 0x4FF6780: g_error_free (gerror.c:864)
  ==259816==    by 0x1B22D2: connect_bearer_ready (mm-iface-modem-simple.c:286)
  ==259816==    by 0x4E342C9: g_task_return_now (gtask.c:1219)
  ==259816==    by 0x4E344CA: UnknownInlinedFun (gtask.c:1289)
  ==259816==    by 0x4E344CA: g_task_return (gtask.c:1245)
  ==259816==    by 0x18031A: connect_ready (mm-base-bearer.c:917)
  ==259816==    by 0x4E342C9: g_task_return_now (gtask.c:1219)
  ==259816==    by 0x4E344CA: UnknownInlinedFun (gtask.c:1289)
  ==259816==    by 0x4E344CA: g_task_return (gtask.c:1245)
  ==259816==    by 0x18329B: connect_3gpp_ready (mm-broadband-bearer.c:918)
  ==259816==    by 0x4E342C9: g_task_return_now (gtask.c:1219)
  ==259816==  Block was alloc'd at
  ==259816==    at 0x484186F: malloc (vg_replace_malloc.c:380)
  ==259816==    by 0x5013408: g_malloc (gmem.c:106)
  ==259816==    by 0x502ACB4: g_slice_alloc (gslice.c:1069)
  ==259816==    by 0x502B33D: g_slice_alloc0 (gslice.c:1095)
  ==259816==    by 0x4FF64E6: g_error_allocate (gerror.c:702)
  ==259816==    by 0x4FF6F03: UnknownInlinedFun (gerror.c:716)
  ==259816==    by 0x4FF6F03: g_error_copy (gerror.c:886)
  ==259816==    by 0x4E1D0A0: g_simple_async_result_set_from_error (gsimpleasyncresult.c:676)
  ==259816==    by 0x236AAB: port_serial_got_response (mm-port-serial.c:744)
  ==259816==    by 0x23B0F1: UnknownInlinedFun (mm-port-serial.c:934)
  ==259816==    by 0x23B0F1: common_input_available (mm-port-serial.c:1035)
  ==259816==    by 0x500AF9E: UnknownInlinedFun (gmain.c:3337)
  ==259816==    by 0x500AF9E: g_main_context_dispatch (gmain.c:4055)
  ==259816==    by 0x505F607: g_main_context_iterate.constprop.0 (gmain.c:4131)
  ==259816==    by 0x500A562: g_main_loop_run (gmain.c:4329)
Edited by Lubomir Rintel
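As an added illustration, not ModemManager's or GLib's own code: a minimal C model of the ownership rule described in the commit message, with constructed stand-ins for GError, g_autoptr(), g_steal_pointer() and g_task_return_error(). The free counter is a modelling device so the double free is counted rather than executed.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for GError (not GLib's). */
typedef struct { int code; char message[64]; } Error;
static int free_count;   /* error_free() calls; a correct path frees once */
static Error *error_new(int code, const char *msg)
{
    Error *e = calloc(1, sizeof *e);
    e->code = code;
    strncpy(e->message, msg, sizeof e->message - 1);
    return e;
}

/* Stand-in for g_error_free(): counts calls and deliberately leaves the
 * block allocated, so a second call is observable rather than undefined. */
static void error_free(Error *e) { if (e) free_count++; }

/* Model of g_autoptr(GError): free the variable when its scope ends. */
static void error_cleanup(Error **pp) { error_free(*pp); }
#define autoptr_Error __attribute__((cleanup(error_cleanup))) Error *

/* Model of g_steal_pointer(): hand the pointer out, leave NULL behind. */
static void *steal_pointer(void **pp) { void *p = *pp; *pp = NULL; return p; }
#define STEAL(pp) steal_pointer((void **)(pp))

/* Model of g_task_return_error(): the callee takes ownership and releases
 * the error itself (GTask does so later; here immediately). */
static void task_return_error(Error *err) { error_free(err); }

/* Buggy shape: ownership handed over, yet the autocleanup still runs on
 * the non-NULL variable when the callback returns, so it is freed twice. */
int buggy_callback(void)
{
    free_count = 0;
    {
        autoptr_Error error = error_new(100, "Unknown error");
        task_return_error(error);
    }                               /* cleanup frees again: count is 2 */
    return free_count;
}
/* Fixed shape: steal the pointer so the autocleanup sees NULL. */
int fixed_callback(void)
{
    free_count = 0;
    {
        autoptr_Error error = error_new(100, "Unknown error");
        task_return_error(STEAL(&error));
    }                               /* cleanup is a no-op: count is 1 */
    return free_count;
}
```

Under Valgrind or ASan the real GLib version of the buggy shape reports exactly the "Invalid read" inside g_error_free shown in the trace above, with the first free attributed to the GTask machinery and the second to glib-autocleanups.h.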