Segmentation Fault when removing P2P group interface on an embedded ARM system
신성호
sungho1.shin
Sun Aug 4 18:21:05 PDT 2013
Hi, all
On an embedded ARM system (with kernel 3.10) I have an issue (segmentation
fault) when removing the P2P group interface.
The test sequences are as follows:
1. Run the wpa_supplicant daemon: wpa_supplicant -Dnl80211 -iwlan0 -c p2p.conf -u -dd
2. Create the P2P GO: wpa_cli -iwlan0 p2p_group_add
3. Remove P2P group interface: wpa_cli -iwlan0 p2p_group_remove p2p-wlan0-0
Running wpa_supplicant I got:
============================================================================
...
dbus: fi.w1.wpa_supplicant1.Interface.P2PDevice.Disconnect (/fi/w1/wpa_supplicant1/Interfaces/3)
wlan0: P2P-GROUP-REMOVED p2p-wlan0-0 GO reason=REQUESTED
dbus: Unregister group object '/fi/w1/wpa_supplicant1/Interfaces/3/Groups/QX'
P2P: Remove group interface p2p-wlan0-0
p2p-wlan0-0: Removing interface p2p-wlan0-0
p2p-wlan0-0: Request to deauthenticate - bssid=02:90:4c:c5:92:38 pending_bssid=00:00:00:00:00:00 reason=3 state=COMPLETED
wpa_driver_nl80211_disconnect(reason_code=3)
p2p-wlan0-0: nl80211: MLME command failed: reason=3 ret=-95 (Operation not supported)
p2p-wlan0-0: Event DEAUTH (12) received
p2p-wlan0-0: Deauthentication notification
p2p-wlan0-0: * reason 3 (locally generated)
Deauthentication frame IE(s) - hexdump(len=0): [NULL]
p2p-wlan0-0: Ignore deauth event in AP mode
p2p-wlan0-0: No keys have been configured - skip key clearing
p2p-wlan0-0: Flushing old station entries
p2p-wlan0-0: Deauthenticate all stations
...
p2p-wlan0-0: State: COMPLETED -> DISCONNECTED
wpa_driver_nl80211_set_operstate: operstate 1->0 (DORMANT)
netlink: Operstate: linkmode=-1, operstate=5
EAPOL: External notification - portEnabled=0
EAPOL: Supplicant port status: Unauthorized
EAPOL: External notification - portValid=0
EAPOL: Supplicant port status: Unauthorized
EAPOL: External notification - EAP success=0
EAPOL: Supplicant port status: Unauthorized
p2p-wlan0-0: No keys have been configured - skip key clearing
dbus: Unregister network object '/fi/w1/wpa_supplicant1/Interfaces/3/Networks/0'
dbus: wpa_dbus_unregister_object_per_iface: Could not obtain object's private data: /fi/w1/wpa_supplicant1/Interfaces/3/Networks/0
Segmentation fault
============================================================================
I debugged it and I found the problem.
It tries to unregister a Network path which is not an object path.
I can see the object path related to P2P after creating the P2P GO:
- /fi/w1/wpa_supplicant1/Interfaces/3/
It is the object path related to p2p-wlan0-0, and
/fi/w1/wpa_supplicant1/Interfaces/3/Networks/0 is not an object path.
In wpa_dbus_unregister_object_per_iface() in dbus_new_helpers.c,
============================================================================
...
if (!dbus_connection_unregister_object_path(con, path)) /* <- segmentation fault point */
	return -1;
...
============================================================================
Why is '/fi/w1/wpa_supplicant1/Interfaces/3/Networks/0' unregistered?
As I mentioned before, it is not an object path.
On an x86 system (Ubuntu 12.04), there is no segmentation fault and it works
fine; however, I can see an unknown message which is not created by
wpa_supplicant, as below:
============================================================================
...
dbus: Unregister network object '/fi/w1/wpa_supplicant1/Interfaces/3/Networks/0'
dbus: wpa_dbus_unregister_object_per_iface: Could not obtain object's private data: /fi/w1/wpa_supplicant1/Interfaces/3/Networks/0
Attempted to unregister path (path[0] = fi path[1] = w1) which isn't registered --> unknown message
p2p-wlan0-0: Cancelling scan request
p2p-wlan0-0: Cancelling authentication timeout
...
============================================================================
I think if the value of path is not an object path, it is not necessary to do
dbus_connection_unregister_object_path(con, path).
I changed the source code and both systems work fine.
============================================================================
diff -urN A/wpa_supplicant/dbus/dbus_new_helpers.c
B/wpa_supplicant/dbus/dbus_new_helpers.c
--- A/wpa_supplicant/dbus/dbus_new_helpers.c
+++ B/wpa_supplicant/dbus/dbus_new_helpers.c
@@ -590,6 +590,7 @@
if (!obj_desc) {
wpa_printf(MSG_ERROR, "dbus: %s: Could not obtain object's "
"private data: %s", __func__, path);
+ return 0;
} else {
eloop_cancel_timeout(flush_object_timeout_handler, con,
obj_desc);
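Review bot: The `return 0;` added in the `if (!obj_desc)` branch reports success immediately after the condition is logged at MSG_ERROR, so callers cannot tell an unregistered path from a clean unregister. Consider returning -1 here, or lowering the log level if this case is expected during P2P group removal. With the early return in place, the `} else {` wrapper around eloop_cancel_timeout() is no longer needed and can be flattened. The change skips dbus_connection_unregister_object_path() for paths with no private data, but it does not address why the caller asks to unregister /fi/w1/wpa_supplicant1/Interfaces/3/Networks/0 when that path was never registered; the call site deserves a fix as well so the error path is not hit on every group removal.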
============================================================================
I don't know exactly why dbus_connection_unregister_object_path(con, path)
generates a segmentation fault on my ARM system.
However, I think if path is not an object path, we don't need
dbus_connection_unregister_object_path(con, path).
Is it a bug or am I making a mistake?
It would be great if you could take a look at the patch and tell me what you
think about it.
BTW, I attached the patch file.
Best Regards,
Sungho
-------------- next part --------------
A non-text attachment was scrubbed...
Name: wpa_supplicant-2.0.patch
Type: application/octet-stream
Size: 608 bytes
Desc: not available
URL: <http://lists.shmoo.com/pipermail/hostap/attachments/20130805/cef409ca/attachment-0001.obj>