SIGSEGV in Supplicant

abdoulaye berthe berthe.ab
Tue Jun 2 06:33:12 PDT 2015 

Hi,

Thanks for your suggestion.
Your assumption about a pending querry that was not started is
probably correct but I cannot confirm it since I do not have a way to
reproduce this issue. For the same reason I am unable to test your
patch and give you a feedback. I have two questions though :

1- If this (the crash) happens for gas_query isn't it likely that it
will happen for other usage of the the circular list ?
2- if we call radio_remove_works(wpa_s, "gas-query", 0); in
wpa_supplicant_cleanup() as suggested by your patch, should we keep
the other call of the same function in radio_remove_interface.
(radio_remove_works(wpa_s, NULL, 0);) ? Note that gas_query_start_cb
will be called again in this function with deinit=1.

Cheers,
/Abdoulaye

On Mon, Jun 1, 2015 at 12:44 PM, Peer, Ilan <ilan.peer at intel.com> wrote:
> Hi,
>
> It is possible that in this flow, there was a pending query that was not started yet, so when gas_query_deinit() flow was executed and gas_query_free() was called, the 'query' object was freed, but without having the radio work removed. Thus, later, when all the radio works of the interface were removed, gas_query_start_cb() is called, which in turn called gas_query_free() which tried to access query->list which resulted with a segfault.
>
> Can you please check if the attached patch fixes things? (I did not test it ...)
>
> Regards,
>
> Ilan.
>
>> -----Original Message-----
>> From: hostap-bounces at lists.shmoo.com [mailto:hostap-
>> bounces at lists.shmoo.com] On Behalf Of abdoulaye berthe
>> Sent: Monday, June 01, 2015 11:06
>> To: hostap at lists.shmoo.com
>> Cc: mikael.kanstrup at sonymobile.com; Abdoulaye Berthe
>> Subject: SIGSEGV in Supplicant
>>
>> Hi,
>>
>> We have experienced a supplicant crash in dl_list_del(?). We have
>> disassemble the supplicant binary used and we got the following call
>> stack:
>>
>> gas_query_free
>> radio_remove_works (from this one the call back gas_query_start_cb is
>> called) wpa_supplicant_deinit_iface wpa_supplicant_remove_iface
>>
>> the lines around the crash:
>>
>> 05-15 19:36:29.373 1484 1484 I wpa_supplicant: wlan0: GAS-QUERY-DONE
>> addr=74:91:1a:10:eb:59 dialog_token=2 freq=2422 status_code=0
>> result=TIMEOUT
>> 05-15 19:36:29.373 1484 1484 I wpa_supplicant: wlan0: Starting ANQP fetch
>> for 74:91:1a:50:eb:58
>> 05-15 19:36:29.374 1484 1484 I wpa_supplicant: wlan0: GAS-QUERY-START
>> addr=74:91:1a:50:eb:58 dialog_token=3 freq=2422
>> 05-15 19:36:29.471 1484 1484 I wpa_supplicant: wlan0: CTRL-EVENT-SCAN-
>> STARTED
>> 05-15 19:36:30.056 1484 1484 I wpa_supplicant: p2p0: CTRL-EVENT-
>> TERMINATING
>> 05-15 19:36:30.124 1484 1484 I wpa_supplicant: wlan0: GAS-QUERY-DONE
>> addr=74:91:1a:50:eb:58 dialog_token=3 freq=2422 status_code=0
>> result=DELETED_AT_DEINIT
>> 05-15 19:36:30.124 1484 1484 I wpa_supplicant: wlan0: ANQP fetch
>> completed
>> 05-15 19:36:30.124 1484 1484 I wpa_supplicant: wlan0:
>> INTERWORKING-NO-MATCH No network with matching credentials found
>> 05-15 19:36:30.124 1484 1484 F libc : Fatal signal 11 (SIGSEGV), code 1, fault
>> addr 0x4 in tid 1484 (wpa_supplicant)
>>
>> Could it be due to an attempt to delete the head list twice with dl_list_del ?
>>
>> Cheers
>> _______________________________________________
>> HostAP mailing list
>> HostAP at lists.shmoo.com
>> http://lists.shmoo.com/mailman/listinfo/hostap

More information about the Hostap mailing list