Hi Daniel,

I think I have a fix for this, but wanted to see if it worked before sending it out. What's going on is you are trying to connect multiple times, and the second connect happens before IWD has associated to the first. This causes an immediate callback which our code did not expect and you end up with NULL pointers which were assumed to be set.

I can't seem to trigger this with iwctl, probably because my APs are associating faster than my fingers can type. Since you are able to trigger this reliably would you mind testing it out? Attached is the patch.

Thanks,
James

On Mon, 2021-04-05 at 20:45 +0200, Daniel Wagner wrote:
> Hi,
>
> I was hacking on ConnMan and was able to reliably trigger this crash
> with the current head:
>
> ++++++++ backtrace ++++++++
> #0  0x7f4e1504e530 in /lib64/libc.so.6
> #1  0x432b54 in network_get_security() at src/network.c:253
> #2  0x416e92 in station_handshake_setup() at src/station.c:937
> #3  0x41a505 in __station_connect_network() at src/station.c:2551
> #4  0x41a683 in station_disconnect_onconnect_cb() at src/station.c:2581
> #5  0x40b4ae in netdev_disconnect() at src/netdev.c:3142
> #6  0x41a719 in station_disconnect_onconnect() at src/station.c:2603
> #7  0x41a89d in station_connect_network() at src/station.c:2652
> #8  0x433f1d in network_connect_psk() at src/network.c:886
> #9  0x43483a in network_connect() at src/network.c:1183
> #10 0x4add11 in _dbus_object_tree_dispatch() at ell/dbus-service.c:1802
> #11 0x49ff54 in message_read_handler() at ell/dbus.c:285
> #12 0x496d2f in io_callback() at ell/io.c:120
> #13 0x495894 in l_main_iterate() at ell/main.c:478
> #14 0x49599b in l_main_run() at ell/main.c:521
> #15 0x495cb3 in l_main_run_with_signal() at ell/main.c:647
> #16 0x404add in main() at src/main.c:490
> #17 0x7f4e15038b25 in /lib64/libc.so.6
>
>
> The sequence which seems to trigger it
>
>  - set autoconnect to a known network
>  - connect to this network immediately
>
> I was not sure if setting the autoconnect will trigger the connect or
> not. Anyway, crashing seems a bit harsh to let me know that I am
> doing something wrong ;)
>
> The same crash happened when I blocked the STA from the AP. I've
> collected a pcap as well. Not sure if you need it.
>
> https://www.monom.org/data/blocked.pcap
>
> Thanks,
> Daniel
>
> ps: note the above call trace, the pcap and the call trace below
> are collected from separate crashes.
>
>
> (gdb) bt full
> #0  0x000000000043306e in network_get_security (network=0x0) at src/network.c:253
> No locals.
> #1  0x00000000004172eb in station_handshake_setup (station=0x54bf40, network=0x0, bss=0x0) at src/station.c:938
>         security = 5553984
>         settings = 0x4e8070 <__func__.14>
>         wiphy = 0x417de5
>         hs = 0x7fffffffe710
>         ssid = 0x54d6d0 ""
>         eapol_proto_version = 0
>         value = 0x4e71eb "State"
>         full_random = false
>         override = false
>         new_addr = "\177\000\000QwA"
>         __func__ = "station_handshake_setup"
> #2  0x000000000041a9b7 in __station_connect_network (station=0x54bf40, network=0x0, bss=0x0) at src/station.c:2553
>         extra_ies = 0x7fffffffe810
>         iov_elems = 0
>         hs = 0x0
>         r = 0
>         __func__ = "__station_connect_network"
> #3  0x000000000041ab35 in station_disconnect_onconnect_cb (netdev=0x54b4a0, success=true, user_data=0x54bf40) at src/station.c:2583
>         station = 0x54bf40
>         err = 0
> #4  0x000000000040b81e in netdev_disconnect (netdev=0x54b4a0, cb=0x41aae8 , user_data=0x54bf40) at src/netdev.c:3242
>         disconnect = 0x7fffffffe7d8
>         send_disconnect = false
> #5  0x000000000041abcb in station_disconnect_onconnect (station=0x54bf40, network=0x558720, bss=0x5593e0, message=0x557bc0) at src/station.c:2605
> No locals.
> #6  0x000000000041ad60 in station_connect_network (station=0x54bf40, network=0x558720, bss=0x5593e0, message=0x557bc0) at src/station.c:2653
>         dbus = 0x538d00
>         err = 2
> #7  0x0000000000434437 in network_connect_psk (network=0x558720, bss=0x5593e0, message=0x557bc0) at src/network.c:884
>         station = 0x54bf40
>         need_passphrase = false
>         __func__ = "network_connect_psk"
> #8  0x0000000000434d54 in network_connect (dbus=0x538d00, message=0x557bc0, user_data=0x558720) at src/network.c:1183
>         network = 0x558720
>         station = 0x54bf40
>         bss = 0x5593e0
>         __func__ = "network_connect"
> #9  0x00000000004ae3f7 in _dbus_object_tree_dispatch (tree=0x53bee0, dbus=0x538d00, message=0x557bc0) at ell/dbus-service.c:1802
>         path = 0x558c38 "/net/connman/iwd/2/39/41636865726f6e_psk"
>         interface = 0x558c88 "net.connman.iwd.Network"
>         member = 0x558ca8 "Connect"
>         msg_sig = 0x4fadd9 ""
>         sig = 0x5464a5 ""
>         node = 0x54cd10
>         instance = 0x551b70
>         method = 0x546490
>         reply = 0x0
> #10 0x00000000004a063a in message_read_handler (io=0x539df0, user_data=0x538d00) at ell/dbus.c:285
>         dbus = 0x538d00
>         message = 0x557bc0
>         header = 0x558c20
>         body = 0x0
>         header_size = 160
>         body_size = 0
>         msgtype = DBUS_MESSAGE_TYPE_METHOD_CALL
> #11 0x0000000000497415 in io_callback (fd=6, events=1, user_data=0x539df0) at ell/io.c:120
>         io = 0x539df0
> #12 0x0000000000495f7a in l_main_iterate (timeout=-1) at ell/main.c:478
>         events = {{events = 1, data = {ptr = 0x539e70, fd = 5480048, u32 = 5480048, u64 = 5480048}},
>           {events = 4, data = {ptr = 0x539e70, fd = 5480048, u32 = 5480048, u64 = 5480048}},
>           {events = 4, data = {ptr = 0x539e70, fd = 5480048, u32 = 5480048, u64 = 5480048}},
>           {events = 5, data = {ptr = 0x539e70, fd = 5480048, u32 = 5480048, u64 = 5480048}},
>           {events = 1, data = {ptr = 0x54ff50, fd = 5570384, u32 = 5570384, u64 = 5570384}},
>           {events = 0, data = {ptr = 0x10, fd = 16, u32 = 16, u64 = 16}},
>           {events = 4294967224, data = {ptr = 0xffffffff, fd = -1, u32 = 4294967295, u64 = 4294967295}},
>           {events = 0, data = {ptr = 0x0, fd = 0, u32 = 0, u64 = 0}},
>           {events = 0, data = {ptr = 0xf7e6334400000000, fd = 0, u32 = 0, u64 = 17863021339162443776}},
>           {events = 32767, data = {ptr = 0x53e6b0, fd = 5498544, u32 = 5498544, u64 = 5498544}}}
>         data = 0x539e70
>         n = 0
>         nfds = 1
> #13 0x0000000000496081 in l_main_run () at ell/main.c:525
>         timeout = -1
> #14 0x0000000000496399 in l_main_run_with_signal (callback=0x403a2e , user_data=0x0) at ell/main.c:647
>         data = 0x53e4e0
>         sigint = 0x53e500
>         sigterm = 0x53e680
>         result = 0
> #15 0x0000000000404add in main (argc=2, argv=0x7fffffffec58) at src/main.c:490
>         enable_dbus_debug = false
>         exit_status = 1
>         dbus = 0x538d00
>         config_dir = 0x4e3a51 "/etc/iwd"
>         config_dirs = 0x5347a0
>         i = 1
>         __func__ = "main"
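
The "immediate callback" hazard described in the reply above, as an added example that is not part of the thread, IWD's source, or the attached patch. It is a simplified model: every name in it is hypothetical, and it assumes the pending network is stored only after the disconnect call returns, which is consistent with frames #2 to #5 of the `bt full` output (`network=0x0` in the callback, `network=0x558720` in the caller).

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical model; every name here is illustrative, none is IWD code. */
struct station;
typedef void (*disconnect_cb)(struct station *st);

struct station {
    const char *pending_network; /* network to join after the disconnect */
    bool associated;             /* false while the first connect is in flight */
    disconnect_cb deferred;      /* completion waiting for the event loop */
    int result;                  /* 0 = handshake set up, -1 = network was NULL */
};

/* With nothing associated there is no frame to send, so the callback runs
 * before this function returns; otherwise it is deferred to the loop. */
static void model_disconnect(struct station *st, disconnect_cb cb)
{
    if (!st->associated)
        cb(st);
    else
        st->deferred = cb;
}

static void on_disconnected(struct station *st)
{
    /* Check rather than dereference: NULL here is the crash condition. */
    st->result = st->pending_network ? 0 : -1;
}

static void start_connect(struct station *st, const char *net, bool store_first)
{
    if (store_first)
        st->pending_network = net;   /* robust: state set before any callback */
    model_disconnect(st, on_disconnected);
    if (!store_first)
        st->pending_network = net;   /* fragile: too late if cb already ran */
}

/* Runs one scenario and returns what the callback observed. */
int run_case(bool associated, bool store_first)
{
    struct station st = { NULL, associated, NULL, -2 };

    start_connect(&st, "constructed-ssid", store_first);
    if (st.deferred)                 /* one event-loop pass */
        st.deferred(&st);
    return st.result;
}
```

With `associated` true the fragile ordering still works, which matches the report that the crash does not reproduce when the AP associates quickly.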