* Crash in sim_query_fac_pinlock_cb
@ 2017-05-23 16:39 cantabile
2017-05-30 23:12 ` Denis Kenzior
From: cantabile @ 2017-05-23 16:39 UTC (permalink / raw)
To: ofono
Hello.

Ofono crashes as soon as I plug in my Nokia 5230 in "OVI Suite" mode.
Ofono is the latest from git. Here is the backtrace:

(gdb) bt full
#0 0x0000000000526a5f in sim_query_fac_pinlock_cb
(error=0x7fffffffdfd0, status=8799424, data=0x2) at src/sim.c:2476
sim = 0x2
#1 0x000000000044faa0 in check_sec_response (msg=0x7fffffffe120,
opaque=0x80c370, success=2 '\002', failure=3 '\003') at
drivers/isimodem/sim.c:468
e = {type = OFONO_ERROR_TYPE_NO_ERROR, error = 0}
__ofono_debug_desc = {name = 0x0, file = 0x58f389
"drivers/isimodem/sim.c", flags = 0}
__ofono_debug_desc = {name = 0x0, file = 0x58f389
"drivers/isimodem/sim.c", flags = 0}
__ofono_debug_desc = {name = 0x0, file = 0x58f389
"drivers/isimodem/sim.c", flags = 0}
__ofono_debug_desc = {name = 0x0, file = 0x58f389
"drivers/isimodem/sim.c", flags = 0}
cbd = 0x80c370
cb = 0x526a40 <sim_query_fac_pinlock_cb>
sim = 0x8644c0
id = 2 '\002'
cause = 0 '\000'
#2 0x000000000044fc57 in sec_code_state_resp_cb (msg=0x7fffffffe120,
opaque=0x80c370) at drivers/isimodem/sim.c:649
No locals.
#3 0x0000000000436ae6 in pending_remove_and_dispatch (op=0x80c590,
msg=0x7fffffffe120) at gisi/modem.c:171
modem = 0x8de2b0
#4 0x0000000000437e04 in service_dispatch (mux=0x830a50,
msg=0x7fffffffe120, is_indication=0) at gisi/modem.c:218
next = 0x0
pend = 0x80c590
msgid = 2 '\002'
utid = 3 '\003'
l = 0x8a8400 = {0x80baa0}
#5 0x00000000004358e6 in isi_callback (channel=0x8df790, cond=G_IO_IN,
data=0x8de2b0) at gisi/modem.c:334
msg = {addr = 0x7fffffffe160, version = 0x830a60, error = 0,
data = 0x7fffffffe0f0, len = 4, private = 0x7ffff7b39670 <g_thread_self+16>}
key = 8
buf = 0x7fffffffe0f0
addr = {spn_family = 35, spn_obj = 46 '.', spn_dev = 0 '\000',
spn_resource = 8 '\b', __pad = "\000\000\000\000\000\000\000\000\000\000"}
mux = 0x830a50
modem = 0x8de2b0
len = 4
fd = 11
#6 0x00007ffff7b1145a in g_main_context_dispatch () from
/usr/lib/libglib-2.0.so.0
No symbol table info available.
#7 0x00007ffff7b11810 in ?? () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#8 0x00007ffff7b11b32 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#9 0x00000000004eebee in main (argc=1, argv=0x7fffffffe428) at
src/main.c:256
context = 0x803df0
err = 0x0
conn = 0x80a440
error = {name = 0x0, message = 0x0, dummy1 = 1, dummy2 = 0,
dummy3 = 1, dummy4 = 1, dummy5 = 0, padding1 = 0x720000007b}
signal = 1
(gdb)

You'll notice that the function pointer cb being called in
check_sec_response (frame #1) is of type

typedef void (*ofono_sim_lock_unlock_cb_t)(const struct ofono_error *error, void *data);

It takes two parameters. The value of the function pointer is
sim_query_fac_pinlock_cb, which takes three parameters.

I don't know if the wrong function is being called, or if the right
function is being called using the wrong function pointer type. I hope
someone here can figure it out.
* Re: Crash in sim_query_fac_pinlock_cb
From: Denis Kenzior @ 2017-05-30 23:12 UTC (permalink / raw)
To: ofono
Hi,
On 05/23/2017 11:39 AM, cantabile wrote:
> Hello.
>
> Ofono crashes as soon as I plug in my Nokia 5230 in "OVI Suite" mode.
> Ofono is the latest from git. Here is the backtrace:
>
> (gdb) bt full
> #0 0x0000000000526a5f in sim_query_fac_pinlock_cb
> (error=0x7fffffffdfd0, status=8799424, data=0x2) at src/sim.c:2476
> sim = 0x2
> #1 0x000000000044faa0 in check_sec_response (msg=0x7fffffffe120,
> opaque=0x80c370, success=2 '\002', failure=3 '\003') at
> drivers/isimodem/sim.c:468
> e = {type = OFONO_ERROR_TYPE_NO_ERROR, error = 0}
> __ofono_debug_desc = {name = 0x0, file = 0x58f389
> "drivers/isimodem/sim.c", flags = 0}
> __ofono_debug_desc = {name = 0x0, file = 0x58f389
> "drivers/isimodem/sim.c", flags = 0}
> __ofono_debug_desc = {name = 0x0, file = 0x58f389
> "drivers/isimodem/sim.c", flags = 0}
> __ofono_debug_desc = {name = 0x0, file = 0x58f389
> "drivers/isimodem/sim.c", flags = 0}
> cbd = 0x80c370
> cb = 0x526a40 <sim_query_fac_pinlock_cb>
> sim = 0x8644c0
> id = 2 '\002'
> cause = 0 '\000'
> #2 0x000000000044fc57 in sec_code_state_resp_cb (msg=0x7fffffffe120,
> opaque=0x80c370) at drivers/isimodem/sim.c:649
> No locals.
> #3 0x0000000000436ae6 in pending_remove_and_dispatch (op=0x80c590,
> msg=0x7fffffffe120) at gisi/modem.c:171
> modem = 0x8de2b0
> #4 0x0000000000437e04 in service_dispatch (mux=0x830a50,
> msg=0x7fffffffe120, is_indication=0) at gisi/modem.c:218
> next = 0x0
> pend = 0x80c590
> msgid = 2 '\002'
> utid = 3 '\003'
> l = 0x8a8400 = {0x80baa0}
> #5 0x00000000004358e6 in isi_callback (channel=0x8df790, cond=G_IO_IN,
> data=0x8de2b0) at gisi/modem.c:334
> msg = {addr = 0x7fffffffe160, version = 0x830a60, error = 0,
> data = 0x7fffffffe0f0, len = 4, private = 0x7ffff7b39670
> <g_thread_self+16>}
> key = 8
> buf = 0x7fffffffe0f0
> addr = {spn_family = 35, spn_obj = 46 '.', spn_dev = 0 '\000',
> spn_resource = 8 '\b', __pad = "\000\000\000\000\000\000\000\000\000\000"}
> mux = 0x830a50
> modem = 0x8de2b0
> len = 4
> fd = 11
> #6 0x00007ffff7b1145a in g_main_context_dispatch () from
> /usr/lib/libglib-2.0.so.0
> No symbol table info available.
> #7 0x00007ffff7b11810 in ?? () from /usr/lib/libglib-2.0.so.0
> No symbol table info available.
> #8 0x00007ffff7b11b32 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
> No symbol table info available.
> #9 0x00000000004eebee in main (argc=1, argv=0x7fffffffe428) at
> src/main.c:256
> context = 0x803df0
> err = 0x0
> conn = 0x80a440
> error = {name = 0x0, message = 0x0, dummy1 = 1, dummy2 = 0,
> dummy3 = 1, dummy4 = 1, dummy5 = 0, padding1 = 0x720000007b}
> signal = 1
> (gdb)
>
>
> You'll notice that the function pointer cb being called in
> check_sec_response (frame #1) is of type
>
> typedef void (*ofono_sim_lock_unlock_cb_t)(const struct ofono_error
> *error, void *data);
>
> It takes two parameters. The value of the function pointer is
> sim_query_fac_pinlock_cb, which takes three parameters.

It is quite obvious the driver implementation is wrong. Someone was a
bit too copy-paste happy. When this driver was submitted, the query API
was not being exercised, hence this path was never tested.

I do not know/have the ISI specs, nor do I have any functional ISI
hardware. In effect, the ISI driver code is not maintained. If you
want to fix this, then you will need to figure out what the callback
implementation should look like. Perhaps this RFC version of the
current driver code might be of use, see sec_code_state_resp_cb() in
particular:
https://lists.ofono.org/pipermail/ofono/2010-October/005154.html

Regards,
-Denis
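
The mismatch is visible in the backtrace itself: status=8799424 in frame #0 is 0x8644c0, the sim pointer from frame #1, so the pointer passed as the second argument was read as status, and data was read from an argument the caller never set. The C sketch below, an added example that is not from the thread or from oFono, stores each callback together with a tag for its signature so that a shared response handler can only call it through its own type. All names in it (cb_data, cb_kind, dispatch_response, sim_state and the sample callbacks) are hypothetical stand-ins.

```c
struct error { int type; };              /* stand-in for struct ofono_error */
struct sim_state { int locked, calls; }; /* constructed sample state */

/* Two-parameter shape (the typedef quoted in the thread) and the
 * three-parameter shape frame #0 shows (error, status, data). */
typedef void (*lock_unlock_cb_t)(const struct error *error, void *data);
typedef void (*query_lock_cb_t)(const struct error *error, int status, void *data);

enum cb_kind { CB_LOCK_UNLOCK, CB_QUERY_LOCK };
struct cb_data {                         /* record that remembers its signature */
	enum cb_kind kind;
	union { lock_unlock_cb_t lock_unlock; query_lock_cb_t query; } cb;
	void *data;
};

/* Typed constructors: a function of the wrong shape is a compile-time diagnostic. */
static struct cb_data cb_lock_unlock(lock_unlock_cb_t cb, void *data)
{
	return (struct cb_data){ CB_LOCK_UNLOCK, { .lock_unlock = cb }, data };
}
static struct cb_data cb_query(query_lock_cb_t cb, void *data)
{
	return (struct cb_data){ CB_QUERY_LOCK, { .query = cb }, data };
}

/* Shared response handler: each callback is called through its own type. */
static int dispatch_response(const struct cb_data *cbd, int ok, int status)
{
	struct error e = { ok ? 0 : 1 };
	if (cbd->kind == CB_LOCK_UNLOCK)
		cbd->cb.lock_unlock(&e, cbd->data);
	else if (cbd->kind == CB_QUERY_LOCK)
		cbd->cb.query(&e, status, cbd->data);
	else
		return -1;               /* unknown kind: refuse rather than guess */
	return 0;
}

/* Constructed sample callbacks, one per signature. */
static void on_unlock(const struct error *error, void *data)
{
	(void)error;
	((struct sim_state *)data)->calls++;
}
static void on_query(const struct error *error, int status, void *data)
{
	struct sim_state *sim = data;
	if (error->type == 0)
		sim->locked = status;
	sim->calls++;
}
```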
* Re: Crash in sim_query_fac_pinlock_cb
From: cantabile @ 2017-05-31 9:02 UTC (permalink / raw)
To: ofono
On 05/31/2017 02:12 AM, Denis Kenzior wrote:
> It is quite obvious the driver implementation is wrong. Someone was a
> bit too copy-paste happy. When this driver was submitted, the query API
> was not being exercised, hence this path was never tested.
>
> I do not know/have the ISI specs, nor do I have any functional ISI
> hardware. In effect, the ISI driver code is not maintained. If you
> want to fix this, then you will need to figure out what the callback
> implementation should look like. Perhaps this RFC version of the
> current driver code might be of use, see sec_code_state_resp_cb() in
> particular:
> https://lists.ofono.org/pipermail/ofono/2010-October/005154.html
>
> Regards,
> -Denis
I'm not inclined to find out what any of this is, so it'll just stay broken.