From: Denis Kenzior <denkenz@gmail.com>
To: ofono@ofono.org
Subject: Re: Crash in sim_query_fac_pinlock_cb
Date: Tue, 30 May 2017 18:12:09 -0500	[thread overview]
Message-ID: <c60061de-4df4-fd9f-3af7-fd3a87ab828c@gmail.com> (raw)
In-Reply-To: <8b6a22c9-ceb2-46ba-dcb7-ad853de424bc@gmail.com>

Hi,

On 05/23/2017 11:39 AM, cantabile wrote:
> Hello.
>
> Ofono crashes as soon as I plug in my Nokia 5230 in "OVI Suite" mode.
> Ofono is the latest from git. Here is the backtrace:
>
> (gdb) bt full
> #0  0x0000000000526a5f in sim_query_fac_pinlock_cb
> (error=0x7fffffffdfd0, status=8799424, data=0x2) at src/sim.c:2476
>         sim = 0x2
> #1  0x000000000044faa0 in check_sec_response (msg=0x7fffffffe120,
> opaque=0x80c370, success=2 '\002', failure=3 '\003') at
> drivers/isimodem/sim.c:468
>         e = {type = OFONO_ERROR_TYPE_NO_ERROR, error = 0}
>         __ofono_debug_desc = {name = 0x0, file = 0x58f389
> "drivers/isimodem/sim.c", flags = 0}
>         __ofono_debug_desc = {name = 0x0, file = 0x58f389
> "drivers/isimodem/sim.c", flags = 0}
>         __ofono_debug_desc = {name = 0x0, file = 0x58f389
> "drivers/isimodem/sim.c", flags = 0}
>         __ofono_debug_desc = {name = 0x0, file = 0x58f389
> "drivers/isimodem/sim.c", flags = 0}
>         cbd = 0x80c370
>         cb = 0x526a40 <sim_query_fac_pinlock_cb>
>         sim = 0x8644c0
>         id = 2 '\002'
>         cause = 0 '\000'
> #2  0x000000000044fc57 in sec_code_state_resp_cb (msg=0x7fffffffe120,
> opaque=0x80c370) at drivers/isimodem/sim.c:649
> No locals.
> #3  0x0000000000436ae6 in pending_remove_and_dispatch (op=0x80c590,
> msg=0x7fffffffe120) at gisi/modem.c:171
>         modem = 0x8de2b0
> #4  0x0000000000437e04 in service_dispatch (mux=0x830a50,
> msg=0x7fffffffe120, is_indication=0) at gisi/modem.c:218
>         next = 0x0
>         pend = 0x80c590
>         msgid = 2 '\002'
>         utid = 3 '\003'
>         l = 0x8a8400 = {0x80baa0}
> #5  0x00000000004358e6 in isi_callback (channel=0x8df790, cond=G_IO_IN,
> data=0x8de2b0) at gisi/modem.c:334
>         msg = {addr = 0x7fffffffe160, version = 0x830a60, error = 0,
> data = 0x7fffffffe0f0, len = 4, private = 0x7ffff7b39670
> <g_thread_self+16>}
>         key = 8
>         buf = 0x7fffffffe0f0
>         addr = {spn_family = 35, spn_obj = 46 '.', spn_dev = 0 '\000',
> spn_resource = 8 '\b', __pad = "\000\000\000\000\000\000\000\000\000\000"}
>         mux = 0x830a50
>         modem = 0x8de2b0
>         len = 4
>         fd = 11
> #6  0x00007ffff7b1145a in g_main_context_dispatch () from
> /usr/lib/libglib-2.0.so.0
> No symbol table info available.
> #7  0x00007ffff7b11810 in ?? () from /usr/lib/libglib-2.0.so.0
> No symbol table info available.
> #8  0x00007ffff7b11b32 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
> No symbol table info available.
> #9  0x00000000004eebee in main (argc=1, argv=0x7fffffffe428) at
> src/main.c:256
>         context = 0x803df0
>         err = 0x0
>         conn = 0x80a440
>         error = {name = 0x0, message = 0x0, dummy1 = 1, dummy2 = 0,
> dummy3 = 1, dummy4 = 1, dummy5 = 0, padding1 = 0x720000007b}
>         signal = 1
> (gdb)
>
>
> You'll notice that the function pointer cb being called in
> check_sec_response (frame #1) is of type
>
> typedef void (*ofono_sim_lock_unlock_cb_t)(const struct ofono_error
> *error, void *data);
>
> It takes two parameters. The value of the function pointer is
> sim_query_fac_pinlock_cb, which takes three parameters.

It is quite obvious the driver implementation is wrong.  Someone was a 
bit too copy-paste happy.  When this driver was submitted, the query API 
was not being exercised, hence this path was never tested.

I do not know/have the ISI specs, nor do I have any functional ISI 
hardware.  In effect, the ISI driver code is not maintained.  If you 
want to fix this, then you will need to figure out what the callback 
implementation should look like.  Perhaps this RFC version of the 
current driver code might be of use, see sec_code_state_resp_cb() in 
particular:
https://lists.ofono.org/pipermail/ofono/2010-October/005154.html

Regards,
-Denis
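An added example (not ofono code) of the failure mode this thread diagnoses: a callback stored as an untyped pointer is invoked through a two-argument type while the stored function expects three, so the callee reads the `data` argument as `status` (in the backtrace, status=8799424 is 0x8644c0, the `sim` pointer of frame #1, while `data` is left as garbage). The C below models the same dispatch with a tag that records which signature was stored, so a mismatched delivery is refused instead of called through the wrong type; the struct and callback types are minimal stand-ins and do not reproduce ofono's real definitions.

```c
#include <stddef.h>

/* Minimal stand-ins for the two ofono callback shapes involved (assumption: shapes only). */
struct ofono_error { int type; int error; };
typedef void (*lock_unlock_cb_t)(const struct ofono_error *error, void *data);
typedef void (*query_facility_cb_t)(const struct ofono_error *error, int status, void *data);

/* Tagged callback: the tag records which signature was stored, so a dispatcher
 * cannot invoke a three-argument callback as a two-argument one. */
enum cb_kind { CB_LOCK_UNLOCK, CB_QUERY_FACILITY };
struct cb_data {
	enum cb_kind kind;
	union { lock_unlock_cb_t lock_unlock; query_facility_cb_t query; } cb;
	void *data;
};

/* Each dispatcher checks the tag and returns 0 on a mismatch instead of calling
 * through the wrong function type, which is undefined behaviour in C. */
static int dispatch_lock_unlock(const struct cb_data *cbd, const struct ofono_error *e)
{
	if (cbd->kind != CB_LOCK_UNLOCK)
		return 0;
	cbd->cb.lock_unlock(e, cbd->data);
	return 1;
}

static int dispatch_query(const struct cb_data *cbd, const struct ofono_error *e, int status)
{
	if (cbd->kind != CB_QUERY_FACILITY)
		return 0;
	cbd->cb.query(e, status, cbd->data);
	return 1;
}

/* Test double standing in for the core's sim object (constructed for this example). */
struct sim_stub { int status; int calls; };
static void query_cb(const struct ofono_error *e, int status, void *data)
{
	struct sim_stub *sim = data;
	(void)e;
	sim->status = status;
	sim->calls++;
}

/* Store a query callback, then try to deliver it through the lock/unlock path
 * (the mistake in check_sec_response) and through the matching query path.
 * Returns 1 when the wrong path was refused and the right path was delivered. */
static int run_demo(struct sim_stub *sim)
{
	struct ofono_error e = { 0, 0 };
	struct cb_data cbd = { CB_QUERY_FACILITY, { .query = query_cb }, sim };
	int wrong = dispatch_lock_unlock(&cbd, &e); /* refused: tag mismatch */
	int right = dispatch_query(&cbd, &e, 1);    /* delivered with status=1 */
	return (wrong == 0 && right == 1) ? 1 : 0;
}
```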

Thread overview: 3+ messages
2017-05-23 16:39 Crash in sim_query_fac_pinlock_cb cantabile
2017-05-30 23:12 ` Denis Kenzior [this message]
2017-05-31  9:02   ` cantabile