Add unacknowledged send event in ubus

Piotr Lavrov requested to merge add-unacknowledged-send-event into devel

hostapd normally sends events in ubus.c and waits for acknowledgement. If while waiting it receives some other message it calls the corresponding callback. If the callback removes the interface and releases its data the process crashes with SIGSEGV. One of the possible cases is given below:

    Program terminated with signal SIGSEGV, Segmentation fault.
    bt
    #0 0x0051ebbc in hostapd_check_ht_capab (iface=0xb6f08020) at ../src/ap/hw_features.c:694
    (gdb)
    (gdb) bt
    #0 0x0051ebbc in hostapd_check_ht_capab (iface=0xb6f08020) at ../src/ap/hw_features.c:694
    #1 hostapd_check_ht_capab (iface=iface@entry=0xb6f08020) at ../src/ap/hw_features.c:688
    #2 0x0051fb24 in hostapd_acs_completed (iface=0xb6f08020, err=) at ../src/ap/hw_features.c:1060
    #3 0x0052aedc in acs_study (iface=0xb6f08020) at ../src/ap/acs.c:1008
    #4 acs_scan_complete (iface=0xb6f08020) at ../src/ap/acs.c:1045
    #5 0x004d7fe4 in send_scan_event (drv=drv@entry=0xb6f10b40, aborted=aborted@entry=0, tb=0xbedfbc20, tb@entry=0xbedfbc18, external_scan=) at ../src/drivers/driver_nl80211_event.c:1409
    #6 0x004d8570 in do_process_drv_event (tb=0xbedfbc18, cmd=34, bss=0xb6c4af70) at ../src/drivers/driver_nl80211_event.c:3060
    #7 process_global_event (msg=, arg=0xb6f10590) at ../src/drivers/driver_nl80211_event.c:3288
    #8 0xb6c084b4 in recvmsgs (cb=0xb6c30990, sk=0xb6cbeb20) at nl.c:645
    #9 nl_recvmsgs (sk=0xb6cbeb20, cb=0xb6c30990) at nl.c:692
    #10 0x004bcf4c in wpa_driver_nl80211_event_receive (sock=, eloop_ctx=0xb6c30990, handle=0xb6cbeb20) at ../src/drivers/driver_nl80211.c:1787
    #11 0x00461128 in eloop_sock_table_dispatch (nfds=1, events=0x2d30) at ../src/utils/eloop.c:625
    #12 eloop_run () at ../src/utils/eloop.c:1238
    #13 hostapd_global_run (pid_file=, daemonize=, ifaces=) at main.c:447
    #14 main (argc=, argv=0x547233) at main.c:905
    (gdb) p *iface
    = {interfaces = 0xbedfcd0c, owner = 0x0, config_fname = 0xb6f094d0 /var/run/hostapd-phy1.conf, conf = 0x0, ...}
    (gdb) p *iface->conf
    Cannot access memory at address 0x0

To avoid such crashes an alternative context is added, and ubus_send_event(ctx_ev, service, b.head); does not wait, and thus the further execution does not fail. Several wifi tests have been run; no difference to the wifi behavior without this patch has been seen.
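The re-entrancy hazard described above, as an added illustration that is not part of the merge request or of hostapd: a send that dispatches callbacks while waiting can return with `iface->conf` already released, so the caller must re-check it before use. All types and function names below are hypothetical stand-ins, not hostapd or libubus APIs.

```c
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical, simplified stand-ins; not hostapd or libubus types. */
struct conf  { int ht_capab; };
struct iface { struct conf *conf; };

typedef void (*pending_cb)(struct iface *);
static pending_cb pending;   /* message that arrives during the wait */

/* Callback that tears the interface data down, leaving conf == NULL
 * as seen in the gdb output above. */
static void remove_iface_cb(struct iface *i) { free(i->conf); i->conf = NULL; }

/* Acknowledged send: while waiting for the ack it dispatches whatever
 * other message is pending, so arbitrary callbacks run re-entrantly. */
static void send_event_acked(struct iface *i)
{
    if (pending) { pending_cb cb = pending; pending = NULL; cb(i); }
}

/* Unacknowledged send: hands the event off and returns at once;
 * pending messages stay queued for the main loop. */
static void send_event_unacked(struct iface *i) { (void)i; }

/* Caller that touches iface->conf after sending. Returns -1 instead of
 * dereferencing NULL when the interface was removed during the send. */
static int notify_then_check(struct iface *i, void (*send)(struct iface *))
{
    send(i);
    if (i->conf == NULL)
        return -1;           /* re-entrant removal detected */
    return i->conf->ht_capab;
}

/* One scenario: a removal message is pending when the event is sent.
 * acked != 0 selects the waiting send, 0 the non-waiting one. */
int run_scenario(int acked)
{
    struct iface i = { .conf = malloc(sizeof(struct conf)) };
    if (!i.conf)
        return -2;
    i.conf->ht_capab = 1;    /* constructed sample value */
    pending = remove_iface_cb;
    int r = notify_then_check(&i, acked ? send_event_acked : send_event_unacked);
    pending = NULL;
    free(i.conf);            /* free(NULL) is a no-op */
    return r;
}
```
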