Message ID | 20240408200905.2983892-1-denkenz@gmail.com (mailing list archive) |
---|---|
State | Superseded |
Commit | a4e8c26e4bfc57452ec87972aa499419a62acb4f |
Headers | show |
Series | [1/2] modem: remove atom entry prior to invoking the watch callback | expand |
Hello: This series was applied to ofono.git (master) by Denis Kenzior <denkenz@gmail.com>: On Mon, 8 Apr 2024 15:09:03 -0500 you wrote: > In __ofono_atom_free, the atom is removed from the list prior to > invoking __ofono_atom_unregister. This ensures that any invocation of > __ofono_atom_find or __ofono_modem_find_atom() will fail to find the > just-removed object when invoked from the atom watch. > > The above does not hold in flush_atoms() implementation, which can lead > to surprising results. Make sure that the atom is removed from the > modem's atom list prior to invoking __ofono_atom_unregister in all > cases. > > [...] Here is the summary with links: - [1/2] modem: remove atom entry prior to invoking the watch callback https://git.kernel.org/pub/scm/network/ofono/ofono.git/?id=a4e8c26e4bfc - [2/2] hfp_ag_bluez5: Fix use-after-free (no matching commit) You are awesome, thank you!
diff --git a/src/modem.c b/src/modem.c index bfd5d7a81c45..7d93c3234e83 100644 --- a/src/modem.c +++ b/src/modem.c @@ -480,13 +480,6 @@ static void flush_atoms(struct ofono_modem *modem, enum modem_state new_state) continue; } - __ofono_atom_unregister(atom); - - if (atom->destruct) - atom->destruct(atom); - - g_free(atom); - if (prev) prev->next = cur->next; else @@ -495,6 +488,13 @@ static void flush_atoms(struct ofono_modem *modem, enum modem_state new_state) tmp = cur; cur = cur->next; g_slist_free_1(tmp); + + __ofono_atom_unregister(atom); + + if (atom->destruct) + atom->destruct(atom); + + g_free(atom); } }