commit 977f50cdf476be26c1e88eace25ea0b1955cc5ab
author Andrew Lassalle <andrewlassalle@chromium.org> Wed May 26 12:56:18 2021 -0700
committer Commit Bot <commit-bot@chromium.org> Sat May 29 18:42:59 2021 +0000
tree 4521429ec19798c3adf899c00a8998b1f9fc3981
parent 58e3d1065bd47329a16f137e04795066432e357e

CHROMIUM: broadband-modem-qmi: Fix crash on array free

Freeing the values of the array is not correct and causes a crash when
modemmanager is stopped. Cleanup the logic related to the creation and
disposing of the array.

BUG=b:189112803
TEST=restart modemmanager and check for crashes.
TEST=Run `tast run lazor network.ModemmanagerInhibitDevice` with and
without this fix, and see no crashes with the fix.

Change-Id: I587fdba9bebd6a4b5abf6c2ca0038bdc930d8556
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/modemmanager-next/+/2919179
Tested-by: Andrew Lassalle <andrewlassalle@chromium.org>
Commit-Queue: Andrew Lassalle <andrewlassalle@chromium.org>
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
Reviewed-by: Pavan Holla <pholla@google.com>
(cherry picked from commit 7efa220ad0a003b05613e3e75d8e2d79570b26dd)
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/modemmanager-next/+/2926139
Auto-Submit: Andrew Lassalle <andrewlassalle@chromium.org>
Commit-Queue: Vincent Palatin <vpalatin@chromium.org>

src/mm-broadband-modem-qmi.c

diff --git a/src/mm-broadband-modem-qmi.c b/src/mm-broadband-modem-qmi.c
index eada6da..15f0e4b 100644
--- a/src/mm-broadband-modem-qmi.c
+++ b/src/mm-broadband-modem-qmi.c
@@ -8769,8 +8769,12 @@
         return;
     }
 
+    /* Resize array to match |current_list| */
+    g_array_set_size (self->priv->current_pdn_list, current_list->len);
+
     mm_obj_dbg (self, "Found %u LTE attach PDNs defined", current_list->len);
     for (i = 0; i < current_list->len; i++) {
+        g_array_index (self->priv->current_pdn_list, guint16, i) = g_array_index (current_list, guint16, i);
         if (i == 0) {
             self->priv->default_attach_pdn = g_array_index (current_list, guint16, i);
             mm_obj_dbg (self, "Default LTE attach PDN profile: %u", self->priv->default_attach_pdn);
@@ -8778,11 +8782,6 @@
             mm_obj_dbg (self, "Additional LTE attach PDN profile: %u", g_array_index (current_list, guint16, i));
     }
 
-    if (self->priv->current_pdn_list)
-        g_array_free (self->priv->current_pdn_list, TRUE);
-
-    self->priv->current_pdn_list = g_array_copy (current_list);
-
     load_initial_eps_bearer_get_profile_settings (task, client);
 }
 
@@ -10534,6 +10533,7 @@
     self->priv = G_TYPE_INSTANCE_GET_PRIVATE (self,
                                               MM_TYPE_BROADBAND_MODEM_QMI,
                                               MMBroadbandModemQmiPrivate);
+    self->priv->current_pdn_list = g_array_new (FALSE, FALSE, sizeof (guint16));
 }
 
 static void
@@ -10549,6 +10549,9 @@
     if (self->priv->supported_bands)
         g_array_unref (self->priv->supported_bands);
 
+    if (self->priv->current_pdn_list)
+        g_array_free (self->priv->current_pdn_list, TRUE);
+
     G_OBJECT_CLASS (mm_broadband_modem_qmi_parent_class)->finalize (object);
 }
 
@@ -10573,9 +10576,6 @@
     g_list_free_full (self->priv->firmware_list, g_object_unref);
     self->priv->firmware_list = NULL;
 
-    if (self->priv->current_pdn_list)
-        g_array_free (self->priv->current_pdn_list, TRUE);
-
     g_clear_object (&self->priv->current_firmware);
 
     G_OBJECT_CLASS (mm_broadband_modem_qmi_parent_class)->dispose (object);