mirror of git://git.sysmocom.de/ofono
6369cc902c
A periodic CLCC polling is started when there is an ongoing multiparty call and a new call appears in the system. A simple way to reproduce the crashing scenario is: 1. Place a call. 2. Place a second call. 3. Create a multiparty call with both calls. 4. Place a third call (incoming or outgoing does not matter). 5. Disconnect HFP from the modem. Within the function ciev_callheld_notify, the AT+CLCC command is also invoked, thus a new cyclic CLCC polling is started, and it overwrites the timer resource identifier stored in voicecall_data.clcc_source. This means that there are several timers doing the CLCC polling, but only one of those is under control, i.e. it can be removed through its source identifier, hence a timer source leak. This has a fatal consequence when the HFP modem is disconnected. The function hfp_voicecall_remove stops the timer that is under control before freeing the voicecall_data struct. However, there are other timers that are still active and will execute their handler poll_clcc afterwards. Inside poll_clcc the driver_data is accessed, which is already NULL. A solution for this is to avoid starting a CLCC polling if there is already one active, i.e. clcc_source is not 0. By doing this the uncontrolled timers will not cycle forever. |
||
---|---|---|
atmodem | ||
calypsomodem | ||
cdmamodem | ||
dunmodem | ||
hfpmodem | ||
hsomodem | ||
huaweimodem | ||
iceramodem | ||
ifxmodem | ||
isimodem | ||
mbmmodem | ||
nwmodem | ||
qmimodem | ||
speedupmodem | ||
stemodem | ||
swmodem | ||
ztemodem |