diff options
| author | Sergio Checa Blanco <sergio.checa@bmw-carit.de> | 2014-06-27 09:56:07 +0200 |
|---|---|---|
| committer | Denis Kenzior <denkenz@gmail.com> | 2014-06-30 13:22:10 -0500 |
| commit | 6369cc902ceea75a5d74bf2d1a7223b9ee94cff5 (patch) | |
| tree | a231a214466e37fd10d10aa6297f574ca5cdebbe /drivers/hsomodem | |
| parent | d05b718cc0b0d367227fbfbf52e60fc5462cc549 (diff) | |
| download | ofono-6369cc902ceea75a5d74bf2d1a7223b9ee94cff5.tar.bz2 | |
hfpmodem: Fix crash with more than two calls
A periodic CLCC polling is started when there is an ongoing multiparty
call and a new call appears in the system. A simple way to reproduce
the crashing scenario is:
1. Place a call.
2. Place a second call.
3. Create a multiparty call with both calls.
4. Place a third call (incoming or outgoing does not matter).
5. Disconnect HFP from the modem.
Within the function ciev_callheld_notify, the AT+CLCC command is also
invoked, thus a new cyclic CLCC polling is started, and it overwrites
the timer resource identifier stored in voicecall_data.clcc_source.
This means that there are several timers doing the CLCC polling, but
only one of those is under control, i.e. it can be removed through its
source identifier, hence a timer source leak.
This has a fatal consequence when the HFP modem is disconnected. The
function hfp_voicecall_remove stops the timer that is under control
before freeing the voicecall_data struct. However there are other timers
that are still active and will execute its handler poll_clcc afterwards.
Inside poll_clcc the driver_data is accessed, which is already NULL.
A solution for this is to avoid starting a CLCC polling if there is
already one active, i.e. clcc_source is not 0. By doing this the
uncontrolled timers will not cycle forever.
Diffstat (limited to 'drivers/hsomodem')
0 files changed, 0 insertions, 0 deletions