supplicant: fix crash setting supplicant state down

When we receive a "InterfaceRemoved" signal, we will end up calling set_state_down(). That emits a "state" change signal, which causes NMDeviceWifi to unref the supplicant interface. This may already give up the last reference, and we cleanup the supplicant state (by again calling set_state_down()). When we return, set_state_down() will crash because it operates on an already destroyed instance. Avoid that by keeping a reference to the interface during set_state_down(). Fixes: b83f07916a ('supplicant: large rework of wpa_supplicant handling') https://bugzilla.redhat.com/show_bug.cgi?id=1815058
2026-01-02 18:10:26 +01:00 · 2020-03-20 11:32:42 +01:00 · 2020-03-20 11:32:42 +01:00 · 11797f4ad4
commit 11797f4ad4
parent c03f88575d
2 changed files with 5 additions and 0 deletions
--- a/src/supplicant/nm-supplicant-interface.c
+++ b/src/supplicant/nm-supplicant-interface.c
@ -947,6 +947,7 @@ set_state_down (NMSupplicantInterface *self,
                gboolean force_remove_from_supplicant,
                const char *reason)
 {
+	_nm_unused gs_unref_object NMSupplicantInterface *self_keep_alive = g_object_ref (self);
 	NMSupplicantInterfacePrivate *priv = NM_SUPPLICANT_INTERFACE_GET_PRIVATE (self);
 	NMSupplicantBssInfo *bss_info;
 	NMSupplicantPeerInfo *peer_info;
--- a/src/supplicant/nm-supplicant-manager.c
+++ b/src/supplicant/nm-supplicant-manager.c
@ -1053,6 +1053,10 @@ _supp_iface_remove_one (NMSupplicantManager *self,
                        gboolean force_remove_from_supplicant,
                        const char *reason)
 {
+#if NM_MORE_ASSERTS
+	_nm_unused gs_unref_object NMSupplicantInterface *supp_iface_keep_alive = g_object_ref (supp_iface);
+#endif
+
 	nm_assert (NM_IS_SUPPLICANT_MANAGER (self));
 	nm_assert (NM_IS_SUPPLICANT_INTERFACE (supp_iface));
 	nm_assert (c_list_contains (&NM_SUPPLICANT_MANAGER_GET_PRIVATE (self)->supp_lst_head, &supp_iface->supp_lst));