Large-screen co-construction stability: analysis of a stack-buffer-overflow caused by recursive calls in wpa_supplicant
Symptom:
During a stability soak test a coredump was found. Log analysis shows that a recursive call chain in wpa_supplicant (radio_remove_works->wpas_start_listen_cb->radio_remove_works) caused a stack-buffer-overflow.
Key log evidence:
Device info:GK6780V100
Build info:GKTVOpenHarmonyV100R003C00SPC010
Fingerprint:6fca49096c1b8a418fc314db7469c99d5db8c7b43d9ba3cea7d8adc29c836227
Module name:wifi_hal_service
Timestamp:2025-12-10 23:58:25.211
Pid:4161
Uid:1010
Process name:/system/bin/wifi_hal_service
Process life time:21609s
Reason:Signal:SIGSEGV(SEGV_ACCERR)@0x0000007fa667bff4 current thread stack low address = 0x0000007fa667c000, probably caused by stack-buffer-overflow
Fault thread info:
Tid:4162, Name:WpaMainThread
#00 pc 0000000000023834 /system/lib64/chipset-pub-sdk/libhilog.so(SecOutputPS+104)(b64c06967e337e0ce750086663ee6915)
#01 pc 0000000000023710 /system/lib64/chipset-pub-sdk/libhilog.so(vsnprintfp_s+136)(b64c06967e337e0ce750086663ee6915)
#02 pc 000000000000c080 /system/lib64/chipset-pub-sdk/libhilog.so(HiLogPrintArgs+828)(b64c06967e337e0ce750086663ee6915)
#03 pc 000000000000c650 /system/lib64/chipset-pub-sdk/libhilog.so(HiLogPrint+112)(b64c06967e337e0ce750086663ee6915)
#04 pc 0000000000165524 /system/lib64/libwpa_sys.z.so(wpa_printf.cfi+584)(bae56f564ba23c3a427fc852eeaa6eb3)
#05 pc 00000000002573ec /system/lib64/libwpa_sys.z.so(wpa_driver_set_ap_wps_p2p_ie.cfi+172)(bae56f564ba23c3a427fc852eeaa6eb3)
#06 pc 000000000021c18c /system/lib64/libwpa_sys.z.so(wpas_stop_listen.cfi+128)(bae56f564ba23c3a427fc852eeaa6eb3)
#07 pc 00000000002252e0 /system/lib64/libwpa_sys.z.so(wpas_start_listen_cb.cfi+44)(bae56f564ba23c3a427fc852eeaa6eb3)
#08 pc 00000000001aed78 /system/lib64/libwpa_sys.z.so(radio_remove_works.cfi+216)(bae56f564ba23c3a427fc852eeaa6eb3)
#09 pc 00000000002252e0 /system/lib64/libwpa_sys.z.so(wpas_start_listen_cb.cfi+44)(bae56f564ba23c3a427fc852eeaa6eb3)
#10 pc 00000000001aed78 /system/lib64/libwpa_sys.z.so(radio_remove_works.cfi+216)(bae56f564ba23c3a427fc852eeaa6eb3)
#11 pc 00000000002252e0 /system/lib64/libwpa_sys.z.so(wpas_start_listen_cb.cfi+44)(bae56f564ba23c3a427fc852eeaa6eb3)
#12 pc 00000000001aed78 /system/lib64/libwpa_sys.z.so(radio_remove_works.cfi+216)(bae56f564ba23c3a427fc852eeaa6eb3)
#13 pc 00000000002252e0 /system/lib64/libwpa_sys.z.so(wpas_start_listen_cb.cfi+44)(bae56f564ba23c3a427fc852eeaa6eb3)
#14 pc 00000000001aed78 /system/lib64/libwpa_sys.z.so(radio_remove_works.cfi+216)(bae56f564ba23c3a427fc852eeaa6eb3)
#15 pc 00000000002252e0 /system/lib64/libwpa_sys.z.so(wpas_start_listen_cb.cfi+44)(bae56f564ba23c3a427fc852eeaa6eb3)
#16 pc 00000000001aed78 /system/lib64/libwpa_sys.z.so(radio_remove_works.cfi+216)(bae56f564ba23c3a427fc852eeaa6eb3)
#17 pc 00000000002252e0 /system/lib64/libwpa_sys.z.so(wpas_start_listen_cb.cfi+44)(bae56f564ba23c3a427fc852eeaa6eb3)
#18 pc 00000000001aed78 /system/lib64/libwpa_sys.z.so(radio_remove_works.cfi+216)(bae56f564ba23c3a427fc852eeaa6eb3)
#19 pc 00000000002252e0 /system/lib64/libwpa_sys.z.so(wpas_start_listen_cb.cfi+44)(bae56f564ba23c3a427fc852eeaa6eb3)
#20 pc 00000000001aed78 /system/lib64/libwpa_sys.z.so(radio_remove_works.cfi+216)(bae56f564ba23c3a427fc852eeaa6eb3)
#21 pc 00000000002252e0 /system/lib64/libwpa_sys.z.so(wpas_start_listen_cb.cfi+44)(bae56f564ba23c3a427fc852eeaa6eb3)
#22 pc 00000000001aed78 /system/lib64/libwpa_sys.z.so(radio_remove_works.cfi+216)(bae56f564ba23c3a427fc852eeaa6eb3)
#23 pc 00000000002252e0 /system/lib64/libwpa_sys.z.so(wpas_start_listen_cb.cfi+44)(bae56f564ba23c3a427fc852eeaa6eb3)
#24 pc 00000000001aed78 /system/lib64/libwpa_sys.z.so(radio_remove_works.cfi+216)(bae56f564ba23c3a427fc852eeaa6eb3)
#25 pc 00000000002252e0 /system/lib64/libwpa_sys.z.so(wpas_start_listen_cb.cfi+44)(bae56f564ba23c3a427fc852eeaa6eb3)
#26 pc 00000000001aed78 /system/lib64/libwpa_sys.z.so(radio_remove_works.cfi+216)(bae56f564ba23c3a427fc852eeaa6eb3)
#27 pc 00000000002252e0 /system/lib64/libwpa_sys.z.so(wpas_start_listen_cb.cfi+44)(bae56f564ba23c3a427fc852eeaa6eb3)
#28 pc 00000000001aed78 /system/lib64/libwpa_sys.z.so(radio_remove_works.cfi+216)(bae56f564ba23c3a427fc852eeaa6eb3)
#29 pc 00000000002252e0 /system/lib64/libwpa_sys.z.so(wpas_start_listen_cb.cfi+44)(bae56f564ba23c3a427fc852eeaa6eb3)
#30 pc 00000000001aed78 /system/lib64/libwpa_sys.z.so(radio_remove_works.cfi+216)(bae56f564ba23c3a427fc852eeaa6eb3)
#31 pc 00000000002252e0 /system/lib64/libwpa_sys.z.so(wpas_start_listen_cb.cfi+44)(bae56f564ba23c3a427fc852eeaa6eb3)
#32 pc 00000000001aed78 /system/lib64/libwpa_sys.z.so(radio_remove_works.cfi+216)(bae56f564ba23c3a427fc852eeaa6eb3)
#33 pc 00000000002252e0 /system/lib64/libwpa_sys.z.so(wpas_start_listen_cb.cfi+44)(bae56f564ba23c3a427fc852eeaa6eb3)
#34 pc 00000000001aed78 /system/lib64/libwpa_sys.z.so(radio_remove_works.cfi+216)(bae56f564ba23c3a427fc852eeaa6eb3)
#35 pc 00000000002252e0 /system/lib64/libwpa_sys.z.so(wpas_start_listen_cb.cfi+44)(bae56f564ba23c3a427fc852eeaa6eb3)
#36 pc 00000000001aed78 /system/lib64/libwpa_sys.z.so(radio_remove_works.cfi+216)(bae56f564ba23c3a427fc852eeaa6eb3)
#37 pc 00000000002252e0 /system/lib64/libwpa_sys.z.so(wpas_start_listen_cb.cfi+44)(bae56f564ba23c3a427fc852eeaa6eb3)
#38 pc 00000000001aed78 /system/lib64/libwpa_sys.z.so(radio_remove_works.cfi+216)(bae56f564ba23c3a427fc852eeaa6eb3)
#39 pc 00000000002252e0 /system/lib64/libwpa_sys.z.so(wpas_start_listen_cb.cfi+44)(bae56f564ba23c3a427fc852eeaa6eb3)
#40 pc 00000000001aed78 /system/lib64/libwpa_sys.z.so(radio_remove_works.cfi+216)(bae56f564ba23c3a427fc852eeaa6eb3)
#41 pc 00000000002252e0 /system/lib64/libwpa_sys.z.so(wpas_start_listen_cb.cfi+44)(bae56f564ba23c3a427fc852eeaa6eb3)
// omitted, the recursive call stack is very deep!
Registers:
x0:0000007fa667c030 x1:0000000000000000 x2:fffffffffffffff1 x3:0000007fa667c1c0
x4:0000007fa667c231 x5:0000000000000004 x6:707075735f617077 x7:746e6163696c7070
x8:0000000000000000 x9:0000000000000025 x10:00000000fffffdff x11:ffffffff80001000
x12:0000000000005476 x13:000000007fffffff x14:00000000028d1492 x15:02333355695b1836
x16:0000007fa64e7f70 x17:0000007fa7148300 x18:0000000000000000 x19:0000007fa667c030
x20:0000007fa667c2d0 x21:0000000000000000 x22:0000007fa667c2b0 x23:0000000000000003
x24:000000000d005200 x25:0000007fa667d3b8 x26:0000000000001000 x27:0000000000000fff
x28:0000007f25d4acc2 x29:0000007fa667c240
lr:0000007fa64e3828 sp:0000007fa667bf90 pc:0000007fa64e3834
Log analysis: note that log lines before this point were lost!
The log confirms that the same calls are indeed recursing repeatedly:
行 7676: 12-10 23:58:25.205 0 0 I C00000/HiLog: ========Slow reader missed log lines: 377
行 7754: 12-10 23:58:25.213 0 0 I C00000/HiLog: ========Slow reader missed log lines: 3
行 7789: 12-10 23:58:25.218 0 0 I C00000/HiLog: ========Slow reader missed log lines: 78
行 7831: 12-10 23:58:25.223 0 0 I C00000/HiLog: ========Slow reader missed log lines: 14
行 7908: 12-10 23:58:25.228 0 0 I C00000/HiLog: ========Slow reader missed log lines: 113
行 8008: 12-10 23:58:25.234 0 0 I C00000/HiLog: ========Slow reader missed log lines: 81
行 8175: 12-10 23:58:25.242 0 0 I C00000/HiLog: ========Slow reader missed log lines: 25
行 8207: 12-10 23:58:25.261 0 0 I C00000/HiLog: ========Slow reader missed log lines: 447
行 8215: 12-10 23:58:25.126 4161 4162 D C05200/wpa_supplicant: P2P: p2p-listen is still pending - remove it
行 8218: 12-10 23:58:25.126 4161 4162 D C05200/wpa_supplicant: p2p0: Remove radio work 'p2p-listen'@0x7fa6656c20 (started)
行 8226: 12-10 23:58:25.126 4161 4162 D C05200/wpa_supplicant: P2P: p2p-listen is still pending - remove it
行 8229: 12-10 23:58:25.126 4161 4162 D C05200/wpa_supplicant: p2p0: Remove radio work 'p2p-listen'@0x7fa6656c20 (started)
行 8234: 12-10 23:58:25.126 4161 4162 D C05200/wpa_supplicant: P2P: p2p-listen is still pending - remove it
行 8236: 12-10 23:58:25.126 4161 4162 D C05200/wpa_supplicant: p2p0: Remove radio work 'p2p-listen'@0x7fa6656c20 (started)
行 8239: 12-10 23:58:25.127 4161 4162 D C05200/wpa_supplicant: P2P: p2p-listen is still pending - remove it
行 8240: 12-10 23:58:25.127 4161 4162 D C05200/wpa_supplicant: p2p0: Remove radio work 'p2p-listen'@0x7fa6656c20 (started)
行 8241: 12-10 23:58:25.264 0 0 I C00000/HiLog: ========Slow reader missed log lines: 6
行 8258: 12-10 23:58:25.131 4161 4162 D C05200/wpa_supplicant: P2P: p2p-listen is still pending - remove it
行 8261: 12-10 23:58:25.131 4161 4162 D C05200/wpa_supplicant: p2p0: Remove radio work 'p2p-listen'@0x7fa6656c20 (started)
行 8266: 12-10 23:58:25.131 4161 4162 D C05200/wpa_supplicant: P2P: p2p-listen is still pending - remove it
行 8269: 12-10 23:58:25.131 4161 4162 D C05200/wpa_supplicant: p2p0: Remove radio work 'p2p-listen'@0x7fa6656c20 (started)
行 8272: 12-10 23:58:25.131 4161 4162 D C05200/wpa_supplicant: P2P: p2p-listen is still pending - remove it
行 8274: 12-10 23:58:25.131 4161 4162 D C05200/wpa_supplicant: p2p0: Remove radio work 'p2p-listen'@0x7fa6656c20 (started)
行 8276: 12-10 23:58:25.131 4161 4162 D C05200/wpa_supplicant: P2P: p2p-listen is still pending - remove it
行 8277: 12-10 23:58:25.131 4161 4162 D C05200/wpa_supplicant: p2p0: Remove radio work 'p2p-listen'@0x7fa6656c20 (started)
行 8281: 12-10 23:58:25.131 4161 4162 D C05200/wpa_supplicant: P2P: p2p-listen is still pending - remove it
行 8282: 12-10 23:58:25.269 0 0 I C00000/HiLog: ========Slow reader missed log lines: 180
行 8283: 12-10 23:58:25.135 4161 4162 D C05200/wpa_supplicant: p2p0: Remove radio work 'p2p-listen'@0x7fa6656c20 (started)
行 8287: 12-10 23:58:25.135 4161 4162 D C05200/wpa_supplicant: P2P: p2p-listen is still pending - remove it
行 8289: 12-10 23:58:25.135 4161 4162 D C05200/wpa_supplicant: p2p0: Remove radio work 'p2p-listen'@0x7fa6656c20 (started)
行 8291: 12-10 23:58:25.135 4161 4162 D C05200/wpa_supplicant: P2P: p2p-listen is still pending - remove it
行 8292: 12-10 23:58:25.135 4161 4162 D C05200/wpa_supplicant: p2p0: Remove radio work 'p2p-listen'@0x7fa6656c20 (started)
行 8294: 12-10 23:58:25.136 4161 4162 D C05200/wpa_supplicant: P2P: p2p-listen is still pending - remove it
行 8295: 12-10 23:58:25.136 4161 4162 D C05200/wpa_supplicant: p2p0: Remove radio work 'p2p-listen'@0x7fa6656c20 (started)
行 8297: 12-10 23:58:25.136 4161 4162 D C05200/wpa_supplicant: P2P: p2p-listen is still pending - remove it
行 8298: 12-10 23:58:25.136 4161 4162 D C05200/wpa_supplicant: p2p0: Remove radio work 'p2p-listen'@0x7fa6656c20 (started)
行 8300: 12-10 23:58:25.136 4161 4162 D C05200/wpa_supplicant: P2P: p2p-listen is still pending - remove it
行 8301: 12-10 23:58:25.136 4161 4162 D C05200/wpa_supplicant: p2p0: Remove radio work 'p2p-listen'@0x7fa6656c20 (started)
行 8304: 12-10 23:58:25.136 4161 4162 D C05200/wpa_supplicant: P2P: p2p-listen is still pending - remove it
行 8306: 12-10 23:58:25.136 4161 4162 D C05200/wpa_supplicant: p2p0: Remove radio work 'p2p-listen'@0x7fa6656c20 (started)
行 8310: 12-10 23:58:25.136 4161 4162 D C05200/wpa_supplicant: P2P: p2p-listen is still pending - remove it
行 8312: 12-10 23:58:25.136 4161 4162 D C05200/wpa_supplicant: p2p0: Remove radio work 'p2p-listen'@0x7fa6656c20 (started)
行 8316: 12-10 23:58:25.136 4161 4162 D C05200/wpa_supplicant: P2P: p2p-listen is still pending - remove it
行 8317: 12-10 23:58:25.136 4161 4162 D C05200/wpa_supplicant: p2p0: Remove radio work 'p2p-listen'@0x7fa6656c20 (started)
行 8320: 12-10 23:58:25.136 4161 4162 D C05200/wpa_supplicant: P2P: p2p-listen is still pending - remove it
// omitted, everything after this is the same two lines repeated
C05200/wpa_supplicant: p2p0: Remove radio work 'p2p-listen'@0x7fa6656c20 (started)
C05200/wpa_supplicant: P2P: p2p-listen is still pending - remove it
Static code analysis:
Conclusion: freeing a "p2p-listen" radio work that has already been started (started == 1) leads to infinite recursion!
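As an added illustration (not code from this page or from wpa_supplicant), the C model below reproduces the re-entrancy pattern the trace shows: the deinit callback of a started 'p2p-listen' work calls back into the removal path while the work is still registered, so the remover finds it again. The types, field names and the guard are simplified stand-ins assumed for illustration; run_removal(false, ...) recurses until a simulated stack limit, while run_removal(true, ...) detaches the work before re-entering and stops after one nested call.

```c
#include <stdbool.h>
#include <string.h>
#define STACK_LIMIT 64 /* stands in for the thread stack running out */
struct p2p_ctx;
struct radio_work {                  /* hypothetical, stripped-down radio work */
    const char *type; bool started; struct p2p_ctx *ctx;
    void (*cb)(struct radio_work *w, int deinit);
};
struct p2p_ctx {                     /* hypothetical per-interface state */
    struct radio_work *listen_work;  /* the one pending 'p2p-listen' work */
    bool guard, overflowed;          /* hardened variant on; STACK_LIMIT hit */
    int calls;                       /* nested radio_remove_works calls */
};
static void radio_remove_works(struct p2p_ctx *p, const char *type);

/* Stand-in for wpas_stop_listen: it removes any pending 'p2p-listen' work. */
static void stop_listen(struct p2p_ctx *p) { radio_remove_works(p, "p2p-listen"); }

/* Stand-in for wpas_start_listen_cb called with deinit=1 on a started work. */
static void start_listen_cb(struct radio_work *w, int deinit)
{
    struct p2p_ctx *p = w->ctx;
    if (!deinit || !w->started) return;
    if (p->guard) {            /* hardened: detach before re-entering stop path */
        p->listen_work = NULL;
        w->started = false;
    }
    stop_listen(p);
}

/* Stand-in for radio_remove_works: the callback runs with the work still registered. */
static void radio_remove_works(struct p2p_ctx *p, const char *type)
{
    struct radio_work *w = p->listen_work;
    if (++p->calls >= STACK_LIMIT) { p->overflowed = true; return; }
    if (w && strcmp(w->type, type) == 0) {
        w->cb(w, 1);           /* may re-enter this function */
        p->listen_work = NULL; /* detached only after the callback returns */
    }
}

/* Removes one started 'p2p-listen' work; returns nested removal calls, reports exhaustion. */
int run_removal(bool guarded, bool *overflowed)
{
    struct p2p_ctx p = { .guard = guarded };
    struct radio_work w = { "p2p-listen", true, &p, start_listen_cb };
    p.listen_work = &w;
    radio_remove_works(&p, "p2p-listen");
    *overflowed = p.overflowed;
    return p.calls;
}
```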

Proposed fix:
