* [PATCH BlueZ v1 1/2] bthost: Fix crash on bthost_past_set_info
@ 2025-10-30 17:01 Luiz Augusto von Dentz
2025-10-30 17:01 ` [PATCH BlueZ v1 2/2] btdev: Fix crash on BIG cleanup Luiz Augusto von Dentz
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Luiz Augusto von Dentz @ 2025-10-30 17:01 UTC (permalink / raw)
To: linux-bluetooth
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
This fixes the following crash:
Invalid read of size 1
at 0x401DEFE: send_command (bthost.c:1101)
by 0x4021F01: bthost_past_set_info (bthost.c:3758)
by 0x4006038: test_listen_past (iso-tester.c:3246)
by 0x494984A: ??? (in /usr/lib64/libglib-2.0.so.0.8400.4)
by 0x4943862: ??? (in /usr/lib64/libglib-2.0.so.0.8400.4)
by 0x494C7A7: ??? (in /usr/lib64/libglib-2.0.so.0.8400.4)
by 0x494CA4E: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.8400.4)
by 0x402CC4D: mainloop_run (mainloop-glib.c:65)
by 0x402D224: mainloop_run_with_signal (mainloop-notify.c:196)
by 0x402C445: tester_run (tester.c:1084)
by 0x4005609: main (iso-tester.c:4335)
Address 0x40 is not stack'd, malloc'd or (recently) free'd
---
emulator/bthost.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/emulator/bthost.c b/emulator/bthost.c
index 79d8305d78cf..faabbaa36a4a 100644
--- a/emulator/bthost.c
+++ b/emulator/bthost.c
@@ -3751,6 +3751,9 @@ void bthost_past_set_info(struct bthost *bthost, uint16_t handle)
{
struct bt_hci_cmd_le_past_set_info cp;
+ if (!bthost)
+ return;
+
memset(&cp, 0, sizeof(cp));
cp.handle = cpu_to_le16(handle);
cp.adv_handle = 0x01;
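Review bot: the new `if (!bthost) return;` at the top of bthost_past_set_info turns a NULL argument into a silent no-op, which is consistent with the reported read at address 0x40 inside send_command (a small offset from a NULL pointer), but it leaves the real question unanswered: why does test_listen_past (iso-tester.c:3246) reach this function with a NULL bthost? The commit message only shows the valgrind trace, so please add a sentence on the cause (for example which test path runs before the host object exists), and check whether neighbouring bthost_* entry points that also go straight to send_command need the same guard so the test does not simply crash in the next call.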
--
2.51.0
^ permalink raw reply related [flat|nested] 4+ messages in thread* [PATCH BlueZ v1 2/2] btdev: Fix crash on BIG cleanup 2025-10-30 17:01 [PATCH BlueZ v1 1/2] bthost: Fix crash on bthost_past_set_info Luiz Augusto von Dentz @ 2025-10-30 17:01 ` Luiz Augusto von Dentz 2025-10-30 18:24 ` [BlueZ,v1,1/2] bthost: Fix crash on bthost_past_set_info bluez.test.bot 2025-10-30 22:30 ` [PATCH BlueZ v1 1/2] " patchwork-bot+bluetooth 2 siblings, 0 replies; 4+ messages in thread From: Luiz Augusto von Dentz @ 2025-10-30 17:01 UTC (permalink / raw) To: linux-bluetooth From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> This fixes the following crash: Invalid read of size 8 at 0x400F26F: le_big_free (btdev.c:606) by 0x4024636: queue_remove_all (queue.c:341) by 0x40246C2: queue_destroy (queue.c:60) by 0x401B7C9: btdev_destroy (btdev.c:7820) by 0x400CFBF: hciemu_client_destroy (hciemu.c:301) by 0x4024636: queue_remove_all (queue.c:341) by 0x40246C2: queue_destroy (queue.c:60) by 0x400DA91: hciemu_unref (hciemu.c:441) by 0x40072F2: test_post_teardown (iso-tester.c:701) by 0x402BB0A: tester_teardown_complete (tester.c:713) by 0x402BB41: default_teardown (tester.c:266) by 0x402B43B: teardown_callback (tester.c:434) --- emulator/btdev.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/emulator/btdev.c b/emulator/btdev.c index 8c72a24290c6..c53db7040d39 100644 --- a/emulator/btdev.c +++ b/emulator/btdev.c @@ -6863,7 +6863,7 @@ static int cmd_term_big_complete(struct btdev *dev, const void *data, { const struct bt_hci_cmd_le_term_big *cmd = data; struct bt_hci_evt_le_big_terminate rsp; - struct le_big *big; + struct le_big *big, *rbig; struct btdev_conn *conn; struct btdev *remote = NULL; @@ -6875,7 +6875,6 @@ static int cmd_term_big_complete(struct btdev *dev, const void *data, big = queue_find(dev->le_big, match_big_handle, UINT_TO_PTR(cmd->handle)); - if (!big) return 0; 
@@ -6892,14 +6891,17 @@ static int cmd_term_big_complete(struct btdev *dev, const void *data, remote = conn->link->dev; - big = queue_find(remote->le_big, match_bis, conn->link); - if (big) { + rbig = queue_find(remote->le_big, match_bis, + conn->link); + if (rbig) { memset(&evt, 0, sizeof(evt)); - evt.big_handle = big->handle; + evt.big_handle = rbig->handle; evt.reason = cmd->reason; le_meta_event(remote, BT_HCI_EVT_LE_BIG_SYNC_LOST, &evt, sizeof(evt)); + queue_remove(remote->le_big, rbig); + le_big_free(rbig); } } -- 2.51.0 ^ permalink raw reply related [flat|nested] 4+ messages in thread
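Review bot: the second hunk (@@ -6875) only deletes the blank line between the multi-line queue_find() call and `if (!big) return 0;`, an unrelated whitespace change in a crash fix; drop it from this patch or move it to a separate cleanup so the diff stays focused on the BIG cleanup.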
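Review bot: in the third hunk (@@ -6892), `queue_remove(remote->le_big, rbig); le_big_free(rbig);` now destroys the remote's BIG entry when the sync-lost event is emitted instead of leaving it for queue_destroy() in btdev_destroy, which is the path in the reported trace; the commit message should say what that entry still referenced after termination that made le_big_free (btdev.c:606) read freed memory, since the trace alone does not explain it. Introducing `rbig` also stops the remote lookup from overwriting the local `big` found in dev->le_big, so any code after the loop that uses `big` now sees the local BIG again; if nothing does, say in the message that the rename is tidy-up and the remove/free pair is the actual fix. One more check: le_big_free is used as a queue destroy callback at btdev.c:606 in the trace, so calling it directly on rbig is fine as long as it does not assume the entry is still linked in the queue.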
* RE: [BlueZ,v1,1/2] bthost: Fix crash on bthost_past_set_info
From: bluez.test.bot @ 2025-10-30 18:24 UTC
To: linux-bluetooth, luiz.dentz
This is an automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results with your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1017827
---Test result---
Test Summary:
CheckPatch PENDING 0.34 seconds
GitLint PENDING 0.43 seconds
BuildEll PASS 20.06 seconds
BluezMake PASS 2601.24 seconds
MakeCheck PASS 20.41 seconds
MakeDistcheck PASS 186.43 seconds
CheckValgrind PASS 238.88 seconds
CheckSmatch WARNING 309.74 seconds
bluezmakeextell PASS 129.07 seconds
IncrementalBuild PENDING 0.42 seconds
ScanBuild PASS 911.10 seconds
Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:
##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:
##############################
Test: CheckSmatch - WARNING
Desc: Run smatch tool with source
Output:
emulator/bthost.c:699:28: warning: Variable length array is used.
emulator/bthost.c:700:32: warning: Variable length array is used.
emulator/bthost.c:917:28: warning: Variable length array is used.
emulator/bthost.c:951:28: warning: Variable length array is used.
emulator/bthost.c:952:32: warning: Variable length array is used.
emulator/btdev.c:459:29: warning: Variable length array is used.
##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:
---
Regards,
Linux Bluetooth
* Re: [PATCH BlueZ v1 1/2] bthost: Fix crash on bthost_past_set_info
From: patchwork-bot+bluetooth @ 2025-10-30 22:30 UTC
To: Luiz Augusto von Dentz; +Cc: linux-bluetooth
Hello:
This series was applied to bluetooth/bluez.git (master) by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Thu, 30 Oct 2025 13:01:25 -0400 you wrote:
> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
>
> This fixes the following crash:
>
> Invalid read of size 1
> at 0x401DEFE: send_command (bthost.c:1101)
> by 0x4021F01: bthost_past_set_info (bthost.c:3758)
> by 0x4006038: test_listen_past (iso-tester.c:3246)
> by 0x494984A: ??? (in /usr/lib64/libglib-2.0.so.0.8400.4)
> by 0x4943862: ??? (in /usr/lib64/libglib-2.0.so.0.8400.4)
> by 0x494C7A7: ??? (in /usr/lib64/libglib-2.0.so.0.8400.4)
> by 0x494CA4E: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.8400.4)
> by 0x402CC4D: mainloop_run (mainloop-glib.c:65)
> by 0x402D224: mainloop_run_with_signal (mainloop-notify.c:196)
> by 0x402C445: tester_run (tester.c:1084)
> by 0x4005609: main (iso-tester.c:4335)
> Address 0x40 is not stack'd, malloc'd or (recently) free'd
>
> [...]
Here is the summary with links:
- [BlueZ,v1,1/2] bthost: Fix crash on bthost_past_set_info
https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=229d411e5a71
- [BlueZ,v1,2/2] btdev: Fix crash on BIG cleanup
https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=bb82243a6c27
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html