Linux bluetooth development
* [PATCH] core: Fix crash due to agent callback freeing the agent
From: Szymon Janc @ 2013-12-09 19:20 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: Szymon Janc

Similar fix was provided for simple_agent_reply in a2f5d438 but missed
pincode_reply case.

Fix following:

src/agent.c:agent_disconnect() Agent :1.48 disconnected
src/agent.c:set_default_agent() Default agent cleared
src/agent.c:agent_destroy() agent :1.48
src/agent.c:agent_unref() 0x4701c68: ref=1
Agent /org/bluez/agent replied with an error:
    org.freedesktop.DBus.Error.NoReply, Message did not receive a reply
    (timeout by message bus)
src/adapter.c:btd_adapter_pincode_reply() hci0 addr 6C:0E:0D:DB:D1:16
    pinlen 0
src/agent.c:agent_unref() 0x4701c68: ref=0
src/adapter.c:btd_adapter_pincode_reply() hci0 addr 6C:0E:0D:DB:D1:16
    pinlen 0
src/agent.c:agent_unref() 0x4701c68: ref=-1
src/adapter.c:btd_adapter_pincode_reply() hci0 addr 6C:0E:0D:DB:D1:16
    pinlen 0
src/agent.c:agent_unref() 0x4701c68: ref=-2
...
---
 src/agent.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/agent.c b/src/agent.c
index bcba969..4c63cb9 100644
--- a/src/agent.c
+++ b/src/agent.c
@@ -426,6 +426,9 @@ static void pincode_reply(DBusPendingCall *call, void *user_data)
 	 * is only called after a reply has been received */
 	message = dbus_pending_call_steal_reply(call);
 
+	/* Protect from the callback freeing the agent */
+	agent_ref(agent);
+
 	dbus_error_init(&err);
 	if (dbus_set_error_from_message(&err, message)) {
 		error("Agent %s replied with an error: %s, %s",
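Review bot: the agent_ref(agent) taken after dbus_pending_call_steal_reply() is only balanced if every path out of pincode_reply reaches the agent_unref(agent) at done:. The lines between this hunk and done: are not shown, so check that no early return skips it; otherwise the agent leaks one reference on that path. The comment would also be more useful if it named which callback can drop the last reference.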
@@ -465,6 +468,7 @@ done:
 	dbus_pending_call_cancel(req->call);
 	agent->request = NULL;
 	agent_request_free(req, TRUE);
+	agent_unref(agent);
 }
 
 static int pincode_request_new(struct agent_request *req, const char *device_path,
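Review bot: after done:, dbus_pending_call_cancel(req->call) and agent->request = NULL run after the callback that may have torn the agent down. The extra reference keeps agent itself valid, but req is not covered by it, so confirm the teardown path cannot free or replace agent->request before these lines. Keeping agent_unref(agent) as the last statement is right, since it may be the call that frees agent. The log in the commit message shows agent_unref() counting past ref=0 to -1 and -2, so a check in agent_unref() that rejects ref <= 0 would make any remaining path like this fail at the first bad unref.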
-- 
1.8.5.1



* Re: [PATCH] core: Fix crash due to agent callback freeing the agent
From: Bastien Nocera @ 2013-12-10  0:08 UTC (permalink / raw)
  To: Szymon Janc; +Cc: linux-bluetooth

On Mon, 2013-12-09 at 20:20 +0100, Szymon Janc wrote:
> Similar fix was provided for simple_agent_reply in a2f5d438 but missed
> pincode_reply case.

That fixes the bug I reported in:
http://thread.gmane.org/gmane.linux.bluez.kernel/41496

Cheers



* Re: [PATCH] core: Fix crash due to agent callback freeing the agent
From: Bastien Nocera @ 2013-12-10  0:10 UTC (permalink / raw)
  To: Szymon Janc; +Cc: linux-bluetooth

On Tue, 2013-12-10 at 01:08 +0100, Bastien Nocera wrote:
> On Mon, 2013-12-09 at 20:20 +0100, Szymon Janc wrote:
> > Similar fix was provided for simple_agent_reply in a2f5d438 but missed
> > pincode_reply case.
> 
> That fixes the bug I reported in:
> http://thread.gmane.org/gmane.linux.bluez.kernel/41496

Though I'd still add an assertion in all the unref() calls you can find
in the bluez tree.



* Re: [PATCH] core: Fix crash due to agent callback freeing the agent
From: Johan Hedberg @ 2013-12-10  5:22 UTC (permalink / raw)
  To: Szymon Janc; +Cc: linux-bluetooth

Hi Szymon,

On Mon, Dec 09, 2013, Szymon Janc wrote:
> Similar fix was provided for simple_agent_reply in a2f5d438 but missed
> pincode_reply case.
> 
> Fix following:
> 
> src/agent.c:agent_disconnect() Agent :1.48 disconnected
> src/agent.c:set_default_agent() Default agent cleared
> src/agent.c:agent_destroy() agent :1.48
> src/agent.c:agent_unref() 0x4701c68: ref=1
> Agent /org/bluez/agent replied with an error:
>     org.freedesktop.DBus.Error.NoReply, Message did not receive a reply
>     (timeout by message bus)
> src/adapter.c:btd_adapter_pincode_reply() hci0 addr 6C:0E:0D:DB:D1:16
>     pinlen 0
> src/agent.c:agent_unref() 0x4701c68: ref=0
> src/adapter.c:btd_adapter_pincode_reply() hci0 addr 6C:0E:0D:DB:D1:16
>     pinlen 0
> src/agent.c:agent_unref() 0x4701c68: ref=-1
> src/adapter.c:btd_adapter_pincode_reply() hci0 addr 6C:0E:0D:DB:D1:16
>     pinlen 0
> src/agent.c:agent_unref() 0x4701c68: ref=-2
> ...
> ---
>  src/agent.c | 4 ++++
>  1 file changed, 4 insertions(+)

Applied. Thanks.

Johan
