From: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
To: linux-bluetooth@vger.kernel.org
Subject: [PATCH BlueZ 2/2] core: Fix crash on device removal
Date: Fri, 30 Jan 2015 15:04:35 +0200
Message-ID: <1422623075-6319-2-git-send-email-luiz.dentz@gmail.com>
In-Reply-To: <1422623075-6319-1-git-send-email-luiz.dentz@gmail.com>
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
The following crash happens when attempting to remove a device while it
is connecting; this will turn all services to unavailable without first
setting them to disconnected, causing the backtrace:
Invalid read of size 8
at 0x495BF8: btd_service_connect (service.c:200)
by 0x49D942: connect_next.isra.7 (device.c:1283)
by 0x4A2B82: device_profile_connected (device.c:1328)
by 0x4A2B82: service_state_changed (device.c:5325)
by 0x4957A9: change_state (service.c:108)
by 0x495AF4: service_remove (service.c:173)
by 0x4A4BD9: device_remove (device.c:3207)
by 0x48AAC1: btd_adapter_remove_device (adapter.c:1135)
by 0x48B536: remove_device (adapter.c:2270)
by 0x4BF4CB: process_message.isra.3 (object.c:259)
by 0x4BFD12: generic_message (object.c:1070)
by 0x518C5CE: ??? (in /usr/lib64/libdbus-1.so.3.8.10)
by 0x517E193: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.8.10)
Address 0x7a22e60 is 16 bytes inside a block of size 40 free'd
at 0x4C2ACE9: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x4E847FE: g_free (in /usr/lib64/libglib-2.0.so.0.4200.1)
by 0x495988: btd_service_unref (service.c:130)
by 0x495B26: service_remove (service.c:177)
by 0x4A4BD9: device_remove (device.c:3207)
by 0x48AAC1: btd_adapter_remove_device (adapter.c:1135)
by 0x48B536: remove_device (adapter.c:2270)
by 0x4BF4CB: process_message.isra.3 (object.c:259)
by 0x4BFD12: generic_message (object.c:1070)
by 0x518C5CE: ??? (in /usr/lib64/libdbus-1.so.3.8.10)
by 0x517E193: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.8.10)
by 0x4BA45F: message_dispatch (mainloop.c:72)
---
src/service.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/service.c b/src/service.c
index b66b1c9..8c85cd1 100644
--- a/src/service.c
+++ b/src/service.c
@@ -170,6 +170,7 @@ int service_probe(struct btd_service *service)
void service_remove(struct btd_service *service)
{
+ change_state(service, BTD_SERVICE_STATE_DISCONNECTED, -ECONNABORTED);
change_state(service, BTD_SERVICE_STATE_UNAVAILABLE, 0);
service->profile->device_remove(service);
service->device = NULL;
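Review bot: The added change_state(service, BTD_SERVICE_STATE_DISCONNECTED, -ECONNABORTED) call at the top of service_remove() is unconditional, so a service that is already disconnected, or was never connected, is also pushed through a DISCONNECTED transition carrying an error code; nothing in this hunk shows whether change_state() ignores a transition to the current state. Consider guarding the call so it only fires for a service that is actually connecting or connected. A one-line comment explaining why DISCONNECTED must be signalled before UNAVAILABLE would also help: the backtrace in the commit message shows the state-change callbacks (service_state_changed -> connect_next -> btd_service_connect) reading a service already freed by btd_service_unref(), and a reader of service_remove() alone cannot tell that the ordering of these two calls is what prevents that.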
--
2.1.0