[PATCH BlueZ] gatt-database: remove database from dbs list when destroyed

[PATCH BlueZ] gatt-database: remove database from dbs list when destroyed

[Pauli Virtanen]

btd_gatt_database_new() adds btd_gatt_database to the dbs lookup queue,
but nothing removes it from there even when destroying.

Fix by removing databases from the lookup queue before destroy.

Fixes crash on adapter removal in some cases:

ERROR: AddressSanitizer: heap-use-after-free on address 0x7bd476be1308
READ of size 8 at 0x7bd476be1308 thread T0
    #0 0x00000064562a in match_db
    #1 0x000000865410 in queue_find
    #2 0x000000645671 in btd_gatt_database_get
0x7bd476be1308 is located 8 bytes inside of 128-byte region [0x7bd476be1300,0x7bd476be>
freed by thread T0 here:
    #0 0x7f1478cee4cf in free.part.0
    #1 0x000000621625 in gatt_database_free
    #2 0x000000645582 in btd_gatt_database_destroy
---
 src/gatt-database.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/gatt-database.c b/src/gatt-database.c
index 5819c2529..39e6a2593 100644
--- a/src/gatt-database.c
+++ b/src/gatt-database.c
@@ -4147,6 +4147,8 @@ void btd_gatt_database_destroy(struct btd_gatt_database *database)
 					adapter_get_path(database->adapter),
 					GATT_MANAGER_IFACE);
 
+	queue_remove(dbs, database);
+
 	gatt_database_free(database);
 }
 
-- 
2.53.0

RE: [BlueZ] gatt-database: remove database from dbs list when destroyed

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 1304 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1080317

---Test result---

Test Summary:
CheckPatch                    PENDING   0.37 seconds
GitLint                       PENDING   0.36 seconds
BuildEll                      PASS      20.22 seconds
BluezMake                     PASS      643.90 seconds
MakeCheck                     PASS      18.19 seconds
MakeDistcheck                 PASS      244.06 seconds
CheckValgrind                 PASS      293.20 seconds
CheckSmatch                   PASS      347.57 seconds
bluezmakeextell               PASS      181.61 seconds
IncrementalBuild              PENDING   0.35 seconds
ScanBuild                     PASS      1014.90 seconds

Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:

##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:

##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:



https://github.com/bluez/bluez/pull/2029

---
Regards,
Linux Bluetooth

Re: [PATCH BlueZ] gatt-database: remove database from dbs list when destroyed

[patchwork-bot+bluetooth]

Hello:

This patch was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Sun, 12 Apr 2026 14:11:30 +0300 you wrote:
> btd_gatt_database_new() adds btd_gatt_database to the dbs lookup queue,
> but nothing removes it from there even when destroying.
> 
> Fix by removing databases from the lookup queue before destroy.
> 
> Fixes crash on adapter removal in some cases:
> 
> [...]

Here is the summary with links:
  - [BlueZ] gatt-database: remove database from dbs list when destroyed
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=1ab128f6d749

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html