* [PATCH BlueZ 1/2] policy: Fix not removing timers
From: Luiz Augusto von Dentz @ 2015-01-30 13:04 UTC (permalink / raw)
To: linux-bluetooth
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
If a service becomes unavailable, due to e.g. the device being removed,
all the related timers should be removed as well, otherwise it may cause
crashes such as the following:
Invalid read of size 8
at 0x4A6597: btd_device_get_service (device.c:5335)
by 0x40F49F: policy_connect_ct (policy.c:112)
by 0x4E7F552: ??? (in /usr/lib64/libglib-2.0.so.0.4200.1)
by 0x4E7EAEA: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.4200.1)
by 0x4E7EE87: ??? (in /usr/lib64/libglib-2.0.so.0.4200.1)
by 0x4E7F1B1: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.4200.1)
by 0x40BACF: main (main.c:631)
Address 0x73b9ba8 is 360 bytes inside a block of size 592 free'd
at 0x4C2ACE9: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x4E847FE: g_free (in /usr/lib64/libglib-2.0.so.0.4200.1)
by 0x49C83F: device_free (device.c:624)
by 0x4BDB29: remove_interface (object.c:658)
by 0x4BE701: g_dbus_unregister_interface (object.c:1382)
by 0x4A49DC: btd_device_unref (device.c:5173)
by 0x41DC46: avdtp_free (avdtp.c:1138)
by 0x41EE09: connection_lost (avdtp.c:1164)
by 0x422EA5: session_cb (avdtp.c:2263)
by 0x4E7EAEA: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.4200.1)
by 0x4E7EE87: ??? (in /usr/lib64/libglib-2.0.so.0.4200.1)
by 0x4E7F1B1: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.4200.1)
---
plugins/policy.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/plugins/policy.c b/plugins/policy.c
index 6fb0729..0aaf45f 100644
--- a/plugins/policy.c
+++ b/plugins/policy.c
@@ -214,6 +214,11 @@ static void sink_cb(struct btd_service *service, btd_service_state_t old_state,
switch (new_state) {
case BTD_SERVICE_STATE_UNAVAILABLE:
+ if (data->sink_timer > 0) {
+ g_source_remove(data->sink_timer);
+ data->sink_timer = 0;
+ }
+ break;
case BTD_SERVICE_STATE_DISCONNECTED:
if (old_state == BTD_SERVICE_STATE_CONNECTING) {
int err = btd_service_get_error(service);
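Review bot: the new `break;` after the timer removal is a control-flow change, not only a cleanup: before this hunk the `BTD_SERVICE_STATE_UNAVAILABLE` case fell through into the `BTD_SERVICE_STATE_DISCONNECTED` branch (the `old_state == BTD_SERVICE_STATE_CONNECTING` / `btd_service_get_error(service)` path), and with the `break;` that path is no longer reached for a service that is going away. That looks intended, since nothing should be scheduled against a service that is about to be freed, but the commit message only talks about removing timers; a sentence saying that UNAVAILABLE is now handled on its own would make the behaviour change explicit for anyone bisecting later. The same four-line `if (data->sink_timer > 0) { g_source_remove(...); ... = 0; }` block also appears in the other three callbacks in this file; a small helper taking a `guint *` would keep the sites from drifting apart.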
@@ -324,6 +329,11 @@ static void source_cb(struct btd_service *service,
switch (new_state) {
case BTD_SERVICE_STATE_UNAVAILABLE:
+ if (data->source_timer > 0) {
+ g_source_remove(data->source_timer);
+ data->source_timer = 0;
+ }
+ break;
case BTD_SERVICE_STATE_DISCONNECTED:
if (old_state == BTD_SERVICE_STATE_CONNECTING) {
int err = btd_service_get_error(service);
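Review bot: the added `break;` ends the fall-through from `BTD_SERVICE_STATE_UNAVAILABLE` into the `BTD_SERVICE_STATE_DISCONNECTED` branch, so the `old_state == BTD_SERVICE_STATE_CONNECTING` handling right below it is no longer executed when the source service is being removed; this is a behaviour change beyond the timer cleanup and deserves a mention in the commit message. The removal block is identical to the one in `sink_cb` apart from the field name, which is another argument for a shared helper.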
@@ -382,6 +392,11 @@ static void controller_cb(struct btd_service *service,
switch (new_state) {
case BTD_SERVICE_STATE_UNAVAILABLE:
+ if (data->ct_timer > 0) {
+ g_source_remove(data->ct_timer);
+ data->ct_timer = 0;
+ }
+ break;
case BTD_SERVICE_STATE_DISCONNECTED:
break;
case BTD_SERVICE_STATE_CONNECTING:
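Review bot: in `controller_cb` the `BTD_SERVICE_STATE_DISCONNECTED` case is an empty `break;`, so the added `break;` here changes nothing beyond the timer removal itself; fine as is. The `> 0` guard is the right test, since GLib source ids are never 0, which is why resetting `data->ct_timer` to 0 after `g_source_remove()` is what makes the guard reliable; any other place that lets the timeout callback return `FALSE` must reset the field the same way or the id becomes stale.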
@@ -410,6 +425,12 @@ static void target_cb(struct btd_service *service,
switch (new_state) {
case BTD_SERVICE_STATE_UNAVAILABLE:
+ if (data->tg_timer > 0) {
+ g_source_remove(data->tg_timer);
+ data->tg_timer = 0;
+ }
+
+ break;
case BTD_SERVICE_STATE_DISCONNECTED:
break;
case BTD_SERVICE_STATE_CONNECTING:
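Review bot: the blank line between the closing `}` and `break;` in the `target_cb` UNAVAILABLE case is inconsistent with the other three callbacks changed in this patch, which put `break;` directly after the block; drop the blank line so the four sites read the same.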
@@ -419,6 +440,7 @@ static void target_cb(struct btd_service *service,
g_source_remove(data->tg_timer);
data->tg_timer = 0;
}
+
break;
case BTD_SERVICE_STATE_DISCONNECTING:
break;
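Review bot: this hunk adds only a blank line before `break;` in the CONNECTING case of `target_cb`, a whitespace-only change with no relation to the fix described in the commit message; either drop it or move it to a separate cleanup patch so the diffstat reflects the functional change only. The existing code just above it (`g_source_remove(data->tg_timer); data->tg_timer = 0;`) already shows the established pattern the new UNAVAILABLE block mirrors.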
--
2.1.0
* [PATCH BlueZ 2/2] core: Fix crash on device removal
From: Luiz Augusto von Dentz @ 2015-01-30 13:04 UTC (permalink / raw)
To: linux-bluetooth
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
The following crash happens when attempting to remove a device while it
is connecting; this will turn all services to unavailable without first
setting them to disconnected, causing the backtrace:
Invalid read of size 8
at 0x495BF8: btd_service_connect (service.c:200)
by 0x49D942: connect_next.isra.7 (device.c:1283)
by 0x4A2B82: device_profile_connected (device.c:1328)
by 0x4A2B82: service_state_changed (device.c:5325)
by 0x4957A9: change_state (service.c:108)
by 0x495AF4: service_remove (service.c:173)
by 0x4A4BD9: device_remove (device.c:3207)
by 0x48AAC1: btd_adapter_remove_device (adapter.c:1135)
by 0x48B536: remove_device (adapter.c:2270)
by 0x4BF4CB: process_message.isra.3 (object.c:259)
by 0x4BFD12: generic_message (object.c:1070)
by 0x518C5CE: ??? (in /usr/lib64/libdbus-1.so.3.8.10)
by 0x517E193: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.8.10)
Address 0x7a22e60 is 16 bytes inside a block of size 40 free'd
at 0x4C2ACE9: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x4E847FE: g_free (in /usr/lib64/libglib-2.0.so.0.4200.1)
by 0x495988: btd_service_unref (service.c:130)
by 0x495B26: service_remove (service.c:177)
by 0x4A4BD9: device_remove (device.c:3207)
by 0x48AAC1: btd_adapter_remove_device (adapter.c:1135)
by 0x48B536: remove_device (adapter.c:2270)
by 0x4BF4CB: process_message.isra.3 (object.c:259)
by 0x4BFD12: generic_message (object.c:1070)
by 0x518C5CE: ??? (in /usr/lib64/libdbus-1.so.3.8.10)
by 0x517E193: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.8.10)
by 0x4BA45F: message_dispatch (mainloop.c:72)
---
src/service.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/service.c b/src/service.c
index b66b1c9..8c85cd1 100644
--- a/src/service.c
+++ b/src/service.c
@@ -170,6 +170,7 @@ int service_probe(struct btd_service *service)
void service_remove(struct btd_service *service)
{
+ change_state(service, BTD_SERVICE_STATE_DISCONNECTED, -ECONNABORTED);
change_state(service, BTD_SERVICE_STATE_UNAVAILABLE, 0);
service->profile->device_remove(service);
service->device = NULL;
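Review bot: `change_state()` is now invoked twice for every service on removal, and the first call passes `-ECONNABORTED` to every service regardless of whether it was ever connecting, so the state-change callbacks will see a DISCONNECTED transition with an error even for services that were already disconnected; confirm that `change_state()` treats a DISCONNECTED to DISCONNECTED transition as a no-op (or that its callers tolerate the repeated notification). The backtrace shows the freed service being reached through `service_state_changed` -> `device_profile_connected` -> `connect_next`, so the intent is evidently that reporting the error first makes the connect sequence stop rather than advance to the next service; a short comment above the new line stating that the DISCONNECTED transition must precede UNAVAILABLE for exactly this reason would keep someone from "simplifying" it away. Any callback that reacts to a CONNECTING to DISCONNECTED error by arming a retry timer must also cancel it on the following UNAVAILABLE transition, which is what patch 1/2 does for plugins/policy.c; this patch depends on that ordering.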
--
2.1.0
* Re: [PATCH BlueZ 1/2] policy: Fix not removing timers
From: Johan Hedberg @ 2015-02-02 6:44 UTC (permalink / raw)
To: Luiz Augusto von Dentz; +Cc: linux-bluetooth
Hi Luiz,
On Fri, Jan 30, 2015, Luiz Augusto von Dentz wrote:
> If a service becomes unavailable, due to e.g. the device being removed,
> all the related timers should be removed as well, otherwise it may cause
> crashes such as the following:
>
> Invalid read of size 8
> at 0x4A6597: btd_device_get_service (device.c:5335)
> by 0x40F49F: policy_connect_ct (policy.c:112)
> by 0x4E7F552: ??? (in /usr/lib64/libglib-2.0.so.0.4200.1)
> by 0x4E7EAEA: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.4200.1)
> by 0x4E7EE87: ??? (in /usr/lib64/libglib-2.0.so.0.4200.1)
> by 0x4E7F1B1: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.4200.1)
> by 0x40BACF: main (main.c:631)
> Address 0x73b9ba8 is 360 bytes inside a block of size 592 free'd
> at 0x4C2ACE9: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
> by 0x4E847FE: g_free (in /usr/lib64/libglib-2.0.so.0.4200.1)
> by 0x49C83F: device_free (device.c:624)
> by 0x4BDB29: remove_interface (object.c:658)
> by 0x4BE701: g_dbus_unregister_interface (object.c:1382)
> by 0x4A49DC: btd_device_unref (device.c:5173)
> by 0x41DC46: avdtp_free (avdtp.c:1138)
> by 0x41EE09: connection_lost (avdtp.c:1164)
> by 0x422EA5: session_cb (avdtp.c:2263)
> by 0x4E7EAEA: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.4200.1)
> by 0x4E7EE87: ??? (in /usr/lib64/libglib-2.0.so.0.4200.1)
> by 0x4E7F1B1: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.4200.1)
> ---
> plugins/policy.c | 22 ++++++++++++++++++++++
> 1 file changed, 22 insertions(+)
Both of these two patches have been applied. Thanks.
Johan