* [BlueZ PATCH v2] adapter: Fix a crash caused by lingering discovery client pointer
@ 2020-11-02 22:30 Miao-chen Chou
2020-11-02 23:28 ` Luiz Augusto von Dentz
2020-11-04 19:22 ` [BlueZ,v2] " bluez.test.bot
0 siblings, 2 replies; 3+ messages in thread
From: Miao-chen Chou @ 2020-11-02 22:30 UTC (permalink / raw)
To: Bluetooth Kernel Mailing List
Cc: Alain Michaud, Sonny Sasaka, Luiz Augusto von Dentz,
chromeos-bluetooth-upstreaming, Marcel Holtmann, Miao-chen Chou
This cleans up the lingering pointer, adapter->client, while powering
off the adapter. The crash occurs when a D-Bus client sets the Powered
property to false and immediately calls StopDiscovery() while there is
an ongoing discovery. As a part of powering off the adapter,
adapter->discovery_list gets cleared, and given that adapter->client
refers to one of the clients in adapter->discovery_list, adapter->client
should be cleared along with it.
(1) Connect to a BT audio device from BT system tray.
(2) Once the audio device is connected, power off BT and immediately
power off the audio device.
Reviewed-by: Alain Michaud <alainm@chromium.org>
Reviewed-by: Sonny Sasaka <sonnysasaka@chromium.org>
---
Changes in v2:
- Move the D-Bus method call clean-up to discovery_free()
src/adapter.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/adapter.c b/src/adapter.c
index c0053000a..f02ab799d 100644
--- a/src/adapter.c
+++ b/src/adapter.c
@@ -1496,6 +1496,7 @@ static void discovery_cleanup(struct btd_adapter *adapter, int timeout)
static void discovery_free(void *user_data)
{
struct discovery_client *client = user_data;
+ struct btd_adapter *adapter = client->adapter;
DBG("%p", client);
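Review bot: `adapter` is taken from client->adapter with no check, so the code added later in discovery_free() relies on every discovery_client carrying a valid adapter pointer for its whole lifetime; if any creation path can leave client->adapter unset, the `adapter->client` comparison that follows dereferences NULL. Either confirm that invariant where clients are allocated or guard the comparison with `if (adapter && client == adapter->client)`.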
@@ -1507,8 +1508,14 @@ static void discovery_free(void *user_data)
client->discovery_filter = NULL;
}
- if (client->msg)
+ if (client->msg) {
+ if (client == adapter->client) {
+ g_dbus_send_message(dbus_conn,
+ btd_error_busy(client->msg));
+ adapter->client = NULL;
+ }
dbus_message_unref(client->msg);
+ }
g_free(client->owner);
g_free(client);
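Review bot: the back-pointer reset is nested inside `if (client->msg)`, so `adapter->client` is only cleared when the freed client still holds a pending method call; if a path exists where adapter->client points at this client after client->msg was already released, the dangling pointer this patch targets would survive. Hoisting `if (client == adapter->client) adapter->client = NULL;` above the msg check, while keeping the busy reply inside it, makes the cleanup unconditional. The commit message should also mention that a pending StartDiscovery/StopDiscovery caller now receives a Busy error when the adapter is powered off mid-discovery, since that is a visible change in D-Bus behaviour.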
--
2.26.2
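An added, stand-alone C model of the lifecycle the commit message describes (not BlueZ code): the adapter keeps a back-pointer to the client whose D-Bus reply is deferred, powering off clears discovery_list, and a StopDiscovery right after that would read freed memory unless the free callback clears the back-pointer. The fields msg_pending and busy_replies_sent and the function scenario_power_off_then_stop are constructed stand-ins for client->msg, the btd_error_busy() reply and a test driver.

```c
#include <stdlib.h>
struct adapter;
struct discovery_client {
	struct adapter *adapter;
	int msg_pending;                 /* stands in for client->msg */
	struct discovery_client *next;
};
struct adapter {
	struct discovery_client *discovery_list;
	struct discovery_client *client; /* caller whose reply is still owed */
	int busy_replies_sent;           /* counts btd_error_busy() replies */
};
/* Mirrors discovery_free() after the patch: reply, drop the back-pointer, free. */
static void discovery_free(void *user_data)
{
	struct discovery_client *client = user_data;
	struct adapter *adapter = client->adapter;
	if (client->msg_pending) {
		if (client == adapter->client) {
			adapter->busy_replies_sent++;
			adapter->client = NULL;
		}
		client->msg_pending = 0; /* dbus_message_unref(client->msg) */
	}
	free(client);
}
/* Powering off clears discovery_list, as the commit message describes. */
static void power_off(struct adapter *adapter)
{
	while (adapter->discovery_list) {
		struct discovery_client *c = adapter->discovery_list;
		adapter->discovery_list = c->next;
		discovery_free(c);
	}
}
/* Constructed scenario: StartDiscovery (reply deferred), power off, then
 * StopDiscovery; without the fix a.client would still point at freed memory. */
static int scenario_power_off_then_stop(void)
{
	struct adapter a = { 0 };
	struct discovery_client *c = calloc(1, sizeof(*c));
	c->adapter = &a;
	c->msg_pending = 1;
	a.discovery_list = c;
	a.client = c;                    /* StartDiscovery defers its reply */
	power_off(&a);
	if (a.client)                    /* StopDiscovery looks up the pending caller */
		return 0;
	return a.busy_replies_sent == 1;
}
```

Removing the `adapter->client = NULL` line in discovery_free() makes the scenario return 0, which is the dangling back-pointer the patch fixes.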
* Re: [BlueZ PATCH v2] adapter: Fix a crash caused by lingering discovery client pointer
From: Luiz Augusto von Dentz @ 2020-11-02 23:28 UTC (permalink / raw)
To: Miao-chen Chou
Cc: Bluetooth Kernel Mailing List, Alain Michaud, Sonny Sasaka,
Luiz Augusto von Dentz, ChromeOS Bluetooth Upstreaming,
Marcel Holtmann
Hi Miao,
On Mon, Nov 2, 2020 at 2:36 PM Miao-chen Chou <mcchou@chromium.org> wrote:
>
> This cleans up the lingering pointer, adapter->client, while powering
> off the adapter. The crash occurs when a D-Bus client sets the Powered
> property to false and immediately calls StopDiscovery() while there is
> an ongoing discovery. As a part of powering off the adapter,
> adapter->discovery_list gets cleared, and given that adapter->client
> refers to one of the clients in adapter->discovery_list, adapter->client
> should be cleared along with it.
>
> (1) Connect to a BT audio device from BT system tray.
> (2) Once the audio device is connected, power off BT and immediately
> power off the audio device.
>
> Reviewed-by: Alain Michaud <alainm@chromium.org>
> Reviewed-by: Sonny Sasaka <sonnysasaka@chromium.org>
> ---
>
> Changes in v2:
> - Move the D-Bus method call clean-up to discovery_free()
>
> src/adapter.c | 9 ++++++++-
> 1 file changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/src/adapter.c b/src/adapter.c
> index c0053000a..f02ab799d 100644
> --- a/src/adapter.c
> +++ b/src/adapter.c
> @@ -1496,6 +1496,7 @@ static void discovery_cleanup(struct btd_adapter *adapter, int timeout)
> static void discovery_free(void *user_data)
> {
> struct discovery_client *client = user_data;
> + struct btd_adapter *adapter = client->adapter;
>
> DBG("%p", client);
>
> @@ -1507,8 +1508,14 @@ static void discovery_free(void *user_data)
> client->discovery_filter = NULL;
> }
>
> - if (client->msg)
> + if (client->msg) {
> + if (client == adapter->client) {
> + g_dbus_send_message(dbus_conn,
> + btd_error_busy(client->msg));
> + adapter->client = NULL;
> + }
> dbus_message_unref(client->msg);
> + }
>
> g_free(client->owner);
> g_free(client);
> --
> 2.26.2
Applied, thanks.
--
Luiz Augusto von Dentz
* RE: [BlueZ,v2] adapter: Fix a crash caused by lingering discovery client pointer
From: bluez.test.bot @ 2020-11-04 19:22 UTC (permalink / raw)
To: linux-bluetooth, mcchou
This is an automated email; please do not reply to it!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=375919
---Test result---
##############################
Test: CheckPatch - PASS
##############################
Test: CheckGitLint - PASS
##############################
Test: CheckBuild - PASS
##############################
Test: MakeCheck - PASS
---
Regards,
Linux Bluetooth