* [PATCH BlueZ v3 1/2] avdtp: fix incorrect transaction label in setconf phase
@ 2024-01-03 14:39 Xiao Yao
2024-01-03 14:39 ` [PATCH BlueZ v3 2/2] avdtp: Remove unused transaction parameter Xiao Yao
` (2 more replies)
0 siblings, 3 replies; 7+ messages in thread
From: Xiao Yao @ 2024-01-03 14:39 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Xiao Yao
From: Xiao Yao <xiaoyao@rock-chips.com>
BLUETOOTH SPECIFICATION Page 61 of 140
Audio/Video Distribution Transport Protocol Specification (V13)
8.4.6 Message integrity verification at receiver side
- The receiver of an AVDTP signaling message shall not interpret corrupted
messages. Those messages are discarded and no signaling message is returned
to the sender if no error code is applicable. Possible corrupted messages
are:
* Response messages where the transaction label cannot match a previous
command sent to the remote device
Consider the following scenario:
btmon log:
... ...
AVDTP: Discover (0x01) Command (0x00) type 0x00 label 5 nosp 0
AVDTP: Discover (0x01) Response Accept (0x02) type 0x00 label 5 nosp 0
AVDTP: Get All Capabilities (0x0c) Command (0x00) type 0x00 label 6 nosp 0
AVDTP: Get All Capabilities (0x0c) Resp Accept (0x02) type 0 label 6 nosp 0
AVDTP: Get All Capabilities (0x0c) Command (0x00) type 0x00 label 7 nosp 0
AVDTP: Get All Capabilities (0x0c) Resp Accept (0x02) type 0 label 7 nosp 0
< AVDTP: Set Configuration (0x03) Command (0x00) type 0x00 label 8 nosp 0
//Currently, a 'set configuration' message has been received from the
//sender, which contains a transaction label valued at 8. This message
//was then relayed to A2DP backend(PulseAudio/PipeWire) using the dbus
//interface.
set_configuration()(media.c)
dbus_message_new_method_call(..., "SetConfiguration", ...);
g_dbus_send_message_with_reply(btd_get_dbus_connection(), ...);
dbus_pending_call_set_notify(request->call, endpoint_reply, ...);
...
> AVDTP: Discover (0x01) Command (0x00) type 0x00 label 0 nosp 0
//At this time, the A2DP reverse discovery issued an A2DP discover command.
< AVDTP: Discover (0x01) Response Accept (0x02) type 0x00 label 0 nosp 0
//After receiving the discover reply, the session->in.transaction is
//changed to 0
> AVDTP: Set Configuration (0x03) Resp Accept (0x02) type 0 label 0 nosp 0
//The audio backend reply the dbus message
endpoint_reply (media.c)
setconf_cb (avdtp.c)
//Here avdtp_send sends an incorrect transaction value, causing
//the sender to discard the message. (The correct transaction
//value is 8)
avdtp_send(session, session->in.transaction, AVDTP_MSG_TYPE_ACCEPT,
AVDTP_SET_CONFIGURATION, NULL, 0)
AVDTP: Delay Report (0x0d) Command (0x00) type 0x00 label 1 nosp 0
AVDTP: Delay Report (0x0d) Response Accept (0x02) type 0x00 label 1 nosp 0
AVDTP: Get All Capabilities (0x0c) Command (0x00) type 0x00 label 2 nosp 0
AVDTP: Get All Capabilities (0x0c) Resp Accept (0x02) type 0 label 2 nosp 0
... ...
Therefore, a async_transaction that requires asynchronous return is
recorded to prevent it from being incorrectly modified.
Signed-off-by: Xiao Yao <xiaoyao@rock-chips.com>
---
v1 -> v2: Fixed "session->in.transaction" logic err.
v2 -> v3: Fixed some compile warnings
---
profiles/audio/avdtp.c | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/profiles/audio/avdtp.c b/profiles/audio/avdtp.c
index 10ef380d4..386c7f67c 100644
--- a/profiles/audio/avdtp.c
+++ b/profiles/audio/avdtp.c
@@ -286,6 +286,7 @@ struct in_buf {
gboolean active;
int no_of_packets;
uint8_t transaction;
+ uint8_t async_transaction;
uint8_t message_type;
uint8_t signal_id;
uint8_t buf[1024];
@@ -1462,15 +1463,16 @@ static void setconf_cb(struct avdtp *session, struct avdtp_stream *stream,
if (err != NULL) {
rej.error = AVDTP_UNSUPPORTED_CONFIGURATION;
rej.category = err->err.error_code;
- avdtp_send(session, session->in.transaction,
- AVDTP_MSG_TYPE_REJECT, AVDTP_SET_CONFIGURATION,
- &rej, sizeof(rej));
+ avdtp_send(session, session->in.async_transaction,
+ AVDTP_MSG_TYPE_REJECT, AVDTP_SET_CONFIGURATION,
+ &rej, sizeof(rej));
stream_free(stream);
return;
}
- if (!avdtp_send(session, session->in.transaction, AVDTP_MSG_TYPE_ACCEPT,
- AVDTP_SET_CONFIGURATION, NULL, 0)) {
+ if (!avdtp_send(session, session->in.async_transaction,
+ AVDTP_MSG_TYPE_ACCEPT,
+ AVDTP_SET_CONFIGURATION, NULL, 0)) {
stream_free(stream);
return;
}
@@ -1569,6 +1571,13 @@ static gboolean avdtp_setconf_cmd(struct avdtp *session, uint8_t transaction,
session->version = 0x0103;
if (sep->ind && sep->ind->set_configuration) {
+ /* The setconfig configuration stage is asynchronous;
+ * high CPU load or other factors can delay dbus message
+ * responses, potentially altering the transaction value.
+ * It's essential to record the received transaction value
+ * for use in the final accept command.
+ */
+ session->in.async_transaction = transaction;
if (!sep->ind->set_configuration(session, sep, stream,
stream->caps,
setconf_cb,
base-commit: 7ad5669402c9acff8e4cc808edc12a41df36654e
--
2.34.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH BlueZ v3 2/2] avdtp: Remove unused transaction parameter
2024-01-03 14:39 [PATCH BlueZ v3 1/2] avdtp: fix incorrect transaction label in setconf phase Xiao Yao
@ 2024-01-03 14:39 ` Xiao Yao
2024-01-03 15:38 ` [PATCH BlueZ v3 1/2] avdtp: fix incorrect transaction label in setconf phase Luiz Augusto von Dentz
2024-01-03 16:20 ` [BlueZ,v3,1/2] " bluez.test.bot
2 siblings, 0 replies; 7+ messages in thread
From: Xiao Yao @ 2024-01-03 14:39 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Xiao Yao
This removes unused "transaction" param from avdtp_parse_resq/rej.
Signed-off-by: Xiao Yao <xiaokeqinhealth@126.com>
---
profiles/audio/avdtp.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/profiles/audio/avdtp.c b/profiles/audio/avdtp.c
index 386c7f67c..fb49ad45a 100644
--- a/profiles/audio/avdtp.c
+++ b/profiles/audio/avdtp.c
@@ -419,11 +419,11 @@ static int send_request(struct avdtp *session, gboolean priority,
void *buffer, size_t size);
static gboolean avdtp_parse_resp(struct avdtp *session,
struct avdtp_stream *stream,
- uint8_t transaction, uint8_t signal_id,
+ uint8_t signal_id,
void *buf, int size);
static gboolean avdtp_parse_rej(struct avdtp *session,
struct avdtp_stream *stream,
- uint8_t transaction, uint8_t signal_id,
+ uint8_t signal_id,
void *buf, int size);
static int process_queue(struct avdtp *session);
static void avdtp_sep_set_state(struct avdtp *session,
@@ -2293,7 +2293,6 @@ static gboolean session_cb(GIOChannel *chan, GIOCondition cond,
switch (header->message_type) {
case AVDTP_MSG_TYPE_ACCEPT:
if (!avdtp_parse_resp(session, session->req->stream,
- session->in.transaction,
session->in.signal_id,
session->in.buf,
session->in.data_size)) {
@@ -2303,7 +2302,6 @@ static gboolean session_cb(GIOChannel *chan, GIOCondition cond,
break;
case AVDTP_MSG_TYPE_REJECT:
if (!avdtp_parse_rej(session, session->req->stream,
- session->in.transaction,
session->in.signal_id,
session->in.buf,
session->in.data_size)) {
@@ -2941,7 +2939,7 @@ static gboolean avdtp_delay_report_resp(struct avdtp *session,
static gboolean avdtp_parse_resp(struct avdtp *session,
struct avdtp_stream *stream,
- uint8_t transaction, uint8_t signal_id,
+ uint8_t signal_id,
void *buf, int size)
{
struct pending_req *next;
@@ -3055,7 +3053,7 @@ static gboolean stream_rej_to_err(struct stream_rej *rej, unsigned int size,
static gboolean avdtp_parse_rej(struct avdtp *session,
struct avdtp_stream *stream,
- uint8_t transaction, uint8_t signal_id,
+ uint8_t signal_id,
void *buf, int size)
{
struct avdtp_error err;
--
2.34.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH BlueZ v3 1/2] avdtp: fix incorrect transaction label in setconf phase
2024-01-03 14:39 [PATCH BlueZ v3 1/2] avdtp: fix incorrect transaction label in setconf phase Xiao Yao
2024-01-03 14:39 ` [PATCH BlueZ v3 2/2] avdtp: Remove unused transaction parameter Xiao Yao
@ 2024-01-03 15:38 ` Luiz Augusto von Dentz
2024-01-03 15:40 ` Luiz Augusto von Dentz
2024-01-03 18:41 ` Yao Xiao
2024-01-03 16:20 ` [BlueZ,v3,1/2] " bluez.test.bot
2 siblings, 2 replies; 7+ messages in thread
From: Luiz Augusto von Dentz @ 2024-01-03 15:38 UTC (permalink / raw)
To: Xiao Yao; +Cc: linux-bluetooth, Xiao Yao
Hi,
On Wed, Jan 3, 2024 at 9:40 AM Xiao Yao <xiaokeqinhealth@126.com> wrote:
>
> From: Xiao Yao <xiaoyao@rock-chips.com>
>
> BLUETOOTH SPECIFICATION Page 61 of 140
> Audio/Video Distribution Transport Protocol Specification (V13)
> 8.4.6 Message integrity verification at receiver side
>
> - The receiver of an AVDTP signaling message shall not interpret corrupted
> messages. Those messages are discarded and no signaling message is returned
> to the sender if no error code is applicable. Possible corrupted messages
> are:
>
> * Response messages where the transaction label cannot match a previous
> command sent to the remote device
>
> Consider the following scenario:
> btmon log:
> ... ...
> AVDTP: Discover (0x01) Command (0x00) type 0x00 label 5 nosp 0
> AVDTP: Discover (0x01) Response Accept (0x02) type 0x00 label 5 nosp 0
> AVDTP: Get All Capabilities (0x0c) Command (0x00) type 0x00 label 6 nosp 0
> AVDTP: Get All Capabilities (0x0c) Resp Accept (0x02) type 0 label 6 nosp 0
> AVDTP: Get All Capabilities (0x0c) Command (0x00) type 0x00 label 7 nosp 0
> AVDTP: Get All Capabilities (0x0c) Resp Accept (0x02) type 0 label 7 nosp 0
>
> < AVDTP: Set Configuration (0x03) Command (0x00) type 0x00 label 8 nosp 0
> //Currently, a 'set configuration' message has been received from the
> //sender, which contains a transaction label valued at 8. This message
> //was then relayed to A2DP backend(PulseAudio/PipeWire) using the dbus
> //interface.
> set_configuration()(media.c)
> dbus_message_new_method_call(..., "SetConfiguration", ...);
> g_dbus_send_message_with_reply(btd_get_dbus_connection(), ...);
> dbus_pending_call_set_notify(request->call, endpoint_reply, ...);
> ...
>
> > AVDTP: Discover (0x01) Command (0x00) type 0x00 label 0 nosp 0
> //At this time, the A2DP reverse discovery issued an A2DP discover command.
> < AVDTP: Discover (0x01) Response Accept (0x02) type 0x00 label 0 nosp 0
> //After receiving the discover reply, the session->in.transaction is
> //changed to 0
>
> > AVDTP: Set Configuration (0x03) Resp Accept (0x02) type 0 label 0 nosp 0
> //The audio backend reply the dbus message
> endpoint_reply (media.c)
> setconf_cb (avdtp.c)
> //Here avdtp_send sends an incorrect transaction value, causing
> //the sender to discard the message. (The correct transaction
> //value is 8)
> avdtp_send(session, session->in.transaction, AVDTP_MSG_TYPE_ACCEPT,
> AVDTP_SET_CONFIGURATION, NULL, 0)
>
> AVDTP: Delay Report (0x0d) Command (0x00) type 0x00 label 1 nosp 0
> AVDTP: Delay Report (0x0d) Response Accept (0x02) type 0x00 label 1 nosp 0
> AVDTP: Get All Capabilities (0x0c) Command (0x00) type 0x00 label 2 nosp 0
> AVDTP: Get All Capabilities (0x0c) Resp Accept (0x02) type 0 label 2 nosp 0
> ... ...
>
> Therefore, a async_transaction that requires asynchronous return is
> recorded to prevent it from being incorrectly modified.
>
> Signed-off-by: Xiao Yao <xiaoyao@rock-chips.com>
> ---
> v1 -> v2: Fixed "session->in.transaction" logic err.
> v2 -> v3: Fixed some compile warnings
> ---
> profiles/audio/avdtp.c | 19 ++++++++++++++-----
> 1 file changed, 14 insertions(+), 5 deletions(-)
>
> diff --git a/profiles/audio/avdtp.c b/profiles/audio/avdtp.c
> index 10ef380d4..386c7f67c 100644
> --- a/profiles/audio/avdtp.c
> +++ b/profiles/audio/avdtp.c
> @@ -286,6 +286,7 @@ struct in_buf {
> gboolean active;
> int no_of_packets;
> uint8_t transaction;
> + uint8_t async_transaction;
Didn't I already explain it already that we are not supposed to have 2
outstanding transactions?
> uint8_t message_type;
> uint8_t signal_id;
> uint8_t buf[1024];
> @@ -1462,15 +1463,16 @@ static void setconf_cb(struct avdtp *session, struct avdtp_stream *stream,
> if (err != NULL) {
> rej.error = AVDTP_UNSUPPORTED_CONFIGURATION;
> rej.category = err->err.error_code;
> - avdtp_send(session, session->in.transaction,
> - AVDTP_MSG_TYPE_REJECT, AVDTP_SET_CONFIGURATION,
> - &rej, sizeof(rej));
> + avdtp_send(session, session->in.async_transaction,
> + AVDTP_MSG_TYPE_REJECT, AVDTP_SET_CONFIGURATION,
> + &rej, sizeof(rej));
> stream_free(stream);
> return;
> }
>
> - if (!avdtp_send(session, session->in.transaction, AVDTP_MSG_TYPE_ACCEPT,
> - AVDTP_SET_CONFIGURATION, NULL, 0)) {
> + if (!avdtp_send(session, session->in.async_transaction,
> + AVDTP_MSG_TYPE_ACCEPT,
> + AVDTP_SET_CONFIGURATION, NULL, 0)) {
> stream_free(stream);
> return;
> }
> @@ -1569,6 +1571,13 @@ static gboolean avdtp_setconf_cmd(struct avdtp *session, uint8_t transaction,
> session->version = 0x0103;
>
> if (sep->ind && sep->ind->set_configuration) {
> + /* The setconfig configuration stage is asynchronous;
> + * high CPU load or other factors can delay dbus message
> + * responses, potentially altering the transaction value.
> + * It's essential to record the received transaction value
> + * for use in the final accept command.
> + */
> + session->in.async_transaction = transaction;
> if (!sep->ind->set_configuration(session, sep, stream,
> stream->caps,
> setconf_cb,
>
> base-commit: 7ad5669402c9acff8e4cc808edc12a41df36654e
> --
> 2.34.1
>
>
--
Luiz Augusto von Dentz
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH BlueZ v3 1/2] avdtp: fix incorrect transaction label in setconf phase
2024-01-03 15:38 ` [PATCH BlueZ v3 1/2] avdtp: fix incorrect transaction label in setconf phase Luiz Augusto von Dentz
@ 2024-01-03 15:40 ` Luiz Augusto von Dentz
2024-01-03 18:41 ` Yao Xiao
1 sibling, 0 replies; 7+ messages in thread
From: Luiz Augusto von Dentz @ 2024-01-03 15:40 UTC (permalink / raw)
To: Xiao Yao; +Cc: linux-bluetooth, Xiao Yao
Hi,
On Wed, Jan 3, 2024 at 10:38 AM Luiz Augusto von Dentz
<luiz.dentz@gmail.com> wrote:
>
> Hi,
>
> On Wed, Jan 3, 2024 at 9:40 AM Xiao Yao <xiaokeqinhealth@126.com> wrote:
> >
> > From: Xiao Yao <xiaoyao@rock-chips.com>
> >
> > BLUETOOTH SPECIFICATION Page 61 of 140
> > Audio/Video Distribution Transport Protocol Specification (V13)
> > 8.4.6 Message integrity verification at receiver side
> >
> > - The receiver of an AVDTP signaling message shall not interpret corrupted
> > messages. Those messages are discarded and no signaling message is returned
> > to the sender if no error code is applicable. Possible corrupted messages
> > are:
> >
> > * Response messages where the transaction label cannot match a previous
> > command sent to the remote device
> >
> > Consider the following scenario:
> > btmon log:
> > ... ...
> > AVDTP: Discover (0x01) Command (0x00) type 0x00 label 5 nosp 0
> > AVDTP: Discover (0x01) Response Accept (0x02) type 0x00 label 5 nosp 0
> > AVDTP: Get All Capabilities (0x0c) Command (0x00) type 0x00 label 6 nosp 0
> > AVDTP: Get All Capabilities (0x0c) Resp Accept (0x02) type 0 label 6 nosp 0
> > AVDTP: Get All Capabilities (0x0c) Command (0x00) type 0x00 label 7 nosp 0
> > AVDTP: Get All Capabilities (0x0c) Resp Accept (0x02) type 0 label 7 nosp 0
> >
> > < AVDTP: Set Configuration (0x03) Command (0x00) type 0x00 label 8 nosp 0
> > //Currently, a 'set configuration' message has been received from the
> > //sender, which contains a transaction label valued at 8. This message
> > //was then relayed to A2DP backend(PulseAudio/PipeWire) using the dbus
> > //interface.
> > set_configuration()(media.c)
> > dbus_message_new_method_call(..., "SetConfiguration", ...);
> > g_dbus_send_message_with_reply(btd_get_dbus_connection(), ...);
> > dbus_pending_call_set_notify(request->call, endpoint_reply, ...);
> > ...
> >
> > > AVDTP: Discover (0x01) Command (0x00) type 0x00 label 0 nosp 0
> > //At this time, the A2DP reverse discovery issued an A2DP discover command.
> > < AVDTP: Discover (0x01) Response Accept (0x02) type 0x00 label 0 nosp 0
> > //After receiving the discover reply, the session->in.transaction is
> > //changed to 0
> >
> > > AVDTP: Set Configuration (0x03) Resp Accept (0x02) type 0 label 0 nosp 0
> > //The audio backend reply the dbus message
> > endpoint_reply (media.c)
> > setconf_cb (avdtp.c)
> > //Here avdtp_send sends an incorrect transaction value, causing
> > //the sender to discard the message. (The correct transaction
> > //value is 8)
> > avdtp_send(session, session->in.transaction, AVDTP_MSG_TYPE_ACCEPT,
> > AVDTP_SET_CONFIGURATION, NULL, 0)
> >
> > AVDTP: Delay Report (0x0d) Command (0x00) type 0x00 label 1 nosp 0
> > AVDTP: Delay Report (0x0d) Response Accept (0x02) type 0x00 label 1 nosp 0
> > AVDTP: Get All Capabilities (0x0c) Command (0x00) type 0x00 label 2 nosp 0
> > AVDTP: Get All Capabilities (0x0c) Resp Accept (0x02) type 0 label 2 nosp 0
> > ... ...
> >
> > Therefore, a async_transaction that requires asynchronous return is
> > recorded to prevent it from being incorrectly modified.
Btw, we can probably come up with a test for this on unit/test-avdtp
to ensure we cover it.
> >
> > Signed-off-by: Xiao Yao <xiaoyao@rock-chips.com>
> > ---
> > v1 -> v2: Fixed "session->in.transaction" logic err.
> > v2 -> v3: Fixed some compile warnings
> > ---
> > profiles/audio/avdtp.c | 19 ++++++++++++++-----
> > 1 file changed, 14 insertions(+), 5 deletions(-)
> >
> > diff --git a/profiles/audio/avdtp.c b/profiles/audio/avdtp.c
> > index 10ef380d4..386c7f67c 100644
> > --- a/profiles/audio/avdtp.c
> > +++ b/profiles/audio/avdtp.c
> > @@ -286,6 +286,7 @@ struct in_buf {
> > gboolean active;
> > int no_of_packets;
> > uint8_t transaction;
> > + uint8_t async_transaction;
>
> Didn't I already explain it already that we are not supposed to have 2
> outstanding transactions?
>
> > uint8_t message_type;
> > uint8_t signal_id;
> > uint8_t buf[1024];
> > @@ -1462,15 +1463,16 @@ static void setconf_cb(struct avdtp *session, struct avdtp_stream *stream,
> > if (err != NULL) {
> > rej.error = AVDTP_UNSUPPORTED_CONFIGURATION;
> > rej.category = err->err.error_code;
> > - avdtp_send(session, session->in.transaction,
> > - AVDTP_MSG_TYPE_REJECT, AVDTP_SET_CONFIGURATION,
> > - &rej, sizeof(rej));
> > + avdtp_send(session, session->in.async_transaction,
> > + AVDTP_MSG_TYPE_REJECT, AVDTP_SET_CONFIGURATION,
> > + &rej, sizeof(rej));
> > stream_free(stream);
> > return;
> > }
> >
> > - if (!avdtp_send(session, session->in.transaction, AVDTP_MSG_TYPE_ACCEPT,
> > - AVDTP_SET_CONFIGURATION, NULL, 0)) {
> > + if (!avdtp_send(session, session->in.async_transaction,
> > + AVDTP_MSG_TYPE_ACCEPT,
> > + AVDTP_SET_CONFIGURATION, NULL, 0)) {
> > stream_free(stream);
> > return;
> > }
> > @@ -1569,6 +1571,13 @@ static gboolean avdtp_setconf_cmd(struct avdtp *session, uint8_t transaction,
> > session->version = 0x0103;
> >
> > if (sep->ind && sep->ind->set_configuration) {
> > + /* The setconfig configuration stage is asynchronous;
> > + * high CPU load or other factors can delay dbus message
> > + * responses, potentially altering the transaction value.
> > + * It's essential to record the received transaction value
> > + * for use in the final accept command.
> > + */
> > + session->in.async_transaction = transaction;
> > if (!sep->ind->set_configuration(session, sep, stream,
> > stream->caps,
> > setconf_cb,
> >
> > base-commit: 7ad5669402c9acff8e4cc808edc12a41df36654e
> > --
> > 2.34.1
> >
> >
>
>
> --
> Luiz Augusto von Dentz
--
Luiz Augusto von Dentz
^ permalink raw reply [flat|nested] 7+ messages in thread
* RE: [BlueZ,v3,1/2] avdtp: fix incorrect transaction label in setconf phase
2024-01-03 14:39 [PATCH BlueZ v3 1/2] avdtp: fix incorrect transaction label in setconf phase Xiao Yao
2024-01-03 14:39 ` [PATCH BlueZ v3 2/2] avdtp: Remove unused transaction parameter Xiao Yao
2024-01-03 15:38 ` [PATCH BlueZ v3 1/2] avdtp: fix incorrect transaction label in setconf phase Luiz Augusto von Dentz
@ 2024-01-03 16:20 ` bluez.test.bot
2 siblings, 0 replies; 7+ messages in thread
From: bluez.test.bot @ 2024-01-03 16:20 UTC (permalink / raw)
To: linux-bluetooth, xiaokeqinhealth
[-- Attachment #1: Type: text/plain, Size: 1522 bytes --]
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=814123
---Test result---
Test Summary:
CheckPatch PASS 0.89 seconds
GitLint PASS 0.61 seconds
BuildEll PASS 24.34 seconds
BluezMake PASS 756.61 seconds
MakeCheck PASS 11.85 seconds
MakeDistcheck PASS 164.66 seconds
CheckValgrind PASS 225.23 seconds
CheckSmatch PASS 335.03 seconds
bluezmakeextell PASS 109.42 seconds
IncrementalBuild PASS 1397.88 seconds
ScanBuild WARNING 979.52 seconds
Details
##############################
Test: ScanBuild - WARNING
Desc: Run Scan Build
Output:
profiles/audio/avdtp.c:896:25: warning: Use of memory after it is freed
session->prio_queue = g_slist_remove(session->prio_queue, req);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
profiles/audio/avdtp.c:903:24: warning: Use of memory after it is freed
session->req_queue = g_slist_remove(session->req_queue, req);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2 warnings generated.
---
Regards,
Linux Bluetooth
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH BlueZ v3 1/2] avdtp: fix incorrect transaction label in setconf phase
2024-01-03 15:38 ` [PATCH BlueZ v3 1/2] avdtp: fix incorrect transaction label in setconf phase Luiz Augusto von Dentz
2024-01-03 15:40 ` Luiz Augusto von Dentz
@ 2024-01-03 18:41 ` Yao Xiao
2024-01-03 18:49 ` Luiz Augusto von Dentz
1 sibling, 1 reply; 7+ messages in thread
From: Yao Xiao @ 2024-01-03 18:41 UTC (permalink / raw)
To: Luiz Augusto von Dentz; +Cc: linux-bluetooth, Xiao Yao
Hi,
On 2024/1/3 23:38, Luiz Augusto von Dentz wrote:
> Hi,
>
> On Wed, Jan 3, 2024 at 9:40 AM Xiao Yao <xiaokeqinhealth@126.com> wrote:
>> From: Xiao Yao <xiaoyao@rock-chips.com>
>>
>> BLUETOOTH SPECIFICATION Page 61 of 140
>> Audio/Video Distribution Transport Protocol Specification (V13)
>> 8.4.6 Message integrity verification at receiver side
>>
>> - The receiver of an AVDTP signaling message shall not interpret corrupted
>> messages. Those messages are discarded and no signaling message is returned
>> to the sender if no error code is applicable. Possible corrupted messages
>> are:
>>
>> * Response messages where the transaction label cannot match a previous
>> command sent to the remote device
>>
>> Consider the following scenario:
>> btmon log:
>> ... ...
>> AVDTP: Discover (0x01) Command (0x00) type 0x00 label 5 nosp 0
>> AVDTP: Discover (0x01) Response Accept (0x02) type 0x00 label 5 nosp 0
>> AVDTP: Get All Capabilities (0x0c) Command (0x00) type 0x00 label 6 nosp 0
>> AVDTP: Get All Capabilities (0x0c) Resp Accept (0x02) type 0 label 6 nosp 0
>> AVDTP: Get All Capabilities (0x0c) Command (0x00) type 0x00 label 7 nosp 0
>> AVDTP: Get All Capabilities (0x0c) Resp Accept (0x02) type 0 label 7 nosp 0
>>
>> < AVDTP: Set Configuration (0x03) Command (0x00) type 0x00 label 8 nosp 0
>> //Currently, a 'set configuration' message has been received from the
>> //sender, which contains a transaction label valued at 8. This message
>> //was then relayed to A2DP backend(PulseAudio/PipeWire) using the dbus
>> //interface.
>> set_configuration()(media.c)
>> dbus_message_new_method_call(..., "SetConfiguration", ...);
>> g_dbus_send_message_with_reply(btd_get_dbus_connection(), ...);
>> dbus_pending_call_set_notify(request->call, endpoint_reply, ...);
>> ...
>>
>>> AVDTP: Discover (0x01) Command (0x00) type 0x00 label 0 nosp 0
>> //At this time, the A2DP reverse discovery issued an A2DP discover command.
>> < AVDTP: Discover (0x01) Response Accept (0x02) type 0x00 label 0 nosp 0
>> //After receiving the discover reply, the session->in.transaction is
>> //changed to 0
>>
>>> AVDTP: Set Configuration (0x03) Resp Accept (0x02) type 0 label 0 nosp 0
>> //The audio backend reply the dbus message
>> endpoint_reply (media.c)
>> setconf_cb (avdtp.c)
>> //Here avdtp_send sends an incorrect transaction value, causing
>> //the sender to discard the message. (The correct transaction
>> //value is 8)
>> avdtp_send(session, session->in.transaction, AVDTP_MSG_TYPE_ACCEPT,
>> AVDTP_SET_CONFIGURATION, NULL, 0)
>>
>> AVDTP: Delay Report (0x0d) Command (0x00) type 0x00 label 1 nosp 0
>> AVDTP: Delay Report (0x0d) Response Accept (0x02) type 0x00 label 1 nosp 0
>> AVDTP: Get All Capabilities (0x0c) Command (0x00) type 0x00 label 2 nosp 0
>> AVDTP: Get All Capabilities (0x0c) Resp Accept (0x02) type 0 label 2 nosp 0
>> ... ...
>>
>> Therefore, a async_transaction that requires asynchronous return is
>> recorded to prevent it from being incorrectly modified.
>>
>> Signed-off-by: Xiao Yao <xiaoyao@rock-chips.com>
>> ---
>> v1 -> v2: Fixed "session->in.transaction" logic err.
>> v2 -> v3: Fixed some compile warnings
>> ---
>> profiles/audio/avdtp.c | 19 ++++++++++++++-----
>> 1 file changed, 14 insertions(+), 5 deletions(-)
>>
>> diff --git a/profiles/audio/avdtp.c b/profiles/audio/avdtp.c
>> index 10ef380d4..386c7f67c 100644
>> --- a/profiles/audio/avdtp.c
>> +++ b/profiles/audio/avdtp.c
>> @@ -286,6 +286,7 @@ struct in_buf {
>> gboolean active;
>> int no_of_packets;
>> uint8_t transaction;
>> + uint8_t async_transaction;
> Didn't I already explain it already that we are not supposed to have 2
> outstanding transactions?
Apologies for the misunderstanding earlier. When you mentioned
'outstanding transactions',
were you referring to a complete configuration process, rather than a
single command?
Can I understand it this way: An a2dp discovery command should not be
sent before responding
to the AVDTP_MSG_TYPE_ACCEPT message? Is it only after sending the
AVDTP_MSG_TYPE_ACCEPT
response to the remote device that I can proceed with the a2dp discovery?
>
>> uint8_t message_type;
>> uint8_t signal_id;
>> uint8_t buf[1024];
>> @@ -1462,15 +1463,16 @@ static void setconf_cb(struct avdtp *session, struct avdtp_stream *stream,
>> if (err != NULL) {
>> rej.error = AVDTP_UNSUPPORTED_CONFIGURATION;
>> rej.category = err->err.error_code;
>> - avdtp_send(session, session->in.transaction,
>> - AVDTP_MSG_TYPE_REJECT, AVDTP_SET_CONFIGURATION,
>> - &rej, sizeof(rej));
>> + avdtp_send(session, session->in.async_transaction,
>> + AVDTP_MSG_TYPE_REJECT, AVDTP_SET_CONFIGURATION,
>> + &rej, sizeof(rej));
>> stream_free(stream);
>> return;
>> }
>>
>> - if (!avdtp_send(session, session->in.transaction, AVDTP_MSG_TYPE_ACCEPT,
>> - AVDTP_SET_CONFIGURATION, NULL, 0)) {
>> + if (!avdtp_send(session, session->in.async_transaction,
>> + AVDTP_MSG_TYPE_ACCEPT,
>> + AVDTP_SET_CONFIGURATION, NULL, 0)) {
>> stream_free(stream);
>> return;
>> }
>> @@ -1569,6 +1571,13 @@ static gboolean avdtp_setconf_cmd(struct avdtp *session, uint8_t transaction,
>> session->version = 0x0103;
>>
>> if (sep->ind && sep->ind->set_configuration) {
>> + /* The setconfig configuration stage is asynchronous;
>> + * high CPU load or other factors can delay dbus message
>> + * responses, potentially altering the transaction value.
>> + * It's essential to record the received transaction value
>> + * for use in the final accept command.
>> + */
>> + session->in.async_transaction = transaction;
>> if (!sep->ind->set_configuration(session, sep, stream,
>> stream->caps,
>> setconf_cb,
>>
>> base-commit: 7ad5669402c9acff8e4cc808edc12a41df36654e
>> --
>> 2.34.1
>>
>>
>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH BlueZ v3 1/2] avdtp: fix incorrect transaction label in setconf phase
2024-01-03 18:41 ` Yao Xiao
@ 2024-01-03 18:49 ` Luiz Augusto von Dentz
0 siblings, 0 replies; 7+ messages in thread
From: Luiz Augusto von Dentz @ 2024-01-03 18:49 UTC (permalink / raw)
To: Yao Xiao; +Cc: linux-bluetooth, Xiao Yao
Hi,
On Wed, Jan 3, 2024 at 1:41 PM Yao Xiao <xiaokeqinhealth@126.com> wrote:
>
> Hi,
> On 2024/1/3 23:38, Luiz Augusto von Dentz wrote:
> > Hi,
> >
> > On Wed, Jan 3, 2024 at 9:40 AM Xiao Yao <xiaokeqinhealth@126.com> wrote:
> >> From: Xiao Yao <xiaoyao@rock-chips.com>
> >>
> >> BLUETOOTH SPECIFICATION Page 61 of 140
> >> Audio/Video Distribution Transport Protocol Specification (V13)
> >> 8.4.6 Message integrity verification at receiver side
> >>
> >> - The receiver of an AVDTP signaling message shall not interpret corrupted
> >> messages. Those messages are discarded and no signaling message is returned
> >> to the sender if no error code is applicable. Possible corrupted messages
> >> are:
> >>
> >> * Response messages where the transaction label cannot match a previous
> >> command sent to the remote device
> >>
> >> Consider the following scenario:
> >> btmon log:
> >> ... ...
> >> AVDTP: Discover (0x01) Command (0x00) type 0x00 label 5 nosp 0
> >> AVDTP: Discover (0x01) Response Accept (0x02) type 0x00 label 5 nosp 0
> >> AVDTP: Get All Capabilities (0x0c) Command (0x00) type 0x00 label 6 nosp 0
> >> AVDTP: Get All Capabilities (0x0c) Resp Accept (0x02) type 0 label 6 nosp 0
> >> AVDTP: Get All Capabilities (0x0c) Command (0x00) type 0x00 label 7 nosp 0
> >> AVDTP: Get All Capabilities (0x0c) Resp Accept (0x02) type 0 label 7 nosp 0
> >>
> >> < AVDTP: Set Configuration (0x03) Command (0x00) type 0x00 label 8 nosp 0
> >> //Currently, a 'set configuration' message has been received from the
> >> //sender, which contains a transaction label valued at 8. This message
> >> //was then relayed to A2DP backend(PulseAudio/PipeWire) using the dbus
> >> //interface.
> >> set_configuration()(media.c)
> >> dbus_message_new_method_call(..., "SetConfiguration", ...);
> >> g_dbus_send_message_with_reply(btd_get_dbus_connection(), ...);
> >> dbus_pending_call_set_notify(request->call, endpoint_reply, ...);
> >> ...
> >>
> >>> AVDTP: Discover (0x01) Command (0x00) type 0x00 label 0 nosp 0
> >> //At this time, the A2DP reverse discovery issued an A2DP discover command.
> >> < AVDTP: Discover (0x01) Response Accept (0x02) type 0x00 label 0 nosp 0
> >> //After receiving the discover reply, the session->in.transaction is
> >> //changed to 0
> >>
> >>> AVDTP: Set Configuration (0x03) Resp Accept (0x02) type 0 label 0 nosp 0
> >> //The audio backend reply the dbus message
> >> endpoint_reply (media.c)
> >> setconf_cb (avdtp.c)
> >> //Here avdtp_send sends an incorrect transaction value, causing
> >> //the sender to discard the message. (The correct transaction
> >> //value is 8)
> >> avdtp_send(session, session->in.transaction, AVDTP_MSG_TYPE_ACCEPT,
> >> AVDTP_SET_CONFIGURATION, NULL, 0)
> >>
> >> AVDTP: Delay Report (0x0d) Command (0x00) type 0x00 label 1 nosp 0
> >> AVDTP: Delay Report (0x0d) Response Accept (0x02) type 0x00 label 1 nosp 0
> >> AVDTP: Get All Capabilities (0x0c) Command (0x00) type 0x00 label 2 nosp 0
> >> AVDTP: Get All Capabilities (0x0c) Resp Accept (0x02) type 0 label 2 nosp 0
> >> ... ...
> >>
> >> Therefore, a async_transaction that requires asynchronous return is
> >> recorded to prevent it from being incorrectly modified.
> >>
> >> Signed-off-by: Xiao Yao <xiaoyao@rock-chips.com>
> >> ---
> >> v1 -> v2: Fixed "session->in.transaction" logic err.
> >> v2 -> v3: Fixed some compile warnings
> >> ---
> >> profiles/audio/avdtp.c | 19 ++++++++++++++-----
> >> 1 file changed, 14 insertions(+), 5 deletions(-)
> >>
> >> diff --git a/profiles/audio/avdtp.c b/profiles/audio/avdtp.c
> >> index 10ef380d4..386c7f67c 100644
> >> --- a/profiles/audio/avdtp.c
> >> +++ b/profiles/audio/avdtp.c
> >> @@ -286,6 +286,7 @@ struct in_buf {
> >> gboolean active;
> >> int no_of_packets;
> >> uint8_t transaction;
> >> + uint8_t async_transaction;
> > Didn't I already explain it already that we are not supposed to have 2
> > outstanding transactions?
> Apologies for the misunderstanding earlier. When you mentioned
> 'outstanding transactions',
> were you referring to a complete configuration process, rather than a
> single command?
> Can I understand it this way: An a2dp discovery command should not be
> sent before responding
> to the AVDTP_MSG_TYPE_ACCEPT message? Is it only after sending the
> AVDTP_MSG_TYPE_ACCEPT
> response to the remote device that I can proceed with the a2dp discovery?
You can have a single outstanding transaction in each direction, but
not 2 like in.transaction + in.async_transaction since that means we
received a second request while 1 is still outstanding.
> >
> >> uint8_t message_type;
> >> uint8_t signal_id;
> >> uint8_t buf[1024];
> >> @@ -1462,15 +1463,16 @@ static void setconf_cb(struct avdtp *session, struct avdtp_stream *stream,
> >> if (err != NULL) {
> >> rej.error = AVDTP_UNSUPPORTED_CONFIGURATION;
> >> rej.category = err->err.error_code;
> >> - avdtp_send(session, session->in.transaction,
> >> - AVDTP_MSG_TYPE_REJECT, AVDTP_SET_CONFIGURATION,
> >> - &rej, sizeof(rej));
> >> + avdtp_send(session, session->in.async_transaction,
> >> + AVDTP_MSG_TYPE_REJECT, AVDTP_SET_CONFIGURATION,
> >> + &rej, sizeof(rej));
> >> stream_free(stream);
> >> return;
> >> }
> >>
> >> - if (!avdtp_send(session, session->in.transaction, AVDTP_MSG_TYPE_ACCEPT,
> >> - AVDTP_SET_CONFIGURATION, NULL, 0)) {
> >> + if (!avdtp_send(session, session->in.async_transaction,
> >> + AVDTP_MSG_TYPE_ACCEPT,
> >> + AVDTP_SET_CONFIGURATION, NULL, 0)) {
> >> stream_free(stream);
> >> return;
> >> }
> >> @@ -1569,6 +1571,13 @@ static gboolean avdtp_setconf_cmd(struct avdtp *session, uint8_t transaction,
> >> session->version = 0x0103;
> >>
> >> if (sep->ind && sep->ind->set_configuration) {
> >> + /* The setconfig configuration stage is asynchronous;
> >> + * high CPU load or other factors can delay dbus message
> >> + * responses, potentially altering the transaction value.
> >> + * It's essential to record the received transaction value
> >> + * for use in the final accept command.
> >> + */
> >> + session->in.async_transaction = transaction;
> >> if (!sep->ind->set_configuration(session, sep, stream,
> >> stream->caps,
> >> setconf_cb,
> >>
> >> base-commit: 7ad5669402c9acff8e4cc808edc12a41df36654e
> >> --
> >> 2.34.1
> >>
> >>
> >
>
--
Luiz Augusto von Dentz
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2024-01-03 18:49 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-01-03 14:39 [PATCH BlueZ v3 1/2] avdtp: fix incorrect transaction label in setconf phase Xiao Yao
2024-01-03 14:39 ` [PATCH BlueZ v3 2/2] avdtp: Remove unused transaction parameter Xiao Yao
2024-01-03 15:38 ` [PATCH BlueZ v3 1/2] avdtp: fix incorrect transaction label in setconf phase Luiz Augusto von Dentz
2024-01-03 15:40 ` Luiz Augusto von Dentz
2024-01-03 18:41 ` Yao Xiao
2024-01-03 18:49 ` Luiz Augusto von Dentz
2024-01-03 16:20 ` [BlueZ,v3,1/2] " bluez.test.bot
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).