From 33e1a3d0de11ee7e973d9f4d14f28d6558f5e0c0 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 18 May 2021 02:34:43 -0400
Subject: [PATCH] import bluez-5.52-4.el8
---
 ...att-Fix-possible-crash-on-disconnect.patch | 150 ++++++++++++++++++
 SPECS/bluez.spec | 16 +-
 2 files changed, 165 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/0001-shared-att-Fix-possible-crash-on-disconnect.patch
diff --git a/SOURCES/0001-shared-att-Fix-possible-crash-on-disconnect.patch b/SOURCES/0001-shared-att-Fix-possible-crash-on-disconnect.patch
new file mode 100644
index 0000000..45c0a0e
--- /dev/null
+++ b/SOURCES/0001-shared-att-Fix-possible-crash-on-disconnect.patch
@@ -0,0 +1,150 @@
+From b61877eb3e05b9b9dff36b4eccc46c539634cf15 Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari
+Date: Thu, 22 Oct 2020 11:23:00 +0530
+Subject: [PATCH BlueZ] shared/att: Fix possible crash on disconnect
+
+commit 1cd644db8c23a2f530ddb93cebed7dacc5f5721a
+Author: Luiz Augusto von Dentz
+Date: Wed Jul 15 18:25:37 2020 -0700
+
+ shared/att: Fix possible crash on disconnect
+
+ If there are pending request while disconnecting they would be notified
+ but clients may endup being freed in the proccess which will then be
+ calling bt_att_cancel to cancal its requests causing the following
+ trace:
+
+ Invalid read of size 4
+ at 0x1D894C: enable_ccc_callback (gatt-client.c:1627)
+ by 0x1D247B: disc_att_send_op (att.c:417)
+ by 0x1CCC17: queue_remove_all (queue.c:354)
+ by 0x1D47B7: disconnect_cb (att.c:635)
+ by 0x1E0707: watch_callback (io-glib.c:170)
+ by 0x48E963B: g_main_context_dispatch (in /usr/lib/libglib-2.0.so.0.6400.4)
+ by 0x48E9AC7: ??? (in /usr/lib/libglib-2.0.so.0.6400.4)
+ by 0x48E9ECF: g_main_loop_run (in /usr/lib/libglib-2.0.so.0.6400.4)
+ by 0x1E0E97: mainloop_run (mainloop-glib.c:79)
+ by 0x1E13B3: mainloop_run_with_signal (mainloop-notify.c:201)
+ by 0x12BC3B: main (main.c:770)
+ Address 0x7d40a28 is 24 bytes inside a block of size 32 free'd
+ at 0x484A2E0: free (vg_replace_malloc.c:540)
+ by 0x1CCC17: queue_remove_all (queue.c:354)
+ by 0x1CCC83: queue_destroy (queue.c:73)
+ by 0x1D7DD7: bt_gatt_client_free (gatt-client.c:2209)
+ by 0x16497B: batt_free (battery.c:77)
+ by 0x16497B: batt_remove (battery.c:286)
+ by 0x1A0013: service_remove (service.c:176)
+ by 0x1A9B7B: device_remove_gatt_service (device.c:3691)
+ by 0x1A9B7B: gatt_service_removed (device.c:3805)
+ by 0x1CC90B: queue_foreach (queue.c:220)
+ by 0x1DE27B: notify_service_changed.isra.0.part.0 (gatt-db.c:369)
+ by 0x1DE387: notify_service_changed (gatt-db.c:361)
+ by 0x1DE387: gatt_db_service_destroy (gatt-db.c:385)
+ by 0x1DE3EF: gatt_db_remove_service (gatt-db.c:519)
+ by 0x1D674F: discovery_op_complete (gatt-client.c:388)
+ by 0x1D6877: discover_primary_cb (gatt-client.c:1260)
+ by 0x1E220B: discovery_op_complete (gatt-helpers.c:628)
+ by 0x1E249B: read_by_grp_type_cb (gatt-helpers.c:730)
+ by 0x1D247B: disc_att_send_op (att.c:417)
+ by 0x1CCC17: queue_remove_all (queue.c:354)
+ by 0x1D47B7: disconnect_cb (att.c:635)
+---
+ src/shared/att.c | 46 ++++++++++++++++++++++++++++++++++++++++------
+ 1 file changed, 40 insertions(+), 6 deletions(-)
+
+diff --git a/src/shared/att.c b/src/shared/att.c
+index 0ea6d55bd..b0fdb8e9f 100644
+--- a/src/shared/att.c
++++ b/src/shared/att.c
+@@ -62,6 +62,7 @@ struct bt_att {
+ struct queue *ind_queue; /* Queued ATT protocol indications */
+ struct att_send_op *pending_ind;
+ struct queue *write_queue; /* Queue of PDUs ready to send */
++ bool in_disc; /* Cleanup queues on disconnect_cb */
+ bool writer_active;
+
+ struct queue *notify_list; /* List of registered callbacks */
+@@ -211,8 +212,10 @@ static void destroy_att_send_op(void *data)
+ free(op);
+ }
+
+-static void cancel_att_send_op(struct att_send_op *op)
++static void cancel_att_send_op(void *data)
+ {
++ struct att_send_op *op = data;
++
+ if (op->destroy)
+ op->destroy(op->user_data);
+
+@@ -572,11 +575,6 @@ static bool disconnect_cb(struct io *io, void *user_data)
+ att->io = NULL;
+ att->fd = -1;
+
+- /* Notify request callbacks */
+- queue_remove_all(att->req_queue, NULL, NULL, disc_att_send_op);
+- queue_remove_all(att->ind_queue, NULL, NULL, disc_att_send_op);
+- queue_remove_all(att->write_queue, NULL, NULL, disc_att_send_op);
+-
+ if (att->pending_req) {
+ disc_att_send_op(att->pending_req);
+ att->pending_req = NULL;
+@@ -589,6 +587,15 @@ static bool disconnect_cb(struct io *io, void *user_data)
+
+ bt_att_ref(att);
+
++ att->in_disc = true;
++
+ /* Notify request callbacks */
++ queue_remove_all(att->req_queue, NULL, NULL, disc_att_send_op);
++ queue_remove_all(att->ind_queue, NULL, NULL, disc_att_send_op);
++ queue_remove_all(att->write_queue, NULL, NULL, disc_att_send_op);
++
++ att->in_disc = false;
++
+ queue_foreach(att->disconn_list, disconn_handler, INT_TO_PTR(err));
+
+ bt_att_unregister_all(att);
+@@ -1306,6 +1313,30 @@ static bool match_op_id(const void *a, const void *b)
+ return op->id == id;
+ }
+
++static bool bt_att_disc_cancel(struct bt_att *att, unsigned int id)
++{
++ struct att_send_op *op;
++
++ op = queue_find(att->req_queue, match_op_id, UINT_TO_PTR(id));
++ if (op)
++ goto done;
++
++ op = queue_find(att->ind_queue, match_op_id, UINT_TO_PTR(id));
++ if (op)
++ goto done;
++
++ op = queue_find(att->write_queue, match_op_id, UINT_TO_PTR(id));
++
++done:
++ if (!op)
++ return false;
++
++ /* Just cancel since disconnect_cb will be cleaning up */
++ cancel_att_send_op(op);
++
++ return true;
++}
++
+ bool bt_att_cancel(struct bt_att *att, unsigned int id)
+ {
+ struct att_send_op *op;
+@@ -1325,6 +1356,9 @@ bool bt_att_cancel(struct bt_att *att, unsigned int id)
+ return true;
+ }
+
++ if (att->in_disc)
++ return bt_att_disc_cancel(att, id);
++
+ op = queue_remove_if(att->req_queue, match_op_id, UINT_TO_PTR(id));
+ if (op)
+ goto done;
+--
+2.21.1
+
diff --git a/SPECS/bluez.spec b/SPECS/bluez.spec
index 8a11617..dee1387 100644
--- a/SPECS/bluez.spec
+++ b/SPECS/bluez.spec
@@ -1,7 +1,7 @@
 Name: bluez
 Summary: Bluetooth utilities
 Version: 5.52
-Release: 1%{?dist}
+Release: 4%{?dist}
 License: GPLv2+
 URL: http://www.bluez.org/
@@ -38,6 +38,7 @@ Patch24: 0001-adapter-Don-t-refresh-adv_manager-for-non-LE-devices.patch
 Patch27: 0001-HOGP-must-only-accept-data-from-bonded-devices.patch
 Patch28: 0002-HID-accepts-bonded-device-connections-only.patch
+Patch29: 0001-shared-att-Fix-possible-crash-on-disconnect.patch
 BuildRequires: git-core
 BuildRequires: dbus-devel >= 1.6
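Review bot: bt_att_disc_cancel (the @@ -1306 hunk) can only cancel an op that queue_find still reaches, yet it runs while disconnect_cb's `queue_remove_all(att->req_queue, NULL, NULL, disc_att_send_op)` is draining that same queue; if queue_remove_all with a NULL match unlinks the whole list before it starts invoking disc_att_send_op — which is how I recall src/shared/queue.c behaving, it is not visible here — every lookup misses, bt_att_cancel returns false during disconnect exactly as it did before, and a later op's callback is still invoked with user_data the client has already freed, i.e. the read-after-free in the trace above. I would confirm that against queue.c and, if it holds, drain one op at a time so the remaining ops stay queued (and findable) until their own callback runs, e.g. `while ((op = queue_pop_head(att->req_queue))) disc_att_send_op(op);` for each of the three queues, assuming queue.h provides queue_pop_head. The fix also relies on cancel_att_send_op leaving op allocated for disconnect_cb to destroy (the comment at `done:` says so), but its body after `op->destroy(op->user_data)` is outside the hunk, as are the rest of disconnect_cb and bt_att_cancel, so that invariant should be checked as well. Finally the ownership rule is only implied; a comment above bt_att_disc_cancel such as `/* Only called from bt_att_cancel while disconnect_cb drains the queues: detach the callbacks but leave op queued so queue_remove_all frees it exactly once */` would make it explicit.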
@@ -274,6 +275,19 @@ make check
 %{_userunitdir}/obex.service
 %changelog
+
+* Thu Oct 22 2020 Gopal Tiwari - 5.52-4
++ bluez-5.52-4
+- Fixing (#1885378)
+
+* Thu Oct 22 2020 Gopal Tiwari - 5.52-3
++ bluez-5.52-3
+- Revering the 5.52-2 patch due some mismatch with upsream patch.
+
+* Mon Oct 20 2020 Gopal Tiwari - 5.52-2
++ bluez-5.52-2
+- Fixing (#1885378)
+
 * Tue Jun 9 2020 Gopal Tiwari - 5.52-1
 + bluez-5.52-1
 - Fixing (#1830397)