import bluez-5.52-4.el8
This commit is contained in:
parent
bfa1dc9e35
commit
5023b99235
150
SOURCES/0001-shared-att-Fix-possible-crash-on-disconnect.patch
Normal file
150
SOURCES/0001-shared-att-Fix-possible-crash-on-disconnect.patch
Normal file
@ -0,0 +1,150 @@
|
|||||||
|
From b61877eb3e05b9b9dff36b4eccc46c539634cf15 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Gopal Tiwari <gtiwari@redhat.com>
|
||||||
|
Date: Thu, 22 Oct 2020 11:23:00 +0530
|
||||||
|
Subject: [PATCH BlueZ] shared/att: Fix possible crash on disconnect
|
||||||
|
|
||||||
|
commit 1cd644db8c23a2f530ddb93cebed7dacc5f5721a
|
||||||
|
Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
|
||||||
|
Date: Wed Jul 15 18:25:37 2020 -0700
|
||||||
|
|
||||||
|
shared/att: Fix possible crash on disconnect
|
||||||
|
|
||||||
|
If there are pending request while disconnecting they would be notified
|
||||||
|
but clients may endup being freed in the proccess which will then be
|
||||||
|
calling bt_att_cancel to cancal its requests causing the following
|
||||||
|
trace:
|
||||||
|
|
||||||
|
Invalid read of size 4
|
||||||
|
at 0x1D894C: enable_ccc_callback (gatt-client.c:1627)
|
||||||
|
by 0x1D247B: disc_att_send_op (att.c:417)
|
||||||
|
by 0x1CCC17: queue_remove_all (queue.c:354)
|
||||||
|
by 0x1D47B7: disconnect_cb (att.c:635)
|
||||||
|
by 0x1E0707: watch_callback (io-glib.c:170)
|
||||||
|
by 0x48E963B: g_main_context_dispatch (in /usr/lib/libglib-2.0.so.0.6400.4)
|
||||||
|
by 0x48E9AC7: ??? (in /usr/lib/libglib-2.0.so.0.6400.4)
|
||||||
|
by 0x48E9ECF: g_main_loop_run (in /usr/lib/libglib-2.0.so.0.6400.4)
|
||||||
|
by 0x1E0E97: mainloop_run (mainloop-glib.c:79)
|
||||||
|
by 0x1E13B3: mainloop_run_with_signal (mainloop-notify.c:201)
|
||||||
|
by 0x12BC3B: main (main.c:770)
|
||||||
|
Address 0x7d40a28 is 24 bytes inside a block of size 32 free'd
|
||||||
|
at 0x484A2E0: free (vg_replace_malloc.c:540)
|
||||||
|
by 0x1CCC17: queue_remove_all (queue.c:354)
|
||||||
|
by 0x1CCC83: queue_destroy (queue.c:73)
|
||||||
|
by 0x1D7DD7: bt_gatt_client_free (gatt-client.c:2209)
|
||||||
|
by 0x16497B: batt_free (battery.c:77)
|
||||||
|
by 0x16497B: batt_remove (battery.c:286)
|
||||||
|
by 0x1A0013: service_remove (service.c:176)
|
||||||
|
by 0x1A9B7B: device_remove_gatt_service (device.c:3691)
|
||||||
|
by 0x1A9B7B: gatt_service_removed (device.c:3805)
|
||||||
|
by 0x1CC90B: queue_foreach (queue.c:220)
|
||||||
|
by 0x1DE27B: notify_service_changed.isra.0.part.0 (gatt-db.c:369)
|
||||||
|
by 0x1DE387: notify_service_changed (gatt-db.c:361)
|
||||||
|
by 0x1DE387: gatt_db_service_destroy (gatt-db.c:385)
|
||||||
|
by 0x1DE3EF: gatt_db_remove_service (gatt-db.c:519)
|
||||||
|
by 0x1D674F: discovery_op_complete (gatt-client.c:388)
|
||||||
|
by 0x1D6877: discover_primary_cb (gatt-client.c:1260)
|
||||||
|
by 0x1E220B: discovery_op_complete (gatt-helpers.c:628)
|
||||||
|
by 0x1E249B: read_by_grp_type_cb (gatt-helpers.c:730)
|
||||||
|
by 0x1D247B: disc_att_send_op (att.c:417)
|
||||||
|
by 0x1CCC17: queue_remove_all (queue.c:354)
|
||||||
|
by 0x1D47B7: disconnect_cb (att.c:635)
|
||||||
|
---
|
||||||
|
src/shared/att.c | 46 ++++++++++++++++++++++++++++++++++++++++------
|
||||||
|
1 file changed, 40 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/shared/att.c b/src/shared/att.c
|
||||||
|
index 0ea6d55bd..b0fdb8e9f 100644
|
||||||
|
--- a/src/shared/att.c
|
||||||
|
+++ b/src/shared/att.c
|
||||||
|
@@ -62,6 +62,7 @@ struct bt_att {
|
||||||
|
struct queue *ind_queue; /* Queued ATT protocol indications */
|
||||||
|
struct att_send_op *pending_ind;
|
||||||
|
struct queue *write_queue; /* Queue of PDUs ready to send */
|
||||||
|
+ bool in_disc; /* Cleanup queues on disconnect_cb */
|
||||||
|
bool writer_active;
|
||||||
|
|
||||||
|
struct queue *notify_list; /* List of registered callbacks */
|
||||||
|
@@ -211,8 +212,10 @@ static void destroy_att_send_op(void *data)
|
||||||
|
free(op);
|
||||||
|
}
|
||||||
|
|
||||||
|
-static void cancel_att_send_op(struct att_send_op *op)
|
||||||
|
+static void cancel_att_send_op(void *data)
|
||||||
|
{
|
||||||
|
+ struct att_send_op *op = data;
|
||||||
|
+
|
||||||
|
if (op->destroy)
|
||||||
|
op->destroy(op->user_data);
|
||||||
|
|
||||||
|
@@ -572,11 +575,6 @@ static bool disconnect_cb(struct io *io, void *user_data)
|
||||||
|
att->io = NULL;
|
||||||
|
att->fd = -1;
|
||||||
|
|
||||||
|
- /* Notify request callbacks */
|
||||||
|
- queue_remove_all(att->req_queue, NULL, NULL, disc_att_send_op);
|
||||||
|
- queue_remove_all(att->ind_queue, NULL, NULL, disc_att_send_op);
|
||||||
|
- queue_remove_all(att->write_queue, NULL, NULL, disc_att_send_op);
|
||||||
|
-
|
||||||
|
if (att->pending_req) {
|
||||||
|
disc_att_send_op(att->pending_req);
|
||||||
|
att->pending_req = NULL;
|
||||||
|
@@ -589,6 +587,15 @@ static bool disconnect_cb(struct io *io, void *user_data)
|
||||||
|
|
||||||
|
bt_att_ref(att);
|
||||||
|
|
||||||
|
+ att->in_disc = true;
|
||||||
|
+
|
||||||
|
+ /* Notify request callbacks */
|
||||||
|
+ queue_remove_all(att->req_queue, NULL, NULL, disc_att_send_op);
|
||||||
|
+ queue_remove_all(att->ind_queue, NULL, NULL, disc_att_send_op);
|
||||||
|
+ queue_remove_all(att->write_queue, NULL, NULL, disc_att_send_op);
|
||||||
|
+
|
||||||
|
+ att->in_disc = false;
|
||||||
|
+
|
||||||
|
queue_foreach(att->disconn_list, disconn_handler, INT_TO_PTR(err));
|
||||||
|
|
||||||
|
bt_att_unregister_all(att);
|
||||||
|
@@ -1306,6 +1313,30 @@ static bool match_op_id(const void *a, const void *b)
|
||||||
|
return op->id == id;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static bool bt_att_disc_cancel(struct bt_att *att, unsigned int id)
|
||||||
|
+{
|
||||||
|
+ struct att_send_op *op;
|
||||||
|
+
|
||||||
|
+ op = queue_find(att->req_queue, match_op_id, UINT_TO_PTR(id));
|
||||||
|
+ if (op)
|
||||||
|
+ goto done;
|
||||||
|
+
|
||||||
|
+ op = queue_find(att->ind_queue, match_op_id, UINT_TO_PTR(id));
|
||||||
|
+ if (op)
|
||||||
|
+ goto done;
|
||||||
|
+
|
||||||
|
+ op = queue_find(att->write_queue, match_op_id, UINT_TO_PTR(id));
|
||||||
|
+
|
||||||
|
+done:
|
||||||
|
+ if (!op)
|
||||||
|
+ return false;
|
||||||
|
+
|
||||||
|
+ /* Just cancel since disconnect_cb will be cleaning up */
|
||||||
|
+ cancel_att_send_op(op);
|
||||||
|
+
|
||||||
|
+ return true;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
bool bt_att_cancel(struct bt_att *att, unsigned int id)
|
||||||
|
{
|
||||||
|
struct att_send_op *op;
|
||||||
|
@@ -1325,6 +1356,9 @@ bool bt_att_cancel(struct bt_att *att, unsigned int id)
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (att->in_disc)
|
||||||
|
+ return bt_att_disc_cancel(att, id);
|
||||||
|
+
|
||||||
|
op = queue_remove_if(att->req_queue, match_op_id, UINT_TO_PTR(id));
|
||||||
|
if (op)
|
||||||
|
goto done;
|
||||||
|
--
|
||||||
|
2.21.1
|
||||||
|
|
@ -1,7 +1,7 @@
|
|||||||
Name: bluez
|
Name: bluez
|
||||||
Summary: Bluetooth utilities
|
Summary: Bluetooth utilities
|
||||||
Version: 5.52
|
Version: 5.52
|
||||||
Release: 1%{?dist}
|
Release: 4%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
URL: http://www.bluez.org/
|
URL: http://www.bluez.org/
|
||||||
|
|
||||||
@ -38,6 +38,7 @@ Patch24: 0001-adapter-Don-t-refresh-adv_manager-for-non-LE-devices.patch
|
|||||||
|
|
||||||
Patch27: 0001-HOGP-must-only-accept-data-from-bonded-devices.patch
|
Patch27: 0001-HOGP-must-only-accept-data-from-bonded-devices.patch
|
||||||
Patch28: 0002-HID-accepts-bonded-device-connections-only.patch
|
Patch28: 0002-HID-accepts-bonded-device-connections-only.patch
|
||||||
|
Patch29: 0001-shared-att-Fix-possible-crash-on-disconnect.patch
|
||||||
|
|
||||||
BuildRequires: git-core
|
BuildRequires: git-core
|
||||||
BuildRequires: dbus-devel >= 1.6
|
BuildRequires: dbus-devel >= 1.6
|
||||||
@ -274,6 +275,19 @@ make check
|
|||||||
%{_userunitdir}/obex.service
|
%{_userunitdir}/obex.service
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
|
||||||
|
* Thu Oct 22 2020 Gopal Tiwari <gtiwari@redhat.com> - 5.52-4
|
||||||
|
+ bluez-5.52-4
|
||||||
|
- Fixing (#1885378)
|
||||||
|
|
||||||
|
* Thu Oct 22 2020 Gopal Tiwari <gtiwari@redhat.com> - 5.52-3
|
||||||
|
+ bluez-5.52-3
|
||||||
|
- Revering the 5.52-2 patch due some mismatch with upsream patch.
|
||||||
|
|
||||||
|
* Mon Oct 20 2020 Gopal Tiwari <gtiwari@redhat.com> - 5.52-2
|
||||||
|
+ bluez-5.52-2
|
||||||
|
- Fixing (#1885378)
|
||||||
|
|
||||||
* Tue Jun 9 2020 Gopal Tiwari <gtiwari@redhat.com> - 5.52-1
|
* Tue Jun 9 2020 Gopal Tiwari <gtiwari@redhat.com> - 5.52-1
|
||||||
+ bluez-5.52-1
|
+ bluez-5.52-1
|
||||||
- Fixing (#1830397)
|
- Fixing (#1830397)
|
||||||
|
Loading…
Reference in New Issue
Block a user