import bluez-5.52-4.el8

This commit is contained in:
CentOS Sources 2021-03-30 10:17:49 -04:00 committed by Stepan Oksanichenko
parent bfa1dc9e35
commit 5023b99235
2 changed files with 165 additions and 1 deletions

View File

@ -0,0 +1,150 @@
From b61877eb3e05b9b9dff36b4eccc46c539634cf15 Mon Sep 17 00:00:00 2001
From: Gopal Tiwari <gtiwari@redhat.com>
Date: Thu, 22 Oct 2020 11:23:00 +0530
Subject: [PATCH BlueZ] shared/att: Fix possible crash on disconnect
commit 1cd644db8c23a2f530ddb93cebed7dacc5f5721a
Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: Wed Jul 15 18:25:37 2020 -0700
shared/att: Fix possible crash on disconnect
If there are pending request while disconnecting they would be notified
but clients may endup being freed in the proccess which will then be
calling bt_att_cancel to cancal its requests causing the following
trace:
Invalid read of size 4
at 0x1D894C: enable_ccc_callback (gatt-client.c:1627)
by 0x1D247B: disc_att_send_op (att.c:417)
by 0x1CCC17: queue_remove_all (queue.c:354)
by 0x1D47B7: disconnect_cb (att.c:635)
by 0x1E0707: watch_callback (io-glib.c:170)
by 0x48E963B: g_main_context_dispatch (in /usr/lib/libglib-2.0.so.0.6400.4)
by 0x48E9AC7: ??? (in /usr/lib/libglib-2.0.so.0.6400.4)
by 0x48E9ECF: g_main_loop_run (in /usr/lib/libglib-2.0.so.0.6400.4)
by 0x1E0E97: mainloop_run (mainloop-glib.c:79)
by 0x1E13B3: mainloop_run_with_signal (mainloop-notify.c:201)
by 0x12BC3B: main (main.c:770)
Address 0x7d40a28 is 24 bytes inside a block of size 32 free'd
at 0x484A2E0: free (vg_replace_malloc.c:540)
by 0x1CCC17: queue_remove_all (queue.c:354)
by 0x1CCC83: queue_destroy (queue.c:73)
by 0x1D7DD7: bt_gatt_client_free (gatt-client.c:2209)
by 0x16497B: batt_free (battery.c:77)
by 0x16497B: batt_remove (battery.c:286)
by 0x1A0013: service_remove (service.c:176)
by 0x1A9B7B: device_remove_gatt_service (device.c:3691)
by 0x1A9B7B: gatt_service_removed (device.c:3805)
by 0x1CC90B: queue_foreach (queue.c:220)
by 0x1DE27B: notify_service_changed.isra.0.part.0 (gatt-db.c:369)
by 0x1DE387: notify_service_changed (gatt-db.c:361)
by 0x1DE387: gatt_db_service_destroy (gatt-db.c:385)
by 0x1DE3EF: gatt_db_remove_service (gatt-db.c:519)
by 0x1D674F: discovery_op_complete (gatt-client.c:388)
by 0x1D6877: discover_primary_cb (gatt-client.c:1260)
by 0x1E220B: discovery_op_complete (gatt-helpers.c:628)
by 0x1E249B: read_by_grp_type_cb (gatt-helpers.c:730)
by 0x1D247B: disc_att_send_op (att.c:417)
by 0x1CCC17: queue_remove_all (queue.c:354)
by 0x1D47B7: disconnect_cb (att.c:635)
---
src/shared/att.c | 46 ++++++++++++++++++++++++++++++++++++++++------
1 file changed, 40 insertions(+), 6 deletions(-)
diff --git a/src/shared/att.c b/src/shared/att.c
index 0ea6d55bd..b0fdb8e9f 100644
--- a/src/shared/att.c
+++ b/src/shared/att.c
@@ -62,6 +62,7 @@ struct bt_att {
struct queue *ind_queue; /* Queued ATT protocol indications */
struct att_send_op *pending_ind;
struct queue *write_queue; /* Queue of PDUs ready to send */
+ bool in_disc; /* Cleanup queues on disconnect_cb */
bool writer_active;
struct queue *notify_list; /* List of registered callbacks */
@@ -211,8 +212,10 @@ static void destroy_att_send_op(void *data)
free(op);
}
-static void cancel_att_send_op(struct att_send_op *op)
+static void cancel_att_send_op(void *data)
{
+ struct att_send_op *op = data;
+
if (op->destroy)
op->destroy(op->user_data);
@@ -572,11 +575,6 @@ static bool disconnect_cb(struct io *io, void *user_data)
att->io = NULL;
att->fd = -1;
- /* Notify request callbacks */
- queue_remove_all(att->req_queue, NULL, NULL, disc_att_send_op);
- queue_remove_all(att->ind_queue, NULL, NULL, disc_att_send_op);
- queue_remove_all(att->write_queue, NULL, NULL, disc_att_send_op);
-
if (att->pending_req) {
disc_att_send_op(att->pending_req);
att->pending_req = NULL;
@@ -589,6 +587,15 @@ static bool disconnect_cb(struct io *io, void *user_data)
bt_att_ref(att);
+ att->in_disc = true;
+
+ /* Notify request callbacks */
+ queue_remove_all(att->req_queue, NULL, NULL, disc_att_send_op);
+ queue_remove_all(att->ind_queue, NULL, NULL, disc_att_send_op);
+ queue_remove_all(att->write_queue, NULL, NULL, disc_att_send_op);
+
+ att->in_disc = false;
+
queue_foreach(att->disconn_list, disconn_handler, INT_TO_PTR(err));
bt_att_unregister_all(att);
@@ -1306,6 +1313,30 @@ static bool match_op_id(const void *a, const void *b)
return op->id == id;
}
+static bool bt_att_disc_cancel(struct bt_att *att, unsigned int id)
+{
+ struct att_send_op *op;
+
+ op = queue_find(att->req_queue, match_op_id, UINT_TO_PTR(id));
+ if (op)
+ goto done;
+
+ op = queue_find(att->ind_queue, match_op_id, UINT_TO_PTR(id));
+ if (op)
+ goto done;
+
+ op = queue_find(att->write_queue, match_op_id, UINT_TO_PTR(id));
+
+done:
+ if (!op)
+ return false;
+
+ /* Just cancel since disconnect_cb will be cleaning up */
+ cancel_att_send_op(op);
+
+ return true;
+}
+
bool bt_att_cancel(struct bt_att *att, unsigned int id)
{
struct att_send_op *op;
@@ -1325,6 +1356,9 @@ bool bt_att_cancel(struct bt_att *att, unsigned int id)
return true;
}
+ if (att->in_disc)
+ return bt_att_disc_cancel(att, id);
+
op = queue_remove_if(att->req_queue, match_op_id, UINT_TO_PTR(id));
if (op)
goto done;
--
2.21.1

View File

@ -1,7 +1,7 @@
Name: bluez
Summary: Bluetooth utilities
Version: 5.52
Release: 1%{?dist}
Release: 4%{?dist}
License: GPLv2+
URL: http://www.bluez.org/
@ -38,6 +38,7 @@ Patch24: 0001-adapter-Don-t-refresh-adv_manager-for-non-LE-devices.patch
Patch27: 0001-HOGP-must-only-accept-data-from-bonded-devices.patch
Patch28: 0002-HID-accepts-bonded-device-connections-only.patch
Patch29: 0001-shared-att-Fix-possible-crash-on-disconnect.patch
BuildRequires: git-core
BuildRequires: dbus-devel >= 1.6
@ -274,6 +275,19 @@ make check
%{_userunitdir}/obex.service
%changelog
* Thu Oct 22 2020 Gopal Tiwari <gtiwari@redhat.com> - 5.52-4
+ bluez-5.52-4
- Fixing (#1885378)
* Thu Oct 22 2020 Gopal Tiwari <gtiwari@redhat.com> - 5.52-3
+ bluez-5.52-3
- Revering the 5.52-2 patch due some mismatch with upsream patch.
* Mon Oct 20 2020 Gopal Tiwari <gtiwari@redhat.com> - 5.52-2
+ bluez-5.52-2
- Fixing (#1885378)
* Tue Jun 9 2020 Gopal Tiwari <gtiwari@redhat.com> - 5.52-1
+ bluez-5.52-1
- Fixing (#1830397)