korg/bluez
0
0
Fork 0
mirror of https://git.kernel.org/pub/scm/bluetooth/bluez.git synced 2024-12-15 23:14:38 +08:00
Code Issues Packages Projects Releases Wiki Activity

src/device: Fix bluetoothd crash

Browse Source 
DUT was trying to connect with carkit and due to some reason connection
got aborted. SDP search got error and browse request was freed but
device->browse is still pointing to freed memory. During clean up
bluez removes all device and while removing it find reference to
browse_req and it tries to free again which leads to the crash.

Assign NULL to device browse_req before freeing the browse_req.

Log:

bluetooth: src/service.c:change_state() 0xb700a650: device XX:XX:XX:XX:XX:XX
           profile a2dp-sink state changed: connecting -> disconnected (-11)
bluetooth: src/device.c:device_profile_connected()
			a2dp-sink Resource temporarily unavailable (11)
bluetooth: src/device.c:device_profile_connected() returning response to :1.300
bluetooth: src/device.c:device_browse_sdp()
bluetooth: src/device.c:browse_request_free()

--Browse req is freed but device->browse is still pointing to freed memory --

While turning OFF freeing each devices:
bluetoothd[2024]: src/adapter.c:adapter_remove()
		Removing adapter /org/bluez/hci0
bluetoothd[2024]: src/device.c:device_remove()
		Removing device /org/bluez/hci0/dev_XX_XX_XX_XX_XX_XX
bluetoothd[2024]: src/device.c:browse_request_cancel()

(gdb)
0  0xb6f981ae in queue_remove_if (queue=0xb7007d70,
     function=0xb6f9a319 <match_disconn_id>, user_data=0xb7001ae0)
     at src/shared/queue.c:289
1  0xb6f9a87a in bt_att_unregister_disconnect (att=<optimized out>,
     id=<optimized out>) at src/shared/att.c:1161
2  0xb6f81bf6 in attio_cleanup (device=0xb6d4d810) at src/device.c:742
3  0xb6f81c3c in browse_request_cancel (req=0xb6fe3038) at src/device.c:777
4  0xb6f87066 in device_remove (device=0xb700ac00, remove_stored=0)
     at src/device.c:5238
5  0xb6f6b80c in adapter_remove (adapter=adapter@entry=0xb6fff2f0)
     at src/adapter.c:7822
6  0xb6f79068 in adapter_cleanup () at src/adapter.c:11707
This commit is contained in:
Anurag Biradar 2017-07-07 12:06:08 +05:30 committed by Luiz Augusto von Dentz
parent fd3868ebc7
commit ded317e9c2
1 changed files with 1 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
src/device.c
View File

@ -5118,6 +5118,7 @@ static int device_browse_sdp(struct btd_device *device, DBusMessage *msg)
&device->bdaddr, &uuid, browse_cb, req, NULL,
req->sdp_flags);
if (err < 0) {
device->browse = NULL;
browse_request_free(req);
return err;
}