From the log in .bcm43xx_load_firmware():
/* Wait 50ms to let the firmware placed in download mode */
nanosleep(&tm_mode, NULL);
But timespec tm_mode is really 50us. Correct the delayed timer count.
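The unit error behind this fix, as an added example (not BlueZ code): a helper that builds a `struct timespec` from milliseconds with the nanosecond field normalised, and a reverse helper that reports what a hand-written initialiser actually encodes. The function names are hypothetical.

```c
/* Added example (not BlueZ code): converting a millisecond delay into a
 * struct timespec for nanosleep(). The bug described above was a timespec
 * holding 50 000 ns (50 us) where 50 ms was intended. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <time.h>

#define NSEC_PER_MSEC 1000000L
#define MSEC_PER_SEC  1000L

/* Fill *ts with a delay of `msec` milliseconds, normalising so that
 * tv_nsec always stays below one second as nanosleep() requires. */
void msec_to_timespec(long msec, struct timespec *ts)
{
	ts->tv_sec  = msec / MSEC_PER_SEC;
	ts->tv_nsec = (msec % MSEC_PER_SEC) * NSEC_PER_MSEC;
}

/* Return the delay encoded in *ts in microseconds, so a reviewer can
 * check what a hand-written initialiser really means. */
long timespec_to_usec(const struct timespec *ts)
{
	return ts->tv_sec * 1000000L + ts->tv_nsec / 1000L;
}

int main(void)
{
	/* The shape of the bug: tv_nsec = 50000 is 50 us, not 50 ms. */
	struct timespec wrong = { .tv_sec = 0, .tv_nsec = 50000 };
	struct timespec right;

	msec_to_timespec(50, &right);
	printf("wrong: %ld us, right: %ld us\n",
	       timespec_to_usec(&wrong), timespec_to_usec(&right));
	nanosleep(&right, NULL);
	return 0;
}
```

Passing every delay through `msec_to_timespec()` instead of writing `tv_nsec` literals by hand is what keeps a 1000x error like this one from compiling silently.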
Calling gatt_db_register with NULL pointers makes no sense since it does
nothing when the callbacks are NULL, so the callbacks are still reachable,
causing invalid memory to be accessed:
Invalid read of size 8
at 0x50EAFDC: g_slist_find_custom (in /usr/lib64/libglib-2.0.so.0.5000.3)
by 0x46CDA1: gatt_service_removed (device.c:3563)
by 0x4896F8: queue_foreach (queue.c:220)
by 0x4951FB: notify_service_changed (gatt-db.c:268)
by 0x4951FB: gatt_db_service_destroy (gatt-db.c:279)
by 0x4898F5: queue_remove_all (queue.c:336)
by 0x4952E2: gatt_db_clear_range (gatt-db.c:461)
by 0x48F32B: discovery_op_unref (gatt-client.c:447)
by 0x4979AA: bt_gatt_request_unref (gatt-helpers.c:594)
by 0x490489: bt_gatt_client_cancel_all (gatt-client.c:2083)
by 0x4904D8: bt_gatt_client_free (gatt-client.c:1752)
by 0x46CF70: gatt_client_cleanup (device.c:561)
by 0x46D01A: attio_cleanup (device.c:586)
Address 0x86cb940 is 0 bytes inside a block of size 16 free'd
at 0x4C2ED4A: free (vg_replace_malloc.c:530)
by 0x50D16CD: g_free (in /usr/lib64/libglib-2.0.so.0.5000.3)
by 0x50EA743: g_slice_free_chain_with_offset (in /usr/lib64/libglib-2.0.so.0.5000.3)
by 0x46D18C: device_free (device.c:638)
by 0x485B05: remove_interface (object.c:667)
by 0x485FF9: g_dbus_unregister_interface (object.c:1391)
by 0x45EFA9: btd_adapter_remove_device (adapter.c:1200)
by 0x45FBC3: dev_disconnected (adapter.c:6800)
by 0x48A1A5: request_complete (mgmt.c:261)
by 0x48AC0B: can_read_data (mgmt.c:353)
by 0x496954: watch_callback (io-glib.c:170)
by 0x50CBE51: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.5000.3)
When a remote connects ATT over BR/EDR the code will attempt to resolve
its attributes, but in the meantime an SDP session may be active to
resolve the services exposed over SDP, which can cause a crash since ATT
may end up freeing the request, causing the following trace:
bluetoothd[31069]: attrib/gattrib.c:g_attrib_unref() 0x73aae0: g_attrib_unref=0
bluetoothd[31069]: src/device.c:connect_profiles()
/org/bluez/hci0/dev_F4_5F_69_01_3D_69 (all), client :1.868
bluetoothd[31069]: src/device.c:connect_profiles() Resolving services for
/org/bluez/hci0/dev_F4_5F_69_01_3D_69
bluetoothd[31069]: src/adapter.c:connected_callback() hci0 device
F4:5F:69:01:3D:69 connected eir_len 13
bluetoothd[31069]: src/gatt-database.c:connect_cb() New incoming BR/EDR ATT
connection
bluetoothd[31069]: attrib/gattrib.c:g_attrib_ref() 0x73d280: g_attrib_ref=1
bluetoothd[31069]: src/device.c:load_gatt_db() Restoring F4:5F:69:01:3D:69 gatt
database from file
bluetoothd[31069]: No cache for F4:5F:69:01:3D:69
bluetoothd[31069]: src/gatt-client.c:btd_gatt_client_connected() Device
connected.
bluetoothd[31069]: src/device.c:gatt_debug() Primary service discovery failed.
ATT ECODE: 0x0a
bluetoothd[31069]: src/device.c:gatt_client_ready_cb() status: success, error:
0
bluetoothd[31069]: src/gatt-client.c:btd_gatt_client_ready() GATT client ready
bluetoothd[31069]: src/gatt-client.c:create_services() Exporting objects for
GATT services: F4:5F:69:01:3D:69
bluetoothd[31069]: src/device.c:device_svc_resolved()
/org/bluez/hci0/dev_F4_5F_69_01_3D_69 err 0
bluetoothd[31069]: src/device.c:connect_profiles()
/org/bluez/hci0/dev_F4_5F_69_01_3D_69 (all), client :1.868
Program received signal SIGSEGV, Segmentation fault.
0x000000000048eb8d in browse_cb ()
When bluetoothctl runs with the command line option "-a <capability>", it
does not free the variable auto_register_agent registering the initial
agent and allocates new memory for it.
This frees the allocated memory before allocating new memory.
(The related commit id is 6db3470c2ea161b4b808ad1fc80dfd7e014fd359.)
DUT was trying to connect with carkit and due to some reason the connection
got aborted. SDP search got an error and the browse request was freed, but
device->browse is still pointing to freed memory. During clean up
bluez removes all devices and while removing it finds a reference to
browse_req and tries to free it again, which leads to the crash.
Assign NULL to device browse_req before freeing the browse_req.
Log:
bluetooth: src/service.c:change_state() 0xb700a650: device XX:XX:XX:XX:XX:XX
profile a2dp-sink state changed: connecting -> disconnected (-11)
bluetooth: src/device.c:device_profile_connected()
a2dp-sink Resource temporarily unavailable (11)
bluetooth: src/device.c:device_profile_connected() returning response to :1.300
bluetooth: src/device.c:device_browse_sdp()
bluetooth: src/device.c:browse_request_free()
--Browse req is freed but device->browse is still pointing to freed memory --
While turning OFF freeing each devices:
bluetoothd[2024]: src/adapter.c:adapter_remove()
Removing adapter /org/bluez/hci0
bluetoothd[2024]: src/device.c:device_remove()
Removing device /org/bluez/hci0/dev_XX_XX_XX_XX_XX_XX
bluetoothd[2024]: src/device.c:browse_request_cancel()
(gdb)
0 0xb6f981ae in queue_remove_if (queue=0xb7007d70,
function=0xb6f9a319 <match_disconn_id>, user_data=0xb7001ae0)
at src/shared/queue.c:289
1 0xb6f9a87a in bt_att_unregister_disconnect (att=<optimized out>,
id=<optimized out>) at src/shared/att.c:1161
2 0xb6f81bf6 in attio_cleanup (device=0xb6d4d810) at src/device.c:742
3 0xb6f81c3c in browse_request_cancel (req=0xb6fe3038) at src/device.c:777
4 0xb6f87066 in device_remove (device=0xb700ac00, remove_stored=0)
at src/device.c:5238
5 0xb6f6b80c in adapter_remove (adapter=adapter@entry=0xb6fff2f0)
at src/adapter.c:7822
6 0xb6f79068 in adapter_cleanup () at src/adapter.c:11707
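The ownership pattern behind this fix, as an added example (not BlueZ code): the device keeps a back-pointer to its in-flight browse request, and the request clears that pointer before it is freed, so a later cancel during adapter teardown finds nothing to free. `struct device`, `struct browse_req` and the function names are hypothetical stand-ins for the real ones.

```c
/* Added example (not BlueZ code): the request must detach from its owner
 * before it is freed, otherwise device_remove() -> browse_request_cancel()
 * frees it a second time. All names here are hypothetical stand-ins. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct device;

struct browse_req {
	struct device *device;   /* owner, used to clear device->browse */
	int sdp_handle;          /* stand-in for the pending SDP search */
};

struct device {
	char addr[18];
	struct browse_req *browse;   /* NULL when no request is pending */
};

static int frees = 0;   /* counts how often browse_request_free ran */

/* Correct order: detach from the owner, then release memory. */
static void browse_request_free(struct browse_req *req)
{
	if (req->device && req->device->browse == req)
		req->device->browse = NULL;
	free(req);
	frees++;
}

struct browse_req *device_browse_sdp(struct device *dev)
{
	struct browse_req *req = calloc(1, sizeof(*req));
	if (!req)
		return NULL;
	req->device = dev;
	req->sdp_handle = 1;
	dev->browse = req;
	return req;
}

/* The SDP search reported an error (the -11 in the log): request is done. */
void browse_cb_error(struct browse_req *req)
{
	browse_request_free(req);
}

/* Called from device_remove(); returns 1 if there was something to cancel. */
int browse_request_cancel(struct device *dev)
{
	if (!dev->browse)
		return 0;
	browse_request_free(dev->browse);
	return 1;
}

int frees_so_far(void)
{
	return frees;
}

int main(void)
{
	struct device dev = { "XX:XX:XX:XX:XX:XX", NULL };
	struct browse_req *req = device_browse_sdp(&dev);

	browse_cb_error(req);                           /* connection aborted */
	int cancelled = browse_request_cancel(&dev);    /* adapter powering off */
	printf("pending after error: %p, cancelled at remove: %d, frees: %d\n",
	       (void *)dev.browse, cancelled, frees);
	return 0;
}
```

With the back-pointer cleared inside the free routine, every teardown path that reaches `device->browse` sees NULL and the double free in the gdb trace cannot occur.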
This adds release-notify command which closes an existing fd unlocking
the attribute:
[Test peripheral:/service001f/char0020]# release-notify
[CHG] Attribute /org/bluez/hci1/dev_69_16_5B_9A_06_CD/service001f/char0020 NotifyAcquired: no
This implements AcquireNotify creating a pipe and passing the read fd
to the application requesting it, at the same time subscribing for
notifications:
bluetoothd[7279]: src/gatt-client.c:notify_client_ref() owner :1.461
bluetoothd[7279]: src/gatt-client.c:characteristic_create_pipe() AcquireNotify: sender :1.461 io 0x8a60540
This adds release-write command which closes an existing fd unlocking
the attribute:
[Test peripheral:/service001f/char0020]# release-write
[CHG] Attribute /org/bluez/hci1/dev_00_1B_DC_07_31_88/service001f/char0020 WriteAcquired: no
This implements AcquireWrite creating a pipe and passing the write fd
to the application requesting it:
bluetoothd[29915]: src/gatt-client.c:characteristic_create_pipe() AcquireWrite: sender :1.378 io 0x89cdfe0
The fd is monitored and in case the client decides to close it, or exits/crashes,
the daemon detects the HUP and cleans up properly:
bluetoothd[29915]: src/gatt-client.c:characteristic_pipe_hup() /org/bluez/hci1/dev_00_1B_DC_07_31_88/service001f/char0020: io 0x89cdfe0
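The mechanism the AcquireWrite and HUP commits above describe, as an added example (not BlueZ code): the daemon creates a pipe, hands one end to the client and keeps the other; when the client closes its end or exits, `poll()` on the daemon's end reports `POLLHUP` and the daemon closes its fd and releases the lock on the attribute. `struct chrc`, `chrc_acquire_write()` and `chrc_pipe_dispatch()` are hypothetical names.

```c
/* Added example (not BlueZ code): pipe-based exclusive write access with
 * HUP detection on the daemon side. Names are hypothetical stand-ins. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

struct chrc {
	int write_io;        /* daemon's read end for AcquireWrite, -1 if none */
	int write_acquired;  /* mirrors the WriteAcquired property */
};

/* AcquireWrite: create the pipe, keep the read end, return the write end
 * that would be passed to the client over D-Bus. */
int chrc_acquire_write(struct chrc *c)
{
	int fds[2];

	if (c->write_acquired)
		return -EBUSY;                 /* already locked by a client */
	if (pipe(fds) < 0)
		return -errno;
	c->write_io = fds[0];
	c->write_acquired = 1;
	return fds[1];
}

/* One poll() round on the daemon side. Returns the number of bytes the
 * client wrote to the attribute, 0 after a HUP (fd closed, lock released),
 * or -1 when nothing happened within the timeout. */
int chrc_pipe_dispatch(struct chrc *c, char *buf, size_t len, int timeout_ms)
{
	struct pollfd pfd = { .fd = c->write_io, .events = POLLIN };
	int n = poll(&pfd, 1, timeout_ms);

	if (n <= 0)
		return -1;
	if (pfd.revents & POLLIN) {
		ssize_t r = read(c->write_io, buf, len);
		if (r > 0)
			return (int)r;
	}
	/* POLLHUP, or read() returned 0: the client is gone. This is the
	 * characteristic_pipe_hup() path: close our end and unlock. */
	close(c->write_io);
	c->write_io = -1;
	c->write_acquired = 0;
	return 0;
}

int main(void)
{
	struct chrc c = { -1, 0 };
	char buf[16];
	int client_fd = chrc_acquire_write(&c);   /* fd handed to the client */

	(void)write(client_fd, "abc", 3);          /* client writes the attribute */
	int n = chrc_pipe_dispatch(&c, buf, sizeof buf, 100);
	printf("daemon read %d bytes\n", n);
	close(client_fd);                           /* client closes or crashes */
	n = chrc_pipe_dispatch(&c, buf, sizeof buf, 100);
	printf("after HUP: n=%d WriteAcquired=%s\n", n,
	       c.write_acquired ? "yes" : "no");
	return 0;
}
```

Data written before the close is still delivered first, because the kernel reports `POLLIN` together with `POLLHUP` while the pipe has unread bytes; only once `read()` returns 0 does the daemon treat the client as gone.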
This makes the ready callbacks much more convenient to track when the
client is ready since it is now possible to notify more than one client
at the same time.
This enables write and notify exclusive access via file descriptors in
case the characteristic is actually trying to emulate a byte stream
transfer or has a protocol on top of GATT.
This adds unregister-descriptor which can be used to unregister
descriptors registered with register-descriptor:
unregister-descriptor /org/bluez/app/service0xf48150/chrc0xf49a40/desc0xf4d350
[DEL] Descriptor
/org/bluez/app/service0xf48150/chrc0xf49a40/desc0xf4d350
8260c653-1a54-426b-9e36-e84c238bc669
Vendor specific
This adds register-descriptor which can be used to register
descriptors to a characteristic registered with register-characteristic:
register-descriptor 8260c653-1a54-426b-9e36-e84c238bc669 read,write
[NEW] Descriptor
/org/bluez/app/service0x902610/chrc0x91d690/desc0x9095a0
8260c653-1a54-426b-9e36-e84c238bc669
Vendor specific
[/org/bluez/app/service0x902610/chrc0x91d690/desc0x9095a0] Enter value: 00
This adds unregister-characteristic which can be used to unregister
characteristics registered with register-characteristic:
unregister-characteristic /org/bluez/app/service0xc80150/chrc0xc99960
[DEL] Characteristic
/org/bluez/app/service0xc80150/chrc0xc99960
00002a06-0000-1000-8000-00805f9b34fb
Alert Level
This adds register-characteristic which can be used to register a
characteristic to a service registered with register-service:
register-characteristic 00002a06-0000-1000-8000-00805f9b34fb write-without-response
[NEW] Characteristic
/org/bluez/app/service0x1122150/chrc0x113fa40
00002a06-0000-1000-8000-00805f9b34fb
Alert Level
This adds unregister-service which can be used to unregister an
application service registered with register-service:
register-service 00001820-0000-1000-8000-00805f9b34fb
[NEW] Primary Service
/org/bluez/app/service0x92a150
00001820-0000-1000-8000-00805f9b34fb
Internet Protocol Support
[bluetooth]# unregister-service /org/bluez/app/service0x92a150
[DEL] Primary Service
/org/bluez/app/service0x92a150
00001820-0000-1000-8000-00805f9b34fb
Internet Protocol Support
This adds register-service command which can be used to add GATT services
to the application:
[bluetooth]# register-service 00001820-0000-1000-8000-00805f9b34fb
[NEW] Primary Service
/org/bluez/app/service0x8c2610
00001820-0000-1000-8000-00805f9b34fb
Internet Protocol Support
[/org/bluez/app/service0x8c2610] Primary (yes/no): yes
[bluetooth]# register-application
[CHG] Controller 00:1B:DC:07:31:88 UUIDs: 00001112-0000-1000-8000-00805f9b34fb
[CHG] Controller 00:1B:DC:07:31:88 UUIDs: 00001801-0000-1000-8000-00805f9b34fb
[CHG] Controller 00:1B:DC:07:31:88 UUIDs: 0000110e-0000-1000-8000-00805f9b34fb
[CHG] Controller 00:1B:DC:07:31:88 UUIDs: 0000112d-0000-1000-8000-00805f9b34fb
[CHG] Controller 00:1B:DC:07:31:88 UUIDs: 00001800-0000-1000-8000-00805f9b34fb
[CHG] Controller 00:1B:DC:07:31:88 UUIDs: 00001820-0000-1000-8000-00805f9b34fb
[CHG] Controller 00:1B:DC:07:31:88 UUIDs: 00001200-0000-1000-8000-00805f9b34fb
[CHG] Controller 00:1B:DC:07:31:88 UUIDs: 0000110c-0000-1000-8000-00805f9b34fb
[CHG] Controller 00:1B:DC:07:31:88 UUIDs: 0000110a-0000-1000-8000-00805f9b34fb
[CHG] Controller 00:1B:DC:07:31:88 UUIDs: 0000110b-0000-1000-8000-00805f9b34fb
Note: register-application still has to be called at the end to register
with bluetoothd as everything is done with ObjectManager.
By sending OPP Put request before CONNECT we were able to cause
SIGSEGV in obexd. Crash was caused by null pointer dereference.
Crash was found using Synopsys Defensics Obex Server test suite.
This was fixed by calling os->service->connect if CONNECT was not
done before.
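The defect class and the guard, as an added example (not obexd code): a minimal request dispatcher whose per-session service pointer is only set by CONNECT, so a PUT arriving first would dereference NULL. Following the fix described above, the PUT path runs the connect step first when no CONNECT has been seen; rejecting the PUT with an error response is the other common choice. `struct obex_session`, `obex_dispatch()` and the other names are hypothetical; the opcode and response values match the OBEX specification.

```c
/* Added example (not obexd code): guard a PUT that arrives before CONNECT
 * so the NULL service pointer is never dereferenced. Names are hypothetical. */
#include <stddef.h>
#include <stdio.h>

/* OBEX opcodes with the final bit set. */
enum obex_op { OBEX_CONNECT = 0x80, OBEX_DISCONNECT = 0x81, OBEX_PUT = 0x82 };

/* OBEX response codes (final bit set). */
#define OBEX_RSP_SUCCESS     0xA0
#define OBEX_RSP_BAD_REQUEST 0xC0

struct obex_service {
	const char *name;
	int (*put)(void *ctx);
};

struct obex_session {
	const struct obex_service *service;   /* NULL until CONNECT */
	int connected;
	int puts_handled;
	int connects;
};

static int opp_put(void *ctx)
{
	struct obex_session *os = ctx;

	os->puts_handled++;
	return OBEX_RSP_SUCCESS;
}

static const struct obex_service opp = { "OPP", opp_put };

/* The work CONNECT does: bind the session to a service. */
static int session_connect(struct obex_session *os)
{
	os->service = &opp;
	os->connected = 1;
	os->connects++;
	return OBEX_RSP_SUCCESS;
}

int obex_dispatch(struct obex_session *os, enum obex_op op)
{
	int rsp;

	switch (op) {
	case OBEX_CONNECT:
		return session_connect(os);
	case OBEX_PUT:
		/* The guard: before the fix this path reached os->service->put
		 * with os->service still NULL when PUT was the first packet. */
		if (!os->connected) {
			rsp = session_connect(os);
			if (rsp != OBEX_RSP_SUCCESS)
				return rsp;
		}
		return os->service->put(os);
	case OBEX_DISCONNECT:
		os->connected = 0;
		os->service = NULL;
		return OBEX_RSP_SUCCESS;
	}
	return OBEX_RSP_BAD_REQUEST;
}

int main(void)
{
	struct obex_session s = { NULL, 0, 0, 0 };

	/* PUT as the very first packet, the sequence the fuzzer sent. */
	int rsp = obex_dispatch(&s, OBEX_PUT);
	printf("PUT before CONNECT -> 0x%02X, connects=%d, puts=%d\n",
	       rsp, s.connects, s.puts_handled);
	return 0;
}
```

Any opcode handler that touches `os->service` needs the same state check; a protocol fuzzer such as the one named above finds every handler that lacks it by sending each request as the first packet of a fresh session.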
This outputs the help message on two lines as follows if the string of
a command and an argument is long.
set-alias <alias> Set device alias
select-attribute <attribute/UUID>
Select attribute
attribute-info [attribute/UUID]
Select attribute
read Read attribute value