2020-09-28 18:37:13

by Michael Sun

Subject: [Bluez PATCH] hog: null-check attrib channel at report_map_read_cb

According to user reported crash dumps, function 'report_map_read_cb'
can pass down a null channel pointer, which will cause a segfault later
at g_io_channel_unix_get_fd upon dereferencing. Add null check to
prevent crashes.

thread #1, stop reason = signal SIGSEGV
frame #0: 0x00007ac089e199f7 libglib-2.0.so.0`g_io_channel_unix_get_fd at giounix.c:655
frame #1: 0x00005cdb60776a52 bluetoothd`bt_io_get_type at btio.c:105
frame #2: 0x00005cdb60777224 bluetoothd`bt_io_get at btio.c:1548
frame #3: 0x00005cdb607706ca bluetoothd`report_map_read_cb at hog-lib.c:993
frame #4: 0x00005cdb60775a60 bluetoothd`read_blob_helper at gatt.c:804
frame #5: 0x00005cdb60775f13 bluetoothd`attrib_callback_result at gattrib.c:273
frame #6: 0x00005cdb607bf30b bluetoothd`can_read_data at att.c:820
frame #7: 0x00005cdb607ca58f bluetoothd`watch_callback at io-glib.c:170
frame #8: 0x00007ac089dda73b libglib-2.0.so.0`g_main_context_dispatch at gmain.c:3182
frame #9: 0x00007ac089ddaa5a libglib-2.0.so.0`g_main_context_iterate at gmain.c:3920
frame #10: 0x00007ac089ddac9f libglib-2.0.so.0`g_main_loop_run at gmain.c:4116
frame #11: 0x00005cdb607ca712 bluetoothd`mainloop_run at mainloop-glib.c:79
frame #12: 0x00005cdb607ca9fe bluetoothd`mainloop_run_with_signal at mainloop-notify.c:201
frame #13: 0x00005cdb607b04bb bluetoothd`main at main.c:969
frame #14: 0x00007ac0894c0ad4 libc.so.6`__libc_start_main at libc-start.c:308
frame #15: 0x00005cdb6074eb0a bluetoothd`_start + 42

Reviewed-by: Abhishek Pandit-Subedi <[email protected]>
Reviewed-by: Archie Pusaka <[email protected]>
Signed-off-by: Michael Sun <[email protected]>
---

profiles/input/hog-lib.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/profiles/input/hog-lib.c b/profiles/input/hog-lib.c
index e96c969b7755..58d6b556dc9c 100644
--- a/profiles/input/hog-lib.c
+++ b/profiles/input/hog-lib.c
@@ -945,6 +945,7 @@ static void report_map_read_cb(guint8 status, const guint8 *pdu, guint16 plen,
char itemstr[20]; /* 5x3 (data) + 4 (continuation) + 1 (null) */
int i, err;
GError *gerr = NULL;
+ GIOChannel *io = NULL;

destroy_gatt_req(req);

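Review bot: the "= NULL" initializer on the new "GIOChannel *io = NULL;" declaration is redundant, since the only assignment to io (from g_attrib_get_channel() in the following hunk) happens unconditionally before any use; dropping the initializer matches the style of the neighbouring declarations ("int i, err;") and keeps the compiler able to warn if a later change adds a path that reads io before assigning it.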
@@ -988,7 +989,13 @@ static void report_map_read_cb(guint8 status, const guint8 *pdu, guint16 plen,
memset(&ev, 0, sizeof(ev));
ev.type = UHID_CREATE;

- bt_io_get(g_attrib_get_channel(hog->attrib), &gerr,
+ io = g_attrib_get_channel(hog->attrib);
+ if (!io) {
+ error("Get channel failed");
+ return;
+ }
+
+ bt_io_get(io, &gerr,
BT_IO_OPT_SOURCE, ev.u.create.phys,
BT_IO_OPT_DEST, ev.u.create.uniq,
BT_IO_OPT_INVALID);
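Review bot: the early return on a NULL channel is the right fix for the segfault, but the log message error("Get channel failed") carries no context about where it came from or what was skipped, and the commit message only states that a NULL channel "can" be passed down without saying under which condition g_attrib_get_channel(hog->attrib) returns NULL. Suggest a message that names the function and the consequence, e.g. error("report_map_read_cb: attrib channel is NULL, skipping uHID creation"), and a sentence in the commit log on the circumstances (the condition that leaves hog->attrib without a channel by the time the read completes) so that readers know whether this return is a benign race on disconnect or a case where the HOG device is left without a uHID node. Returning here is otherwise clean: destroy_gatt_req(req) has already run at the top of the function and ev is a stack struct, so nothing is leaked.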
--
2.28.0.709.gb0816b6eb0-goog


2020-09-28 18:53:17

by bluez.test.bot

Subject: RE: [Bluez] hog: null-check attrib channel at report_map_read_cb

This is an automated email, please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=356703

---Test result---

##############################
Test: CheckPatch - FAIL
Output:
hog: null-check attrib channel at report_map_read_cb
WARNING:COMMIT_LOG_LONG_LINE: Possible unwrapped commit description (prefer a maximum 75 chars per line)
#12:
frame #0: 0x00007ac089e199f7 libglib-2.0.so.0`g_io_channel_unix_get_fd at giounix.c:655

- total: 0 errors, 1 warnings, 21 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.

Your patch has style problems, please review.

NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPLIT_STRING SSCANF_TO_KSTRTO

NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.


##############################
Test: CheckGitLint - FAIL
Output:
hog: null-check attrib channel at report_map_read_cb
9: B1 Line exceeds max length (87>80): "frame #0: 0x00007ac089e199f7 libglib-2.0.so.0`g_io_channel_unix_get_fd at giounix.c:655"
17: B1 Line exceeds max length (85>80): "frame #8: 0x00007ac089dda73b libglib-2.0.so.0`g_main_context_dispatch at gmain.c:3182"
18: B1 Line exceeds max length (84>80): "frame #9: 0x00007ac089ddaa5a libglib-2.0.so.0`g_main_context_iterate at gmain.c:3920"
21: B1 Line exceeds max length (90>80): "frame #12: 0x00005cdb607ca9fe bluetoothd`mainloop_run_with_signal at mainloop-notify.c:201"


##############################
Test: CheckBuild - PASS

##############################
Test: MakeCheck - PASS



---
Regards,
Linux Bluetooth