2023-03-13 22:52:45

by Luiz Augusto von Dentz

Subject: [PATCH BlueZ 1/4] shared/bap: Fix not unregistering idle callback on detach

From: Luiz Augusto von Dentz <[email protected]>

This makes sure the idle callback is unregistered before bt_gatt_client is
unref'd.
---
src/shared/bap.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/src/shared/bap.c b/src/shared/bap.c
index 952b7be260ab..7a53fbc3e91c 100644
--- a/src/shared/bap.c
+++ b/src/shared/bap.c
@@ -3818,6 +3818,8 @@ void bt_bap_detach(struct bt_bap *bap)
bap->req = NULL;
}

+ bt_gatt_client_idle_unregister(bap->client, bap->idle_id);
+
/* Cancel queued requests */
queue_remove_all(bap->reqs, NULL, NULL, bap_req_detach);

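Review bot: bap->idle_id is left holding a stale id after the new bt_gatt_client_idle_unregister(bap->client, bap->idle_id) call; suggest `bap->idle_id = 0;` immediately after it so a later unregister or a re-attach cannot act on an id the GATT client may have reused. The call is also unconditional: if bt_bap_detach() can be reached with bap->client already NULL or idle_id == 0 (the hunk does not show whether that is possible), a guard such as `if (bap->client && bap->idle_id)` keeps it harmless.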
--
2.39.2



2023-03-13 22:52:45

by Luiz Augusto von Dentz

Subject: [PATCH BlueZ 2/4] shared/csip: Fix not unregistering idle callback on detach

From: Luiz Augusto von Dentz <[email protected]>

This makes sure the idle callback is unregistered before bt_gatt_client is
unref'd.
---
src/shared/csip.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/src/shared/csip.c b/src/shared/csip.c
index ff2047a4ade0..094f448a3532 100644
--- a/src/shared/csip.c
+++ b/src/shared/csip.c
@@ -122,6 +122,8 @@ void bt_csip_detach(struct bt_csip *csip)
if (!queue_remove(sessions, csip))
return;

+ bt_gatt_client_idle_unregister(csip->client, csip->idle_id);
+
bt_gatt_client_unref(csip->client);
csip->client = NULL;

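Review bot: same point as for bap.c: csip->idle_id still holds the old id after bt_gatt_client_idle_unregister(csip->client, csip->idle_id). Since the following lines already clear csip->client, clear the id alongside it (`csip->idle_id = 0;`) so the two fields stay consistent and a second detach or a later unregister cannot pass a stale id.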
--
2.39.2


2023-03-13 22:52:46

by Luiz Augusto von Dentz

Subject: [PATCH BlueZ 4/4] shared/csip: Fix crash on bt_csip_get_sirk

From: Luiz Augusto von Dentz <[email protected]>

This fixes the following trace:

Invalid read of size 1
at 0x1F4282: bt_csip_get_sirk (csip.c:812)
by 0x176B21: csip_ready (csip.c:259)
by 0x1F3C74: csip_notify_ready (csip.c:578)
by 0x1F3C74: csip_idle (csip.c:659)
by 0x1DCDCC: idle_notify (gatt-client.c:171)
by 0x1D579A: queue_remove_if (queue.c:279)
by 0x1D584F: queue_remove_all (queue.c:321)
by 0x1E036F: notify_client_idle (gatt-client.c:180)
by 0x1E036F: request_unref (gatt-client.c:199)
by 0x1DC60D: destroy_att_send_op (att.c:211)
by 0x1DC60D: handle_rsp (att.c:874)
by 0x1DC60D: can_read_data (att.c:1064)
by 0x1F43F4: watch_callback (io-glib.c:157)
by 0x48BBC7E: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.7400.6)
by 0x4912117: ??? (in /usr/lib64/libglib-2.0.so.0.7400.6)
by 0x48BB24E: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.7400.6)
Address 0x0 is not stack'd, malloc'd or (recently) free'd
---
src/shared/csip.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/src/shared/csip.c b/src/shared/csip.c
index 094f448a3532..7e90a3c97614 100644
--- a/src/shared/csip.c
+++ b/src/shared/csip.c
@@ -810,6 +810,9 @@ bool bt_csip_get_sirk(struct bt_csip *csip, uint8_t *type,
if (!csis)
return false;

+ if (!csis->sirk_val)
+ return false;
+
if (type)
*type = csis->sirk_val->type;

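Review bot: the new `if (!csis->sirk_val) return false;` stops the NULL read shown in the trace, but it makes "SIRK not read yet" indistinguishable from "no CSIS instance" for the caller, and the trace shows that caller (csip_ready, reached from csip_idle) asking for the SIRK as soon as the GATT client goes idle. Worth checking whether csip_idle should hold back the ready notification until the SIRK read has completed; otherwise csip_ready sees false once and is never notified again when the value arrives.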
--
2.39.2


2023-03-13 22:52:48

by Luiz Augusto von Dentz

Subject: [PATCH BlueZ 3/4] shared/gatt-client: Introduce bt_gatt_client_ref_safe

From: Luiz Augusto von Dentz <[email protected]>

This introduces bt_gatt_client_ref_safe, which ensures that instances
which are being destroyed, e.g. ref_count = 0, do not attempt to reach
callbacks.
---
src/shared/gatt-client.c | 21 ++++++++++++++++++---
1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/src/shared/gatt-client.c b/src/shared/gatt-client.c
index f885076913dc..3a29f807fc85 100644
--- a/src/shared/gatt-client.c
+++ b/src/shared/gatt-client.c
@@ -173,9 +173,20 @@ static bool idle_notify(const void *data, const void *user_data)
return true;
}

+static struct bt_gatt_client *
+bt_gatt_client_ref_safe(struct bt_gatt_client *client)
+{
+ if (!client && !client->ref_count)
+ return NULL;
+
+ return bt_gatt_client_ref(client);
+}
+
static void notify_client_idle(struct bt_gatt_client *client)
{
- bt_gatt_client_ref(client);
+ client = bt_gatt_client_ref_safe(client);
+ if (!client)
+ return;

queue_remove_all(client->idle_cbs, idle_notify, NULL, idle_destroy);

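Review bot: the condition in bt_gatt_client_ref_safe() is inverted: `if (!client && !client->ref_count)` reads client->ref_count exactly when client is NULL, and for a non-NULL client with ref_count == 0 (the case the commit message describes) `!client` is false, so the instance is ref'd and its callbacks are reached anyway. It should read `if (!client || !client->ref_count) return NULL;`. The CI ScanBuild output flags the same line ("Access to field 'ref_count' results in a dereference of a null pointer"), and the patchwork summary shows this patch was not applied with the rest of the series.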
@@ -1360,10 +1371,13 @@ static void notify_client_ready(struct bt_gatt_client *client, bool success,
{
const struct queue_entry *entry;

- if (client->ready)
+ client = bt_gatt_client_ref_safe(client);
+ if (!client)
return;

- bt_gatt_client_ref(client);
+ if (client->ready)
+ goto done;
+
client->ready = success;

if (client->parent)
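Review bot: moving the reference before the `client->ready` check means an already-ready client now goes through a ref/unref pair where the old code returned without touching the refcount; harmless, but if the aim is only to keep callbacks away from an instance with ref_count == 0, keeping `if (client->ready) return;` first and calling bt_gatt_client_ref_safe() after it preserves the old fast path. This hunk also depends on the `done:` label added in the following hunk, so the two must land together.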
@@ -1386,6 +1400,7 @@ static void notify_client_ready(struct bt_gatt_client *client, bool success,
notify_client_ready(clone, success, att_ecode);
}

+done:
bt_gatt_client_unref(client);
}

--
2.39.2

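The three fixes above share one lifecycle problem: a profile (bap.c, csip.c) holds a reference to a bt_gatt_client and has an idle callback registered with it, and the callback can fire after the profile has let go of the client unless it is unregistered first (patches 1/4 and 2/4), while the client itself must refuse to call back into an instance whose ref_count has already hit zero (patch 3/4). The following is an added example, not BlueZ code: a tiny refcounted client with one idle callback slot and a profile that attaches to it, modelled on the shapes visible in the patches. Every name in it (client_ref_safe, client_notify_idle, detach_then_drain and so on) is this example's own and stands in for the BlueZ functions rather than reproducing them.

```c
/* Added example, not BlueZ code: a tiny refcounted client with one idle
 * callback slot (after src/shared/gatt-client.c) and a profile that attaches
 * to it the way bap.c/csip.c do. It shows why the profile must unregister its
 * idle callback before dropping its reference, and what a correct
 * *_ref_safe() guard looks like. Names are this example's own, not BlueZ's. */
#include <stdbool.h>
#include <stdlib.h>

typedef void (*idle_cb_t)(void *user_data);

struct client {
	int ref_count;
	unsigned int idle_id;	/* 0 = no idle callback registered */
	idle_cb_t idle_func;
	void *idle_data;
};

/* Guard for paths that may run while the instance is being torn down. Note the
 * ||: the posted `!client && !client->ref_count` dereferences a NULL client
 * and still takes a reference on a zero-refcount instance. */
struct client *client_ref_safe(struct client *c)
{
	if (!c || c->ref_count <= 0)
		return NULL;
	c->ref_count++;
	return c;
}

void client_unref(struct client *c)
{
	if (c && --c->ref_count == 0)
		free(c);
}

bool client_idle_unregister(struct client *c, unsigned int id)
{
	if (!c || !id || c->idle_id != id)
		return false;
	c->idle_id = 0;
	c->idle_func = NULL;
	return true;
}

/* Fire the idle callback once, as the GATT client does when its request queue
 * drains: 1 = a callback ran, 0 = none registered, -1 = NULL/dying instance. */
int client_notify_idle(struct client *c)
{
	idle_cb_t func;

	c = client_ref_safe(c);
	if (!c)
		return -1;
	func = c->idle_func;
	client_idle_unregister(c, c->idle_id);	/* one-shot, like idle_destroy */
	if (func)
		func(c->idle_data);
	client_unref(c);
	return func ? 1 : 0;
}

/* Profile side, like bt_bap/bt_csip. idle_after_detach counts callbacks that
 * arrive after detach, where the real callbacks would use the NULL client. */
struct profile {
	struct client *client;
	unsigned int idle_id;
	int idle_after_detach;
};

static void profile_idle(void *user_data)
{
	struct profile *p = user_data;
	if (!p->client)
		p->idle_after_detach++;
}

/* Another holder keeps the client alive, the profile detaches, then a pending
 * request completes and the client goes idle. Returns how many idle callbacks
 * reached the detached profile; 0 is the correct answer. */
int detach_then_drain(bool unregister_first)
{
	struct client *c = calloc(1, sizeof(*c));
	struct profile p = { 0 };

	c->ref_count = 1;			/* the other holder's reference */
	p.client = client_ref_safe(c);
	c->idle_func = profile_idle;		/* bt_gatt_client_idle_register() */
	c->idle_data = &p;
	p.idle_id = c->idle_id = 1;

	/* bt_bap_detach()/bt_csip_detach(); the unregister is what 1/4 and 2/4 add */
	if (unregister_first)
		client_idle_unregister(p.client, p.idle_id);
	client_unref(p.client);
	p.client = NULL;

	client_notify_idle(c);
	client_unref(c);
	return p.idle_after_detach;
}
```

detach_then_drain(false) reproduces the bug the first two patches fix: the profile has dropped its reference and cleared its client pointer, yet the idle callback still reaches it once the other holder's request completes. detach_then_drain(true) shows the ordering the patches enforce. client_ref_safe() with `||` rejects both a NULL pointer and an instance at ref_count 0, so client_notify_idle() on a dying instance returns -1 without touching any callback, which is what the commit message of 3/4 describes.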

2023-03-14 00:49:05

by bluez.test.bot

Subject: RE: [BlueZ,1/4] shared/bap: Fix not unregistering idle callback on detach

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=729652

---Test result---

Test Summary:
CheckPatch FAIL 2.24 seconds
GitLint PASS 1.38 seconds
BuildEll PASS 27.19 seconds
BluezMake PASS 847.95 seconds
MakeCheck PASS 11.14 seconds
MakeDistcheck PASS 149.61 seconds
CheckValgrind PASS 244.58 seconds
CheckSmatch PASS 328.42 seconds
bluezmakeextell PASS 99.01 seconds
IncrementalBuild PASS 2848.45 seconds
ScanBuild WARNING 1027.16 seconds

Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
[BlueZ,4/4] shared/csip: Fix crash on bt_csip_get_sirk
WARNING:COMMIT_LOG_LONG_LINE: Possible unwrapped commit description (prefer a maximum 75 chars per line)
#100:
by 0x48BBC7E: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.7400.6)

/github/workspace/src/src/13173430.patch total: 0 errors, 1 warnings, 9 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.

/github/workspace/src/src/13173430.patch has style problems, please review.

NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPDX_LICENSE_TAG SPLIT_STRING SSCANF_TO_KSTRTO

NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.


##############################
Test: ScanBuild - WARNING
Desc: Run Scan Build
Output:
src/shared/gatt-client.c:179:18: warning: Access to field 'ref_count' results in a dereference of a null pointer (loaded from variable 'client')
if (!client && !client->ref_count)
^~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:451:21: warning: Use of memory after it is freed
gatt_db_unregister(op->client->db, op->db_id);
^~~~~~~~~~
src/shared/gatt-client.c:696:2: warning: Use of memory after it is freed
discovery_op_complete(op, false, att_ecode);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:993:2: warning: Use of memory after it is freed
discovery_op_complete(op, success, att_ecode);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1099:2: warning: Use of memory after it is freed
discovery_op_complete(op, success, att_ecode);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1291:2: warning: Use of memory after it is freed
discovery_op_complete(op, success, att_ecode);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1356:2: warning: Use of memory after it is freed
discovery_op_complete(op, success, att_ecode);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1631:6: warning: Use of memory after it is freed
if (read_db_hash(op)) {
^~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1636:2: warning: Use of memory after it is freed
discover_all(op);
^~~~~~~~~~~~~~~~
src/shared/gatt-client.c:2142:6: warning: Use of memory after it is freed
if (read_db_hash(op)) {
^~~~~~~~~~~~~~~~
src/shared/gatt-client.c:2150:8: warning: Use of memory after it is freed
discovery_op_ref(op),
^~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:3238:2: warning: Use of memory after it is freed
complete_write_long_op(req, success, 0, false);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:3260:2: warning: Use of memory after it is freed
request_unref(req);
^~~~~~~~~~~~~~~~~~
13 warnings generated.



---
Regards,
Linux Bluetooth

2023-03-14 19:40:23

by patchwork-bot+bluetooth

Subject: Re: [PATCH BlueZ 1/4] shared/bap: Fix not unregistering idle callback on detach

Hello:

This series was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <[email protected]>:

On Mon, 13 Mar 2023 15:51:47 -0700 you wrote:
> From: Luiz Augusto von Dentz <[email protected]>
>
> This makes sure the idle callback is unregistered before bt_gatt_client is
> unref'd.
> ---
> src/shared/bap.c | 2 ++
> 1 file changed, 2 insertions(+)

Here is the summary with links:
- [BlueZ,1/4] shared/bap: Fix not unregistering idle callback on detach
https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=932b90f6c33e
- [BlueZ,2/4] shared/csip: Fix not unregistering idle callback on detach
https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=605ee768b789
- [BlueZ,3/4] shared/gatt-client: Introduce bt_gatt_client_ref_safe
(no matching commit)
- [BlueZ,4/4] shared/csip: Fix crash on bt_csip_get_sirk
https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=e040109302d8

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html