From: Simon Mikuda
Subject: [PATCH BlueZ 1/2] core/advertising: Fix crash when unregistering advertisement too fast
To: linux-bluetooth@vger.kernel.org
References: <157250771818414>
In-Reply-To: <157250771818414>
Organization: StreamUnlimited
Message-ID:
Date: Tue, 12 Nov 2019 14:10:24 +0100
X-Mailing-List: linux-bluetooth@vger.kernel.org

When an advertisement is unregistered during MGMT_OP_ADD_ADVERTISING it will crash in add_adv_callback because struct btd_adv_client no longer exists. This is also seen in the debug log from bluetoothd:

bluetoothd[29698]: src/advertising.c:register_advertisement() RegisterAdvertisement
bluetoothd[29698]: src/advertising.c:client_create() Adding proxy for /org/bluez/example/advertisement0
bluetoothd[29698]: src/advertising.c:register_advertisement() Registered advertisement at path /org/bluez/example/advertisement0
bluetoothd[29698]: src/advertising.c:parse_service_uuids() Adding ServiceUUID: 180D
bluetoothd[29698]: src/advertising.c:parse_service_uuids() Adding ServiceUUID: 180F
bluetoothd[29698]: src/advertising.c:parse_manufacturer_data() Adding ManufacturerData for ffff
bluetoothd[29698]: src/advertising.c:parse_service_data() Adding ServiceData for 9999
bluetoothd[29698]: src/advertising.c:parse_data() Adding Data for type 0x26 len 3
bluetoothd[29698]: src/advertising.c:refresh_adv() Refreshing advertisement: /org/bluez/example/advertisement0
bluetoothd[29698]: src/advertising.c:unregister_advertisement() UnregisterAdvertisement
bluetoothd[29698]: src/advertising.c:add_adv_callback() Advertisement registered: �
Segmentation fault (core dumped)
Signed-off-by: Simon Mikuda --- src/advertising.c | 34 ++++++++++++++++++++++++++-------- 1 file changed, 26 insertions(+), 8 deletions(-) diff --git a/src/advertising.c b/src/advertising.c index 3ed1376..f53c14c 100644 --- a/src/advertising.c +++ b/src/advertising.c @@ -73,6 +73,7 @@ struct btd_adv_client { uint16_t discoverable_to; unsigned int to_id; unsigned int disc_to_id; + unsigned int add_adv_id; GDBusClient *client; GDBusProxy *proxy; DBusMessage *reg; @@ -117,6 +118,15 @@ static void client_free(void *data) g_dbus_client_unref(client->client); } + if (client->reg) { + g_dbus_send_message(btd_get_dbus_connection(), + dbus_message_new_method_return(client->reg)); + dbus_message_unref(client->reg); + } + + if (client->add_adv_id) + mgmt_cancel(client->manager->mgmt, client->add_adv_id); + if (client->instance) util_clear_uid(&client->manager->instance_bitmap, client->instance); @@ -765,7 +775,8 @@ static uint8_t *generate_scan_rsp(struct btd_adv_client *client, return bt_ad_generate(client->scan, len); } -static int refresh_adv(struct btd_adv_client *client, mgmt_request_func_t func) +static int refresh_adv(struct btd_adv_client *client, mgmt_request_func_t func, + unsigned int *mgmt_id) { struct mgmt_cp_add_advertising *cp; uint8_t param_len; @@ -774,6 +785,7 @@ static int refresh_adv(struct btd_adv_client *client, mgmt_request_func_t func) uint8_t *scan_rsp; size_t scan_rsp_len = -1; uint32_t flags = 0; + unsigned int mgmt_ret; DBG("Refreshing advertisement: %s", client->path); 
@@ -822,13 +834,17 @@ static int refresh_adv(struct btd_adv_client *client, mgmt_request_func_t func) free(adv_data); free(scan_rsp); - if (!mgmt_send(client->manager->mgmt, MGMT_OP_ADD_ADVERTISING, - client->manager->mgmt_index, param_len, cp, - func, client, NULL)) { + mgmt_ret = mgmt_send(client->manager->mgmt, MGMT_OP_ADD_ADVERTISING, + client->manager->mgmt_index, param_len, cp, + func, client, NULL); + + if (!mgmt_ret) { error("Failed to add Advertising Data"); free(cp); return -EINVAL; } + if (mgmt_id) + *mgmt_id = mgmt_ret; free(cp); @@ -845,7 +861,7 @@ static gboolean client_discoverable_timeout(void *user_data) bt_ad_clear_flags(client->data); - refresh_adv(client, NULL); + refresh_adv(client, NULL, NULL); return FALSE; } @@ -948,7 +964,7 @@ static void properties_changed(GDBusProxy *proxy, const char *name, continue; if (parser->func(iter, client)) { - refresh_adv(client, NULL); + refresh_adv(client, NULL, NULL); break; } } @@ -980,6 +996,8 @@ static void add_adv_callback(uint8_t status, uint16_t length, struct btd_adv_client *client = user_data; const struct mgmt_rp_add_advertising *rp = param; + client->add_adv_id = 0; + if (status) goto done; @@ -1059,7 +1077,7 @@ static DBusMessage *parse_advertisement(struct btd_adv_client *client) goto fail; } - err = refresh_adv(client, add_adv_callback); + err = refresh_adv(client, add_adv_callback, &client->add_adv_id); if (!err) return NULL; @@ -1449,7 +1467,7 @@ void btd_adv_manager_destroy(struct btd_adv_manager *manager) static void manager_refresh(void *data, void *user_data) { - refresh_adv(data, user_data); + refresh_adv(data, user_data, NULL); } void btd_adv_manager_refresh(struct btd_adv_manager *manager) -- 2.7.4
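Review bot: in the client_free hunk, answering a still-pending client->reg with a plain dbus_message_new_method_return reports success for a RegisterAdvertisement that never completed; when client_free is reached through UnregisterAdvertisement or a failure path, an error reply is the more accurate answer. Also make sure every existing path that already replies to client->reg (the add_adv_callback done path, the register_advertisement error paths) sets client->reg = NULL afterwards, otherwise this new block sends a second reply to the same message. Finally, mgmt_cancel only drops the userspace callback; the kernel may still complete the ADD_ADVERTISING, so the instance released with util_clear_uid below still has to be covered by the existing remove path.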
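Review bot: in the refresh_adv hunk, *mgmt_id is only written on success; on the mgmt_send failure branch ("Failed to add Advertising Data") it keeps whatever it held before. With the current callers that is harmless, since add_adv_id is cleared in add_adv_callback and only ever set from parse_advertisement, but writing *mgmt_id = 0 before the early return keeps the out-parameter meaningful for any future caller that passes a non-NULL pointer and later hands the value to mgmt_cancel.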
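Review bot: in the manager_refresh hunk, refresh_adv(data, user_data, NULL) still sends MGMT_OP_ADD_ADVERTISING with the client as callback user_data and the caller-supplied func, but the returned request id is discarded, so a client freed while that request is in flight is not covered by the new mgmt_cancel in client_free. Either record this id as well (a second field, or a list of pending ids per client) or note in the commit message why this path cannot race with unregistration. The NULL-callback callers (client_discoverable_timeout, properties_changed) are fine as changed: with no callback there is nothing to run on the freed client.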
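The race the commit message describes, reduced to a stand-alone C model. This is an added example, not BlueZ code: the mgmt layer here (struct request, mgmt_send, mgmt_cancel, mgmt_deliver) is a constructed stand-in for src/shared/mgmt.c, struct adv_client is a two-field stand-in for struct btd_adv_client, and client_free_safe and the scenario_* functions are assumed names. It queues an ADD_ADVERTISING-style command with the client as user_data, frees the client before the reply arrives, and contrasts the pre-patch teardown (the request stays queued with a dangling pointer) with the patched one (cancel first, so nothing can fire).

```c
#include <stdint.h>
#include <stdlib.h>

/* Stand-in for the mgmt request layer (constructed for this example, not
 * src/shared/mgmt.c): a pending command keeps the callback and user_data
 * pointer handed to mgmt_send() until the reply arrives or it is cancelled. */
typedef void (*request_func_t)(uint8_t status, void *user_data);

struct request {
    unsigned int id;
    request_func_t func;
    void *user_data;
    struct request *next;
};

struct mgmt {
    unsigned int next_id;
    struct request *pending;
};

/* Queue a command and return its non-zero request id. */
static unsigned int mgmt_send(struct mgmt *m, request_func_t func, void *user_data)
{
    struct request *req = malloc(sizeof(*req));
    *req = (struct request){ ++m->next_id, func, user_data, m->pending };
    m->pending = req;
    return req->id;
}

/* Drop a pending request without ever running its callback. */
static int mgmt_cancel(struct mgmt *m, unsigned int id)
{
    struct request **p = &m->pending, *req;
    while (*p && (*p)->id != id)
        p = &(*p)->next;
    if (!(req = *p))
        return 0;
    *p = req->next;
    free(req);
    return 1;
}

/* Deliver the kernel's reply to the next pending command; 0 if none. */
static int mgmt_deliver(struct mgmt *m, uint8_t status)
{
    struct request *req = m->pending;
    if (!req)
        return 0;
    m->pending = req->next;
    req->func(status, req->user_data);
    free(req);
    return 1;
}

/* The object whose lifetime can end before its command completes. */
struct adv_client {
    unsigned int add_adv_id;    /* in-flight ADD_ADVERTISING id, 0 if none */
    int registered;
};
static int callbacks_run;

static void add_adv_callback(uint8_t status, void *user_data)
{
    struct adv_client *client = user_data;  /* dangling if client was freed */
    client->add_adv_id = 0;
    client->registered = !status;
    callbacks_run++;
}

/* Patched teardown: cancel the in-flight request before freeing the object. */
static void client_free_safe(struct mgmt *m, struct adv_client *client)
{
    if (client->add_adv_id)
        mgmt_cancel(m, client->add_adv_id);
    free(client);
}

/* Pre-patch teardown: free the client and leave its request queued. Returns
 * how many requests still point at freed memory; delivering one would be the
 * segfault from the log, so they are drained here without running. */
int scenario_free_without_cancel(void)
{
    struct mgmt m = { 0 };
    struct adv_client *client = calloc(1, sizeof(*client));
    int stale = 0;
    client->add_adv_id = mgmt_send(&m, add_adv_callback, client);
    free(client);                       /* unregistered before the reply */
    for (; m.pending; stale++)
        mgmt_cancel(&m, m.pending->id);
    return stale;
}

/* Same race with the fix: 1 if nothing is left to deliver and no callback ran. */
int scenario_free_with_cancel(void)
{
    struct mgmt m = { 0 };
    struct adv_client *client = calloc(1, sizeof(*client));
    callbacks_run = 0;
    client->add_adv_id = mgmt_send(&m, add_adv_callback, client);
    client_free_safe(&m, client);
    return mgmt_deliver(&m, 0) == 0 && callbacks_run == 0;
}
```

The unsafe scenario stops at counting the stale request rather than delivering it, because delivering it would dereference the freed client, which is exactly the crash in the log. The model also shows the limit of the fix: only a request whose id was saved in add_adv_id gets cancelled, so any path that sends a command with a callback but discards the id stays exposed.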