From: Sonny Sasaka
To: linux-bluetooth@vger.kernel.org
Cc: Joseph Hwang
Subject: [PATCH BlueZ 1/2] gatt: StartNotify is not allowed when device is disconnecting
Date: Thu, 20 Aug 2020 23:16:42 -0700
Message-Id: <20200821061643.16278-1-sonnysasaka@chromium.org>
X-Mailer: git-send-email 2.26.2
X-Mailing-List: linux-bluetooth@vger.kernel.org
From: Joseph Hwang

This patch fixes a bluetoothd crash in register_notify_cb(). The crash is incurred by an exception that, under some situations, a characteristic may be freed when register_notify_cb() is invoked.

When a device is disconnecting, the device interface would hold valid for a while until the disconnection procedure between the client and the server is completed. If another process happens to request to start notification of a characteristic on the disconnecting device, it may incur a problem. In this case, the client would still send the StartNotify request since the characteristic object is still valid. However, the characteristic may be freed soon and become invalid when the corresponding callback function is invoked later. This leads to a bluetoothd crash due to a segmentation fault.

To handle the exception, if another process requests to start notification when the device is disconnecting, it should reject the request.

Tested on Chrome OS that this patch fixes the bluetoothd crash in register_notify_cb().
---
 src/gatt-client.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/gatt-client.c b/src/gatt-client.c
index 20c3fbec2..c706307c7 100644
--- a/src/gatt-client.c
+++ b/src/gatt-client.c
@@ -1545,6 +1545,12 @@ static DBusMessage *characteristic_start_notify(DBusConnection *conn,
 	const char *sender = dbus_message_get_sender(msg);
 	struct async_dbus_op *op;
 	struct notify_client *client;
+	struct btd_device *device = chrc->service->client->device;
+
+	if (device_is_disconnecting(device)) {
+		error("Device is disconnecting. StartNotify is not allowed.");
+		return btd_error_not_connected(msg);
+	}
 
 	if (chrc->notify_io)
 		return btd_error_not_permitted(msg, "Notify acquired");
-- 
2.26.2
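Review bot: the device_is_disconnecting() guard at the top of characteristic_start_notify() narrows the window but does not close the use-after-free the commit message describes: a disconnect that begins after the check returns false but before register_notify_cb() runs still leaves the callback holding a characteristic that may already have been freed. The durable fix is on the other side of the race, where the chrc is freed: cancel or invalidate the pending async_dbus_op there (or have register_notify_cb() re-validate its chrc before touching it), and the commit message should say whether patch 2/2 in this series does that, since 1/2 alone only makes the crash less likely rather than impossible. Minor: error() for a condition any D-Bus client can trigger on every disconnect will be noisy in logs; DBG() or warn() fits better, and the early return of btd_error_not_connected(msg) is a good choice of D-Bus error for the caller.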