From: Luiz Augusto von Dentz
Date: Thu, 17 Sep 2020 10:06:21 -0700
Subject: Re: [PATCH BlueZ 1/2] gatt: StartNotify is not allowed when device is disconnecting
To: Sonny Sasaka
Cc: BlueZ, Joseph Hwang
References: <20200821061643.16278-1-sonnysasaka@chromium.org>
X-Mailing-List: linux-bluetooth@vger.kernel.org

Hi Sonny,

On Wed, Sep 16, 2020 at 3:40 PM Sonny Sasaka wrote:
>
> Dear BlueZ maintainers,
>
> Friendly ping to review this patch. Thanks!
>
>
> On Thu, Aug 20, 2020 at 11:17 PM Sonny Sasaka wrote:
> >
> > From: Joseph Hwang
> >
> > This patch fixed a bluetoothd crash in register_notify_cb(). The
> > crash is incurred by an exception that under some situation, a
> > characteristic may be freed when register_notify_cb() is invoked.
> >
> > When a device is disconnecting, the device interface would hold valid
> > for a while until the disconnection procedure between the client and
> > the server is completed. If another process happens to request to start
> > notification of a characteristic on the disconnecting device, it may
> > incur a problem. In this case, the client would still send the
> > StartNotify request since the characteristic object is still valid.
> > However, the characteristic may be freed soon and become invalid
> > when the corresponding callback function is invoked later. This
> > leads to the bluetoothd crash due to the segmentation fault.
> >
> > To handle the exception, if another process requests to start
> > notification when the device is disconnecting, it should reject the
> > request.
> >
> > Tested on Chrome OS that this patch fixes bluetoothd crash in
> > register_notify_cb().
> >
> > ---
> >  src/gatt-client.c | 6 ++++++
> >  1 file changed, 6 insertions(+)
> >
> > diff --git a/src/gatt-client.c b/src/gatt-client.c
> > index 20c3fbec2..c706307c7 100644
> > --- a/src/gatt-client.c
> > +++ b/src/gatt-client.c
> > @@ -1545,6 +1545,12 @@ static DBusMessage *characteristic_start_notify(DBusConnection *conn,
> >  	const char *sender = dbus_message_get_sender(msg);
> >  	struct async_dbus_op *op;
> >  	struct notify_client *client;
> > +	struct btd_device *device = chrc->service->client->device;
> > +
> > +	if (device_is_disconnecting(device)) {
> > +		error("Device is disconnecting. StartNotify is not allowed.");
> > +		return btd_error_not_connected(msg);
> > +	}
> >
> >  	if (chrc->notify_io)
> >  		return btd_error_not_permitted(msg, "Notify acquired");
> > --
> > 2.26.2

Applied, thanks.

--
Luiz Augusto von Dentz
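Review bot: The device_is_disconnecting() check added at the top of characteristic_start_notify() only rejects StartNotify requests that arrive after the disconnect has already begun; a request accepted just before that point still reaches register_notify_cb() with a characteristic that, as the commit message itself says, "may be freed soon and become invalid when the corresponding callback function is invoked later", so the window is narrowed rather than closed. Consider, in addition, cancelling or invalidating the pending async_dbus_op when the characteristic is freed so the callback can never dereference it. Minor: the chain chrc->service->client->device is dereferenced without any check, and the error() message would be easier to correlate in logs if it named the device.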
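The lifetime problem the commit message describes, reduced to a small model in C as an added example (not BlueZ code): the patch's guard rejects late StartNotify requests, and a complementary step detaches pending ops when the characteristic is freed so a callback that fires afterwards cannot touch freed memory. device_t, chrc_t, async_op_t, start_notify(), chrc_free(), run_callbacks() and demo_disconnect_race() are hypothetical stand-ins for the BlueZ types and functions.

```c
/* Added illustration, not BlueZ code; every name below is a hypothetical stand-in. */
#include <stdbool.h>
#include <stdlib.h>
enum { OK = 0, ERR_NOT_CONNECTED = -1 };
typedef struct { bool disconnecting; } device_t;
typedef struct { device_t *device; bool subscribed; } chrc_t;
typedef struct async_op { chrc_t *chrc; struct async_op *next; } async_op_t;
static async_op_t *op_queue;   /* ops whose callback will run "later" */
/* The patch's guard: reject StartNotify while the device is disconnecting. */
int start_notify(chrc_t *chrc) {
    if (chrc->device->disconnecting)
        return ERR_NOT_CONNECTED;
    async_op_t *op = calloc(1, sizeof(*op));
    op->chrc = chrc;
    op->next = op_queue;
    op_queue = op;
    return OK;
}
/* Complementary defence: freeing a characteristic detaches its pending ops,
 * so a callback that fires afterwards cannot touch freed memory. */
void chrc_free(chrc_t *chrc) {
    for (async_op_t *op = op_queue; op; op = op->next)
        if (op->chrc == chrc)
            op->chrc = NULL;
    free(chrc);
}
/* Stand-in for register_notify_cb(): returns how many ops were skipped because
 * their characteristic was already freed (each would be a use-after-free). */
int run_callbacks(void) {
    int skipped = 0;
    while (op_queue) {
        async_op_t *op = op_queue;
        op_queue = op->next;
        if (op->chrc) op->chrc->subscribed = true; else skipped++;
        free(op);
    }
    return skipped;
}
/* Commit-message scenario: first request accepted, device starts disconnecting,
 * second request rejected, characteristic freed, then the first callback runs. */
int demo_disconnect_race(void) {
    device_t dev = { false };
    chrc_t *chrc = calloc(1, sizeof(*chrc));
    chrc->device = &dev;
    int first = start_notify(chrc);
    dev.disconnecting = true;
    int second = start_notify(chrc);
    chrc_free(chrc);
    return first == OK && second == ERR_NOT_CONNECTED && run_callbacks() == 1;
}
```

Without the detach in chrc_free(), the skipped op's callback would dereference the freed characteristic, which is the crash the patch reports; the guard alone cannot stop an op that was accepted before the disconnect began.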