Received: by 2002:a05:6a10:16a7:0:0:0:0 with SMTP id gp39csp31257pxb; Mon, 2 Nov 2020 13:08:31 -0800 (PST) X-Google-Smtp-Source: ABdhPJyZLXApGV6DedlkvaXUJsgVR+VQ7gQPPXYMCwqrn41DYQspcpcUQasVro76nAg/MlPgNJ+F X-Received: by 2002:a17:907:20d6:: with SMTP id qq22mr16560297ejb.187.1604351310978; Mon, 02 Nov 2020 13:08:30 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1604351310; cv=none; d=google.com; s=arc-20160816; b=U/UM9+whi0yQYjizrkrfwnEfV7g9w6ZbgZzl8osElfvapApRjOXF+XkCcgkmeHOr3V Cl+nchjGffzBn4j5KzvkllYztmThl8RBaVkgr/TKRksJ2us1OH+nvSz/Ed1ev0PL6Crd HMDqq5r+H6DmSvnwyzpCQVYt8Tk/Bm4utReneF3bdZ2MGpebwPzJQOiyimE8tBzfR92a LTG/tpqFhfsZplErMzcDlvsMIxA9pwf6IGbavZgBV41WYZIuC7bRWLGFz8h/aJNfXRSm ZbA7DoXvVY5tH6cOBKPDlpORcBQu4PmUf5W3Rqd5/c5nt5wSHpoy2wusUef8/xbElZmB knBw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=BBLu0vM655XowNrIyRKKleuRbrL4Z0mxVWraxuQk1yA=; b=E+/pG3QaFOy57NHLEt6Y16kHwcTwCGxOpnfpkyzoYL4J56K3O8W0o1BivZ5JkHIg51 OI/gluyj0PF7Ro24ume+d5ejbkVFX6+unMZ0W9wbEFkuZEdRcx6ulCSx3rLq/MHN1H8H IPYh+67h8Ohz6PGOfR9TzoCqAOZyfsa7zV3AhgFtx8CoaoarrBs7VXH19abzT+WI1iXe c20IQW2Azi23E4/QsWoBoaSjrKnhGAmFlRPzkExywcLm3F6oPzpcxjWUl//UpHO454KD iD4Zk7scj+3PMbDYvP44nKUVQWt6g++2LjjxQKvF0binIjzzlvATTXZIenGU5ZcRRvgx rjrw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=Ey8R9GBe; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id d14si6565732edj.545.2020.11.02.13.07.32; Mon, 02 Nov 2020 13:08:30 -0800 (PST) Received-SPF: pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=Ey8R9GBe; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725833AbgKBVH0 (ORCPT + 99 others); Mon, 2 Nov 2020 16:07:26 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55006 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725806AbgKBVH0 (ORCPT ); Mon, 2 Nov 2020 16:07:26 -0500 Received: from mail-lj1-x244.google.com (mail-lj1-x244.google.com [IPv6:2a00:1450:4864:20::244]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A90F2C0617A6 for ; Mon, 2 Nov 2020 13:07:25 -0800 (PST) Received: by mail-lj1-x244.google.com with SMTP id m8so10538857ljj.0 for ; Mon, 02 Nov 2020 13:07:25 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=BBLu0vM655XowNrIyRKKleuRbrL4Z0mxVWraxuQk1yA=; b=Ey8R9GBeMQRSQXCV7WOS0TyN0sjwxNl39cNnYamkmGtpS35j79toOPoLwxpel4OadD jQ2aDmeGzGRC0wjM/I2B4X1PzuorXgAT5gvr4CqTIJjsjyLpqKMr1biHUmB5HnATMN5G haCg3I7SjYEWB9/YF4ZNFr8axiHHTGjowSrhU= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=BBLu0vM655XowNrIyRKKleuRbrL4Z0mxVWraxuQk1yA=; b=i6fj2elJAZDHn6RI4kE72Viuh3247+Bp7yv2WXGAU6ohFHCIM70xkGscpx5wUrDRJI SHWk0tfC8ap40L9Kh9UnpRG6bVvkCX60smXHWicWlRpdz17F002JcHlEP2FeV90Rigx5 RGwpvSBJYDqoKjX9KT7wqW8fqiV/RqQhges7kjb1Cw0aMMPk76vIQQdOeEM7jssrz7tb kyRtL0Vf9OSvZouxkYQo4fscU31y9g5+Xwmywt60vku9Y435p86Hwfg4bxUJp6ltaA4F nMAdzJcNOXHpmcHk9YM8VASbISLE7Kzcosm/dCgAXfxltYIyUtVoCjiITlbn3bGxk/9i KQEg== X-Gm-Message-State: AOAM532Q8ogjqMusAupPpUtNYwhGolmTb1mPIVxM+LdebYBgZlDx7QZM p+JWGvuLEy8UvWDZlJEp0G5xHFhwLqTK+l68NHarPA== X-Received: by 2002:a2e:9188:: with SMTP id f8mr7586111ljg.333.1604351244205; Mon, 02 Nov 2020 13:07:24 -0800 (PST) MIME-Version: 1.0 References: <20201030160833.BlueZ.v1.1.Ia45f3edc48142d9db0dc4b315c84ab60a149697f@changeid> In-Reply-To: From: Miao-chen Chou Date: Mon, 2 Nov 2020 13:07:13 -0800 Message-ID: Subject: Re: [BlueZ PATCH v1] adapter: Fix a crash caused by lingering discovery client pointer To: Luiz Augusto von Dentz Cc: Bluetooth Kernel Mailing List , Marcel Holtmann , Alain Michaud , Sonny Sasaka , ChromeOS Bluetooth Upstreaming , Luiz Augusto von Dentz Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org Hi Luiz, On Fri, Oct 30, 2020 at 4:48 PM Luiz Augusto von Dentz wrote: > > Hi Miao-chen, > > On Fri, Oct 30, 2020 at 4:13 PM Miao-chen Chou wrote: > > > > This cleans up the lingering pointer, adapter->client, during powering > > off the adapter. The crash occurs when a D-Bus client set Powered > > property to false and immediately calls StopDiscovery() when there is > > ongoing discovery. As a part of powering off the adapter, > > adapter->discovery_list gets cleared, and given that adapter->client > > refers to one of the clients in adapter->discovery_list, adapter->client > > should be cleared along with it. > > > > Reviewed-by: Alain Michaud > > Reviewed-by: Sonny Sasaka > > --- > > > > src/adapter.c | 17 ++++++++++++++++- > > 1 file changed, 16 insertions(+), 1 deletion(-) > > > > diff --git a/src/adapter.c b/src/adapter.c > > index c0053000a..74bfb0448 100644 > > --- a/src/adapter.c > > +++ b/src/adapter.c > > @@ -1507,8 +1507,10 @@ static void discovery_free(void *user_data) > > client->discovery_filter = NULL; > > } > > > > - if (client->msg) > > + if (client->msg) { > > dbus_message_unref(client->msg); > > + client->msg = NULL; > > + } > > This shouldn't make any difference as the whole list is freed and so > is the client. Please see my below reply. > > > > > g_free(client->owner); > > g_free(client); > > @@ -5301,6 +5303,19 @@ static void free_service_auth(gpointer data, gpointer user_data) > > > > static void remove_discovery_list(struct btd_adapter *adapter) > > { > > + DBusMessage *msg; > > + > > + if (adapter->client) { > > + msg = adapter->client->msg; > > + if (msg) { > > + g_dbus_send_message(dbus_conn, btd_error_busy(msg)); > > + dbus_message_unref(msg); > > + adapter->client->msg = NULL; > > + } > > + > > + adapter->client = NULL; > > Shouldn't you call discovery_free as well here? Or perhaps we could > move the lines above inside discovery_free so it detects if the > adapter->client is pointing to a client that is being freed. > discovery_free are done in the following lines, so there is no need to call discovery_free() for a referencing pointer, adapter->client. It's a good point to move it so discovery_free() instead. > > + } > > + > > g_slist_free_full(adapter->set_filter_list, discovery_free); > > adapter->set_filter_list = NULL; > > > > -- > > 2.26.2 > > > > > -- > Luiz Augusto von Dentz Regards, Miao