Received: by 2002:a05:6a10:16a7:0:0:0:0 with SMTP id gp39csp847248pxb; Thu, 5 Nov 2020 14:51:10 -0800 (PST) X-Google-Smtp-Source: ABdhPJxh5owvrfKkB8+SBdRW+afQ1cgVrDzuj/Nt4MMr2K0GTAt8CnDyQJsp5VsSa4wPHizW7bLR X-Received: by 2002:a05:6402:40e:: with SMTP id q14mr4835802edv.169.1604616670499; Thu, 05 Nov 2020 14:51:10 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1604616670; cv=none; d=google.com; s=arc-20160816; b=DTXGIPwiiQXsqfS+vrqEovaESsgVtx49Wn2DRA1CjFMhOtcJf7b9EnFRurlpYbGCc2 izvYp0FR6bJHzvcCzjD1ExwigyrjWZQVDu4rTCBQGT25gj7556KqsF2qNGyB2gT9A9SY Rn93iGsit4+IcnJX4jDW8adwv1Gi2mHPnzXy3gvtNobPg5vQkIo11P2Xs+FLywRCoBR7 l830RW3XTKmxR9thKyOQ+jxs4/4ReZmMKIHEjbqoEjdu2Rmgu2uXkbi+OBnugaE6UzNU LOJFjufMlaW/ljdA2a2XXiByVQyNfkY+mWqIqTPYEhxhW2eP/yDPZo9lflBkNiHBR1yD pccg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=qjEW48iqNOIEJkng92xffd5UTNQ6qj4/CxAzhaz5mss=; b=VPJoLtwSa/ktPbdJM6JF9pz2lz6HEFAgcZDa95jpMiFRLJTgI5bftlLFicbR7zifEh Yb3dsjzojFF4tC0iii5YX4JyxdHq+2vQenRXNgZjT7YmKUlLmJpxlZ1hRyjMrx1eGzY1 rQtN66ny0hM/0Tu1AdJFuOLN3W/4Sjce9rQ4/LghW9teSeLBdhBDMbVrUPdE1yb6yeun 6Pf9RWM4ZdrWgsQwdEhwisoPUsuWXN68QI43eEbi1FD4v2+xTFKaR2nj6tGYPMwVtzpK MDQQRL5xSvE7YaLDoa/7WwHa4ZxXRgyvmOd2wBivOSZSsSYHPlFEJkGdu96vHfDi1fUN j1fQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=g3SJd+fG; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id i2si2168047ejs.498.2020.11.05.14.50.27; Thu, 05 Nov 2020 14:51:10 -0800 (PST) Received-SPF: pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=g3SJd+fG; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731860AbgKEWuW (ORCPT + 99 others); Thu, 5 Nov 2020 17:50:22 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38366 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726801AbgKEWuW (ORCPT ); Thu, 5 Nov 2020 17:50:22 -0500 Received: from mail-pl1-x644.google.com (mail-pl1-x644.google.com [IPv6:2607:f8b0:4864:20::644]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 09D2EC0613CF for ; Thu, 5 Nov 2020 14:50:22 -0800 (PST) Received: by mail-pl1-x644.google.com with SMTP id x23so1498367plr.6 for ; Thu, 05 Nov 2020 14:50:22 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=qjEW48iqNOIEJkng92xffd5UTNQ6qj4/CxAzhaz5mss=; b=g3SJd+fGUC+VinzrF55zAvgPyKEv+MX78tBd0B88kM+Tb7gjWN36WUwcDSs+KTBV6C SsyNTCcoLDXhjwo7NYrSo9X+ExnK6cZI5gTpARQyzxnlny6EuAE1jYP3QMkMzqN4L1eL CqSCfVSAw3F+2bRDz+1Xg8HctSlRyKJboMcPM= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=qjEW48iqNOIEJkng92xffd5UTNQ6qj4/CxAzhaz5mss=; b=G3USHYc83RTwBf7/xl80l/FqfnjNU4ihcg9xc9POgd9depGgSQzFiIKo9N3ZRci8fx OOH6HjXt7CpkGaxGJ0T3ym3dPBksDZVAvvRbXXJ45EDss5F/xVKJmW9Sf3fZY0/sON3j 6mPYeXn+wSAQZgKoV7P/H2EfGxXbqnvFq7ZfrVdYCZnaD5Oyvc6/TczRPghcGD8qm5Dy 5UBZnPxcc0+KvwpMP9Uyo1Ab4feKmqw/7gWbfqJuklot83iG3jl6qiTSVJ0LSy6amvwp 0VMAnr5AW1SR40aCBd13lt+MPV1J//B133PWbO9500h8fKOHkkkrBZMU4l72pmfnJj1j jExQ== X-Gm-Message-State: AOAM532WXQjsZvFR53PBpdSotGA3YxaOlyM4sQwl8/tdr2KDJl4Fjcq8 ckHYdOv0DVmVr78eEdFKZEVYBp1P5mLJFA== X-Received: by 2002:a17:902:a717:b029:d6:e91:d02b with SMTP id w23-20020a170902a717b02900d60e91d02bmr4211527plq.23.1604616621283; Thu, 05 Nov 2020 14:50:21 -0800 (PST) Received: from sonnysasaka-chrome.mtv.corp.google.com ([2620:15c:202:201:4a0f:cfff:fe66:e60c]) by smtp.gmail.com with ESMTPSA id p127sm644974pfp.93.2020.11.05.14.50.20 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 05 Nov 2020 14:50:20 -0800 (PST) From: Sonny Sasaka To: linux-bluetooth@vger.kernel.org Cc: Sonny Sasaka Subject: [PATCH BlueZ] Cancel GATT client operations when cleaning up GATT cache Date: Thu, 5 Nov 2020 14:49:23 -0800 Message-Id: <20201105224923.377-1-sonnysasaka@chromium.org> X-Mailer: git-send-email 2.26.2 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org A crash is found when discovery_complete_op is invoked but gatt_db_attribute objects have been freed. A solution is to always cancel GATT client operations every time we clean GATT cache. The crash is reproducible by connecting to an LE mouse and then calling RemoveDevice immediately, triggering disconnection while GATT service discovery is in progress. Sample crash stack trace: 0 gatt_db_service_get_handles (service=0x1751130, service=0x1751130, end_handle=0x7ffcd600806e, start_handle=0x7ffcd600806c) at src/shared/gatt-db.c:569 1 gatt_db_attribute_get_service_data (attrib=, start_handle=0x7ffcd600806c, end_handle=0x7ffcd600806e, primary=0x0, uuid=0x0) at src/shared/gatt-db.c:1657 2 0x00000000004983a8 in discovery_op_complete (op=op@entry=0x173b320, success=, err=err@entry=10 '\n') at src/shared/gatt-client.c:406 3 0x000000000049a548 in discover_descs_cb (success=, att_ecode=, result=, user_data=0x173b320) at src/shared/gatt-client.c:915 4 0x00000000004a1d87 in discovery_op_complete (op=0x1748450, success=, ecode=) at src/shared/gatt-helpers.c:615 5 0x00000000004a2379 in discover_descs_cb (opcode=, pdu=0x174d551, length=, user_data=0x1748450) at src/shared/gatt-helpers.c:1465 6 0x00000000004966db in handle_rsp (pdu_len=4, pdu=, opcode=, chan=0x17483c0) at src/shared/att.c:814 7 can_read_data (io=, user_data=0x17483c0) at src/shared/att.c:1011 8 0x00000000004a0853 in watch_callback (channel=, cond=, user_data=) at src/shared/io-glib.c:157 9 0x00007fb3f2d7fe87 in g_main_context_dispatch () from /usr/lib64/libglib-2.0.so.0 10 0x00007fb3f2d80230 in ?? () from /usr/lib64/libglib-2.0.so.0 11 0x00007fb3f2d80542 in g_main_loop_run () from /usr/lib64/libglib-2.0.so.0 12 0x00000000004a0e25 in mainloop_run () at src/shared/mainloop-glib.c:66 13 0x00000000004a11f2 in mainloop_run_with_signal (func=func@entry=0x43f200 , user_data=user_data@entry=0x0) at src/shared/mainloop-notify.c:188 14 0x000000000040c72e in main (argc=, argv=) at src/main.c:959 Change-Id: I17b8ccc5322b0a83fc63d711e83c9f4a58a0374c --- src/device.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/device.c b/src/device.c index a5ef46730..d5e884ff4 100644 --- a/src/device.c +++ b/src/device.c @@ -569,6 +569,7 @@ static void gatt_cache_cleanup(struct btd_device *device) if (gatt_cache_is_enabled(device)) return; + bt_gatt_client_cancel_all(device->client); gatt_db_clear(device->db); } -- 2.26.2