Received: by 2002:a05:6a10:f3d0:0:0:0:0 with SMTP id a16csp3282544pxv;
        Mon, 12 Jul 2021 13:42:32 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwwKXtWHbCv5xvWLEI3mmS958OtL3j/n1fbo2z0GIsnZiIHZJJAkinfslYb7+qKC75QJuDJ
X-Received: by 2002:a92:a30d:: with SMTP id a13mr493740ili.236.1626122552346;
        Mon, 12 Jul 2021 13:42:32 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1626122552; cv=none;
        d=google.com; s=arc-20160816;
        b=aGVF8VvM5XquwwgLeTyUWXVhNBjjQ3IUBsDO0V2J/JeoQADDbZAfRTuQO/OZV3phsr
         ZozcUNiYw/PW0B7jqnDLcR5BymLLT32qtvAgZKxlfujFcLL4jjcVC+lKtqb82b8Kw/23
         qELBiaZvIGAtOjYBXOQEfJMxxfclwYx6ir9TVWTOFdb3mFvs5DyLUT6c8HSxLKfA705L
         B7V0OZvIme5oIun7h+e1Cnj75q+VjYJOlUZZNLV5vasSBunauHQv4uOg8StXLTo3PSuh
         neSXeQa5MpTRwAGoJr7N/47Ik1jvzj8nTuM9KLSsR/sWogfyxw1lXbC+q/UifkfR/sQH
         0cJw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to
         :references:mime-version:dkim-signature;
        bh=X6mcThMdQ+3MofnxAx6uoNfHyPruYidEtPFBcQDzWEA=;
        b=Tf+46uzNIGEOb+wA4ffoO2CriRtsaqByx2I7HcUuoKJ+LY/uI2CFaRjPzi7KWd2m7E
         oV27jdslNwSXkV2aKC6XYeYg4/TJ2FtaP4Hdjsu6HXLBKNA9DYigpWfLOaUdviZwZ63Q
         dzuyqATI9Xw4HQtbYk7s3Q6InAlVfC+uamtZleUizezqqArmTB0xcarmLOmV8bhVNBiE
         aG/diVCHFOfIyQZoZ8swSh6eaxK401ts2dXxEzxpqM8Uc5wtZcRJTqx7Ls0KJRl4Y8h+
         SV8ZQZHx8ch/XPyKDUtvADDAww6272TZmURxxX7JqL09AIyHxQTC51g1dnPgE0W3cO05
         ZmtQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=Eler6PR6;
       spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-bluetooth-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id y9si3253571ilv.11.2021.07.12.13.42.04;
        Mon, 12 Jul 2021 13:42:32 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=Eler6PR6;
       spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S230122AbhGLUnx (ORCPT <rfc822;manfred.donn@gmail.com>
        + 99 others); Mon, 12 Jul 2021 16:43:53 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58068 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S230058AbhGLUnw (ORCPT
        <rfc822;linux-bluetooth@vger.kernel.org>);
        Mon, 12 Jul 2021 16:43:52 -0400
Received: from mail-yb1-xb29.google.com (mail-yb1-xb29.google.com [IPv6:2607:f8b0:4864:20::b29])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 25970C0613DD
        for <linux-bluetooth@vger.kernel.org>; Mon, 12 Jul 2021 13:41:04 -0700 (PDT)
Received: by mail-yb1-xb29.google.com with SMTP id r135so31231031ybc.0
        for <linux-bluetooth@vger.kernel.org>; Mon, 12 Jul 2021 13:41:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=X6mcThMdQ+3MofnxAx6uoNfHyPruYidEtPFBcQDzWEA=;
        b=Eler6PR6EIL+Um8kuizSr6zz7YXDDTcoc53M4yG4h29+CLz6qq7vvV0+wcAIYs+RNr
         9PC7uDX2GZ76wYiMkOpzCCVsP/100jrHBsyI+0l7PJYvCWjH8+vm5YwslxkqSVPYjI/o
         fRN/PjxsDVm85yyTCgKx8LsANLen0GHa+nJxnJXQxSGn376ZZ9rr8ntimCZCKV6SRpnO
         GsUBMYry3jxfm49szO0J2z2UEgr45c0pCqC2yXAwJFK/BOPS/QSIXoT0OUA3l/QbYNSe
         2JDnCxoEwCF4npnCejNb9MhKe33aWubtYRZHvWwA0f62AfAN/tlso8Vc3Wpd3EVLYDaD
         0tCw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=X6mcThMdQ+3MofnxAx6uoNfHyPruYidEtPFBcQDzWEA=;
        b=Y0nckkQqAWeOWaS0GycPIJlPF17aREq2ScZmoh4bjVCXuKlcNzLa3nRp+xHVFG1wQy
         FFVPHbjxrx/Kt4dzqU8gsrjxpgTiWlpJyA4h/Pl7JNVw4TjicvIdXebKQjgnoCb53xdF
         N6x0xNg5/1mUcfY1WRGAyL/nGu1QknBwkO/CeXM3t2Z4luLEWdlv5bIh+NzyyOgMRjlz
         ZxpG5nh+htTBBcXBd4t50cXHpsNSXUM2ies9t6Z2Tnk6PJvSZU6Ob3QYaMNhzVgBHvCy
         iWPLeddvq0xCpkn7xM0tyqaQ1vDFFj0m7uIYYiEsRx4TVamTjf7RNdTQjGuqhIoa6Tm8
         v7bw==
X-Gm-Message-State: AOAM531UbOkwmSEUHmycp85zSLWeC9mvr3cAcIyfTd0Q5e1JHJLEstHm
        4maGow9hJ/3z/pnSI6gVBwtfgqUF2hTYVy/4G1s=
X-Received: by 2002:a25:b741:: with SMTP id e1mr1091716ybm.347.1626122463178;
 Mon, 12 Jul 2021 13:41:03 -0700 (PDT)
MIME-Version: 1.0
References: <20210712203813.Bluez.v1.1.Id7aa1152377161d17b442bf258773d9b6c624ca3@changeid>
In-Reply-To: <20210712203813.Bluez.v1.1.Id7aa1152377161d17b442bf258773d9b6c624ca3@changeid>
From:   Luiz Augusto von Dentz <luiz.dentz@gmail.com>
Date:   Mon, 12 Jul 2021 13:40:52 -0700
Message-ID: <CABBYNZJ-Oc=H7icDxBVk8iNAfcBjZDL_CgKq7r8k82iwT66pVQ@mail.gmail.com>
Subject: Re: [Bluez PATCH v1] a2dp: Fix crash in channel_free while waiting
 cmd resp
To:     Howard Chung <howardchung@google.com>
Cc:     "linux-bluetooth@vger.kernel.org" <linux-bluetooth@vger.kernel.org>,
        Yun-Hao Chung <howardchung@chromium.org>,
        Archie Pusaka <apusaka@chromium.org>
Content-Type: text/plain; charset="UTF-8"
Precedence: bulk
List-ID: <linux-bluetooth.vger.kernel.org>
X-Mailing-List: linux-bluetooth@vger.kernel.org

Hi Howard,

On Mon, Jul 12, 2021 at 5:39 AM Howard Chung <howardchung@google.com> wrote:
>
> From: Yun-Hao Chung <howardchung@chromium.org>
>
> When channel_free is called and we are waiting for a command response
> from the peer, bluez NULL the setup->session but would not free its
> setup_cb. Since setup_cb holds a ref of setup, the setup wouldn't be
> freed and if service_removed is called after channel_free, a2dp_cancel
> tries to abort the ongoing avdtp commands, which accesses the
> setup->session and triggers a crash.
>
> This change finalizes all avdtp commands before assigning setup->session
> to NULL in channel_free.
>
> Crash stack trace:
> 0x000059f01943e688      (bluetoothd -avdtp.c:3690)
> avdtp_abort
> 0x000059f01943928a      (bluetoothd -a2dp.c:3069)
> a2dp_cancel
> 0x000059f0194377fa      (bluetoothd -sink.c:324)
> sink_unregister
> 0x000059f01948715a      (bluetoothd -service.c:177)
> service_remove
> 0x000059f01948d77c      (bluetoothd -device.c:5346)
> device_remove
> 0x000059f019476d14      (bluetoothd -adapter.c:7202)
> adapter_remove
> 0x000059f019476c3e      (bluetoothd -adapter.c:10827)
> adapter_cleanup
> 0x000059f01949d8d7      (bluetoothd -main.c:1114)               main
> 0x0000787b36185d74      (libc.so.6 -libc-start.c:308)
> __libc_start_main
> 0x000059f019433e39      (bluetoothd + 0x00026e39)               _start
> 0x00007fff2d2c0127
>
> Reviewed-by: Archie Pusaka <apusaka@chromium.org>
> ---
> There are two other options to fix this crash.
> 1. add a NULL check in a2dp_cancel before calling avdtp_abort.
> 2. call setup_cb_free to every setup_cb in setup->cb in channel_free.
>
> Since each setup_cb needs setup->session, I think there is no need to
> keep the setup_cb after assigning setup->session to NULL. So the first
> option is not ideal. If the second option is adopted, there would be
> some time that sink/source->connect_id/disconnect_id is not zero, but
> there is no corresponding setup_cb.
>
> Test steps:
> Reproduce the crash with the following steps. Verify the crash is
> no longer observed after this change.
> 1. ignore AVDTP_SET_CONFIGURATION resp by modifying avdtp.c
> 2. turn on a paired headset
> 3. check the bluetooth.log, while bluez is waiting for
>    AVDTP_SET_CONFIGURATION resp, stop bluetoothd immediately.
>    This will trigger:
>    session_cb (I/O error) -> connection_lost
>    -> avdtp_set_state (AVDTP_SESSION_STATE_DISCONNECTED)
>    -> avdtp_state_cb -> channel_remove -> channel_free
>    then:
>    adapter_cleanup -> adapter_remove -> device_remove -> service_remove
>    -> a2dp_sink_remove -> sink_unregister -> sink_free -> a2dp_cancel
> 4. check if bluetoothd crash
> The above steps can trigger the crash 100%.
>
>  profiles/audio/a2dp.c | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/profiles/audio/a2dp.c b/profiles/audio/a2dp.c
> index d31ed845cbe7..f201b98c79d0 100644
> --- a/profiles/audio/a2dp.c
> +++ b/profiles/audio/a2dp.c
> @@ -1540,9 +1540,14 @@ static void channel_free(void *data)
>         setup = find_setup_by_session(chan->session);
>         if (setup) {
>                 setup->chan = NULL;
> +               /* Finalize pending commands before we NULL setup->session */
> +               finalize_setup_errno(setup, -ENOTCONN, finalize_discover,
> +                                                       finalize_select,
> +                                                       finalize_config,
> +                                                       finalize_resume,
> +                                                       finalize_suspend, NULL);

While the analysis seems correct I wonder if wouldn't be a better idea
to have a finalize_all so we don't have to iterate the callback list
multiple times, other than that the patch looks good and I would
prioritize it to have it included asap.

>                 avdtp_unref(setup->session);
>                 setup->session = NULL;
> -               finalize_setup_errno(setup, -ENOTCONN, NULL);
>         }
>
>         g_free(chan);
> --
> 2.32.0.93.g670b81a890-goog
>


-- 
Luiz Augusto von Dentz