2020-04-20 14:40:54

by Stéphane Cerveau

Subject: [PATCH 0/1] add hog ref in hog_attach_instance

When I tried to connect a Bluetooth gamepad 8718,
I was experiencing a crash which can always
be reproduced.

https://www.amazon.com/Controller-PowerLead-Wireless-Compatible-Android/dp/B07XJ37HPK

After investigation, it appears that the instance was not reffed initially
when added to the slist, and a double free was requested on this hog during
the free of the slist (unref during a destroy_gatt_req).

Stéphane Cerveau (1):
add hog ref in hog_attach_instance

profiles/input/hog-lib.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

--
2.17.1


2020-04-20 14:42:03

by Stéphane Cerveau

Subject: [PATCH] [PATCH BlueZ] add hog ref before adding to instances

To avoid a double hog free, we need to add a ref
when adding the hog to the slist.

This bug has been reproduced with gamepad-8718
which was connecting/disconnecting frantically.

Also fix a typo in the method hog_attach_instance
---
profiles/input/hog-lib.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/profiles/input/hog-lib.c b/profiles/input/hog-lib.c
index 9c5c814a7..b9b5d565c 100644
--- a/profiles/input/hog-lib.c
+++ b/profiles/input/hog-lib.c
@@ -1357,7 +1357,7 @@ static struct bt_hog *hog_new(int fd, const char *name, uint16_t vendor,
return hog;
}

-static void hog_attach_instace(struct bt_hog *hog,
+static void hog_attach_instance(struct bt_hog *hog,
struct gatt_db_attribute *attr)
{
struct bt_hog *instance;
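Review bot: the rename hog_attach_instace -> hog_attach_instance (here and at its call site in foreach_hog_service) is unrelated to the reference-count fix and should go in its own patch, so the fix stays a minimal change that is easy to bisect and backport; the commit message already lists the typo as a separate item.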
@@ -1373,14 +1373,14 @@ static void hog_attach_instace(struct bt_hog *hog,
if (!instance)
return;

- hog->instances = g_slist_append(hog->instances, instance);
+ hog->instances = g_slist_append(hog->instances, bt_hog_ref(instance));
}

static void foreach_hog_service(struct gatt_db_attribute *attr, void *user_data)
{
struct bt_hog *hog = user_data;

- hog_attach_instace(hog, attr);
+ hog_attach_instance(hog, attr);
}

static void dis_notify(uint8_t source, uint16_t vendor, uint16_t product,
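Review bot: taking bt_hog_ref() at the append gives hog->instances its own reference, but the hunk does not show who now owns the reference that hog_new() returns (the context above hands the freshly created instance straight to the list). If no other path releases that creation reference, the extra ref turns the reported double free into a leak; please state in the commit message which unref balances which owner (the cover letter names the unref in destroy_gatt_req as the pending-request owner and the slist free as the other), and add a short comment at the append, e.g. /* the instances list owns this ref; dropped when the list is freed */.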
@@ -1528,7 +1528,7 @@ static void hog_attach_hog(struct bt_hog *hog, struct gatt_primary *primary)
primary->range.end, find_included_cb, instance);

bt_hog_attach(instance, hog->attrib);
- hog->instances = g_slist_append(hog->instances, instance);
+ hog->instances = g_slist_append(hog->instances, bt_hog_ref(instance));
}

static void primary_cb(uint8_t status, GSList *services, void *user_data)
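Review bot: this is the same ref-and-append line as in hog_attach_instance; factor both into a small helper (e.g. hog_add_instance(hog, instance)) so the ownership rule for hog->instances lives in one place and a future caller cannot append an unreffed instance again.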
--
2.17.1