diff mbox series

[BlueZ] gatt: Fix crash when a device is removed

Message ID 20210119193512.821918-1-luiz.dentz@gmail.com (mailing list archive)
State Accepted
Delegated to: Luiz Von Dentz

Commit Message

Luiz Augusto von Dentz Jan. 19, 2021, 7:35 p.m. UTC
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

If a device is removed with notifications enabled that would lead to
device_state being freed while att_disconnected has not been called
yet.

gh-issue: https://github.com/bluez/bluez/issues/82
---
 src/gatt-database.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

Comments

bluez.test.bot@gmail.com Jan. 19, 2021, 8:27 p.m. UTC | #1
This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=417643

---Test result---

##############################
Test: CheckPatch - PASS

##############################
Test: CheckGitLint - PASS

##############################
Test: CheckBuild - PASS

##############################
Test: MakeCheck - PASS



---
Regards,
Linux Bluetooth
Luiz Augusto von Dentz Jan. 20, 2021, 10:06 p.m. UTC | #2
Hi,

On Tue, Jan 19, 2021 at 12:27 PM <bluez.test.bot@gmail.com> wrote:
>
> This is automated email and please do not reply to this email!
>
> Dear submitter,
>
> Thank you for submitting the patches to the linux bluetooth mailing list.
> This is a CI test results with your patch series:
> PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=417643
>
> ---Test result---
>
> ##############################
> Test: CheckPatch - PASS
>
> ##############################
> Test: CheckGitLint - PASS
>
> ##############################
> Test: CheckBuild - PASS
>
> ##############################
> Test: MakeCheck - PASS
>
>
>
> ---
> Regards,
> Linux Bluetooth

Pushed.

Patch

diff --git a/src/gatt-database.c b/src/gatt-database.c
index d99604826..d635c3214 100644
--- a/src/gatt-database.c
+++ b/src/gatt-database.c
@@ -1350,11 +1350,17 @@  static void send_notification_to_device(void *data, void *user_data)
 	if (!ccc->value || (notify->conf && !(ccc->value & 0x0002)))
 		return;
 
-	device = btd_adapter_get_device(notify->database->adapter,
+	device = btd_adapter_find_device(notify->database->adapter,
 						&device_state->bdaddr,
 						device_state->bdaddr_type);
-	if (!device)
+	if (!device) {
+		/* If ATT has not disconnect yet don't remove the state as it
+		 * will eventually be removed when att_disconnected is called.
+		 */
+		if (device_state->disc_id)
+			return;
 		goto remove;
+	}
 
 	server = btd_device_get_gatt_server(device);
 	if (!server) {
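
Review bot: The switch from btd_adapter_get_device() to btd_adapter_find_device() at the top of this hunk is not explained in the commit message, which only describes device_state being freed before att_disconnected has been called. Please add a sentence on why the lookup changes, and say so if that change is what makes the !device path reachable after a device is removed. In the new block, the early return on device_state->disc_id leaves the state in place and relies entirely on att_disconnected to remove it later, so it would help to note in the comment where disc_id is cleared, so a reader can confirm the state cannot be left behind with a stale non-zero id. Minor: the comment should read "has not disconnected yet" rather than "has not disconnect yet".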