All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH BlueZ 1/2] gatt: StartNotify is not allowed when device is disconnecting
@ 2020-08-21  6:16 Sonny Sasaka
  2020-08-21  6:16 ` [PATCH BlueZ 2/2] doc/gatt-api: Add new error for StartNotify Sonny Sasaka
  2020-09-16 22:38 ` [PATCH BlueZ 1/2] gatt: StartNotify is not allowed when device is disconnecting Sonny Sasaka
  0 siblings, 2 replies; 4+ messages in thread
From: Sonny Sasaka @ 2020-08-21  6:16 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: Joseph Hwang

From: Joseph Hwang <josephsih@chromium.org>

This patch fixed a bluetoothd crash in register_notify_cb(). The
crash is incurred by an exception that under some situation, a
characteristic may be freed when register_notify_cb() is invoked.

When a device is disconnecting, the device interface would hold valid
for a while until the disconnection procedure between the client and
the server is completed. If another process happens to request to start
notification of a characteristic on the disconnecting device, it may
incur a problem. In this case, the client would still send the
StartNotify request since the characteristic object is still valid.
However, the characteristic may be freed soon and become invalid
when the corresponding callback function is invoked later. This
leads to the bluetoothd crash due to the segmentation fault.

To handle the exception, if another process requests to start
notification when the device is disconnecting, it should reject the
request.

Tested on Chrome OS that this patch fixes bluetoothd crash in
register_notify_cb().

---
 src/gatt-client.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/gatt-client.c b/src/gatt-client.c
index 20c3fbec2..c706307c7 100644
--- a/src/gatt-client.c
+++ b/src/gatt-client.c
@@ -1545,6 +1545,12 @@ static DBusMessage *characteristic_start_notify(DBusConnection *conn,
 	const char *sender = dbus_message_get_sender(msg);
 	struct async_dbus_op *op;
 	struct notify_client *client;
+	struct btd_device *device = chrc->service->client->device;
+
+	if (device_is_disconnecting(device)) {
+		error("Device is disconnecting. StartNotify is not allowed.");
+		return btd_error_not_connected(msg);
+	}
 
 	if (chrc->notify_io)
 		return btd_error_not_permitted(msg, "Notify acquired");
-- 
2.26.2


^ permalink raw reply related	[flat|nested] 4+ messages in thread
* [PATCH BlueZ 2/2] doc/gatt-api: Add new error for StartNotify
  2020-08-21  6:16 [PATCH BlueZ 1/2] gatt: StartNotify is not allowed when device is disconnecting Sonny Sasaka
@ 2020-08-21  6:16 ` Sonny Sasaka
  2020-09-16 22:38 ` [PATCH BlueZ 1/2] gatt: StartNotify is not allowed when device is disconnecting Sonny Sasaka
  1 sibling, 0 replies; 4+ messages in thread
From: Sonny Sasaka @ 2020-08-21  6:16 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: Joseph Hwang

From: Joseph Hwang <josephsih@chromium.org>

When a device is disconnecting, StartNotify is not allowed. This adds a
new error type to the doc.

---
 doc/gatt-api.txt | 1 +
 1 file changed, 1 insertion(+)

diff --git a/doc/gatt-api.txt b/doc/gatt-api.txt
index 98fe7487c..04789c6d3 100644
--- a/doc/gatt-api.txt
+++ b/doc/gatt-api.txt
@@ -186,6 +186,7 @@ Methods		array{byte} ReadValue(dict options)
 			Possible Errors: org.bluez.Error.Failed
 					 org.bluez.Error.NotPermitted
 					 org.bluez.Error.InProgress
+					 org.bluez.Error.NotConnected
 					 org.bluez.Error.NotSupported
 
 		void StopNotify()
-- 
2.26.2


^ permalink raw reply related	[flat|nested] 4+ messages in thread
* Re: [PATCH BlueZ 1/2] gatt: StartNotify is not allowed when device is disconnecting
  2020-08-21  6:16 [PATCH BlueZ 1/2] gatt: StartNotify is not allowed when device is disconnecting Sonny Sasaka
  2020-08-21  6:16 ` [PATCH BlueZ 2/2] doc/gatt-api: Add new error for StartNotify Sonny Sasaka
@ 2020-09-16 22:38 ` Sonny Sasaka
  2020-09-17 17:06   ` Luiz Augusto von Dentz
  1 sibling, 1 reply; 4+ messages in thread
From: Sonny Sasaka @ 2020-09-16 22:38 UTC (permalink / raw)
  To: BlueZ; +Cc: Joseph Hwang

Dear BlueZ maintainers,

Friendly ping to review this patch. Thanks!


On Thu, Aug 20, 2020 at 11:17 PM Sonny Sasaka <sonnysasaka@chromium.org> wrote:
>
> From: Joseph Hwang <josephsih@chromium.org>
>
> This patch fixed a bluetoothd crash in register_notify_cb(). The
> crash is incurred by an exception that under some situation, a
> characteristic may be freed when register_notify_cb() is invoked.
>
> When a device is disconnecting, the device interface would hold valid
> for a while until the disconnection procedure between the client and
> the server is completed. If another process happens to request to start
> notification of a characteristic on the disconnecting device, it may
> incur a problem. In this case, the client would still send the
> StartNotify request since the characteristic object is still valid.
> However, the characteristic may be freed soon and become invalid
> when the corresponding callback function is invoked later. This
> leads to the bluetoothd crash due to the segmentation fault.
>
> To handle the exception, if another process requests to start
> notification when the device is disconnecting, it should reject the
> request.
>
> Tested on Chrome OS that this patch fixes bluetoothd crash in
> register_notify_cb().
>
> ---
>  src/gatt-client.c | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/src/gatt-client.c b/src/gatt-client.c
> index 20c3fbec2..c706307c7 100644
> --- a/src/gatt-client.c
> +++ b/src/gatt-client.c
> @@ -1545,6 +1545,12 @@ static DBusMessage *characteristic_start_notify(DBusConnection *conn,
>         const char *sender = dbus_message_get_sender(msg);
>         struct async_dbus_op *op;
>         struct notify_client *client;
> +       struct btd_device *device = chrc->service->client->device;
> +
> +       if (device_is_disconnecting(device)) {
> +               error("Device is disconnecting. StartNotify is not allowed.");
> +               return btd_error_not_connected(msg);
> +       }
>
>         if (chrc->notify_io)
>                 return btd_error_not_permitted(msg, "Notify acquired");
> --
> 2.26.2
>

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [PATCH BlueZ 1/2] gatt: StartNotify is not allowed when device is disconnecting
  2020-09-16 22:38 ` [PATCH BlueZ 1/2] gatt: StartNotify is not allowed when device is disconnecting Sonny Sasaka
@ 2020-09-17 17:06   ` Luiz Augusto von Dentz
  0 siblings, 0 replies; 4+ messages in thread
From: Luiz Augusto von Dentz @ 2020-09-17 17:06 UTC (permalink / raw)
  To: Sonny Sasaka; +Cc: BlueZ, Joseph Hwang

Hi Sonny,

On Wed, Sep 16, 2020 at 3:40 PM Sonny Sasaka <sonnysasaka@chromium.org> wrote:
>
> Dear BlueZ maintainers,
>
> Friendly ping to review this patch. Thanks!
>
>
> On Thu, Aug 20, 2020 at 11:17 PM Sonny Sasaka <sonnysasaka@chromium.org> wrote:
> >
> > From: Joseph Hwang <josephsih@chromium.org>
> >
> > This patch fixed a bluetoothd crash in register_notify_cb(). The
> > crash is incurred by an exception that under some situation, a
> > characteristic may be freed when register_notify_cb() is invoked.
> >
> > When a device is disconnecting, the device interface would hold valid
> > for a while until the disconnection procedure between the client and
> > the server is completed. If another process happens to request to start
> > notification of a characteristic on the disconnecting device, it may
> > incur a problem. In this case, the client would still send the
> > StartNotify request since the characteristic object is still valid.
> > However, the characteristic may be freed soon and become invalid
> > when the corresponding callback function is invoked later. This
> > leads to the bluetoothd crash due to the segmentation fault.
> >
> > To handle the exception, if another process requests to start
> > notification when the device is disconnecting, it should reject the
> > request.
> >
> > Tested on Chrome OS that this patch fixes bluetoothd crash in
> > register_notify_cb().
> >
> > ---
> >  src/gatt-client.c | 6 ++++++
> >  1 file changed, 6 insertions(+)
> >
> > diff --git a/src/gatt-client.c b/src/gatt-client.c
> > index 20c3fbec2..c706307c7 100644
> > --- a/src/gatt-client.c
> > +++ b/src/gatt-client.c
> > @@ -1545,6 +1545,12 @@ static DBusMessage *characteristic_start_notify(DBusConnection *conn,
> >         const char *sender = dbus_message_get_sender(msg);
> >         struct async_dbus_op *op;
> >         struct notify_client *client;
> > +       struct btd_device *device = chrc->service->client->device;
> > +
> > +       if (device_is_disconnecting(device)) {
> > +               error("Device is disconnecting. StartNotify is not allowed.");
> > +               return btd_error_not_connected(msg);
> > +       }
> >
> >         if (chrc->notify_io)
> >                 return btd_error_not_permitted(msg, "Notify acquired");
> > --
> > 2.26.2
> >

Applied, thanks.


-- 
Luiz Augusto von Dentz

^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2020-09-17 17:10 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-08-21  6:16 [PATCH BlueZ 1/2] gatt: StartNotify is not allowed when device is disconnecting Sonny Sasaka
2020-08-21  6:16 ` [PATCH BlueZ 2/2] doc/gatt-api: Add new error for StartNotify Sonny Sasaka
2020-09-16 22:38 ` [PATCH BlueZ 1/2] gatt: StartNotify is not allowed when device is disconnecting Sonny Sasaka
2020-09-17 17:06   ` Luiz Augusto von Dentz

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.