From: Howard Chung <howardchung@google.com>
To: linux-bluetooth@vger.kernel.org, luiz.dentz@gmail.com
Cc: Yun-Hao Chung <howardchung@chromium.org>
Subject: [Bluez PATCH v1] core: fix a possible crash when removing devices
Date: Tue, 20 Jul 2021 19:51:37 +0800
Message-ID: <20210720195130.Bluez.v1.1.Ib24a67a8a849f311d5213f83eaac3cfbc54b7b58@changeid>

From: Yun-Hao Chung <howardchung@chromium.org>

In probe_service, if the service already exists in device->services, it
returns the service. This might cause dev_probe and device_probe_profile
to add a duplicate service into device->services. When removing the
device, a double-free error might occur.

This patch changes the logic of probe_service so that the same service
will not be added to a device.

---
Hi maintainers,

This was originally found by removing/reprobing profiles in admin_policy
plugin. Since we are going to adopt the other way to block incoming
connection, this patch is no longer causing any issue, but I think it
is still nice to have to prevent potential crashes.

Thanks,
Howard

 src/device.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/device.c b/src/device.c
index faf07ba22270..b29aa195d19b 100644
--- a/src/device.c
+++ b/src/device.c
@@ -4624,8 +4624,11 @@ static struct btd_service *probe_service(struct btd_device *device,
 		return NULL;
 
 	l = find_service_with_profile(device->services, profile);
+	/* If the service already exists, return NULL so that it won't be added
+	 * to the device->services.
+	 */
 	if (l)
-		return l->data;
+		return NULL;
 
 	service = service_create(device, profile);
 
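Review bot: returning NULL for an already-present service makes that case indistinguishable from the function's existing failure paths, the `return NULL` a few lines above and a failed service_create(), so any caller that treats a NULL result as an error (logging it, or reporting a failed probe over D-Bus) will now do so on every re-probe of a profile the device already has. Either the callers named in the commit message (dev_probe and device_probe_profile) should be audited in the same patch to confirm they silently skip NULL, or they could call find_service_with_profile() themselves before appending, which fixes the duplicate list entry without changing what probe_service()'s return value means. The new comment also describes the callers' behaviour ("won't be added to the device->services") rather than this function's; stating the actual hazard here, that a second list entry for the same pointer is freed twice when the device is removed, would let a reader of probe_service() alone see why the early return matters.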
-- 
2.32.0.402.g57bb445576-goog
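To make the failure mode in the commit message concrete, the following is an added example, not BlueZ code: a minimal stand-in for device->services as a singly linked list, a probe helper in both the pre-patch form (hand back the existing entry) and the patched form (return NULL), and a caller that appends whatever non-NULL pointer it gets back, which is assumed here to be the shape of dev_probe/device_probe_profile. The list type, `service_create()`, `probe_fn` and the "HID" profile are all invented for the illustration; the duplicate-pointer counter shows directly what a g_slist_free_full()-style teardown would free twice.

```c
/* Added example (not BlueZ code): duplicate pointers in a service list and
 * why a free-every-node teardown then frees one service twice.
 * All names below are invented for this illustration. */
#include <stdio.h>
#include <stdlib.h>

struct profile { const char *name; };

struct service { const struct profile *profile; };

/* Minimal stand-in for GSList: data pointer plus next. */
struct slist {
	void *data;
	struct slist *next;
};

struct probe_result {
	size_t length;      /* nodes in the list after probing */
	size_t duplicates;  /* nodes whose data pointer repeats an earlier one */
};

static struct slist *slist_append(struct slist *list, void *data)
{
	struct slist *node = calloc(1, sizeof(*node));
	struct slist *l;

	if (!node)
		abort();
	node->data = data;
	if (!list)
		return node;
	for (l = list; l->next; l = l->next)
		;
	l->next = node;
	return list;
}

/* Analogue of find_service_with_profile(): node holding a service for profile. */
static struct slist *find_service_with_profile(struct slist *list,
					       const struct profile *profile)
{
	for (; list; list = list->next) {
		const struct service *s = list->data;
		if (s->profile == profile)
			return list;
	}
	return NULL;
}

static struct service *service_create(const struct profile *profile)
{
	struct service *service = calloc(1, sizeof(*service));

	if (!service)
		abort();
	service->profile = profile;
	return service;
}

/* Pre-patch behaviour: an existing service is handed back to the caller. */
static struct service *probe_returns_existing(struct slist *services,
					      const struct profile *profile)
{
	struct slist *l = find_service_with_profile(services, profile);

	return l ? l->data : service_create(profile);
}

/* Patched behaviour: an existing service yields NULL, so the caller appends nothing. */
static struct service *probe_returns_null(struct slist *services,
					  const struct profile *profile)
{
	return find_service_with_profile(services, profile) ? NULL
							   : service_create(profile);
}

typedef struct service *(*probe_fn)(struct slist *, const struct profile *);

/* Assumed caller pattern: probe, then append any non-NULL result. Probes the
 * same profile 'times' times, reports list length and duplicate pointers, then
 * frees each distinct service exactly once (unlike a blind free-all pass). */
static struct probe_result probe_same_profile(probe_fn probe, int times)
{
	static const struct profile hid = { "HID" };
	struct slist *services = NULL, *a, *b;
	struct probe_result r = { 0, 0 };

	for (int i = 0; i < times; i++) {
		struct service *service = probe(services, &hid);
		if (!service)
			continue;
		services = slist_append(services, service);
	}

	/* Count repeats and null them out so each service is freed once;
	 * g_slist_free_full() would instead free the repeated pointer again. */
	for (a = services; a; a = a->next) {
		r.length++;
		for (b = services; b != a; b = b->next)
			if (b->data && b->data == a->data) {
				r.duplicates++;
				a->data = NULL;
				break;
			}
	}
	while (services) {
		struct slist *next = services->next;
		free(services->data); /* free(NULL) is a no-op */
		free(services);
		services = next;
	}
	return r;
}

int main(void)
{
	struct probe_result old = probe_same_profile(probe_returns_existing, 3);
	struct probe_result fixed = probe_same_profile(probe_returns_null, 3);

	printf("pre-patch: %zu nodes, %zu would be freed twice\n",
	       old.length, old.duplicates);
	printf("patched:   %zu nodes, %zu would be freed twice\n",
	       fixed.length, fixed.duplicates);
	return 0;
}
```

Probing the same profile three times through the pre-patch helper leaves three nodes that all carry one pointer, so a teardown that frees every node's data frees that service twice more than it should; the patched helper leaves a single node. The example deliberately frees each distinct pointer once rather than reproducing the double free, which is undefined behaviour and would only crash the demonstration.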


Thread overview: 3+ messages
2021-07-20 11:51 Howard Chung [this message]
2021-07-20 12:49 ` [Bluez,v1] core: fix a possible crash when removing devices bluez.test.bot
2021-07-20 17:40   ` Luiz Augusto von Dentz
