* [PATCH BlueZ 1/4] shared/bap: Fix not unregistering idle callback on detach
@ 2023-03-13 22:51 Luiz Augusto von Dentz
From: Luiz Augusto von Dentz @ 2023-03-13 22:51 UTC (permalink / raw)
  To: linux-bluetooth

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

This makes sure the idle callback is unregistered before bt_gatt_client is
unref'd.
---
 src/shared/bap.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/shared/bap.c b/src/shared/bap.c
index 952b7be260ab..7a53fbc3e91c 100644
--- a/src/shared/bap.c
+++ b/src/shared/bap.c
@@ -3818,6 +3818,8 @@ void bt_bap_detach(struct bt_bap *bap)
 		bap->req = NULL;
 	}
 
+	bt_gatt_client_idle_unregister(bap->client, bap->idle_id);
+
 	/* Cancel queued requests */
 	queue_remove_all(bap->reqs, NULL, NULL, bap_req_detach);
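Review bot: the new bt_gatt_client_idle_unregister(bap->client, bap->idle_id) call leaves bap->idle_id holding the stale id; add `bap->idle_id = 0;` directly after it so that a second detach, or a re-attach that never registers a new idle callback, cannot unregister a recycled id, mirroring the bap->req teardown just above, which nulls the field once it is done with it. Also confirm that bap->client cannot be NULL on any path into bt_bap_detach, or guard the call with `if (bap->client)`.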
 
-- 
2.39.2



* [PATCH BlueZ 2/4] shared/csip: Fix not unregistering idle callback on detach
From: Luiz Augusto von Dentz @ 2023-03-13 22:51 UTC (permalink / raw)
  To: linux-bluetooth

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

This makes sure the idle callback is unregistered before bt_gatt_client is
unref'd.
---
 src/shared/csip.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/shared/csip.c b/src/shared/csip.c
index ff2047a4ade0..094f448a3532 100644
--- a/src/shared/csip.c
+++ b/src/shared/csip.c
@@ -122,6 +122,8 @@ void bt_csip_detach(struct bt_csip *csip)
 	if (!queue_remove(sessions, csip))
 		return;
 
+	bt_gatt_client_idle_unregister(csip->client, csip->idle_id);
+
 	bt_gatt_client_unref(csip->client);
 	csip->client = NULL;
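Review bot: the ordering is right (unregister before bt_gatt_client_unref and before csip->client is cleared), but csip->idle_id is left holding the old id after the unregister; set `csip->idle_id = 0;` alongside `csip->client = NULL;` so the two fields are torn down together and a later bt_csip_detach on the same object cannot pass a stale id to a freshly attached client.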
 
-- 
2.39.2



* [PATCH BlueZ 3/4] shared/gatt-client: Introduce bt_gatt_client_ref_safe
From: Luiz Augusto von Dentz @ 2023-03-13 22:51 UTC (permalink / raw)
  To: linux-bluetooth

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

This introduces bt_gatt_client_ref_safe which ensures the instances
which are being destroyed, e.g. ref_count = 0, do not attempt to reach
callbacks.
---
 src/shared/gatt-client.c | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/src/shared/gatt-client.c b/src/shared/gatt-client.c
index f885076913dc..3a29f807fc85 100644
--- a/src/shared/gatt-client.c
+++ b/src/shared/gatt-client.c
@@ -173,9 +173,20 @@ static bool idle_notify(const void *data, const void *user_data)
 	return true;
 }
 
+static struct bt_gatt_client *
+bt_gatt_client_ref_safe(struct bt_gatt_client *client)
+{
+	if (!client && !client->ref_count)
+		return NULL;
+
+	return bt_gatt_client_ref(client);
+}
+
 static void notify_client_idle(struct bt_gatt_client *client)
 {
-	bt_gatt_client_ref(client);
+	client = bt_gatt_client_ref_safe(client);
+	if (!client)
+		return;
 
 	queue_remove_all(client->idle_cbs, idle_notify, NULL, idle_destroy);
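Review bot: the condition in bt_gatt_client_ref_safe is inverted: `if (!client && !client->ref_count)` dereferences a NULL client on the right-hand operand whenever the left one is true, and never examines ref_count when client is non-NULL, so the function neither rejects NULL safely nor rejects an instance with ref_count == 0 as the commit message intends. It should read `if (!client || !client->ref_count)`. The ScanBuild result on this series reports exactly this ("Access to field 'ref_count' results in a dereference of a null pointer"), and the hunk's callers (notify_client_idle here, notify_client_ready below) rely on the NULL return to skip callbacks on a dying client, so with the `&&` the fix has no effect.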
 
@@ -1360,10 +1371,13 @@ static void notify_client_ready(struct bt_gatt_client *client, bool success,
 {
 	const struct queue_entry *entry;
 
-	if (client->ready)
+	client = bt_gatt_client_ref_safe(client);
+	if (!client)
 		return;
 
-	bt_gatt_client_ref(client);
+	if (client->ready)
+		goto done;
+
 	client->ready = success;
 
 	if (client->parent)
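Review bot: reassigning the parameter with `client = bt_gatt_client_ref_safe(client)` means every path past the NULL check now owns a reference, and the `goto done` for the already-ready case correctly drops it; a one-line comment stating that the early `return` is the only path that does not hold a reference would make that invariant explicit, since a future `return` inserted between here and `done:` would leak one. Note also that this behaviour change depends on the corrected `||` condition in bt_gatt_client_ref_safe; as written the helper never returns NULL for a non-NULL client.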
@@ -1386,6 +1400,7 @@ static void notify_client_ready(struct bt_gatt_client *client, bool success,
 		notify_client_ready(clone, success, att_ecode);
 	}
 
+done:
 	bt_gatt_client_unref(client);
 }
 
-- 
2.39.2



* [PATCH BlueZ 4/4] shared/csip: Fix crash on bt_csip_get_sirk
From: Luiz Augusto von Dentz @ 2023-03-13 22:51 UTC (permalink / raw)
  To: linux-bluetooth

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

This fixes the following trace:

Invalid read of size 1
   at 0x1F4282: bt_csip_get_sirk (csip.c:812)
   by 0x176B21: csip_ready (csip.c:259)
   by 0x1F3C74: csip_notify_ready (csip.c:578)
   by 0x1F3C74: csip_idle (csip.c:659)
   by 0x1DCDCC: idle_notify (gatt-client.c:171)
   by 0x1D579A: queue_remove_if (queue.c:279)
   by 0x1D584F: queue_remove_all (queue.c:321)
   by 0x1E036F: notify_client_idle (gatt-client.c:180)
   by 0x1E036F: request_unref (gatt-client.c:199)
   by 0x1DC60D: destroy_att_send_op (att.c:211)
   by 0x1DC60D: handle_rsp (att.c:874)
   by 0x1DC60D: can_read_data (att.c:1064)
   by 0x1F43F4: watch_callback (io-glib.c:157)
   by 0x48BBC7E: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.7400.6)
   by 0x4912117: ??? (in /usr/lib64/libglib-2.0.so.0.7400.6)
   by 0x48BB24E: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.7400.6)
 Address 0x0 is not stack'd, malloc'd or (recently) free'd
---
 src/shared/csip.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/shared/csip.c b/src/shared/csip.c
index 094f448a3532..7e90a3c97614 100644
--- a/src/shared/csip.c
+++ b/src/shared/csip.c
@@ -810,6 +810,9 @@ bool bt_csip_get_sirk(struct bt_csip *csip, uint8_t *type,
 	if (!csis)
 		return false;
 
+	if (!csis->sirk_val)
+		return false;
+
 	if (type)
 		*type = csis->sirk_val->type;
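Review bot: the `if (!csis->sirk_val) return false;` guard is the correct fix for the NULL read at csip.c:812 in the trace, but the commit message should say why sirk_val can be NULL here: the trace shows csip_idle reaching bt_csip_get_sirk through notify_client_idle after the session's SIRK data is gone, which is the same idle-callback-after-detach problem that patches 1/4 and 2/4 close, so this check is a defensive backstop rather than the root-cause fix. Also, checkpatch flags the `g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.7400.6)` line of the quoted trace as exceeding 75 columns; trimming the "(in ...)" suffix from the library frames keeps the trace readable and the log clean.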
 
-- 
2.39.2



* RE: [BlueZ,1/4] shared/bap: Fix not unregistering idle callback on detach
From: bluez.test.bot @ 2023-03-14  0:48 UTC (permalink / raw)
  To: linux-bluetooth, luiz.dentz


This is an automated email, please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=729652

---Test result---

Test Summary:
CheckPatch                    FAIL      2.24 seconds
GitLint                       PASS      1.38 seconds
BuildEll                      PASS      27.19 seconds
BluezMake                     PASS      847.95 seconds
MakeCheck                     PASS      11.14 seconds
MakeDistcheck                 PASS      149.61 seconds
CheckValgrind                 PASS      244.58 seconds
CheckSmatch                   PASS      328.42 seconds
bluezmakeextell               PASS      99.01 seconds
IncrementalBuild              PASS      2848.45 seconds
ScanBuild                     WARNING   1027.16 seconds

Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
[BlueZ,4/4] shared/csip: Fix crash on bt_csip_get_sirk
WARNING:COMMIT_LOG_LONG_LINE: Possible unwrapped commit description (prefer a maximum 75 chars per line)
#100: 
   by 0x48BBC7E: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.7400.6)

/github/workspace/src/src/13173430.patch total: 0 errors, 1 warnings, 9 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

/github/workspace/src/src/13173430.patch has style problems, please review.

NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPDX_LICENSE_TAG SPLIT_STRING SSCANF_TO_KSTRTO

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.


##############################
Test: ScanBuild - WARNING
Desc: Run Scan Build
Output:
src/shared/gatt-client.c:179:18: warning: Access to field 'ref_count' results in a dereference of a null pointer (loaded from variable 'client')
        if (!client && !client->ref_count)
                        ^~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:451:21: warning: Use of memory after it is freed
        gatt_db_unregister(op->client->db, op->db_id);
                           ^~~~~~~~~~
src/shared/gatt-client.c:696:2: warning: Use of memory after it is freed
        discovery_op_complete(op, false, att_ecode);
        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:993:2: warning: Use of memory after it is freed
        discovery_op_complete(op, success, att_ecode);
        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1099:2: warning: Use of memory after it is freed
        discovery_op_complete(op, success, att_ecode);
        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1291:2: warning: Use of memory after it is freed
        discovery_op_complete(op, success, att_ecode);
        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1356:2: warning: Use of memory after it is freed
        discovery_op_complete(op, success, att_ecode);
        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1631:6: warning: Use of memory after it is freed
        if (read_db_hash(op)) {
            ^~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1636:2: warning: Use of memory after it is freed
        discover_all(op);
        ^~~~~~~~~~~~~~~~
src/shared/gatt-client.c:2142:6: warning: Use of memory after it is freed
        if (read_db_hash(op)) {
            ^~~~~~~~~~~~~~~~
src/shared/gatt-client.c:2150:8: warning: Use of memory after it is freed
                                                        discovery_op_ref(op),
                                                        ^~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:3238:2: warning: Use of memory after it is freed
        complete_write_long_op(req, success, 0, false);
        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:3260:2: warning: Use of memory after it is freed
        request_unref(req);
        ^~~~~~~~~~~~~~~~~~
13 warnings generated.



---
Regards,
Linux Bluetooth



* Re: [PATCH BlueZ 1/4] shared/bap: Fix not unregistering idle callback on detach
From: patchwork-bot+bluetooth @ 2023-03-14 19:40 UTC (permalink / raw)
  To: Luiz Augusto von Dentz; +Cc: linux-bluetooth

Hello:

This series was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Mon, 13 Mar 2023 15:51:47 -0700 you wrote:
> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> 
> This make sure idle callback is unregistered before bt_gatt_client is
> unref.
> ---
>  src/shared/bap.c | 2 ++
>  1 file changed, 2 insertions(+)

Here is the summary with links:
  - [BlueZ,1/4] shared/bap: Fix not unregistering idle callback on detach
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=932b90f6c33e
  - [BlueZ,2/4] shared/csip: Fix not unregistering idle callback on detach
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=605ee768b789
  - [BlueZ,3/4] shared/gatt-client: Introduce bt_gatt_client_ref_safe
    (no matching commit)
  - [BlueZ,4/4] shared/csip: Fix crash on bt_csip_get_sirk
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=e040109302d8

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



