linux-bluetooth.vger.kernel.org archive mirror
From: Howard Chung <howardchung@google.com>
To: linux-bluetooth@vger.kernel.org, luiz.dentz@gmail.com
Cc: Yun-Hao Chung <howardchung@chromium.org>
Subject: [Bluez PATCH v1 14/14] core: fix a possible crash when removing devices
Date: Thu,  8 Jul 2021 14:23:14 +0800
Message-ID: <20210708142059.Bluez.v1.14.Ib24a67a8a849f311d5213f83eaac3cfbc54b7b58@changeid>
In-Reply-To: <20210708062314.245754-1-howardchung@google.com>

From: Yun-Hao Chung <howardchung@chromium.org>

This patch changes the logic of probe_service so that the same service
will not be added to a device.
---
The crash can be reproduced with the following steps:

1. set service allowlist to ['aaaa']
2. pair with any device
3. after the device is disconnected, set service allowlist to an empty
   list
4. remove the device from adapter

In step 3, when the allowlist is set to empty, the profile that was blocked
will be added to each device. However, in step 2, the profiles the device
provides had already been added. Due to the logic of
device.c:probe_service, there will be 2 identical services in
device->services, which causes a double-free error when removing the
device.

 src/device.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/device.c b/src/device.c
index 0d7444706336..dba26f787066 100644
--- a/src/device.c
+++ b/src/device.c
@@ -4709,8 +4709,11 @@ static struct btd_service *probe_service(struct btd_device *device,
 		return NULL;
 
 	l = find_service_with_profile(device->services, profile);
+	/* If the service already exists, return NULL so that it won't be added
+	 * to the device->services.
+	 */
 	if (l)
-		return l->data;
+		return NULL;
 
 	service = service_create(device, profile);
 
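Review bot: after this change a caller of probe_service() cannot distinguish an already-probed profile (the new `return NULL` after find_service_with_profile) from the early `return NULL` at the top of the hunk, so any call site that treats NULL as a failed probe will now handle an already-active profile as a failure too; please check each caller of probe_service() and, at minimum, extend the comment to say that NULL here means "already present", not "probe failed". Minor wording: "added to the device->services" reads better as "added to device->services".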
-- 
2.32.0.93.g670b81a890-goog

