[PATCH] gobex: Fix segfault caused by interrupted transfer

[PATCH] gobex: Fix segfault caused by interrupted transfer

[Denis Grigorev]

When a obex transfer is interrupted by a peer in the middle, the response
G_OBEX_RSP_FORBIDDEN comes and the transfer is freed in transfer_complete.
However gobex is still ref'ed and gobex->io continues to be writable,
so write_data() and, if a tx packet was queued, put_get_data() and then
g_obex_abort() are called. When the abort response comes, the data of
complete_func callback is already freed, which leads to the crash.

Backtrace :
__GI___pthread_mutex_lock (mutex=0x65732f74) at pthread_mutex_lock.c:67
0xecc6eeda in dbus_connection_get_object_path_data () from /usr/lib/libdbus-1.so.3
0x000457d4 in g_dbus_emit_property_changed_full () at gdbus/object.c:1794
0x00045868 in g_dbus_emit_property_changed () at gdbus/object.c:1832
0x000367f0 in transfer_set_status () at obexd/client/transfer.c:211
0x0003681e in transfer_set_status () at obexd/client/transfer.c:206
xfer_complete () at obexd/client/transfer.c:672
0x00022df6 in transfer_complete () at gobex/gobex-transfer.c:103
0x00022f44 in transfer_abort_response () at gobex/gobex-transfer.c:124
0x00020a0e in handle_response () at gobex/gobex.c:1128
0x00020dde in incoming_data () at gobex/gobex.c:1373

This commit introduces g_obex_drop_tx_queue(), which will be called if
a transfer error detected. After the tx queue is dropped, obex shuts down
gracefully.

To be able to close L2CAP connection when there are pending frames,
Linux kernels below v4.3 must have the following commits cherry-picked:

2baea85dec1aebe0b100d4836dee8bcf29a51e94 - Bluetooth: L2CAP ERTM shutdown protect sk and chan
f65468f6e26c3bd05e642e10e80a485b99b7de05 - Bluetooth: Make __l2cap_wait_ack more efficient
451e4c6c6b3fd1a9f446a10eb9f6d4c2c476043c - Bluetooth: Add BT_DBG to l2cap_sock_shutdown()
cb02a25583b59ce48267472cd092485d754964f9 - Bluetooth: __l2cap_wait_ack() use msecs_to_jiffies()
e432c72c464d2deb6c66d1e2a5f548dc1f0ef4dc - Bluetooth: __l2cap_wait_ack() add defensive timeout
e7456437c15a2fd42cedd25c2b12b06876f285f0 - Bluetooth: Unwind l2cap_sock_shutdown()
04ba72e6b24f1e0e2221fcd73f08782870473fa1 - Bluetooth: Reorganize mutex lock in l2cap_sock_shutdown()
9f7378a9d6ced1784e08d3e21a9ddb769523baf2 - Bluetooth: l2cap_disconnection_req priority over shutdown

Signed-off-by: Denis Grigorev <d.grigorev@omprussia.ru>
---
 gobex/gobex-transfer.c |  5 +++++
 gobex/gobex.c          | 10 ++++++++++
 gobex/gobex.h          |  1 +
 3 files changed, 16 insertions(+)

diff --git a/gobex/gobex-transfer.c b/gobex/gobex-transfer.c
index bc9930679..e96e61fbc 100644
--- a/gobex/gobex-transfer.c
+++ b/gobex/gobex-transfer.c
@@ -100,6 +100,11 @@ static void transfer_complete(struct transfer *transfer, GError *err)
 
 	g_obex_debug(G_OBEX_DEBUG_TRANSFER, "transfer %u", id);
 
+	if (err) {
+		/* No further tx must be performed */
+		g_obex_drop_tx_queue(transfer->obex);
+	}
+
 	transfer->complete_func(transfer->obex, err, transfer->user_data);
 	/* Check if the complete_func removed the transfer */
 	if (find_transfer(id) == NULL)
diff --git a/gobex/gobex.c b/gobex/gobex.c
index 77f1aaafd..d68a85eb6 100644
--- a/gobex/gobex.c
+++ b/gobex/gobex.c
@@ -521,6 +521,16 @@ static void enable_tx(GObex *obex)
 	obex->write_source = g_io_add_watch(obex->io, cond, write_data, obex);
 }
 
+void g_obex_drop_tx_queue(GObex *obex)
+{
+	struct pending_pkt *p;
+
+	g_obex_debug(G_OBEX_DEBUG_COMMAND, "");
+
+	while ((p = g_queue_pop_head(obex->tx_queue)))
+		pending_pkt_free(p);
+}
+
 static gboolean g_obex_send_internal(GObex *obex, struct pending_pkt *p,
 								GError **err)
 {
diff --git a/gobex/gobex.h b/gobex/gobex.h
index b223a2fac..a94d9246e 100644
--- a/gobex/gobex.h
+++ b/gobex/gobex.h
@@ -63,6 +63,7 @@ gboolean g_obex_remove_request_function(GObex *obex, guint id);
 void g_obex_suspend(GObex *obex);
 void g_obex_resume(GObex *obex);
 gboolean g_obex_srm_active(GObex *obex);
+void g_obex_drop_tx_queue(GObex *obex);
 
 GObex *g_obex_new(GIOChannel *io, GObexTransportType transport_type,
 						gssize rx_mtu, gssize tx_mtu);
-- 
2.17.1

RE: gobex: Fix segfault caused by interrupted transfer

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 3074 bytes --]


This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
While we are preparing for reviewing the patches, we found the following
issue/warning.

Test Result:
checkpatch Failed

Outputs:
WARNING:COMMIT_LOG_LONG_LINE: Possible unwrapped commit description (prefer a maximum 75 chars per line)
#15: 
0xecc6eeda in dbus_connection_get_object_path_data () from /usr/lib/libdbus-1.so.3

ERROR:GIT_COMMIT_ID: Please use git commit description style 'commit <12+ chars of sha1> ("<title line>")' - ie: 'commit fatal: bad o ("36dee8bcf29a51e94")'
#33: 
2baea85dec1aebe0b100d4836dee8bcf29a51e94 - Bluetooth: L2CAP ERTM shutdown protect sk and chan

ERROR:GIT_COMMIT_ID: Please use git commit description style 'commit <12+ chars of sha1> ("<title line>")' - ie: 'commit fatal: bad o ("0e80a485b99b7de05")'
#34: 
f65468f6e26c3bd05e642e10e80a485b99b7de05 - Bluetooth: Make __l2cap_wait_ack more efficient

ERROR:GIT_COMMIT_ID: Please use git commit description style 'commit <12+ chars of sha1> ("<title line>")' - ie: 'commit fatal: bad o ("eb9f6d4c2c476043c")'
#35: 
451e4c6c6b3fd1a9f446a10eb9f6d4c2c476043c - Bluetooth: Add BT_DBG to l2cap_sock_shutdown()

ERROR:GIT_COMMIT_ID: Please use git commit description style 'commit <12+ chars of sha1> ("<title line>")' - ie: 'commit fatal: bad o ("cd092485d754964f9")'
#36: 
cb02a25583b59ce48267472cd092485d754964f9 - Bluetooth: __l2cap_wait_ack() use msecs_to_jiffies()

ERROR:GIT_COMMIT_ID: Please use git commit description style 'commit <12+ chars of sha1> ("<title line>")' - ie: 'commit fatal: bad o ("2a5f548dc1f0ef4dc")'
#37: 
e432c72c464d2deb6c66d1e2a5f548dc1f0ef4dc - Bluetooth: __l2cap_wait_ack() add defensive timeout

ERROR:GIT_COMMIT_ID: Please use git commit description style 'commit <12+ chars of sha1> ("<title line>")' - ie: 'commit fatal: bad o ("c2b12b06876f285f0")'
#38: 
e7456437c15a2fd42cedd25c2b12b06876f285f0 - Bluetooth: Unwind l2cap_sock_shutdown()

ERROR:GIT_COMMIT_ID: Please use git commit description style 'commit <12+ chars of sha1> ("<title line>")' - ie: 'commit fatal: bad o ("73f08782870473fa1")'
#39: 
04ba72e6b24f1e0e2221fcd73f08782870473fa1 - Bluetooth: Reorganize mutex lock in l2cap_sock_shutdown()

ERROR:GIT_COMMIT_ID: Please use git commit description style 'commit <12+ chars of sha1> ("<title line>")' - ie: 'commit fatal: bad o ("21a9ddb769523baf2")'
#40: 
9f7378a9d6ced1784e08d3e21a9ddb769523baf2 - Bluetooth: l2cap_disconnection_req priority over shutdown

- total: 8 errors, 1 warnings, 34 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

Your patch has style problems, please review.

NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPLIT_STRING

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.



---
Regards,
Linux Bluetooth

RE: gobex: Fix segfault caused by interrupted transfer

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 1534 bytes --]


This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
While we are preparing for reviewing the patches, we found the following
issue/warning.

Test Result:
checkgitlint Failed

Outputs:
12: B1 Line exceeds max length (82>80): "0xecc6eeda in dbus_connection_get_object_path_data () from /usr/lib/libdbus-1.so.3"
30: B1 Line exceeds max length (93>80): "2baea85dec1aebe0b100d4836dee8bcf29a51e94 - Bluetooth: L2CAP ERTM shutdown protect sk and chan"
31: B1 Line exceeds max length (90>80): "f65468f6e26c3bd05e642e10e80a485b99b7de05 - Bluetooth: Make __l2cap_wait_ack more efficient"
32: B1 Line exceeds max length (89>80): "451e4c6c6b3fd1a9f446a10eb9f6d4c2c476043c - Bluetooth: Add BT_DBG to l2cap_sock_shutdown()"
33: B1 Line exceeds max length (95>80): "cb02a25583b59ce48267472cd092485d754964f9 - Bluetooth: __l2cap_wait_ack() use msecs_to_jiffies()"
34: B1 Line exceeds max length (94>80): "e432c72c464d2deb6c66d1e2a5f548dc1f0ef4dc - Bluetooth: __l2cap_wait_ack() add defensive timeout"
35: B1 Line exceeds max length (82>80): "e7456437c15a2fd42cedd25c2b12b06876f285f0 - Bluetooth: Unwind l2cap_sock_shutdown()"
36: B1 Line exceeds max length (100>80): "04ba72e6b24f1e0e2221fcd73f08782870473fa1 - Bluetooth: Reorganize mutex lock in l2cap_sock_shutdown()"
37: B1 Line exceeds max length (100>80): "9f7378a9d6ced1784e08d3e21a9ddb769523baf2 - Bluetooth: l2cap_disconnection_req priority over shutdown"



---
Regards,
Linux Bluetooth