From d437e525a944d02d9c387dbc2ff19964c1ed0d54 Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz
Date: Tue, 31 Mar 2020 10:28:23 -0700
Subject: [PATCH] gatt: Fix possible crashes when disconnecting

If there are pending AcquireWrite or AcquireNotify when disconnecting the attribute object may be freed (e.g. device is temporary) leading to the following backtrace:

bluetoothd[369928]: src/gatt-database.c:gatt_db_service_removed() Local GATT service removed
bluetoothd[369928]: src/adapter.c:adapter_service_remove() /org/bluez/hci1
bluetoothd[369928]: src/adapter.c:remove_uuid() sending remove uuid command for index 1
bluetoothd[369928]: src/sdpd-service.c:remove_record_from_server() Removing record with handle 0x1002e
bluetoothd[369928]: src/gatt-database.c:send_notification_to_device() GATT server sending indication
bluetoothd[369928]: src/device.c:gatt_debug() Write Complete: err -125
bluetoothd[369928]: src/gatt-database.c:client_disconnect_cb() Client disconnected
bluetoothd[369928]: src/advertising.c:client_disconnect_cb() Client disconnected
bluetoothd[369928]: Failed to acquire write: org.freedesktop.DBus.Error.NoReply
Program received signal SIGSEGV, Segmentation fault.
0x0000555555631450 in acquire_write_reply (message=0x55555583dec0, user_data=0x555555843e40) at src/gatt-database.c:2437
2437 send_write(op->device, op->attrib, chrc->proxy, NULL, op->id,

Signed-off-by: Anuj Jain
Signed-off-by: Ayush Garg
---
 src/gatt-database.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/gatt-database.c b/src/gatt-database.c
index af50ce4..aef5e81 100644
--- a/src/gatt-database.c
+++ b/src/gatt-database.c
@@ -2891,6 +2891,11 @@ static void acquire_write_reply(DBusMessage *message, void *user_data)
 int fd;
 uint16_t mtu;
+ if (!op->owner_queue) {
+ DBG("Pending write was canceled when object got removed");
+ return;
+ }
+
 chrc = gatt_db_attribute_get_user_data(op->attrib);
 dbus_error_init(&err);
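Review bot: The new guard at the top of acquire_write_reply is only a valid tombstone if the op handed to the AcquireWrite call was created with a non-NULL owner_queue and the attribute-removal path clears it; the diffstat shows this patch is insertions only, so the op's constructor is not adjusted here. If acquire_write() builds its pending_op with a NULL owner queue (not visible in this hunk — confirm against the pending_write_new() caller), every reply, success or error, would take this early return and the characteristic would never obtain its write socket, which is a silent functional regression rather than a crash. It would also help to document the lifetime protocol the sentinel encodes rather than leaving it to read like an ordinary null check, e.g. `/* owner_queue is cleared by the cancel path when the attribute is removed; op->attrib and op->device must not be dereferenced once it is NULL */`. The rest of acquire_write_reply, including the retry path that faulted in the backtrace, lies outside the hunk.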
@@ -2981,6 +2986,11 @@ static void acquire_notify_reply(DBusMessage *message, void *user_data)
 int fd;
 uint16_t mtu;
+ if (!op->owner_queue) {
+ DBG("Pending notify was canceled when object got removed");
+ return;
+ }
+
 dbus_error_init(&err);
 if (dbus_set_error_from_message(&err, message) == TRUE) {
--
2.7.4
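Review bot: The same precondition applies to acquire_notify_reply as to the write side: the guard only works if the op created for the AcquireNotify call carries a non-NULL owner_queue that the cancel path later clears, and because this patch adds lines only, that constructor is not touched — confirm acquire_notify() does not pass NULL as the owner queue, or every AcquireNotify reply will be discarded. When a successful reply arrives after cancellation, the fd it carries is now dropped without being read; libdbus presumably closes fds that were never extracted from the message, but the application is left believing its notify socket is live until it observes the hang-up, so that consequence is worth a one-line comment above the return, e.g. `/* reply (and any fd it carries) is discarded; the app sees EOF on its socket */`, hedged if the libdbus fd ownership is not confirmed. acquire_notify_reply continues past the end of this hunk.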