Update to bluez5 5.65 #8
Merged
The fact that each client can start its own discovery wasn't clear from the documentation and only becomes obvious when reading the sources.
In a connection without outgoing traffic, conn->tx_num will remain 0. In this case, conn->tx_pkt_med should be simply 0 without calculating "conn->tx_bytes / conn->tx_num". This was likely to happen, for example, when "btmon -w btsnoop.log" was launched in the middle of a LE mouse connection, and a number of incoming ACL Data RX were received as the mouse movements. When running "btmon -a btsnoop.log", it would encounter this error.
Reviewed-by: Alain Michaud <alainm@chromium.org>
Reviewed-by: Yun-Hao Chung <howardchung@chromium.org>
Reviewed-by: Shuo-Peng Liao <deanliao@chromium.org>
s/suuported/supported
Include sys/types.h to avoid the following build failure on musl raised since commit fb57ad9:
In file included from src/shared/queue.c:15:
./src/shared/util.h:106:1: error: unknown type name 'ssize_t'; did you mean 'size_t'?
106 | ssize_t util_getrandom(void *buf, size_t buflen, unsigned int flags);
| ^~~~~~~
| size_t
Fixes:
- http://autobuild.buildroot.org/results/83eaeb3863040645409f5787fdbdde79385c5257
dbus_message_iter_recurse only makes sense for container types, this is a string. Fixes: bluez/bluez#300
If no specific index is given attempt to bind the next index if the current one is already in use.
With use of UHID_CREATE2 the code needs to wait for UHID_START in order to know if the reports are numbered or not. Fixes: bluez/bluez#298
This adds an option (-l/--emulator) to start btvirt before processing the command which is convenient to run tools like bluetoothctl:
sudo tools/test-runner -l -d -k <pathto/bzImage> -- client/bluetoothctl power on
This introduces bt_shell_exec which can be used to inject commands into a bt_shell without using stdin/user input.
Instead of parsing the command line, which can contain a shell script, run using /bin/sh so it allows more complex command line to be tested:
sudo tools/test-runner -l -d -k <pathto/bzImage> -- 'client/bluetoothctl power on && sleep 2 && client/bluetoothctl power off'
This adds support for entering the transport directly as a scan argument rather than having to first set it with scan.transport.
Check whether type of UUIDs property of GattProfile1 object is correct.
%32s expects a buffer of at least 33 bytes, since it is a string it needs to be NULL terminated.
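The commit above states the sizing rule but not why a 32-byte buffer is one byte short. As an added example (mine, not bluez code and not part of this PR): a `%Ns` conversion stores up to N characters followed by a terminating NUL, so the destination needs N + 1 bytes, and the overrun happens exactly when the token is N characters long. The snippet below derives the scanf width and the buffer size from one constant, checks the relationship at compile time, and rejects a token that hit the width instead of silently keeping a truncated value. The `record` struct, `NAME_LEN` and `parse_name` are the example's own names.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not bluez code. A "%Ns" conversion stores up to N
 * characters followed by a terminating NUL, so the destination must hold
 * N + 1 bytes: "%32s" into char[32] writes one byte past the end when the
 * token is exactly 32 characters long. Tie both sizes to one constant. */

#define NAME_LEN 32	/* maximum token length accepted */

struct record {
	char name[NAME_LEN + 1];	/* NAME_LEN characters plus NUL */
};

/* Fails at compile time if someone shrinks the buffer but not the width. */
_Static_assert(sizeof(((struct record *)0)->name) == NAME_LEN + 1,
	       "name must hold NAME_LEN characters plus the terminating NUL");

/* Parse the first whitespace-delimited token of line into out, which must
 * hold NAME_LEN + 1 bytes. Returns 1 on success, 0 if there is no token or
 * the token is longer than NAME_LEN (a silently truncated value is not
 * accepted). */
int parse_name(const char *line, char out[NAME_LEN + 1])
{
	char fmt[16];
	int consumed = 0;

	/* Build "%32s%n" from the same constant that sizes the buffer. %n
	 * records how many input characters were consumed so far. */
	snprintf(fmt, sizeof(fmt), "%%%ds%%n", NAME_LEN);

	if (sscanf(line, fmt, out, &consumed) != 1)
		return 0;

	/* The width was hit and the next input character is still part of
	 * the token: it was longer than NAME_LEN, so reject it. */
	if (strlen(out) == NAME_LEN && line[consumed] != '\0' &&
	    !isspace((unsigned char)line[consumed]))
		return 0;

	return 1;
}
```

The `_Static_assert` is the part worth copying: it turns the 32/33 mismatch the commit fixed into a build error rather than a write past the end of the buffer.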
The PDU of Create BIG is actually fixed size as the num_bis is related to the number of indexes to be connected and not the BIS parameters.
This adds implementation of BT_HCI_CMD_LE_PERIODIC_ADV_CREATE_SYNC generating BT_HCI_EVT_LE_PER_SYNC_ESTABLISHED and BT_HCI_EVT_LE_PER_ADV_REPORT.
This adds implementation of BT_HCI_CMD_LE_PERIODIC_ADV_CREATE_SYNC_CANCEL generating BT_HCI_EVT_LE_PER_SYNC_ESTABLISHED if necessary.
This adds implementation of BT_HCI_CMD_LE_PERIODIC_ADV_TERM_SYNC.
This sends BT_HCI_EVT_LE_PER_SYNC_ESTABLISHED if scan is initiated while BT_HCI_CMD_LE_PERIODIC_ADV_CREATE_SYNC is pending.
This sends BT_HCI_EVT_LE_PER_SYNC_ESTABLISHED if the remote device starts to periodically advertise when BT_HCI_CMD_LE_PERIODIC_ADV_CREATE_SYNC is pending.
This renames the use of Periodic Advertising in the API to just PA.
This sends BT_HCI_EVT_LE_BIG_SYNC_ESTABLISHED when handling BT_HCI_CMD_LE_BIG_CREATE_SYNC.
This sends BT_HCI_EVT_DISCONNECT_COMPLETE when handling BT_HCI_CMD_LE_BIG_TERM_SYNC.
This adds sending and receiving BT_H4_ISO_PKT packets.
This adds bthost_set_pa_params and bthost_set_pa_enable.
This adds bthost_create_big
Sample stack trace:
0x0000567c394e4c6b (bluetoothd - a2dp.c: 270) setup_cb_free
0x0000567c394e4a94 (bluetoothd - a2dp.c: 2884) a2dp_discover
0x0000567c394e3c03 (bluetoothd - sink.c: 275) sink_setup_stream
0x0000567c394e3d4f (bluetoothd - sink.c: 299) sink_connect
0x0000567c39535183 (bluetoothd - service.c: 294) btd_service_connect
0x0000567c39539f68 (bluetoothd - device.c: 2006) connect_next
0x0000567c3954086d (bluetoothd - device.c: 2060) service_state_changed
0x0000567c39534efb (bluetoothd - service.c: 111) change_state
0x0000567c3953559c (bluetoothd - service.c: 0) btd_service_connecting_complete
0x0000567c39534a5c (bluetoothd - profile.c: 1641) record_cb
0x0000567c395197cd (bluetoothd - sdp-client.c: 298) connect_watch
0x00007b14bc8034f6 (libglib-2.0.so.0 - gmain.c: 3337) g_main_context_dispatch
0x00007b14bc803801 (libglib-2.0.so.0 - gmain.c: 4131) g_main_context_iterate
0x00007b14bc803a7d (libglib-2.0.so.0 - gmain.c: 4329) g_main_loop_run
0x0000567c39566af1 (bluetoothd - mainloop-glib.c: 79) mainloop_run
0x0000567c39566ddb (bluetoothd - mainloop-notify.c: 201) mainloop_run_with_signal
0x0000567c3954bf4c (bluetoothd - main.c: 1222) main
0x00007b14bc579797 (libc.so.6 - libc-start.c: 332) __libc_start_main
0x0000567c394df449 (bluetoothd) _start
0x00007ffd70145737
This could be triggered from a2dp_discover -> avdtp_discover -> send_request -> send_req -> l2cap_connect (return error) -> avdtp_set_state (to disconnect state) -> channel_remove -> channel_free -> finalize_setup_errno (discover cb is freed) -> error handling all the way back to a2dp_discover -> a2dp_discover (discover cb is freed again, crashed!).
The fix is to attach cb with setup after avdtp_discover success.
Suggested-by: luiz.dentz@gmail.com
Reviewed-by: Archie Pusaka <apusaka@chromium.org>
The response should include both the status and TX Power regardless of whether the command succeeds or not.
This fixes -l/--emulator not able to start depending on what parameters are given as it was not setting the directory properly.
This updates usage so it lists -l/--emulator properly:
test-runner - Automated test execution utility
Usage:
test-runner [options] [--] <command> [args]
Options:
-a, --auto Find tests and run them
-d, --dbus Start D-Bus daemon
-m, --monitor Start btmon
-l, --emulator Start btvirt
-u, --unix [path] Provide serial device
-q, --qemu <path> QEMU binary
-k, --kernel <image> Kernel image (bzImage)
-h, --help Show help options
This prints an error if gatt_db_attribut_notify fails.
Makes it possible to disable autopair plugin with build-time configuration flag.
If authentication fails with MGMT_STATUS_NOT_PAIRED the device is obviously not connected either and we should notify of it. Also remove from the device since connection attempt is likely to fail.
dcaliste reviewed Sep 16, 2022
Patches with bugs associated in this commit:
- Add some missing tests and a tool. JB#36849
- Depend on findutils as /etc/obexd.conf requires find. JB#41628
- Use 'bluez5' for pkgconfig target. Fixes JB#36627
- Add tracing file for obexd. JB#36940
- Add package for obexd tracing. JB#36940
- Disable autopair plugin. JB#40419
- obex: Don't try to control systemd user session. Fixes JB#46633
- Split hciattach tool to own subpackage. JB#48791
- Use systemd macros to build on aarch64. JB#49681
- Enable NFC pairing. JB#54815
- Allow D-Bus activation only through systemd. JB#52572
- Don't rename bluez.pc to bluez5.spec. JB#57121
- Disable manpages building. JB#56721
Co-authored-by: Hannu Mallat <hmallat@gmail.com>
Co-authored-by: Bea Lam <bea.lam@jolla.com>
Co-authored-by: Pekka Vuorela <pekka.vuorela@jolla.com>
Co-authored-by: Marko Saukko <marko.saukko@jolla.com>
Co-authored-by: Juho Hämäläinen <juho.hamalainen@jolla.com>
Co-authored-by: David Greaves <david.greaves@jolla.com>
Co-authored-by: Ildar Kamaletdinov <i.kamaletdinov@omprussia.ru>
Instead of waiting for connman we can start already when D-Bus is available. Fixes JB#48911
Patches with bugs associated in this commit:
- Forwards mpris control and data over Bluez. This enables music metadata over BT audio, and play/pause commands from Bluetooth devices. Fixes JB#41652
- Automatically restart mpris-proxy service if it crashes. Fixes JB#58244
mlehtima force-pushed the jb58740_update branch from fabb268 to 7d0f4fd on September 16, 2022 10:43
abranson approved these changes Sep 17, 2022
mlehtima pushed a commit that referenced this pull request on Sep 19, 2022:
The following trace can be observed sometimes when pairing 2 emulator instances:
src/adapter.c:store_link_key() Unable to load key file from /var/lib/bluetooth/9C:DA:3E:F2:8E:46/9C:B6:D0:8A:A0:0C/info: (No such file or directory)
GLib: g_file_set_contents: assertion 'error == NULL || *error == NULL' failed
++++++++ backtrace ++++++++
#1 btd_backtrace+0x28a (src/backtrace.c:59) [0x7f65bb5ab53a]
#2 g_logv+0x21c (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6) [0x7f65ba3f955c]
#3 g_log+0x93 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6) [0x7f65ba3f9743]
#4 g_file_set_contents+0x68 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6) [0x7f65ba3dca68]
#5 store_link_key+0x30a (src/adapter.c:8235) [0x7f65bb61839a]
#6 new_link_key_callback+0x474 (src/adapter.c:8285) [0x7f65bb62c904]
#7 queue_foreach+0x164 (src/shared/queue.c:203) [0x7f65bb722e34]
#8 can_read_data+0x59f (src/shared/mgmt.c:343) [0x7f65bb72e09f]
#9 watch_callback+0x112 (src/shared/io-glib.c:162) [0x7f65bb78acb2]
#10 g_main_context_dispatch+0x14e (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6) [0x7f65ba3f204e]
mlehtima pushed a commit that referenced this pull request on Sep 19, 2022:
This patch fixes the out-of-bounds array access caught by ASAN.
monitor/sdp.c:497:19: runtime error: index 8 out of bounds for type 'cont_data [8]'
=================================================================
==4180==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fe2d271a542 at pc 0x7fe2d174a57d bp 0x7ffc6dcac1d0 sp 0x7ffc6dcab978
WRITE of size 9 at 0x7fe2d271a542 thread T0
#0 0x7fe2d174a57c (/lib/x86_64-linux-gnu/libasan.so.5+0x9b57c)
#1 0x7fe2d23bae85 in search_attr_rsp monitor/sdp.c:692
#2 0x7fe2d23be3f1 in sdp_packet monitor/sdp.c:771
#3 0x7fe2d23b004c in l2cap_frame monitor/l2cap.c:3247
#4 0x7fe2d23b3d9c in l2cap_packet monitor/l2cap.c:3312
#5 0x7fe2d237d5c3 in packet_hci_acldata monitor/packet.c:11638
#6 0x7fe2d2381876 in packet_monitor monitor/packet.c:3967
#7 0x7fe2d230b285 in data_callback monitor/control.c:973
#8 0x7fe2d2447029 in mainloop_run src/shared/mainloop.c:106
#9 0x7fe2d2449306 in mainloop_run_with_signal src/shared/mainloop-notify.c:188
#10 0x7fe2d230324a in main monitor/main.c:290
#11 0x7fe2d0b440b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#12 0x7fe2d2303b7d in _start (/home/han1/work/dev/bluez/monitor/btmon+0x1dbb7d)
0x7fe2d271a542 is located 30 bytes to the left of global variable 'tid_list' defined in 'monitor/sdp.c:43:24' (0x7fe2d271a560) of size 384
0x7fe2d271a542 is located 2 bytes to the right of global variable 'cont_list' defined in 'monitor/sdp.c:424:25' (0x7fe2d271a400) of size 320
SUMMARY: AddressSanitizer: global-buffer-overflow (/lib/x86_64-linux-gnu/libasan.so.5+0x9b57c)
...
==4180==ABORTING
mlehtima pushed a commit that referenced this pull request on Jul 3, 2023:
To look up transports, use BAP stream pointers associated with them, not the path strings stored in the stream user data. This makes it clearer that transports presented to the sound server correspond to the actual streams. The Acquire/etc. of BAP transports are already tied to the associated stream.
This fixes use-after-free crashes in pac_clear. They occur because the lifetime of the path string was either that of media transport or media endpoint, which may be shorter than that of the BAP stream. In such case, pac_clear is entered with invalid pointer in stream user data, leading to crash.
There are a few code paths for this, e.g. making sound server delay its SetConfiguration response (e.g. gdb breakpoint) to get dbus timeout, then disconnecting:
ERROR: AddressSanitizer: heap-use-after-free on address XXXX
READ of size 3 at 0x606000031640 thread T0
...
#4 0x559891 in btd_debug src/log.c:117
#5 0x46abfd in pac_clear profiles/audio/media.c:1096
#6 0x79fcaf in bap_stream_clear_cfm src/shared/bap.c:914
#7 0x7a060d in bap_stream_detach src/shared/bap.c:987
#8 0x7a25ea in bap_stream_state_changed src/shared/bap.c:1210
#9 0x7a29cd in stream_set_state src/shared/bap.c:1254
#10 0x7be824 in stream_foreach_detach src/shared/bap.c:3820
#11 0x71d15d in queue_foreach src/shared/queue.c:207
#12 0x7beb98 in bt_bap_detach src/shared/bap.c:3836
#13 0x5228cb in bap_disconnect profiles/audio/bap.c:1342
#14 0x63247c in btd_service_disconnect src/service.c:305
freed by thread T0 here:
#0 0x7f16708b9388 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xb9388)
#1 0x7f167071b8cc in g_free (/lib64/libglib-2.0.so.0+0x5b8cc)
#2 0x7047b7 in remove_interface gdbus/object.c:660
#3 0x70aef6 in g_dbus_unregister_interface gdbus/object.c:1394
#4 0x47be30 in media_transport_destroy profiles/audio/transport.c:217
#5 0x464ab9 in endpoint_remove_transport profiles/audio/media.c:270
#6 0x464d26 in clear_configuration profiles/audio/media.c:292
#7 0x464e69 in clear_endpoint profiles/audio/media.c:300
#8 0x46516e in endpoint_reply profiles/audio/media.c:325
...
Fixes: 7b1b1a4 ("media: clear the right transport when clearing BAP endpoint")
mlehtima pushed a commit that referenced this pull request on Jul 3, 2023:
Don't call configuration callback if stream's transport was cleared in the meantime. The clear callback is called just before the stream is freed.
Fixes ASAN crash on disconnect while waiting for SetConfiguration DBus reply:
ERROR: AddressSanitizer: heap-use-after-free on address 0x60b00002eb90
READ of size 8 at 0x60b00002eb90 thread T0
#0 0x7a4892 in bap_stream_config_cfm_cb src/shared/bap.c:3201
#1 0x4688fb in pac_config_cb profiles/audio/media.c:1010
#2 0x462164 in media_endpoint_cancel profiles/audio/media.c:157
#3 0x462243 in media_endpoint_cancel_all profiles/audio/media.c:165
#4 0x46365b in clear_endpoint profiles/audio/media.c:297
#5 0x463a21 in endpoint_reply profiles/audio/media.c:325
...
freed by thread T0 here:
#0 0x7eff644b9388 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xb9388)
#1 0x78d8cc in bap_stream_free src/shared/bap.c:974
#2 0x78dbc8 in bap_stream_detach src/shared/bap.c:991
#3 0x78fa43 in bap_stream_state_changed src/shared/bap.c:1210
#4 0x78fe26 in stream_set_state src/shared/bap.c:1254
#5 0x7ab5ce in stream_foreach_detach src/shared/bap.c:3820
#6 0x70ce06 in queue_foreach src/shared/queue.c:207
#7 0x7ab942 in bt_bap_detach src/shared/bap.c:3836
#8 0x51da7a in bap_disconnect profiles/audio/bap.c:1342
#9 0x626e57 in btd_service_disconnect src/service.c:305
mlehtima pushed a commit that referenced this pull request on Jul 3, 2023:
The following crash can be observed if the remote peer sends an unsupported event:
ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000148f11 at pc 0x559644552088 bp 0x7ffe28b3c7b0 sp 0x7ffe28b3c7a0
WRITE of size 1 at 0x60b000148f11 thread T0
#0 0x559644552087 in avrcp_handle_event profiles/audio/avrcp.c:3907
#1 0x559644536c22 in control_response profiles/audio/avctp.c:939
#2 0x5596445379ab in session_cb profiles/audio/avctp.c:1108
#3 0x7fbcb3e51c43 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43)
#4 0x7fbcb3ea66c7 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xaa6c7)
#5 0x7fbcb3e512b2 in g_main_loop_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x552b2)
#6 0x559644754ab6 in mainloop_run src/shared/mainloop-glib.c:66
#7 0x559644755606 in mainloop_run_with_signal src/shared/mainloop-notify.c:188
#8 0x5596445bb963 in main src/main.c:1289
#9 0x7fbcb3bafd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#10 0x7fbcb3bafe3f in __libc_start_main_impl ../csu/libc-start.c:392
#11 0x5596444e8224 in _start (/usr/local/libexec/bluetooth/bluetoothd+0xf0224)
mlehtima pushed a commit that referenced this pull request on Dec 13, 2023:
It seems like some implementation of vasprintf set the content of the str to NULL rather than returning -1 causing the following errors:
=================================================================
==216204==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x55e787722cf0 in thread T0
#0 0x55e784f75872 in __interceptor_free.part.0 asan_malloc_linux.cpp.o
#1 0x55e7850e55f9 in bt_log_vprintf /usr/src/debug/bluez-git/bluez-git/src/shared/log.c:154:2
#2 0x55e78502db18 in monitor_log /usr/src/debug/bluez-git/bluez-git/src/log.c:40:2
#3 0x55e78502dab4 in info /usr/src/debug/bluez-git/bluez-git/src/log.c:52:2
#4 0x55e78502e314 in __btd_log_init /usr/src/debug/bluez-git/bluez-git/src/log.c:179:2
#5 0x55e78502aa63 in main /usr/src/debug/bluez-git/bluez-git/src/main.c:1388:2
#6 0x7f1d5fe27ccf (/usr/lib/libc.so.6+0x27ccf) (BuildId: 316d0d3666387f0e8fb98773f51aa1801027c5ab)
#7 0x7f1d5fe27d89 in __libc_start_main (/usr/lib/libc.so.6+0x27d89) (BuildId: 316d0d3666387f0e8fb98773f51aa1801027c5ab)
#8 0x55e784e88084 in _start (/usr/lib/bluetooth/bluetoothd+0x36084) (BuildId: 19348ea642303b701c033d773055becb623fe79a)
Address 0x55e787722cf0 is a wild pointer inside of access range of size 0x000000000001.
SUMMARY: AddressSanitizer: bad-free asan_malloc_linux.cpp.o in __interceptor_free.part.0
==216204==ABORTING
Sep 18 13:10:02 archlinux systemd[1]: bluetooth.service: Main process exited, code=exited, status=1/FAILURE
mlehtima pushed a commit that referenced this pull request on Dec 13, 2023:
Primary/Secondary Counters are supposed to be 16 bytes values, if the server has implemented them incorrectly it may lead to the following crash:
=================================================================
==31860==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x607000001878 at pc 0x7f95a1575638 bp 0x7fff58c6bb80 sp 0x7fff58c6b328
READ of size 48 at 0x607000001878 thread T0
#0 0x7f95a1575637 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:860
#1 0x7f95a1575ba6 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:892
#2 0x7f95a1575ba6 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:887
#3 0x564df69c77a0 in read_version obexd/client/pbap.c:288
#4 0x564df69c77a0 in read_return_apparam obexd/client/pbap.c:352
#5 0x564df69c77a0 in phonebook_size_callback obexd/client/pbap.c:374
#6 0x564df69bea3c in session_terminate_transfer obexd/client/session.c:921
#7 0x564df69d56b0 in get_xfer_progress_first obexd/client/transfer.c:729
#8 0x564df698b9ee in handle_response gobex/gobex.c:1140
#9 0x564df698cdea in incoming_data gobex/gobex.c:1385
#10 0x7f95a12fdc43 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43)
#11 0x7f95a13526c7 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xaa6c7)
#12 0x7f95a12fd2b2 in g_main_loop_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x552b2)
#13 0x564df6977d41 in main obexd/src/main.c:307
#14 0x7f95a10a7d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#15 0x7f95a10a7e3f in __libc_start_main_impl ../csu/libc-start.c:392
#16 0x564df6978704 in _start (/usr/local/libexec/bluetooth/obexd+0x8b704)
0x607000001878 is located 0 bytes to the right of 72-byte region [0x607000001830,0x607000001878)
allocated by thread T0 here:
#0 0x7f95a1595a37 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
#1 0x564df69c8b6a in pbap_probe obexd/client/pbap.c:1259
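The trace above is a 48-byte memcmp read running past a 72-byte allocation because the peer's version counter was shorter than the 16 bytes the code assumed. As an added example (mine, not obexd code and not part of this PR), the parser below walks the OBEX application-parameter list, which is a sequence of tag (1 byte), length (1 byte), value entries, and refuses a PrimaryFolderVersion or SecondaryFolderVersion whose length is not exactly 16 before anything compares it. The tag values 0x0A and 0x0B are the PBAP specification's; the `pbap_versions` struct, the function names and the sample buffers in the test are constructed for this example. Untrusted length fields must be checked against the remaining buffer before the value is touched, and a fixed-size field must be checked for its exact size before a fixed-size memcmp.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not obexd code. OBEX application parameters are a list
 * of tag(1) len(1) value(len) entries. The PBAP folder-version counters
 * (tags 0x0A and 0x0B in the PBAP spec) are defined as 16 bytes; a peer
 * that sends a shorter value must be rejected before any 16-byte memcmp. */

#define PBAP_TAG_PRIMARY_VERSION	0x0A
#define PBAP_TAG_SECONDARY_VERSION	0x0B
#define PBAP_VERSION_LEN		16

struct pbap_versions {
	bool have_primary;
	bool have_secondary;
	uint8_t primary[PBAP_VERSION_LEN];
	uint8_t secondary[PBAP_VERSION_LEN];
};

/* Copy one counter out of a TLV value, insisting on the exact length. */
static bool take_counter(const uint8_t *val, size_t vlen,
			 uint8_t out[PBAP_VERSION_LEN], bool *have)
{
	if (vlen != PBAP_VERSION_LEN)
		return false;
	memcpy(out, val, PBAP_VERSION_LEN);
	*have = true;
	return true;
}

/* Parse buf[0..len). Returns false if a header or value runs past the
 * buffer or a version counter has the wrong length; unknown tags are
 * skipped. When it returns false, *out must not be used. */
bool pbap_parse_versions(const uint8_t *buf, size_t len,
			 struct pbap_versions *out)
{
	size_t i = 0;

	memset(out, 0, sizeof(*out));

	while (i < len) {
		uint8_t tag, vlen;

		if (len - i < 2)
			return false;		/* truncated tag/len header */
		tag = buf[i];
		vlen = buf[i + 1];
		i += 2;
		if (vlen > len - i)
			return false;		/* value runs past the buffer */

		switch (tag) {
		case PBAP_TAG_PRIMARY_VERSION:
			if (!take_counter(buf + i, vlen, out->primary,
					  &out->have_primary))
				return false;
			break;
		case PBAP_TAG_SECONDARY_VERSION:
			if (!take_counter(buf + i, vlen, out->secondary,
					  &out->have_secondary))
				return false;
			break;
		default:
			break;			/* not ours: skip the value */
		}
		i += vlen;
	}
	return true;
}

/* Safe to memcmp: the parser guaranteed all 16 bytes are present. */
bool pbap_primary_changed(const struct pbap_versions *v,
			  const uint8_t cached[PBAP_VERSION_LEN])
{
	return v->have_primary &&
	       memcmp(v->primary, cached, PBAP_VERSION_LEN) != 0;
}
```

The two bounds checks in the loop (`len - i < 2` and `vlen > len - i`) are written as subtractions from the remaining length rather than additions to the index, so they cannot overflow on hostile input.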
mlehtima pushed a commit that referenced this pull request on Jun 13, 2024:
This fixes the following crash when a broadcast stream setup is pending and the device is removed:
bluetoothd[37]: src/device.c:device_free() 0x89a500
bluetoothd[37]: GLib: Invalid file descriptor.
bluetoothd[37]: ++++++++ backtrace ++++++++
bluetoothd[37]: #1 g_logv+0x270 (/usr/lib64/libglib-2.0.so.0.7600.6) [0x7feb557e3120]
bluetoothd[37]: #2 g_log+0x93 (/usr/lib64/libglib-2.0.so.0.7600.6) [0x7feb557e3403]
bluetoothd[37]: #3 g_io_channel_error_from_errno+0x4a (/usr/lib64/libglib-2.0.so.0.7600.6) [0x7feb557cd9da]
bluetoothd[37]: #4 g_io_unix_close+0x53 (/usr/lib64/libglib-2.0.so.0.7600.6) [0x7feb55839d53]
bluetoothd[37]: #5 g_io_channel_shutdown+0x10f (/usr/lib64/libglib-2.0.so.0.7600.6) [0x7feb557cdf7f]
bluetoothd[37]: #6 g_io_channel_unref+0x39 (/usr/lib64/libglib-2.0.so.0.7600.6) [0x7feb557ce1e9]
bluetoothd[37]: #7 g_source_unref_internal+0x24f (/usr/lib64/libglib-2.0.so.0.7600.6) [0x7feb557db79f]
bluetoothd[37]: #8 g_main_context_dispatch+0x288 (/usr/lib64/libglib-2.0.so.0.7600.6) [0x7feb557dd638]
bluetoothd[37]: #9 g_main_context_iterate.isra.0+0x318 (/usr/lib64/libglib-2.0.so.0.7600.6) [0x7feb5583b6b8]
bluetoothd[37]: #10 g_main_loop_run+0x7f (/usr/lib64/libglib-2.0.so.0.7600.6) [0x7feb557dcaff]
bluetoothd[37]: #11 mainloop_run+0x15 (src/shared/mainloop-glib.c:68) [0x662e65]
bluetoothd[37]: #12 mainloop_run_with_signal+0x128 (src/shared/mainloop-notify.c:190) [0x663368]
bluetoothd[37]: #13 main+0x154b (src/main.c:1454) [0x41521b]
bluetoothd[37]: #14 __libc_start_call_main+0x7a (/usr/lib64/libc.so.6) [0x7feb54e1fb8a]
bluetoothd[37]: #15 __libc_start_main@@GLIBC_2.34+0x8b (/usr/lib64/libc.so.6) [0x7feb54e1fc4b]
bluetoothd[37]: #16 _start+0x25 (src/main.c:1197) [0x416305]
bluetoothd[37]: +++++++++++++++++++++++++++
mlehtima pushed a commit that referenced this pull request on Jun 13, 2024:
select_cb() callback is called when the sound server replies. However, at that point the ep or session for which it was made may already be gone if e.g. device disconnects or adapter is powered off.
Fix by implementing cancelling select() callbacks, and doing it before freeing ep.
Fixes crash:
==889897==ERROR: AddressSanitizer: heap-use-after-free
READ of size 8 at 0x60400006b098 thread T0
#0 0x55aeba in setup_new profiles/audio/bap.c:840
#1 0x562158 in select_cb profiles/audio/bap.c:1361
#2 0x47ad66 in pac_select_cb profiles/audio/media.c:920
#3 0x47661b in endpoint_reply profiles/audio/media.c:375
...
freed by thread T0 here:
#0 0x7fd20bcd7fb8 in __interceptor_free.part.0
#1 0x55f913 in ep_free profiles/audio/bap.c:1156
#2 0x7d696e in remove_interface gdbus/object.c:660
#3 0x7de622 in g_dbus_unregister_interface gdbus/object.c:1394
#4 0x554536 in ep_unregister profiles/audio/bap.c:193
#5 0x574455 in ep_remove profiles/audio/bap.c:2963
#6 0x7f5341 in queue_remove_if src/shared/queue.c:279
#7 0x7f5aba in queue_remove_all src/shared/queue.c:321
#8 0x57452b in bap_disconnect profiles/audio/bap.c:2972
#9 0x6cd107 in btd_service_disconnect src/service.c:305
...
previously allocated by thread T0 here:
#0 0x7fd20bcd92ef in malloc
#1 0x7f6e98 in util_malloc src/shared/util.c:46
#2 0x560d28 in ep_register profiles/audio/bap.c:1282
#3 0x562bdf in pac_register profiles/audio/bap.c:1386
#4 0x8cc834 in bap_foreach_pac src/shared/bap.c:4950
#5 0x8cccfc in bt_bap_foreach_pac src/shared/bap.c:4964
#6 0x56330b in bap_ready profiles/audio/bap.c:1457
...
mlehtima pushed a commit that referenced this pull request on Jun 13, 2024:
Cancel stream's queued requests before freeing the stream. As the callbacks may do some cleanup on error, be sure to call them before removing the requests.
Fixes:
=======================================================================
ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000013430
READ of size 8 at 0x60d000013430 thread T0
#0 0x89cb9f in stream_stop_complete src/shared/bap.c:1211
#1 0x89c997 in bap_req_complete src/shared/bap.c:1192
#2 0x8a105f in bap_process_queue src/shared/bap.c:1474
#3 0x93c93f in timeout_callback src/shared/timeout-glib.c:25
...
freed by thread T0 here:
#1 0x89b744 in bap_stream_free src/shared/bap.c:1105
#2 0x89bac8 in bap_stream_detach src/shared/bap.c:1122
#3 0x89dbfc in bap_stream_state_changed src/shared/bap.c:1261
#4 0x8a2169 in bap_ucast_set_state src/shared/bap.c:1554
#5 0x89e0d5 in stream_set_state src/shared/bap.c:1291
#6 0x8a78b6 in bap_ucast_release src/shared/bap.c:1927
#7 0x8d45bb in bt_bap_stream_release src/shared/bap.c:5516
#8 0x8ba63f in remove_streams src/shared/bap.c:3538
#9 0x7f23d0 in queue_foreach src/shared/queue.c:207
#10 0x8bb875 in bt_bap_remove_pac src/shared/bap.c:3593
#11 0x47416c in media_endpoint_destroy profiles/audio/media.c:185
=======================================================================
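This commit and the select_cb() one before it fix the same class of bug: an asynchronous reply (a D-Bus response, a queued request timing out) runs a callback whose user_data pointed at an endpoint or stream that has since been freed. Both fixes apply the same rule, cancel the owner's pending callbacks before freeing the owner, so that each callback runs, with an error, while its owner is still valid, and a reply that arrives later finds nothing to call. As an added example (mine, not bluez code and not part of this PR), the minimal request queue below implements that rule; the `req_queue`, `endpoint` and `stats` types and all function names are the example's own and stand in for bluez's request and endpoint structures.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

/* Added example, not bluez code: the cancel-before-free pattern the two
 * commits above apply to select() callbacks and to a stream's queued
 * requests. The queue hands out ids for replies that arrive later; an owner
 * that is about to be freed cancels its pending entries first, so each
 * callback runs while the owner is still valid, and a reply arriving after
 * that finds nothing to call. */

typedef void (*req_cb)(int err, void *user_data);

struct req {
	struct req *next;
	unsigned id;
	req_cb cb;
	void *user_data;	/* the owner the callback will dereference */
};

struct req_queue {
	struct req *head;
	unsigned next_id;
};

/* Queue a request; cb runs exactly once, on reply or on cancel. */
unsigned req_queue_add(struct req_queue *q, req_cb cb, void *user_data)
{
	struct req *r = calloc(1, sizeof(*r));
	if (!r)
		return 0;
	r->id = ++q->next_id;
	r->cb = cb;
	r->user_data = user_data;
	r->next = q->head;
	q->head = r;
	return r->id;
}

/* Unlink every entry matching id (0 = any) and owner (NULL = any), then run
 * its callback with err and free it. Unlinking first keeps the list
 * consistent if a callback adds or cancels requests; the callback still
 * runs before the entry, and before the owner, is freed. */
static unsigned req_queue_drain(struct req_queue *q, int err,
				unsigned id, const void *owner)
{
	struct req **pp = &q->head, *taken = NULL;
	unsigned n = 0;

	while (*pp) {
		struct req *r = *pp;
		if ((id == 0 || r->id == id) &&
		    (owner == NULL || r->user_data == owner)) {
			*pp = r->next;
			r->next = taken;
			taken = r;
		} else {
			pp = &r->next;
		}
	}
	while (taken) {
		struct req *r = taken;
		taken = r->next;
		r->cb(err, r->user_data);
		free(r);
		n++;
	}
	return n;
}

/* A reply for id arrived. Returns false when nothing was pending, i.e. the
 * owner already cancelled: the reply is dropped, not delivered into freed
 * memory. */
bool req_queue_complete(struct req_queue *q, unsigned id, int err)
{
	return req_queue_drain(q, err, id, NULL) == 1;
}

/* Cancel all of owner's requests with -ECANCELED; call before freeing owner. */
unsigned req_queue_cancel_owner(struct req_queue *q, void *owner)
{
	return req_queue_drain(q, -ECANCELED, 0, owner);
}

/* Stand-in for an endpoint whose select/config replies may outlive it. The
 * counters live outside the endpoint so they can be read after it is freed. */
struct stats { int ok; int cancelled; };
struct endpoint { struct req_queue *q; struct stats *stats; };

void ep_reply(int err, void *user_data)
{
	struct endpoint *ep = user_data;	/* valid: never runs after free */
	if (err == 0)
		ep->stats->ok++;
	else
		ep->stats->cancelled++;
}

/* The fix the commits apply: cancel first, then free. */
void endpoint_free(struct endpoint *ep)
{
	req_queue_cancel_owner(ep->q, ep);
	free(ep);
}
```

The invariant to check in review is that every path which frees an object holding pending callbacks goes through the cancel call first; the ASAN traces above are what it looks like when one path (here, disconnect) does not.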
mlehtima pushed a commit that referenced this pull request on Jun 13, 2024:
Currently, btd_set_add_device decrypts the sirk in-place, modifying the key passed to it. This causes store_sirk() later on to save the wrong (decrypted) key value, resulting in an invalid duplicate device set. It also allows devices->sirk list to contain same set multiple times, which crashes later on as sirks-set are assumed to be 1-to-1 in btd_set_add/remove_device().
Fixes:
=======================================================================
ERROR: AddressSanitizer: heap-use-after-free on address 0x60600001c068
READ of size 8 at 0x60600001c068 thread T0
#0 0x762721 in btd_set_remove_device src/set.c:347
#1 0x7341e7 in remove_sirk_info src/device.c:7145
#2 0x7f2cee in queue_foreach src/shared/queue.c:207
#3 0x734499 in btd_device_unref src/device.c:7159
#4 0x719f65 in device_remove src/device.c:4788
#5 0x682382 in adapter_remove src/adapter.c:6959
...
0x60600001c068 is located 40 bytes inside of 56-byte region [0x60600001c040,0x60600001c078)
freed by thread T0 here:
#1 0x7605a6 in set_free src/set.c:170
#2 0x7d4eff in remove_interface gdbus/object.c:660
#3 0x7dcbb3 in g_dbus_unregister_interface gdbus/object.c:1394
#4 0x762990 in btd_set_remove_device src/set.c:362
#5 0x7341e7 in remove_sirk_info src/device.c:7145
#6 0x7f2cee in queue_foreach src/shared/queue.c:207
#7 0x734499 in btd_device_unref src/device.c:7159
#8 0x719f65 in device_remove src/device.c:4788
#9 0x682382 in adapter_remove src/adapter.c:6959
...
previously allocated by thread T0 here:
#1 0x7f5429 in util_malloc src/shared/util.c:46
#2 0x7605f1 in set_new src/set.c:178
#3 0x7625b9 in btd_set_add_device src/set.c:324
#4 0x6f8fc8 in add_set src/device.c:1916
#5 0x7f2cee in queue_foreach src/shared/queue.c:207
#6 0x6f982c in device_set_ltk src/device.c:1940
#7 0x667b97 in load_ltks src/adapter.c:4478
...
=======================================================================