Update bluez5 to version 5.68 #9
Merged
Add names for CIS Central/Peripheral MGMT setting bits:
[mgmt]# info
Index list with 1 item
hci0: Primary controller
    addr XX:XX:XX:XX:XX:XX version 12 manufacturer 2 class 0x7c0104
    supported settings: powered connectable fast-connectable discoverable bondable link-security ssp br/edr le advertising secure-conn debug-keys privacy configuration static-addr phy-configuration wide-band-speech cis-central cis-peripheral
    current settings: powered bondable ssp br/edr le secure-conn cis-central cis-peripheral
    name xxx
    short name
hci0: Configuration options
    supported options: public-address
    missing options:
Add function for checking adapter current settings.
Don't indicate BAP support in SupportedUUIDs, if adapter supports neither CIS Central nor Peripheral.
This makes use of BIT macro when defining bitfields which makes it clearer what bit it is toggling.
This fixes the printed hex value of some of the frequencies.
Add a method for getting the audio stream associated with a media transport.
To look up transports, use BAP stream pointers associated with them, not
the path strings stored in the stream user data. This makes it clearer
that transports presented to the sound server correspond to the actual
streams. The Acquire/etc. of BAP transports are already tied to the
associated stream.
This fixes use-after-free crashes in pac_clear. They occur because the
lifetime of the path string was either that of media transport or media
endpoint, which may be shorter than that of the BAP stream. In such
case, pac_clear is entered with invalid pointer in stream user data,
leading to crash. There are a few code paths for this, e.g. making
sound server delay its SetConfiguration response (e.g. gdb breakpoint)
to get dbus timeout, then disconnecting:
ERROR: AddressSanitizer: heap-use-after-free on address XXXX
READ of size 3 at 0x606000031640 thread T0
...
#4 0x559891 in btd_debug src/log.c:117
#5 0x46abfd in pac_clear profiles/audio/media.c:1096
#6 0x79fcaf in bap_stream_clear_cfm src/shared/bap.c:914
#7 0x7a060d in bap_stream_detach src/shared/bap.c:987
#8 0x7a25ea in bap_stream_state_changed src/shared/bap.c:1210
#9 0x7a29cd in stream_set_state src/shared/bap.c:1254
#10 0x7be824 in stream_foreach_detach src/shared/bap.c:3820
#11 0x71d15d in queue_foreach src/shared/queue.c:207
#12 0x7beb98 in bt_bap_detach src/shared/bap.c:3836
#13 0x5228cb in bap_disconnect profiles/audio/bap.c:1342
#14 0x63247c in btd_service_disconnect src/service.c:305
freed by thread T0 here:
#0 0x7f16708b9388 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xb9388)
#1 0x7f167071b8cc in g_free (/lib64/libglib-2.0.so.0+0x5b8cc)
#2 0x7047b7 in remove_interface gdbus/object.c:660
#3 0x70aef6 in g_dbus_unregister_interface gdbus/object.c:1394
#4 0x47be30 in media_transport_destroy profiles/audio/transport.c:217
#5 0x464ab9 in endpoint_remove_transport profiles/audio/media.c:270
#6 0x464d26 in clear_configuration profiles/audio/media.c:292
#7 0x464e69 in clear_endpoint profiles/audio/media.c:300
#8 0x46516e in endpoint_reply profiles/audio/media.c:325
...
Fixes: 7b1b1a4 ("media: clear the right transport when clearing BAP endpoint")
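The lifetime problem described in the commit message above, as an added example that is not part of this pull request or of BlueZ: a stream that outlives its transport must not keep a pointer to the transport's path string, and the clear callback looks the transport up by stream pointer instead. All names (`struct stream`, `struct transport`, `find_by_stream`, `stream_clear`, `replay`) and the path value are hypothetical.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed model, not BlueZ code: all names here are hypothetical. */
struct stream { void *user_data; };
struct transport { char path[32]; struct stream *stream; struct transport *next; };
static struct transport *transports;   /* live transports only */

static struct transport *transport_new(const char *path, struct stream *st) {
	struct transport *t = calloc(1, sizeof(*t));
	if (!t) return NULL;
	strncpy(t->path, path, sizeof(t->path) - 1);
	t->stream = st;
	t->next = transports;
	return transports = t;
}

static void transport_destroy(struct transport *t) {
	struct transport **p = &transports;
	while (*p && *p != t)
		p = &(*p)->next;
	if (*p) *p = t->next;   /* unregister before freeing */
	free(t);                /* t->path dies here; a borrowed copy now dangles */
}

/* Lookup keyed on the stream pointer, never on a borrowed path string. */
static struct transport *find_by_stream(const struct stream *st) {
	struct transport *t = transports;
	while (t && t->stream != st)
		t = t->next;
	return t;
}

/* Clear callback: 1 if a transport was torn down, 0 if it was already gone. */
static int stream_clear(struct stream *st) {
	struct transport *t = find_by_stream(st);
	int live = t != NULL;
	st->user_data = NULL;   /* overwrite the borrow, never dereference it */
	if (live)
		transport_destroy(t);
	return live;
}

/* early != 0 replays the trace ordering: transport freed before stream clear. */
int replay(int early) {
	struct stream st = { NULL };
	struct transport *t = transport_new("/constructed/fd0", &st);
	if (!t) return -1;
	st.user_data = t->path;   /* the borrow the commit stops relying on */
	if (early)
		transport_destroy(t);
	return stream_clear(&st);
}

int main(void) { return !(replay(1) == 0 && replay(0) == 1); }
```

Built with `-fsanitize=address`, both orderings run clean because the clear path never reads through `user_data`.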
Don't call configuration callback if stream's transport was cleared in
the meantime. The clear callback is called just before the stream is
freed.
Fixes ASAN crash on disconnect while waiting for SetConfiguration DBus
reply:
ERROR: AddressSanitizer: heap-use-after-free on address 0x60b00002eb90
READ of size 8 at 0x60b00002eb90 thread T0
#0 0x7a4892 in bap_stream_config_cfm_cb src/shared/bap.c:3201
#1 0x4688fb in pac_config_cb profiles/audio/media.c:1010
#2 0x462164 in media_endpoint_cancel profiles/audio/media.c:157
#3 0x462243 in media_endpoint_cancel_all profiles/audio/media.c:165
#4 0x46365b in clear_endpoint profiles/audio/media.c:297
#5 0x463a21 in endpoint_reply profiles/audio/media.c:325
...
freed by thread T0 here:
#0 0x7eff644b9388 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xb9388)
#1 0x78d8cc in bap_stream_free src/shared/bap.c:974
#2 0x78dbc8 in bap_stream_detach src/shared/bap.c:991
#3 0x78fa43 in bap_stream_state_changed src/shared/bap.c:1210
#4 0x78fe26 in stream_set_state src/shared/bap.c:1254
#5 0x7ab5ce in stream_foreach_detach src/shared/bap.c:3820
#6 0x70ce06 in queue_foreach src/shared/queue.c:207
#7 0x7ab942 in bt_bap_detach src/shared/bap.c:3836
#8 0x51da7a in bap_disconnect profiles/audio/bap.c:1342
#9 0x626e57 in btd_service_disconnect src/service.c:305
Currently, BAP transport publishes on DBus QOS values obtained at transport creation time. For BAP server the transport creation usually occurs before stream QOS is configured, and these values are then all zero. bap->sdu is also never set. Update transport QOS values in DBus when stream state changes. Since nearly all QOS values are exposed in the transport, use bt_bap_qos to store them there for simplicity.
If the 'enable-external-ell' is not specified in the configure parameter, the build system assumes that the ELL source is located at the same level where the bluez source is cloned. But the configure doesn't check the folder and the user will get a build error while building the source. This patch checks the ELL source path if the 'enable-external-ell' flag is not set and throws an error if the ELL doesn't exist.
On device ATT attach, do not immediately call accept() for profiles, if there is no cached data in GATT database. Instead, wait for service resolution to complete, as likely accept() cannot succeed before that. Several profiles (bap, vcp, midi, deviceinfo) assume that GATT attributes are available when their accept() is called, returning success even if not. In this case, the services never find the remote attributes and are not operable. Other profiles (hog, batt, ...) fail their accept which prompts core to retry after discovery, and work correctly also in this case. Fix the failing services by waiting for service resolution as necessary, so profiles can assume the GATT DB has some content.
Always free BAP stream in bt_bap_stream_release if it is not attached to
a client session, simplifying the cleanup.
Fixes the following ASAN crash observed when media endpoint is
unregistered (stopping sound server) while streaming from remote BAP
client:
ERROR: AddressSanitizer: heap-use-after-free on address 0x60b0000474d8
READ of size 8 at 0x60b0000474d8 thread T0
#0 0x7a27c6 in stream_set_state src/shared/bap.c:1227
#1 0x7aff61 in remove_streams src/shared/bap.c:2483
#2 0x71d2d0 in queue_foreach src/shared/queue.c:207
#3 0x7b0152 in bt_bap_remove_pac src/shared/bap.c:2501
#4 0x463cda in media_endpoint_destroy profiles/audio/media.c:179
...
0x60b0000474d8 is located 8 bytes inside of 112-byte region
freed by thread T0 here:
#0 0x7f93b12b9388 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xb9388)
#1 0x7a0504 in bap_stream_free src/shared/bap.c:972
#2 0x7a0800 in bap_stream_detach src/shared/bap.c:989
#3 0x7a26d1 in bap_stream_state_changed src/shared/bap.c:1208
#4 0x7a2ab4 in stream_set_state src/shared/bap.c:1252
#5 0x7ab18a in stream_release src/shared/bap.c:1985
#6 0x7c6919 in bt_bap_stream_release src/shared/bap.c:4572
#7 0x7aff50 in remove_streams src/shared/bap.c:2482
...
previously allocated by thread T0 here:
#0 0x7f93b12ba6af in __interceptor_malloc (/lib64/libasan.so.8+0xba6af)
#1 0x71e9ae in util_malloc src/shared/util.c:43
#2 0x79c2f5 in bap_stream_new src/shared/bap.c:766
#3 0x7a4863 in ep_config src/shared/bap.c:1446
#4 0x7a4f22 in ascs_config src/shared/bap.c:1481
...
Change bthost_send_iso to take packet sequence number and timestamp, and allow it to send timestamped HCI ISO data packets. Currently, btdev passes through ISO packets, so this can also be used to test RX timestamping.
This attempts to receive a timestamped HCI ISO data packet on central. With kernel 6.2 HCI ISO packet parsing this test fails with
Bluetooth: Frame malformed (len 40, expected len 0)
Link: https://lore.kernel.org/linux-bluetooth/1fd2d4523c139deda93aab2c31f1508d79c32472.1676921889.git.pav@iki.fi/
This checks if an att instance already exists before attempting to connect it once again.
This enables transport.send to work with multiple transports instead of sending one by one which can create synchronization problems.
If session is being detached any ongoing/queued request shall be cancelled as well, otherwise when the session is attached again they would be invalid.
This introduces the concept of idle callback which can be used to get notified when there is no more pending requests by the client.
A2DP shall depend on MGMT_SETTING_BREDR setting so the likes of bluetoothctl -e don't attempt to register A2DP with controller that are on LE only mode.
This uses bt_gatt_client_idle_register to track when instance is ready instead of using a dedicated queue to track requests. Fixes: bluez/bluez#485
If an unexpected disconnect happens while bt_bap_config is pending the following trace can be observed, to fix it bt_bap_config is reworked so it no longer attempts to create and config the stream in place, instead it just returns the new stream and the function is renamed to bt_bap_stream_new:
Invalid write of size 4
at 0x3980D8: config_cb (bap.c:395)
by 0x4DF5A3: bap_req_complete (bap.c:3471)
by 0x4E9D33: bap_req_detach (bap.c:3807)
by 0x4E9D33: bt_bap_detach (bap.c:3819)
by 0x4E9D33: bt_bap_detach (bap.c:3810)
by 0x397AA9: bap_disconnect (bap.c:1342)
by 0x4223E0: btd_service_disconnect (service.c:305)
by 0x4974D8F: g_slist_foreach (in /usr/lib64/libglib-2.0.so.0.7200.3)
by 0x438FC3: att_disconnected_cb (device.c:5160)
by 0x49A6C6: queue_foreach (queue.c:207)
by 0x4B463B: disconnect_cb (att.c:701)
by 0x5054DF: watch_callback (io-glib.c:157)
by 0x495BFAE: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.7200.3)
by 0x49B12C7: ??? (in /usr/lib64/libglib-2.0.so.0.7200.3)
Address 0x6576940 is 96 bytes inside a block of size 112 free'd
at 0x48480E4: free (vg_replace_malloc.c:872)
by 0x48F78D: remove_interface (object.c:660)
by 0x490489: g_dbus_unregister_interface (object.c:1394)
by 0x397BA8: ep_remove (bap.c:1330)
by 0x49ACF4: queue_remove_if (queue.c:279)
by 0x49B0AC: queue_remove_all (queue.c:321)
by 0x397A7C: bap_disconnect (bap.c:1339)
by 0x4223E0: btd_service_disconnect (service.c:305)
by 0x4974D8F: g_slist_foreach (in /usr/lib64/libglib-2.0.so.0.7200.3)
by 0x438FC3: att_disconnected_cb (device.c:5160)
by 0x49A6C6: queue_foreach (queue.c:207)
by 0x4B463B: disconnect_cb (att.c:701)
Block was alloc'd at
at 0x484586F: malloc (vg_replace_malloc.c:381)
by 0x49B432: util_malloc (util.c:43)
by 0x39A1D9: ep_register (bap.c:563)
by 0x39A1D9: pac_found (bap.c:664)
by 0x4E5FEA: bap_foreach_pac (bap.c:3980)
by 0x4EA437: bap_notify_ready (bap.c:2736)
by 0x4EA437: bap_idle (bap.c:3711)
by 0x4B52F0: idle_notify (gatt-client.c:171)
by 0x49ACF4: queue_remove_if (queue.c:279)
by 0x49B0AC: queue_remove_all (queue.c:321)
by 0x4C092C: notify_client_idle (gatt-client.c:180)
by 0x4C092C: request_unref (gatt-client.c:199)
by 0x4AACB5: destroy_att_send_op (att.c:209)
by 0x4B2B88: handle_rsp (att.c:862)
by 0x4B2B88: can_read_data (att.c:1052)
by 0x5054DF: watch_callback (io-glib.c:157)
BT_ATT_OP_MTU_REQ shall only be sent on the so called fixed channel since EATT channels shall use L2CAP procedure to update its MTU.
When updating the device address check if the device is marked as temporary before attempting to call store_device_info otherwise it will have no effect and instead btd_device_set_temporary must be called.
This checks cid before attempting to create device, if the device is using an RPA it could be that the MGMT event has not been processed yet which would lead to create a second copy of the same device using its identity address.
EATT is causing some problem with some platforms as they also attempt to configure it may cause a connection collision which needs to be handled by the kernel.
This makes use of DEFER_SETUP mechanism to do the following checks before accepting the connection:
- Checks a valid device object exists
- Checks if initiator/central as if the peripheral start connecting it may cause collisions.
- Checks if the limit of allowed connections has been reached.
This adds the following tests:
L2CAP Ext-Flowctl Server - Success
L2CAP Ext-Flowctl Server - Nval SCID
L2CAP LE EATT Client - Success
L2CAP LE EATT Server - Success
L2CAP LE EATT Server - Reject
This updates High Reliability presets as published in BAP 1.0.1: https://www.bluetooth.com/specifications/bap-1-0-1/
This updates High Reliability presets as published in BAP 1.0.1: https://www.bluetooth.com/specifications/bap-1-0-1/
Besides OBEX root, it should be ok to push files to temporary directory. Obex root may be $HOME, but it's cleaner to have in-progress files under temporary directory.
As some carkits have trouble connecting to the default PBAP channel 15, enable channel configuration for PBAP server.
If adapter is disabled while discovering, starting the discovery again after enabling the adapter will fail unless adapters parameters are cleared as when stopping the discovery.
By 4 updates per second. Prevent Obexd from spamming DBus with "Transferred" signals when receiving a file.
Co-authored-by: Jarko Poutiainen <jarko.poutiainen@jolla.com>
Makes it possible to disable autopair plugin with build-time configuration flag.
If authentication fails with MGMT_STATUS_NOT_PAIRED the device is obviously not connected either and we should notify of it. Also remove from the device since connection attempt is likely to fail.
Patches with bugs associated in this commit:
- Add some missing tests and a tool. JB#36849
- Depend on findutils as /etc/obexd.conf requires find. JB#41628
- Use 'bluez5' for pkgconfig target. Fixes JB#36627
- Add tracing file for obexd. JB#36940
- Add package for obexd tracing. JB#36940
- Disable autopair plugin. JB#40419
- obex: Don't try to control systemd user session. Fixes JB#46633
- Split hciattach tool to own subpackage. JB#48791
- Use systemd macros to build on aarch64. JB#49681
- Enable NFC pairing. JB#54815
- Allow D-Bus activation only through systemd. JB#52572
- Don't rename bluez.pc to bluez5.spec. JB#57121
- Disable manpages building. JB#56721
Co-authored-by: Hannu Mallat <hmallat@gmail.com>
Co-authored-by: Bea Lam <bea.lam@jolla.com>
Co-authored-by: Pekka Vuorela <pekka.vuorela@jolla.com>
Co-authored-by: Marko Saukko <marko.saukko@jolla.com>
Co-authored-by: Juho Hämäläinen <juho.hamalainen@jolla.com>
Co-authored-by: David Greaves <david.greaves@jolla.com>
Co-authored-by: Ildar Kamaletdinov <i.kamaletdinov@omprussia.ru>
Instead of waiting for connman we can start already when D-Bus is available. Fixes JB#48911
Patches with bugs associated in this commit:
- Forwards mpris control and data over Bluez. This enables music metadata over BT audio, and play/pause commands from Bluetooth devices. Fixes JB#41652
- Automatically restart mpris-proxy service if it crashes. Fixes JB#58244
Fixes build without ell. This reverts commit 1106b28.
mkosola approved these changes Jul 10, 2023
mlehtima pushed a commit that referenced this pull request Dec 13, 2023
Primary/Secondary Counters are supposed to be 16-byte values, if the
server has implemented them incorrectly it may lead to the following
crash:
=================================================================
==31860==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x607000001878 at pc 0x7f95a1575638 bp 0x7fff58c6bb80 sp 0x7fff58c6b328
READ of size 48 at 0x607000001878 thread T0
#0 0x7f95a1575637 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:860
#1 0x7f95a1575ba6 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:892
#2 0x7f95a1575ba6 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:887
#3 0x564df69c77a0 in read_version obexd/client/pbap.c:288
#4 0x564df69c77a0 in read_return_apparam obexd/client/pbap.c:352
#5 0x564df69c77a0 in phonebook_size_callback obexd/client/pbap.c:374
#6 0x564df69bea3c in session_terminate_transfer obexd/client/session.c:921
#7 0x564df69d56b0 in get_xfer_progress_first obexd/client/transfer.c:729
#8 0x564df698b9ee in handle_response gobex/gobex.c:1140
#9 0x564df698cdea in incoming_data gobex/gobex.c:1385
#10 0x7f95a12fdc43 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43)
#11 0x7f95a13526c7 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xaa6c7)
#12 0x7f95a12fd2b2 in g_main_loop_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x552b2)
#13 0x564df6977d41 in main obexd/src/main.c:307
#14 0x7f95a10a7d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#15 0x7f95a10a7e3f in __libc_start_main_impl ../csu/libc-start.c:392
#16 0x564df6978704 in _start (/usr/local/libexec/bluetooth/obexd+0x8b704)
0x607000001878 is located 0 bytes to the right of 72-byte region [0x607000001830,0x607000001878)
allocated by thread T0 here:
#0 0x7f95a1595a37 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
#1 0x564df69c8b6a in pbap_probe obexd/client/pbap.c:1259
No description provided.