Issue 917314 link

Starred by 2 users

Issue metadata

Status:	Assigned
Owner:	█ yunhanw@chromium.org User never visited
Cc:	█ mcchou@chromium.org
Components:	OS>Systems>Bluetooth
EstimatedDays:	----
NextAction:	----
OS:	----
Pri:	3
Type:	Bug

gatt: Fix crash while disconnecting ATT

Project Member Reported by yunhanw@google.com, Dec 21

Issue description

svc_chngd_ccc don't actually set a callback thus when cleaning up in
clear_ccc_state has to check if there is any callback set:

invalid address stated on the next line
  at 0x0: ???
  by 0x475C7C: clear_ccc_state (gatt-database.c:287)
  by 0x4D28CF: queue_foreach (queue.c:220)
  by 0x475FE7: att_disconnected (gatt-database.c:310)
  by 0x4D7255: disconn_handler (att.c:538)
  by 0x4D28CF: queue_foreach (queue.c:220)
  by 0x4D8F39: disconnect_cb (att.c:590)
  by 0x4E6B3A: watch_callback (io-glib.c:170)
  by 0x50CD246: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.5200.3)
  by 0x50CD5E7: ??? (in /usr/lib64/libglib-2.0.so.0.5200.3)
  by 0x50CD901: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.5200.3)
  by 0x40CD90: main (main.c:770)
Address 0x0 is not stack'd, malloc'd or (recently) free'd

Since get_ccc_state can be called from both read and write callbacks it
was causing the disconnect handler to be register twice causing the
following crash:

bluetoothd[31312]: src/gatt-database.c:att_disconnected()
bluetoothd[31312]: src/gatt-database.c:ccc_write_cb() External CCC write received with value: 0x0000
bluetoothd[31312]: src/gatt-database.c:att_disconnected()
Invalid read of size 8
   at 0x475639: att_disconnected (gatt-database.c:301)
   by 0x4D6C75: disconn_handler (att.c:538)
   by 0x4D22EF: queue_foreach (queue.c:220)
   by 0x4D8959: disconnect_cb (att.c:590)
   by 0x4E559A: watch_callback (io-glib.c:170)
   by 0x50CD246: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.5200.3)
   by 0x50CD5E7: ??? (in /usr/lib64/libglib-2.0.so.0.5200.3)
   by 0x50CD901: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.5200.3)
   by 0x40CD10: main (main.c:770)
 Address 0x8e30250 is 0 bytes inside a block of size 32 free'd
   at 0x4C2FD18: free (vg_replace_malloc.c:530)
   by 0x4756D5: device_state_free (gatt-database.c:271)
   by 0x4756D5: att_disconnected (gatt-database.c:313)
   by 0x4D6C75: disconn_handler (att.c:538)
   by 0x4D22EF: queue_foreach (queue.c:220)
   by 0x4D8959: disconnect_cb (att.c:590)
   by 0x4E559A: watch_callback (io-glib.c:170)
   by 0x50CD246: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.5200.3)
   by 0x50CD5E7: ??? (in /usr/lib64/libglib-2.0.so.0.5200.3)
   by 0x50CD901: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.5200.3)
   by 0x40CD10: main (main.c:770)

Comment 1 by yunhanw@google.com, Dec 21

Description: Show this description

Comment 2 by benhenry@google.com, Jan 11

Status: Assigned (was: Untriaged)

This issue has an owner, a component and a priority, but is still listed as untriaged or unconfirmed. By definition, this bug is triaged. Changing status to "assigned". Please reach out to me if you disagree with how I've done this.

►

Issue 917314 link

Issue metadata

gatt: Fix crash while disconnecting ATT

Issue description

Comment 1 by yunhanw@google.com, Dec 21

Comment 1 Deleted

Comment 2 by benhenry@google.com, Jan 11

Comment 2 Deleted

Sign in to add a comment