[PATCH BlueZ v3 3/5] shared/gatt-client: Fix crash on bt_gatt_client_unref

From: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>

Calling gatt_client_clear_services after notify_list is destroyed causes
the following backtrace:

Invalid read of size 8
   at 0x404CC9: queue_remove_all (queue.c:312)
   by 0x401FC6: gatt_client_remove_all_notify_in_range (gatt-client.c:350)
   by 0x403170: bt_gatt_client_free (gatt-client.c:357)
   by 0x401A93: test_client (test-gatt.c:224)
   by 0x4E9E5E0: ??? (in /usr/lib64/libglib-2.0.so.0.3800.2)
   by 0x4E9E7A5: ??? (in /usr/lib64/libglib-2.0.so.0.3800.2)
   by 0x4E9E7A5: ??? (in /usr/lib64/libglib-2.0.so.0.3800.2)
   by 0x4E9E7A5: ??? (in /usr/lib64/libglib-2.0.so.0.3800.2)
   by 0x4E9EB1A: g_test_run_suite (in /usr/lib64/libglib-2.0.so.0.3800.2)
   by 0x4015EE: main (test-gatt.c:259)
 Address 0x5752718 is 8 bytes inside a block of size 32 free'd
   at 0x4C28577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
   by 0x40315E: bt_gatt_client_free (gatt-client.c:1233)
   by 0x401A93: test_client (test-gatt.c:224)
   by 0x4E9E5E0: ??? (in /usr/lib64/libglib-2.0.so.0.3800.2)
   by 0x4E9E7A5: ??? (in /usr/lib64/libglib-2.0.so.0.3800.2)
   by 0x4E9E7A5: ??? (in /usr/lib64/libglib-2.0.so.0.3800.2)
   by 0x4E9E7A5: ??? (in /usr/lib64/libglib-2.0.so.0.3800.2)
   by 0x4E9EB1A: g_test_run_suite (in /usr/lib64/libglib-2.0.so.0.3800.2)
   by 0x4015EE: main (test-gatt.c:259)
---
 src/shared/gatt-client.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/shared/gatt-client.c b/src/shared/gatt-client.c
index 782e6b3..ddedaf0 100644
--- a/src/shared/gatt-client.c
+++ b/src/shared/gatt-client.c
@@ -1224,12 +1224,12 @@ static void bt_gatt_client_free(struct bt_gatt_client *client)
 	bt_att_unregister(client->att, client->notify_id);
 	bt_att_unregister(client->att, client->ind_id);
 
+	gatt_client_clear_services(client);
+
 	queue_destroy(client->svc_chngd_queue, free);
 	queue_destroy(client->long_write_queue, long_write_op_unref);
 	queue_destroy(client->notify_list, notify_data_unref);
 
-	gatt_client_clear_services(client);
-
 	bt_att_unref(client->att);
 	free(client);
 }
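
Review bot: The ordering requirement is undocumented at the moved gatt_client_clear_services(client) call, so nothing stops a later cleanup from putting it back below queue_destroy(client->notify_list, notify_data_unref) and reintroducing the invalid read. Per the backtrace, the path through gatt_client_remove_all_notify_in_range reaches queue_remove_all on the notify queue, so that queue must still be alive. Consider a short comment above the call, for example "/* Must run before notify_list is destroyed: clearing services walks notify_list */". It is also worth confirming that gatt_client_clear_services does not depend on the two bt_att_unregister() calls above it not having run yet, since it now sits directly after them.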
-- 
1.9.3
