Hi Anurag,

On Fri, Jul 7, 2017 at 9:36 AM, Anurag B <biradar.a@xxxxxxxxxxx> wrote:
> From: Anurag Biradar <biradar.a@xxxxxxxxxxx>
>
> DUT was trying to connect with a carkit and for some reason the connection
> got aborted. The SDP search got an error and the browse request was freed, but
> device->browse is still pointing to freed memory. During clean up
> bluez removes all devices and while removing them it finds a reference to
> browse_req and tries to free it again, which leads to the crash.
>
> Assign NULL to device browse_req before freeing the browse_req.
>
> Log:
>
> bluetooth: src/service.c:change_state() 0xb700a650: device XX:XX:XX:XX:XX:XX
> profile a2dp-sink state changed: connecting -> disconnected (-11)
> bluetooth: src/device.c:device_profile_connected()
> a2dp-sink Resource temporarily unavailable (11)
> bluetooth: src/device.c:device_profile_connected() returning response to :1.300
> bluetooth: src/device.c:device_browse_sdp()
> bluetooth: src/device.c:browse_request_free()
>
> --Browse req is freed but device->browse is still pointing to freed memory --
>
> While turning OFF, freeing each device:
> bluetoothd[2024]: src/adapter.c:adapter_remove()
> Removing adapter /org/bluez/hci0
> bluetoothd[2024]: src/device.c:device_remove()
> Removing device /org/bluez/hci0/dev_XX_XX_XX_XX_XX_XX
> bluetoothd[2024]: src/device.c:browse_request_cancel()
>
> (gdb)
> 0 0xb6f981ae in queue_remove_if (queue=0xb7007d70,
> function=0xb6f9a319 <match_disconn_id>, user_data=0xb7001ae0)
> at src/shared/queue.c:289
> 1 0xb6f9a87a in bt_att_unregister_disconnect (att=<optimized out>,
> id=<optimized out>) at src/shared/att.c:1161
> 2 0xb6f81bf6 in attio_cleanup (device=0xb6d4d810) at src/device.c:742
> 3 0xb6f81c3c in browse_request_cancel (req=0xb6fe3038) at src/device.c:777
> 4 0xb6f87066 in device_remove (device=0xb700ac00, remove_stored=0)
> at src/device.c:5238
> 5 0xb6f6b80c in adapter_remove (adapter=adapter@entry=0xb6fff2f0)
> at src/adapter.c:7822
> 6 0xb6f79068 in adapter_cleanup () at src/adapter.c:11707
> ---
> src/device.c | 1 +
> 1 file changed, 1 insertion(+)
> > diff --git a/src/device.c b/src/device.c > index 6a9936a..73b2c44 100644 > --- a/src/device.c > +++ b/src/device.c > @@ -5118,6 +5118,7 @@ static int device_browse_sdp(struct btd_device *device, DBusMessage *msg) > &device->bdaddr, &uuid, browse_cb, req, NULL, > req->sdp_flags); > if (err < 0) { > + device->browse = NULL; > browse_request_free(req); > return err; > } > -- > 1.7.9.5 Applied, thanks. -- Luiz Augusto von Dentz -- To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
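Review bot: the added `device->browse = NULL;` before `browse_request_free(req);` in the `err < 0` path of `device_browse_sdp()` closes the dangling-pointer window that the backtrace shows being dereferenced later via `device_remove()` -> `browse_request_cancel()` -> `attio_cleanup()`, but it only covers this one call site. The invariant being enforced is "device->browse never outlives the request it points to", and it would be more robust to enforce it where the request is freed, e.g. in `browse_request_free()` itself if the request carries a back-pointer to its device (not visible in this hunk, so an assumption), or in a small helper that clears the device's pointer and then frees. At minimum, the other `browse_request_free()` call sites in `src/device.c` should be audited for the same free-without-clearing pattern so the use-after-free is not reintroduced on another error path.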