[PATCH BlueZ] device: Fix crash freeing device

From: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>

Calling gatt_db_register with NULL pointers makes no sense since it does
nothing when the callbacks are NULL, so the callbacks are still reachable,
causing invalid memory to be accessed:

Invalid read of size 8
   at 0x50EAFDC: g_slist_find_custom (in /usr/lib64/libglib-2.0.so.0.5000.3)
   by 0x46CDA1: gatt_service_removed (device.c:3563)
   by 0x4896F8: queue_foreach (queue.c:220)
   by 0x4951FB: notify_service_changed (gatt-db.c:268)
   by 0x4951FB: gatt_db_service_destroy (gatt-db.c:279)
   by 0x4898F5: queue_remove_all (queue.c:336)
   by 0x4952E2: gatt_db_clear_range (gatt-db.c:461)
   by 0x48F32B: discovery_op_unref (gatt-client.c:447)
   by 0x4979AA: bt_gatt_request_unref (gatt-helpers.c:594)
   by 0x490489: bt_gatt_client_cancel_all (gatt-client.c:2083)
   by 0x4904D8: bt_gatt_client_free (gatt-client.c:1752)
   by 0x46CF70: gatt_client_cleanup (device.c:561)
   by 0x46D01A: attio_cleanup (device.c:586)
 Address 0x86cb940 is 0 bytes inside a block of size 16 free'd
   at 0x4C2ED4A: free (vg_replace_malloc.c:530)
   by 0x50D16CD: g_free (in /usr/lib64/libglib-2.0.so.0.5000.3)
   by 0x50EA743: g_slice_free_chain_with_offset (in /usr/lib64/libglib-2.0.so.0.5000.3)
   by 0x46D18C: device_free (device.c:638)
   by 0x485B05: remove_interface (object.c:667)
   by 0x485FF9: g_dbus_unregister_interface (object.c:1391)
   by 0x45EFA9: btd_adapter_remove_device (adapter.c:1200)
   by 0x45FBC3: dev_disconnected (adapter.c:6800)
   by 0x48A1A5: request_complete (mgmt.c:261)
   by 0x48AC0B: can_read_data (mgmt.c:353)
   by 0x496954: watch_callback (io-glib.c:170)
   by 0x50CBE51: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.5000.3)
---
 src/device.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/device.c b/src/device.c
index 9736bb6..fb9c0e7 100644
--- a/src/device.c
+++ b/src/device.c
@@ -225,6 +225,7 @@ struct btd_device {
 	 * attribute cache support can be built.
 	 */
 	struct gatt_db *db;			/* GATT db cache */
+	unsigned int db_id;
 	struct bt_gatt_client *client;		/* GATT client instance */
 	struct bt_gatt_server *server;		/* GATT server instance */
 	unsigned int gatt_ready_id;
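Review bot: the new `db_id` member is added without the trailing comment that its neighbours in this struct carry (`/* GATT db cache */`, `/* GATT client instance */`), and nothing in the patch says what it holds; suggest `unsigned int db_id; /* gatt_db_register() id */` so a reader of `struct btd_device` can tell it is the registration handle that `device_free` later passes to `gatt_db_unregister`.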
@@ -644,7 +645,7 @@ static void device_free(gpointer user_data)
 	g_slist_free_full(device->svc_callbacks, svc_dev_remove);
 
 	/* Reset callbacks since the device is going to be freed */
-	gatt_db_register(device->db, NULL, NULL, NULL, NULL);
+	gatt_db_unregister(device->db, device->db_id);
 
 	attio_cleanup(device);
 
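Review bot: the comment "Reset callbacks since the device is going to be freed" above the changed line still describes the old `gatt_db_register(..., NULL, NULL, NULL, NULL)` approach; with the call now replaced by `gatt_db_unregister(device->db, device->db_id)` it should read "Unregister callbacks since the device is going to be freed" so the comment matches the code. Also worth confirming that `gatt_db_unregister` tolerates an id that was never successfully registered (the value `device_new` stores when `gatt_db_register` fails), since `device_free` calls it unconditionally; if it does not, guard the call with `if (device->db_id)`.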
@@ -3666,8 +3667,8 @@ static struct btd_device *device_new(struct btd_adapter *adapter,
 	device->adapter = adapter;
 	device->temporary = true;
 
-	gatt_db_register(device->db, gatt_service_added, gatt_service_removed,
-								device, NULL);
+	device->db_id = gatt_db_register(device->db, gatt_service_added,
+					gatt_service_removed, device, NULL);
 
 	return btd_device_ref(device);
 }
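Review bot: the id returned by `gatt_db_register` is stored in `device->db_id` but never checked, so if registration fails `device_new` continues silently and the device will never receive `gatt_service_added`/`gatt_service_removed` notifications; consider at least logging a failed registration here so the missing callbacks are diagnosable rather than showing up later as unexplained behaviour. Storing the id itself is the right fix for the use-after-free in the commit message, since the old NULL re-registration left the original callbacks (and the freed `device` pointer they carry as user data) reachable from the db.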
-- 
2.9.4
