https://bugzilla.kernel.org/show_bug.cgi?id=198685

Bug ID: 198685
Summary: bluez 5.48 memory use after free crash
Product: Drivers
Version: 2.5
Kernel Version: 4.14.16-300.fc27.x86_64
Hardware: All
OS: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: Bluetooth
Assignee: linux-bluetooth@xxxxxxxxxxxxxxx
Reporter: npmccallum@xxxxxxxxxx
Regression: No

==7643== Invalid read of size 8
==7643==    at 0x181119: register_notify_io_cb (gatt-client.c:1437)
==7643==    by 0x1AD2EF: complete_notify_request (gatt-client.c:1215)
==7643==    by 0x1AD2EF: enable_ccc_callback (gatt-client.c:1297)
==7643==    by 0x1AA597: handle_rsp (att.c:713)
==7643==    by 0x1AA597: can_read_data (att.c:885)
==7643==    by 0x1B3362: watch_callback (io-glib.c:170)
==7643==    by 0x4E87A66: g_main_dispatch (gmain.c:3177)
==7643==    by 0x4E87A66: g_main_context_dispatch (gmain.c:3830)
==7643==    by 0x4E87E0F: g_main_context_iterate.isra.21 (gmain.c:3903)
==7643==    by 0x4E88121: g_main_loop_run (gmain.c:4099)
==7643==    by 0x1260FA: main (main.c:770)
==7643==  Address 0x7b956e0 is 0 bytes inside a block of size 32 free'd
==7643==    at 0x4C30D18: free (vg_replace_malloc.c:530)
==7643==    by 0x180602: pipe_io_destroy (gatt-client.c:1082)
==7643==    by 0x180667: characteristic_destroy_pipe (gatt-client.c:1104)
==7643==    by 0x180717: characteristic_pipe_hup (gatt-client.c:1119)
==7643==    by 0x1B3362: watch_callback (io-glib.c:170)
==7643==    by 0x4E87A66: g_main_dispatch (gmain.c:3177)
==7643==    by 0x4E87A66: g_main_context_dispatch (gmain.c:3830)
==7643==    by 0x4E87E0F: g_main_context_iterate.isra.21 (gmain.c:3903)
==7643==    by 0x4E88121: g_main_loop_run (gmain.c:4099)
==7643==    by 0x1260FA: main (main.c:770)
==7643==  Block was alloc'd at
==7643==    at 0x4C2FB6B: malloc (vg_replace_malloc.c:299)
==7643==    by 0x1A576D: btd_malloc (util.c:46)
==7643==    by 0x180923: notify_client_create (gatt-client.c:1330)
==7643==    by 0x180C68: characteristic_acquire_notify (gatt-client.c:1486)
==7643==    by 0x1A1F8A: process_message.isra.7 (object.c:259)
==7643==    by 0x51773DF: _dbus_object_tree_dispatch_and_unlock (dbus-object-tree.c:1020)
==7643==    by 0x5168209: dbus_connection_dispatch (dbus-connection.c:4744)
==7643==    by 0x19E80F: message_dispatch (mainloop.c:72)
==7643==    by 0x4E84436: g_idle_dispatch (gmain.c:5535)
==7643==    by 0x4E87A66: g_main_dispatch (gmain.c:3177)
==7643==    by 0x4E87A66: g_main_context_dispatch (gmain.c:3830)
==7643==    by 0x4E87E0F: g_main_context_iterate.isra.21 (gmain.c:3903)
==7643==    by 0x4E88121: g_main_loop_run (gmain.c:4099)

It looks like characteristic_pipe_hup() frees the chrc but leaves around a reference to it. I run into this every time I call AcquireNotify in the GATT interface.
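A minimal C model of the lifetime bug the trace shows, added here as an illustration and not bluez code (the struct names are hypothetical stand-ins, and a poison flag replaces the real free() so the stale read is observable without undefined behaviour): an in-flight ATT request keeps a raw pointer to the notify client, the pipe HUP tears the client down first, and the response callback then reads through the dangling pointer. The hardened variant cancels the pending request when the owner is destroyed.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical stand-ins for bluez's notify_client and its pending ATT
 * request; the raw back-pointer is the dangling reference in the trace. */
struct att_request;
struct notify_client {
    bool destroyed;              /* poison flag in place of free(), so the stale
                                    read is observable without undefined behaviour */
    struct att_request *pending; /* hardened variant: owner tracks its request */
};
struct att_request {
    struct notify_client *client;
    bool cancelled;
};
/* Models the CCC write from enable_ccc: the request remembers its owner. */
static struct att_request *att_send(struct notify_client *c)
{
    struct att_request *req = calloc(1, sizeof(*req));
    req->client = c;
    c->pending = req;
    return req;
}
/* Models the HUP path (characteristic_pipe_hup -> pipe_io_destroy). Hardened:
 * cancel the in-flight request before tearing down its owner. Original:
 * destroy the owner and leave req->client dangling. */
static void notify_client_destroy(struct notify_client *c, bool hardened)
{
    if (hardened && c->pending)
        c->pending->cancelled = true;
    c->destroyed = true;
}
/* Models the response path (complete_notify_request -> register_notify_io_cb).
 * Returns 0 for a skipped cancelled request, 1 for a live client, -1 when it
 * touched an already-destroyed client, i.e. the reported invalid read. */
static int complete_request(struct att_request *req)
{
    int rc = 0;
    if (!req->cancelled)
        rc = req->client->destroyed ? -1 : 1;
    free(req);
    return rc;
}
/* The sequence from the report: HUP fires before the ATT response arrives. */
int hup_before_response(bool hardened)
{
    struct notify_client c = { 0 };
    struct att_request *req = att_send(&c);
    notify_client_destroy(&c, hardened);
    return complete_request(req);
}
```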