When BLE disconnection happens, att_disconnect is triggered from two
locations; the newly added location is gatt_server_cleanup, which causes
several bluetoothd crashes. This bug is introduced by commit
634f0a6e1125af8d5959bff119d9336a8d81c028 (gatt fix: gatt subscriptions are
not cleared after disconnection from a temporary device with private/random
address). In order to work around this issue,
btd_gatt_database_att_disconnected can only be triggered when the address
type is random, and for others it can continue to use the original
disconnect code path.

crash 1

Program received signal SIGSEGV, Segmentation fault.
queue_remove (queue=0x30, data=data@entry=0x555555872a40) at /repo/src/shared/queue.c:256
256		for (entry = queue->head, prev = NULL; entry;
(gdb) backtrace
    at /bluez/repo/src/gatt-database.c:350
    at bluez/repo/src/shared/queue.c:220
    at bluez/repo/src/shared/att.c:592
    at bluez/repo/src/shared/io-glib.c:170

crash 2

    at bluez/repo/src/shared/queue.c:220
    at bluez/repo/src/shared/att.c:592
    at bluez/repo/src/shared/io-glib.c:170
(gdb) print state->db->adapter
Cannot access memory at address 0x61672f6269727474
---
 src/gatt-database.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/gatt-database.c b/src/gatt-database.c
index 783b692d5..2f0eb83b5 100644
--- a/src/gatt-database.c
+++ b/src/gatt-database.c
@@ -3365,6 +3365,8 @@ void btd_gatt_database_att_disconnected(struct btd_gatt_database *database,
 	addr = device_get_address(device);
 	type = btd_device_get_bdaddr_type(device);
 
+	if (type != BDADDR_LE_RANDOM)
+		return;
 	state = find_device_state(database, addr, type);
 	if (!state)
-- 
2.19.1.568.g152ad8e336-goog
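Review bot: the early return added before find_device_state() in btd_gatt_database_att_disconnected() keys the guard on address type, but the defect described in the message is that att_disconnect now fires from two locations (gatt_server_cleanup and the original path); nothing in this hunk stops both from running for a BDADDR_LE_RANDOM device, so the double cleanup that produced crash 2 (state->db->adapter at 0x61672f6269727474, whose bytes decode to the ASCII string "ttrib/ga", the signature of a state object already freed and its memory reused) is still reachable for that type. A more robust change is to remove the duplicate caller, or make the cleanup idempotent so the second invocation simply finds no state (the existing `if (!state)` branch already handles that case) rather than skipping the function for every public-address device. At minimum the two added lines need a comment explaining that this is a crash mitigation tied to commit 634f0a6e and why public/non-random addresses take the original disconnect path, since a bare `if (type != BDADDR_LE_RANDOM) return;` reads as a protocol-level decision to a future reader.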