From: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
If there are pending AcquireWrite or AcquireNotify when disconnecting
the attribute object may be freed (e.g. device is temporary) leading to
the following backtrace:
bluetoothd[369928]: src/gatt-database.c:gatt_db_service_removed() Local GATT service removed
bluetoothd[369928]: src/adapter.c:adapter_service_remove() /org/bluez/hci1
bluetoothd[369928]: src/adapter.c:remove_uuid() sending remove uuid command for index 1
bluetoothd[369928]: src/sdpd-service.c:remove_record_from_server() Removing record with handle 0x1002e
bluetoothd[369928]: src/gatt-database.c:send_notification_to_device() GATT server sending indication
bluetoothd[369928]: src/device.c:gatt_debug() Write Complete: err -125
bluetoothd[369928]: src/gatt-database.c:client_disconnect_cb() Client disconnected
bluetoothd[369928]: src/advertising.c:client_disconnect_cb() Client disconnected
bluetoothd[369928]: Failed to acquire write: org.freedesktop.DBus.Error.NoReply
Program received signal SIGSEGV, Segmentation fault.
0x0000555555631450 in acquire_write_reply (message=0x55555583dec0, user_data=0x555555843e40) at src/gatt-database.c:2437
2437 send_write(op->device, op->attrib, chrc->proxy, NULL, op->id,
---
src/gatt-database.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/src/gatt-database.c b/src/gatt-database.c
index c11d14b41..55fd28a54 100644
--- a/src/gatt-database.c
+++ b/src/gatt-database.c
@@ -2405,6 +2405,11 @@ static void acquire_write_reply(DBusMessage *message, void *user_data)
int fd;
uint16_t mtu;
+ if (!op->owner_queue) {
+ DBG("Pending write was canceled when object got removed");
+ return;
+ }
+
chrc = gatt_db_attribute_get_user_data(op->attrib);
dbus_error_init(&err);
@@ -2487,6 +2492,11 @@ static void acquire_notify_reply(DBusMessage *message, void *user_data)
int fd;
uint16_t mtu;
+ if (!op->owner_queue) {
+ DBG("Pending notify was canceled when object got removed");
+ return;
+ }
+
dbus_error_init(&err);
if (dbus_set_error_from_message(&err, message) == TRUE) {
--
2.21.1
