From c8c680e14a2f299fe1825c6981edcdbe131cf2fd Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz
Date: Thu, 24 Aug 2017 15:08:50 +0300
Subject: [PATCH] gatt: Fix crash while disconnecting

The following crash happens if user shutdown the its pipe before the device gets disconnected:

Invalid read of size 8
at 0x4E47ED: io_shutdown (io-glib.c:285)
by 0x4D1366: queue_remove_all (queue.c:351)
by 0x4A1D22: btd_gatt_client_disconnected (gatt-client.c:2207)
by 0x4A517B: att_disconnected_cb (device.c:4663)
by 0x4D5945: disconn_handler (att.c:538)
by 0x4D0FBF: queue_foreach (queue.c:220)
by 0x4D75D9: disconnect_cb (att.c:590)
by 0x4E419A: watch_callback (io-glib.c:170)
by 0x50CD246: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.5200.3)
by 0x50CD5E7: ??? (in /usr/lib64/libglib-2.0.so.0.5200.3)
by 0x50CD901: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.5200.3)
by 0x40CD0E: main (main.c:781)
Address 0x9240bc8 is 8 bytes inside a block of size 40 free'd
at 0x4C2FD18: free (vg_replace_malloc.c:530)
by 0x50D2B4D: g_free (in /usr/lib64/libglib-2.0.so.0.5200.3)
by 0x4E4200: io_unref (io-glib.c:68)
by 0x4E4257: watch_destroy (io-glib.c:107)
by 0x50C9C67: ??? (in /usr/lib64/libglib-2.0.so.0.5200.3)
by 0x50CD27B: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.5200.3)
by 0x50CD5E7: ??? (in /usr/lib64/libglib-2.0.so.0.5200.3)
by 0x50CD901: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.5200.3)
by 0x40CD0E: main (main.c:781)
---
 src/gatt-client.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/src/gatt-client.c b/src/gatt-client.c
index 1cd7fbcf5..419dadb99 100644
--- a/src/gatt-client.c
+++ b/src/gatt-client.c
@@ -1087,6 +1087,8 @@ static void pipe_io_destroy(struct pipe_io *io)
 static void characteristic_destroy_pipe(struct characteristic *chrc,
 struct io *io)
 {
+ queue_remove(chrc->service->client->ios, io);
+
 if (chrc->write_io && io == chrc->write_io->io) {
 pipe_io_destroy(chrc->write_io);
 chrc->write_io = NULL;
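Review bot: The new `queue_remove(chrc->service->client->ios, io);` at the top of characteristic_destroy_pipe carries an ordering constraint that nothing in the code states: it must run before pipe_io_destroy() releases the pipe_io that owns `io`, otherwise the disconnect path quoted in the commit message (btd_gatt_client_disconnected → queue_remove_all → io_shutdown) can again reach a freed io. A one-line comment above the call would keep a future reorder from reintroducing the read-after-free, e.g. `/* Unlink io from client->ios before it is released so a later disconnect cannot io_shutdown() a dangling pointer */`. The same ordering holds for both added queue_remove calls in the characteristic_free hunk, so the comment belongs with this helper and a short cross-reference there. The body of characteristic_destroy_pipe continues past the end of this hunk, so its notify_io branch is not visible here.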
@@ -1584,8 +1586,7 @@ static DBusMessage *characteristic_stop_notify(DBusConnection *conn,
 return btd_error_failed(msg, "No notify session started");
 
 if (chrc->notify_io) {
- pipe_io_destroy(chrc->notify_io);
- chrc->notify_io = NULL;
+ characteristic_destroy_pipe(chrc, chrc->notify_io->io);
 return dbus_message_new_method_return(msg);
 }
 
@@ -1646,11 +1647,15 @@ static void characteristic_free(void *data)
 queue_destroy(chrc->descs, NULL);
 queue_destroy(chrc->notify_clients, NULL);
 
- if (chrc->write_io)
+ if (chrc->write_io) {
+ queue_remove(chrc->service->client->ios, chrc->write_io->io);
 pipe_io_destroy(chrc->write_io);
+ }
 
- if (chrc->notify_io)
+ if (chrc->notify_io) {
+ queue_remove(chrc->service->client->ios, chrc->notify_io->io);
 pipe_io_destroy(chrc->notify_io);
+ }
 
 g_free(chrc->path);
 free(chrc);
-- 
2.47.3
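Review bot: The removed `chrc->notify_io = NULL;` is now expected to happen inside characteristic_destroy_pipe, but the only part of that helper visible in this patch (the first hunk) is the write_io branch, which cannot match when the argument is `chrc->notify_io->io`. It is worth confirming that the helper's notify branch, outside the first hunk, both calls pipe_io_destroy(chrc->notify_io) and clears the pointer; if it leaves `chrc->notify_io` set, a second StopNotify on the same characteristic would dereference and destroy an already-released pipe_io, which is the same class of bug this commit fixes. characteristic_stop_notify starts and ends outside this hunk.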
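Review bot: characteristic_free now open-codes the same two-step teardown (queue_remove, then pipe_io_destroy) that characteristic_destroy_pipe performs and that characteristic_stop_notify was just switched to call, so the ordering rule lives in three places. If the helper has no side effects beyond the branch visible in the first hunk, `characteristic_destroy_pipe(chrc, chrc->write_io->io);` and `characteristic_destroy_pipe(chrc, chrc->notify_io->io);` would replace the two blocks and keep the rule in one place. This is also the first time characteristic_free dereferences `chrc->service->client->ios`; it should be confirmed that the client and its ios queue are still alive when characteristics are freed during client teardown, since otherwise this fix trades one stale-pointer read for another. characteristic_free starts outside this hunk.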