Sync from SUSE:SLFO:Main bluez revision c9246ce2d339c00b66db7a2b600a472f
parent
f5c41b830c
commit
32cca21049
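--- a/Fix-crash-after-bt_uhid_unregister_all.patch
+++ b/Fix-crash-after-bt_uhid_unregister_all.patch
@@ -0,0 +1,121 @@
+From 9a6a84a8a2b9336c2cdb943146207cb8a5a5260c Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Mon, 16 Sep 2024 16:00:31 -0400
+Subject: [PATCH] shared/uhid: Fix crash after bt_uhid_unregister_all
+
+This fixes the following crash which happens when
+bt_uhid_unregister_all is called from a notification callback:
+
+Invalid read of size 8
+at 0x1D9EFF: queue_foreach (queue.c:206)
+by 0x1DEE58: uhid_read_handler (uhid.c:164)
+Address 0x51286d8 is 8 bytes inside a block of size 16 free'd
+at 0x48478EF: free (vg_replace_malloc.c:989)
+by 0x1DA08D: queue_remove_if (queue.c:292)
+by 0x1DA12F: queue_remove_all (queue.c:321)
+by 0x1DE592: bt_uhid_unregister_all (uhid.c:300)
+
+Fixes: https://github.com/bluez/bluez/issues/952
+---
+src/shared/uhid.c | 47 ++++++++++++++++++++++++++++++++++++++++++++---
+1 file changed, 44 insertions(+), 3 deletions(-)
+
+diff --git a/src/shared/uhid.c b/src/shared/uhid.c
+index ed21e1399..20bd26781 100644
+--- a/src/shared/uhid.c
++++ b/src/shared/uhid.c
+@@ -42,6 +42,7 @@ struct bt_uhid {
+int ref_count;
+struct io *io;
+unsigned int notify_id;
++ bool notifying;
+struct queue *notify_list;
+struct queue *input;
+uint8_t type;
+@@ -56,6 +57,7 @@ struct uhid_notify {
+uint32_t event;
+bt_uhid_callback_t func;
+void *user_data;
++ bool removed;
+};
+
+static void uhid_replay_free(struct uhid_replay *replay)
+@@ -134,6 +136,28 @@ static int bt_uhid_record(struct bt_uhid *uhid, bool input,
+return 0;
+}
+
++static bool match_removed(const void *a, const void *b)
++{
++ const struct uhid_notify *notify = a;
++
++ return notify->removed;
++}
++
++static void uhid_notify(struct bt_uhid *uhid, struct uhid_event *ev)
++{
++ /* Add a reference to the uhid to ensure it doesn't get freed while at
++ * notify_handler.
++ */
++ bt_uhid_ref(uhid);
++
++ uhid->notifying = true;
++ queue_foreach(uhid->notify_list, notify_handler, ev);
++ uhid->notifying = false;
++ queue_remove_all(uhid->notify_list, match_removed, NULL, free);
++
++ bt_uhid_unref(uhid);
++}
++
+static bool uhid_read_handler(struct io *io, void *user_data)
+{
+struct bt_uhid *uhid = user_data;
+@@ -161,7 +185,7 @@ static bool uhid_read_handler(struct io *io, void *user_data)
+break;
+}
+
+- queue_foreach(uhid->notify_list, notify_handler, &ev);
++ uhid_notify(uhid, &ev);
+
+return true;
+}
+@@ -292,13 +316,30 @@ static bool match_not_id(const void *a, const void *b)
+return notify->id != id;
+}
+
++static void uhid_notify_removed(void *data, void *user_data)
++{
++ struct uhid_notify *notify = data;
++ struct bt_uhid *uhid = user_data;
++
++ /* Skip marking start_id as removed since that is not removed with
++ * unregister all.
++ */
++ if (notify->id == uhid->start_id)
++ return;
++
++ notify->removed = true;
++}
++
+bool bt_uhid_unregister_all(struct bt_uhid *uhid)
+{
+if (!uhid)
+return false;
+
+- queue_remove_all(uhid->notify_list, match_not_id,
++ if (!uhid->notifying)
++ queue_remove_all(uhid->notify_list, match_not_id,
+UINT_TO_PTR(uhid->start_id), free);
++ else
++ queue_foreach(uhid->notify_list, uhid_notify_removed, uhid);
+
+return true;
+}
+@@ -588,7 +629,7 @@ int bt_uhid_replay(struct bt_uhid *uhid)
+return 0;
+}
+
+- queue_foreach(uhid->notify_list, notify_handler, ev);
++ uhid_notify(uhid, ev);
+
+return 0;
+}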
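Review bot: Entries that `uhid_notify_removed` flags during a dispatch stay on `notify_list` until `queue_foreach` returns in `uhid_notify`, and nothing in these hunks makes the dispatch skip them, so a callback that was just unregistered appears able to run later in the same pass with a `user_data` its owner may already have released. `notify_handler` lies outside the hunks; unless it already tests the flag, it should start with `if (notify->removed) return;`. The `notifying` flag is also a plain bool that `uhid_notify` clears unconditionally, so if a callback can re-enter it (for example through `bt_uhid_replay`, which now calls it too), the inner call would run `queue_remove_all(..., free)` while the outer iteration is still in progress. A depth counter instead of a bool would cover that case.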
BIN
bluez-5.77.tar.xz
(Stored with Git LFS)
BIN
bluez-5.77.tar.xz
(Stored with Git LFS)
Binary file not shown.
BIN
bluez-5.78.tar.xz
(Stored with Git LFS)
Normal file
BIN
bluez-5.78.tar.xz
(Stored with Git LFS)
Normal file
Binary file not shown.
@ -1,3 +1,28 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed Sep 18 08:35:40 UTC 2024 - pallas wept <pallaswept@proton.me>
|
||||
|
||||
- add Fix-crash-after-bt_uhid_unregister_all.patch to fix crashes
|
||||
when devices disconnect or go to sleep
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Sep 12 12:46:33 UTC 2024 - Martin Schreiner <martin.schreiner@suse.com>
|
||||
|
||||
- Mark the configuration files as 'noreplace'.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Sep 12 04:40:31 UTC 2024 - Martin Schreiner <martin.schreiner@suse.com>
|
||||
|
||||
- Update to 5.78:
|
||||
* Fix issue with handling notification of scanned BISes to BASS
|
||||
* Fix issue with handling checking BIS caps against peer caps.
|
||||
* Fix issue with handling MGMT Set Device Flags overwrites.
|
||||
* Fix issue with handling ASE notification order.
|
||||
* Fix issue with handling BIG Info report events.
|
||||
* Fix issue with handling PACS Server role.
|
||||
* Fix issue with registering UHID_START multiple times.
|
||||
* Fix issue with pairing method not setting auto-connect.
|
||||
- Fix 3 rpmlint warnings, some configuration files were not marked as so.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Aug 15 06:51:24 UTC 2024 - Stefan Seyfried <seife+obs@b1-systems.com>
|
||||
|
||||
|
11
bluez.spec
11
bluez.spec
@ -35,7 +35,7 @@
|
||||
%endif
|
||||
|
||||
Name: bluez
|
||||
Version: 5.77
|
||||
Version: 5.78
|
||||
Release: 0
|
||||
Summary: Bluetooth Stack for Linux
|
||||
License: GPL-2.0-or-later
|
||||
@ -62,6 +62,8 @@ Patch14: hcidump-Add-assoc-dump-function-assoc-date-length-ch.patch
|
||||
Patch15: hcidump-Fix-memory-leak-with-malformed-packet.patch
|
||||
# bsc#1013712 CVE-2016-9798
|
||||
Patch16: hcidump-Fixed-malformed-segment-frame-length.patch
|
||||
# Fix crash when devices disconnect or go to sleep. Upstream issue 952
|
||||
Patch17: Fix-crash-after-bt_uhid_unregister_all.patch
|
||||
# Upstream suggests to use btmon instead of hcidump and does not want those patches
|
||||
# => PATCH-FIX-OPENSUSE for those two :-)
|
||||
# fix some memory leak with malformed packet (reported upstream but not yet fixed)
|
||||
@ -422,6 +424,7 @@ done
|
||||
%{_mandir}/man1/bluetoothctl-player.1%{?ext_man}
|
||||
%{_mandir}/man1/bluetoothctl-scan.1%{?ext_man}
|
||||
%{_mandir}/man1/bluetoothctl-transport.1%{?ext_man}
|
||||
%{_mandir}/man1/bluetoothctl-assistant.1%{?ext_man}
|
||||
%{_mandir}/man1/btmgmt.1%{?ext_man}
|
||||
%{_mandir}/man5/org.bluez.*.5%{?ext_man}
|
||||
%{_datadir}/dbus-1/system.d/bluetooth.conf
|
||||
@ -437,9 +440,9 @@ done
|
||||
%{_datadir}/dbus-1/system-services/org.bluez.service
|
||||
# not packaged, boo#1151518
|
||||
###%%{_datadir}/dbus-1/system-services/org.bluez.mesh.service
|
||||
%{_sysconfdir}/bluetooth/input.conf
|
||||
%{_sysconfdir}/bluetooth/mesh-main.conf
|
||||
%{_sysconfdir}/bluetooth/network.conf
|
||||
%config(noreplace) %{_sysconfdir}/bluetooth/input.conf
|
||||
%config(noreplace) %{_sysconfdir}/bluetooth/mesh-main.conf
|
||||
%config(noreplace) %{_sysconfdir}/bluetooth/network.conf
|
||||
|
||||
%files obexd
|
||||
%{_libexecdir}/bluetooth/obexd
|
||||
|
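Review bot: The comment above `Patch17` does not say that the patch is an upstream backport or which commit it was taken from, which makes it harder to verify against upstream and to drop at the next version update. The patch header on this page names upstream commit 9a6a84a8a2b9336c2cdb943146207cb8a5a5260c and issue 952, and the neighbouring comments already use the `PATCH-FIX-OPENSUSE` tag style, so I would write `# PATCH-FIX-UPSTREAM Fix-crash-after-bt_uhid_unregister_all.patch gh#bluez/bluez#952 -- upstream commit 9a6a84a8a2b9` here. Whether the patch is actually applied depends on the %prep section, which is outside these hunks.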