SLFO-pool/bluez
SHA256
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Sync from SUSE:SLFO:Main bluez revision c9246ce2d339c00b66db7a2b600a472f

Browse Source
This commit is contained in:
Adrian Schröter 2024-10-03 17:04:38 +02:00
parent f5c41b830c
commit 32cca21049
5 changed files with 156 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

121
Fix-crash-after-bt_uhid_unregister_all.patch Normal file
View File

@ -0,0 +1,121 @@
From 9a6a84a8a2b9336c2cdb943146207cb8a5a5260c Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: Mon, 16 Sep 2024 16:00:31 -0400
Subject: [PATCH] shared/uhid: Fix crash after bt_uhid_unregister_all
This fixes the following crash which happens when
bt_uhid_unregister_all is called from a notification callback:
Invalid read of size 8
at 0x1D9EFF: queue_foreach (queue.c:206)
by 0x1DEE58: uhid_read_handler (uhid.c:164)
Address 0x51286d8 is 8 bytes inside a block of size 16 free'd
at 0x48478EF: free (vg_replace_malloc.c:989)
by 0x1DA08D: queue_remove_if (queue.c:292)
by 0x1DA12F: queue_remove_all (queue.c:321)
by 0x1DE592: bt_uhid_unregister_all (uhid.c:300)
Fixes: https://github.com/bluez/bluez/issues/952
---
src/shared/uhid.c | 47 ++++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 44 insertions(+), 3 deletions(-)
diff --git a/src/shared/uhid.c b/src/shared/uhid.c
index ed21e1399..20bd26781 100644
--- a/src/shared/uhid.c
+++ b/src/shared/uhid.c
@@ -42,6 +42,7 @@ struct bt_uhid {
int ref_count;
struct io *io;
unsigned int notify_id;
+ bool notifying;
struct queue *notify_list;
struct queue *input;
uint8_t type;
@@ -56,6 +57,7 @@ struct uhid_notify {
uint32_t event;
bt_uhid_callback_t func;
void *user_data;
+ bool removed;
};
static void uhid_replay_free(struct uhid_replay *replay)
@@ -134,6 +136,28 @@ static int bt_uhid_record(struct bt_uhid *uhid, bool input,
return 0;
}
+static bool match_removed(const void *a, const void *b)
+{
+ const struct uhid_notify *notify = a;
+
+ return notify->removed;
+}
+
+static void uhid_notify(struct bt_uhid *uhid, struct uhid_event *ev)
+{
+ /* Add a reference to the uhid to ensure it doesn't get freed while at
+ * notify_handler.
+ */
+ bt_uhid_ref(uhid);
+
+ uhid->notifying = true;
+ queue_foreach(uhid->notify_list, notify_handler, ev);
+ uhid->notifying = false;
+ queue_remove_all(uhid->notify_list, match_removed, NULL, free);
+
+ bt_uhid_unref(uhid);
+}
+
static bool uhid_read_handler(struct io *io, void *user_data)
{
struct bt_uhid *uhid = user_data;
@@ -161,7 +185,7 @@ static bool uhid_read_handler(struct io *io, void *user_data)
break;
}
- queue_foreach(uhid->notify_list, notify_handler, &ev);
+ uhid_notify(uhid, &ev);
return true;
}
@@ -292,13 +316,30 @@ static bool match_not_id(const void *a, const void *b)
return notify->id != id;
}
+static void uhid_notify_removed(void *data, void *user_data)
+{
+ struct uhid_notify *notify = data;
+ struct bt_uhid *uhid = user_data;
+
+ /* Skip marking start_id as removed since that is not removed with
+ * unregister all.
+ */
+ if (notify->id == uhid->start_id)
+ return;
+
+ notify->removed = true;
+}
+
bool bt_uhid_unregister_all(struct bt_uhid *uhid)
{
if (!uhid)
return false;
- queue_remove_all(uhid->notify_list, match_not_id,
+ if (!uhid->notifying)
+ queue_remove_all(uhid->notify_list, match_not_id,
UINT_TO_PTR(uhid->start_id), free);
+ else
+ queue_foreach(uhid->notify_list, uhid_notify_removed, uhid);
return true;
}
@@ -588,7 +629,7 @@ int bt_uhid_replay(struct bt_uhid *uhid)
return 0;
}
- queue_foreach(uhid->notify_list, notify_handler, ev);
+ uhid_notify(uhid, ev);
return 0;
}

BIN
bluez-5.77.tar.xz (Stored with Git LFS)
View File

Binary file not shown.

BIN
bluez-5.78.tar.xz (Stored with Git LFS) Normal file
View File

Binary file not shown.

25
bluez.changes
View File

@ -1,3 +1,28 @@
-------------------------------------------------------------------
Wed Sep 18 08:35:40 UTC 2024 - pallas wept <pallaswept@proton.me>
- add Fix-crash-after-bt_uhid_unregister_all.patch to fix crashes
when devices disconnect or go to sleep
-------------------------------------------------------------------
Thu Sep 12 12:46:33 UTC 2024 - Martin Schreiner <martin.schreiner@suse.com>
- Mark the configuration files as 'noreplace'.
-------------------------------------------------------------------
Thu Sep 12 04:40:31 UTC 2024 - Martin Schreiner <martin.schreiner@suse.com>
- Update to 5.78:
* Fix issue with handling notification of scanned BISes to BASS
* Fix issue with handling checking BIS caps against peer caps.
* Fix issue with handling MGMT Set Device Flags overwrites.
* Fix issue with handling ASE notification order.
* Fix issue with handling BIG Info report events.
* Fix issue with handling PACS Server role.
* Fix issue with registering UHID_START multiple times.
* Fix issue with pairing method not setting auto-connect.
- Fix 3 rpmlint warnings, some configuration files were not marked as so.
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Aug 15 06:51:24 UTC 2024 - Stefan Seyfried <seife+obs@b1-systems.com> Thu Aug 15 06:51:24 UTC 2024 - Stefan Seyfried <seife+obs@b1-systems.com>

11
bluez.spec
View File

@ -35,7 +35,7 @@
%endif %endif
Name: bluez Name: bluez
Version: 5.77 Version: 5.78
Release: 0 Release: 0
Summary: Bluetooth Stack for Linux Summary: Bluetooth Stack for Linux
License: GPL-2.0-or-later License: GPL-2.0-or-later
@ -62,6 +62,8 @@ Patch14: hcidump-Add-assoc-dump-function-assoc-date-length-ch.patch
Patch15: hcidump-Fix-memory-leak-with-malformed-packet.patch Patch15: hcidump-Fix-memory-leak-with-malformed-packet.patch
# bsc#1013712 CVE-2016-9798 # bsc#1013712 CVE-2016-9798
Patch16: hcidump-Fixed-malformed-segment-frame-length.patch Patch16: hcidump-Fixed-malformed-segment-frame-length.patch
# Fix crash when devices disconnect or go to sleep. Upstream issue 952
Patch17: Fix-crash-after-bt_uhid_unregister_all.patch
# Upstream suggests to use btmon instead of hcidump and does not want those patches # Upstream suggests to use btmon instead of hcidump and does not want those patches
# => PATCH-FIX-OPENSUSE for those two :-) # => PATCH-FIX-OPENSUSE for those two :-)
# fix some memory leak with malformed packet (reported upstream but not yet fixed) # fix some memory leak with malformed packet (reported upstream but not yet fixed)
@ -422,6 +424,7 @@ done
%{_mandir}/man1/bluetoothctl-player.1%{?ext_man} %{_mandir}/man1/bluetoothctl-player.1%{?ext_man}
%{_mandir}/man1/bluetoothctl-scan.1%{?ext_man} %{_mandir}/man1/bluetoothctl-scan.1%{?ext_man}
%{_mandir}/man1/bluetoothctl-transport.1%{?ext_man} %{_mandir}/man1/bluetoothctl-transport.1%{?ext_man}
%{_mandir}/man1/bluetoothctl-assistant.1%{?ext_man}
%{_mandir}/man1/btmgmt.1%{?ext_man} %{_mandir}/man1/btmgmt.1%{?ext_man}
%{_mandir}/man5/org.bluez.*.5%{?ext_man} %{_mandir}/man5/org.bluez.*.5%{?ext_man}
%{_datadir}/dbus-1/system.d/bluetooth.conf %{_datadir}/dbus-1/system.d/bluetooth.conf
@ -437,9 +440,9 @@ done
%{_datadir}/dbus-1/system-services/org.bluez.service %{_datadir}/dbus-1/system-services/org.bluez.service
# not packaged, boo#1151518 # not packaged, boo#1151518
###%%{_datadir}/dbus-1/system-services/org.bluez.mesh.service ###%%{_datadir}/dbus-1/system-services/org.bluez.mesh.service
%{_sysconfdir}/bluetooth/input.conf %config(noreplace) %{_sysconfdir}/bluetooth/input.conf
%{_sysconfdir}/bluetooth/mesh-main.conf %config(noreplace) %{_sysconfdir}/bluetooth/mesh-main.conf
%{_sysconfdir}/bluetooth/network.conf %config(noreplace) %{_sysconfdir}/bluetooth/network.conf
%files obexd %files obexd
%{_libexecdir}/bluetooth/obexd %{_libexecdir}/bluetooth/obexd