Accepting request 1222453 from Base:System
OBS-URL: https://build.opensuse.org/request/show/1222453 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/bluez?expand=0&rev=209
commit
ef8133416a
@ -1,121 +0,0 @@
|
||||
From 9a6a84a8a2b9336c2cdb943146207cb8a5a5260c Mon Sep 17 00:00:00 2001
|
||||
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
|
||||
Date: Mon, 16 Sep 2024 16:00:31 -0400
|
||||
Subject: [PATCH] shared/uhid: Fix crash after bt_uhid_unregister_all
|
||||
|
||||
This fixes the following crash which happens when
|
||||
bt_uhid_unregister_all is called from a notification callback:
|
||||
|
||||
Invalid read of size 8
|
||||
at 0x1D9EFF: queue_foreach (queue.c:206)
|
||||
by 0x1DEE58: uhid_read_handler (uhid.c:164)
|
||||
Address 0x51286d8 is 8 bytes inside a block of size 16 free'd
|
||||
at 0x48478EF: free (vg_replace_malloc.c:989)
|
||||
by 0x1DA08D: queue_remove_if (queue.c:292)
|
||||
by 0x1DA12F: queue_remove_all (queue.c:321)
|
||||
by 0x1DE592: bt_uhid_unregister_all (uhid.c:300)
|
||||
|
||||
Fixes: https://github.com/bluez/bluez/issues/952
|
||||
---
|
||||
src/shared/uhid.c | 47 ++++++++++++++++++++++++++++++++++++++++++++---
|
||||
1 file changed, 44 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/shared/uhid.c b/src/shared/uhid.c
|
||||
index ed21e1399..20bd26781 100644
|
||||
--- a/src/shared/uhid.c
|
||||
+++ b/src/shared/uhid.c
|
||||
@@ -42,6 +42,7 @@ struct bt_uhid {
|
||||
int ref_count;
|
||||
struct io *io;
|
||||
unsigned int notify_id;
|
||||
+ bool notifying;
|
||||
struct queue *notify_list;
|
||||
struct queue *input;
|
||||
uint8_t type;
|
||||
@@ -56,6 +57,7 @@ struct uhid_notify {
|
||||
uint32_t event;
|
||||
bt_uhid_callback_t func;
|
||||
void *user_data;
|
||||
+ bool removed;
|
||||
};
|
||||
|
||||
static void uhid_replay_free(struct uhid_replay *replay)
|
||||
@@ -134,6 +136,28 @@ static int bt_uhid_record(struct bt_uhid *uhid, bool input,
|
||||
return 0;
|
||||
}
|
||||
|
||||
+static bool match_removed(const void *a, const void *b)
|
||||
+{
|
||||
+ const struct uhid_notify *notify = a;
|
||||
+
|
||||
+ return notify->removed;
|
||||
+}
|
||||
+
|
||||
+static void uhid_notify(struct bt_uhid *uhid, struct uhid_event *ev)
|
||||
+{
|
||||
+ /* Add a reference to the uhid to ensure it doesn't get freed while at
|
||||
+ * notify_handler.
|
||||
+ */
|
||||
+ bt_uhid_ref(uhid);
|
||||
+
|
||||
+ uhid->notifying = true;
|
||||
+ queue_foreach(uhid->notify_list, notify_handler, ev);
|
||||
+ uhid->notifying = false;
|
||||
+ queue_remove_all(uhid->notify_list, match_removed, NULL, free);
|
||||
+
|
||||
+ bt_uhid_unref(uhid);
|
||||
+}
|
||||
+
|
||||
static bool uhid_read_handler(struct io *io, void *user_data)
|
||||
{
|
||||
struct bt_uhid *uhid = user_data;
|
||||
@@ -161,7 +185,7 @@ static bool uhid_read_handler(struct io *io, void *user_data)
|
||||
break;
|
||||
}
|
||||
|
||||
- queue_foreach(uhid->notify_list, notify_handler, &ev);
|
||||
+ uhid_notify(uhid, &ev);
|
||||
|
||||
return true;
|
||||
}
|
||||
@@ -292,13 +316,30 @@ static bool match_not_id(const void *a, const void *b)
|
||||
return notify->id != id;
|
||||
}
|
||||
|
||||
+static void uhid_notify_removed(void *data, void *user_data)
|
||||
+{
|
||||
+ struct uhid_notify *notify = data;
|
||||
+ struct bt_uhid *uhid = user_data;
|
||||
+
|
||||
+ /* Skip marking start_id as removed since that is not removed with
|
||||
+ * unregister all.
|
||||
+ */
|
||||
+ if (notify->id == uhid->start_id)
|
||||
+ return;
|
||||
+
|
||||
+ notify->removed = true;
|
||||
+}
|
||||
+
|
||||
bool bt_uhid_unregister_all(struct bt_uhid *uhid)
|
||||
{
|
||||
if (!uhid)
|
||||
return false;
|
||||
|
||||
- queue_remove_all(uhid->notify_list, match_not_id,
|
||||
+ if (!uhid->notifying)
|
||||
+ queue_remove_all(uhid->notify_list, match_not_id,
|
||||
UINT_TO_PTR(uhid->start_id), free);
|
||||
+ else
|
||||
+ queue_foreach(uhid->notify_list, uhid_notify_removed, uhid);
|
||||
|
||||
return true;
|
||||
}
|
||||
@@ -588,7 +629,7 @@ int bt_uhid_replay(struct bt_uhid *uhid)
|
||||
return 0;
|
||||
}
|
||||
|
||||
- queue_foreach(uhid->notify_list, notify_handler, ev);
|
||||
+ uhid_notify(uhid, ev);
|
||||
|
||||
return 0;
|
||||
}
|
BIN
bluez-5.78.tar.xz
(Stored with Git LFS)
BIN
bluez-5.78.tar.xz
(Stored with Git LFS)
Binary file not shown.
3
bluez-5.79.tar.xz
Normal file
3
bluez-5.79.tar.xz
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:4164a5303a9f71c70f48c03ff60be34231b568d93a9ad5e79928d34e6aa0ea8a
|
||||
size 2457612
|
@ -1,3 +1,14 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed Nov 6 08:16:30 UTC 2024 - Frederic Crozat <fcrozat@suse.com>
|
||||
|
||||
- Update to 5.79:
|
||||
* Fix issue with handling address type while pairing.
|
||||
* Add support for allowing to set A2DP transport delay.
|
||||
* Add support for persistent userspace HID operation.
|
||||
* Add support for handling syncing to multiple BISes.
|
||||
- Drop Fix-crash-after-bt_uhid_unregister_all.patch, merged
|
||||
upstream.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Sep 18 08:35:40 UTC 2024 - pallas wept <pallaswept@proton.me>
|
||||
|
||||
|
@ -35,7 +35,7 @@
|
||||
%endif
|
||||
|
||||
Name: bluez
|
||||
Version: 5.78
|
||||
Version: 5.79
|
||||
Release: 0
|
||||
Summary: Bluetooth Stack for Linux
|
||||
License: GPL-2.0-or-later
|
||||
@ -62,8 +62,6 @@ Patch14: hcidump-Add-assoc-dump-function-assoc-date-length-ch.patch
|
||||
Patch15: hcidump-Fix-memory-leak-with-malformed-packet.patch
|
||||
# bsc#1013712 CVE-2016-9798
|
||||
Patch16: hcidump-Fixed-malformed-segment-frame-length.patch
|
||||
# Fix crash when devices disconnect or go to sleep. Upstream issue 952
|
||||
Patch17: Fix-crash-after-bt_uhid_unregister_all.patch
|
||||
# Upstream suggests to use btmon instead of hcidump and does not want those patches
|
||||
# => PATCH-FIX-OPENSUSE for those two :-)
|
||||
# fix some memory leak with malformed packet (reported upstream but not yet fixed)
|
||||
@ -427,6 +425,7 @@ done
|
||||
%{_mandir}/man1/bluetoothctl-assistant.1%{?ext_man}
|
||||
%{_mandir}/man1/btmgmt.1%{?ext_man}
|
||||
%{_mandir}/man5/org.bluez.*.5%{?ext_man}
|
||||
%{_mandir}/man7/hci.7%{?ext_man}
|
||||
%{_datadir}/dbus-1/system.d/bluetooth.conf
|
||||
# not packaged, boo#1151518
|
||||
###%%{_datadir}/dbus-1/system.d/bluetooth-mesh.conf
|
||||
@ -437,6 +436,7 @@ done
|
||||
%if %{with mesh}
|
||||
%{_unitdir}/bluetooth-mesh.service
|
||||
%endif
|
||||
%{_userunitdir}/mpris-proxy.service
|
||||
%{_datadir}/dbus-1/system-services/org.bluez.service
|
||||
# not packaged, boo#1151518
|
||||
###%%{_datadir}/dbus-1/system-services/org.bluez.mesh.service
|
||||
|
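Review bot: Dropping `Patch17` in the second spec hunk (`@ -62,8 +62,6 @`) removes the downstream fix for a use-after-free in the uhid notify path, and the only evidence on this page that the 5.79 tarball carries it is the changelog phrase "merged upstream". The deleted patch header names upstream commit 9a6a84a8a2b9336c2cdb943146207cb8a5a5260c and issue 952, so the changelog entry could record them, e.g. `- Drop Fix-crash-after-bt_uhid_unregister_all.patch, merged upstream (commit 9a6a84a8a2b9, upstream issue 952).`. That lets a later reviewer check the fix against the shipped `src/shared/uhid.c` rather than take it on trust. The `%prep` section is outside the visible hunks, so whether an explicit application of patch 17 also had to be removed cannot be checked from here.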