[bionic] bluetoothd segfault when you cancel the keyboard pairing during the dialog for the pairing code
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OEM Priority Project | Fix Released | Critical | Alex Tu |
bluez (Ubuntu) | Fix Released | High | Unassigned |
Bionic | Won't Fix | High | Alex Tu |
Eoan | Fix Released | High | Unassigned |
Focal | Fix Released | High | Unassigned |
Groovy | Fix Released | High | Unassigned |
Bug Description
[Impact]
This patch is for this issue:
Steps:
1. pair a Bluetooth keyboard
2. see the dialog asking the user to input the pairing code.
3. press "esc" to cancel it.
4. a bluetoothd segfault shows in dmesg after a while.
5. Bluetooth shows as off in the settings UI at the top-right corner. dmesg shows:
[ 978.138593] bluetoothd[1569]: segfault at 0 ip 000055564abe0a06 sp 00007ffe4bec6410 error 4 in bluetoothd[
[Test Case]
1. pair a Bluetooth keyboard
2. see the dialog asking the user to input the pairing code.
3. press "esc" to cancel it.
4. Bluetooth should still work to pair another Bluetooth device.
[Regression Potential]
* This patch works around the case where a queue node was created but not yet assigned a function before the user inputs the pairing keycode. If the user cancels the pairing before inputting the pairing keycode, then the function pointer is assigned a dummy 'direct_match'.
* Bluetoothd responds to Bluetooth functions and "queue" is a shared common data structure, so if a regression happens then the bluetoothd systemd service would crash.
* We can verify this by adding/removing BT devices to trigger queue operations.
* I verified on the target machine (BIOS ID: 0983) with a BT mouse, keyboard and headset, checking pairing, removal and functionality.
[Other Info]
* NO.
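The workaround described under [Regression Potential], as an added illustration that is not bluez's own src/shared/queue.c: a minimal singly-linked queue whose queue_remove_if() treats a NULL match function as a direct pointer comparison instead of returning early, so a node that never got its match function assigned can still be removed on cancel. The third parameter name (user_data) and the helper functions are assumptions for this example.

```c
/* Minimal stand-in for bluez's shared queue (added example, not the project's code). */
#include <stddef.h>
#include <stdlib.h>
#include <stdbool.h>

typedef bool (*queue_match_func_t)(const void *data, const void *match_data);

struct queue_entry { void *data; struct queue_entry *next; };
struct queue { struct queue_entry *head; struct queue_entry *tail; unsigned int entries; };

/* direct_match: the dummy matcher, succeeds when the stored pointer is match_data itself. */
static bool direct_match(const void *data, const void *match_data) { return data == match_data; }

struct queue *queue_new(void) { return calloc(1, sizeof(struct queue)); }

bool queue_push_tail(struct queue *queue, void *data)
{
    struct queue_entry *entry;
    if (!queue) return false;
    entry = malloc(sizeof(*entry));
    if (!entry) return false;
    entry->data = data;
    entry->next = NULL;
    if (queue->tail) queue->tail->next = entry; else queue->head = entry;
    queue->tail = entry;
    queue->entries++;
    return true;
}

/* Remove and return the first matching entry. Before the fix a NULL function
 * returned NULL immediately, leaving the half-initialised node in the queue. */
void *queue_remove_if(struct queue *queue, queue_match_func_t function, void *user_data)
{
    struct queue_entry *entry, *prev = NULL;
    void *data;
    if (!queue) return NULL;
    if (!function) function = direct_match;   /* the fix: fall back to direct match */
    for (entry = queue->head; entry; prev = entry, entry = entry->next) {
        if (!function(entry->data, user_data)) continue;
        if (prev) prev->next = entry->next; else queue->head = entry->next;
        if (entry == queue->tail) queue->tail = prev;
        queue->entries--;
        data = entry->data;
        free(entry);
        return data;
    }
    return NULL;
}
```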
Changed in bluez (Ubuntu): status: Incomplete → In Progress
description: updated
description: updated
Changed in bluez (Ubuntu Bionic): status: In Progress → Confirmed
Changed in oem-priority: status: In Progress → Fix Released
After this patch, the issue cannot be reproduced: 5f6ea87b7f7355c 689c045a80 (HEAD -> refs/heads/master)
commit 24249e091ab3a93
Author: Luiz Augusto von Dentz <email address hidden>
Date: Mon Apr 9 14:48:41 2018 +0300
shared/queue: Handle NULL as direct match on queue_remove_if
As with queue_find when function is set to NULL use direct_match as
callback.
diff --git a/src/shared/ queue.c b/src/shared/ queue.c .60df11143 100644 queue.c queue.c remove_ if(struct queue *queue, queue_match_func_t function,
index 5ddb8326d.
--- a/src/shared/
+++ b/src/shared/
@@ -280,9 +280,12 @@ void *queue_
{
struct queue_entry *entry, *prev = NULL;
- if (!queue || !function)
return NULL;
+ if (!queue)
+ if (!function)
+ function = direct_match;
+
entry = queue->head;
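Review bot: as the hunk reads, the added `+ if (!queue)` line has no body, because the unchanged `return NULL;` context line sits above it rather than below it; if that is the order the patch actually applies, a NULL queue falls through to `entry = queue->head;` and dereferences NULL. Confirm the intended sequence is `if (!queue)` followed by `return NULL;`, then `if (!function)` / `function = direct_match;`, and add a line to the queue_remove_if() comment stating that a NULL function now means a direct pointer match, matching the queue_find behaviour the commit message cites.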