Message ID | 20230826192421.7032-1-dev.git@javispedro.com |
---|---|
State | New |
Series | [BlueZ] shared/gatt-client: always send ATT confirmations |
This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=779641

---Test result---

Test Summary:
CheckPatch FAIL 0.73 seconds
GitLint PASS 0.31 seconds
BuildEll PASS 34.95 seconds
BluezMake PASS 1115.34 seconds
MakeCheck PASS 13.08 seconds
MakeDistcheck PASS 190.30 seconds
CheckValgrind PASS 306.89 seconds
CheckSmatch PASS 429.57 seconds
bluezmakeextell PASS 127.14 seconds
IncrementalBuild PASS 987.75 seconds
ScanBuild WARNING 1349.03 seconds

Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
[BlueZ] shared/gatt-client: always send ATT confirmations
WARNING:UNKNOWN_COMMIT_ID: Unknown commit id 'fde32ff9c9c0', maybe rebased or not pulled?
#51:
Commit fde32ff9c9c0 ("shared/gatt-client: Allow registering with NULL

WARNING:UNKNOWN_COMMIT_ID: Unknown commit id 'fde32ff9c9c0', maybe rebased or not pulled?
#66:
Fixes: fde32ff9c9c0 ("shared/gatt-client: Allow registering with NULL callback")

/github/workspace/src/src/13366653.patch total: 0 errors, 2 warnings, 74 lines checked

NOTE: For some of the reported defects, checkpatch may be able to mechanically convert to the typical style using --fix or --fix-inplace.

/github/workspace/src/src/13366653.patch has style problems, please review.

NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPDX_LICENSE_TAG SPLIT_STRING SSCANF_TO_KSTRTO

NOTE: If any of the errors are false positives, please report them to the maintainer, see CHECKPATCH in MAINTAINERS.

##############################
Test: ScanBuild - WARNING
Desc: Run Scan Build
Output:
src/shared/gatt-client.c:451:21: warning: Use of memory after it is freed
        gatt_db_unregister(op->client->db, op->db_id);
        ^~~~~~~~~~
src/shared/gatt-client.c:696:2: warning: Use of memory after it is freed
        discovery_op_complete(op, false, att_ecode);
        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:993:2: warning: Use of memory after it is freed
        discovery_op_complete(op, success, att_ecode);
        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1099:2: warning: Use of memory after it is freed
        discovery_op_complete(op, success, att_ecode);
        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1291:2: warning: Use of memory after it is freed
        discovery_op_complete(op, success, att_ecode);
        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1356:2: warning: Use of memory after it is freed
        discovery_op_complete(op, success, att_ecode);
        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1631:6: warning: Use of memory after it is freed
        if (read_db_hash(op)) {
        ^~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1636:2: warning: Use of memory after it is freed
        discover_all(op);
        ^~~~~~~~~~~~~~~~
src/shared/gatt-client.c:2140:6: warning: Use of memory after it is freed
        if (read_db_hash(op)) {
        ^~~~~~~~~~~~~~~~
src/shared/gatt-client.c:2148:8: warning: Use of memory after it is freed
        discovery_op_ref(op),
        ^~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:3237:2: warning: Use of memory after it is freed
        complete_write_long_op(req, success, 0, false);
        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:3259:2: warning: Use of memory after it is freed
        request_unref(req);
        ^~~~~~~~~~~~~~~~~~
12 warnings generated.

---
Regards,
Linux Bluetooth

Hi Javier,

On Sat, Aug 26, 2023 at 1:08 PM Javier de San Pedro <dev.git@javispedro.com> wrote:
>
> I noticed after upgrading 5.66->5.68 that Bluez was no longer sending
> confirmations (ATT opcode 0x1E) in response to indication opcodes (0x1D).
>
> Commit fde32ff9c9c0 ("shared/gatt-client: Allow registering with NULL
> callback") added an early return to the notify_cb function when the
> current client's notify_list is empty. However, in this case, we will
> also not send the confirmation back. This breaks protocol.
>
> The devices I have generally respond to this by stopping
> any new indications until ~15sec timeout or disconnection.
>
> As far as I can see, when using D-Bus API all notify handlers are always
> added on client clones, never on the 'root' client itself (the one
> with !client->parent), so for the root client the notify_list is always
> empty, making this issue very easy to trigger using D-Bus GATT API.
>
> Ensure that we always send the confirmation, even if notify_list is empty.
>
> Fixes: fde32ff9c9c0 ("shared/gatt-client: Allow registering with NULL callback")
> --- > src/shared/gatt-client.c | 57 ++++++++++++++++++++-------------------- > 1 file changed, 29 insertions(+), 28 deletions(-) > > diff --git a/src/shared/gatt-client.c b/src/shared/gatt-client.c > index efc013a20..56ecc6a8f 100644 > --- a/src/shared/gatt-client.c > +++ b/src/shared/gatt-client.c
> @@ -2230,45 +2230,46 @@ static void notify_cb(struct bt_att_chan *chan, uint8_t opcode, > void *user_data) > { > struct bt_gatt_client *client = user_data; > - struct value_data data; > - > - if (queue_isempty(client->notify_list)) > - return;

Instead of reversing the if logic here you could just use goto to where we handle the confirmation.

> > bt_gatt_client_ref(client); > > - memset(&data, 0, sizeof(data)); > + if (!queue_isempty(client->notify_list)) { > + struct value_data data; > > - if (opcode == BT_ATT_OP_HANDLE_NFY_MULT) { > - while (length >= 4) { > - data.handle = get_le16(pdu); > - length -= 2; > - pdu += 2; > + memset(&data, 0, sizeof(data)); > > - data.len = get_le16(pdu); > - length -= 2; > - pdu += 2; > + if (opcode == BT_ATT_OP_HANDLE_NFY_MULT) { > + while (length >= 4) { > + data.handle = get_le16(pdu); > + length -= 2; > + pdu += 2; > > - if (data.len > length) > - data.len = length; > + data.len = get_le16(pdu); > + length -= 2; > + pdu += 2; > > - data.data = pdu; > + if (data.len > length) > + data.len = length; > > - queue_foreach(client->notify_list, notify_handler, > - &data); > + data.data = pdu; > > - length -= data.len; > - pdu += data.len; > - } > - } else { > - data.handle = get_le16(pdu); > - length -= 2; > - pdu += 2; > + queue_foreach(client->notify_list, > + notify_handler, &data); > > - data.len = length; > - data.data = pdu; > + length -= data.len; > + pdu += data.len; > + } > + } else { > + data.handle = get_le16(pdu); > + length -= 2; > + pdu += 2; > + > + data.len = length; > + data.data = pdu; > > - queue_foreach(client->notify_list, notify_handler, &data); > + queue_foreach(client->notify_list, > + notify_handler, &data); > + } > } > > if (opcode == BT_ATT_OP_HANDLE_IND && !client->parent) > -- > 2.41.0 >
diff --git a/src/shared/gatt-client.c b/src/shared/gatt-client.c index efc013a20..56ecc6a8f 100644 --- a/src/shared/gatt-client.c +++ b/src/shared/gatt-client.c @@ -2230,45 +2230,46 @@ static void notify_cb(struct bt_att_chan *chan, uint8_t opcode, void *user_data) { struct bt_gatt_client *client = user_data; - struct value_data data; - - if (queue_isempty(client->notify_list)) - return; bt_gatt_client_ref(client); - memset(&data, 0, sizeof(data)); + if (!queue_isempty(client->notify_list)) { + struct value_data data; - if (opcode == BT_ATT_OP_HANDLE_NFY_MULT) { - while (length >= 4) { - data.handle = get_le16(pdu); - length -= 2; - pdu += 2; + memset(&data, 0, sizeof(data)); - data.len = get_le16(pdu); - length -= 2; - pdu += 2; + if (opcode == BT_ATT_OP_HANDLE_NFY_MULT) { + while (length >= 4) { + data.handle = get_le16(pdu); + length -= 2; + pdu += 2; - if (data.len > length) - data.len = length; + data.len = get_le16(pdu); + length -= 2; + pdu += 2; - data.data = pdu; + if (data.len > length) + data.len = length; - queue_foreach(client->notify_list, notify_handler, - &data); + data.data = pdu; - length -= data.len; - pdu += data.len; - } - } else { - data.handle = get_le16(pdu); - length -= 2; - pdu += 2; + queue_foreach(client->notify_list, + notify_handler, &data); - data.len = length; - data.data = pdu; + length -= data.len; + pdu += data.len; + } + } else { + data.handle = get_le16(pdu); + length -= 2; + pdu += 2; + + data.len = length; + data.data = pdu; - queue_foreach(client->notify_list, notify_handler, &data); + queue_foreach(client->notify_list, + notify_handler, &data); + } } if (opcode == BT_ATT_OP_HANDLE_IND && !client->parent)
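
Review bot: in the single-value else arm, data.handle = get_le16(pdu) and length -= 2 run with no length check anywhere in the visible lines, while the BT_ATT_OP_HANDLE_NFY_MULT loop is guarded by length >= 4 and clamps data.len. Since this block is being moved anyway, consider a guard such as "if (length < 2)" that skips the dispatch and falls through to the "opcode == BT_ATT_OP_HANDLE_IND && !client->parent" check, so a short PDU cannot underflow length before it is copied into data.len, and an indication still gets its confirmation. The extra nesting level also splits both queue_foreach(client->notify_list, notify_handler, &data) calls across two lines and buries the one behavioural change (dropping the early return on an empty notify_list) in 29 insertions; keeping the body at its original depth and jumping to the confirmation check when the list is empty would reduce the hunk to a few lines and make the fix easy to verify.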