Bluetooth: host: Fix crash when receiving response after ATT timeout

Fix crash in ATT when the response for a request is received after
the ATT timeout has fired and the ATT channel has been detached.
Add similar handling for all ATT channel operations.

Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Joakim Andersson 2020-12-09 16:35:40 +01:00 committed by Carles Cufí
commit 577cd82b0d


@ -284,6 +284,11 @@ static void bt_att_sent(struct bt_l2cap_chan *ch)
atomic_clear_bit(chan->flags, ATT_PENDING_SENT);
if (!att) {
BT_DBG("Ignore sent on detached ATT chan");
return;
}
/* Process pending requests first since they require a response they
* can only be processed one at time while if other queues were
* processed before they may always contain a buffer starving the
@ -2433,6 +2438,11 @@ static int bt_att_recv(struct bt_l2cap_chan *chan, struct net_buf *buf)
BT_DBG("Received ATT chan %p code 0x%02x len %zu", att_chan, hdr->code,
net_buf_frags_len(buf));
if (!att_chan->att) {
BT_DBG("Ignore recv on detached ATT chan");
return 0;
}
for (i = 0, handler = NULL; i < ARRAY_SIZE(handlers); i++) {
if (hdr->code == handlers[i].op) {
handler = &handlers[i];
@ -2690,6 +2700,11 @@ static void bt_att_encrypt_change(struct bt_l2cap_chan *chan,
BT_DBG("chan %p conn %p handle %u sec_level 0x%02x status 0x%02x", ch,
conn, conn->handle, conn->sec_level, hci_status);
if (!att_chan->att) {
BT_DBG("Ignore encrypt change on detached ATT chan");
return;
}
/*
* If status (HCI status of security procedure) is non-zero, notify
* outstanding request about security failure.
@ -2734,6 +2749,11 @@ static void bt_att_status(struct bt_l2cap_chan *ch, atomic_t *status)
return;
}
if (!chan->att) {
BT_DBG("Ignore status on detached ATT chan");
return;
}
/* If there is a request pending don't attempt to send */
if (chan->req) {
return;
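Review bot: The new `if (!att_chan->att)` guard in bt_att_recv, like the matching guards in bt_att_encrypt_change and bt_att_status, tests the pointer once, and nothing visible in these hunks keeps it from being cleared right after the test. If the ATT timeout that detaches the channel runs in a different thread or work queue than these L2CAP callbacks, code after the guard can still dereference a NULL `att`, so the crash window would be narrowed rather than closed. Please record the assumption at the guard, for example `/* detach and this callback are serialised by <mechanism>, so att stays valid below */`, or take whatever lock the detach path holds if one exists. All four functions start and end outside the shown hunks, so the later uses of `att` and the detach path itself cannot be checked from here.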