diff -Nru bluez-4.101/debian/changelog bluez-4.101/debian/changelog
--- bluez-4.101/debian/changelog 2014-12-19 16:14:53.000000000 +0000
+++ bluez-4.101/debian/changelog 2015-01-14 20:48:45.000000000 +0000
@@ -1,3 +1,14 @@
+bluez (4.101-0ubuntu22) vivid; urgency=medium
+
+ * debian/patches/fix_armhf_hcigetconninfo_free.patch: drop, fails in some
+ cases to properly fix the issue.
+ * debian/patches/fix_hcigetconninfo.patch: replaces the patch above; double
+ the size of the memory requested to hold struct hci_conn_info; which
+ should allow enough space for the kernel to write the connection data in
+ all cases. (LP: #1400827)
+
+ -- Mathieu Trudel-Lapierre Wed, 14 Jan 2015 11:26:22 -0500
+
 bluez (4.101-0ubuntu21) vivid; urgency=medium

 * debian/patches/fix_armhf_hcigetconninfo_free.patch: fix alignment on armhf:
diff -Nru bluez-4.101/debian/patches/fix_armhf_hcigetconninfo_free.patch bluez-4.101/debian/patches/fix_armhf_hcigetconninfo_free.patch
--- bluez-4.101/debian/patches/fix_armhf_hcigetconninfo_free.patch 2014-12-17 17:20:39.000000000 +0000
+++ bluez-4.101/debian/patches/fix_armhf_hcigetconninfo_free.patch 1970-01-01 00:00:00.000000000 +0000
@@ -1,400 +0,0 @@
-From: Mathieu Trudel-Lapierre
-Subject: Fix alignment for HCIGETCONNINFO.
-
-HACK ALERT: This is very brittle. It will likely blow up in flames if the
-hci_conn_info / hci_conn_info_req structures change.
-
-Deal with the alignment requirements for ARM by aligning the memory request
-to the size of 'struct hci_conn_info'; it's not too likely to change (but it's
-still possible, see above), and it just happens to be 16 bytes, which serves
-our purpose well.
-
-This is required because as you malloc the memory space required to hold the
-request and response for the HCIGETCONNINFO ioctl, it doesn't take into
-consideration that on some architectures, the kernel may be padding data for
-you as required by the architecture. Doing so means we get more data for the
-pointer than we allocated, and freeing that data will therefore fail:
-
- *** Error in `./toto': free(): invalid next size (fast): 0x0009f008 ***
-
-With this patch we're aligning to word boundary because hci_conn_info's size
-is fortunately, for now, a multiple of it.
-
----
- plugins/hciops.c | 7 ++
- tools/hcitool.c | 148 +++++++++++++++++++++++++++++++++----------------------
- 2 files changed, 96 insertions(+), 59 deletions(-)
-
-Index: b/plugins/hciops.c
-===================================================================
---- a/plugins/hciops.c
-+++ b/plugins/hciops.c
-@@ -826,7 +826,12 @@ static int hciops_encrypt_link(int index
- if (dd < 0)
- return -errno;
-
-- cr = g_malloc0(sizeof(*cr) + sizeof(struct hci_conn_info));
-+ err = posix_memalign((void **)&cr,
-+ sizeof(struct hci_conn_info),
-+ sizeof(*cr) + sizeof(struct hci_conn_info));
-+ if (err < 0)
-+ goto fail;
-+
- cr->type = ACL_LINK;
- bacpy(&cr->bdaddr, dst);
-
-Index: b/tools/hcitool.c
-===================================================================
---- a/tools/hcitool.c
-+++ b/tools/hcitool.c
-@@ -716,8 +716,12 @@ static void cmd_scan(int dev_id, int arg
- cc = 0;
-
- if (extinf) {
-- cr = malloc(sizeof(*cr) + sizeof(struct hci_conn_info));
-- if (cr) {
-+ int err = 0;
-+
-+ err = posix_memalign((void **)&cr,
-+ sizeof(struct hci_conn_info),
-+ sizeof(*cr) + sizeof(struct hci_conn_info));
-+ if (err == 0) {
- bacpy(&cr->bdaddr, &(info+i)->bdaddr);
- cr->type = ACL_LINK;
- if (ioctl(dd, HCIGETCONNINFO, (unsigned long) cr) < 0) {
-@@ -881,7 +885,7 @@ static void cmd_info(int dev_id, int arg
- struct hci_version version;
- struct hci_dev_info di;
- struct hci_conn_info_req *cr;
-- int i, opt, dd, cc = 0;
-+ int i, opt, dd, cc = 0, err;
-
- for_each_opt(opt, info_options, NULL) {
- switch (opt) {
-@@ -918,9 +922,11 @@ static void cmd_info(int dev_id, int arg
- exit(1);
- }
-
-- cr = malloc(sizeof(*cr) + sizeof(struct hci_conn_info));
-- if (!cr) {
-- perror("Can't get connection info");
-+ err = posix_memalign((void **)&cr,
-+ sizeof(struct hci_conn_info),
-+ sizeof(*cr) + sizeof(struct hci_conn_info));
-+ if (err < 0) {
-+ fprintf(stderr, "Can't get connection info:", strerror(err));
- close(dd);
- exit(1);
- }
-@@ -1296,7 +1302,7 @@ static void cmd_dc(int dev_id, int argc,
- struct hci_conn_info_req *cr;
- bdaddr_t bdaddr;
- uint8_t reason;
-- int opt, dd;
-+ int opt, dd, err;
-
- for_each_opt(opt, dc_options, NULL) {
- switch (opt) {
-@@ -1324,9 +1330,11 @@ static void cmd_dc(int dev_id, int argc,
- exit(1);
- }
-
-- cr = malloc(sizeof(*cr) + sizeof(struct hci_conn_info));
-- if (!cr) {
-- perror("Can't allocate memory");
-+ err = posix_memalign((void **)&cr,
-+ sizeof(struct hci_conn_info),
-+ sizeof(*cr) + sizeof(struct hci_conn_info));
-+ if (err < 0) {
-+ fprintf(stderr, "Can't allocate memory:", strerror(err));
- exit(1);
- }
-
-@@ -1423,7 +1431,7 @@ static void cmd_rssi(int dev_id, int arg
- struct hci_conn_info_req *cr;
- bdaddr_t bdaddr;
- int8_t rssi;
-- int opt, dd;
-+ int opt, dd, err;
-
- for_each_opt(opt, rssi_options, NULL) {
- switch (opt) {
-@@ -1450,9 +1458,11 @@ static void cmd_rssi(int dev_id, int arg
- exit(1);
- }
-
-- cr = malloc(sizeof(*cr) + sizeof(struct hci_conn_info));
-- if (!cr) {
-- perror("Can't allocate memory");
-+ err = posix_memalign((void **)&cr,
-+ sizeof(struct hci_conn_info),
-+ sizeof(*cr) + sizeof(struct hci_conn_info));
-+ if (err < 0) {
-+ fprintf(stderr, "Can't allocate memory:", strerror(err));
- exit(1);
- }
-
-@@ -1491,7 +1501,7 @@ static void cmd_lq(int dev_id, int argc,
- struct hci_conn_info_req *cr;
- bdaddr_t bdaddr;
- uint8_t lq;
-- int opt, dd;
-+ int opt, dd, err;
-
- for_each_opt(opt, lq_options, NULL) {
- switch (opt) {
-@@ -1518,9 +1528,11 @@ static void cmd_lq(int dev_id, int argc,
- exit(1);
- }
-
-- cr = malloc(sizeof(*cr) + sizeof(struct hci_conn_info));
-- if (!cr) {
-- perror("Can't allocate memory");
-+ err = posix_memalign((void **)&cr,
-+ sizeof(struct hci_conn_info),
-+ sizeof(*cr) + sizeof(struct hci_conn_info));
-+ if (err < 0) {
-+ fprintf(stderr, "Can't allocate memory:", strerror(err));
- exit(1);
- }
-
-@@ -1560,7 +1572,7 @@ static void cmd_tpl(int dev_id, int argc
- bdaddr_t bdaddr;
- uint8_t type;
- int8_t level;
-- int opt, dd;
-+ int opt, dd, err;
-
- for_each_opt(opt, tpl_options, NULL) {
- switch (opt) {
-@@ -1588,9 +1600,11 @@ static void cmd_tpl(int dev_id, int argc
- exit(1);
- }
-
-- cr = malloc(sizeof(*cr) + sizeof(struct hci_conn_info));
-- if (!cr) {
-- perror("Can't allocate memory");
-+ err = posix_memalign((void **)&cr,
-+ sizeof(struct hci_conn_info),
-+ sizeof(*cr) + sizeof(struct hci_conn_info));
-+ if (err < 0) {
-+ fprintf(stderr, "Can't allocate memory:", strerror(err));
- exit(1);
- }
-
-@@ -1631,7 +1645,7 @@ static void cmd_afh(int dev_id, int argc
- bdaddr_t bdaddr;
- uint16_t handle;
- uint8_t mode, map[10];
-- int opt, dd;
-+ int opt, dd, err;
-
- for_each_opt(opt, afh_options, NULL) {
- switch (opt) {
-@@ -1658,9 +1672,11 @@ static void cmd_afh(int dev_id, int argc
- exit(1);
- }
-
-- cr = malloc(sizeof(*cr) + sizeof(struct hci_conn_info));
-- if (!cr) {
-- perror("Can't allocate memory");
-+ err = posix_memalign((void **)&cr,
-+ sizeof(struct hci_conn_info),
-+ sizeof(*cr) + sizeof(struct hci_conn_info));
-+ if (err < 0) {
-+ fprintf(stderr, "Can't allocate memory:", strerror(err));
- exit(1);
- }
-
-@@ -1711,7 +1727,7 @@ static void cmd_cpt(int dev_id, int argc
- evt_conn_ptype_changed rp;
- bdaddr_t bdaddr;
- unsigned int ptype;
-- int dd, opt;
-+ int dd, opt, err;
-
- for_each_opt(opt, cpt_options, NULL) {
- switch (opt) {
-@@ -1739,9 +1755,11 @@ static void cmd_cpt(int dev_id, int argc
- exit(1);
- }
-
-- cr = malloc(sizeof(*cr) + sizeof(struct hci_conn_info));
-- if (!cr) {
-- perror("Can't allocate memory");
-+ err = posix_memalign((void **)&cr,
-+ sizeof(struct hci_conn_info),
-+ sizeof(*cr) + sizeof(struct hci_conn_info));
-+ if (err < 0) {
-+ fprintf(stderr, "Can't allocate memory:", strerror(err));
- exit(1);
- }
-
-@@ -1790,7 +1808,7 @@ static void cmd_lp(int dev_id, int argc,
- struct hci_conn_info_req *cr;
- bdaddr_t bdaddr;
- uint16_t policy;
-- int opt, dd;
-+ int opt, dd, err;
-
- for_each_opt(opt, lp_options, NULL) {
- switch (opt) {
-@@ -1817,9 +1835,11 @@ static void cmd_lp(int dev_id, int argc,
- exit(1);
- }
-
-- cr = malloc(sizeof(*cr) + sizeof(struct hci_conn_info));
-- if (!cr) {
-- perror("Can't allocate memory");
-+ err = posix_memalign((void **)&cr,
-+ sizeof(struct hci_conn_info),
-+ sizeof(*cr) + sizeof(struct hci_conn_info));
-+ if (err < 0) {
-+ fprintf(stderr, "Can't allocate memory:", strerror(err));
- exit(1);
- }
-
-@@ -1883,7 +1903,7 @@ static void cmd_lst(int dev_id, int argc
- struct hci_conn_info_req *cr;
- bdaddr_t bdaddr;
- uint16_t timeout;
-- int opt, dd;
-+ int opt, dd, err;
-
- for_each_opt(opt, lst_options, NULL) {
- switch (opt) {
-@@ -1910,9 +1930,11 @@ static void cmd_lst(int dev_id, int argc
- exit(1);
- }
-
-- cr = malloc(sizeof(*cr) + sizeof(struct hci_conn_info));
-- if (!cr) {
-- perror("Can't allocate memory");
-+ err = posix_memalign((void **)&cr,
-+ sizeof(struct hci_conn_info),
-+ sizeof(*cr) + sizeof(struct hci_conn_info));
-+ if (err < 0) {
-+ fprintf(stderr, "Can't allocate memory:", strerror(err));
- exit(1);
- }
-
-@@ -1967,7 +1989,7 @@ static void cmd_auth(int dev_id, int arg
- {
- struct hci_conn_info_req *cr;
- bdaddr_t bdaddr;
-- int opt, dd;
-+ int opt, dd, err;
-
- for_each_opt(opt, auth_options, NULL) {
- switch (opt) {
-@@ -1994,9 +2016,11 @@ static void cmd_auth(int dev_id, int arg
- exit(1);
- }
-
-- cr = malloc(sizeof(*cr) + sizeof(struct hci_conn_info));
-- if (!cr) {
-- perror("Can't allocate memory");
-+ err = posix_memalign((void **)&cr,
-+ sizeof(struct hci_conn_info),
-+ sizeof(*cr) + sizeof(struct hci_conn_info));
-+ if (err < 0) {
-+ fprintf(stderr, "Can't allocate memory:", strerror(err));
- exit(1);
- }
-
-@@ -2033,7 +2057,7 @@ static void cmd_enc(int dev_id, int argc
- struct hci_conn_info_req *cr;
- bdaddr_t bdaddr;
- uint8_t encrypt;
-- int opt, dd;
-+ int opt, dd, err;
-
- for_each_opt(opt, enc_options, NULL) {
- switch (opt) {
-@@ -2060,9 +2084,11 @@ static void cmd_enc(int dev_id, int argc
- exit(1);
- }
-
-- cr = malloc(sizeof(*cr) + sizeof(struct hci_conn_info));
-- if (!cr) {
-- perror("Can't allocate memory");
-+ err = posix_memalign((void **)&cr,
-+ sizeof(struct hci_conn_info),
-+ sizeof(*cr) + sizeof(struct hci_conn_info));
-+ if (err < 0) {
-+ fprintf(stderr, "Can't allocate memory:", strerror(err));
- exit(1);
- }
-
-@@ -2100,7 +2126,7 @@ static void cmd_key(int dev_id, int argc
- {
- struct hci_conn_info_req *cr;
- bdaddr_t bdaddr;
-- int opt, dd;
-+ int opt, dd, err;
-
- for_each_opt(opt, key_options, NULL) {
- switch (opt) {
-@@ -2127,9 +2153,11 @@ static void cmd_key(int dev_id, int argc
- exit(1);
- }
-
-- cr = malloc(sizeof(*cr) + sizeof(struct hci_conn_info));
-- if (!cr) {
-- perror("Can't allocate memory");
-+ err = posix_memalign((void **)&cr,
-+ sizeof(struct hci_conn_info),
-+ sizeof(*cr) + sizeof(struct hci_conn_info));
-+ if (err < 0) {
-+ fprintf(stderr, "Can't allocate memory:", strerror(err));
- exit(1);
- }
-
-@@ -2166,7 +2194,7 @@ static void cmd_clkoff(int dev_id, int a
- struct hci_conn_info_req *cr;
- bdaddr_t bdaddr;
- uint16_t offset;
-- int opt, dd;
-+ int opt, dd, err;
-
- for_each_opt(opt, clkoff_options, NULL) {
- switch (opt) {
-@@ -2193,9 +2221,11 @@ static void cmd_clkoff(int dev_id, int a
- exit(1);
- }
-
-- cr = malloc(sizeof(*cr) + sizeof(struct hci_conn_info));
-- if (!cr) {
-- perror("Can't allocate memory");
-+ err = posix_memalign((void **)&cr,
-+ sizeof(struct hci_conn_info),
-+ sizeof(*cr) + sizeof(struct hci_conn_info));
-+ if (err < 0) {
-+ fprintf(stderr, "Can't allocate memory:", strerror(err));
- exit(1);
- }
-
-@@ -2236,7 +2266,7 @@ static void cmd_clock(int dev_id, int ar
- uint8_t which;
- uint32_t handle, clock;
- uint16_t accuracy;
-- int opt, dd;
-+ int opt, dd, err;
-
- for_each_opt(opt, clock_options, NULL) {
- switch (opt) {
-@@ -2270,9 +2300,11 @@ static void cmd_clock(int dev_id, int ar
- }
-
- if (bacmp(&bdaddr, BDADDR_ANY)) {
-- cr = malloc(sizeof(*cr) + sizeof(struct hci_conn_info));
-- if (!cr) {
-- perror("Can't allocate memory");
-+ err = posix_memalign((void **)&cr,
-+ sizeof(struct hci_conn_info),
-+ sizeof(*cr) + sizeof(struct hci_conn_info));
-+ if (err < 0) {
-+ fprintf(stderr, "Can't allocate memory:", strerror(err));
- exit(1);
- }
-
diff -Nru bluez-4.101/debian/patches/fix_hcigetconninfo.patch bluez-4.101/debian/patches/fix_hcigetconninfo.patch
--- bluez-4.101/debian/patches/fix_hcigetconninfo.patch 1970-01-01 00:00:00.000000000 +0000
+++ bluez-4.101/debian/patches/fix_hcigetconninfo.patch 2015-01-14 19:08:55.000000000 +0000
@@ -0,0 +1,181 @@
+From: Mathieu Trudel-Lapierre
+Subject: Allow more space for struct hci_conn_info
+
+HACK ALERT: This is very brittle. It will likely blow up in flames if the
+hci_conn_info / hci_conn_info_req structures change.
+
+Deal with the alignment requirements for ARM by requesting more memory from
+malloc, double the size of 'struct hci_conn_info'.
+
+This is required because as you malloc the memory space required to hold the
+request and response for the HCIGETCONNINFO ioctl, it doesn't take into
+consideration that on some architectures, the kernel may be padding data for
+you as required by the architecture. Doing so means we get more data for the
+pointer than we allocated, and freeing that data will therefore fail:
+
+ *** Error in `./toto': free(): invalid next size (fast): 0x0009f008 ***
+
+With this patch we're simply requesting more space (twice the size of
+struct hci_conn_info; so 32 bytes); which means we have 16 more bytes
+allocated for us in hope to catch the extra padding from the kernel.
+
+I've calculated the extra to about 12 bytes if all variables are aligned
+to a word boundary in that struct.
+
+---
+ plugins/hciops.c | 2 +-
+ tools/hcitool.c | 30 +++++++++++++++---------------
+ 2 files changed, 16 insertions(+), 16 deletions(-)
+
+Index: b/plugins/hciops.c
+===================================================================
+--- a/plugins/hciops.c
++++ b/plugins/hciops.c
+@@ -826,7 +826,7 @@ static int hciops_encrypt_link(int index
+ if (dd < 0)
+ return -errno;
+
+- cr = g_malloc0(sizeof(*cr) + sizeof(struct hci_conn_info));
++ cr = g_malloc0(sizeof(*cr) + 2*sizeof(struct hci_conn_info));
+ cr->type = ACL_LINK;
+ bacpy(&cr->bdaddr, dst);
+
+Index: b/tools/hcitool.c
+===================================================================
+--- a/tools/hcitool.c
++++ b/tools/hcitool.c
+@@ -716,7 +716,7 @@ static void cmd_scan(int dev_id, int arg
+ cc = 0;
+
+ if (extinf) {
+- cr = malloc(sizeof(*cr) + sizeof(struct hci_conn_info));
++ cr = malloc(sizeof(*cr) + 2*sizeof(struct hci_conn_info));
+ if (cr) {
+ bacpy(&cr->bdaddr, &(info+i)->bdaddr);
+ cr->type = ACL_LINK;
+@@ -918,7 +918,7 @@ static void cmd_info(int dev_id, int arg
+ exit(1);
+ }
+
+- cr = malloc(sizeof(*cr) + sizeof(struct hci_conn_info));
++ cr = malloc(sizeof(*cr) + 2*sizeof(struct hci_conn_info));
+ if (!cr) {
+ perror("Can't get connection info");
+ close(dd);
+@@ -1324,7 +1324,7 @@ static void cmd_dc(int dev_id, int argc,
+ exit(1);
+ }
+
+- cr = malloc(sizeof(*cr) + sizeof(struct hci_conn_info));
++ cr = malloc(sizeof(*cr) + 2*sizeof(struct hci_conn_info));
+ if (!cr) {
+ perror("Can't allocate memory");
+ exit(1);
+@@ -1450,7 +1450,7 @@ static void cmd_rssi(int dev_id, int arg
+ exit(1);
+ }
+
+- cr = malloc(sizeof(*cr) + sizeof(struct hci_conn_info));
++ cr = malloc(sizeof(*cr) + 2*sizeof(struct hci_conn_info));
+ if (!cr) {
+ perror("Can't allocate memory");
+ exit(1);
+@@ -1518,7 +1518,7 @@ static void cmd_lq(int dev_id, int argc,
+ exit(1);
+ }
+
+- cr = malloc(sizeof(*cr) + sizeof(struct hci_conn_info));
++ cr = malloc(sizeof(*cr) + 2*sizeof(struct hci_conn_info));
+ if (!cr) {
+ perror("Can't allocate memory");
+ exit(1);
+@@ -1588,7 +1588,7 @@ static void cmd_tpl(int dev_id, int argc
+ exit(1);
+ }
+
+- cr = malloc(sizeof(*cr) + sizeof(struct hci_conn_info));
++ cr = malloc(sizeof(*cr) + 2*sizeof(struct hci_conn_info));
+ if (!cr) {
+ perror("Can't allocate memory");
+ exit(1);
+@@ -1658,7 +1658,7 @@ static void cmd_afh(int dev_id, int argc
+ exit(1);
+ }
+
+- cr = malloc(sizeof(*cr) + sizeof(struct hci_conn_info));
++ cr = malloc(sizeof(*cr) + 2*sizeof(struct hci_conn_info));
+ if (!cr) {
+ perror("Can't allocate memory");
+ exit(1);
+@@ -1739,7 +1739,7 @@ static void cmd_cpt(int dev_id, int argc
+ exit(1);
+ }
+
+- cr = malloc(sizeof(*cr) + sizeof(struct hci_conn_info));
++ cr = malloc(sizeof(*cr) + 2*sizeof(struct hci_conn_info));
+ if (!cr) {
+ perror("Can't allocate memory");
+ exit(1);
+@@ -1817,7 +1817,7 @@ static void cmd_lp(int dev_id, int argc,
+ exit(1);
+ }
+
+- cr = malloc(sizeof(*cr) + sizeof(struct hci_conn_info));
++ cr = malloc(sizeof(*cr) + 2*sizeof(struct hci_conn_info));
+ if (!cr) {
+ perror("Can't allocate memory");
+ exit(1);
+@@ -1910,7 +1910,7 @@ static void cmd_lst(int dev_id, int argc
+ exit(1);
+ }
+
+- cr = malloc(sizeof(*cr) + sizeof(struct hci_conn_info));
++ cr = malloc(sizeof(*cr) + 2*sizeof(struct hci_conn_info));
+ if (!cr) {
+ perror("Can't allocate memory");
+ exit(1);
+@@ -1994,7 +1994,7 @@ static void cmd_auth(int dev_id, int arg
+ exit(1);
+ }
+
+- cr = malloc(sizeof(*cr) + sizeof(struct hci_conn_info));
++ cr = malloc(sizeof(*cr) + 2*sizeof(struct hci_conn_info));
+ if (!cr) {
+ perror("Can't allocate memory");
+ exit(1);
+@@ -2060,7 +2060,7 @@ static void cmd_enc(int dev_id, int argc
+ exit(1);
+ }
+
+- cr = malloc(sizeof(*cr) + sizeof(struct hci_conn_info));
++ cr = malloc(sizeof(*cr) + 2*sizeof(struct hci_conn_info));
+ if (!cr) {
+ perror("Can't allocate memory");
+ exit(1);
+@@ -2127,7 +2127,7 @@ static void cmd_key(int dev_id, int argc
+ exit(1);
+ }
+
+- cr = malloc(sizeof(*cr) + sizeof(struct hci_conn_info));
++ cr = malloc(sizeof(*cr) + 2*sizeof(struct hci_conn_info));
+ if (!cr) {
+ perror("Can't allocate memory");
+ exit(1);
+@@ -2193,7 +2193,7 @@ static void cmd_clkoff(int dev_id, int a
+ exit(1);
+ }
+
+- cr = malloc(sizeof(*cr) + sizeof(struct hci_conn_info));
++ cr = malloc(sizeof(*cr) + 2*sizeof(struct hci_conn_info));
+ if (!cr) {
+ perror("Can't allocate memory");
+ exit(1);
+@@ -2270,7 +2270,7 @@ static void cmd_clock(int dev_id, int ar
+ }
+
+ if (bacmp(&bdaddr, BDADDR_ANY)) {
+- cr = malloc(sizeof(*cr) + sizeof(struct hci_conn_info));
++ cr = malloc(sizeof(*cr) + 2*sizeof(struct hci_conn_info));
+ if (!cr) {
+ perror("Can't allocate memory");
+ exit(1);
diff -Nru bluez-4.101/debian/patches/series bluez-4.101/debian/patches/series
--- bluez-4.101/debian/patches/series 2014-12-17 02:35:44.000000000 +0000
+++ bluez-4.101/debian/patches/series 2015-01-14 16:28:57.000000000 +0000
@@ -21,4 +21,4 @@
 sco_watch_hup_workaround_mako.patch
 ssp_parameter.patch
 telephony_ofono_disable_inband_default.patch
-fix_armhf_hcigetconninfo_free.patch
+fix_hcigetconninfo.patch
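Review bot: The `2*sizeof(struct hci_conn_info)` added in fix_hcigetconninfo.patch (once in `hciops_encrypt_link` in plugins/hciops.c and at the fifteen `cmd_*` allocations in tools/hcitool.c) is a guessed margin rather than a bound. The patch description says the kernel writes more than was allocated, and `free(): invalid next size` is the allocator noticing that heap overwrite, so a layout difference larger than the extra 16 bytes would corrupt the heap again with no error from the ioctl. The factor is also repeated sixteen times with no in-code explanation; I would put it behind one definition, for example `#define HCI_CONN_INFO_REQ_LEN (sizeof(struct hci_conn_info_req) + 2 * sizeof(struct hci_conn_info)) /* slack for kernel-side padding, see LP: #1400827 */`, and use that at every call site. The durable fix is presumably to reconcile the userspace and kernel layouts of `struct hci_conn_info_req` so that `HCIGETCONNINFO` writes exactly what was allocated. Every enclosing function starts and ends outside its hunk, so the later use and release of `cr` cannot be checked from here.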