* [PATCH BlueZ 0/1]  bap: Remove entry of deleted device from bcast_pa_requests queue
@ 2024-03-29 15:39 Vlad Pruteanu
  2024-03-29 15:40 ` [PATCH BlueZ 1/1] " Vlad Pruteanu
  0 siblings, 1 reply; 4+ messages in thread
From: Vlad Pruteanu @ 2024-03-29 15:39 UTC (permalink / raw)
  To: linux-bluetooth
  Cc: mihai-octavian.urzica, silviu.barbulescu, iulia.tanasescu,
	andrei.istodorescu, luiz.dentz, Vlad Pruteanu

Currently, if a Broadcast Source device is removed, its entry in
bcast_pa_requests remains active. Thus, if the removal is done before
short_lived_pa_sync is called, crashes such as the one listed below
can occur. This patch fixes this by removing the deleted devices
from the queue mentioned above.

==105052==ERROR: AddressSanitizer: heap-use-after-free on address
0x60400001c418 at pc 0x55775caf1846 bp 0x7ffc83d9fb90 sp 0x7ffc83d9fb80
READ of size 8 at 0x60400001c418 thread T0
0 0x55775caf1845 in btd_service_get_device src/service.c:325
1 0x55775ca03da2 in short_lived_pa_sync profiles/audio/bap.c:2693
2 0x55775ca03da2 in pa_idle_timer profiles/audio/bap.c:1996

Vlad Pruteanu (1):
  bap: Remove entry of deleted device from bcast_pa_requests queue

 profiles/audio/bap.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

-- 
2.39.2



* [PATCH BlueZ 1/1] bap: Remove entry of deleted device from bcast_pa_requests queue
  2024-03-29 15:39 [PATCH BlueZ 0/1] bap: Remove entry of deleted device from bcast_pa_requests queue Vlad Pruteanu
@ 2024-03-29 15:40 ` Vlad Pruteanu
  2024-03-29 15:44   ` Luiz Augusto von Dentz
  2024-03-29 17:43   ` bluez.test.bot
  0 siblings, 2 replies; 4+ messages in thread
From: Vlad Pruteanu @ 2024-03-29 15:40 UTC (permalink / raw)
  To: linux-bluetooth
  Cc: mihai-octavian.urzica, silviu.barbulescu, iulia.tanasescu,
	andrei.istodorescu, luiz.dentz, Vlad Pruteanu

Currently, if a Broadcast Source device is removed, its entry in
bcast_pa_requests remains active. Thus, if the removal is done before
short_lived_pa_sync is called, crashes such as the one listed below
can occur. This patch fixes this by removing the deleted devices
from the queue mentioned above.

==105052==ERROR: AddressSanitizer: heap-use-after-free on address
0x60400001c418 at pc 0x55775caf1846 bp 0x7ffc83d9fb90 sp 0x7ffc83d9fb80
READ of size 8 at 0x60400001c418 thread T0
0 0x55775caf1845 in btd_service_get_device src/service.c:325
1 0x55775ca03da2 in short_lived_pa_sync profiles/audio/bap.c:2693
2 0x55775ca03da2 in pa_idle_timer profiles/audio/bap.c:1996
---
 profiles/audio/bap.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/profiles/audio/bap.c b/profiles/audio/bap.c
index 52a9f5e00..8953e9a57 100644
--- a/profiles/audio/bap.c
+++ b/profiles/audio/bap.c
@@ -2907,12 +2907,23 @@ static int bap_bcast_probe(struct btd_service *service)
 	return 0;
 }
 
+static bool remove_service(const void *data, const void *match_data)
+{
+	struct bap_bcast_pa_req *pa_req = (struct bap_bcast_pa_req *)data;
+
+	if (pa_req->type == BAP_PA_SHORT_REQ &&
+		pa_req->data.service == match_data)
+		return true;
+	return false;
+}
+
 static void bap_bcast_remove(struct btd_service *service)
 {
 	struct btd_device *device = btd_service_get_device(service);
 	struct bap_data *data;
 	char addr[18];
 
+	queue_remove_if(bcast_pa_requests, remove_service, service);
 	ba2str(device_get_address(device), addr);
 	DBG("%s", addr);
 
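Review bot: the result of queue_remove_if() in bap_bcast_remove() is discarded, and nothing in this hunk frees the bap_bcast_pa_req that was taken off bcast_pa_requests, so if the queue held the only reference to that allocation it leaks here. queue_remove_if() also stops at the first match; if a service can have more than one BAP_PA_SHORT_REQ queued, the later entries would still point at the removed service. Consider queue_remove_all() with a destroy callback, or freeing the returned entry, and add a one-line comment saying that the purge has to happen before the rest of the teardown.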
-- 
2.39.2
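The lifetime rule behind this fix, as a standalone model added here (not BlueZ code and not part of the patch): a global list of deferred requests borrows pointers to services, so removal must purge the list before the service is freed. All names (`struct service`, `struct pa_req`, `req_purge`, `service_remove`, `timer_fire`) are hypothetical, and unlike the patch the purge removes and frees every matching entry.

```c
#include <stdlib.h>

struct service { int id; };	/* hypothetical stand-ins, not BlueZ types */
struct pa_req { struct service *service; struct pa_req *next; };
static struct pa_req *pending;	/* global list; entries borrow their service */

static void req_add(struct service *svc)
{
	struct pa_req *r = calloc(1, sizeof(*r));
	if (!r) abort();
	r->service = svc; r->next = pending; pending = r;
}

/* Unlink and free every request that borrows svc; returns how many. */
static unsigned int req_purge(const struct service *svc)
{
	unsigned int n = 0;
	for (struct pa_req **link = &pending, *r; (r = *link); ) {
		if (r->service == svc) { *link = r->next; free(r); n++; }
		else link = &r->next;
	}
	return n;
}

static unsigned int service_remove(struct service *svc)
{
	unsigned int n = req_purge(svc);	/* drop the borrowers first */
	free(svc);				/* only then free the object */
	return n;
}

/* Deferred handler (the timer callback's role): dereferences each entry. */
static int timer_fire(void)
{
	int sum = 0;
	for (struct pa_req *r = pending; r; r = r->next) sum += r->service->id;
	return sum;
}

/* Constructed scenario: a is removed before the timer runs. */
static int demo(void)
{
	struct service *a = calloc(1, sizeof(*a)), *b = calloc(1, sizeof(*b));
	if (!a || !b) abort();
	a->id = 1; b->id = 2; req_add(a); req_add(a); req_add(b);
	if (service_remove(a) != 2) return -1;	/* both of a's entries purged */
	int sum = timer_fire();			/* only b's entry is left */
	return service_remove(b) == 1 ? sum : -1;
}
int main(void) { return demo() == 2 ? 0 : 1; }
```

Without the `req_purge()` call in `service_remove()`, `timer_fire()` would read freed memory, which is the situation the AddressSanitizer report in the commit message shows.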



* Re: [PATCH BlueZ 1/1] bap: Remove entry of deleted device from bcast_pa_requests queue
  2024-03-29 15:40 ` [PATCH BlueZ 1/1] " Vlad Pruteanu
@ 2024-03-29 15:44   ` Luiz Augusto von Dentz
  2024-03-29 17:43   ` bluez.test.bot
  1 sibling, 0 replies; 4+ messages in thread
From: Luiz Augusto von Dentz @ 2024-03-29 15:44 UTC (permalink / raw)
  To: Vlad Pruteanu
  Cc: linux-bluetooth, mihai-octavian.urzica, silviu.barbulescu,
	iulia.tanasescu, andrei.istodorescu

Hi Vlad,

On Fri, Mar 29, 2024 at 11:40 AM Vlad Pruteanu <vlad.pruteanu@nxp.com> wrote:
>
> Currently, if a Broadcast Source device is removed, its entry in
> bcast_pa_requests remains active. Thus, if the removal is done before
> short_lived_pa_sync is called, crashes such as the one listed below
> can occur. This patch fixes this by removing the deleted devices
> from the queue mentioned above.

Actually we need to redesign these; the list should be per adapter,
not global as it is currently, and we probably should stop doing the
enumeration if the user stops scanning.

> ==105052==ERROR: AddressSanitizer: heap-use-after-free on address
> 0x60400001c418 at pc 0x55775caf1846 bp 0x7ffc83d9fb90 sp 0x7ffc83d9fb80
> READ of size 8 at 0x60400001c418 thread T0
> 0 0x55775caf1845 in btd_service_get_device src/service.c:325
> 1 0x55775ca03da2 in short_lived_pa_sync profiles/audio/bap.c:2693
> 2 0x55775ca03da2 in pa_idle_timer profiles/audio/bap.c:1996
> ---
>  profiles/audio/bap.c | 11 +++++++++++
>  1 file changed, 11 insertions(+)
>
> diff --git a/profiles/audio/bap.c b/profiles/audio/bap.c
> index 52a9f5e00..8953e9a57 100644
> --- a/profiles/audio/bap.c
> +++ b/profiles/audio/bap.c
> @@ -2907,12 +2907,23 @@ static int bap_bcast_probe(struct btd_service *service)
>         return 0;
>  }
>
> +static bool remove_service(const void *data, const void *match_data)
> +{
> +       struct bap_bcast_pa_req *pa_req = (struct bap_bcast_pa_req *)data;
> +
> +       if (pa_req->type == BAP_PA_SHORT_REQ &&
> +               pa_req->data.service == match_data)
> +               return true;
> +       return false;
> +}
> +
>  static void bap_bcast_remove(struct btd_service *service)
>  {
>         struct btd_device *device = btd_service_get_device(service);
>         struct bap_data *data;
>         char addr[18];
>
> +       queue_remove_if(bcast_pa_requests, remove_service, service);
>         ba2str(device_get_address(device), addr);
>         DBG("%s", addr);
>
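Review bot: remove_service() matches only BAP_PA_SHORT_REQ entries, so requests of any other type stay on bcast_pa_requests when the device goes away; a comment should say why those cannot reference state released by bap_bcast_remove(), or the predicate should cover them as well. Smaller points in the same function: the cast `(struct bap_bcast_pa_req *)data` drops the const qualifier and could be `const struct bap_bcast_pa_req *pa_req = data;`, and since this is a match predicate rather than something that removes, a name such as match_service would read better.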
> --
> 2.39.2
>


-- 
Luiz Augusto von Dentz


* RE: bap: Remove entry of deleted device from bcast_pa_requests queue
  2024-03-29 15:40 ` [PATCH BlueZ 1/1] " Vlad Pruteanu
  2024-03-29 15:44   ` Luiz Augusto von Dentz
@ 2024-03-29 17:43   ` bluez.test.bot
  1 sibling, 0 replies; 4+ messages in thread
From: bluez.test.bot @ 2024-03-29 17:43 UTC (permalink / raw)
  To: linux-bluetooth, vlad.pruteanu


This is an automated email. Please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=839813

---Test result---

Test Summary:
CheckPatch                    PASS      0.46 seconds
GitLint                       PASS      0.33 seconds
BuildEll                      PASS      24.86 seconds
BluezMake                     PASS      1704.97 seconds
MakeCheck                     PASS      13.69 seconds
MakeDistcheck                 PASS      179.83 seconds
CheckValgrind                 PASS      250.94 seconds
CheckSmatch                   PASS      359.17 seconds
bluezmakeextell               PASS      121.78 seconds
IncrementalBuild              PASS      1491.25 seconds
ScanBuild                     PASS      1022.71 seconds



---
Regards,
Linux Bluetooth

