* [RESEND PATCH BlueZ] shared/bap: fix crash unregistering media endpoint while streaming
@ 2023-02-23 17:17 Pauli Virtanen
From: Pauli Virtanen @ 2023-02-23 17:17 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: Pauli Virtanen

The following ASAN crash is observed when the media endpoint is unregistered
(stopping the sound server) while streaming from a remote BAP client:

ERROR: AddressSanitizer: heap-use-after-free on address 0x60b0000474d8
READ of size 8 at 0x60b0000474d8 thread T0
    #0 0x7a27c6 in stream_set_state src/shared/bap.c:1227
    #1 0x7aff61 in remove_streams src/shared/bap.c:2483
    #2 0x71d2d0 in queue_foreach src/shared/queue.c:207
    #3 0x7b0152 in bt_bap_remove_pac src/shared/bap.c:2501
    #4 0x463cda in media_endpoint_destroy profiles/audio/media.c:179
    ...
0x60b0000474d8 is located 8 bytes inside of 112-byte region
freed by thread T0 here:
    #0 0x7f93b12b9388 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xb9388)
    #1 0x7a0504 in bap_stream_free src/shared/bap.c:972
    #2 0x7a0800 in bap_stream_detach src/shared/bap.c:989
    #3 0x7a26d1 in bap_stream_state_changed src/shared/bap.c:1208
    #4 0x7a2ab4 in stream_set_state src/shared/bap.c:1252
    #5 0x7ab18a in stream_release src/shared/bap.c:1985
    #6 0x7c6919 in bt_bap_stream_release src/shared/bap.c:4572
    #7 0x7aff50 in remove_streams src/shared/bap.c:2482
    ...
previously allocated by thread T0 here:
    #0 0x7f93b12ba6af in __interceptor_malloc (/lib64/libasan.so.8+0xba6af)
    #1 0x71e9ae in util_malloc src/shared/util.c:43
    #2 0x79c2f5 in bap_stream_new src/shared/bap.c:766
    #3 0x7a4863 in ep_config src/shared/bap.c:1446
    #4 0x7a4f22 in ascs_config src/shared/bap.c:1481
    ...

When stream->client is false, bt_bap_stream_release already sets the
stream to idle and frees it.

Fix the crash by not setting the state to idle a second time in this
case.
---

Notes:
    Resend, in case this was missed.
    
    Crash seen when testing BlueZ at commit 67395a3b357d.
    Also occurs on current BlueZ master branch.

 src/shared/bap.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/shared/bap.c b/src/shared/bap.c
index f16ba1832..5601accde 100644
--- a/src/shared/bap.c
+++ b/src/shared/bap.c
@@ -2480,8 +2480,11 @@ static void remove_streams(void *data, void *user_data)
 
 	stream = queue_remove_if(bap->streams, match_stream_lpac, pac);
 	if (stream) {
+		bool client = stream->client;
+
 		bt_bap_stream_release(stream, NULL, NULL);
-		stream_set_state(stream, BT_BAP_STREAM_STATE_IDLE);
+		if (client)
+			stream_set_state(stream, BT_BAP_STREAM_STATE_IDLE);
 	}
 }
 
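Review bot: reading stream->client into a local before the bt_bap_stream_release() call is the right order, since the commit message says that call frees non-client streams, but the guard encodes a callee ownership rule at one call site; any other caller of bt_bap_stream_release() that touches the stream afterwards has the same use-after-free. Moving the IDLE transition for detached streams into bt_bap_stream_release() itself would cover every caller. At minimum, a one-line comment above `if (client)` saying that the stream is already freed in the other case would help the next reader.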
-- 
2.39.2



* RE: [RESEND,BlueZ] shared/bap: fix crash unregistering media endpoint while streaming
From: bluez.test.bot @ 2023-02-23 18:40 UTC (permalink / raw)
  To: linux-bluetooth, pav


This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=724414

---Test result---

Test Summary:
CheckPatch                    FAIL      0.66 seconds
GitLint                       FAIL      0.60 seconds
BuildEll                      PASS      27.17 seconds
BluezMake                     PASS      983.76 seconds
MakeCheck                     PASS      11.49 seconds
MakeDistcheck                 PASS      149.49 seconds
CheckValgrind                 PASS      246.57 seconds
CheckSmatch                   PASS      328.45 seconds
bluezmakeextell               PASS      98.42 seconds
IncrementalBuild              PASS      830.64 seconds
ScanBuild                     PASS      1027.50 seconds

Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
[RESEND,BlueZ] shared/bap: fix crash unregistering media endpoint while streaming
WARNING:COMMIT_LOG_LONG_LINE: Possible unwrapped commit description (prefer a maximum 75 chars per line)
#60: 
    #0 0x7f93b12b9388 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xb9388)

/github/workspace/src/src/13150608.patch total: 0 errors, 1 warnings, 12 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

/github/workspace/src/src/13150608.patch has style problems, please review.

NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPDX_LICENSE_TAG SPLIT_STRING SSCANF_TO_KSTRTO

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.


##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
[RESEND,BlueZ] shared/bap: fix crash unregistering media endpoint while streaming

WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
1: T1 Title exceeds max length (81>80): "[RESEND,BlueZ] shared/bap: fix crash unregistering media endpoint while streaming"
42: B2 Line has trailing whitespace: "    "


---
Regards,
Linux Bluetooth



* Re: [RESEND PATCH BlueZ] shared/bap: fix crash unregistering media endpoint while streaming
From: Luiz Augusto von Dentz @ 2023-02-23 20:48 UTC (permalink / raw)
  To: Pauli Virtanen; +Cc: linux-bluetooth

Hi Pauli,

On Thu, Feb 23, 2023 at 9:29 AM Pauli Virtanen <pav@iki.fi> wrote:
>
> The following ASAN crash is observed when the media endpoint is unregistered
> (stopping the sound server) while streaming from a remote BAP client:
>
> ERROR: AddressSanitizer: heap-use-after-free on address 0x60b0000474d8
> READ of size 8 at 0x60b0000474d8 thread T0
>     #0 0x7a27c6 in stream_set_state src/shared/bap.c:1227
>     #1 0x7aff61 in remove_streams src/shared/bap.c:2483
>     #2 0x71d2d0 in queue_foreach src/shared/queue.c:207
>     #3 0x7b0152 in bt_bap_remove_pac src/shared/bap.c:2501
>     #4 0x463cda in media_endpoint_destroy profiles/audio/media.c:179
>     ...
> 0x60b0000474d8 is located 8 bytes inside of 112-byte region
> freed by thread T0 here:
>     #0 0x7f93b12b9388 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xb9388)
>     #1 0x7a0504 in bap_stream_free src/shared/bap.c:972
>     #2 0x7a0800 in bap_stream_detach src/shared/bap.c:989
>     #3 0x7a26d1 in bap_stream_state_changed src/shared/bap.c:1208
>     #4 0x7a2ab4 in stream_set_state src/shared/bap.c:1252
>     #5 0x7ab18a in stream_release src/shared/bap.c:1985
>     #6 0x7c6919 in bt_bap_stream_release src/shared/bap.c:4572
>     #7 0x7aff50 in remove_streams src/shared/bap.c:2482
>     ...
> previously allocated by thread T0 here:
>     #0 0x7f93b12ba6af in __interceptor_malloc (/lib64/libasan.so.8+0xba6af)
>     #1 0x71e9ae in util_malloc src/shared/util.c:43
>     #2 0x79c2f5 in bap_stream_new src/shared/bap.c:766
>     #3 0x7a4863 in ep_config src/shared/bap.c:1446
>     #4 0x7a4f22 in ascs_config src/shared/bap.c:1481
>     ...
>
> When stream->client is false, bt_bap_stream_release already sets the
> stream to idle and frees it.
>
> Fix the crash by not setting the state to idle a second time in this
> case.
> ---
>
> Notes:
>     Resend, in case this was missed.
>
>     Crash seen when testing BlueZ at commit 67395a3b357d.
>     Also occurs on current BlueZ master branch.
>
>  src/shared/bap.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/src/shared/bap.c b/src/shared/bap.c
> index f16ba1832..5601accde 100644
> --- a/src/shared/bap.c
> +++ b/src/shared/bap.c
> @@ -2480,8 +2480,11 @@ static void remove_streams(void *data, void *user_data)
>
>         stream = queue_remove_if(bap->streams, match_stream_lpac, pac);
>         if (stream) {
> +               bool client = stream->client;
> +
>                 bt_bap_stream_release(stream, NULL, NULL);
> -               stream_set_state(stream, BT_BAP_STREAM_STATE_IDLE);
> +               if (client)
> +                       stream_set_state(stream, BT_BAP_STREAM_STATE_IDLE);
>         }
>  }
>
> --
> 2.39.2


How about we do this inside bt_bap_stream_release:

diff --git a/src/shared/bap.c b/src/shared/bap.c
index f16ba1832aaa..49c521b1d9eb 100644
--- a/src/shared/bap.c
+++ b/src/shared/bap.c
@@ -2479,10 +2479,8 @@ static void remove_streams(void *data, void *user_data)
        struct bt_bap_stream *stream;

        stream = queue_remove_if(bap->streams, match_stream_lpac, pac);
-       if (stream) {
+       if (stream)
                bt_bap_stream_release(stream, NULL, NULL);
-               stream_set_state(stream, BT_BAP_STREAM_STATE_IDLE);
-       }
 }

 bool bt_bap_remove_pac(struct bt_bap_pac *pac)
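Review bot: with stream_set_state() removed here, remove_streams() now relies on bt_bap_stream_release() to idle and free a stream that queue_remove_if() has already detached from bap->streams on the line above; a short comment at the call site stating that stream must not be used after the call would make that contract visible to anyone extending this function later.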
@@ -4590,6 +4588,10 @@ unsigned int bt_bap_stream_release(struct
bt_bap_stream *stream,
                return 0;
        }

+       /* Check if stream still attached, otherwise consider it released */
+       if (!queue_find(stream->bap, NULL, stream))
+               stream_set_state(stream, BT_BAP_STREAM_STATE_IDLE);
+
        return req->id;
 }
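Review bot: two issues with the added check. First, queue_find() takes a queue as its first argument, while stream->bap is the parent bt_bap object (the same value bap_queue_req() receives as its bap argument elsewhere in this function); the intended container is presumably the bap's stream queue. Second, the IDLE transition runs after the release request has already been built from stream and queued (the hunk returns req->id right below), so when idling frees a detached stream the queued request keeps a pointer to freed memory. Doing the attachment check before the request is created, and either passing a NULL stream or returning before queuing a release for a stream that no longer exists, avoids the dangling pointer.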



-- 
Luiz Augusto von Dentz


* [PATCH BlueZ v2] shared/bap: fix crash unregistering media endpoint while streaming
From: Pauli Virtanen @ 2023-02-24 18:09 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: Pauli Virtanen

Always free BAP stream in bt_bap_stream_release if it is not attached to
a client session, simplifying the cleanup.

Fixes the following ASAN crash, observed when the media endpoint is
unregistered (stopping the sound server) while streaming from a remote BAP
client:

ERROR: AddressSanitizer: heap-use-after-free on address 0x60b0000474d8
READ of size 8 at 0x60b0000474d8 thread T0
    #0 0x7a27c6 in stream_set_state src/shared/bap.c:1227
    #1 0x7aff61 in remove_streams src/shared/bap.c:2483
    #2 0x71d2d0 in queue_foreach src/shared/queue.c:207
    #3 0x7b0152 in bt_bap_remove_pac src/shared/bap.c:2501
    #4 0x463cda in media_endpoint_destroy profiles/audio/media.c:179
    ...
0x60b0000474d8 is located 8 bytes inside of 112-byte region
freed by thread T0 here:
    #0 0x7f93b12b9388 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xb9388)
    #1 0x7a0504 in bap_stream_free src/shared/bap.c:972
    #2 0x7a0800 in bap_stream_detach src/shared/bap.c:989
    #3 0x7a26d1 in bap_stream_state_changed src/shared/bap.c:1208
    #4 0x7a2ab4 in stream_set_state src/shared/bap.c:1252
    #5 0x7ab18a in stream_release src/shared/bap.c:1985
    #6 0x7c6919 in bt_bap_stream_release src/shared/bap.c:4572
    #7 0x7aff50 in remove_streams src/shared/bap.c:2482
    ...
previously allocated by thread T0 here:
    #0 0x7f93b12ba6af in __interceptor_malloc (/lib64/libasan.so.8+0xba6af)
    #1 0x71e9ae in util_malloc src/shared/util.c:43
    #2 0x79c2f5 in bap_stream_new src/shared/bap.c:766
    #3 0x7a4863 in ep_config src/shared/bap.c:1446
    #4 0x7a4f22 in ascs_config src/shared/bap.c:1481
    ...
---

Notes:
    v2: move cleanup inside bt_bap_stream_release
    
    Following the suggestion, maybe like this then?
    
    The rule then is that bt_bap_stream_free frees the stream if it does not
    belong to a client session.
    
    The dangling stream pointer should not be put into req.

 src/shared/bap.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/src/shared/bap.c b/src/shared/bap.c
index f16ba1832..41b39f868 100644
--- a/src/shared/bap.c
+++ b/src/shared/bap.c
@@ -2479,10 +2479,8 @@ static void remove_streams(void *data, void *user_data)
 	struct bt_bap_stream *stream;
 
 	stream = queue_remove_if(bap->streams, match_stream_lpac, pac);
-	if (stream) {
+	if (stream)
 		bt_bap_stream_release(stream, NULL, NULL);
-		stream_set_state(stream, BT_BAP_STREAM_STATE_IDLE);
-	}
 }
 
 bool bt_bap_remove_pac(struct bt_bap_pac *pac)
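Review bot: the request id returned by bt_bap_stream_release() is discarded here, which is fine since no completion callback is passed, but for a server-side stream the pointer is dead once the call returns; nothing should ever be appended after this call without re-checking ownership, and a comment saying so would prevent that.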
@@ -4567,6 +4565,7 @@ unsigned int bt_bap_stream_release(struct bt_bap_stream *stream,
 	struct iovec iov;
 	struct bt_ascs_release rel;
 	struct bt_bap_req *req;
+	struct bt_bap *bap;
 
 	if (!stream)
 		return 0;
@@ -4583,9 +4582,17 @@ unsigned int bt_bap_stream_release(struct bt_bap_stream *stream,
 	iov.iov_base = &rel;
 	iov.iov_len = sizeof(rel);
 
+	bap = stream->bap;
+
+	/* If stream does not belong to a client session, clean it up now */
+	if (!bap_stream_valid(stream)) {
+		stream_set_state(stream, BT_BAP_STREAM_STATE_IDLE);
+		stream = NULL;
+	}
+
 	req = bap_req_new(stream, BT_ASCS_RELEASE, &iov, 1, func, user_data);
 
-	if (!bap_queue_req(stream->bap, req)) {
+	if (!bap_queue_req(bap, req)) {
 		bap_req_free(req);
 		return 0;
 	}
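Review bot: after the bap_stream_valid() branch, stream is NULL when bap_req_new() runs, so bap_req_new() and every consumer of req->stream (the queued request, the completion path that invokes func with user_data) must tolerate a NULL stream; none of that is visible in this hunk, so either stating it in the commit message or returning before bap_req_new() when the stream is gone (if a release request for a freed stream serves no purpose) would make the change self-evidently safe. The name bap_stream_valid() also reads as an integrity check while the comment above it says "does not belong to a client session"; a name that matches the comment would avoid confusion. Caching `bap = stream->bap` before the transition is correct, since stream_set_state() may free the stream.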
-- 
2.39.2

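The ownership rule behind both versions of this fix (the v1 commit message above, "bt_bap_stream_release already sets the stream to idle and frees it", and the v2 rule "bt_bap_stream_release frees the stream if it does not belong to a client session") modelled as an added C example. This is not BlueZ code: the types, the functions remove_v0/remove_v1/release_v2 and the quarantine flag are constructed for the illustration. It contrasts the original double transition, the v1 caller-side guard, and the v2 callee-owned transition, and counts accesses to a freed stream the way AddressSanitizer reported them in the trace.

```c
/*
 * Added example, not BlueZ code: a toy model of the ownership rule behind
 * this fix. A stream that is not attached to a client session is freed as a
 * side effect of entering IDLE (mirroring stream_set_state ->
 * bap_stream_state_changed -> bap_stream_detach -> bap_stream_free in the
 * ASAN trace), so the caller of the release routine must not touch it again.
 * Instead of calling free(), freed streams are parked in a quarantine so a
 * later access is counted rather than being undefined behaviour.
 */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

enum state { IDLE, STREAMING };

struct stream {
	bool client;      /* attached to a local client session */
	enum state state;
	bool freed;       /* quarantine flag standing in for free() */
};

struct outcome {
	int uaf;          /* accesses to a freed stream (what ASAN reported) */
	int frees;        /* how many times the stream was freed */
	bool nulled;      /* caller's pointer cleared by the callee */
};

static int uaf_count, free_count;

static void stream_set_state(struct stream *s, enum state st)
{
	if (s->freed) {   /* would be heap-use-after-free in the real code */
		uaf_count++;
		return;
	}
	s->state = st;
	if (st == IDLE && !s->client) {  /* server-side stream: idle means gone */
		s->freed = true;
		free_count++;
	}
}

/* Original code: release already idles (and frees) the stream, then the
 * caller idles it a second time. */
static void remove_v0(struct stream **sp)
{
	stream_set_state(*sp, IDLE);   /* inside release */
	stream_set_state(*sp, IDLE);   /* caller's second transition */
}

/* v1 shape: the caller reads the ownership flag before the call that may
 * free, and only repeats the transition for client-owned streams. */
static void remove_v1(struct stream **sp)
{
	bool client = (*sp)->client;

	stream_set_state(*sp, IDLE);
	if (client)
		stream_set_state(*sp, IDLE);
}

/* v2 shape: the callee owns the idle transition for detached streams and
 * clears the caller's pointer, so nothing downstream can store or reuse it. */
static void release_v2(struct stream **sp)
{
	struct stream *s = *sp;

	if (!s->client) {
		stream_set_state(s, IDLE);
		*sp = NULL;
	}
	/* a client-owned stream stays alive; its session idles it later */
}

/* Run one variant on a constructed stream and report what happened. */
static struct outcome run(void (*fn)(struct stream **), bool client)
{
	struct stream *s = malloc(sizeof(*s));   /* constructed sample stream */
	struct stream *p = s;
	struct outcome o;

	s->client = client;
	s->state = STREAMING;
	s->freed = false;
	uaf_count = free_count = 0;

	fn(&p);

	o.uaf = uaf_count;
	o.frees = free_count;
	o.nulled = (p == NULL);
	free(s);   /* the quarantine kept the real memory alive until now */
	return o;
}

int main(void)
{
	struct outcome a = run(remove_v0, false);
	struct outcome b = run(remove_v1, false);
	struct outcome c = run(release_v2, false);

	printf("v0 server stream: uaf=%d frees=%d\n", a.uaf, a.frees);
	printf("v1 server stream: uaf=%d frees=%d\n", b.uaf, b.frees);
	printf("v2 server stream: uaf=%d frees=%d nulled=%d\n",
	       c.uaf, c.frees, c.nulled);
	return 0;
}
```

Build with any C99 compiler and run: the v0 variant reports one access to a freed stream, v1 and v2 report none, and v2 additionally leaves the caller's pointer NULL so it cannot end up inside a later request. In the real code the detector is AddressSanitizer rather than a quarantine flag; the point the model makes is that whichever side performs the freeing transition should be the only side that needs to know about it.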


* RE: [BlueZ,v2] shared/bap: fix crash unregistering media endpoint while streaming
From: bluez.test.bot @ 2023-02-24 19:11 UTC (permalink / raw)
  To: linux-bluetooth, pav


This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=724727

---Test result---

Test Summary:
CheckPatch                    FAIL      0.96 seconds
GitLint                       FAIL      0.63 seconds
BuildEll                      PASS      26.04 seconds
BluezMake                     PASS      738.47 seconds
MakeCheck                     PASS      11.00 seconds
MakeDistcheck                 PASS      146.15 seconds
CheckValgrind                 PASS      238.35 seconds
CheckSmatch                   PASS      319.64 seconds
bluezmakeextell               PASS      95.26 seconds
IncrementalBuild              PASS      597.16 seconds
ScanBuild                     PASS      935.23 seconds

Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
[BlueZ,v2] shared/bap: fix crash unregistering media endpoint while streaming
WARNING:COMMIT_LOG_LONG_LINE: Possible unwrapped commit description (prefer a maximum 75 chars per line)
#68: 
    #0 0x7f93b12b9388 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xb9388)

/github/workspace/src/src/13151651.patch total: 0 errors, 1 warnings, 36 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

/github/workspace/src/src/13151651.patch has style problems, please review.

NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPDX_LICENSE_TAG SPLIT_STRING SSCANF_TO_KSTRTO

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.


##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
[BlueZ,v2] shared/bap: fix crash unregistering media endpoint while streaming

WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
40: B2 Line has trailing whitespace: "    "
42: B2 Line has trailing whitespace: "    "
45: B2 Line has trailing whitespace: "    "


---
Regards,
Linux Bluetooth



* Re: [PATCH BlueZ v2] shared/bap: fix crash unregistering media endpoint while streaming
From: patchwork-bot+bluetooth @ 2023-02-27 21:40 UTC (permalink / raw)
  To: Pauli Virtanen; +Cc: linux-bluetooth

Hello:

This patch was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Fri, 24 Feb 2023 18:09:46 +0000 you wrote:
> Always free BAP stream in bt_bap_stream_release if it is not attached to
> a client session, simplifying the cleanup.
> 
> Fixes the following ASAN crash, observed when the media endpoint is
> unregistered (stopping the sound server) while streaming from a remote BAP
> client:
> 
> [...]

Here is the summary with links:
  - [BlueZ,v2] shared/bap: fix crash unregistering media endpoint while streaming
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=fcdd38acf6b2

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



