From: Pauli Virtanen <pav@iki.fi>
To: linux-bluetooth@vger.kernel.org
Cc: Pauli Virtanen <pav@iki.fi>
Subject: [PATCH BlueZ 2/2] bap: cancel stream operation before freeing setup
Date: Fri, 12 Apr 2024 22:55:56 +0300
Message-ID: <faff5310d5070cf3a64e364b3159672e696625b6.1712951445.git.pav@iki.fi>
In-Reply-To: <d52ddf4759720a2879677fca0129d3fd1a32dda0.1712951445.git.pav@iki.fi>

Before freeing setup, cancel any ongoing stream operations, and indicate
failure for pending DBus replies.

Fixes:
=======================================================================
ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000004758
WRITE of size 4 at 0x60d000004758 thread T0
    #0 0x557159 in qos_cb profiles/audio/bap.c:753
    #1 0x89c38f in bap_req_complete src/shared/bap.c:1191
    #2 0x8cb7fc in bap_req_detach src/shared/bap.c:4789
    #3 0x8cb9bb in bt_bap_detach src/shared/bap.c:4801
    #4 0x571e25 in bap_disconnect profiles/audio/bap.c:3011
    ...
freed by thread T0 here:
    #1 0x558f2b in setup_free profiles/audio/bap.c:890
    #2 0x7f34e8 in queue_remove_all src/shared/queue.c:341
    #3 0x7f0105 in queue_destroy src/shared/queue.c:60
    #4 0x55cdc8 in ep_free profiles/audio/bap.c:1167
=======================================================================
---
 profiles/audio/bap.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/profiles/audio/bap.c b/profiles/audio/bap.c
index 30049f0fb..ff6d6d881 100644
--- a/profiles/audio/bap.c
+++ b/profiles/audio/bap.c
@@ -879,9 +879,22 @@ static struct bap_setup *setup_new(struct bap_ep *ep)
 static void setup_free(void *data)
 {
 	struct bap_setup *setup = data;
+	DBusMessage *reply;
 
 	DBG("%p", setup);
 
+	if (setup->stream && setup->id) {
+		bt_bap_stream_cancel(setup->stream, setup->id);
+		setup->id = 0;
+	}
+
+	if (setup->msg) {
+		reply = btd_error_failed(setup->msg, "Canceled");
+		g_dbus_send_message(btd_get_dbus_connection(), reply);
+		dbus_message_unref(setup->msg);
+		setup->msg = NULL;
+	}
+
 	if (setup->ep)
 		queue_remove(setup->ep->setups, setup);
 
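Review bot: the ordering of the cancel and the `setup->id = 0` assignment in the first added block deserves a second look: `bt_bap_stream_cancel(setup->stream, setup->id)` is called while `setup->id` is still set, so if the cancel path ever completes the request synchronously (the trace shows `qos_cb` being reached from `bap_req_complete`), the callback would observe a still-pending id on a setup that is in the middle of being freed. Copying the id into a local, clearing `setup->id` first, and then calling cancel with the local closes that window at no cost. It would also help to say in the commit message which path the cancel actually breaks, i.e. that a cancelled request is no longer completed by `bap_req_detach` when `bt_bap_detach` runs later, since that is what stops the use-after-free shown above rather than the freeing order itself. The "Canceled" reply block looks right: it replies before `dbus_message_unref` and nulls `setup->msg`, so a later callback cannot reply twice.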
-- 
2.44.0


Thread overview: 5+ messages
2024-04-12 19:55 [PATCH BlueZ 1/2] shared/bap: clean up requests for a stream before freeing it Pauli Virtanen
2024-04-12 19:55 ` Pauli Virtanen [this message]
2024-04-12 22:04 ` [BlueZ,1/2] " bluez.test.bot
2024-04-16 15:16 ` [PATCH BlueZ 1/2] " Luiz Augusto von Dentz
2024-04-16 15:40 ` patchwork-bot+bluetooth