In bt_bap_stream_release stream is accessed after free
ERROR: AddressSanitizer: heap-use-after-free on address
READ of size 8 at 0x60d0000001e0 thread T0
#0 0x556602a14ce0 in bt_bap_stream_release src/shared/bap.c:5423
#1 0x556602981292 in queue_foreach src/shared/queue.c:207
#2 0x556602a0712a in bt_bap_remove_pac src/shared/bap.c:3572
#3 0x5566026ca846 in media_endpoint_destroy profiles/audio/media.c:180
#4 0x5566026cdef9 in unregister_endpoint profiles/audio/media.c:1708
Silviu Florian Barbulescu (1):
shared/bap: Fix crash unreg bcast src endpoint
src/shared/bap.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
base-commit: a16c2ccf9c256285188f4549b7b767cf31b100eb
--
2.39.2
In bt_bap_stream_release stream is accessed after free
---
src/shared/bap.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/shared/bap.c b/src/shared/bap.c
index f5fc14027..626e8f127 100644
--- a/src/shared/bap.c
+++ b/src/shared/bap.c
@@ -5411,16 +5411,17 @@ unsigned int bt_bap_stream_release(struct bt_bap_stream *stream,
void *user_data)
{
unsigned int id;
+ struct bt_bap *bap = stream->bap;
if (!stream || !stream->ops || !stream->ops->release)
return 0;
- if (!bt_bap_ref_safe(stream->bap))
+ if (!bt_bap_ref_safe(bap))
return 0;
id = stream->ops->release(stream, func, user_data);
- bt_bap_unref(stream->bap);
+ bt_bap_unref(bap);
return id;
}
--
2.39.2
Hello:
This patch was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <[email protected]>:
On Fri, 23 Feb 2024 16:16:08 +0200 you wrote:
> In bt_bap_stream_release stream is accessed after free
> ERROR: AddressSanitizer: heap-use-after-free on address
> READ of size 8 at 0x60d0000001e0 thread T0
> #0 0x556602a14ce0 in bt_bap_stream_release src/shared/bap.c:5423
> #1 0x556602981292 in queue_foreach src/shared/queue.c:207
> #2 0x556602a0712a in bt_bap_remove_pac src/shared/bap.c:3572
> #3 0x5566026ca846 in media_endpoint_destroy profiles/audio/media.c:180
> #4 0x5566026cdef9 in unregister_endpoint profiles/audio/media.c:1708
>
> [...]
Here is the summary with links:
- [BlueZ,1/1] shared/bap: Fix crash unreg bcast src endpoint
https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=8f262a27bdf2
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=829116
---Test result---
Test Summary:
CheckPatch PASS 0.46 seconds
GitLint PASS 0.32 seconds
BuildEll PASS 23.94 seconds
BluezMake PASS 720.27 seconds
MakeCheck PASS 12.00 seconds
MakeDistcheck PASS 163.14 seconds
CheckValgrind PASS 225.71 seconds
CheckSmatch PASS 330.14 seconds
bluezmakeextell PASS 109.14 seconds
IncrementalBuild PASS 681.46 seconds
ScanBuild WARNING 956.79 seconds
Details
##############################
Test: ScanBuild - WARNING
Desc: Run Scan Build
Output:
src/shared/bap.c:1145:2: warning: Use of memory after it is freed
DBG(stream->bap, "stream %p", stream);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/bap.c:40:2: note: expanded from macro 'DBG'
bap_debug(_bap, "%s:%s() " fmt, __FILE__, __func__, ## arg)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/bap.c:1698:3: warning: Use of memory after it is freed
stream_set_state(stream, BT_BAP_STREAM_STATE_CONFIG);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2 warnings generated.
---
Regards,
Linux Bluetooth