2023-01-23 21:32:17

by Luiz Augusto von Dentz

Subject: [PATCH BlueZ 1/2] shared/bap: Fix not detaching streams when PAC is removed

From: Luiz Augusto von Dentz <[email protected]>

When a local PAC is removed we attempt to release the streams but leave
them still attached to the endpoint, so this makes sure the stream is
properly detached by setting its state to idle.

Fixes: https://github.com/bluez/bluez/issues/457
---
src/shared/bap.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/shared/bap.c b/src/shared/bap.c
index db7def7999b7..4ba65cbaa8f9 100644
--- a/src/shared/bap.c
+++ b/src/shared/bap.c
@@ -2478,8 +2478,10 @@ static void remove_streams(void *data, void *user_data)
struct bt_bap_stream *stream;

stream = queue_remove_if(bap->streams, match_stream_lpac, pac);
- if (stream)
+ if (stream) {
bt_bap_stream_release(stream, NULL, NULL);
+ stream_set_state(stream, BT_BAP_STREAM_STATE_IDLE);
+ }
}

bool bt_bap_remove_pac(struct bt_bap_pac *pac)
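Review bot: the new stream_set_state(stream, BT_BAP_STREAM_STATE_IDLE) call runs right after bt_bap_stream_release(stream, NULL, NULL) on a stream that queue_remove_if has already taken out of bap->streams, so the IDLE transition is delivered to the state callbacks for a stream the queue no longer tracks; please confirm that bt_bap_stream_release does not itself transition or free the stream (a second IDLE transition would notify the profile twice, and a freed stream would be a use-after-free), and add a one-line comment above the call saying that the explicit IDLE transition is what detaches the stream from its endpoint, since that intent currently lives only in the commit message.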
--
2.37.3

2023-01-23 21:32:19

by Luiz Augusto von Dentz

Subject: [PATCH BlueZ 2/2] bap: Fix not setting stream to NULL

From: Luiz Augusto von Dentz <[email protected]>

If the stream state is idle, ep->stream shall be set to NULL; otherwise
it may be reused, causing the following trace:

==32623==ERROR: AddressSanitizer: heap-use-after-free on address ...
READ of size 8 at 0x60b000103550 thread T0
#0 0x7bf7b7 in bap_stream_valid src/shared/bap.c:4065
#1 0x7bf981 in bt_bap_stream_config src/shared/bap.c:4082
#2 0x51a7c8 in bap_config profiles/audio/bap.c:584
#3 0x71b907 in queue_foreach src/shared/queue.c:207
#4 0x51b61f in select_cb profiles/audio/bap.c:626
#5 0x4691ed in pac_select_cb profiles/audio/media.c:884
#6 0x4657ea in endpoint_reply profiles/audio/media.c:369

Fixes: https://github.com/bluez/bluez/issues/457#issuecomment-1399232486
---
profiles/audio/bap.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/profiles/audio/bap.c b/profiles/audio/bap.c
index ae944b617bb4..8f24117681d2 100644
--- a/profiles/audio/bap.c
+++ b/profiles/audio/bap.c
@@ -998,9 +998,10 @@ static void bap_state(struct bt_bap_stream *stream, uint8_t old_state,
switch (new_state) {
case BT_BAP_STREAM_STATE_IDLE:
/* Release stream if idle */
- if (ep)
+ if (ep) {
bap_io_close(ep);
- else
+ ep->stream = NULL;
+ } else
queue_remove(data->streams, stream);
break;
case BT_BAP_STREAM_STATE_CONFIG:
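Review bot: the braces in the IDLE case are now unbalanced between the two branches: `} else` is followed by an unbraced `queue_remove(data->streams, stream);`, and once one branch of an if/else is braced the other should be as well, so suggest `} else {` / `queue_remove(data->streams, stream);` / `}`. Separately, worth a second look: when ep is set the stream is closed and ep->stream is cleared, but queue_remove(data->streams, stream) runs only in the else branch, so an idle stream that had an endpoint stays in data->streams; if that is intended (the stream is expected to be reconfigured later), a short comment saying so would save the next reader from the same question.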
--
2.37.3


2023-01-23 22:55:14

by bluez.test.bot

Subject: RE: [BlueZ,1/2] shared/bap: Fix not detaching streams when PAC is removed

This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=714905

---Test result---

Test Summary:
CheckPatch PASS 1.04 seconds
GitLint PASS 0.69 seconds
BuildEll PASS 30.05 seconds
BluezMake PASS 950.84 seconds
MakeCheck PASS 12.74 seconds
MakeDistcheck PASS 165.14 seconds
CheckValgrind PASS 272.77 seconds
CheckSmatch PASS 367.49 seconds
bluezmakeextell PASS 112.71 seconds
IncrementalBuild PASS 1569.53 seconds
ScanBuild PASS 1132.55 seconds

---
Regards,
Linux Bluetooth