This patch fixes crashes at Broadcast Sink cleanup.
I reproduced the crashes with the following setup:
[bluetooth]# endpoint.register 00001851-0000-1000-8000-00805f9b34fb 0x06
[bluetooth]# scan on
[NEW] Endpoint /org/bluez/hci0/dev_XX_XX_XX_XX_XX_XX/pac_bcast0
[bluetooth]# endpoint.config /org/bluez/hci0/dev_XX_XX_XX_XX_XX_XX/pac_bcast0 /local/endpoint/ep0 16_2_1
[NEW] Transport /org/bluez/hci12/dev_XX_XX_XX_XX_XX_XX/pac_bcast0/fd0
...
[CHG] Transport /org/bluez/hci12/dev_XX_XX_XX_XX_XX_XX/pac_bcast0/fd0
State: active
[bluetooth]# scan off
Iulia Tanasescu (3):
shared/bap: Properly cleanup bap remote endpoints
bap: Fix incorrect parsing of caps and meta in parse_base
bap: Remove incorrect assignment of listen io
profiles/audio/bap.c | 41 +++++++++++++++++++++++++----------------
src/shared/bap.c | 12 +++++++++++-
2 files changed, 36 insertions(+), 17 deletions(-)
base-commit: a692cc44dc8735b9303f8893f784306b4d2654fe
--
2.39.2
When freeing a remote bap endpoint, the endpoint reference inside the
stream should be set to NULL, to avoid later use after free errors.
---
src/shared/bap.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/shared/bap.c b/src/shared/bap.c
index 851d6a5fa..60fb826c3 100644
--- a/src/shared/bap.c
+++ b/src/shared/bap.c
@@ -2979,6 +2979,16 @@ static void bap_state_free(void *data)
free(state);
}
+static void bap_ep_free(void *data)
+{
+ struct bt_bap_endpoint *ep = data;
+
+ if (ep && ep->stream)
+ ep->stream->ep = NULL;
+
+ free(ep);
+}
+
static void bap_detached(void *data, void *user_data)
{
struct bt_bap_cb *cb = data;
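Review bot: bap_ep_free() clears ep->stream->ep with no comment recording why, and the commit message is the only place that explains the dangling back-reference; a one-line comment above `ep->stream->ep = NULL;` saying the stream can outlive its endpoint would help the next reader. The `if (ep && ep->stream)` guard is fine since free(NULL) is a no-op, but it does not verify `ep->stream->ep == ep`, so if a stream could ever be rebound to a different endpoint this would null a still-valid pointer; adding that condition makes the invalidation exact.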
@@ -3001,7 +3011,7 @@ static void bap_free(void *data)
queue_destroy(bap->ready_cbs, bap_ready_free);
queue_destroy(bap->state_cbs, bap_state_free);
queue_destroy(bap->local_eps, free);
- queue_destroy(bap->remote_eps, free);
+ queue_destroy(bap->remote_eps, bap_ep_free);
queue_destroy(bap->reqs, bap_req_free);
queue_destroy(bap->notify, NULL);
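Review bot: `queue_destroy(bap->local_eps, free);` directly above the changed line keeps the plain `free` destructor; if a local endpoint can also be referenced from a stream's `ep` field it has the same dangling-pointer problem that bap_ep_free now fixes for remote_eps. Either confirm that local endpoints are never bound to a stream at this point or use bap_ep_free for both queues.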
--
2.39.2
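The commit message above describes a dangling back-reference: a stream keeps a pointer to its endpoint, and freeing the endpoint without clearing that pointer leaves a use-after-free for any later access. The following is an added example, not BlueZ code, that models the pair of structs with hypothetical `endpoint`/`stream` types and a stand-in for `queue_destroy()`, and shows a destructor that invalidates the back-reference before freeing, so a consumer can test the pointer for NULL instead of touching freed memory.

```c
/* Added example (not BlueZ code): a stream and an endpoint point at each
 * other, as bt_bap_stream and bt_bap_endpoint do.  Destroying the endpoint
 * with plain free() leaves stream->ep dangling; endpoint_free() clears the
 * back-reference first. */
#include <stdlib.h>
#include <stdbool.h>

struct stream;

struct endpoint {
    struct stream *stream;   /* forward reference */
    int id;
};

struct stream {
    struct endpoint *ep;     /* back-reference that must be invalidated */
    bool active;
};

/* Destructor for a queue_destroy()-style API.  The extra "== ep" test is a
 * stricter variant than the patch: only clear the pointer if it really
 * refers to the endpoint being freed. */
static void endpoint_free(void *data)
{
    struct endpoint *ep = data;

    if (ep && ep->stream && ep->stream->ep == ep)
        ep->stream->ep = NULL;

    free(ep);
}

/* Minimal stand-in for queue_destroy(queue, destroy). */
static void destroy_all(struct endpoint **eps, size_t n, void (*destroy)(void *))
{
    for (size_t i = 0; i < n; i++)
        destroy(eps[i]);
}

/* Safe consumer: tolerates an endpoint that has already gone away. */
static int stream_endpoint_id(const struct stream *s)
{
    return s->ep ? s->ep->id : -1;
}

/* Bind one stream to one endpoint, destroy the endpoint list with the
 * given destructor, and report what the stream sees afterwards. */
static int after_destroy(void (*destroy)(void *))
{
    struct stream s = { .ep = NULL, .active = true };
    struct endpoint *ep = calloc(1, sizeof(*ep));
    struct endpoint *eps[1] = { ep };

    ep->id = 7;
    ep->stream = &s;
    s.ep = ep;
    destroy_all(eps, 1, destroy);
    return stream_endpoint_id(&s);   /* -1 with endpoint_free */
}
```

Calling `after_destroy(free)` instead would read `s.ep` after it has been freed, which is exactly the use-after-free the patch removes and which AddressSanitizer reports as a heap-use-after-free.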
Hello:
This series was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <[email protected]>:
On Fri, 2 Feb 2024 16:10:33 +0200 you wrote:
> This patch fixes crashes at Broadcast Sink cleanup.
>
> I reproduced the crashes with the following setup:
>
> [bluetooth]# endpoint.register 00001851-0000-1000-8000-00805f9b34fb 0x06
>
> [bluetooth]# scan on
> [NEW] Endpoint /org/bluez/hci0/dev_XX_XX_XX_XX_XX_XX/pac_bcast0
>
> [...]
Here is the summary with links:
- [BlueZ,1/3] shared/bap: Properly cleanup bap remote endpoints
https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=29dee7b54303
- [BlueZ,2/3] bap: Fix incorrect parsing of caps and meta in parse_base
https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=35032a6075c5
- [BlueZ,3/3] bap: Remove incorrect assignment of listen io
https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=05efcccdcc5e
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=822537
---Test result---
Test Summary:
CheckPatch PASS 1.36 seconds
GitLint PASS 0.97 seconds
BuildEll PASS 24.14 seconds
BluezMake PASS 735.14 seconds
MakeCheck PASS 11.36 seconds
MakeDistcheck PASS 162.88 seconds
CheckValgrind PASS 226.40 seconds
CheckSmatch PASS 327.49 seconds
bluezmakeextell PASS 107.14 seconds
IncrementalBuild PASS 2114.75 seconds
ScanBuild PASS 936.54 seconds
---
Regards,
Linux Bluetooth