2023-02-05 16:47:34

by Pauli Virtanen

Subject: [PATCH BlueZ] shared/bap: fix crash unregistering media endpoint while streaming

The following ASAN crash is observed when the media endpoint is unregistered
(stopping the sound server) while streaming from a remote BAP client:

ERROR: AddressSanitizer: heap-use-after-free on address 0x60b0000474d8
READ of size 8 at 0x60b0000474d8 thread T0
#0 0x7a27c6 in stream_set_state src/shared/bap.c:1227
#1 0x7aff61 in remove_streams src/shared/bap.c:2483
#2 0x71d2d0 in queue_foreach src/shared/queue.c:207
#3 0x7b0152 in bt_bap_remove_pac src/shared/bap.c:2501
#4 0x463cda in media_endpoint_destroy profiles/audio/media.c:179
...
0x60b0000474d8 is located 8 bytes inside of 112-byte region
freed by thread T0 here:
#0 0x7f93b12b9388 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xb9388)
#1 0x7a0504 in bap_stream_free src/shared/bap.c:972
#2 0x7a0800 in bap_stream_detach src/shared/bap.c:989
#3 0x7a26d1 in bap_stream_state_changed src/shared/bap.c:1208
#4 0x7a2ab4 in stream_set_state src/shared/bap.c:1252
#5 0x7ab18a in stream_release src/shared/bap.c:1985
#6 0x7c6919 in bt_bap_stream_release src/shared/bap.c:4572
#7 0x7aff50 in remove_streams src/shared/bap.c:2482
...
previously allocated by thread T0 here:
#0 0x7f93b12ba6af in __interceptor_malloc (/lib64/libasan.so.8+0xba6af)
#1 0x71e9ae in util_malloc src/shared/util.c:43
#2 0x79c2f5 in bap_stream_new src/shared/bap.c:766
#3 0x7a4863 in ep_config src/shared/bap.c:1446
#4 0x7a4f22 in ascs_config src/shared/bap.c:1481
...

When stream->client is false, bt_bap_stream_release already sets the
stream to idle and frees it.

Fix the crash by not setting the state to idle a second time in this
case.
---

Notes:
Crash seen when testing BlueZ at commit 67395a3b357d.

src/shared/bap.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/shared/bap.c b/src/shared/bap.c
index 22f2e6714..812fba4c8 100644
--- a/src/shared/bap.c
+++ b/src/shared/bap.c
@@ -2479,8 +2479,11 @@ static void remove_streams(void *data, void *user_data)

stream = queue_remove_if(bap->streams, match_stream_lpac, pac);
if (stream) {
+ bool client = stream->client;
+
bt_bap_stream_release(stream, NULL, NULL);
- stream_set_state(stream, BT_BAP_STREAM_STATE_IDLE);
+ if (client)
+ stream_set_state(stream, BT_BAP_STREAM_STATE_IDLE);
}
}

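Review bot: the snapshot `bool client = stream->client;` is only correct if bt_bap_stream_release() leaves a client stream allocated while freeing a non-client one, and nothing in the hunk says so; add a one-line comment above the `if (client)` (for example "release frees non-client streams; only a client stream is still valid here") so a later cleanup does not fold it back into reading stream->client after the call. Having bt_bap_stream_release() report whether the stream survived would remove the caller's need to know this, but the comment is the minimum.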
--
2.39.1
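As an added illustration (not BlueZ code, and not from this patch or its author), the C model below reproduces the ordering problem the commit message describes. The struct, the function names and the quarantine allocator are constructed for the example; the real bt_bap_stream has many more fields and bap_stream_state_changed() does far more than free. The quarantine plays the role of ASAN: a freed stream is only marked freed and stays mapped until drained, so the pre-patch ordering's stale access is counted instead of being undefined behaviour.

```c
#include <stdbool.h>
#include <stdlib.h>

enum stream_state { STATE_IDLE, STATE_CONFIG, STATE_STREAMING };
enum { MAGIC_LIVE = 0x4c495645, MAGIC_FREED = 0x44454144 };

/* Hypothetical stand-in for struct bt_bap_stream: only the fields the fix touches. */
struct stream {
	unsigned magic;			/* plays the role of ASAN's shadow memory */
	bool client;			/* true when the local side is the BAP client */
	enum stream_state state;
};

/* Constructed quarantine: freed streams stay mapped until drained, so a stale
 * access is counted rather than being undefined behaviour. */
#define QUARANTINE_MAX 16
static struct stream *quarantine[QUARANTINE_MAX];
static int quarantine_len;
static int uaf_hits;			/* accesses to a stream already freed */

static struct stream *stream_new(bool client, enum stream_state state)
{
	struct stream *s = calloc(1, sizeof(*s));

	if (!s)
		abort();
	s->magic = MAGIC_LIVE;
	s->client = client;
	s->state = state;
	return s;
}

static void stream_free(struct stream *s)
{
	s->magic = MAGIC_FREED;
	if (quarantine_len < QUARANTINE_MAX)
		quarantine[quarantine_len++] = s;
	else
		free(s);
}

static void quarantine_drain(void)
{
	while (quarantine_len > 0)
		free(quarantine[--quarantine_len]);
}

/* Models stream_set_state() + bap_stream_state_changed(): entering IDLE detaches
 * and frees a non-client (server side) stream, the path in the ASAN trace. */
static void stream_set_state(struct stream *s, enum stream_state state)
{
	if (s->magic != MAGIC_LIVE) {
		uaf_hits++;		/* ASAN would report heap-use-after-free here */
		return;
	}
	s->state = state;
	if (state == STATE_IDLE && !s->client)
		stream_free(s);
}

/* Models bt_bap_stream_release(): the release ends in the IDLE transition. */
static void stream_release(struct stream *s)
{
	stream_set_state(s, STATE_IDLE);
}

/* Pre-patch ordering: touches the stream after release may have freed it. */
static void remove_stream_buggy(struct stream *s)
{
	stream_release(s);
	stream_set_state(s, STATE_IDLE);
}

/* Patched ordering: snapshot the flag first; only a client stream survives release. */
static void remove_stream_fixed(struct stream *s)
{
	bool client = s->client;

	stream_release(s);
	if (client)
		stream_set_state(s, STATE_IDLE);
}

/* Runs one removal and returns how many freed-stream accesses it made. */
static int uaf_count(bool client, bool fixed)
{
	struct stream *s = stream_new(client, STATE_STREAMING);
	int before = uaf_hits;

	if (fixed)
		remove_stream_fixed(s);
	else
		remove_stream_buggy(s);
	if (client)
		stream_free(s);		/* client streams outlive release; their owner frees them */
	quarantine_drain();
	return uaf_hits - before;
}
```

uaf_count(false, false) is the crashing case from the trace (server-side stream, old ordering) and returns 1; the patched ordering and both client-stream runs return 0. The general lesson the model makes visible is that any callee which may free its argument must either say so (a return value) or be followed only by code that read what it needs beforehand, which is exactly what the `bool client` snapshot does.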



2023-02-05 18:13:37

by bluez.test.bot

Subject: RE: [BlueZ] shared/bap: fix crash unregistering media endpoint while streaming

This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=718927

---Test result---

Test Summary:
CheckPatch          FAIL      0.89 seconds
GitLint             PASS      0.27 seconds
BuildEll            PASS     26.96 seconds
BluezMake           PASS    950.69 seconds
MakeCheck           PASS     11.26 seconds
MakeDistcheck       PASS    148.56 seconds
CheckValgrind       PASS    243.93 seconds
CheckSmatch         PASS    324.61 seconds
bluezmakeextell     PASS     96.97 seconds
IncrementalBuild    PASS    809.84 seconds
ScanBuild           PASS   1007.16 seconds

Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
[BlueZ] shared/bap: fix crash unregistering media endpoint while streaming
WARNING:COMMIT_LOG_LONG_LINE: Possible unwrapped commit description (prefer a maximum 75 chars per line)
#60:
#0 0x7f93b12b9388 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xb9388)

/github/workspace/src/src/13129108.patch total: 0 errors, 1 warnings, 12 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.

/github/workspace/src/src/13129108.patch has style problems, please review.

NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPDX_LICENSE_TAG SPLIT_STRING SSCANF_TO_KSTRTO

NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.




---
Regards,
Linux Bluetooth