From: Luiz Augusto von Dentz
Date: Mon, 23 Mar 2020 23:04:48 -0700
Subject: Re: [Bluez PATCH v2] avdtp: Fix crashes in avdtp_abort
To: Howard Chung
Cc: "linux-bluetooth@vger.kernel.org", Luiz Augusto Von Dentz, ChromeOS Bluetooth Upstreaming
In-Reply-To: <20200324112129.Bluez.v2.1.I6c78c0eb9826eb17c944c4903132ee75c1324136@changeid>

Hi Howard,

On Mon, Mar 23, 2020 at 8:28 PM Howard Chung wrote:
>
> In avdtp_abort, if setup->stream is NULL, trying to access
> stream->lsep will crash.
> ---
>
> Changes in v2:
> - Remove variable 'sep'
>
> profiles/audio/avdtp.c | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/profiles/audio/avdtp.c b/profiles/audio/avdtp.c > index 0e075f9ff..aabc5ce51 100644 > --- a/profiles/audio/avdtp.c > +++ b/profiles/audio/avdtp.c > @@ -3566,7 +3566,6 @@ int avdtp_abort(struct avdtp *session, struct avdtp_stream *stream) > { > struct seid_req req; > int ret; > - struct avdtp_local_sep *sep = stream->lsep; > > if (!stream && session->discover) { > /* Don't call cb since it being aborted */
> @@ -3581,7 +3580,7 @@ int avdtp_abort(struct avdtp *session, struct avdtp_stream *stream) > if (stream->lsep->state == AVDTP_STATE_ABORTING) > return -EINVAL; > > - avdtp_sep_set_state(session, sep, AVDTP_STATE_ABORTING); > + avdtp_sep_set_state(session, stream->lsep, AVDTP_STATE_ABORTING); > > if (session->req && stream == session->req->stream) > return cancel_request(session, ECANCELED);
> --
> 2.25.1.696.g5e7596f4ac-goog

Applied, thanks.

--
Luiz Augusto von Dentz
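
Review bot: The commit message describes the crash in terms of `setup->stream`, but in the first hunk the dereference being removed is of the `stream` parameter (`struct avdtp_local_sep *sep = stream->lsep;`), which ran before the `if (!stream && session->discover)` check just below it. Reword the message in terms of `stream` and name the caller that passes NULL, so the log matches the code being changed.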
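
Review bot: In the second hunk, `stream->lsep->state` and the new `stream->lsep` argument are reached without any NULL test visible in the patch: the only guard shown, `if (!stream && session->discover)` in the first hunk, does not return when `stream` is NULL and `session->discover` is unset. Confirm that the lines between the two hunks reject a NULL `stream` on that path, or add an explicit `if (!stream) return -EINVAL;` ahead of this block.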