| Message ID | be8d0573d2fb7f326439c79e4bc07b7bb30cc9f7.1676499415.git.pav@iki.fi (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | 5d347b54714e0f2d750253be09b68b0c3119dd0a |
| Headers | show |
| Series | [BlueZ,v2,1/3] audio/transport: add media_transport_get_stream method for transports | expand |
| Context | Check | Description |
|---|---|---|
| tedd_an/pre-ci_am | success | Success |
| tedd_an/CheckPatch | warning | WARNING:COMMIT_LOG_LONG_LINE: Possible unwrapped commit description (prefer a maximum 75 chars per line) #67: #0 0x7eff644b9388 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xb9388) /github/workspace/src/src/13142252.patch total: 0 errors, 1 warnings, 12 lines checked NOTE: For some of the reported defects, checkpatch may be able to mechanically convert to the typical style using --fix or --fix-inplace. /github/workspace/src/src/13142252.patch has style problems, please review. NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPDX_LICENSE_TAG SPLIT_STRING SSCANF_TO_KSTRTO NOTE: If any of the errors are false positives, please report them to the maintainer, see CHECKPATCH in MAINTAINERS. |
| tedd_an/GitLint | fail | WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search 34: B2 Line has trailing whitespace: " " |
| tedd_an/IncrementalBuild | success | Incremental Build PASS |
diff --git a/profiles/audio/media.c b/profiles/audio/media.c index b722278ba..326e50a09 100644 --- a/profiles/audio/media.c +++ b/profiles/audio/media.c @@ -1003,6 +1003,12 @@ static void pac_config_cb(struct media_endpoint *endpoint, void *ret, int size, { struct pac_config_data *data = user_data; gboolean *ret_value = ret; + struct media_transport *transport; + + /* If transport was cleared, configuration was cancelled */ + transport = find_transport(endpoint, data->stream); + if (!transport) + return; data->cb(data->stream, ret_value ? 0 : -EINVAL); }
Don't call configuration callback if stream's transport was cleared in the meantime. The clear callback is called just before the stream is freed. Fixes ASAN crash on disconnect while waiting for SetConfiguration DBus reply: ERROR: AddressSanitizer: heap-use-after-free on address 0x60b00002eb90 READ of size 8 at 0x60b00002eb90 thread T0 #0 0x7a4892 in bap_stream_config_cfm_cb src/shared/bap.c:3201 #1 0x4688fb in pac_config_cb profiles/audio/media.c:1010 #2 0x462164 in media_endpoint_cancel profiles/audio/media.c:157 #3 0x462243 in media_endpoint_cancel_all profiles/audio/media.c:165 #4 0x46365b in clear_endpoint profiles/audio/media.c:297 #5 0x463a21 in endpoint_reply profiles/audio/media.c:325 ... freed by thread T0 here: #0 0x7eff644b9388 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xb9388) #1 0x78d8cc in bap_stream_free src/shared/bap.c:974 #2 0x78dbc8 in bap_stream_detach src/shared/bap.c:991 #3 0x78fa43 in bap_stream_state_changed src/shared/bap.c:1210 #4 0x78fe26 in stream_set_state src/shared/bap.c:1254 #5 0x7ab5ce in stream_foreach_detach src/shared/bap.c:3820 #6 0x70ce06 in queue_foreach src/shared/queue.c:207 #7 0x7ab942 in bt_bap_detach src/shared/bap.c:3836 #8 0x51da7a in bap_disconnect profiles/audio/bap.c:1342 #9 0x626e57 in btd_service_disconnect src/service.c:305 --- Notes: Reproducer: Make sound server delay its SetConfiguration response, and disconnect device before DBus timeout is reached. profiles/audio/media.c | 6 ++++++ 1 file changed, 6 insertions(+)