| Message ID | faff5310d5070cf3a64e364b3159672e696625b6.1712951445.git.pav@iki.fi (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | d3a6a6459cbda91693106fb8d43de319b334a3a4 |
| Headers | show |
| Series | [BlueZ,1/2] shared/bap: clean up requests for a stream before freeing it | expand |
| Context | Check | Description |
|---|---|---|
| tedd_an/pre-ci_am | success | Success |
| tedd_an/CheckPatch | success | CheckPatch PASS |
| tedd_an/GitLint | success | Gitlint PASS |
| tedd_an/IncrementalBuild | success | Incremental Build PASS |
diff --git a/profiles/audio/bap.c b/profiles/audio/bap.c index 30049f0fb..ff6d6d881 100644 --- a/profiles/audio/bap.c +++ b/profiles/audio/bap.c @@ -879,9 +879,22 @@ static struct bap_setup *setup_new(struct bap_ep *ep) static void setup_free(void *data) { struct bap_setup *setup = data; + DBusMessage *reply; DBG("%p", setup); + if (setup->stream && setup->id) { + bt_bap_stream_cancel(setup->stream, setup->id); + setup->id = 0; + } + + if (setup->msg) { + reply = btd_error_failed(setup->msg, "Canceled"); + g_dbus_send_message(btd_get_dbus_connection(), reply); + dbus_message_unref(setup->msg); + setup->msg = NULL; + } + if (setup->ep) queue_remove(setup->ep->setups, setup);
Before freeing setup, cancel any ongoing stream operations, and indicate failure for pending DBus replies. Fixes: ======================================================================= ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000004758 WRITE of size 4 at 0x60d000004758 thread T0 #0 0x557159 in qos_cb profiles/audio/bap.c:753 #1 0x89c38f in bap_req_complete src/shared/bap.c:1191 #2 0x8cb7fc in bap_req_detach src/shared/bap.c:4789 #3 0x8cb9bb in bt_bap_detach src/shared/bap.c:4801 #4 0x571e25 in bap_disconnect profiles/audio/bap.c:3011 ... freed by thread T0 here: #1 0x558f2b in setup_free profiles/audio/bap.c:890 #2 0x7f34e8 in queue_remove_all src/shared/queue.c:341 #3 0x7f0105 in queue_destroy src/shared/queue.c:60 #4 0x55cdc8 in ep_free profiles/audio/bap.c:1167 ======================================================================= --- profiles/audio/bap.c | 13 +++++++++++++ 1 file changed, 13 insertions(+)