From patchwork Mon Jan 23 21:32:11 2023
X-Patchwork-Submitter: Luiz Augusto von Dentz
X-Patchwork-Id: 13113057
From: Luiz Augusto von Dentz
To: linux-bluetooth@vger.kernel.org
Subject: [PATCH BlueZ 1/2] shared/bap: Fix not detaching streams when PAC is removed
Date: Mon, 23 Jan 2023 13:32:11 -0800
Message-Id: <20230123213212.3187747-1-luiz.dentz@gmail.com>

When local PAC is removed we attempt to release the streams but we left it still attached to the endpoint, so this makes sure the stream is properly detached by setting its state to idle.

Fixes: https://github.com/bluez/bluez/issues/457
--- src/shared/bap.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/shared/bap.c b/src/shared/bap.c index db7def7999b7..4ba65cbaa8f9 100644 --- a/src/shared/bap.c +++ b/src/shared/bap.c
@@ -2478,8 +2478,10 @@ static void remove_streams(void *data, void *user_data) struct bt_bap_stream *stream; stream = queue_remove_if(bap->streams, match_stream_lpac, pac); - if (stream) + if (stream) { bt_bap_stream_release(stream, NULL, NULL); + stream_set_state(stream, BT_BAP_STREAM_STATE_IDLE); + } } bool bt_bap_remove_pac(struct bt_bap_pac *pac)

From patchwork Mon Jan 23 21:32:12 2023
X-Patchwork-Submitter: Luiz Augusto von Dentz
X-Patchwork-Id: 13113058
From: Luiz Augusto von Dentz
To: linux-bluetooth@vger.kernel.org
Subject: [PATCH BlueZ 2/2] bap: Fix not setting stream to NULL
Date: Mon, 23 Jan 2023 13:32:12 -0800
Message-Id: <20230123213212.3187747-2-luiz.dentz@gmail.com>
In-Reply-To: <20230123213212.3187747-1-luiz.dentz@gmail.com>
References: <20230123213212.3187747-1-luiz.dentz@gmail.com>

If the stream state is idle the ep->stream shall be set to NULL otherwise it may be reused causing the following trace:

==32623==ERROR: AddressSanitizer: heap-use-after-free on address ...
READ of size 8 at 0x60b000103550 thread T0
    #0 0x7bf7b7 in bap_stream_valid src/shared/bap.c:4065
    #1 0x7bf981 in bt_bap_stream_config src/shared/bap.c:4082
    #2 0x51a7c8 in bap_config profiles/audio/bap.c:584
    #3 0x71b907 in queue_foreach src/shared/queue.c:207
    #4 0x51b61f in select_cb profiles/audio/bap.c:626
    #5 0x4691ed in pac_select_cb profiles/audio/media.c:884
    #6 0x4657ea in endpoint_reply profiles/audio/media.c:369

Fixes: https://github.com/bluez/bluez/issues/457#issuecomment-1399232486
--- profiles/audio/bap.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/profiles/audio/bap.c b/profiles/audio/bap.c index ae944b617bb4..8f24117681d2 100644 --- a/profiles/audio/bap.c +++ b/profiles/audio/bap.c @@ -998,9 +998,10 @@ static void bap_state(struct bt_bap_stream *stream, uint8_t old_state, switch (new_state) { case BT_BAP_STREAM_STATE_IDLE: /* Release stream if idle */ - if (ep) + if (ep) { bap_io_close(ep); - else + ep->stream = NULL; + } else queue_remove(data->streams, stream); break; case BT_BAP_STREAM_STATE_CONFIG:
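
Review bot: On patch 1/2, in remove_streams() in src/shared/bap.c, the added stream_set_state(stream, BT_BAP_STREAM_STATE_IDLE) dereferences stream immediately after bt_bap_stream_release(stream, NULL, NULL), and nothing visible in the hunk guarantees the stream is still alive at that point or that release has not already moved it to idle. Since this series is fixing a heap-use-after-free, please confirm that release cannot free the stream or fire the idle transition synchronously (which would make this a second idle transition on the same object), and add a short comment above the new call saying why the explicit transition is needed. The stream has also already been taken out of bap->streams by queue_remove_if() before either call, so it is worth checking that the idle handling does not expect to find it in that queue. The return value of bt_bap_stream_release() is ignored; if a failed release needs different handling than a successful one, branch on it before forcing the state.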
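
Review bot: On patch 2/2, in the BT_BAP_STREAM_STATE_IDLE case of bap_state() in profiles/audio/bap.c, ep->stream is cleared unconditionally, without checking that it still points at the stream whose state change is being reported. If ep can already have been given a different stream by the time this callback runs, the assignment drops a live pointer; guarding it with a comparison such as "if (ep->stream == stream)" would make the intent explicit, or a comment could state why the two are always the same here. Style: the if branch now has braces while the else branch does not; brace both branches so the pair reads consistently. Note also that this only clears the pointer when the idle callback is delivered, so the fix relies on every path that frees a stream going through the idle state first, which is what patch 1/2 adds for the PAC removal path.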