From patchwork Thu Jan 26 20:12:38 2023
X-Patchwork-Submitter: Luiz Augusto von Dentz
X-Patchwork-Id: 13117698
From: Luiz Augusto von Dentz
To: linux-bluetooth@vger.kernel.org
Subject: [PATCH v3 1/5] shared/bap: Fix not detaching streams when PAC is removed
Date: Thu, 26 Jan 2023 12:12:38 -0800
Message-Id: <20230126201242.4110305-1-luiz.dentz@gmail.com>

When local PAC is removed we attempt to release the streams but we left it still attached to the endpoint, so this makes sure the stream is properly detached by setting its state to idle.

Fixes: https://github.com/bluez/bluez/issues/457
--- src/shared/bap.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/shared/bap.c b/src/shared/bap.c index db7def7999b7..4ba65cbaa8f9 100644 --- a/src/shared/bap.c +++ b/src/shared/bap.c
@@ -2478,8 +2478,10 @@ static void remove_streams(void *data, void *user_data) struct bt_bap_stream *stream; stream = queue_remove_if(bap->streams, match_stream_lpac, pac); - if (stream) + if (stream) { bt_bap_stream_release(stream, NULL, NULL); + stream_set_state(stream, BT_BAP_STREAM_STATE_IDLE); + } } bool bt_bap_remove_pac(struct bt_bap_pac *pac)
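Review bot: In remove_streams(), stream_set_state(stream, BT_BAP_STREAM_STATE_IDLE) runs on the same pointer immediately after bt_bap_stream_release(stream, NULL, NULL), and nothing in the hunk shows that the stream is still valid once release has been called. If the release path can itself complete and drop the stream, or if the transition to idle frees it, this tears the same object down twice. A short comment stating who owns the stream after queue_remove_if() and why forcing IDLE here is safe would settle it.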
From: Luiz Augusto von Dentz
To: linux-bluetooth@vger.kernel.org
Subject: [PATCH v3 2/5] bap: Fix not setting stream to NULL
Date: Thu, 26 Jan 2023 12:12:39 -0800
Message-Id: <20230126201242.4110305-2-luiz.dentz@gmail.com>
In-Reply-To: <20230126201242.4110305-1-luiz.dentz@gmail.com>

If the stream state is idle the ep->stream shall be set to NULL otherwise it may be reused causing the following trace:

==32623==ERROR: AddressSanitizer: heap-use-after-free on address ...
READ of size 8 at 0x60b000103550 thread T0
    #0 0x7bf7b7 in bap_stream_valid src/shared/bap.c:4065
    #1 0x7bf981 in bt_bap_stream_config src/shared/bap.c:4082
    #2 0x51a7c8 in bap_config profiles/audio/bap.c:584
    #3 0x71b907 in queue_foreach src/shared/queue.c:207
    #4 0x51b61f in select_cb profiles/audio/bap.c:626
    #5 0x4691ed in pac_select_cb profiles/audio/media.c:884
    #6 0x4657ea in endpoint_reply profiles/audio/media.c:369

Fixes: https://github.com/bluez/bluez/issues/457#issuecomment-1399232486
--- profiles/audio/bap.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/profiles/audio/bap.c b/profiles/audio/bap.c index ae944b617bb4..8f24117681d2 100644 --- a/profiles/audio/bap.c +++ b/profiles/audio/bap.c
@@ -998,9 +998,10 @@ static void bap_state(struct bt_bap_stream *stream, uint8_t old_state, switch (new_state) { case BT_BAP_STREAM_STATE_IDLE: /* Release stream if idle */ - if (ep) + if (ep) { bap_io_close(ep); - else + ep->stream = NULL; + } else queue_remove(data->streams, stream); break; case BT_BAP_STREAM_STATE_CONFIG:
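Review bot: In the BT_BAP_STREAM_STATE_IDLE case of bap_state() the if branch now carries braces while the else branch, written as "} else queue_remove(data->streams, stream);", does not. Kernel-style code braces both branches once either one needs them, and doing so here keeps a later second statement under else from silently falling outside it in code whose whole purpose is to avoid a stale ep->stream.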
From: Luiz Augusto von Dentz
To: linux-bluetooth@vger.kernel.org
Subject: [PATCH v3 3/5] bap: Fix not removing endpoint if local PAC is unregistered
Date: Thu, 26 Jan 2023 12:12:40 -0800
Message-Id: <20230126201242.4110305-3-luiz.dentz@gmail.com>
In-Reply-To: <20230126201242.4110305-1-luiz.dentz@gmail.com>

If local PAC is unregistered it would also notify via pac_removed callback which shall unregister the endpoint D-Bus object.

Fixes: https://github.com/bluez/bluez/issues/457#issuecomment-1402178691
--- profiles/audio/bap.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/profiles/audio/bap.c b/profiles/audio/bap.c index 8f24117681d2..5a50a2cc6105 100644 --- a/profiles/audio/bap.c +++ b/profiles/audio/bap.c @@ -1049,12 +1049,12 @@ static void pac_added(struct bt_bap_pac *pac, void *user_data) bt_bap_foreach_pac(data->bap, BT_BAP_SINK, pac_found, service); } -static bool ep_match_rpac(const void *data, const void *match_data) +static bool ep_match_pac(const void *data, const void *match_data) { const struct bap_ep *ep = data; const struct bt_bap_pac *pac = match_data; - return ep->rpac == pac; + return ep->rpac == pac || ep->lpac == pac; } static void pac_removed(struct bt_bap_pac *pac, void *user_data)
@@ -1082,7 +1082,7 @@ static void pac_removed(struct bt_bap_pac *pac, void *user_data) return; } - ep = queue_remove_if(queue, ep_match_pac, pac); + ep = queue_remove_if(queue, ep_match_pac, pac); if (!ep) return;
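Review bot: In pac_removed() the call ep = queue_remove_if(queue, ep_match_pac, pac) takes a single endpoint out of the queue, but ep_match_pac() now also matches on ep->lpac, and endpoints are created per lpac/rpac pair. If more than one endpoint in the queue references the removed local PAC, the others stay registered with a pointer to a PAC that is going away. Loop until queue_remove_if() returns NULL, or remove every match in one pass, and say in the commit message which case is expected.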
From: Luiz Augusto von Dentz
To: linux-bluetooth@vger.kernel.org
Subject: [PATCH v3 4/5] bap: Fix not checking if request fits when grouping
Date: Thu, 26 Jan 2023 12:12:41 -0800
Message-Id: <20230126201242.4110305-4-luiz.dentz@gmail.com>
In-Reply-To: <20230126201242.4110305-1-luiz.dentz@gmail.com>

When grouping requests with the same opcode the code was queueing them without attempting to check that that would fit in the ATT MTU causing the following trace:

stack-buffer-overflow on address 0x7fffdba951f0 at pc 0x7fc15fc49d21 bp 0x7fffdba95020 sp 0x7fffdba947d0
WRITE of size 9 at 0x7fffdba951f0 thread T0
    #0 0x7fc15fc49d20 in __interceptor_memcpy (/lib64/libasan.so.8+0x49d20)
    #1 0x71f698 in util_iov_push_mem src/shared/util.c:266
    #2 0x7b9312 in append_group src/shared/bap.c:3424
    #3 0x71ba01 in queue_foreach src/shared/queue.c:207
    #4 0x7b9b66 in bap_send src/shared/bap.c:3459
    #5 0x7ba594 in bap_process_queue src/shared/bap.c:351

Fixes: https://github.com/bluez/bluez/issues/457#issuecomment-1403924708
--- src/shared/bap.c | 41 ++++++++++++++++++++++++++++++++++------- 1 file changed, 34 insertions(+), 7 deletions(-) diff --git a/src/shared/bap.c b/src/shared/bap.c index 4ba65cbaa8f9..22f2e67146fb 100644 --- a/src/shared/bap.c +++ b/src/shared/bap.c @@ -3425,20 +3425,34 @@ static void append_group(void *data, void *user_data) req->iov[i].iov_base); } +static uint16_t bap_req_len(struct bt_bap_req *req) +{ + uint16_t len = 0; + size_t i; + const struct queue_entry *e; + + for (i = 0; i < req->len; i++) + len += req->iov[i].iov_len; + + e = queue_get_entries(req->group); + for (; e; e = e->next) + len += bap_req_len(e->data); + + return len; +} + static bool bap_send(struct bt_bap *bap, struct bt_bap_req *req) { struct bt_ascs *ascs = bap_get_ascs(bap); int ret; uint16_t handle; - uint8_t buf[64]; struct bt_ascs_ase_hdr hdr; - struct iovec iov = { - .iov_base = buf, - .iov_len = 0, - }; + struct iovec iov; size_t i; - DBG(bap, "req %p", req); + iov.iov_len = sizeof(hdr) + bap_req_len(req); + + DBG(bap, "req %p len %u", req, iov.iov_len); if (!gatt_db_attribute_get_char_data(ascs->ase_cp, NULL, &handle, NULL, NULL, NULL)) {
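Review bot: bap_req_len() accumulates the size_t iov_len values, and the recursive group lengths, into a uint16_t, so a total above 65535 wraps and bap_send() then sizes its buffer from the wrapped value in iov.iov_len = sizeof(hdr) + bap_req_len(req). Accumulate in size_t and fail on overflow, or stop as soon as the running total exceeds the MTU. The new DBG() line also prints iov.iov_len, which is a size_t, with %u; it should be %zu.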
@@ -3446,6 +3460,9 @@ static bool bap_send(struct bt_bap *bap, struct bt_bap_req *req) return false; } + iov.iov_base = alloca(iov.iov_len); + iov.iov_len = 0; + hdr.op = req->op; hdr.num = 1 + queue_length(req->group); 
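Review bot: iov.iov_base = alloca(iov.iov_len) in bap_send() replaces the fixed 64-byte buffer with a stack allocation whose size comes from the queued request, and alloca() has no failure return, so this function now depends entirely on its callers having bounded the length. Check iov.iov_len against the ATT MTU here as well, or allocate from the heap and free on every exit path. Resetting iov.iov_len to 0 on the next line also discards the capacity, so the code that fills the buffer has nothing to check its writes against.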
@@ -3531,9 +3548,19 @@ static bool bap_queue_req(struct bt_bap *bap, struct bt_bap_req *req) { struct bt_bap_req *pend; struct queue *queue; + struct bt_att *att = bt_bap_get_att(bap); + uint16_t mtu = bt_att_get_mtu(att); + uint16_t len = 2 + bap_req_len(req); + + if (len > mtu) { + DBG(bap, "Unable to queue request: req len %u > %u mtu", len, + mtu); + return false; + } pend = queue_find(bap->reqs, match_req, req); - if (pend) { + /* Check if req can be grouped together and it fits in the MTU */ + if (pend && (bap_req_len(pend) + len < mtu)) { if (!pend->group) pend->group = queue_new(); /* Group requests with the same opcode */
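Review bot: In bap_queue_req() the header size is the literal 2 in uint16_t len = 2 + bap_req_len(req), while bap_send() uses sizeof(hdr); use the sizeof in both places so the two cannot drift apart. The two limits also disagree at the boundary: a lone request is accepted when len == mtu, but grouping requires bap_req_len(pend) + len < mtu. If the request goes out as a single ATT write, the opcode and handle take 3 bytes of the MTU, so the bound should probably be mtu - 3 in both checks. The result of bt_bap_get_att(bap) is passed to bt_att_get_mtu() without a NULL check.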
From: Luiz Augusto von Dentz
To: linux-bluetooth@vger.kernel.org
Subject: [PATCH v3 5/5] bap: Fix registering multiple endpoint for the same PAC set
Date: Thu, 26 Jan 2023 12:12:42 -0800
Message-Id: <20230126201242.4110305-5-luiz.dentz@gmail.com>
In-Reply-To: <20230126201242.4110305-1-luiz.dentz@gmail.com>

This makes sure there is only one endpoint representing a local and remote PAC set.
--- profiles/audio/bap.c | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/profiles/audio/bap.c b/profiles/audio/bap.c index 5a50a2cc6105..e5ffb7230580 100644 --- a/profiles/audio/bap.c +++ b/profiles/audio/bap.c @@ -510,6 +510,22 @@ static void ep_free(void *data) free(ep); } +struct match_ep { + struct bt_bap_pac *lpac; + struct bt_bap_pac *rpac; +}; + +static bool match_ep(const void *data, const void *user_data) +{ + const struct bap_ep *ep = data; + const struct match_ep *match = user_data; + + if (ep->lpac != match->lpac) + return false; + + return ep->rpac == match->rpac; +} + static struct bap_ep *ep_register(struct btd_service *service, struct bt_bap_pac *lpac, struct bt_bap_pac *rpac) @@ -520,6 +536,7 @@ static struct bap_ep *ep_register(struct btd_service *service, struct queue *queue; int i, err; const char *suffix; + struct match_ep match = { lpac, rpac }; switch (bt_bap_pac_get_type(rpac)) { case BT_BAP_SINK: @@ -536,6 +553,10 @@ static struct bap_ep *ep_register(struct btd_service *service, return NULL; } + ep = queue_find(queue, match_ep, &match); + if (ep) + return ep; + ep = new0(struct bap_ep, 1); ep->data = data; ep->lpac = lpac;
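Review bot: In the last hunk of ep_register(), the new "if (ep) return ep;" hands back an endpoint that is already in the queue through the same return path as a freshly created one, so any caller that treats a non-NULL result as new will repeat its setup on an existing object. Add a comment that the function is now find-or-create and check the callers for that assumption. In the first hunk, struct match_ep and the function match_ep() share a name, and struct match_ep match = { lpac, rpac } would be more robust with designated initializers.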