bap: Fix crash on unexpected disconnect

If an unexpected disconnect happens while bt_bap_config is pending the
following trace can be observed, to fix it bt_bap_config is reworked so
it no longer attempts to create and config the stream in place, instead
it just return the new stream and the function is renamed to
bt_bap_stream_new:

Invalid write of size 4
   at 0x3980D8: config_cb (bap.c:395)
   by 0x4DF5A3: bap_req_complete (bap.c:3471)
   by 0x4E9D33: bap_req_detach (bap.c:3807)
   by 0x4E9D33: bt_bap_detach (bap.c:3819)
   by 0x4E9D33: bt_bap_detach (bap.c:3810)
   by 0x397AA9: bap_disconnect (bap.c:1342)
   by 0x4223E0: btd_service_disconnect (service.c:305)
   by 0x4974D8F: g_slist_foreach (in /usr/lib64/libglib-2.0.so.0.7200.3)
   by 0x438FC3: att_disconnected_cb (device.c:5160)
   by 0x49A6C6: queue_foreach (queue.c:207)
   by 0x4B463B: disconnect_cb (att.c:701)
   by 0x5054DF: watch_callback (io-glib.c:157)
   by 0x495BFAE: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.7200.3)
   by 0x49B12C7: ??? (in /usr/lib64/libglib-2.0.so.0.7200.3)
 Address 0x6576940 is 96 bytes inside a block of size 112 free'd
   at 0x48480E4: free (vg_replace_malloc.c:872)
   by 0x48F78D: remove_interface (object.c:660)
   by 0x490489: g_dbus_unregister_interface (object.c:1394)
   by 0x397BA8: ep_remove (bap.c:1330)
   by 0x49ACF4: queue_remove_if (queue.c:279)
   by 0x49B0AC: queue_remove_all (queue.c:321)
   by 0x397A7C: bap_disconnect (bap.c:1339)
   by 0x4223E0: btd_service_disconnect (service.c:305)
   by 0x4974D8F: g_slist_foreach (in /usr/lib64/libglib-2.0.so.0.7200.3)
   by 0x438FC3: att_disconnected_cb (device.c:5160)
   by 0x49A6C6: queue_foreach (queue.c:207)
   by 0x4B463B: disconnect_cb (att.c:701)
 Block was alloc'd at
   at 0x484586F: malloc (vg_replace_malloc.c:381)
   by 0x49B432: util_malloc (util.c:43)
   by 0x39A1D9: ep_register (bap.c:563)
   by 0x39A1D9: pac_found (bap.c:664)
   by 0x4E5FEA: bap_foreach_pac (bap.c:3980)
   by 0x4EA437: bap_notify_ready (bap.c:2736)
   by 0x4EA437: bap_idle (bap.c:3711)
   by 0x4B52F0: idle_notify (gatt-client.c:171)
   by 0x49ACF4: queue_remove_if (queue.c:279)
   by 0x49B0AC: queue_remove_all (queue.c:321)
   by 0x4C092C: notify_client_idle (gatt-client.c:180)
   by 0x4C092C: request_unref (gatt-client.c:199)
   by 0x4AACB5: destroy_att_send_op (att.c:209)
   by 0x4B2B88: handle_rsp (att.c:862)
   by 0x4B2B88: can_read_data (att.c:1052)
   by 0x5054DF: watch_callback (io-glib.c:157)

1 files changed, 12 insertions, 16 deletions

diff --git a/profiles/audio/bap.c b/profiles/audio/bap.c
index b8c75f195..dfdf87255 100644
--- a/profiles/audio/bap.c
+++ b/profiles/audio/bap.c
@@ -466,15 +466,13 @@ static DBusMessage *set_configuration(DBusConnection *conn, DBusMessage *msg,
 	/* TODO: Check if stream capabilities match add support for Latency
 	 * and PHY.
 	 */
-	if (ep->stream)
-		ep->id = bt_bap_stream_config(ep->stream, &ep->qos, ep->caps,
-						config_cb, ep);
-	else
-		ep->stream = bt_bap_config(ep->data->bap, ep->lpac, ep->rpac,
-						&ep->qos, ep->caps,
-						config_cb, ep);
+	if (!ep->stream)
+		ep->stream = bt_bap_stream_new(ep->data->bap, ep->lpac,
+						ep->rpac, &ep->qos, ep->caps);
 
-	if (!ep->stream) {
+	ep->id = bt_bap_stream_config(ep->stream, &ep->qos, ep->caps,
+						config_cb, ep);
+	if (!ep->id) {
 		DBG("Unable to config stream");
 		free(ep->caps);
 		ep->caps = NULL;
@@ -604,15 +602,13 @@ static void bap_config(void *data, void *user_data)
 	/* TODO: Check if stream capabilities match add support for Latency
 	 * and PHY.
 	 */
-	if (ep->stream)
-		ep->id = bt_bap_stream_config(ep->stream, &ep->qos, ep->caps,
-						config_cb, ep);
-	else
-		ep->stream = bt_bap_config(ep->data->bap, ep->lpac, ep->rpac,
-						&ep->qos, ep->caps,
-						config_cb, ep);
+	if (!ep->stream)
+		ep->stream = bt_bap_stream_new(ep->data->bap, ep->lpac,
+						ep->rpac, &ep->qos, ep->caps);
 
-	if (!ep->stream) {
+	ep->id = bt_bap_stream_config(ep->stream, &ep->qos, ep->caps,
+						config_cb, ep);
+	if (!ep->id) {
 		DBG("Unable to config stream");
 		util_iov_free(ep->caps, 1);
 		ep->caps = NULL;