author | Luiz Augusto von Dentz <luiz.von.dentz@intel.com> | 2023-03-02 11:56:36 -0800 |
---|---|---|
committer | Luiz Augusto von Dentz <luiz.von.dentz@intel.com> | 2023-03-02 12:57:32 -0800 |
commit | 57f15616abdef2a7a300018c9d32c723b2f9f743 (patch) | |
tree | 78ee6481a9431cc10b6361cdc5d600467af416be /src | |
parent | 07bd8e3a720af1ff7cee85d771dfd39065d5ac11 (diff) | |
bap: Fix crash on unexpected disconnect
If an unexpected disconnect happens while bt_bap_config is pending, the
following trace can be observed. To fix it, bt_bap_config is reworked so
it no longer attempts to create and configure the stream in place; instead
it just returns the new stream, and the function is renamed to
bt_bap_stream_new:
Invalid write of size 4
at 0x3980D8: config_cb (bap.c:395)
by 0x4DF5A3: bap_req_complete (bap.c:3471)
by 0x4E9D33: bap_req_detach (bap.c:3807)
by 0x4E9D33: bt_bap_detach (bap.c:3819)
by 0x4E9D33: bt_bap_detach (bap.c:3810)
by 0x397AA9: bap_disconnect (bap.c:1342)
by 0x4223E0: btd_service_disconnect (service.c:305)
by 0x4974D8F: g_slist_foreach (in /usr/lib64/libglib-2.0.so.0.7200.3)
by 0x438FC3: att_disconnected_cb (device.c:5160)
by 0x49A6C6: queue_foreach (queue.c:207)
by 0x4B463B: disconnect_cb (att.c:701)
by 0x5054DF: watch_callback (io-glib.c:157)
by 0x495BFAE: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.7200.3)
by 0x49B12C7: ??? (in /usr/lib64/libglib-2.0.so.0.7200.3)
Address 0x6576940 is 96 bytes inside a block of size 112 free'd
at 0x48480E4: free (vg_replace_malloc.c:872)
by 0x48F78D: remove_interface (object.c:660)
by 0x490489: g_dbus_unregister_interface (object.c:1394)
by 0x397BA8: ep_remove (bap.c:1330)
by 0x49ACF4: queue_remove_if (queue.c:279)
by 0x49B0AC: queue_remove_all (queue.c:321)
by 0x397A7C: bap_disconnect (bap.c:1339)
by 0x4223E0: btd_service_disconnect (service.c:305)
by 0x4974D8F: g_slist_foreach (in /usr/lib64/libglib-2.0.so.0.7200.3)
by 0x438FC3: att_disconnected_cb (device.c:5160)
by 0x49A6C6: queue_foreach (queue.c:207)
by 0x4B463B: disconnect_cb (att.c:701)
Block was alloc'd at
at 0x484586F: malloc (vg_replace_malloc.c:381)
by 0x49B432: util_malloc (util.c:43)
by 0x39A1D9: ep_register (bap.c:563)
by 0x39A1D9: pac_found (bap.c:664)
by 0x4E5FEA: bap_foreach_pac (bap.c:3980)
by 0x4EA437: bap_notify_ready (bap.c:2736)
by 0x4EA437: bap_idle (bap.c:3711)
by 0x4B52F0: idle_notify (gatt-client.c:171)
by 0x49ACF4: queue_remove_if (queue.c:279)
by 0x49B0AC: queue_remove_all (queue.c:321)
by 0x4C092C: notify_client_idle (gatt-client.c:180)
by 0x4C092C: request_unref (gatt-client.c:199)
by 0x4AACB5: destroy_att_send_op (att.c:209)
by 0x4B2B88: handle_rsp (att.c:862)
by 0x4B2B88: can_read_data (att.c:1052)
by 0x5054DF: watch_callback (io-glib.c:157)
Diffstat (limited to 'src')
-rw-r--r-- | src/shared/bap.c | 16 | ||||
-rw-r--r-- | src/shared/bap.h | 6 |
2 files changed, 4 insertions, 18 deletions
diff --git a/src/shared/bap.c b/src/shared/bap.c
index 3ebcd81f1..952b7be26 100644
--- a/src/shared/bap.c
+++ b/src/shared/bap.c
@@ -4176,18 +4176,15 @@ int bt_bap_select(struct bt_bap_pac *lpac, struct bt_bap_pac *rpac,
 return 0;
 }
-struct bt_bap_stream *bt_bap_config(struct bt_bap *bap,
+struct bt_bap_stream *bt_bap_stream_new(struct bt_bap *bap,
 struct bt_bap_pac *lpac,
 struct bt_bap_pac *rpac,
 struct bt_bap_qos *pqos,
- struct iovec *data,
- bt_bap_stream_func_t func,
- void *user_data)
+ struct iovec *data)
 {
 struct bt_bap_stream *stream;
 struct bt_bap_endpoint *ep;
 struct match_pac match;
- int id;
 if (!bap || !bap->rdb || queue_isempty(bap->remote_eps))
 return NULL;
@@ -4244,15 +4241,6 @@ struct bt_bap_stream *bt_bap_config(struct bt_bap *bap,
 if (!stream)
 stream = bap_stream_new(bap, ep, lpac, rpac, data, true);
- id = bt_bap_stream_config(stream, pqos, data, func, user_data);
- if (!id) {
- DBG(bap, "Unable to config stream");
- queue_remove(bap->streams, stream);
- ep->stream = NULL;
- free(stream);
- return NULL;
- }
-
 return stream;
 }
diff --git a/src/shared/bap.h b/src/shared/bap.h
index 47a15636c..bd13abef9 100644
--- a/src/shared/bap.h
+++ b/src/shared/bap.h
@@ -190,13 +190,11 @@ void *bt_bap_pac_get_user_data(struct bt_bap_pac *pac);
 int bt_bap_select(struct bt_bap_pac *lpac, struct bt_bap_pac *rpac,
 bt_bap_pac_select_t func, void *user_data);
-struct bt_bap_stream *bt_bap_config(struct bt_bap *bap,
+struct bt_bap_stream *bt_bap_stream_new(struct bt_bap *bap,
 struct bt_bap_pac *lpac,
 struct bt_bap_pac *rpac,
 struct bt_bap_qos *pqos,
- struct iovec *data,
- bt_bap_stream_func_t func,
- void *user_data);
+ struct iovec *data);
 struct bt_bap *bt_bap_stream_get_session(struct bt_bap_stream *stream);
 uint8_t bt_bap_stream_get_state(struct bt_bap_stream *stream); |
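Review bot: bt_bap_stream_new now hands back a stream with no statement of who cleans it up, and the second bap.c hunk deletes the only failure path that did so (`queue_remove(bap->streams, stream)`, `ep->stream = NULL`, `free(stream)`). Every caller must now call bt_bap_stream_config itself and undo the stream when that returns 0; those callers are outside this 'src'-limited diff, so that cannot be checked from here. The Valgrind trace in the description shows config_cb writing into endpoint memory already freed by ep_remove, so the caller also has to keep the user_data it passes to the config callback alive until the pending request completes, or cancel the request before freeing it. I would add a comment above the definition such as `/* Returns an unconfigured stream; the caller must call bt_bap_stream_config() and release the stream if that fails. */`. The function body continues outside both hunks.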
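Review bot: `struct bt_bap_qos *pqos` stays in the public prototype in bap.h although, in the bap.c lines visible in this commit, its only consumer was the removed bt_bap_stream_config call. If the part of the function between the two bap.c hunks does not read it either, the parameter is dead and wrongly suggests that the returned stream already carries the QoS settings. Either drop it from the prototype and the definition, or say so on the declaration, e.g. `/* pqos is not applied here; pass it to bt_bap_stream_config() */`.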