diff options
author | Luiz Augusto von Dentz <luiz.von.dentz@intel.com> | 2022-11-09 13:02:49 -0800 |
---|---|---|
committer | Luiz Augusto von Dentz <luiz.von.dentz@intel.com> | 2022-11-15 11:22:39 -0800 |
commit | 7fcd6889fb13858e3f78e9d5e35ffd80d8e0accb (patch) | |
tree | 2abf7f1ec22a0dcd075a87307cb5fc40f31b26d5 /src | |
parent | 918c73acb778e2359abcf5c3fa4c6528164b3910 (diff) | |
download | bluez-7fcd6889fb13858e3f78e9d5e35ffd80d8e0accb.tar.gz |
shared/bap: Fix crash when canceling requests
If bt_bap_unref/bap_free is called while there is an ongoing pending
request it may endup calling into bap_notify_ready which will try to
notify ready callbacks while holding a reference, but in case the
reference is already 0 that means it would switch to 1 and back 0
causing a double free.
To prevent that bap_notify_ready now checks that the reference is not 0
with use of bt_bap_ref_safe.
Diffstat (limited to 'src')
-rw-r--r-- | src/shared/bap.c | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/src/shared/bap.c b/src/shared/bap.c index 25369e619..21aa8aa6c 100644 --- a/src/shared/bap.c +++ b/src/shared/bap.c @@ -2638,6 +2638,14 @@ struct bt_bap *bt_bap_ref(struct bt_bap *bap) return bap; } +static struct bt_bap *bt_bap_ref_safe(struct bt_bap *bap) +{ + if (!bap || !bap->ref_count) + return NULL; + + return bt_bap_ref(bap); +} + void bt_bap_unref(struct bt_bap *bap) { if (!bap) @@ -2656,7 +2664,8 @@ static void bap_notify_ready(struct bt_bap *bap) if (!queue_isempty(bap->pending)) return; - bt_bap_ref(bap); + if (!bt_bap_ref_safe(bap)) + return; for (entry = queue_get_entries(bap->ready_cbs); entry; entry = entry->next) { |