shared/bap: Fix crash when canceling requests

If bt_bap_unref/bap_free is called while there is an ongoing pending request it may endup calling into bap_notify_ready which will try to notify ready callbacks while holding a reference, but in case the reference is already 0 that means it would switch to 1 and back 0 causing a double free. To prevent that bap_notify_ready now checks that the reference is not 0 with use of bt_bap_ref_safe.
author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> 2022-11-09 13:02:49 -0800
committer: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> 2022-11-15 11:22:39 -0800
commit: 7fcd6889fb13858e3f78e9d5e35ffd80d8e0accb (patch)
tree: 2abf7f1ec22a0dcd075a87307cb5fc40f31b26d5 /src
parent: 918c73acb778e2359abcf5c3fa4c6528164b3910 (diff)
download: bluez-7fcd6889fb13858e3f78e9d5e35ffd80d8e0accb.tar.gz
1 files changed, 10 insertions, 1 deletions
diff --git a/src/shared/bap.c b/src/shared/bap.c
index 25369e619..21aa8aa6c 100644
--- a/src/shared/bap.c
+++ b/src/shared/bap.c
@@ -2638,6 +2638,14 @@ struct bt_bap *bt_bap_ref(struct bt_bap *bap)
 	return bap;
 }
 
+static struct bt_bap *bt_bap_ref_safe(struct bt_bap *bap)
+{
+	if (!bap || !bap->ref_count)
+		return NULL;
+
+	return bt_bap_ref(bap);
+}
+
 void bt_bap_unref(struct bt_bap *bap)
 {
 	if (!bap)
@@ -2656,7 +2664,8 @@ static void bap_notify_ready(struct bt_bap *bap)
 	if (!queue_isempty(bap->pending))
 		return;
 
-	bt_bap_ref(bap);
+	if (!bt_bap_ref_safe(bap))
+		return;
 
 	for (entry = queue_get_entries(bap->ready_cbs); entry;
 							entry = entry->next) {
author	Luiz Augusto von Dentz <luiz.von.dentz@intel.com>	2022-11-09 13:02:49 -0800
committer	Luiz Augusto von Dentz <luiz.von.dentz@intel.com>	2022-11-15 11:22:39 -0800
commit	7fcd6889fb13858e3f78e9d5e35ffd80d8e0accb (patch)
tree	2abf7f1ec22a0dcd075a87307cb5fc40f31b26d5 /src
parent	918c73acb778e2359abcf5c3fa4c6528164b3910 (diff)
download	bluez-7fcd6889fb13858e3f78e9d5e35ffd80d8e0accb.tar.gz