From: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
If bt_bap_unref/bap_free is called while there is an ongoing pending
request it may endup calling into bap_notify_ready which will try to
notify ready callbacks while holding a reference, but in case the
reference is already 0 that means it would switch to 1 and back 0
causing a double free.
To prevent that bap_notify_ready now checks that the reference is not 0
with use of bt_bap_ref_safe.
---
src/shared/bap.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/shared/bap.c b/src/shared/bap.c
index 25369e619051..21aa8aa6c5ca 100644
--- a/src/shared/bap.c
+++ b/src/shared/bap.c
@@ -2638,6 +2638,14 @@ struct bt_bap *bt_bap_ref(struct bt_bap *bap)
return bap;
}
+static struct bt_bap *bt_bap_ref_safe(struct bt_bap *bap)
+{
+ if (!bap || !bap->ref_count)
+ return NULL;
+
+ return bt_bap_ref(bap);
+}
+
void bt_bap_unref(struct bt_bap *bap)
{
if (!bap)
@@ -2656,7 +2664,8 @@ static void bap_notify_ready(struct bt_bap *bap)
if (!queue_isempty(bap->pending))
return;
- bt_bap_ref(bap);
+ if (!bt_bap_ref_safe(bap))
+ return;
for (entry = queue_get_entries(bap->ready_cbs); entry;
entry = entry->next) {
--
2.37.3
