Branch: refs/heads/master
Home: https://github.com/bluez/bluez

Commit: 6849c64e1fdbed0c18439878151dc19adcc7be2b
    https://github.com/bluez/bluez/commit/6849c64e1fdbed0c18439878151dc19adcc7be2b
Author: Pauli Virtanen <pav@xxxxxx>
Date: 2024-03-25 (Mon, 25 Mar 2024)

Changed paths:
  M src/shared/bap.c
  M src/shared/bap.h

Log Message:
-----------
shared/bap: add bt_bap_cancel_select to cancel ongoing pac select

Add function and PAC ops for canceling a previously initiated
SelectProperties() call.


Commit: 41d6c4e1c92fc6e0757b0f71ca5062671ff55235
    https://github.com/bluez/bluez/commit/41d6c4e1c92fc6e0757b0f71ca5062671ff55235
Author: Pauli Virtanen <pav@xxxxxx>
Date: 2024-03-25 (Mon, 25 Mar 2024)

Changed paths:
  M profiles/audio/bap.c
  M profiles/audio/media.c

Log Message:
-----------
bap: cancel ongoing SelectProperties() before freeing the ep

select_cb() callback is called when the sound server replies. However,
at that point the ep or session for which it was made may already be
gone if e.g. device disconnects or adapter is powered off.

Fix by implementing cancelling select() callbacks, and doing it before
freeing ep.

Fixes crash:

==889897==ERROR: AddressSanitizer: heap-use-after-free
READ of size 8 at 0x60400006b098 thread T0
    #0 0x55aeba in setup_new profiles/audio/bap.c:840
    #1 0x562158 in select_cb profiles/audio/bap.c:1361
    #2 0x47ad66 in pac_select_cb profiles/audio/media.c:920
    #3 0x47661b in endpoint_reply profiles/audio/media.c:375
    ...

freed by thread T0 here:
    #0 0x7fd20bcd7fb8 in __interceptor_free.part.0
    #1 0x55f913 in ep_free profiles/audio/bap.c:1156
    #2 0x7d696e in remove_interface gdbus/object.c:660
    #3 0x7de622 in g_dbus_unregister_interface gdbus/object.c:1394
    #4 0x554536 in ep_unregister profiles/audio/bap.c:193
    #5 0x574455 in ep_remove profiles/audio/bap.c:2963
    #6 0x7f5341 in queue_remove_if src/shared/queue.c:279
    #7 0x7f5aba in queue_remove_all src/shared/queue.c:321
    #8 0x57452b in bap_disconnect profiles/audio/bap.c:2972
    #9 0x6cd107 in btd_service_disconnect src/service.c:305
    ...

previously allocated by thread T0 here:
    #0 0x7fd20bcd92ef in malloc
    #1 0x7f6e98 in util_malloc src/shared/util.c:46
    #2 0x560d28 in ep_register profiles/audio/bap.c:1282
    #3 0x562bdf in pac_register profiles/audio/bap.c:1386
    #4 0x8cc834 in bap_foreach_pac src/shared/bap.c:4950
    #5 0x8cccfc in bt_bap_foreach_pac src/shared/bap.c:4964
    #6 0x56330b in bap_ready profiles/audio/bap.c:1457
    ...


Compare: https://github.com/bluez/bluez/compare/150bd6e81b35...41d6c4e1c92f
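The bug class behind the second commit, as an added stand-alone C example (not bluez code, and not part of this notification): an object registers an asynchronous request whose reply calls back with a pointer to the object; if the object is freed before the reply arrives, the callback dereferences freed memory, which is exactly the heap-use-after-free in the trace above. The fix pattern is the one the commit message describes: unlink the pending request before freeing its owner. All names here (struct pending, request_submit, request_cancel, dispatch_replies, the scenario_* functions) are assumptions for illustration, not functions in bluez; the pending queue stands in for the D-Bus reply that select_cb() waits on.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Outstanding asynchronous request; its reply later invokes cb(user_data).
 * Hypothetical stand-in for a SelectProperties() call awaiting a reply. */
struct pending {
	void (*cb)(void *user_data);
	void *user_data;
	struct pending *next;
};

static struct pending *pending_head;	/* queue of outstanding requests */

struct endpoint { int replies; };	/* the object a reply will touch */

static void request_submit(void (*cb)(void *), void *user_data)
{
	struct pending *p = calloc(1, sizeof(*p));
	if (!p) abort();
	p->cb = cb;
	p->user_data = user_data;
	p->next = pending_head;
	pending_head = p;
}

/* Unlink every request made on behalf of owner so its callback never runs. */
static unsigned request_cancel(const void *owner)
{
	unsigned dropped = 0;
	struct pending **pp = &pending_head;
	while (*pp) {
		struct pending *p = *pp;
		if (p->user_data != owner) { pp = &p->next; continue; }
		*pp = p->next;
		free(p);
		dropped++;
	}
	return dropped;
}

/* Deliver every queued reply (the "sound server replied" moment). */
static unsigned dispatch_replies(void)
{
	unsigned ran = 0;
	for (struct pending *p; (p = pending_head); ran++) {
		pending_head = p->next;
		p->cb(p->user_data);
		free(p);
	}
	return ran;
}

static void select_cb(void *user_data)
{
	struct endpoint *ep = user_data;	/* dangling if ep was already freed */
	ep->replies++;
}

/* Fixed pattern: cancel the in-flight select before the endpoint goes away. */
static void ep_free(struct endpoint *ep)
{
	request_cancel(ep);
	free(ep);
}

/* Buggy pattern: free with the select still queued. Returns how many queued
 * replies still carry the freed address; dispatching them would be the
 * heap-use-after-free. They are unlinked, not run, so the demo stays safe. */
static unsigned scenario_free_without_cancel(void)
{
	struct endpoint *ep = calloc(1, sizeof(*ep));
	request_submit(select_cb, ep);		/* the select is now in flight */
	uintptr_t stale = (uintptr_t)ep;
	free(ep);				/* nothing cancels the request: the bug */
	unsigned dangling = 0;
	for (struct pending *p = pending_head; p; p = p->next)
		dangling += (uintptr_t)p->user_data == stale;
	request_cancel((const void *)stale);	/* discard; never dispatch */
	return dangling;
}

/* Fixed pattern: no callback runs once the endpoint has been freed. */
static unsigned scenario_free_with_cancel(void)
{
	struct endpoint *ep = calloc(1, sizeof(*ep));
	request_submit(select_cb, ep);
	ep_free(ep);
	return dispatch_replies();
}

/* Normal path: the reply arrives while the endpoint is still alive. */
static int scenario_reply_before_free(void)
{
	struct endpoint *ep = calloc(1, sizeof(*ep));
	request_submit(select_cb, ep);
	dispatch_replies();
	int replies = ep->replies;
	ep_free(ep);
	return replies;
}
```

Calling scenario_free_without_cancel() shows one queued reply still pointing at freed memory (the situation the ASan report catches at select_cb/setup_new), scenario_free_with_cancel() shows zero callbacks running after ep_free(), and scenario_reply_before_free() confirms the cancel-on-free path does not disturb the normal case. Build with -fsanitize=address and replace the request_cancel() in the buggy scenario with dispatch_replies() to reproduce the same class of report as the one in the commit message.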