[PATCH BlueZ 0/3] BAP fixes

[PATCH BlueZ 0/3] BAP fixes

[Iulia Tanasescu]

This patch fixes crashes at Broadcast Sink cleanup.

I reproduced the crashes with the following setup:

[bluetooth]# endpoint.register 00001851-0000-1000-8000-00805f9b34fb 0x06

[bluetooth]# scan on
[NEW] Endpoint /org/bluez/hci0/dev_XX_XX_XX_XX_XX_XX/ pac_bcast0

[bluetooth]# endpoint.config
/org/bluez/hci0/dev_XX_XX_XX_XX_XX_XX/pac_bcast0 /local/endpoint/ep0
16_2_1
[NEW] Transport /org/bluez/hci12/dev_XX_XX_XX_XX_XX_XX/pac_bcast0/fd0
...
[CHG] Transport /org/bluez/hci12/dev_XX_XX_XX_XX_XX_XX/pac_bcast0/fd0
State: active

[bluetooth]# scan off

Iulia Tanasescu (3):
  shared/bap: Properly cleanup bap remote endpoints
  bap: Fix incorrect parsing of caps and meta in parse_base
  bap: Remove incorrect assignment of listen io

 profiles/audio/bap.c | 41 +++++++++++++++++++++++++----------------
 src/shared/bap.c     | 12 +++++++++++-
 2 files changed, 36 insertions(+), 17 deletions(-)


base-commit: a692cc44dc8735b9303f8893f784306b4d2654fe
-- 
2.39.2

[PATCH BlueZ 1/3] shared/bap: Properly cleanup bap remote endpoints

[Iulia Tanasescu]

When freeing a remote bap endpoint, the endpoint reference inside the
stream should be set to NULL, to avoid later use after free errors.
---
 src/shared/bap.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/shared/bap.c b/src/shared/bap.c
index 851d6a5fa..60fb826c3 100644
--- a/src/shared/bap.c
+++ b/src/shared/bap.c
@@ -2979,6 +2979,16 @@ static void bap_state_free(void *data)
 	free(state);
 }
 
+static void bap_ep_free(void *data)
+{
+	struct bt_bap_endpoint *ep = data;
+
+	if (ep && ep->stream)
+		ep->stream->ep = NULL;
+
+	free(ep);
+}
+
 static void bap_detached(void *data, void *user_data)
 {
 	struct bt_bap_cb *cb = data;
@@ -3001,7 +3011,7 @@ static void bap_free(void *data)
 	queue_destroy(bap->ready_cbs, bap_ready_free);
 	queue_destroy(bap->state_cbs, bap_state_free);
 	queue_destroy(bap->local_eps, free);
-	queue_destroy(bap->remote_eps, free);
+	queue_destroy(bap->remote_eps, bap_ep_free);
 
 	queue_destroy(bap->reqs, bap_req_free);
 	queue_destroy(bap->notify, NULL);
-- 
2.39.2

RE: BAP fixes

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 947 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=822537

---Test result---

Test Summary:
CheckPatch                    PASS      1.36 seconds
GitLint                       PASS      0.97 seconds
BuildEll                      PASS      24.14 seconds
BluezMake                     PASS      735.14 seconds
MakeCheck                     PASS      11.36 seconds
MakeDistcheck                 PASS      162.88 seconds
CheckValgrind                 PASS      226.40 seconds
CheckSmatch                   PASS      327.49 seconds
bluezmakeextell               PASS      107.14 seconds
IncrementalBuild              PASS      2114.75 seconds
ScanBuild                     PASS      936.54 seconds



---
Regards,
Linux Bluetooth

[PATCH BlueZ 2/3] bap: Fix incorrect parsing of caps and meta in parse_base

[Iulia Tanasescu]

This adds a fix to properly parse the stream capabilities and
metadata in parse base.
---
 profiles/audio/bap.c | 40 +++++++++++++++++++++++++---------------
 1 file changed, 25 insertions(+), 15 deletions(-)

diff --git a/profiles/audio/bap.c b/profiles/audio/bap.c
index 7faa6be7f..909d57121 100644
--- a/profiles/audio/bap.c
+++ b/profiles/audio/bap.c
@@ -433,7 +433,8 @@ static bool parse_base(void *data, size_t len, util_debug_func_t func,
 	};
 
 	uint8_t capsLen, metaLen;
-	uint8_t *hexstream;
+	struct iovec cc;
+	struct iovec metadata;
 
 	if (presDelay) {
 		if (!util_iov_pull_le24(&iov, presDelay))
@@ -467,15 +468,21 @@ static bool parse_base(void *data, size_t len, util_debug_func_t func,
 
 	if (!capsLen)
 		return false;
+
+	cc.iov_len = capsLen;
+	cc.iov_base = util_iov_pull_mem(&iov, capsLen);
+	if (!cc.iov_base)
+		return false;
+
 	if (caps) {
-		if (!(*caps))
-			*caps = new0(struct iovec, 1);
-		(*caps)->iov_len = capsLen;
-		(*caps)->iov_base = iov.iov_base;
+		if (*caps)
+			util_iov_free(*caps, 1);
+
+		*caps = util_iov_dup(&cc, 1);
 	}
 
 	for (int i = 0; capsLen > 1; i++) {
-		struct bt_ltv *ltv = util_iov_pull_mem(&iov, sizeof(*ltv));
+		struct bt_ltv *ltv = util_iov_pull_mem(&cc, sizeof(*ltv));
 		uint8_t *caps;
 
 		if (!ltv) {
@@ -487,7 +494,7 @@ static bool parse_base(void *data, size_t len, util_debug_func_t func,
 		util_debug(func, NULL, "%s #%u: len %u type %u",
 					"CC", i, ltv->len, ltv->type);
 
-		caps = util_iov_pull_mem(&iov, ltv->len - 1);
+		caps = util_iov_pull_mem(&cc, ltv->len - 1);
 		if (!caps) {
 			util_debug(func, NULL, "Unable to parse %s",
 								"CC");
@@ -504,17 +511,20 @@ static bool parse_base(void *data, size_t len, util_debug_func_t func,
 
 	if (!metaLen)
 		return false;
+
+	metadata.iov_len = metaLen;
+	metadata.iov_base = util_iov_pull_mem(&iov, metaLen);
+	if (!metadata.iov_base)
+		return false;
+
 	if (meta) {
-		if (!(*meta))
-			*meta = new0(struct iovec, 1);
-		(*meta)->iov_len = metaLen;
-		(*meta)->iov_base = iov.iov_base;
+		if (*meta)
+			util_iov_free(*meta, 1);
+
+		*meta = util_iov_dup(&metadata, 1);
 	}
 
-	hexstream = util_iov_pull_mem(&iov, metaLen);
-	if (!hexstream)
-		return false;
-	util_hexdump(' ', hexstream, metaLen, func, NULL);
+	util_hexdump(' ', metadata.iov_base, metaLen, func, NULL);
 
 	return true;
 }
-- 
2.39.2

[PATCH BlueZ 3/3] bap: Remove incorrect assignment of listen io

[Iulia Tanasescu]

For a broadacst sink, the io that is notified in iso_bcast_confirm_cb
is the stream io, so the listen io should not be updated.
---
 profiles/audio/bap.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/profiles/audio/bap.c b/profiles/audio/bap.c
index 909d57121..94c1de1c6 100644
--- a/profiles/audio/bap.c
+++ b/profiles/audio/bap.c
@@ -1061,7 +1061,6 @@ static void iso_bcast_confirm_cb(GIOChannel *io, GError *err, void *user_data)
 					setup->metadata);
 	setup->id = bt_bap_stream_config(setup->stream, &setup->qos,
 					setup->caps, NULL, NULL);
-	data->listen_io = io;
 
 	bt_bap_stream_set_user_data(setup->stream, ep->path);
 
-- 
2.39.2

Re: [PATCH BlueZ 0/3] BAP fixes

[patchwork-bot+bluetooth]

Hello:

This series was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Fri,  2 Feb 2024 16:10:33 +0200 you wrote:
> This patch fixes crashes at Broadcast Sink cleanup.
> 
> I reproduced the crashes with the following setup:
> 
> [bluetooth]# endpoint.register 00001851-0000-1000-8000-00805f9b34fb 0x06
> 
> [bluetooth]# scan on
> [NEW] Endpoint /org/bluez/hci0/dev_XX_XX_XX_XX_XX_XX/ pac_bcast0
> 
> [...]

Here is the summary with links:
  - [BlueZ,1/3] shared/bap: Properly cleanup bap remote endpoints
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=29dee7b54303
  - [BlueZ,2/3] bap: Fix incorrect parsing of caps and meta in parse_base
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=35032a6075c5
  - [BlueZ,3/3] bap: Remove incorrect assignment of listen io
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=05efcccdcc5e

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html