* [PATCH BlueZ] audio/avrcp: fix crash when NowPlaying changes while list_items is in progress
@ 2025-05-22 15:03 Frédéric Danis
2025-05-22 16:35 ` [BlueZ] " bluez.test.bot
0 siblings, 1 reply; 2+ messages in thread
From: Frédéric Danis @ 2025-05-22 15:03 UTC
To: linux-bluetooth
From: George Kiagiadakis <george.kiagiadakis@collabora.com>
The media_item objects are owned by the player and while we keep
temporary pointers to them in pending_list_items, clearing the player's
playlist destroys them and we will end up crashing in the next call to
avrcp_list_items_rsp(). The crash is racy and can only be observed
when skipping tracks very quickly in an Apple Music station (where the
playlist changes on every next song).
---
profiles/audio/avrcp.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
index 8d1e03b93..7296ac164 100644
--- a/profiles/audio/avrcp.c
+++ b/profiles/audio/avrcp.c
@@ -3879,6 +3879,14 @@ static void avrcp_now_playing_changed(struct avrcp *session,
DBG("NowPlaying changed");
+ /* reset the list_items operation, if it is in progress
+ or else we will crash because _clear_playlist() frees the items */
+ if (player->p) {
+ g_slist_free(player->p->items);
+ g_free(player->p);
+ player->p = NULL;
+ }
+
media_player_clear_playlist(mp);
}
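Review bot: Once the added block in avrcp_now_playing_changed() sets player->p = NULL, a list_items response that is already outstanding will still be delivered to avrcp_list_items_rsp(), which the commit message names as the crash site; nothing in this hunk shows that handler checking player->p before using it, so please confirm it returns early on NULL, otherwise the use-after-free is only traded for a NULL dereference. It is also worth stating in the commit message what happens to the caller that started the list_items operation, since the pending state is dropped here without any visible completion or error being reported. On style, the two-line comment does not follow the usual block-comment layout (continuation line starting with " * " and the closing "*/" on its own line), and it refers to _clear_playlist() where the function actually called is media_player_clear_playlist().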
--
2.43.0