* [PATCH BlueZ v1 1/2] bthost: Fix crash on bthost_past_set_info
@ 2025-10-30 17:01 Luiz Augusto von Dentz
From: Luiz Augusto von Dentz @ 2025-10-30 17:01 UTC (permalink / raw)
To: linux-bluetooth
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
This fixes the following crash:
Invalid read of size 1
at 0x401DEFE: send_command (bthost.c:1101)
by 0x4021F01: bthost_past_set_info (bthost.c:3758)
by 0x4006038: test_listen_past (iso-tester.c:3246)
by 0x494984A: ??? (in /usr/lib64/libglib-2.0.so.0.8400.4)
by 0x4943862: ??? (in /usr/lib64/libglib-2.0.so.0.8400.4)
by 0x494C7A7: ??? (in /usr/lib64/libglib-2.0.so.0.8400.4)
by 0x494CA4E: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.8400.4)
by 0x402CC4D: mainloop_run (mainloop-glib.c:65)
by 0x402D224: mainloop_run_with_signal (mainloop-notify.c:196)
by 0x402C445: tester_run (tester.c:1084)
by 0x4005609: main (iso-tester.c:4335)
Address 0x40 is not stack'd, malloc'd or (recently) free'd
---
emulator/bthost.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/emulator/bthost.c b/emulator/bthost.c
index 79d8305d78cf..faabbaa36a4a 100644
--- a/emulator/bthost.c
+++ b/emulator/bthost.c
@@ -3751,6 +3751,9 @@ void bthost_past_set_info(struct bthost *bthost, uint16_t handle)
{
struct bt_hci_cmd_le_past_set_info cp;
+ if (!bthost)
+ return;
+
memset(&cp, 0, sizeof(cp));
cp.handle = cpu_to_le16(handle);
cp.adv_handle = 0x01;
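Review bot: the NULL guard at the top of bthost_past_set_info() stops the crash, but the commit message leaves the root cause unexplained: address 0x40 in the Valgrind report is a small offset from a NULL pointer, so test_listen_past (iso-tester.c:3246) handed a NULL bthost to this function, and with this change the PAST set-info command is silently dropped instead of sent. It would help to state in the commit message why the tester has no bthost at that point (or to fix the caller as well), since otherwise the test continues without the command ever being issued and nothing reports that.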
--
2.51.0
* [PATCH BlueZ v1 2/2] btdev: Fix crash on BIG cleanup
From: Luiz Augusto von Dentz @ 2025-10-30 17:01 UTC (permalink / raw)
To: linux-bluetooth
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
This fixes the following crash:
Invalid read of size 8
at 0x400F26F: le_big_free (btdev.c:606)
by 0x4024636: queue_remove_all (queue.c:341)
by 0x40246C2: queue_destroy (queue.c:60)
by 0x401B7C9: btdev_destroy (btdev.c:7820)
by 0x400CFBF: hciemu_client_destroy (hciemu.c:301)
by 0x4024636: queue_remove_all (queue.c:341)
by 0x40246C2: queue_destroy (queue.c:60)
by 0x400DA91: hciemu_unref (hciemu.c:441)
by 0x40072F2: test_post_teardown (iso-tester.c:701)
by 0x402BB0A: tester_teardown_complete (tester.c:713)
by 0x402BB41: default_teardown (tester.c:266)
by 0x402B43B: teardown_callback (tester.c:434)
---
emulator/btdev.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/emulator/btdev.c b/emulator/btdev.c
index 8c72a24290c6..c53db7040d39 100644
--- a/emulator/btdev.c
+++ b/emulator/btdev.c
@@ -6863,7 +6863,7 @@ static int cmd_term_big_complete(struct btdev *dev, const void *data,
{
const struct bt_hci_cmd_le_term_big *cmd = data;
struct bt_hci_evt_le_big_terminate rsp;
- struct le_big *big;
+ struct le_big *big, *rbig;
struct btdev_conn *conn;
struct btdev *remote = NULL;
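Review bot: `rbig` is declared at function scope on the same line as `big`, but it is only assigned and read inside the remote-BIG branch further down the function; declaring it in that block would keep its scope obvious and rule out a later path reading it uninitialized. Keeping it separate from `big` is the right call, since reusing `big` for the remote lookup (the `big = queue_find(remote->le_big, ...)` line removed later in this patch) is what clobbered the local entry.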
@@ -6875,7 +6875,6 @@ static int cmd_term_big_complete(struct btdev *dev, const void *data,
big = queue_find(dev->le_big, match_big_handle,
UINT_TO_PTR(cmd->handle));
-
if (!big)
return 0;
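Review bot: this hunk only deletes the blank line between the `queue_find()` call and the `if (!big)` check. That is whitespace cleanup unrelated to the crash fix and would be better left out, or moved to a separate cleanup commit, so the fix diff stays minimal and easy to bisect.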
@@ -6892,14 +6891,17 @@ static int cmd_term_big_complete(struct btdev *dev, const void *data,
remote = conn->link->dev;
- big = queue_find(remote->le_big, match_bis, conn->link);
- if (big) {
+ rbig = queue_find(remote->le_big, match_bis,
+ conn->link);
+ if (rbig) {
memset(&evt, 0, sizeof(evt));
- evt.big_handle = big->handle;
+ evt.big_handle = rbig->handle;
evt.reason = cmd->reason;
le_meta_event(remote,
BT_HCI_EVT_LE_BIG_SYNC_LOST,
&evt, sizeof(evt));
+ queue_remove(remote->le_big, rbig);
+ le_big_free(rbig);
}
}
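Review bot: the fix matches the trace in the commit message: before this change `big` was overwritten with the remote device's entry, so any later use of `big` in this function operated on the remote's `struct le_big` rather than the local one, and the entry left behind in `remote->le_big` is consistent with the invalid read reported from `btdev_destroy()` via `queue_destroy()` -> `queue_remove_all()` -> `le_big_free()`. One suggestion: the order `queue_remove(remote->le_big, rbig);` then `le_big_free(rbig);` is required precisely because `le_big_free` is that queue's destroy callback (the trace shows `queue_remove_all()` calling it), so a one-line comment saying the entry must leave the queue before it is freed would stop a future reader from "simplifying" it into a double free. Reading `evt.big_handle` from `rbig` before the free is correct as written.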
--
2.51.0
* RE: [BlueZ,v1,1/2] bthost: Fix crash on bthost_past_set_info
From: bluez.test.bot @ 2025-10-30 18:24 UTC (permalink / raw)
To: linux-bluetooth, luiz.dentz
This is an automated email; please do not reply to it!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1017827
---Test result---
Test Summary:
CheckPatch PENDING 0.34 seconds
GitLint PENDING 0.43 seconds
BuildEll PASS 20.06 seconds
BluezMake PASS 2601.24 seconds
MakeCheck PASS 20.41 seconds
MakeDistcheck PASS 186.43 seconds
CheckValgrind PASS 238.88 seconds
CheckSmatch WARNING 309.74 seconds
bluezmakeextell PASS 129.07 seconds
IncrementalBuild PENDING 0.42 seconds
ScanBuild PASS 911.10 seconds
Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:
##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:
##############################
Test: CheckSmatch - WARNING
Desc: Run smatch tool with source
Output:
emulator/bthost.c:699:28: warning: Variable length array is used.
emulator/bthost.c:700:32: warning: Variable length array is used.
emulator/bthost.c:917:28: warning: Variable length array is used.
emulator/bthost.c:951:28: warning: Variable length array is used.
emulator/bthost.c:952:32: warning: Variable length array is used.
emulator/btdev.c:459:29: warning: Variable length array is used.
##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:
---
Regards,
Linux Bluetooth
* Re: [PATCH BlueZ v1 1/2] bthost: Fix crash on bthost_past_set_info
From: patchwork-bot+bluetooth @ 2025-10-30 22:30 UTC (permalink / raw)
To: Luiz Augusto von Dentz; +Cc: linux-bluetooth
Hello:
This series was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Thu, 30 Oct 2025 13:01:25 -0400 you wrote:
> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
>
> This fixes the following crash:
>
> Invalid read of size 1
> at 0x401DEFE: send_command (bthost.c:1101)
> by 0x4021F01: bthost_past_set_info (bthost.c:3758)
> by 0x4006038: test_listen_past (iso-tester.c:3246)
> by 0x494984A: ??? (in /usr/lib64/libglib-2.0.so.0.8400.4)
> by 0x4943862: ??? (in /usr/lib64/libglib-2.0.so.0.8400.4)
> by 0x494C7A7: ??? (in /usr/lib64/libglib-2.0.so.0.8400.4)
> by 0x494CA4E: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.8400.4)
> by 0x402CC4D: mainloop_run (mainloop-glib.c:65)
> by 0x402D224: mainloop_run_with_signal (mainloop-notify.c:196)
> by 0x402C445: tester_run (tester.c:1084)
> by 0x4005609: main (iso-tester.c:4335)
> Address 0x40 is not stack'd, malloc'd or (recently) free'd
>
> [...]
Here is the summary with links:
- [BlueZ,v1,1/2] bthost: Fix crash on bthost_past_set_info
https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=229d411e5a71
- [BlueZ,v1,2/2] btdev: Fix crash on BIG cleanup
https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=bb82243a6c27
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html