linux-bluetooth.vger.kernel.org archive mirror
* [PATCH BlueZ 1/2] audio/avrcp: Fix crash if no player is available
@ 2016-06-15 12:26 Luiz Augusto von Dentz
  2016-06-15 12:26 ` [PATCH BlueZ 2/2] audio/avdtp: Fix memory leak Luiz Augusto von Dentz
  2016-06-16  9:34 ` [PATCH BlueZ 1/2] audio/avrcp: Fix crash if no player is available Luiz Augusto von Dentz
  0 siblings, 2 replies; 3+ messages in thread
From: Luiz Augusto von Dentz @ 2016-06-15 12:26 UTC (permalink / raw)
  To: linux-bluetooth

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

It seems some Samsung Android devices may actually report no players
at all causing the following crash:

Program terminated with signal 11, Segmentation fault.
  #0  set_ct_player (player=0x0, session=<value optimized out>)
    at profiles/audio/avrcp.c:3139
  #1  0xb76c0aab in player_remove (data=0xb849a100)
    at profiles/audio/avrcp.c:3278
---
 profiles/audio/avrcp.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
index 6c8ed81..c100149 100644
--- a/profiles/audio/avrcp.c
+++ b/profiles/audio/avrcp.c
@@ -3200,7 +3200,8 @@ static void set_ct_player(struct avrcp *session, struct avrcp_player *player)
 
 	session->controller->player = player;
 	service = btd_device_get_service(session->dev, AVRCP_TARGET_UUID);
-	control_set_player(service, media_player_get_path(player->user_data));
+	control_set_player(service, player ?
+			media_player_get_path(player->user_data) : NULL);
 }
 
 static struct avrcp_player *create_ct_player(struct avrcp *session,
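Review bot: in set_ct_player(), the new ternary only guards player itself, so player->user_data is still handed to media_player_get_path() unchecked, and the NULL branch relies on control_set_player() accepting a NULL path, which this hunk does not show. Since the commit message ties the crash to what a remote device reports, please confirm both in the patch description or add a guard, for example testing `player && player->user_data` before taking the path. The service pointer returned by btd_device_get_service() is also passed on without a check.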
@@ -3330,6 +3331,10 @@ static void player_remove(gpointer data)
 	struct avrcp_player *player = data;
 	GSList *l;
 
+	/* Don't remove reserved player */
+	if (!player->id)
+		return;
+
 	for (l = player->sessions; l; l = l->next) {
 		struct avrcp *session = l->data;
 		struct avrcp_data *controller = session->controller;
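Review bot: the early return on `!player->id` in player_remove() needs a fuller comment, because this function is the destroy callback passed to g_slist_free_full(removed, player_remove), and returning here means the entry is neither detached from its sessions nor released by that call. State in the comment that id 0 is the reserved placeholder player (the one made with create_ct_player(session, 0)) and say who frees it on session teardown. A named constant for the reserved id would keep this check and the create call in step.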
@@ -3393,6 +3398,10 @@ static gboolean avrcp_get_media_player_list_rsp(struct avctp *conn,
 
 	g_slist_free_full(removed, player_remove);
 
+	/* There should always be an active player */
+	if (!session->controller->player)
+		create_ct_player(session, 0);
+
 	return FALSE;
 }
 
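Review bot: the added create_ct_player(session, 0) call in avrcp_get_media_player_list_rsp() discards the returned struct avrcp_player pointer, so the "always an active player" invariant in the comment holds only if create_ct_player() cannot fail and itself assigns session->controller->player, neither of which is visible here. Consider checking the result and setting it explicitly, e.g. `player = create_ct_player(session, 0); if (player) set_ct_player(session, player);`, or note in the comment that create_ct_player() performs the assignment.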
-- 
2.5.5



* [PATCH BlueZ 2/2] audio/avdtp: Fix memory leak
  2016-06-15 12:26 [PATCH BlueZ 1/2] audio/avrcp: Fix crash if no player is available Luiz Augusto von Dentz
@ 2016-06-15 12:26 ` Luiz Augusto von Dentz
  2016-06-16  9:34 ` [PATCH BlueZ 1/2] audio/avrcp: Fix crash if no player is available Luiz Augusto von Dentz
  1 sibling, 0 replies; 3+ messages in thread
From: Luiz Augusto von Dentz @ 2016-06-15 12:26 UTC (permalink / raw)
  To: linux-bluetooth

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

Fixes not freeing the stream if endpoint responds with an error
causing the following trace:

146 (104 direct, 42 indirect) bytes in 1 blocks are definitely lost in loss record 209 of 244
   at 0x4C2A988: calloc (vg_replace_malloc.c:711)
   by 0x50CE580: g_malloc0 (in /usr/lib64/libglib-2.0.so.0.4600.2)
   by 0x42600F: avdtp_setconf_cmd (avdtp.c:1474)
   by 0x42600F: avdtp_parse_cmd (avdtp.c:1966)
   by 0x42600F: session_cb (avdtp.c:2165)
   by 0x50C8E59: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.4600.2)
   by 0x50C91EF: ??? (in /usr/lib64/libglib-2.0.so.0.4600.2)
   by 0x50C9511: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.4600.2)
   by 0x40BFC8: main (main.c:687)
---
 profiles/audio/avdtp.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/profiles/audio/avdtp.c b/profiles/audio/avdtp.c
index 82de98b..4ec9cca 100644
--- a/profiles/audio/avdtp.c
+++ b/profiles/audio/avdtp.c
@@ -1397,6 +1397,7 @@ static void setconf_cb(struct avdtp *session, struct avdtp_stream *stream,
 		avdtp_send(session, session->in.transaction,
 				AVDTP_MSG_TYPE_REJECT, AVDTP_SET_CONFIGURATION,
 				&rej, sizeof(rej));
+		stream_free(stream);
 		return;
 	}
 
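Review bot: stream_free(stream) on the reject path in setconf_cb() fixes the leak in the trace, but the hunk does not show whether anything still points at the stream once it is freed. The allocation is in avdtp_setconf_cmd() (avdtp.c:1474 in the trace), so any pointer stored there before the endpoint callback runs must be cleared, or the leak becomes a dangling reference. Please say in the commit message that stream_free() unlinks it, or clear the reference next to this call; a short comment that the callback owns the stream on error would also help the next reader.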
-- 
2.5.5



* Re: [PATCH BlueZ 1/2] audio/avrcp: Fix crash if no player is available
  2016-06-15 12:26 [PATCH BlueZ 1/2] audio/avrcp: Fix crash if no player is available Luiz Augusto von Dentz
  2016-06-15 12:26 ` [PATCH BlueZ 2/2] audio/avdtp: Fix memory leak Luiz Augusto von Dentz
@ 2016-06-16  9:34 ` Luiz Augusto von Dentz
  1 sibling, 0 replies; 3+ messages in thread
From: Luiz Augusto von Dentz @ 2016-06-16  9:34 UTC (permalink / raw)
  To: linux-bluetooth@vger.kernel.org

Hi,

On Wed, Jun 15, 2016 at 3:26 PM, Luiz Augusto von Dentz
<luiz.dentz@gmail.com> wrote:
> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
>
> It seems some Samsung Android devices may actually report no players
> at all causing the following crash:
>
> Program terminated with signal 11, Segmentation fault.
>   #0  set_ct_player (player=0x0, session=<value optimized out>)
>     at profiles/audio/avrcp.c:3139
>   #1  0xb76c0aab in player_remove (data=0xb849a100)
>     at profiles/audio/avrcp.c:3278
> ---
>  profiles/audio/avrcp.c | 11 ++++++++++-
>  1 file changed, 10 insertions(+), 1 deletion(-)
>
> diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
> index 6c8ed81..c100149 100644
> --- a/profiles/audio/avrcp.c
> +++ b/profiles/audio/avrcp.c
> @@ -3200,7 +3200,8 @@ static void set_ct_player(struct avrcp *session, struct avrcp_player *player)
>
>         session->controller->player = player;
>         service = btd_device_get_service(session->dev, AVRCP_TARGET_UUID);
> -       control_set_player(service, media_player_get_path(player->user_data));
> +       control_set_player(service, player ?
> +                       media_player_get_path(player->user_data) : NULL);
>  }
>
>  static struct avrcp_player *create_ct_player(struct avrcp *session,
> @@ -3330,6 +3331,10 @@ static void player_remove(gpointer data)
>         struct avrcp_player *player = data;
>         GSList *l;
>
> +       /* Don't remove reserved player */
> +       if (!player->id)
> +               return;
> +
>         for (l = player->sessions; l; l = l->next) {
>                 struct avrcp *session = l->data;
>                 struct avrcp_data *controller = session->controller;
> @@ -3393,6 +3398,10 @@ static gboolean avrcp_get_media_player_list_rsp(struct avctp *conn,
>
>         g_slist_free_full(removed, player_remove);
>
> +       /* There should always be an active player */
> +       if (!session->controller->player)
> +               create_ct_player(session, 0);
> +
>         return FALSE;
>  }
>
> --
> 2.5.5

Applied.


-- 
Luiz Augusto von Dentz
