Linux bluetooth development
* [PATCH BlueZ v3 1/5] bass: Fix possible crash on bass_update_bis_sync
@ 2026-06-29 14:26 Luiz Augusto von Dentz
  2026-06-29 14:26 ` [PATCH BlueZ v3 2/5] shared/bap: Check if stream is valid before attempting to release Luiz Augusto von Dentz
                   ` (4 more replies)
  0 siblings, 5 replies; 6+ messages in thread
From: Luiz Augusto von Dentz @ 2026-06-29 14:26 UTC (permalink / raw)
  To: linux-bluetooth

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

bass_update_bis_sync does use bass_remove_bis, which may end up
removing the current entry, causing a crash on entry->next; to avoid
that, prefetch the next entry.
---
 profiles/audio/bass.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/profiles/audio/bass.c b/profiles/audio/bass.c
index a5ef80fbc835..533d45babfeb 100644
--- a/profiles/audio/bass.c
+++ b/profiles/audio/bass.c
@@ -2014,11 +2014,15 @@ static void bass_update_bis_sync(struct bass_delegator *dg,
 	const struct queue_entry *entry;
 
 	/* Check if existing setups if BIS needs to be added/removed */
-	for (entry = queue_get_entries(dg->setups); entry;
-				entry = entry->next) {
+	for (entry = queue_get_entries(dg->setups); entry;) {
 		struct bass_setup *setup = entry->data;
 		uint8_t state;
 
+		/* Prefetch next entry since the likes of bass_remove_bis can
+		 * end up removing the next entry.
+		 */
+		entry = entry->next;
+
 		state = bt_bap_stream_get_state(setup->stream);
 
 		DBG("stream %p: BIS %d state %s(%u)", setup->stream, setup->bis,
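Review bot: the new comment at the top of the loop body contradicts the commit message: the message says bass_remove_bis may remove the current entry, while the comment says it "can end up removing the next entry". Prefetching `entry = entry->next;` only helps when the current entry is the one being removed; if the next entry could also be freed by bass_remove_bis, the prefetched pointer would be dangling when the loop continues. Suggest rewording the comment to "removing the current entry" so it matches the intent, or, if the next entry really can go away, using a different strategy for this loop (for instance collecting the affected setups first and acting on them after traversal).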
-- 
2.54.0



* [PATCH BlueZ v3 2/5] shared/bap: Check if stream is valid before attempting to release
  2026-06-29 14:26 [PATCH BlueZ v3 1/5] bass: Fix possible crash on bass_update_bis_sync Luiz Augusto von Dentz
@ 2026-06-29 14:26 ` Luiz Augusto von Dentz
  2026-06-29 14:26 ` [PATCH BlueZ v3 3/5] shared/bap: Don't transition to IDLE inside bap_bcast_set_state Luiz Augusto von Dentz
                   ` (3 subsequent siblings)
  4 siblings, 0 replies; 6+ messages in thread
From: Luiz Augusto von Dentz @ 2026-06-29 14:26 UTC (permalink / raw)
  To: linux-bluetooth

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

bt_bap_stream_release shall check if the stream is still valid before
attempting to release it, just as is done with other operations.
---
 src/shared/bap.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/shared/bap.c b/src/shared/bap.c
index 6f2f4fc11f7c..9dd07bc5f2e2 100644
--- a/src/shared/bap.c
+++ b/src/shared/bap.c
@@ -6727,6 +6727,9 @@ unsigned int bt_bap_stream_release(struct bt_bap_stream *stream,
 	unsigned int id;
 	struct bt_bap *bap;
 
+	if (!bap_stream_valid(stream))
+		return 0;
+
 	if (!stream || !stream->ops || !stream->ops->release)
 		return 0;
 
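Review bot: ordering of the checks: the added `if (!bap_stream_valid(stream))` runs before the existing `if (!stream || !stream->ops || !stream->ops->release)` NULL test, so a NULL stream now reaches bap_stream_valid first. Please confirm that helper tolerates NULL, or move the new check after the existing NULL test. Either way, once validity is checked the `!stream` part of the following condition is redundant and the two could be folded into one condition.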
-- 
2.54.0



* [PATCH BlueZ v3 3/5] shared/bap: Don't transition to IDLE inside bap_bcast_set_state
  2026-06-29 14:26 [PATCH BlueZ v3 1/5] bass: Fix possible crash on bass_update_bis_sync Luiz Augusto von Dentz
  2026-06-29 14:26 ` [PATCH BlueZ v3 2/5] shared/bap: Check if stream is valid before attempting to release Luiz Augusto von Dentz
@ 2026-06-29 14:26 ` Luiz Augusto von Dentz
  2026-06-29 14:26 ` [PATCH BlueZ v3 4/5] shared/bap: Use queue_foreach to notify state changes Luiz Augusto von Dentz
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 6+ messages in thread
From: Luiz Augusto von Dentz @ 2026-06-29 14:26 UTC (permalink / raw)
  To: linux-bluetooth

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

Remove the recursive stream_set_state(IDLE) call from the RELEASING
case in bap_bcast_set_state. This call re-entered bap_bcast_set_state
while the state_cbs queue was still being iterated, causing a
use-after-free if a callback unregistered itself during notification.
---
 src/shared/bap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/shared/bap.c b/src/shared/bap.c
index 9dd07bc5f2e2..6086924a9cb7 100644
--- a/src/shared/bap.c
+++ b/src/shared/bap.c
@@ -2436,7 +2436,6 @@ static void bap_bcast_set_state(struct bt_bap_stream *stream, uint8_t state)
 		break;
 	case BT_ASCS_ASE_STATE_RELEASING:
 		bap_stream_io_detach(stream);
-		stream_set_state(stream, BT_BAP_STREAM_STATE_IDLE);
 		break;
 	case BT_ASCS_ASE_STATE_ENABLING:
 		if (bt_bap_stream_get_io(stream))
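Review bot: with the IDLE transition dropped from `case BT_ASCS_ASE_STATE_RELEASING:`, bap_bcast_set_state no longer completes a release on its own, so any caller that sets RELEASING without going through bap_bcast_release will leave the stream parked in RELEASING. A one-line comment at that case stating that the caller is now responsible for the follow-up IDLE transition would make the new contract visible to the next person touching this state machine.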
@@ -2579,6 +2578,7 @@ static unsigned int bap_bcast_release(struct bt_bap_stream *stream,
 					void *user_data)
 {
 	stream_set_state(stream, BT_BAP_STREAM_STATE_RELEASING);
+	stream_set_state(stream, BT_BAP_STREAM_STATE_IDLE);
 
 	return 1;
 }
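Review bot: the two consecutive stream_set_state calls do remove the re-entrancy, but the second call (`stream_set_state(stream, BT_BAP_STREAM_STATE_IDLE);`) dereferences stream after every registered callback has already been notified of RELEASING. If a callback unrefs or frees the stream during that notification (the scenario the commit message describes), the IDLE transition becomes a use-after-free of a different kind. Suggest checking the stream is still valid between the two calls (as bt_bap_stream_release now does via bap_stream_valid in patch 2/5) or holding a reference across both calls.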
-- 
2.54.0



* [PATCH BlueZ v3 4/5] shared/bap: Use queue_foreach to notify state changes
  2026-06-29 14:26 [PATCH BlueZ v3 1/5] bass: Fix possible crash on bass_update_bis_sync Luiz Augusto von Dentz
  2026-06-29 14:26 ` [PATCH BlueZ v3 2/5] shared/bap: Check if stream is valid before attempting to release Luiz Augusto von Dentz
  2026-06-29 14:26 ` [PATCH BlueZ v3 3/5] shared/bap: Don't transition to IDLE inside bap_bcast_set_state Luiz Augusto von Dentz
@ 2026-06-29 14:26 ` Luiz Augusto von Dentz
  2026-06-29 17:37 ` [BlueZ,v3,1/5] bass: Fix possible crash on bass_update_bis_sync bluez.test.bot
  2026-06-30 20:32 ` [PATCH BlueZ v3 1/5] " patchwork-bot+bluetooth
  4 siblings, 0 replies; 6+ messages in thread
From: Luiz Augusto von Dentz @ 2026-06-29 14:26 UTC (permalink / raw)
  To: linux-bluetooth

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

Use queue_foreach to notify state changes since that is considered
safer as it does attempt to detect list modification while traversing
the list.
---
 src/shared/bap.c | 37 ++++++++++++++++++++-----------------
 1 file changed, 20 insertions(+), 17 deletions(-)

diff --git a/src/shared/bap.c b/src/shared/bap.c
index 6086924a9cb7..7bcf28bcefe4 100644
--- a/src/shared/bap.c
+++ b/src/shared/bap.c
@@ -1447,10 +1447,19 @@ static bool bap_stream_io_detach(struct bt_bap_stream *stream)
 	return true;
 }
 
+static void stream_state_changed(void *data, void *user_data)
+{
+	const struct bt_bap_state *state = data;
+	struct bt_bap_stream *stream = user_data;
+
+	if (state->func)
+		state->func(stream, stream->old_state, stream->state,
+							state->data);
+}
+
 static void bap_stream_state_changed(struct bt_bap_stream *stream)
 {
 	struct bt_bap *bap = stream->bap;
-	const struct queue_entry *entry;
 
 	/* Pre notification updates */
 	switch (stream->ep->state) {
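Review bot: stream_state_changed reads `stream->old_state` and `stream->state`, whereas the unicast loop it replaces read `stream->ep->old_state` and `stream->ep->state`. The helper is therefore only correct if every caller copies the endpoint state into the stream before calling queue_foreach; a short comment on the helper stating that precondition would make the coupling explicit for future callers.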
@@ -1475,14 +1484,13 @@ static void bap_stream_state_changed(struct bt_bap_stream *stream)
 		break;
 	}
 
-	for (entry = queue_get_entries(bap->state_cbs); entry;
-							entry = entry->next) {
-		struct bt_bap_state *state = entry->data;
+	stream->old_state = stream->ep->old_state;
+	stream->state = stream->ep->state;
 
-		if (state->func)
-			state->func(stream, stream->ep->old_state,
-					stream->ep->state, state->data);
-	}
+	/* Notify callbacks using queue_foreach since it does attempt to
+	 * protect against concurrent modifications to the list.
+	 */
+	queue_foreach(bap->state_cbs, stream_state_changed, stream);
 
 	/* Post notification updates */
 	switch (stream->ep->state) {
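Review bot: the added comment says queue_foreach protects against "concurrent modifications to the list", but nothing here runs concurrently; the hazard being addressed is a callback unregistering itself (modifying state_cbs) from within the notification, i.e. re-entrant modification. Suggest "modifications made from within a callback" so readers do not go looking for a locking scheme. Also note that the two new assignments `stream->old_state = stream->ep->old_state;` / `stream->state = stream->ep->state;` are a side effect beyond notification; if anything else consumes those fields on the unicast path, that is worth a mention in the commit message.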
@@ -2407,7 +2415,6 @@ static unsigned int bap_ucast_release(struct bt_bap_stream *stream,
 static void bap_bcast_set_state(struct bt_bap_stream *stream, uint8_t state)
 {
 	struct bt_bap *bap = stream->bap;
-	const struct queue_entry *entry;
 
 	stream->old_state = stream->state;
 	stream->state = state;
@@ -2419,14 +2426,10 @@ static void bap_bcast_set_state(struct bt_bap_stream *stream, uint8_t state)
 			bt_bap_stream_statestr(stream->old_state),
 			bt_bap_stream_statestr(stream->state));
 
-	for (entry = queue_get_entries(bap->state_cbs); entry;
-							entry = entry->next) {
-		struct bt_bap_state *state = entry->data;
-
-		if (state->func)
-			state->func(stream, stream->old_state,
-					stream->state, state->data);
-	}
+	/* Notify callbacks using queue_foreach since it does attempt to
+	 * protect against concurrent modifications to the list.
+	 */
+	queue_foreach(bap->state_cbs, stream_state_changed, stream);
 
 	/* Post notification updates */
 	switch (stream->state) {
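Review bot: duplicated comment: the three-line "Notify callbacks using queue_foreach since it does attempt to protect against concurrent modifications to the list" comment here is identical to the one added in bap_stream_state_changed. Keep the rationale once, above the stream_state_changed helper, and drop it from both call sites; otherwise the two copies will drift apart over time.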
-- 
2.54.0



* RE: [BlueZ,v3,1/5] bass: Fix possible crash on bass_update_bis_sync
  2026-06-29 14:26 [PATCH BlueZ v3 1/5] bass: Fix possible crash on bass_update_bis_sync Luiz Augusto von Dentz
                   ` (2 preceding siblings ...)
  2026-06-29 14:26 ` [PATCH BlueZ v3 4/5] shared/bap: Use queue_foreach to notify state changes Luiz Augusto von Dentz
@ 2026-06-29 17:37 ` bluez.test.bot
  2026-06-30 20:32 ` [PATCH BlueZ v3 1/5] " patchwork-bot+bluetooth
  4 siblings, 0 replies; 6+ messages in thread
From: bluez.test.bot @ 2026-06-29 17:37 UTC (permalink / raw)
  To: linux-bluetooth, luiz.dentz


This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1118322

---Test result---

Test Summary:
CheckPatch                    PASS      4.37 seconds
GitLint                       PASS      2.74 seconds
BuildEll                      PASS      20.52 seconds
BluezMake                     PASS      528.64 seconds
MakeCheck                     PASS      15.00 seconds
MakeDistcheck                 PASS      155.99 seconds
CheckValgrind                 PASS      206.07 seconds
CheckSmatch                   WARNING   306.66 seconds
bluezmakeextell               PASS      100.00 seconds
IncrementalBuild              PASS      586.32 seconds
ScanBuild                     PASS      949.69 seconds

Details
##############################
Test: CheckSmatch - WARNING
Desc: Run smatch tool with source
Output:
src/shared/bap.c:317:25: warning: array of flexible structures
src/shared/bap.c: note: in included file:
./src/shared/ascs.h:88:25: warning: array of flexible structures


https://github.com/bluez/bluez/pull/2257

---
Regards,
Linux Bluetooth



* Re: [PATCH BlueZ v3 1/5] bass: Fix possible crash on bass_update_bis_sync
  2026-06-29 14:26 [PATCH BlueZ v3 1/5] bass: Fix possible crash on bass_update_bis_sync Luiz Augusto von Dentz
                   ` (3 preceding siblings ...)
  2026-06-29 17:37 ` [BlueZ,v3,1/5] bass: Fix possible crash on bass_update_bis_sync bluez.test.bot
@ 2026-06-30 20:32 ` patchwork-bot+bluetooth
  4 siblings, 0 replies; 6+ messages in thread
From: patchwork-bot+bluetooth @ 2026-06-30 20:32 UTC (permalink / raw)
  To: Luiz Augusto von Dentz; +Cc: linux-bluetooth

Hello:

This series was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Mon, 29 Jun 2026 10:26:45 -0400 you wrote:
> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> 
> bass_update_bis_sync does use bass_remove_bis which may end up
> removing the current entry causing a crash on entry->next, to avoid
> that prefetch the next entry.
> ---
>  profiles/audio/bass.c | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)

Here is the summary with links:
  - [BlueZ,v3,1/5] bass: Fix possible crash on bass_update_bis_sync
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=27a4c48b0481
  - [BlueZ,v3,2/5] shared/bap: Check if stream is valid before attempting to release
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=2262e3715649
  - [BlueZ,v3,3/5] shared/bap: Don't transition to IDLE inside bap_bcast_set_state
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=c0fec57e9fa2
  - [BlueZ,v3,4/5] shared/bap: Use queue_foreach to notify state changes
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=a9b6c8a2ea62
  - [BlueZ,v3,5/5] shared/bap: Protect bap_stream_notify_connecting
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=a2c7bc03b759

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



