* [PATCH] Fix crash when acquiring a2dp stream
@ 2011-03-30 12:32 Luiz Augusto von Dentz
2011-03-30 16:44 ` Johan Hedberg
0 siblings, 1 reply; 2+ messages in thread
From: Luiz Augusto von Dentz @ 2011-03-30 12:32 UTC (permalink / raw)
To: linux-bluetooth
From: Luiz Augusto von Dentz <luiz.dentz-von@nokia.com>
Disconnecting l2cap before getting a response for avdtp start cause a
crash while we try to abort it:
avdtp_sep_set_state (session=0x9c210, sep=0x9ada0, state=AVDTP_STATE_IDLE)
0x000256dc in connection_lost (session=0x9c210, err=-5)
0x00025d44 in cancel_request (session=0x9c210, err=-5)
0x00026a98 in avdtp_abort (session=0x9c210, stream=0x9bee8)
0x00020e74 in a2dp_cancel (dev=<value optimized out>, id=<value optimized out>)
0x0002d5b4 in acquire_request_free (req=0x9b1a0)
0x0002d638 in media_owner_remove (owner=0x9a4a0)
0x0002da94 in media_transport_free (data=<value optimized out>)
0x000115a0 in remove_interface (data=0xa1f88, name=<value optimized out>)
0x0002e2a0 in media_transport_remove (transport=0x8fad8)
0x0002c624 in media_endpoint_clear_configuration (endpoint=0x9b098)
0x000260c8 in avdtp_sep_set_state (session=0x9c210, sep=0x9ada0, state=AVDTP_STATE_IDLE)
To fix this callbacks are called after handling the state change, so
any pending request are properly removed before state is set to idle.
---
audio/avdtp.c | 14 ++++++++------
audio/transport.c | 12 +-----------
2 files changed, 9 insertions(+), 17 deletions(-)
diff --git a/audio/avdtp.c b/audio/avdtp.c
index 83b1aa2..23281ac 100644
--- a/audio/avdtp.c
+++ b/audio/avdtp.c
@@ -1050,11 +1050,6 @@ static void avdtp_sep_set_state(struct avdtp *session,
old_state = sep->state;
sep->state = state;
- for (l = stream->callbacks; l != NULL; l = g_slist_next(l)) {
- struct stream_callback *cb = l->data;
- cb->cb(stream, old_state, state, err_ptr, cb->user_data);
- }
-
switch (state) {
case AVDTP_STATE_CONFIGURED:
if (sep->info.type == AVDTP_SEP_TYPE_SINK)
@@ -1086,11 +1081,18 @@ static void avdtp_sep_set_state(struct avdtp *session,
handle_unanswered_req(session, stream);
/* Remove pending commands for this stream from the queue */
cleanup_queue(session, stream);
- stream_free(stream);
break;
default:
break;
}
+
+ for (l = stream->callbacks; l != NULL; l = g_slist_next(l)) {
+ struct stream_callback *cb = l->data;
+ cb->cb(stream, old_state, state, err_ptr, cb->user_data);
+ }
+
+ if (state == AVDTP_STATE_IDLE)
+ stream_free(stream);
}
static void finalize_discovery(struct avdtp *session, int err)
diff --git a/audio/transport.c b/audio/transport.c
index 8ff6c85..aa3308d 100644
--- a/audio/transport.c
+++ b/audio/transport.c
@@ -224,15 +224,6 @@ static gboolean media_transport_set_fd(struct media_transport *transport,
return TRUE;
}
-static gboolean remove_owner(gpointer data)
-{
- struct media_owner *owner = data;
-
- media_transport_remove(owner->transport, owner);
-
- return FALSE;
-}
-
static void a2dp_resume_complete(struct avdtp *session,
struct avdtp_error *err, void *user_data)
{
@@ -279,8 +270,7 @@ static void a2dp_resume_complete(struct avdtp *session,
return;
fail:
- /* Let the stream state change before removing the owner */
- g_idle_add(remove_owner, owner);
+ media_transport_remove(transport, owner);
}
static guint resume_a2dp(struct media_transport *transport,
--
1.7.1
^ permalink raw reply related [flat|nested] 2+ messages in thread* Re: [PATCH] Fix crash when acquiring a2dp stream
2011-03-30 12:32 [PATCH] Fix crash when acquiring a2dp stream Luiz Augusto von Dentz
@ 2011-03-30 16:44 ` Johan Hedberg
0 siblings, 0 replies; 2+ messages in thread
From: Johan Hedberg @ 2011-03-30 16:44 UTC (permalink / raw)
To: Luiz Augusto von Dentz; +Cc: linux-bluetooth
Hi Luiz,
On Wed, Mar 30, 2011, Luiz Augusto von Dentz wrote:
> Disconnecting l2cap before getting a response for avdtp start cause a
> crash while we try to abort it:
>
> avdtp_sep_set_state (session=0x9c210, sep=0x9ada0, state=AVDTP_STATE_IDLE)
> 0x000256dc in connection_lost (session=0x9c210, err=-5)
> 0x00025d44 in cancel_request (session=0x9c210, err=-5)
> 0x00026a98 in avdtp_abort (session=0x9c210, stream=0x9bee8)
> 0x00020e74 in a2dp_cancel (dev=<value optimized out>, id=<value optimized out>)
> 0x0002d5b4 in acquire_request_free (req=0x9b1a0)
> 0x0002d638 in media_owner_remove (owner=0x9a4a0)
> 0x0002da94 in media_transport_free (data=<value optimized out>)
> 0x000115a0 in remove_interface (data=0xa1f88, name=<value optimized out>)
> 0x0002e2a0 in media_transport_remove (transport=0x8fad8)
> 0x0002c624 in media_endpoint_clear_configuration (endpoint=0x9b098)
> 0x000260c8 in avdtp_sep_set_state (session=0x9c210, sep=0x9ada0, state=AVDTP_STATE_IDLE)
>
> To fix this callbacks are called after handling the state change, so
> any pending request are properly removed before state is set to idle.
> ---
> audio/avdtp.c | 14 ++++++++------
> audio/transport.c | 12 +-----------
> 2 files changed, 9 insertions(+), 17 deletions(-)
Pushed upstream. Thanks.
Johan
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2011-03-30 16:44 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-03-30 12:32 [PATCH] Fix crash when acquiring a2dp stream Luiz Augusto von Dentz
2011-03-30 16:44 ` Johan Hedberg
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox