* [PATCH BlueZ v3 1/5] bass: Fix possible crash on bass_update_bis_sync
@ 2026-06-29 14:26 Luiz Augusto von Dentz
From: Luiz Augusto von Dentz @ 2026-06-29 14:26 UTC (permalink / raw)
To: linux-bluetooth
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
bass_update_bis_sync does use bass_remove_bis, which may end up
removing the current entry, causing a crash on entry->next; to avoid
that, prefetch the next entry.
---
profiles/audio/bass.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/profiles/audio/bass.c b/profiles/audio/bass.c
index a5ef80fbc835..533d45babfeb 100644
--- a/profiles/audio/bass.c
+++ b/profiles/audio/bass.c
@@ -2014,11 +2014,15 @@ static void bass_update_bis_sync(struct bass_delegator *dg,
const struct queue_entry *entry;
/* Check if existing setups if BIS needs to be added/removed */
- for (entry = queue_get_entries(dg->setups); entry;
- entry = entry->next) {
+ for (entry = queue_get_entries(dg->setups); entry;) {
struct bass_setup *setup = entry->data;
uint8_t state;
+ /* Prefetch next entry since the likes of bass_remove_bis can
+ * end up removing the next entry.
+ */
+ entry = entry->next;
+
state = bt_bap_stream_get_state(setup->stream);
DBG("stream %p: BIS %d state %s(%u)", setup->stream, setup->bis,
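Review bot: the new comment ("can end up removing the next entry") contradicts the commit message, which says bass_remove_bis may remove the *current* entry; prefetching `entry = entry->next;` only helps in the latter case, because if the next setup were really the one removed the prefetched pointer would now be dangling. Suggest rewording the comment to "can end up removing the current entry", or, if setups other than the current one can be removed during this loop, switching to a traversal that tolerates that (for example a queue_foreach-based walk) rather than a manual prefetch.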
--
2.54.0
* [PATCH BlueZ v3 2/5] shared/bap: Check if stream is valid before attempting to release
From: Luiz Augusto von Dentz @ 2026-06-29 14:26 UTC (permalink / raw)
To: linux-bluetooth
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
bt_bap_stream_release shall check if the stream is still valid before
attempting to release it just as done with other operations.
---
src/shared/bap.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/shared/bap.c b/src/shared/bap.c
index 6f2f4fc11f7c..9dd07bc5f2e2 100644
--- a/src/shared/bap.c
+++ b/src/shared/bap.c
@@ -6727,6 +6727,9 @@ unsigned int bt_bap_stream_release(struct bt_bap_stream *stream,
unsigned int id;
struct bt_bap *bap;
+ if (!bap_stream_valid(stream))
+ return 0;
+
if (!stream || !stream->ops || !stream->ops->release)
return 0;
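Review bot: the added `if (!bap_stream_valid(stream))` sits before the existing `if (!stream || !stream->ops || !stream->ops->release)` check, so bap_stream_valid is now the first thing to see a possibly NULL stream; if it tolerates NULL, the `!stream` clause below becomes dead code and can be dropped, and if it does not, the two checks should be swapped. A one-line comment stating the intended order would avoid a later reader "fixing" it either way.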
--
2.54.0
* [PATCH BlueZ v3 3/5] shared/bap: Don't transition to IDLE inside bap_bcast_set_state
From: Luiz Augusto von Dentz @ 2026-06-29 14:26 UTC (permalink / raw)
To: linux-bluetooth
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Remove the recursive stream_set_state(IDLE) call from the RELEASING
case in bap_bcast_set_state. This call re-entered bap_bcast_set_state
while the state_cbs queue was still being iterated, causing a
use-after-free if a callback unregistered itself during notification.
---
src/shared/bap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/shared/bap.c b/src/shared/bap.c
index 9dd07bc5f2e2..6086924a9cb7 100644
--- a/src/shared/bap.c
+++ b/src/shared/bap.c
@@ -2436,7 +2436,6 @@ static void bap_bcast_set_state(struct bt_bap_stream *stream, uint8_t state)
break;
case BT_ASCS_ASE_STATE_RELEASING:
bap_stream_io_detach(stream);
- stream_set_state(stream, BT_BAP_STREAM_STATE_IDLE);
break;
case BT_ASCS_ASE_STATE_ENABLING:
if (bt_bap_stream_get_io(stream))
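Review bot: dropping `stream_set_state(stream, BT_BAP_STREAM_STATE_IDLE);` from the RELEASING case means bap_bcast_set_state no longer guarantees that RELEASING is followed by IDLE; the commit message should say that bap_bcast_release is the only path that drives a broadcast stream to RELEASING, because any other caller setting that state would now leave the stream stuck in RELEASING with its io already detached.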
@@ -2579,6 +2578,7 @@ static unsigned int bap_bcast_release(struct bt_bap_stream *stream,
void *user_data)
{
stream_set_state(stream, BT_BAP_STREAM_STATE_RELEASING);
+ stream_set_state(stream, BT_BAP_STREAM_STATE_IDLE);
return 1;
}
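Review bot: issuing the RELEASING and IDLE transitions back to back from bap_bcast_release does avoid re-entering the state_cbs iteration, but the second `stream_set_state(stream, BT_BAP_STREAM_STATE_IDLE);` dereferences stream after every RELEASING callback has run; since the commit message says callbacks may unregister themselves during notification, please either state why the stream itself is guaranteed to outlive the RELEASING notification or guard the IDLE transition with a validity check, as patch 2/5 does for bt_bap_stream_release.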
--
2.54.0
* [PATCH BlueZ v3 4/5] shared/bap: Use queue_foreach to notify state changes
From: Luiz Augusto von Dentz @ 2026-06-29 14:26 UTC (permalink / raw)
To: linux-bluetooth
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Use queue_foreach to notify state changes since that is considered
safer as it does attempt to detect list modification while traversing
the list.
---
src/shared/bap.c | 37 ++++++++++++++++++++-----------------
1 file changed, 20 insertions(+), 17 deletions(-)
diff --git a/src/shared/bap.c b/src/shared/bap.c
index 6086924a9cb7..7bcf28bcefe4 100644
--- a/src/shared/bap.c
+++ b/src/shared/bap.c
@@ -1447,10 +1447,19 @@ static bool bap_stream_io_detach(struct bt_bap_stream *stream)
return true;
}
+static void stream_state_changed(void *data, void *user_data)
+{
+ const struct bt_bap_state *state = data;
+ struct bt_bap_stream *stream = user_data;
+
+ if (state->func)
+ state->func(stream, stream->old_state, stream->state,
+ state->data);
+}
+
static void bap_stream_state_changed(struct bt_bap_stream *stream)
{
struct bt_bap *bap = stream->bap;
- const struct queue_entry *entry;
/* Pre notification updates */
switch (stream->ep->state) {
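Review bot: stream_state_changed reads `stream->old_state` and `stream->state` rather than the endpoint fields the old loop used, so it silently depends on every caller having populated those two fields before queue_foreach runs; a short comment on the helper stating that contract would make it explicit, and naming the `struct bt_bap_state *` parameter `state` invites confusion with the stream state values passed to `state->func` on the next lines (something like `cb` would read better).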
@@ -1475,14 +1484,13 @@ static void bap_stream_state_changed(struct bt_bap_stream *stream)
break;
}
- for (entry = queue_get_entries(bap->state_cbs); entry;
- entry = entry->next) {
- struct bt_bap_state *state = entry->data;
+ stream->old_state = stream->ep->old_state;
+ stream->state = stream->ep->state;
- if (state->func)
- state->func(stream, stream->ep->old_state,
- stream->ep->state, state->data);
- }
+ /* Notify callbacks using queue_foreach since it does attempt to
+ * protect against concurrent modifications to the list.
+ */
+ queue_foreach(bap->state_cbs, stream_state_changed, stream);
/* Post notification updates */
switch (stream->ep->state) {
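Review bot: `stream->old_state = stream->ep->old_state;` and `stream->state = stream->ep->state;` start maintaining a copy of the endpoint state on unicast streams, which before this patch only the broadcast path kept; worth a sentence in the commit message, since any code reading stream->state for a unicast stream will now see a value that is refreshed only at notification time rather than the live ep->state.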
@@ -2407,7 +2415,6 @@ static unsigned int bap_ucast_release(struct bt_bap_stream *stream,
static void bap_bcast_set_state(struct bt_bap_stream *stream, uint8_t state)
{
struct bt_bap *bap = stream->bap;
- const struct queue_entry *entry;
stream->old_state = stream->state;
stream->state = state;
@@ -2419,14 +2426,10 @@ static void bap_bcast_set_state(struct bt_bap_stream *stream, uint8_t state)
bt_bap_stream_statestr(stream->old_state),
bt_bap_stream_statestr(stream->state));
- for (entry = queue_get_entries(bap->state_cbs); entry;
- entry = entry->next) {
- struct bt_bap_state *state = entry->data;
-
- if (state->func)
- state->func(stream, stream->old_state,
- stream->state, state->data);
- }
+ /* Notify callbacks using queue_foreach since it does attempt to
+ * protect against concurrent modifications to the list.
+ */
+ queue_foreach(bap->state_cbs, stream_state_changed, stream);
/* Post notification updates */
switch (stream->state) {
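Review bot: the comment "queue_foreach ... does attempt to protect against concurrent modifications to the list" should say precisely what is guarded (a callback removing its own entry, or the queue being destroyed mid-traversal), so readers do not assume it also covers a callback removing some other entry; the same wording is duplicated in the bap_stream_state_changed hunk above, so one precise sentence placed on stream_state_changed would serve both call sites.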
--
2.54.0
* RE: [BlueZ,v3,1/5] bass: Fix possible crash on bass_update_bis_sync
From: bluez.test.bot @ 2026-06-29 17:37 UTC (permalink / raw)
To: linux-bluetooth, luiz.dentz
This is an automated email; please do not reply to it!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1118322
---Test result---
Test Summary:
CheckPatch PASS 4.37 seconds
GitLint PASS 2.74 seconds
BuildEll PASS 20.52 seconds
BluezMake PASS 528.64 seconds
MakeCheck PASS 15.00 seconds
MakeDistcheck PASS 155.99 seconds
CheckValgrind PASS 206.07 seconds
CheckSmatch WARNING 306.66 seconds
bluezmakeextell PASS 100.00 seconds
IncrementalBuild PASS 586.32 seconds
ScanBuild PASS 949.69 seconds
Details
##############################
Test: CheckSmatch - WARNING
Desc: Run smatch tool with source
Output:
src/shared/bap.c:317:25: warning: array of flexible structures
src/shared/bap.c: note: in included file:
./src/shared/ascs.h:88:25: warning: array of flexible structures
https://github.com/bluez/bluez/pull/2257
---
Regards,
Linux Bluetooth
* Re: [PATCH BlueZ v3 1/5] bass: Fix possible crash on bass_update_bis_sync
From: patchwork-bot+bluetooth @ 2026-06-30 20:32 UTC (permalink / raw)
To: Luiz Augusto von Dentz; +Cc: linux-bluetooth
Hello:
This series was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Mon, 29 Jun 2026 10:26:45 -0400 you wrote:
> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
>
> bass_update_bis_sync does use bass_remove_bis which may end up
> removing the current entry causing a crash on entry->next, to avoid
> that prefetch the next entry.
> ---
> profiles/audio/bass.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
Here is the summary with links:
- [BlueZ,v3,1/5] bass: Fix possible crash on bass_update_bis_sync
https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=27a4c48b0481
- [BlueZ,v3,2/5] shared/bap: Check if stream is valid before attempting to release
https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=2262e3715649
- [BlueZ,v3,3/5] shared/bap: Don't transition to IDLE inside bap_bcast_set_state
https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=c0fec57e9fa2
- [BlueZ,v3,4/5] shared/bap: Use queue_foreach to notify state changes
https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=a9b6c8a2ea62
- [BlueZ,v3,5/5] shared/bap: Protect bap_stream_notify_connecting
https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=a2c7bc03b759
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html