* [PATCH BlueZ v3] bap: don't pass in stream's own metadata to enable()
@ 2025-06-20 20:42 Pauli Virtanen
2025-06-20 21:10 ` patchwork-bot+bluetooth
2025-06-20 22:07 ` [BlueZ,v3] " bluez.test.bot
0 siblings, 2 replies; 3+ messages in thread
From: Pauli Virtanen @ 2025-06-20 20:42 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Pauli Virtanen
Stream-owned metadata pointers may be invalidated in bt_bap_stream
operations. Just pass in NULL to keep the current value.
Fixes:
ERROR: AddressSanitizer: heap-use-after-free
READ of size 8 at 0x7b86a76f5d18 thread T0
#0 0x000000836745 in util_iov_dup src/shared/util.c:353
#1 0x0000008ea96b in bap_stream_metadata src/shared/bap.c:1991
#2 0x0000008ebfbe in bap_ucast_enable src/shared/bap.c:2072
#3 0x0000009226e7 in bt_bap_stream_enable src/shared/bap.c:6392
#4 0x00000044037d in transport_bap_resume profiles/audio/transport.c:1981
freed by thread T0 here:
#0 0x7f66a92e5bcb in free.part.0 (/lib64/libasan.so.8+0xe5bcb)
#1 0x000000837002 in util_iov_free src/shared/util.c:392
#2 0x0000008ea94e in bap_stream_metadata src/shared/bap.c:1990
#3 0x0000008ebfbe in bap_ucast_enable src/shared/bap.c:2072
---
Notes:
The other option is to specify semantics as in v1. In that case,
because other bt_bap functions invalidate only if util_iov_memcmp() is
different, it's best that it's the same and not only pointer comparison.
profiles/audio/transport.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/profiles/audio/transport.c b/profiles/audio/transport.c
index 9bf3b47ee..4800570d9 100644
--- a/profiles/audio/transport.c
+++ b/profiles/audio/transport.c
@@ -1957,7 +1957,6 @@ static guint transport_bap_resume(struct media_transport *transport,
struct media_owner *owner)
{
struct bap_transport *bap = transport->data;
- struct iovec *meta;
guint id;
if (!bap->stream)
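Review bot: removing the `struct iovec *meta;` declaration here is the right companion to dropping its only assignment in the following hunk; leaving it would produce an unused-variable warning under -Wall and, more importantly, would leave a tempting local for a future caller to re-wire into the same aliasing pattern that the commit message's ASan trace shows (`util_iov_free` of the stream's metadata followed by `util_iov_dup` of the pointer that was just freed).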
@@ -1977,8 +1976,7 @@ static guint transport_bap_resume(struct media_transport *transport,
return bap->resume_id;
}
- meta = bt_bap_stream_get_metadata(bap->stream);
- id = bt_bap_stream_enable(bap->stream, bap->linked, meta,
+ id = bt_bap_stream_enable(bap->stream, bap->linked, NULL,
bap_enable_complete, owner);
if (!id)
return 0;
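Review bot: the fix relies on bt_bap_stream_enable() treating a NULL metadata argument as "keep the current value" (`id = bt_bap_stream_enable(bap->stream, bap->linked, NULL,`), but nothing in this hunk records that contract, so a later caller can reintroduce the heap-use-after-free by handing the stream's own `bt_bap_stream_get_metadata()` result back in. Suggest stating the NULL semantics in the bt_bap_stream_enable() doc comment, and, as the author's own Notes section mentions for the v1 approach, considering a guard in bap_stream_metadata() that makes passing the stream's own metadata a no-op (compare contents with util_iov_memcmp(), not only the pointer, since other bt_bap functions invalidate on content difference) so the callee is safe regardless of caller discipline.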
--
2.49.0
* Re: [PATCH BlueZ v3] bap: don't pass in stream's own metadata to enable()
From: patchwork-bot+bluetooth @ 2025-06-20 21:10 UTC (permalink / raw)
To: Pauli Virtanen; +Cc: linux-bluetooth
Hello:
This patch was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Fri, 20 Jun 2025 23:42:48 +0300 you wrote:
> Stream owned metadata pointers may be invalidated in bt_bap_stream
> operations. Just pass in NULL to keep the current value.
>
> Fixes:
>
> ERROR: AddressSanitizer: heap-use-after-free
> READ of size 8 at 0x7b86a76f5d18 thread T0
> #0 0x000000836745 in util_iov_dup src/shared/util.c:353
> #1 0x0000008ea96b in bap_stream_metadata src/shared/bap.c:1991
> #2 0x0000008ebfbe in bap_ucast_enable src/shared/bap.c:2072
> #3 0x0000009226e7 in bt_bap_stream_enable src/shared/bap.c:6392
> #4 0x00000044037d in transport_bap_resume profiles/audio/transport.c:1981
> freed by thread T0 here:
> #0 0x7f66a92e5bcb in free.part.0 (/lib64/libasan.so.8+0xe5bcb)
> #1 0x000000837002 in util_iov_free src/shared/util.c:392
> #2 0x0000008ea94e in bap_stream_metadata src/shared/bap.c:1990
> #3 0x0000008ebfbe in bap_ucast_enable src/shared/bap.c:2072
>
> [...]
Here is the summary with links:
- [BlueZ,v3] bap: don't pass in stream's own metadata to enable()
https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=01f3ef3cd9d6
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
* RE: [BlueZ,v3] bap: don't pass in stream's own metadata to enable()
From: bluez.test.bot @ 2025-06-20 22:07 UTC (permalink / raw)
To: linux-bluetooth, pav
This is an automated email; please do not reply to it!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=974407
---Test result---
Test Summary:
CheckPatch PENDING 0.25 seconds
GitLint PENDING 0.23 seconds
BuildEll PASS 21.27 seconds
BluezMake PASS 2699.55 seconds
MakeCheck PASS 20.55 seconds
MakeDistcheck PASS 200.82 seconds
CheckValgrind PASS 276.34 seconds
CheckSmatch PASS 305.64 seconds
bluezmakeextell PASS 128.79 seconds
IncrementalBuild PENDING 0.20 seconds
ScanBuild PASS 909.61 seconds
Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:
##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:
##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:
---
Regards,
Linux Bluetooth