* [PATCH BlueZ v1] bass: Fix crash if setup is freed before bass_bcode_req response
@ 2026-02-12 20:57 Luiz Augusto von Dentz
From: Luiz Augusto von Dentz @ 2026-02-12 20:57 UTC
  To: linux-bluetooth

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

If the stream is set to idle (e.g. because the endpoint is
unregistered), the bass_bcode_req would be left with a dangling
pointer, possibly leading to a crash if the remote peer responds or
the request times out.
---
 profiles/audio/bass.c | 42 ++++++++++++++++++++++++++++++++++++------
 1 file changed, 36 insertions(+), 6 deletions(-)

diff --git a/profiles/audio/bass.c b/profiles/audio/bass.c
index 031f527be9f5..9c8046dad99b 100644
--- a/profiles/audio/bass.c
+++ b/profiles/audio/bass.c
@@ -385,6 +385,41 @@ static void delegator_disconnect(struct bass_delegator *dg)
 	}
 }
 
+static bool match_bcode_setup(const void *data, const void *user_data)
+{
+	const struct bass_bcode_req *req = data;
+	const struct bass_setup *setup = user_data;
+
+	return req->setup == setup;
+}
+
+static void setup_clear(struct bass_setup *setup, int bis)
+{
+	struct bass_delegator *dg = setup->dg;
+	struct bass_bcode_req *req;
+
+	DBG("%p", setup);
+
+	bt_bass_clear_bis_sync(dg->src, bis);
+	setup->stream = NULL;
+	queue_remove(setup->dg->setups, setup);
+
+	/* Remove any pending bcode request associated with setup */
+	req = queue_remove_if(dg->bcode_reqs, match_bcode_setup, setup);
+	if (req) {
+		free(req);
+		if (dg->timeout) {
+			g_source_remove(dg->timeout);
+			dg->timeout = 0;
+		}
+	}
+
+	setup_free(setup);
+
+	if (queue_isempty(dg->setups))
+		delegator_disconnect(dg);
+}
+
 static void bap_state_changed(struct bt_bap_stream *stream, uint8_t old_state,
 				uint8_t new_state, void *user_data)
 {
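Review bot: in setup_clear(), the block `if (dg->timeout) { g_source_remove(dg->timeout); dg->timeout = 0; }` cancels the timer as soon as one request for this setup is removed, but the timer is stored on the delegator (dg->timeout), not on the request, so any other entries still in dg->bcode_reqs lose their timeout; consider cancelling it only when queue_isempty(dg->bcode_reqs), or re-arming it for the remaining requests. Related: queue_remove_if() drops a single match, so if more than one bcode request can be queued for the same setup the rest would still carry a stale req->setup; a queue_remove_all() with free as the destroy callback would cover that case. Minor: `queue_remove(setup->dg->setups, setup);` can use the local dg for consistency with the surrounding lines.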
@@ -474,12 +509,7 @@ static void bap_state_changed(struct bt_bap_stream *stream, uint8_t old_state,
 			bt_bass_clear_bis_sync(dg->src, bis);
 		break;
 	case BT_BAP_STREAM_STATE_IDLE:
-		bt_bass_clear_bis_sync(dg->src, bis);
-		setup->stream = NULL;
-		queue_remove(setup->dg->setups, setup);
-		setup_free(setup);
-		if (queue_isempty(dg->setups))
-			delegator_disconnect(dg);
+		setup_clear(setup, bis);
 		break;
 	}
 }
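Review bot: the commit message attributes the crash to the stale req->setup pointer, and this hunk only moves the IDLE cleanup into setup_clear(), which now also frees the request; the response and timeout handlers that used to dereference it are not in the diff, so it is not visible here that they look the request up through dg->bcode_reqs rather than through a pointer kept elsewhere. A sentence in the commit message (or a short comment next to `setup_clear(setup, bis);`) stating how those paths find the request would let reviewers confirm that freeing it here does not simply move the dangling pointer.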
-- 
2.52.0



* RE: [BlueZ,v1] bass: Fix crash if setup is freed before bass_bcode_req response
From: bluez.test.bot @ 2026-02-12 21:50 UTC
  To: linux-bluetooth, luiz.dentz

This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1053680

---Test result---

Test Summary:
CheckPatch                    PENDING   0.35 seconds
GitLint                       PENDING   0.43 seconds
BuildEll                      PASS      20.88 seconds
BluezMake                     PASS      645.63 seconds
MakeCheck                     PASS      18.61 seconds
MakeDistcheck                 PASS      245.36 seconds
CheckValgrind                 PASS      296.80 seconds
CheckSmatch                   PASS      361.71 seconds
bluezmakeextell               PASS      184.54 seconds
IncrementalBuild              PENDING   0.38 seconds
ScanBuild                     PASS      1038.90 seconds

Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:

##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:

##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:



---
Regards,
Linux Bluetooth



* Re: [PATCH BlueZ v1] bass: Fix crash if setup is freed before bass_bcode_req response
From: patchwork-bot+bluetooth @ 2026-02-13 20:20 UTC
  To: Luiz Augusto von Dentz; +Cc: linux-bluetooth

Hello:

This patch was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Thu, 12 Feb 2026 15:57:10 -0500 you wrote:
> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> 
> If the stream is set to idle (e.g. because the endpoint is
> unregistered), the bass_bcode_req would be left with a dangling
> pointer, possibly leading to a crash if the remote peer responds or
> the request times out.
> 
> [...]

Here is the summary with links:
  - [BlueZ,v1] bass: Fix crash if setup is freed before bass_bcode_req response
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=fe0501126ba5

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



