[PATCH BlueZ v2 0/1] Fix use-after-free in BAP broadcast cleanup

[PATCH BlueZ v2 0/1] Fix use-after-free in BAP broadcast cleanup

[Sarveshwar Bajaj]

This fixes a use-after-free crash when broadcast audio sources
disconnect or undergo RPA rotation as reported in issue #1866.

The crash occurs because bap_data_free() was freeing streams before
destroying the broadcast sink setups that still held references to them.

Tested with AddressSanitizer on latest 6.19 kernel with NXPs
controller as broadcast sink and Samsung S23 broadcast source.
No crashes observed with disconnect or RPA rotation after fix.

Changes in v2:
- Use safe cleanup pattern to avoid nested queue operations (Pauli Virtanen)
- Apply fix to both bap_bcast_remove() and bap_bcast_disconnect()

Sarveshwar Bajaj (1):
  bap: Fix use-after-free in broadcast sink cleanup

 profiles/audio/bap.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

-- 
2.51.0

[PATCH BlueZ v2 1/1] bap: Fix use-after-free in broadcast sink cleanup

[Sarveshwar Bajaj]

bap_data_free() was calling bt_bap_detach() before destroying
bcast_snks queue. bt_bap_detach() frees all streams but broadcast
sink setups in bcast_snks queue were still holding pointers to these
streams. When queue_destroy() calls setup_free() as its destructor,
it attempts to access these already-freed stream pointers, causing
a use-after-free.

Fix this by destroying the bcast_snks queue before calling
bt_bap_detach() and ensuring stream references are released
while the streams are still valid.

Used safe cleanup pattern to avoid nested queue operations during
destruction as setup_free()may attempt to remove items from queue
being destroyed.

Crash trace:
  AddressSanitizer: heap-use-after-free
  #0 bt_bap_stream_unlock src/shared/bap.c:6384
  #1 setup_free profiles/audio/bap.c:1123
  #2 queue_destroy src/shared/queue.c:60
  #3 bap_data_free profiles/audio/bap.c:210

https://github.com/bluez/bluez/issues/1866
---
 profiles/audio/bap.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/profiles/audio/bap.c b/profiles/audio/bap.c
index 90a978667..375026440 100644
--- a/profiles/audio/bap.c
+++ b/profiles/audio/bap.c
@@ -3808,6 +3808,7 @@ static void bap_bcast_remove(struct btd_service *service)
 {
 	struct btd_device *device = btd_service_get_device(service);
 	struct bap_data *data;
+	struct queue *bcast_snks;
 	char addr[18];
 
 	ba2str(device_get_address(device), addr);
@@ -3822,6 +3823,13 @@ static void bap_bcast_remove(struct btd_service *service)
 		return;
 	}
 
+	/* Clean up before bis_remove and data_remove */
+	if (data->bcast_snks) {
+		bcast_snks = data->bcast_snks;
+		data->bcast_snks = NULL;
+		queue_destroy(bcast_snks, setup_free);
+	}
+
 	bt_bap_bis_remove(data->bap);
 
 	bap_data_remove(data);
@@ -3929,6 +3937,7 @@ static int bap_disconnect(struct btd_service *service)
 static int bap_bcast_disconnect(struct btd_service *service)
 {
 	struct bap_data *data;
+	struct queue *bcast_snks;
 
 	/* Lookup the bap session for this service since in case of
 	 * bass_delegator its user data is set by bass plugin.
@@ -3938,6 +3947,12 @@ static int bap_bcast_disconnect(struct btd_service *service)
 		error("BAP service not handled by profile");
 		return -EINVAL;
 	}
+	/* Clean up broadcast sinks before detach (like unicast does) */
+	if (data->bcast_snks) {
+		bcast_snks = data->bcast_snks;
+		data->bcast_snks = NULL;
+		queue_destroy(bcast_snks, setup_free);
+	}
 
 	bt_bap_detach(data->bap);
 
-- 
2.51.0

RE: Fix use-after-free in BAP broadcast cleanup

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 1262 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1054177

---Test result---

Test Summary:
CheckPatch                    PENDING   0.45 seconds
GitLint                       PENDING   0.38 seconds
BuildEll                      PASS      20.91 seconds
BluezMake                     PASS      651.67 seconds
MakeCheck                     PASS      18.79 seconds
MakeDistcheck                 PASS      248.06 seconds
CheckValgrind                 PASS      300.04 seconds
CheckSmatch                   PASS      361.86 seconds
bluezmakeextell               PASS      185.00 seconds
IncrementalBuild              PENDING   0.41 seconds
ScanBuild                     PASS      1034.35 seconds

Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:

##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:

##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:



---
Regards,
Linux Bluetooth

Re: [PATCH BlueZ v2 0/1] Fix use-after-free in BAP broadcast cleanup

[patchwork-bot+bluetooth]

Hello:

This patch was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Sat, 14 Feb 2026 21:06:14 +0530 you wrote:
> This fixes a use-after-free crash when broadcast audio sources
> disconnect or undergo RPA rotation as reported in issue #1866.
> 
> The crash occurs because bap_data_free() was freeing streams before
> destroying the broadcast sink setups that still held references to them.
> 
> Tested with AddressSanitizer on latest 6.19 kernel with NXPs
> controller as broadcast sink and Samsung S23 broadcast source.
> No crashes observed with disconnect or RPA rotation after fix.
> 
> [...]

Here is the summary with links:
  - [BlueZ,v2,1/1] bap: Fix use-after-free in broadcast sink cleanup
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=feb4ee9dcd4b

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html

[PATCH BlueZ v1 1/1] bap: Fix use-after-free in broadcast sink cleanup

[Sarveshwar Bajaj]

bap_data_free() was calling bt_bap_detach() before destroying
bcast_snks queue. bt_bap_detach() frees all streams but broadcast
sink setups in bcast_snks queue were still holding pointers to these
streams. When queue_destroy() calls setup_free() as its destructor,
it attempts to access these already-freed stream pointers, causing
a use-after-free.

Fix this by destroying the bcast_snks queue before calling
bt_bap_detach() and ensuring stream references are released while the
streams are still valid. This matches the cleanup order already used
for unicast.

Crash trace:
  AddressSanitizer: heap-use-after-free
  #0 bt_bap_stream_unlock src/shared/bap.c:6384
  #1 setup_free profiles/audio/bap.c:1123
  #2 queue_destroy src/shared/queue.c:60
  #3 bap_data_free profiles/audio/bap.c:210

https://github.com/bluez/bluez/issues/1866
---
 profiles/audio/bap.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/profiles/audio/bap.c b/profiles/audio/bap.c
index 90a978667..9108bf729 100644
--- a/profiles/audio/bap.c
+++ b/profiles/audio/bap.c
@@ -3822,6 +3822,12 @@ static void bap_bcast_remove(struct btd_service *service)
 		return;
 	}
 
+	/* Clean up before bis_remove and data_remove */
+	if (data->bcast_snks) {
+		queue_destroy(data->bcast_snks, setup_free);
+		data->bcast_snks = NULL;
+	}
+
 	bt_bap_bis_remove(data->bap);
 
 	bap_data_remove(data);
@@ -3938,6 +3944,11 @@ static int bap_bcast_disconnect(struct btd_service *service)
 		error("BAP service not handled by profile");
 		return -EINVAL;
 	}
+	/* Clean up broadcast sinks before detach (like unicast does) */
+	if (data->bcast_snks) {
+		queue_destroy(data->bcast_snks, setup_free);
+		data->bcast_snks = NULL;
+	}
 
 	bt_bap_detach(data->bap);
 
-- 
2.51.0

RE: Fix use-after-free in BAP broadcast cleanup

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 1262 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1053982

---Test result---

Test Summary:
CheckPatch                    PENDING   0.34 seconds
GitLint                       PENDING   0.44 seconds
BuildEll                      PASS      21.03 seconds
BluezMake                     PASS      657.97 seconds
MakeCheck                     PASS      18.76 seconds
MakeDistcheck                 PASS      246.97 seconds
CheckValgrind                 PASS      298.14 seconds
CheckSmatch                   PASS      363.40 seconds
bluezmakeextell               PASS      184.16 seconds
IncrementalBuild              PENDING   0.41 seconds
ScanBuild                     PASS      1035.30 seconds

Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:

##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:

##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:



---
Regards,
Linux Bluetooth