public inbox for linux-bluetooth@vger.kernel.org
* [PATCH BlueZ v2] bass: Fix crashing on BT_BASS_MOD_SRC
@ 2026-04-14 19:04 Luiz Augusto von Dentz
  2026-04-14 20:41 ` [BlueZ,v2] " bluez.test.bot
  2026-04-14 22:02 ` bluez.test.bot
  0 siblings, 2 replies; 3+ messages in thread
From: Luiz Augusto von Dentz @ 2026-04-14 19:04 UTC (permalink / raw)
  To: linux-bluetooth

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

If an assistant attempts to modify a source, the code would attempt to
iterate over the whole valid range of BIS indexes, which may lead to the
following trace since the delegator may be freed in the process:

 #0  queue_find (queue=<optimized out>, function=function@entry=0x58b8761109c0 <setup_match_bis>, match_data=match_data@entry=0x3) at src/shared/queue.c:230
 #1  0x000058b8761127fb in bass_update_bis_sync (bcast_src=<optimized out>, dg=<optimized out>) at profiles/audio/bass.c:1824
 #2  handle_mod_src_req (data=<optimized out>, params=<optimized out>, bcast_src=0x58b894661be0) at profiles/audio/bass.c:1862
 #3  cp_handler (bcast_src=0x58b894661be0, op=<optimized out>, params=<optimized out>, user_data=<optimized out>) at profiles/audio/bass.c:1910
 #4  0x000058b8761bc978 in bass_handle_mod_src_op (bass=<optimized out>, attrib=<optimized out>, opcode=<optimized out>, id=<optimized out>, iov=<optimized out>, att=<optimized out>)
    at src/shared/bass.c:1069

To fix this, the code will now just iterate over the existing setups,
checking if they match the BIS index and then adding/removing the
stream, so it is no longer possible to free the delegator before all
setups are processed.
---
 profiles/audio/bass.c | 24 ++++++++----------------
 1 file changed, 8 insertions(+), 16 deletions(-)

diff --git a/profiles/audio/bass.c b/profiles/audio/bass.c
index bf0db0555963..1fd7704a77a2 100644
--- a/profiles/audio/bass.c
+++ b/profiles/audio/bass.c
@@ -1854,32 +1854,24 @@ static int handle_set_bcode_req(struct bt_bcast_src *bcast_src,
 	return 0;
 }
 
-static bool setup_match_bis(const void *data, const void *match_data)
-{
-	const struct bass_setup *setup = data;
-	const int bis =  PTR_TO_INT(match_data);
-
-	return setup->bis == bis;
-}
-
 static void bass_update_bis_sync(struct bass_delegator *dg,
 				struct bt_bcast_src *bcast_src)
 {
-	for (int bis = 1; bis < ISO_MAX_NUM_BIS; bis++) {
-		struct bass_setup *setup = queue_find(dg->setups,
-				setup_match_bis, INT_TO_PTR(bis));
-		uint8_t state;
+	const struct queue_entry *entry;
 
-		if (!setup)
-			continue;
+	/* Check if existing setups if BIS needs to be added/removed */
+	for (entry = queue_get_entries(dg->setups); entry;
+				entry = entry->next) {
+		struct bass_setup *setup = entry->data;
+		uint8_t state;
 
 		state = bt_bap_stream_get_state(setup->stream);
 
-		if (!setup->stream && bt_bass_check_bis(bcast_src, bis))
+		if (!setup->stream && bt_bass_check_bis(bcast_src, setup->bis))
 			bass_add_bis(setup);
 		else if (setup->stream &&
 				state == BT_BAP_STREAM_STATE_STREAMING &&
-				!bt_bass_check_bis(bcast_src, bis))
+				!bt_bass_check_bis(bcast_src, setup->bis))
 			bass_remove_bis(setup);
 	}
 }
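Review bot: the new loop reads `entry->next` only after bass_add_bis()/bass_remove_bis() have run on that entry; if bass_remove_bis() unlinks or frees the setup's queue entry, or tears down the delegator and dg->setups with it (the commit message says the delegator can be freed during this update), the pointer read on the next iteration is stale and the crash moves rather than goes away. Suggest saving `next = entry->next` before the add/remove call, or walking with queue_foreach() if it guards against removal during iteration (worth checking in src/shared/queue.c). Also in this hunk: `state = bt_bap_stream_get_state(setup->stream);` still runs before the `!setup->stream` test, so it depends on bt_bap_stream_get_state() accepting a NULL stream; fetching state inside the `else if` branch would remove that dependence. And the added comment "Check if existing setups if BIS needs to be added/removed" should read "Check existing setups to see if a BIS needs to be added/removed".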
-- 
2.53.0


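The failure mode the commit message describes, as an added example that is neither BlueZ code nor part of this thread: a constructed minimal queue, setups and delegator in C, with the delegator torn down when its last setup is removed (a harness assumption about bass_remove_bis(), not verified against profiles/audio/bass.c). The delegator's free() is replaced by a flag so the harness counts reads of freed state instead of crashing. sync_by_index() reproduces the index-probing loop the patch removes, with ISO_MAX_NUM_BIS replaced by a max_bis parameter; sync_by_entries() walks the entries the way the patch does, plus the guards a queue_foreach()-style walker adds: a reference held on the list and next saved before the callback runs. All names here (queue_find_bis, dg_setups, apply, run_scenario) are this example's own.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed model, not BlueZ code: a singly linked queue, per-BIS setups
 * owned by a delegator, and a bitmask standing in for bt_bass_check_bis().
 * The delegator is "freed" by setting a flag so the harness can count
 * use-after-free reads instead of crashing on them. */
struct queue_entry { void *data; struct queue_entry *next; };
struct queue { struct queue_entry *head; int ref_count; };
struct bass_setup { int bis; bool streaming; };	/* bis is 1-based */
struct bass_delegator { struct queue *setups; bool freed; };

static int uaf_count;	/* reads of dg->setups after the delegator was freed */

static void queue_push(struct queue *q, void *data)
{
	struct queue_entry *e = calloc(1, sizeof(*e));
	e->data = data;
	e->next = q->head;
	q->head = e;
}

static void queue_remove(struct queue *q, void *data)
{
	for (struct queue_entry **pp = &q->head; *pp; pp = &(*pp)->next)
		if ((*pp)->data == data) {
			struct queue_entry *e = *pp;
			*pp = e->next;
			free(e);
			return;
		}
}

static void queue_unref(struct queue *q)
{
	if (--q->ref_count > 0)
		return;
	while (q->head) {
		struct queue_entry *e = q->head;
		q->head = e->next;
		free(e);
	}
	free(q);
}

static struct bass_setup *queue_find_bis(struct queue *q, int bis)
{
	for (struct queue_entry *e = q ? q->head : NULL; e; e = e->next)
		if (((struct bass_setup *)e->data)->bis == bis)
			return e->data;
	return NULL;
}

/* Every read of dg->setups in the loops goes through here so the harness
 * can record the ones that happen after the delegator is gone. */
static struct queue *dg_setups(struct bass_delegator *dg)
{
	if (dg->freed)
		uaf_count++;
	return dg->freed ? NULL : dg->setups;
}

/* Harness assumption: removing the last setup tears the delegator down,
 * the situation the commit message describes. */
static void bass_remove_bis(struct bass_delegator *dg, struct bass_setup *s)
{
	queue_remove(dg->setups, s);
	free(s);
	if (!dg->setups->head) {
		dg->freed = true;
		queue_unref(dg->setups);
		dg->setups = NULL;
	}
}

static void apply(struct bass_delegator *dg, struct bass_setup *s, unsigned int mask)
{
	bool wanted = mask & (1u << (s->bis - 1));
	if (!s->streaming && wanted)
		s->streaming = true;		/* bass_add_bis() */
	else if (s->streaming && !wanted)
		bass_remove_bis(dg, s);		/* may free dg */
}

/* Old shape: probe every index, re-reading dg->setups each time, including
 * after the last removal has torn the delegator down. */
static void sync_by_index(struct bass_delegator *dg, unsigned int mask, int max_bis)
{
	for (int bis = 1; bis < max_bis; bis++) {
		struct bass_setup *s = queue_find_bis(dg_setups(dg), bis);
		if (s)
			apply(dg, s, mask);
	}
}

/* New shape plus the guards a queue_foreach()-style walker adds: a reference
 * held on the list and next saved before the callback can unlink or free the
 * current entry. dg itself is never read again once the entries run out. */
static void sync_by_entries(struct bass_delegator *dg, unsigned int mask)
{
	struct queue *q = dg->setups;
	struct queue_entry *e = q->head;
	q->ref_count++;
	while (e) {
		struct queue_entry *next = e->next;
		apply(dg, e->data, mask);
		e = next;
	}
	queue_unref(q);
}

/* Two streaming setups (BIS 1 and 2). Mask 0 asks to drop both, which frees
 * the delegator mid-loop. Returns how many times freed state was read. */
int run_scenario(bool by_index, unsigned int mask, int max_bis)
{
	struct bass_delegator *dg = calloc(1, sizeof(*dg));
	struct bass_setup *s1 = calloc(1, sizeof(*s1));
	struct bass_setup *s2 = calloc(1, sizeof(*s2));
	dg->setups = calloc(1, sizeof(*dg->setups));
	dg->setups->ref_count = 1;
	s1->bis = 1; s1->streaming = true;
	s2->bis = 2; s2->streaming = true;
	queue_push(dg->setups, s1);
	queue_push(dg->setups, s2);
	uaf_count = 0;
	if (by_index)
		sync_by_index(dg, mask, max_bis);
	else
		sync_by_entries(dg, mask);
	if (!dg->freed) {	/* release whatever the loop kept */
		for (struct queue_entry *e = dg->setups->head; e; e = e->next)
			free(e->data);
		queue_unref(dg->setups);
	}
	free(dg);
	return uaf_count;
}
```

With mask 0 against the two streaming setups, the index loop frees the delegator at BIS 2 and then reads its freed setups pointer once for every remaining index, while the entry walk finishes with no stale read; with mask 1 (keep BIS 1) nothing is torn down and both loops are clean. The point for the patch under review is the saved `next` and the held reference: walking `entry->next` directly is only safe if the add/remove calls can never free the entry or the list.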

* RE: [BlueZ,v2] bass: Fix crashing on BT_BASS_MOD_SRC
  2026-04-14 19:04 [PATCH BlueZ v2] bass: Fix crashing on BT_BASS_MOD_SRC Luiz Augusto von Dentz
@ 2026-04-14 20:41 ` bluez.test.bot
  2026-04-14 22:02 ` bluez.test.bot
  1 sibling, 0 replies; 3+ messages in thread
From: bluez.test.bot @ 2026-04-14 20:41 UTC (permalink / raw)
  To: linux-bluetooth, luiz.dentz


This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1081265

---Test result---

Test Summary:
CheckPatch                    FAIL      0.79 seconds
GitLint                       FAIL      0.63 seconds
BuildEll                      PASS      20.20 seconds
BluezMake                     PASS      647.42 seconds
MakeCheck                     PASS      18.85 seconds
MakeDistcheck                 PASS      243.52 seconds
CheckValgrind                 PASS      296.43 seconds
CheckSmatch                   PASS      346.73 seconds
bluezmakeextell               PASS      181.18 seconds
IncrementalBuild              FAIL      0.00 seconds
ScanBuild                     PASS      1008.46 seconds

Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
[BlueZ,v2] bass: Fix crashing on BT_BASS_MOD_SRC
WARNING:COMMIT_LOG_LONG_LINE: Possible unwrapped commit description (prefer a maximum 75 chars per line)
#101: 
 #0  queue_find (queue=<optimized out>, function=function@entry=0x58b8761109c0 <setup_match_bis>, match_data=match_data@entry=0x3) at src/shared/queue.c:230

/github/workspace/src/patch/14524659.patch total: 0 errors, 1 warnings, 40 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

/github/workspace/src/patch/14524659.patch has style problems, please review.

NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPDX_LICENSE_TAG SPLIT_STRING SSCANF_TO_KSTRTO

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.


##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
[BlueZ,v2] bass: Fix crashing on BT_BASS_MOD_SRC

WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
9: B1 Line exceeds max length (156>80): " #0  queue_find (queue=<optimized out>, function=function@entry=0x58b8761109c0 <setup_match_bis>, match_data=match_data@entry=0x3) at src/shared/queue.c:230"
10: B1 Line exceeds max length (125>80): " #1  0x000058b8761127fb in bass_update_bis_sync (bcast_src=<optimized out>, dg=<optimized out>) at profiles/audio/bass.c:1824"
11: B1 Line exceeds max length (126>80): " #2  handle_mod_src_req (data=<optimized out>, params=<optimized out>, bcast_src=0x58b894661be0) at profiles/audio/bass.c:1862"
12: B1 Line exceeds max length (143>80): " #3  cp_handler (bcast_src=0x58b894661be0, op=<optimized out>, params=<optimized out>, user_data=<optimized out>) at profiles/audio/bass.c:1910"
13: B1 Line exceeds max length (182>80): " #4  0x000058b8761bc978 in bass_handle_mod_src_op (bass=<optimized out>, attrib=<optimized out>, opcode=<optimized out>, id=<optimized out>, iov=<optimized out>, att=<optimized out>)"
##############################
Test: IncrementalBuild - FAIL
Desc: Incremental build with the patches in the series
Output:
Failed to reset to base commit


https://github.com/bluez/bluez/pull/2036

---
Regards,
Linux Bluetooth



* RE: [BlueZ,v2] bass: Fix crashing on BT_BASS_MOD_SRC
  2026-04-14 19:04 [PATCH BlueZ v2] bass: Fix crashing on BT_BASS_MOD_SRC Luiz Augusto von Dentz
  2026-04-14 20:41 ` [BlueZ,v2] " bluez.test.bot
@ 2026-04-14 22:02 ` bluez.test.bot
  1 sibling, 0 replies; 3+ messages in thread
From: bluez.test.bot @ 2026-04-14 22:02 UTC (permalink / raw)
  To: linux-bluetooth, luiz.dentz


This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1081265

---Test result---

Test Summary:
CheckPatch                    FAIL      0.46 seconds
GitLint                       FAIL      0.32 seconds
BuildEll                      PASS      19.97 seconds
BluezMake                     PASS      610.01 seconds
MakeCheck                     PASS      18.73 seconds
MakeDistcheck                 PASS      235.34 seconds
CheckValgrind                 PASS      274.55 seconds
CheckSmatch                   PASS      322.65 seconds
bluezmakeextell               PASS      164.79 seconds
IncrementalBuild              PASS      610.16 seconds
ScanBuild                     PASS      924.97 seconds

Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
[BlueZ,v2] bass: Fix crashing on BT_BASS_MOD_SRC
WARNING:COMMIT_LOG_LONG_LINE: Possible unwrapped commit description (prefer a maximum 75 chars per line)
#101: 
 #0  queue_find (queue=<optimized out>, function=function@entry=0x58b8761109c0 <setup_match_bis>, match_data=match_data@entry=0x3) at src/shared/queue.c:230

/github/workspace/src/patch/14524659.patch total: 0 errors, 1 warnings, 40 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

/github/workspace/src/patch/14524659.patch has style problems, please review.

NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPDX_LICENSE_TAG SPLIT_STRING SSCANF_TO_KSTRTO

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.


##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
[BlueZ,v2] bass: Fix crashing on BT_BASS_MOD_SRC

WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
9: B1 Line exceeds max length (156>80): " #0  queue_find (queue=<optimized out>, function=function@entry=0x58b8761109c0 <setup_match_bis>, match_data=match_data@entry=0x3) at src/shared/queue.c:230"
10: B1 Line exceeds max length (125>80): " #1  0x000058b8761127fb in bass_update_bis_sync (bcast_src=<optimized out>, dg=<optimized out>) at profiles/audio/bass.c:1824"
11: B1 Line exceeds max length (126>80): " #2  handle_mod_src_req (data=<optimized out>, params=<optimized out>, bcast_src=0x58b894661be0) at profiles/audio/bass.c:1862"
12: B1 Line exceeds max length (143>80): " #3  cp_handler (bcast_src=0x58b894661be0, op=<optimized out>, params=<optimized out>, user_data=<optimized out>) at profiles/audio/bass.c:1910"
13: B1 Line exceeds max length (182>80): " #4  0x000058b8761bc978 in bass_handle_mod_src_op (bass=<optimized out>, attrib=<optimized out>, opcode=<optimized out>, id=<optimized out>, iov=<optimized out>, att=<optimized out>)"


https://github.com/bluez/bluez/pull/2036

---
Regards,
Linux Bluetooth


