Linux bluetooth development
From: hadess <noreply@github.com>
To: linux-bluetooth@vger.kernel.org
Subject: [bluez/bluez] c915f8: media: Fix possible crash on exit/adapter removal
Date: Tue, 12 May 2026 04:29:41 -0700	[thread overview]
Message-ID: <bluez/bluez/push/refs/heads/1093445/000000-c915f8@github.com> (raw)

  Branch: refs/heads/1093445
  Home:   https://github.com/bluez/bluez
  Commit: c915f8eb390fba5588ce1425025d4a4274a3fbed
      https://github.com/bluez/bluez/commit/c915f8eb390fba5588ce1425025d4a4274a3fbed
  Author: Bastien Nocera <hadess@hadess.net>
  Date:   2026-05-12 (Tue, 12 May 2026)

  Changed paths:
    M profiles/audio/media.c

  Log Message:
  -----------
  media: Fix possible crash on exit/adapter removal

Nothing protects media_endpoint_remove() from being called multiple
times for the same structure. Before a g_free() call is made on
endpoint->capabilities, there are NULL checks, and NULL setting,
for every variable that might get modified, so a second call to the same
function, even though it's still a use-after-free, is only a
read-after-free, and might crash at the first attempt at modifying
that freed memory.

The reason why this function might be called multiple times is that
in some circumstances, another signal might be received that the
endpoint is getting removed while we're already in the process of
removing that endpoint.

For example, release_endpoint() (which should appear between
path_free() and media_endpoint_remove() in the backtrace below, as
that's the function called at profiles/audio/media.c:3651) will send a
D-Bus message which it then waits for the answer to, meaning that other
D-Bus messages could be received while we're waiting for the answer, and
then destroy the endpoint.

 #11 media_endpoint_destroy at profiles/audio/media.c:231
 #12 media_endpoint_remove at profiles/audio/media.c:314
 #13 path_free at profiles/audio/media.c:3651
 #14 remove_interface at gdbus/object.c:742
 #15 g_dbus_unregister_interface at gdbus/object.c:1499
 #16 g_slist_foreach at ../glib/gslist.c:837
 #17 unload_drivers at src/adapter.c:5932
 #18 adapter_remove at src/adapter.c:7088
 #19 adapter_unregister at src/adapter.c:9504
 #20 index_removed at src/adapter.c:10693
 #21 queue_foreach at src/shared/queue.c:207
 #23 process_notify at src/shared/mgmt.c:349
 #24 can_read_data at src/shared/mgmt.c:409
 #25 watch_callback at src/shared/io-glib.c:173
 #27 g_main_context_dispatch_unlocked at ../glib/gmain.c:4451
 #28 g_main_context_iterate_unlocked at ../glib/gmain.c:4516
 #30 mainloop_run at src/shared/mainloop-glib.c:65
 #31 mainloop_run_with_signal at src/shared/mainloop-notify.c:196

in profiles/audio/media.c:
 231         g_free(endpoint->capabilities);

See https://bugzilla.redhat.com/show_bug.cgi?id=2467980



To unsubscribe from these emails, change your notification settings at https://github.com/bluez/bluez/settings/notifications
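Added C illustration of the re-entrancy the commit message describes; this is not BlueZ's code, and the struct, function names and the `removing` flag are hypothetical simplifications. A teardown routine that blocks on a synchronous D-Bus round trip can be re-entered from the main loop for the same structure; a guard flag set on entry turns the nested second call into a no-op instead of a second free.

```c
/* Added illustration (not BlueZ code): guarding a teardown routine against
 * re-entrant calls that arrive while it blocks waiting on a D-Bus reply. */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

struct endpoint {
    char *capabilities;     /* heap buffer freed during teardown */
    bool removing;          /* hypothetical guard: set on entry */
};

static int destroy_calls;   /* how many times the buffer was actually freed */

/* Hook standing in for the "another signal arrives mid-removal" case. */
static void (*nested_signal)(struct endpoint *ep);

static void endpoint_remove(struct endpoint *ep)
{
    /* Guard: a nested call for the same structure returns immediately,
     * so it neither reads nor writes memory the outer call is freeing. */
    if (ep->removing)
        return;
    ep->removing = true;

    /* Stand-in for release_endpoint(): while the synchronous D-Bus call
     * waits for its reply, the main loop dispatches other messages, and
     * one of them may trigger removal of this very endpoint again. */
    if (nested_signal)
        nested_signal(ep);

    /* Stand-in for media_endpoint_destroy(): free and NULL the buffer. */
    free(ep->capabilities);
    ep->capabilities = NULL;
    destroy_calls++;
}

static void reentrant_signal(struct endpoint *ep)
{
    endpoint_remove(ep);    /* second call for the same structure */
}

/* Runs the constructed scenario; returns the number of frees (expect 1). */
int run_reentrancy_scenario(void)
{
    struct endpoint ep = { .capabilities = malloc(8), .removing = false };
    memcpy(ep.capabilities, "caps", 5);     /* constructed sample data */
    destroy_calls = 0;
    nested_signal = reentrant_signal;
    endpoint_remove(&ep);
    return destroy_calls;
}
```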
