bap: cancel stream operation before freeing setup

Before freeing setup, cancel any ongoing stream operations, and indicate failure for pending DBus replies. Fixes: ======================================================================= ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000004758 WRITE of size 4 at 0x60d000004758 thread T0 #0 0x557159 in qos_cb profiles/audio/bap.c:753 #1 0x89c38f in bap_req_complete src/shared/bap.c:1191 #2 0x8cb7fc in bap_req_detach src/shared/bap.c:4789 #3 0x8cb9bb in bt_bap_detach src/shared/bap.c:4801 #4 0x571e25 in bap_disconnect profiles/audio/bap.c:3011 ... freed by thread T0 here: #1 0x558f2b in setup_free profiles/audio/bap.c:890 #2 0x7f34e8 in queue_remove_all src/shared/queue.c:341 #3 0x7f0105 in queue_destroy src/shared/queue.c:60 #4 0x55cdc8 in ep_free profiles/audio/bap.c:1167 =======================================================================
bluez · Apr 16, 2024 · d3a6a64 · d3a6a64
1 parent f78e639
commit d3a6a64
Showing 1 changed file with 13 additions and 0 deletions.
diff --git a/profiles/audio/bap.c b/profiles/audio/bap.c
@@ -879,9 +879,22 @@ static struct bap_setup *setup_new(struct bap_ep *ep)
 static void setup_free(void *data)
 {
 	struct bap_setup *setup = data;
+	DBusMessage *reply;
 
 	DBG("%p", setup);
 
+	if (setup->stream && setup->id) {
+		bt_bap_stream_cancel(setup->stream, setup->id);
+		setup->id = 0;
+	}
+
+	if (setup->msg) {
+		reply = btd_error_failed(setup->msg, "Canceled");
+		g_dbus_send_message(btd_get_dbus_connection(), reply);
+		dbus_message_unref(setup->msg);
+		setup->msg = NULL;
+	}
+
 	if (setup->ep)
 		queue_remove(setup->ep->setups, setup);