Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
shared/bap: fix crash unregistering media endpoint while streaming
The following ASAN crash is observed when media endpoint is unregistered
(stopping sound server) while streaming from remote BAP client:
ERROR: AddressSanitizer: heap-use-after-free on address 0x60b0000474d8
READ of size 8 at 0x60b0000474d8 thread T0
#0 0x7a27c6 in stream_set_state src/shared/bap.c:1227
bluez#1 0x7aff61 in remove_streams src/shared/bap.c:2483
bluez#2 0x71d2d0 in queue_foreach src/shared/queue.c:207
bluez#3 0x7b0152 in bt_bap_remove_pac src/shared/bap.c:2501
bluez#4 0x463cda in media_endpoint_destroy profiles/audio/media.c:179
...
0x60b0000474d8 is located 8 bytes inside of 112-byte region
freed by thread T0 here:
#0 0x7f93b12b9388 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xb9388)
bluez#1 0x7a0504 in bap_stream_free src/shared/bap.c:972
bluez#2 0x7a0800 in bap_stream_detach src/shared/bap.c:989
bluez#3 0x7a26d1 in bap_stream_state_changed src/shared/bap.c:1208
bluez#4 0x7a2ab4 in stream_set_state src/shared/bap.c:1252
bluez#5 0x7ab18a in stream_release src/shared/bap.c:1985
bluez#6 0x7c6919 in bt_bap_stream_release src/shared/bap.c:4572
bluez#7 0x7aff50 in remove_streams src/shared/bap.c:2482
...
previously allocated by thread T0 here:
#0 0x7f93b12ba6af in __interceptor_malloc (/lib64/libasan.so.8+0xba6af)
bluez#1 0x71e9ae in util_malloc src/shared/util.c:43
bluez#2 0x79c2f5 in bap_stream_new src/shared/bap.c:766
bluez#3 0x7a4863 in ep_config src/shared/bap.c:1446
bluez#4 0x7a4f22 in ascs_config src/shared/bap.c:1481
...
When stream->client is false, bt_bap_stream_release already sets the
stream to idle and frees it.
Fix the crash by not setting the state to idle for the second time,
in this case.- Loading branch information
