diff mbox series

[BlueZ,v1] shared/bap: Fix crash on bt_bap_stream_disable

Message ID 20241023140042.2249809-1-luiz.dentz@gmail.com
State New
Headers show
Series [BlueZ,v1] shared/bap: Fix crash on bt_bap_stream_disable | expand

Commit Message

Luiz Augusto von Dentz Oct. 23, 2024, 2 p.m. UTC 
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

Calls to bt_bap_stream_disable with unicast stream shall result in
stream_disable if when acting as a server (!stream->client) otherwise it
may lead to the following trace:

bluetoothd[104990]: src/shared/bap.c:bap_queue_req() req 0x555555732470 (op 0x05) queue 0x55555571e850
bluetoothd[104990]: src/gatt-database.c:send_notification_to_device() GATT server sending notification
bluetoothd[104990]: src/shared/bap.c:stream_notify_state() stream 0x55555571b7f0
bluetoothd[104990]: src/shared/bap.c:stream_notify_qos() stream 0x55555571b7f0
bluetoothd[104990]: src/gatt-database.c:send_notification_to_device() GATT server sending notification
bluetoothd[104990]: src/shared/bap.c:bap_process_queue()
bluetoothd[104990]: src/shared/bap.c:bap_send() req 0x555555732470 len 3

Program received signal SIGSEGV, Segmentation fault.
bap_send (bap=bap@entry=0x555555730c50, req=req@entry=0x555555732470) at src/shared/bap.c:1490

Fixes: https://github.com/bluez/bluez/issues/991
---
 src/shared/bap.c | 45 ++++++++++++++++++++++++---------------------
 1 file changed, 24 insertions(+), 21 deletions(-)
diff mbox series

Patch

diff --git a/src/shared/bap.c b/src/shared/bap.c
index 00c3b9ff6a1b..8d04290f88ae 100644
--- a/src/shared/bap.c
+++ b/src/shared/bap.c
@@ -1872,6 +1872,27 @@  static unsigned int bap_ucast_start(struct bt_bap_stream *stream,
 	return req->id;
 }
 
+static uint8_t stream_disable(struct bt_bap_stream *stream, struct iovec *rsp)
+{
+	if (!stream || stream->ep->state == BT_BAP_STREAM_STATE_QOS ||
+			stream->ep->state == BT_BAP_STREAM_STATE_IDLE)
+		return 0;
+
+	DBG(stream->bap, "stream %p", stream);
+
+	ascs_ase_rsp_success(rsp, stream->ep->id);
+
+	/* Sink can autonomously transit to QOS while source needs to go to
+	 * Disabling until BT_ASCS_STOP is received.
+	 */
+	if (stream->ep->dir == BT_BAP_SINK)
+		stream_set_state(stream, BT_BAP_STREAM_STATE_QOS);
+	else
+		stream_set_state(stream, BT_BAP_STREAM_STATE_DISABLING);
+
+	return 0;
+}
+
 static unsigned int bap_ucast_disable(struct bt_bap_stream *stream,
 					bool disable_links,
 					bt_bap_stream_func_t func,
@@ -1881,6 +1902,9 @@  static unsigned int bap_ucast_disable(struct bt_bap_stream *stream,
 	struct bt_ascs_disable disable;
 	struct bt_bap_req *req;
 
+	if (!stream->client)
+		return stream_disable(stream, NULL);
+
 	memset(&disable, 0, sizeof(disable));
 
 	disable.ase = stream->ep->id;
@@ -2790,27 +2814,6 @@  static uint8_t ascs_start(struct bt_ascs *ascs, struct bt_bap *bap,
 	return ep_start(ep, rsp);
 }
 
-static uint8_t stream_disable(struct bt_bap_stream *stream, struct iovec *rsp)
-{
-	if (!stream || stream->ep->state == BT_BAP_STREAM_STATE_QOS ||
-			stream->ep->state == BT_BAP_STREAM_STATE_IDLE)
-		return 0;
-
-	DBG(stream->bap, "stream %p", stream);
-
-	ascs_ase_rsp_success(rsp, stream->ep->id);
-
-	/* Sink can autonomously transit to QOS while source needs to go to
-	 * Disabling until BT_ASCS_STOP is received.
-	 */
-	if (stream->ep->dir == BT_BAP_SINK)
-		stream_set_state(stream, BT_BAP_STREAM_STATE_QOS);
-	else
-		stream_set_state(stream, BT_BAP_STREAM_STATE_DISABLING);
-
-	return 0;
-}
-
 static uint8_t ep_disable(struct bt_bap_endpoint *ep, struct iovec *rsp)
 {
 	struct bt_bap_stream *stream = ep->stream;