From patchwork Fri Apr 12 19:55:55 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Pauli Virtanen X-Patchwork-Id: 788603 Received: from lahtoruutu.iki.fi (lahtoruutu.iki.fi [185.185.170.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BC8AA69DE4 for ; Fri, 12 Apr 2024 19:56:10 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=pass smtp.client-ip=185.185.170.37 ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712951774; cv=pass; b=XkzWFmfaTQbHIWEtijEtEy+CCtOwDejOZjpeHOQQWHeDigbeT2JeY06AjAXYT0NX3vyify0k0LBoSMTonUAEtpw9hBzURIjYjUc74XqrOoU15pfTFcKO8DCowsXYWxjgpZX1rOHo23dsKN29TJ5GhL/I+11TosAo2FPI2QKt/ac= ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712951774; c=relaxed/simple; bh=+oj9OViQQaUQdbVdzlcQVa4lVgcmH8AOQui+do8Rfs4=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=c/Pvneg2m6IJSrU21RAMXjA7Wyvz92Xe89vWWsLdLp5FcQeX5XjqQc9IPlu2faAjm9XDvsBQhuUrVZdDCaIDHxZweTxEl5xPdS0Itfm51xwFi+wY4jh1AKzE7dAia6VpzD7HwRH3XDoWDHhiDdtojS0YNHgbph1PlljVXGw55BQ= ARC-Authentication-Results: i=2; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=iki.fi; spf=pass smtp.mailfrom=iki.fi; dkim=pass (2048-bit key) header.d=iki.fi header.i=@iki.fi header.b=SQwPmkGB; arc=pass smtp.client-ip=185.185.170.37 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=iki.fi Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=iki.fi Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=iki.fi header.i=@iki.fi header.b="SQwPmkGB" Received: from monolith.lan (unknown [193.138.7.178]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: pav) by lahtoruutu.iki.fi (Postfix) with ESMTPSA id 4VGS414nmvz49Pyk; Fri, 12 Apr 2024 22:56:01 +0300 (EEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=lahtoruutu; t=1712951762; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=Fjy1m2Afxz+C3EZr7xyJrsOj+Pj3b7nu0DXzf6z7vl4=; b=SQwPmkGBgpgUPRxTIadVPNb2teDYmceHyrmqpHrxVNmmmX+gcE/Q50HItiCa5nE9dyIfvF JYVVvyuBW1XigQR+Ugu1WWGOTf0m9hMcnSwcyqb59kuK5UkjqN2UIMo7+GHOIkrYoRilEv I6mf2vBVvftS91Pc6vIscE38JlhZ2g8gfkUQnwyj4e8ZLUkjxx2WiuCZSjYgoLeNXOJ7L+ vpyps/Iexh+RkoCrjpHrQFajxpW7HRbrUUyKxWdOR07EgkXBUyqe0jLX+VzQ5e/yYcFnUR UlaxZ1g65/JzjM/JIuhLX0OOBhy2sg4RLrvwpMM8RxR4kP1IqhMwgG1vej+9/w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=lahtoruutu; t=1712951762; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=Fjy1m2Afxz+C3EZr7xyJrsOj+Pj3b7nu0DXzf6z7vl4=; b=Ynch9xjYGHyKmf1QXmJuQkv0b4V6uTeMnnj1NM7mAbfAcO6Nc45IoG5PbV/V1s+7V+qooc w/uqslr6aKySpRiUuVQ5JCh7bvAkMYJasVXjXWmCaNyFqKhsDKLGg+Qwps3bqTeyMQGEly TTAgeqZgXgQ81b37FFT5sz0Ui2gN4w/Po4V3S+i44e4NliRWxIrLO2E0DV5DCEL8On8F0n sSFYURhfp45s3yMe8wBZwEesaZAe/G/m5kpOz6k2Ig7fcSjGiGdMl2iTdn8eMs7uBJ7pRw QtA/hk6g7k4pi/HydteswDU2QZtTPvmL8p2KD7CVuz1ca/7G87xVBUKTrzEa1w== ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=pav smtp.mailfrom=pav@iki.fi ARC-Seal: i=1; s=lahtoruutu; d=iki.fi; t=1712951762; a=rsa-sha256; cv=none; b=ZAyOQJs7D+qdsoCm2YFqpSZN8NJ2mU1WSDZ1iTQ74iguCtoJfZxTxI97PtfDcFnq56XdME nBjgZiETDaBpiSa5AL4TBTdmYi+dpxAei2O24+wKW2lM4cYryHMrI6jvDd8ZRsUXFOmMVQ RoptBff1FdglQkHefTKfYlC/fBaJBPb826n/R/gwH0tH61Lp8a1cqTvbcBa5gqnwQrMj0q YGI8vkVv7Rj0JiAFK3Gf0wIVVoBLk0Q8i+vVrvJYjWk/BSJZYogdxhOL+2tbusH7o+0Bmy JBLjigOR5XdaEJukB4sTMsowrYDvgciJKc4PbRyjf7fMeAZZlmEuq/ms5wLtSQ== From: Pauli Virtanen To: linux-bluetooth@vger.kernel.org Cc: Pauli Virtanen Subject: [PATCH BlueZ 1/2] shared/bap: clean up requests for a stream before freeing it Date: Fri, 12 Apr 2024 22:55:55 +0300 Message-ID: X-Mailer: git-send-email 2.44.0 Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Cancel stream's queued requests before freeing the stream. As the callbacks may do some cleanup on error, be sure to call them before removing the requests. Fixes: ======================================================================= ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000013430 READ of size 8 at 0x60d000013430 thread T0 #0 0x89cb9f in stream_stop_complete src/shared/bap.c:1211 #1 0x89c997 in bap_req_complete src/shared/bap.c:1192 #2 0x8a105f in bap_process_queue src/shared/bap.c:1474 #3 0x93c93f in timeout_callback src/shared/timeout-glib.c:25 ... freed by thread T0 here: #1 0x89b744 in bap_stream_free src/shared/bap.c:1105 #2 0x89bac8 in bap_stream_detach src/shared/bap.c:1122 #3 0x89dbfc in bap_stream_state_changed src/shared/bap.c:1261 #4 0x8a2169 in bap_ucast_set_state src/shared/bap.c:1554 #5 0x89e0d5 in stream_set_state src/shared/bap.c:1291 #6 0x8a78b6 in bap_ucast_release src/shared/bap.c:1927 #7 0x8d45bb in bt_bap_stream_release src/shared/bap.c:5516 #8 0x8ba63f in remove_streams src/shared/bap.c:3538 #9 0x7f23d0 in queue_foreach src/shared/queue.c:207 #10 0x8bb875 in bt_bap_remove_pac src/shared/bap.c:3593 #11 0x47416c in media_endpoint_destroy profiles/audio/media.c:185 ======================================================================= --- src/shared/bap.c | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/src/shared/bap.c b/src/shared/bap.c index 5fee7b4c5..ccde26431 100644 --- a/src/shared/bap.c +++ b/src/shared/bap.c @@ -1105,6 +1105,9 @@ static void bap_stream_free(void *data) free(stream); } +static void bap_abort_stream_req(struct bt_bap *bap, + struct bt_bap_stream *stream); + static void bap_stream_detach(struct bt_bap_stream *stream) { struct bt_bap_endpoint *ep = stream->ep; @@ -1114,6 +1117,8 @@ static void bap_stream_detach(struct bt_bap_stream *stream) DBG(stream->bap, "stream %p ep %p", stream, ep); + bap_abort_stream_req(stream->bap, stream); + queue_remove(stream->bap->streams, stream); bap_stream_clear_cfm(stream); @@ -1477,6 +1482,28 @@ static bool bap_process_queue(void *data) return false; } +static bool match_req_stream(const void *data, const void *match_data) +{ + const struct bt_bap_req *pend = data; + + return pend->stream == match_data; +} + +static void bap_req_abort(void *data) +{ + struct bt_bap_req *req = data; + struct bt_bap *bap = req->stream->bap; + + DBG(bap, "req %p", req); + bap_req_complete(req, NULL); +} + +static void bap_abort_stream_req(struct bt_bap *bap, + struct bt_bap_stream *stream) +{ + queue_remove_all(bap->reqs, match_req_stream, stream, bap_req_abort); +} + static bool bap_queue_req(struct bt_bap *bap, struct bt_bap_req *req) { struct bt_bap_req *pend; From patchwork Fri Apr 12 19:55:56 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Pauli Virtanen X-Patchwork-Id: 788399 Received: from lahtoruutu.iki.fi (lahtoruutu.iki.fi [185.185.170.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BC8F914F9E9 for ; Fri, 12 Apr 2024 19:56:10 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=pass smtp.client-ip=185.185.170.37 ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712951773; cv=pass; b=H3hX+ziTNCMbYpdgHk9VVbeEz8T7e249uVEmVPlvuXCUpEiN3BBK9Q/kLBfl5KhsJI9AFmswtx3OyJRpFyj9+mHPFNwxmmm8kJnd20+hekUvQ4MjTYKlfStD5CjQeyfg3uDajVc/Ee1JE99YYPzmvzgrQyl06Nplo9l4c9Y81d4= ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712951773; c=relaxed/simple; bh=gE+UHnx0YPjUC0wvCFUT9AB8n9HVLyj972V05NZoFvw=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=p6LKz4wxAWCj0wEroET7qY2U/fl7Bu3i54zhYZeZ3Lrfm2pKW0bsQtNvjspSnLsw6bTFaHU08ynhpV1RSPgU6e7UN/cstKdSFj8HRVvoI6X49UY8gtVKKTjfCGU7RST9ZO9N/3Dv/jdj7f0ctVM5KFsWjNyAc/DuEML6rdvfajo= ARC-Authentication-Results: i=2; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=iki.fi; spf=pass smtp.mailfrom=iki.fi; dkim=pass (2048-bit key) header.d=iki.fi header.i=@iki.fi header.b=FOg41G5c; arc=pass smtp.client-ip=185.185.170.37 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=iki.fi Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=iki.fi Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=iki.fi header.i=@iki.fi header.b="FOg41G5c" Received: from monolith.lan (unknown [193.138.7.178]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: pav) by lahtoruutu.iki.fi (Postfix) with ESMTPSA id 4VGS430GNyz49Q3T; Fri, 12 Apr 2024 22:56:02 +0300 (EEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=lahtoruutu; t=1712951763; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=cKXYvvaT7qFbssRo2MwF2eEWFSmp2R2fhKw7/edvDZU=; b=FOg41G5cdbiYu+rbLljeVxBFucC/ieGtfvjsVWYLzYOD46c5BW03M/6jwgpcAJukVfGL7i 5pS9xkfo/yvt1by665GSO9ptjEq5K4ANQvHmIKjdtButLPnALOV07cFhZZDdMqOyiaRbKN JD8UPGSvYioA4d1ewIbC3cVyXNebBj4KopOA63aCXLuWmtfPM/Y1FflUPcPbnayE2/Zcwa EEMuO+hxaURSxsChzcKxQ518h3ZUVeMjJvXXrkbKCfsztDE97peC/cgLI7FAUmdObSRbLH HycUn4+pVQY2Oceuegq2iOtutx2th8AySHAx7iuU4Lnq024RZTKF4MiEiswyQA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=lahtoruutu; t=1712951763; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=cKXYvvaT7qFbssRo2MwF2eEWFSmp2R2fhKw7/edvDZU=; b=u6dlI47sQtaNhzIePzRgdKzoLKtEKHCLb5VpXns0YsvRc1dWIzwutloD+wuL6WZxcY16n9 GhyYEL7dXvwn5ZBWSBQzwyS0505TozG+uwMGeNvlDIGq2rzy3p4GT3KUT4jTwqk0k3XPMH gLOqZasViQqQ2JhDOVesiMm3mccvLFDfJQunPMcuUo/N0rYI5ISSNzMVIONeAEZyDZ2eB2 Grxkog2phVCw8OFHRR/jOXNjKB+O4m8OkH9QcGblSI4/ZQvazFaJbk1l3EFyu3Nl+y+mZQ /SUfEG9gy6F2z+HYMXlurr2J9UJnQPWfbye0/XYGB591zEmIgE3rwcIdHDWPRA== ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=pav smtp.mailfrom=pav@iki.fi ARC-Seal: i=1; s=lahtoruutu; d=iki.fi; t=1712951763; a=rsa-sha256; cv=none; b=UphiOmUipsODgfNpUXn7bZcllVmZrqaEMj4yeCKQMMyX4NNoOyN/savlhWniidHvOLaRep 7ANdWESdVUwlll0Kc7r1i6ON9ecGQe0tNyGDV+2dPdfDtYnpSZv4n/wuLlMCQif08Hrijs t8BA6waDH753xvlqCV0o5YEmIcxoKA53vlvmTdqcUv/SzrallDg76zGdl7ctxXDKXSofIV rRAmGjQdV62twnX0Q3Lo3jgSuMWe+7vBnsM/r/+dV8ZSyv0BKNJ0YrB4uSybR4fIwM4Xzt VLlstgt4w3pG4duURLFKhEOEQ2zFFb1/ioRfYUla+nfWRIG9ahN/erc7EJoTPA== From: Pauli Virtanen To: linux-bluetooth@vger.kernel.org Cc: Pauli Virtanen Subject: [PATCH BlueZ 2/2] bap: cancel stream operation before freeing setup Date: Fri, 12 Apr 2024 22:55:56 +0300 Message-ID: X-Mailer: git-send-email 2.44.0 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Before freeing setup, cancel any ongoing stream operations, and indicate failure for pending DBus replies. Fixes: ======================================================================= ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000004758 WRITE of size 4 at 0x60d000004758 thread T0 #0 0x557159 in qos_cb profiles/audio/bap.c:753 #1 0x89c38f in bap_req_complete src/shared/bap.c:1191 #2 0x8cb7fc in bap_req_detach src/shared/bap.c:4789 #3 0x8cb9bb in bt_bap_detach src/shared/bap.c:4801 #4 0x571e25 in bap_disconnect profiles/audio/bap.c:3011 ... freed by thread T0 here: #1 0x558f2b in setup_free profiles/audio/bap.c:890 #2 0x7f34e8 in queue_remove_all src/shared/queue.c:341 #3 0x7f0105 in queue_destroy src/shared/queue.c:60 #4 0x55cdc8 in ep_free profiles/audio/bap.c:1167 ======================================================================= --- profiles/audio/bap.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/profiles/audio/bap.c b/profiles/audio/bap.c index 30049f0fb..ff6d6d881 100644 --- a/profiles/audio/bap.c +++ b/profiles/audio/bap.c @@ -879,9 +879,22 @@ static struct bap_setup *setup_new(struct bap_ep *ep) static void setup_free(void *data) { struct bap_setup *setup = data; + DBusMessage *reply; DBG("%p", setup); + if (setup->stream && setup->id) { + bt_bap_stream_cancel(setup->stream, setup->id); + setup->id = 0; + } + + if (setup->msg) { + reply = btd_error_failed(setup->msg, "Canceled"); + g_dbus_send_message(btd_get_dbus_connection(), reply); + dbus_message_unref(setup->msg); + setup->msg = NULL; + } + if (setup->ep) queue_remove(setup->ep->setups, setup);