[BlueZ,v1] audio: transport: Fix crash on A2DP suspend

Message ID	20240102180718.3735855-1-luiz.dentz@gmail.com
State	New
Headers	show Received: from mail-yw1-f181.google.com (mail-yw1-f181.google.com [209.85.128.181]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 544B8156C3 for <linux-bluetooth@vger.kernel.org>; Tue, 2 Jan 2024 18:07:22 +0000 (UTC) From: Luiz Augusto von Dentz <luiz.dentz@gmail.com> To: linux-bluetooth@vger.kernel.org Subject: [PATCH BlueZ v1] audio: transport: Fix crash on A2DP suspend Date: Tue, 2 Jan 2024 13:07:18 -0500 Message-ID: <20240102180718.3735855-1-luiz.dentz@gmail.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[BlueZ,v1] audio: transport: Fix crash on A2DP suspend \| expand [BlueZ,v1] audio: transport: Fix crash on A2DP suspend

Message ID

20240102180718.3735855-1-luiz.dentz@gmail.com

State

New

Headers

From: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
To: linux-bluetooth@vger.kernel.org
Subject: [PATCH BlueZ v1] audio: transport: Fix crash on A2DP suspend
Date: Tue,  2 Jan 2024 13:07:18 -0500
Message-ID: <20240102180718.3735855-1-luiz.dentz@gmail.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[BlueZ,v1] audio: transport: Fix crash on A2DP suspend | expand

Commit Message

Luiz Augusto von Dentz Jan. 2, 2024, 6:07 p.m. UTC

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

Commit 052534ae07b8 ("transport: Update transport release flow for
bcast src") introduced a crash where it assumes transport->data always
refers to struct bap_transport which causes a crash when the transport
is in fact A2DP.

Fixes: https://github.com/bluez/bluez/issues/701
---
 profiles/audio/transport.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/profiles/audio/transport.c b/profiles/audio/transport.c
index e2073451cc7a..0c60f06eef36 100644
--- a/profiles/audio/transport.c
+++ b/profiles/audio/transport.c
@@ -643,7 +643,6 @@  static DBusMessage *release(DBusConnection *conn, DBusMessage *msg,
 {
 	struct media_transport *transport = data;
 	struct media_owner *owner = transport->owner;
-	struct bap_transport *bap = transport->data;
 	const char *sender;
 	struct media_request *req;
 	guint id;
@@ -675,11 +674,6 @@  static DBusMessage *release(DBusConnection *conn, DBusMessage *msg,
 	req = media_request_create(msg, id);
 	media_owner_add(owner, req);
 
-	if (bt_bap_stream_get_type(bap->stream) ==
-			BT_BAP_STREAM_TYPE_BCAST) {
-		bap_disable_complete(bap->stream, 0x00, 0x00, owner);
-	}
-
 	return NULL;
 }
 
@@ -1416,6 +1410,7 @@  static guint suspend_bap(struct media_transport *transport,
 {
 	struct bap_transport *bap = transport->data;
 	bt_bap_stream_func_t func = NULL;
+	guint id;
 
 	if (!bap->stream)
 		return 0;
@@ -1427,7 +1422,14 @@  static guint suspend_bap(struct media_transport *transport,
 
 	bap_update_links(transport);
 
-	return bt_bap_stream_disable(bap->stream, bap->linked, func, owner);
+	id = bt_bap_stream_disable(bap->stream, bap->linked, func, owner);
+
+	if (bt_bap_stream_get_type(bap->stream) == BT_BAP_STREAM_TYPE_BCAST) {
+		bap_disable_complete(bap->stream, 0x00, 0x00, owner);
+		return 0;
+	}
+
+	return id;
 }
 
 static void cancel_bap(struct media_transport *transport, guint id)

[BlueZ,v1] audio: transport: Fix crash on A2DP suspend

Commit Message

Patch