Message ID | 20250522150359.634879-1-frederic.danis@collabora.com |
---|---|
State | New |
Series | [BlueZ] audio/avrcp: fix crash when NowPlaying changes while list_items is in progress |
diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c index 8d1e03b93..7296ac164 100644 --- a/profiles/audio/avrcp.c +++ b/profiles/audio/avrcp.c @@ -3879,6 +3879,14 @@ static void avrcp_now_playing_changed(struct avrcp *session, DBG("NowPlaying changed"); + /* reset the list_items operation, if it is in progress + or else we will crash because _clear_playlist() frees the items */ + if (player->p) { + g_slist_free(player->p->items); + g_free(player->p); + player->p = NULL; + } + media_player_clear_playlist(mp); }
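Review bot: in the new `if (player->p)` block, once `player->p = NULL` is set, a list_items response that is still outstanding will arrive with no pending state, so avrcp_list_items_rsp() has to tolerate `player->p == NULL`, or the outstanding request has to be cancelled at this point. Please confirm which of the two holds, since the hunk only frees the pending state and nothing visible here stops the response callback from running. The list is released with `g_slist_free(player->p->items)`, which frees only the list nodes; that matches the stated ownership (the items belong to the player), and it would help to say so in the comment. The comment would also read better if it named media_player_clear_playlist() in full and put the closing `*/` on its own line.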
From: George Kiagiadakis <george.kiagiadakis@collabora.com>

The media_item objects are owned by the player and while we keep temporary pointers to them in pending_list_items, clearing the player's playlist destroys them and we will end up crashing in the next call to avrcp_list_items_rsp().

The crash is racy and can only be observed when skipping tracks very quickly in an Apple Music station (where the playlist changes on every next song)

---
 profiles/audio/avrcp.c | 8 ++++++++
 1 file changed, 8 insertions(+)