
[BlueZ,v1] shared/bap: Fix crash on bt_bap_stream_disable

Message ID 20241023140042.2249809-1-luiz.dentz@gmail.com (mailing list archive)
State Accepted
Commit f93a73b2a54c8b742f601bd3e15b6fb8407e4f44

Checks

Context Check Description
tedd_an/pre-ci_am success Success
tedd_an/CheckPatch warning WARNING:COMMIT_LOG_LONG_LINE: Possible unwrapped commit description (prefer a maximum 75 chars per line) #95: bluetoothd[104990]: src/shared/bap.c:bap_queue_req() req 0x555555732470 (op 0x05) queue 0x55555571e850 /github/workspace/src/src/13847144.patch total: 0 errors, 1 warnings, 63 lines checked NOTE: For some of the reported defects, checkpatch may be able to mechanically convert to the typical style using --fix or --fix-inplace. /github/workspace/src/src/13847144.patch has style problems, please review. NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPDX_LICENSE_TAG SPLIT_STRING SSCANF_TO_KSTRTO NOTE: If any of the errors are false positives, please report them to the maintainer, see CHECKPATCH in MAINTAINERS.
tedd_an/GitLint fail WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search 9: B1 Line exceeds max length (102>80): "bluetoothd[104990]: src/shared/bap.c:bap_queue_req() req 0x555555732470 (op 0x05) queue 0x55555571e850" 10: B1 Line exceeds max length (102>80): "bluetoothd[104990]: src/gatt-database.c:send_notification_to_device() GATT server sending notification" 13: B1 Line exceeds max length (102>80): "bluetoothd[104990]: src/gatt-database.c:send_notification_to_device() GATT server sending notification" 18: B1 Line exceeds max length (94>80): "bap_send (bap=bap@entry=0x555555730c50, req=req@entry=0x555555732470) at src/shared/bap.c:1490"
tedd_an/BuildEll success Build ELL PASS
tedd_an/BluezMake success Bluez Make PASS

Commit Message

Luiz Augusto von Dentz Oct. 23, 2024, 2 p.m. UTC
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

Calls to bt_bap_stream_disable with a unicast stream shall result in
stream_disable when acting as a server (!stream->client); otherwise it
may lead to the following trace:

bluetoothd[104990]: src/shared/bap.c:bap_queue_req() req 0x555555732470 (op 0x05) queue 0x55555571e850
bluetoothd[104990]: src/gatt-database.c:send_notification_to_device() GATT server sending notification
bluetoothd[104990]: src/shared/bap.c:stream_notify_state() stream 0x55555571b7f0
bluetoothd[104990]: src/shared/bap.c:stream_notify_qos() stream 0x55555571b7f0
bluetoothd[104990]: src/gatt-database.c:send_notification_to_device() GATT server sending notification
bluetoothd[104990]: src/shared/bap.c:bap_process_queue()
bluetoothd[104990]: src/shared/bap.c:bap_send() req 0x555555732470 len 3

Program received signal SIGSEGV, Segmentation fault.
bap_send (bap=bap@entry=0x555555730c50, req=req@entry=0x555555732470) at src/shared/bap.c:1490

Fixes: https://github.com/bluez/bluez/issues/991
---
 src/shared/bap.c | 45 ++++++++++++++++++++++++---------------------
 1 file changed, 24 insertions(+), 21 deletions(-)

Comments

patchwork-bot+bluetooth@kernel.org Oct. 24, 2024, 2:30 p.m. UTC | #1
Hello:

This patch was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Wed, 23 Oct 2024 10:00:42 -0400 you wrote:
> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> 
> Calls to bt_bap_stream_disable with unicast stream shall result in
> stream_disable if when acting as a server (!stream->client) otherwise it
> may lead to the following trace:
> 
> bluetoothd[104990]: src/shared/bap.c:bap_queue_req() req 0x555555732470 (op 0x05) queue 0x55555571e850
> bluetoothd[104990]: src/gatt-database.c:send_notification_to_device() GATT server sending notification
> bluetoothd[104990]: src/shared/bap.c:stream_notify_state() stream 0x55555571b7f0
> bluetoothd[104990]: src/shared/bap.c:stream_notify_qos() stream 0x55555571b7f0
> bluetoothd[104990]: src/gatt-database.c:send_notification_to_device() GATT server sending notification
> bluetoothd[104990]: src/shared/bap.c:bap_process_queue()
> bluetoothd[104990]: src/shared/bap.c:bap_send() req 0x555555732470 len 3
> 
> [...]

Here is the summary with links:
  - [BlueZ,v1] shared/bap: Fix crash on bt_bap_stream_disable
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=f93a73b2a54c

You are awesome, thank you!

Patch

diff --git a/src/shared/bap.c b/src/shared/bap.c
index 00c3b9ff6a1b..8d04290f88ae 100644
--- a/src/shared/bap.c
+++ b/src/shared/bap.c
@@ -1872,6 +1872,27 @@  static unsigned int bap_ucast_start(struct bt_bap_stream *stream,
 	return req->id;
 }
 
+static uint8_t stream_disable(struct bt_bap_stream *stream, struct iovec *rsp)
+{
+	if (!stream || stream->ep->state == BT_BAP_STREAM_STATE_QOS ||
+			stream->ep->state == BT_BAP_STREAM_STATE_IDLE)
+		return 0;
+
+	DBG(stream->bap, "stream %p", stream);
+
+	ascs_ase_rsp_success(rsp, stream->ep->id);
+
+	/* Sink can autonomously transit to QOS while source needs to go to
+	 * Disabling until BT_ASCS_STOP is received.
+	 */
+	if (stream->ep->dir == BT_BAP_SINK)
+		stream_set_state(stream, BT_BAP_STREAM_STATE_QOS);
+	else
+		stream_set_state(stream, BT_BAP_STREAM_STATE_DISABLING);
+
+	return 0;
+}
+
 static unsigned int bap_ucast_disable(struct bt_bap_stream *stream,
 					bool disable_links,
 					bt_bap_stream_func_t func,
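Review bot: stream_disable() still calls `ascs_ase_rsp_success(rsp, stream->ep->id)` unconditionally, but it can now be reached with rsp == NULL, because bap_ucast_disable in the next hunk passes NULL. Whether that helper tolerates a NULL iovec is not visible on this page; if it does not, the crash this patch fixes only moves. Either guard the call, `if (rsp) ascs_ase_rsp_success(rsp, stream->ep->id);`, or document the contract above the function with `/* rsp may be NULL when called from bap_ucast_disable() */`. The first condition also reads `stream->ep->state` after checking only `stream`, so it relies on every caller passing a stream that is still attached to an endpoint.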
@@ -1881,6 +1902,9 @@  static unsigned int bap_ucast_disable(struct bt_bap_stream *stream,
 	struct bt_ascs_disable disable;
 	struct bt_bap_req *req;
 
+	if (!stream->client)
+		return stream_disable(stream, NULL);
+
 	memset(&disable, 0, sizeof(disable));
 
 	disable.ase = stream->ep->id;
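Review bot: The new server-side early return `return stream_disable(stream, NULL);` always yields 0, since stream_disable() returns 0 on every path, yet this function's return type is `unsigned int` and the neighbouring bap_ucast_start returns `req->id`. If callers of bt_bap_stream_disable treat 0 as failure, which the request-id convention suggests but this page does not show, a successful local disable would be reported as an error. `func` and `user_data` are also never used on this path, so a caller waiting on the completion callback would not be notified. Consider calling `stream_disable(stream, NULL);` as a statement and returning a non-zero sentinel, with a comment that no request is queued and the callback is not invoked when acting as server. The body of bap_ucast_disable continues outside the hunk.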
@@ -2790,27 +2814,6 @@  static uint8_t ascs_start(struct bt_ascs *ascs, struct bt_bap *bap,
 	return ep_start(ep, rsp);
 }
 
-static uint8_t stream_disable(struct bt_bap_stream *stream, struct iovec *rsp)
-{
-	if (!stream || stream->ep->state == BT_BAP_STREAM_STATE_QOS ||
-			stream->ep->state == BT_BAP_STREAM_STATE_IDLE)
-		return 0;
-
-	DBG(stream->bap, "stream %p", stream);
-
-	ascs_ase_rsp_success(rsp, stream->ep->id);
-
-	/* Sink can autonomously transit to QOS while source needs to go to
-	 * Disabling until BT_ASCS_STOP is received.
-	 */
-	if (stream->ep->dir == BT_BAP_SINK)
-		stream_set_state(stream, BT_BAP_STREAM_STATE_QOS);
-	else
-		stream_set_state(stream, BT_BAP_STREAM_STATE_DISABLING);
-
-	return 0;
-}
-
 static uint8_t ep_disable(struct bt_bap_endpoint *ep, struct iovec *rsp)
 {
 	struct bt_bap_stream *stream = ep->stream;