| Message ID | 20200601213902.389278-1-luiz.dentz@gmail.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [BlueZ] a2dp: Fix crash on transport_cb | expand |
Hi, On Mon, Jun 1, 2020 at 2:52 PM Alain Michaud <alainmichaud@google.com> wrote: > > Hi Luiz, > > On Mon., Jun. 1, 2020, 5:39 p.m. Luiz Augusto von Dentz, <luiz.dentz@gmail.com> wrote: >> >> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> >> >> There have been reports of crashes on transport_cb where the setup >> would most likely already have been freed but transport_cb would still >> be called, so instead of assuming the setup pointer would be valid try >> to lookup the list of active setups and log a warning when it happens. > > > Reviewed-by: Alain Michaud <alainm@chromium.org> >> >> --- >> profiles/audio/a2dp.c | 8 ++++++++ >> 1 file changed, 8 insertions(+) >> >> diff --git a/profiles/audio/a2dp.c b/profiles/audio/a2dp.c >> index 7f14c880a..d88d1fa69 100644 >> --- a/profiles/audio/a2dp.c >> +++ b/profiles/audio/a2dp.c >> @@ -2217,6 +2217,14 @@ static void transport_cb(GIOChannel *io, GError *err, gpointer user_data) >> { >> struct a2dp_setup *setup = user_data; >> uint16_t omtu, imtu; >> + GSList *l; >> + >> + l = g_slist_find(setups, setup); >> + if (!l) { >> + warn("bt_io_accept: setup %p no longer valid", setup); >> + g_io_channel_shutdown(io, TRUE, NULL); >> + return; >> + } >> >> if (err) { >> error("%s", err->message); >> -- >> 2.25.3 Pushed.
Thanks Luiz! On Tue, Jun 2, 2020 at 1:01 PM Luiz Augusto von Dentz <luiz.dentz@gmail.com> wrote: > > Hi, > > On Mon, Jun 1, 2020 at 2:52 PM Alain Michaud <alainmichaud@google.com> wrote: > > > > Hi Luiz, > > > > On Mon., Jun. 1, 2020, 5:39 p.m. Luiz Augusto von Dentz, <luiz.dentz@gmail.com> wrote: > >> > >> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> > >> > >> There have been reports of crashes on transport_cb where the setup > >> would most likely already have been freed but transport_cb would still > >> be called, so instead of assuming the setup pointer would be valid try > >> to lookup the list of active setups and log a warning when it happens. > > > > > > Reviewed-by: Alain Michaud <alainm@chromium.org> > >> > >> --- > >> profiles/audio/a2dp.c | 8 ++++++++ > >> 1 file changed, 8 insertions(+) > >> > >> diff --git a/profiles/audio/a2dp.c b/profiles/audio/a2dp.c > >> index 7f14c880a..d88d1fa69 100644 > >> --- a/profiles/audio/a2dp.c > >> +++ b/profiles/audio/a2dp.c > >> @@ -2217,6 +2217,14 @@ static void transport_cb(GIOChannel *io, GError *err, gpointer user_data) > >> { > >> struct a2dp_setup *setup = user_data; > >> uint16_t omtu, imtu; > >> + GSList *l; > >> + > >> + l = g_slist_find(setups, setup); > >> + if (!l) { > >> + warn("bt_io_accept: setup %p no longer valid", setup); > >> + g_io_channel_shutdown(io, TRUE, NULL); > >> + return; > >> + } > >> > >> if (err) { > >> error("%s", err->message); > >> -- > >> 2.25.3 > > Pushed. > > -- > Luiz Augusto von Dentz
diff --git a/profiles/audio/a2dp.c b/profiles/audio/a2dp.c index 7f14c880a..d88d1fa69 100644 --- a/profiles/audio/a2dp.c +++ b/profiles/audio/a2dp.c @@ -2217,6 +2217,14 @@ static void transport_cb(GIOChannel *io, GError *err, gpointer user_data) { struct a2dp_setup *setup = user_data; uint16_t omtu, imtu; + GSList *l; + + l = g_slist_find(setups, setup); + if (!l) { + warn("bt_io_accept: setup %p no longer valid", setup); + g_io_channel_shutdown(io, TRUE, NULL); + return; + } if (err) { error("%s", err->message);
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> There have been reports of crashes on transport_cb where the setup would most likely already have been freed but transport_cb would still be called, so instead of assuming the setup pointer would be valid try to lookup the list of active setups and log a warning when it happens. --- profiles/audio/a2dp.c | 8 ++++++++ 1 file changed, 8 insertions(+)