audio/a2dp - fix crash during recovering process
author    howardchung <howardchung@google.com>
          Fri, 10 Jan 2020 07:57:28 +0000 (15:57 +0800)
committer Ayush Garg <ayush.garg@samsung.com>
          Mon, 12 Apr 2021 09:00:48 +0000 (14:30 +0530)
commit    9145b3624f88a6580d33bb279f26495e563444b2
tree      661f1b4a76a9c8259b980c0b79f1bf9e7ffd7063
parent    dc250d03b1ed5ea00349fd3ce27b2b130c5d51b4

The crash with stack trace:

(libc-2.27.so -raise.c:51 )       raise
(libc-2.27.so -abort.c:79 )       abort
(libc-2.27.so -libc_fatal.c:181 )         __libc_message
(libc-2.27.so -malloc.c:5350 )    malloc_printerr
(libc-2.27.so -malloc.c:4157 )    _int_free
(libglib-2.0.so.0.5200.3 -gslist.c:878 )        g_slist_free_full
(bluetoothd -a2dp.c:165 )        setup_unref
(bluetoothd -a2dp.c:2184 )       a2dp_cancel
(bluetoothd -sink.c:317 )        sink_unregister
(bluetoothd -service.c:176 )     service_remove
(bluetoothd -device.c:4678 )     device_remove
(bluetoothd -adapter.c:6573 )    adapter_remove
(bluetoothd -adapter.c:8832 )    index_removed
(bluetoothd -queue.c:220 )       queue_foreach
(bluetoothd -mgmt.c:304 )        can_read_data
(bluetoothd -io-glib.c:170 )     watch_callback
(libglib-2.0.so.0.5200.3 -gmain.c:3234 )        g_main_context_dispatch
(libglib-2.0.so.0.5200.3 -gmain.c:3972 )        g_main_context_iterate
(libglib-2.0.so.0.5200.3 -gmain.c:4168 )        g_main_loop_run
(bluetoothd -main.c:798 )        main
(libc-2.27.so -libc-start.c:308 )         __libc_start_main
(bluetoothd + 0x0000b089 )       _start
(bluetoothd + 0x0000b05f )       _init

triggered when a 'usb disconnect' happened while the AVDTP_SET_CONFIGURATION
request had been sent but the response had not been received yet.
In this situation, the recovering process goes into sink.c:sink_free and
then a2dp.c:a2dp_cancel, avdtp.c:cancel_request, avdtp.c:connection_lost,
avdtp.c:release_stream.

During recovering, the reference counts of setup and avdtp decrease more
than they increase, which ends up causing the crash.

The reference count of setup decreases one more time since
a2dp.c:setconf_cfm (called by cfm->set_configuration in
avdtp.c:cancel_request) was called in the 'error mode', which didn't
reference the setup, but in a2dp.c:abort_cfm (called by cfm->abort in
avdtp.c:release_stream), the reference count is decreased by 1.

In this case, abort_cfm shouldn't be called as we already know
setconf_cfm didn't send any request. Setting avdtp_sep_state to
AVDTP_STATE_ABORTING should avoid this issue.

The reference count of avdtp decreases one more time since
both sink.c:sink_free and sink.c:sink_set_state (called from
avdtp.c:connection_lost -> avdtp.c:avdtp_set_state) unreference avdtp
for the session. The changes in sink.c should avoid the issue.

Signed-off-by: Anuj Jain <anuj01.jain@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
profiles/audio/avdtp.c
profiles/audio/sink.c
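The setup reference-count imbalance described in the message, as a constructed C model added here (not BlueZ code): `recover`, `setup_unref`, `abort_cfm` and the state names are the model's own, and the assumption that release_stream skips cfm->abort for a SEP already in the ABORTING state is taken from the remedy the message proposes.

```c
#include <stdbool.h>

/* Constructed model of the setup refcount imbalance; not BlueZ code. */
enum sep_state { STATE_CONFIGURED, STATE_ABORTING };

struct setup {
    int ref;        /* live reference count */
    int underflow;  /* unrefs of an already-freed setup (the crash above) */
};

struct sep {
    enum sep_state state;
    struct setup *setup;
};

static void setup_unref(struct setup *s)
{
    /* real code would g_slist_free_full() an already-freed list here */
    if (s->ref <= 0) { s->underflow++; return; }
    s->ref--;
}

/* abort_cfm: cfm->abort from release_stream drops one setup reference. */
static void abort_cfm(struct sep *sep)
{
    setup_unref(sep->setup);
}

/* Walk the recovery path: cancel_request -> setconf_cfm in 'error mode'
 * (no reference to release), then connection_lost -> release_stream ->
 * abort_cfm, then the owner's own final unref.  With mark_aborting set,
 * cancel_request first moves the SEP to ABORTING and release_stream
 * skips the abort confirmation.  Returns the number of underflows. */
static int recover(bool mark_aborting)
{
    struct setup setup = { .ref = 1, .underflow = 0 };
    struct sep sep = { .state = STATE_CONFIGURED, .setup = &setup };

    /* setconf_cfm in error mode: confirms the failure, takes/drops nothing */
    if (mark_aborting)
        sep.state = STATE_ABORTING;

    if (sep.state != STATE_ABORTING)   /* release_stream's guard */
        abort_cfm(&sep);

    setup_unref(&setup);               /* owner releases its reference */
    return setup.underflow;            /* 0 = balanced, 1 = double unref */
}
```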