From 9145b3624f88a6580d33bb279f26495e563444b2 Mon Sep 17 00:00:00 2001 
From: howardchung
Date: Fri, 10 Jan 2020 15:57:28 +0800
Subject: [PATCH] audio/a2dp - fix crash during recovering process

The crash with stack trace:
(libc-2.27.so -raise.c:51 ) raise
(libc-2.27.so -abort.c:79 ) abort
(libc-2.27.so -libc_fatal.c:181 ) __libc_message
(libc-2.27.so -malloc.c:5350 ) malloc_printerr
(libc-2.27.so -malloc.c:4157 ) _int_free
(libglib-2.0.so.0.5200.3 -gslist.c:878 ) g_slist_free_full
(bluetoothd -a2dp.c:165 ) setup_unref
(bluetoothd -a2dp.c:2184 ) a2dp_cancel
(bluetoothd -sink.c:317 ) sink_unregister
(bluetoothd -service.c:176 ) service_remove
(bluetoothd -device.c:4678 ) device_remove
(bluetoothd -adapter.c:6573 ) adapter_remove
(bluetoothd -adapter.c:8832 ) index_removed
(bluetoothd -queue.c:220 ) queue_foreach
(bluetoothd -mgmt.c:304 ) can_read_data
(bluetoothd -io-glib.c:170 ) watch_callback
(libglib-2.0.so.0.5200.3 -gmain.c:3234 ) g_main_context_dispatch
(libglib-2.0.so.0.5200.3 -gmain.c:3972 ) g_main_context_iterate
(libglib-2.0.so.0.5200.3 -gmain.c:4168 ) g_main_loop_run
(bluetoothd -main.c:798 ) main
(libc-2.27.so -libc-start.c:308 ) __libc_start_main
(bluetoothd + 0x0000b089 ) _start
(bluetoothd + 0x0000b05f ) _init

is triggered when a 'usb disconnect' happens while an AVDTP_SET_CONFIGURATION request has been sent but its response has not yet been received. In this situation, the recovery process goes through sink.c:sink_free and then a2dp.c:a2dp_cancel, avdtp.c:cancel_request, avdtp.c:connection_lost, avdtp.c:release_stream. During recovery, the reference counts of setup and avdtp are decremented more times than they are incremented, which ends up causing the crash. The reference count of setup is decremented one extra time because a2dp.c:setconf_cfm (called via cfm->set_configuration in avdtp.c:cancel_request) was invoked in 'error mode', which does not take a reference on the setup, whereas a2dp.c:abort_cfm (called via cfm->abort in avdtp.c:release_stream) still drops one reference. In this case, abort_cfm shouldn't be called, as we already know setconf_cfm didn't send any request.
Setting avdtp_sep_state to AVDTP_STATE_ABORTING should avoid this issue. The reference count of avdtp decrease one more time since both sink.c:sink_free and sink.c:sink_set_state(called from avdtp.c:connection_lost -> avdtp.c:avdtp_set_state) unreference avdtp for the session. The changes in sink.c should avoid the issue.
Signed-off-by: Anuj Jain
Signed-off-by: Ayush Garg
---
 profiles/audio/avdtp.c | 3 +++
 profiles/audio/sink.c | 5 ++++-
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/profiles/audio/avdtp.c b/profiles/audio/avdtp.c
index 13ceeb7..8fc54ba 100644
--- a/profiles/audio/avdtp.c
+++ b/profiles/audio/avdtp.c
@@ -4107,6 +4107,7 @@ int avdtp_abort(struct avdtp *session, struct avdtp_stream *stream)
 {
 struct seid_req req;
 int ret;
+ struct avdtp_local_sep *sep = stream->lsep;
 
 if (!stream && session->discover) {
 /* Don't call cb since it being aborted */
@@ -4121,6 +4122,8 @@ int avdtp_abort(struct avdtp *session, struct avdtp_stream *stream)
 if (stream->lsep->state == AVDTP_STATE_ABORTING)
 return -EINVAL;
 
+ avdtp_sep_set_state(session, sep, AVDTP_STATE_ABORTING);
+
 if (session->req && stream == session->req->stream)
 return cancel_request(session, ECANCELED);
 
diff --git a/profiles/audio/sink.c b/profiles/audio/sink.c
index 01cd461..8407a07 100755
--- a/profiles/audio/sink.c
+++ b/profiles/audio/sink.c
@@ -333,10 +333,13 @@ static void sink_free(struct btd_service *service)
 /* We need to clear the avdtp discovery procedure */
 finalize_discovery(sink->session, ECANCELED);
 avdtp_unref(sink->session);
+ sink->session = NULL;
 }
 #else
- if (sink->session)
+ if (sink->session) {
 avdtp_unref(sink->session);
+ sink->session = NULL;
+ }
 #endif
 
 if (sink->connect_id > 0) {
-- 
2.7.4
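Review bot: `struct avdtp_local_sep *sep = stream->lsep;` dereferences stream in its declaration, before the `if (!stream && session->discover)` branch a few lines below that exists precisely to handle a NULL stream, so a caller passing NULL now faults where it previously reached that branch. The new local is used only once, in the second avdtp.c hunk, and that use sits after the NULL check and after the `stream->lsep->state` test has already dereferenced the same pointer safely; drop the declaration and write the call there as `avdtp_sep_set_state(session, stream->lsep, AVDTP_STATE_ABORTING);`. avdtp_abort continues outside both hunks.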
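Review bot: The SEP is moved to AVDTP_STATE_ABORTING unconditionally, before `cancel_request(session, ECANCELED)` or whatever request path follows the hunk has reported success, so if that later step fails the SEP is presumably left in AVDTP_STATE_ABORTING with no abort in flight, and every subsequent avdtp_abort on the stream returns -EINVAL at the `stream->lsep->state == AVDTP_STATE_ABORTING` check two lines above. Consider setting the state only once the cancel/send path has succeeded, or restoring the previous state on its failure, and say in the commit message which of the two the callers rely on. The remainder of avdtp_abort, including the non-cancel path, is outside the hunk.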
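Review bot: In both branches the new `sink->session = NULL;` runs after `avdtp_unref(sink->session)`, so if the unref itself reaches sink_set_state synchronously through connection_lost, as the commit message describes, that callback still observes the old pointer and can drop the reference a second time before the field is cleared. Clearing the field before releasing the reference closes that window: `struct avdtp *session = sink->session; sink->session = NULL; avdtp_unref(session);` in each branch, with the existing `finalize_discovery(sink->session, ECANCELED)` call kept ahead of it in the first one. sink_free continues outside the hunk.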