From: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx> The following crash can be observed when a Broadcast endpoint exits when a bap_setup exists: Invalid read of size 8 at 0x4075B30: set_configuration_ready (bap.c:1120) by 0x40766C3: setup_ready (bap.c:748) by 0x407809C: setup_free (bap.c:998) by 0x4078301: bap_state_bcast_src (bap.c:3012) by 0x41319DF: bap_bcast_set_state (bap.c:2392) by 0x412CFFC: stream_set_state (bap.c:1537) by 0x4131AA3: bap_bcast_set_state (bap.c:2404) by 0x412CFFC: stream_set_state (bap.c:1537) by 0x412D0E6: bap_bcast_release (bap.c:2543) by 0x41314EF: bt_bap_stream_release (bap.c:6518) by 0x4131607: remove_lpac_streams (bap.c:4348) by 0x4108444: queue_foreach (queue.c:207) Address 0x56f7758 is 8 bytes inside a block of size 16 free'd at 0x4B85E43: free (vg_replace_malloc.c:989) by 0x407472D: setup_config (bap.c:1778) by 0x407A869: set_configuration (bap.c:1175) by 0x4102A8F: process_message (object.c:293) --- profiles/audio/bap.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/profiles/audio/bap.c b/profiles/audio/bap.c index f39a4045813d..d90d39bdc134 100644 --- a/profiles/audio/bap.c +++ b/profiles/audio/bap.c @@ -1783,6 +1783,10 @@ static int setup_config(struct bap_setup *setup, bap_setup_ready_func_t cb, bt_bap_stream_metadata(setup->stream, setup->metadata, NULL, NULL); + /* Don't set ready* field if there is no callback pending */ + if (!setup->id) + return 0; + setup->readying = true; setup->ready_cb = cb; setup->ready_cb_data = user_data; -- 2.50.1
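Review bot: The early return at `if (!setup->id) return 0;` in setup_config() skips the assignments but leaves `setup->readying`, `setup->ready_cb` and `setup->ready_cb_data` holding whatever an earlier call stored, and the trace in the commit message shows setup_free() reaching setup_ready() and set_configuration_ready() with a block that was freed in setup_config(). If those fields can still carry values from a previous call, clear them on this path (`setup->readying = false; setup->ready_cb = NULL; setup->ready_cb_data = NULL;`) instead of only not setting them, so the free path cannot invoke a stale callback. The branch also returns 0 without recording `cb`, so a caller that passed a callback gets no indication it will never fire; a sentence in the commit message on why `setup->id == 0` means nothing is pending would make that safe to rely on. Minor: the comment should read "ready* fields".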