From bb82243a6c27d0a0890005eddbea3a6c54b558b8 Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz
Date: Thu, 30 Oct 2025 12:31:13 -0400
Subject: [PATCH] btdev: Fix crash on BIG cleanup
This fixes the following crash:
Invalid read of size 8
at 0x400F26F: le_big_free (btdev.c:606)
by 0x4024636: queue_remove_all (queue.c:341)
by 0x40246C2: queue_destroy (queue.c:60)
by 0x401B7C9: btdev_destroy (btdev.c:7820)
by 0x400CFBF: hciemu_client_destroy (hciemu.c:301)
by 0x4024636: queue_remove_all (queue.c:341)
by 0x40246C2: queue_destroy (queue.c:60)
by 0x400DA91: hciemu_unref (hciemu.c:441)
by 0x40072F2: test_post_teardown (iso-tester.c:701)
by 0x402BB0A: tester_teardown_complete (tester.c:713)
by 0x402BB41: default_teardown (tester.c:266)
by 0x402B43B: teardown_callback (tester.c:434)
---
emulator/btdev.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/emulator/btdev.c b/emulator/btdev.c
index 8c72a2429..c53db7040 100644
--- a/emulator/btdev.c
+++ b/emulator/btdev.c
@@ -6863,7 +6863,7 @@ static int cmd_term_big_complete(struct btdev *dev, const void *data,
 {
 const struct bt_hci_cmd_le_term_big *cmd = data;
 struct bt_hci_evt_le_big_terminate rsp;
- struct le_big *big;
+ struct le_big *big, *rbig;
 struct btdev_conn *conn;
 struct btdev *remote = NULL;
@@ -6875,7 +6875,6 @@ static int cmd_term_big_complete(struct btdev *dev, const void *data,
 big = queue_find(dev->le_big, match_big_handle, UINT_TO_PTR(cmd->handle)); - if (!big) return 0;
@@ -6892,14 +6891,17 @@ static int cmd_term_big_complete(struct btdev *dev, const void *data,
 remote = conn->link->dev;
- big = queue_find(remote->le_big, match_bis, conn->link);
- if (big) {
+ rbig = queue_find(remote->le_big, match_bis,
+ conn->link);
+ if (rbig) {
 memset(&evt, 0, sizeof(evt));
- evt.big_handle = big->handle;
+ evt.big_handle = rbig->handle;
 evt.reason = cmd->reason;
 le_meta_event(remote, BT_HCI_EVT_LE_BIG_SYNC_LOST, &evt, sizeof(evt));
+ queue_remove(remote->le_big, rbig);
+ le_big_free(rbig);
 }
 }
-- 
2.47.3
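Review bot: Nothing records why `queue_remove(remote->le_big, rbig)` has to precede `le_big_free(rbig)`, even though that ordering is what stops the trace in the commit message (`le_big_free()` reached from `queue_destroy()` in `btdev_destroy()`) from recurring, so a later cleanup could drop or reorder it; I would add `/* Unlink from the owner's queue first: btdev_destroy() frees whatever is still in le_big */` above the `queue_remove()` call. If `le_big_free()` also releases the connections the remote BIG holds, `conn->link` is dangling from this point on; the head of the enclosing block and the rest of cmd_term_big_complete() are outside the hunk, so I cannot see whether `conn` or `conn->link` is used afterwards, worth confirming. Declaring `rbig` at function scope (first hunk) when it is used only inside this block widens its lifetime needlessly; `struct le_big *rbig = queue_find(remote->le_big, match_bis, conn->link);` declared here would keep the freed pointer out of scope after `le_big_free()`. cmd_term_big_complete() begins before and ends after this hunk.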