From bea5cc4d12b48edb58c851c7e9ad9640bb7cedee Mon Sep 17 00:00:00 2001
From: George Kiagiadakis
Date: Thu, 22 May 2025 17:03:59 +0200
Subject: [PATCH] audio/avrcp: fix crash when NowPlaying changes while list_items is in progress

The media_item objects are owned by the player and while we keep temporary pointers to them in pending_list_items, clearing the player's playlist destroys them and we will end up crashing in the next call to avrcp_list_items_rsp(). The crash is racy and can only be observed when skipping tracks very quickly in an Apple Music station (where the playlist changes on every next song)
---
 profiles/audio/avrcp.c | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
index 8d1e03b93..2d7b4e1e7 100644
--- a/profiles/audio/avrcp.c
+++ b/profiles/audio/avrcp.c
@@ -3879,6 +3879,15 @@ static void avrcp_now_playing_changed(struct avrcp *session,
 
 DBG("NowPlaying changed");
 
+ /* reset the list_items operation, if it is in progress or else we will
+ * crash because _clear_playlist() frees the items
+ */
+ if (player->p) {
+ g_slist_free(player->p->items);
+ g_free(player->p);
+ player->p = NULL;
+ }
+
 media_player_clear_playlist(mp);
 }
 
-- 
2.47.3
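Review bot: Setting `player->p = NULL` here removes the dangling `media_item` pointers, but a list_items response that is already in flight can still arrive afterwards, so every reader of `player->p` has to tolerate NULL; that handling is not visible in this hunk. If avrcp_list_items_rsp() dereferences the pending state without a check, the use-after-free is only traded for a NULL dereference whose timing is controlled by the remote device, so it should be confirmed (or added) that the response path exits early when `player->p` is NULL. The comment would read more clearly as `/* Abort any in-progress list_items operation: media_player_clear_playlist() frees the items it still points to. */`. The function starts above the hunk, so the declarations of `player` and `mp` are outside the visible lines.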