From bf5ec167b66fc40f7c5f3abca58752fee0d4153b Mon Sep 17 00:00:00 2001
From: Pauli Virtanen
Date: Sun, 10 Aug 2025 14:39:10 +0300
Subject: [PATCH] bap: remove bap_update_cigs callback properly whan data is freed

setup_free() may re-enable the CIG update callback. If this occurs in bap_data_free(), the callback crashes with UAF. Fix by moving clearing the callback after all setups are freed.
---
 profiles/audio/bap.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/profiles/audio/bap.c b/profiles/audio/bap.c
index bc67c1ef9..2994881cc 100644
--- a/profiles/audio/bap.c
+++ b/profiles/audio/bap.c
@@ -189,9 +189,6 @@ static void bap_data_free(struct bap_data *data)
 if (data->io_id)
 g_source_remove(data->io_id);
 
- if (data->cig_update_id)
- g_source_remove(data->cig_update_id);
-
 if (data->service && btd_service_get_user_data(data->service) == data)
 btd_service_set_user_data(data->service, NULL);
 
@@ -204,6 +201,10 @@ static void bap_data_free(struct bap_data *data)
 bt_bap_state_unregister(data->bap, data->state_id);
 bt_bap_pac_unregister(data->bap, data->pac_id);
 bt_bap_unref(data->bap);
+
+ if (data->cig_update_id)
+ g_source_remove(data->cig_update_id);
+
 free(data);
 }
 
--
2.47.3
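Review bot: The relocated `g_source_remove(data->cig_update_id)` in bap_data_free() carries no comment explaining why it must come after the setups are destroyed, so a later tidy-up could move it back beside the io_id removal and silently reintroduce the use-after-free this commit fixes. A one-line comment above the check, `/* setup_free() can re-arm the CIG update source; remove it only after every setup is gone */`, would pin the ordering for future readers. It is also worth confirming that none of the calls between the setup destruction and this point (bt_bap_state_unregister, bt_bap_pac_unregister, bt_bap_unref in this hunk) can themselves re-arm the source, since any such path would still leave a dangling callback pointing at the freed data. The queue_destroy() calls that run setup_free() and the start of bap_data_free() lie outside this hunk.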