FROMGIT: avdtp: Fix crashes in avdtp_abort
In avdtp_abort, if setup->stream is NULL, trying to access
stream->lsep will crash.
(cherry picked from commit 622d98afbb4f147d0ead1961c80406072bc45aa7
git://git.kernel.org/pub/scm/bluetooth/bluez.git master)
BUG=b:150714532
TEST=run connect-disconnect loop with Parrot Zik 3 on Kindred.
Bluetoothd crashed within ~20 iterations before this change.
There is no crash in 100 iterations after this change.
Change-Id: I7ac724dfd593d422ec6ebb341f0da83fda3aca49
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/bluez/+/2119972
Reviewed-by: Abhishek Pandit-Subedi <abhishekpandit@chromium.org>
Reviewed-by: Sonny Sasaka <sonnysasaka@chromium.org>
Commit-Queue: Yun-Hao Chung <howardchung@google.com>
Tested-by: Yun-Hao Chung <howardchung@google.com>
diff --git a/profiles/audio/avdtp.c b/profiles/audio/avdtp.c
index f42f21b..0eb9ef8 100644
--- a/profiles/audio/avdtp.c
+++ b/profiles/audio/avdtp.c
@@ -3550,7 +3550,6 @@
{
struct seid_req req;
int ret;
- struct avdtp_local_sep *sep = stream->lsep;
if (!stream && session->discover) {
/* Don't call cb since it being aborted */
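Review bot: The only NULL guard visible here is `if (!stream && session->discover)`, so a NULL `stream` with no discovery in progress falls through this block. Removing the early `stream->lsep` initializer fixes the dereference at function entry, but please confirm that the lines between this hunk and the next return before `stream->lsep->state` is evaluated when `stream` is NULL; if not, an explicit `if (!stream) return -EINVAL;` after this block would close the remaining path. Two smaller points: the commit message refers to `setup->stream`, while the pointer dereferenced in this function is `stream`, and the context comment would read better as "since it is being aborted".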
@@ -3565,7 +3564,7 @@
if (stream->lsep->state == AVDTP_STATE_ABORTING)
return -EINVAL;
- avdtp_sep_set_state(session, sep, AVDTP_STATE_ABORTING);
+ avdtp_sep_set_state(session, stream->lsep, AVDTP_STATE_ABORTING);
if (session->req && stream == session->req->stream)
return cancel_request(session, ECANCELED);
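Review bot: `stream->lsep` is now read twice in this hunk, once in the `AVDTP_STATE_ABORTING` comparison and once in the `avdtp_sep_set_state()` call, and neither visible line checks that `lsep` itself is non-NULL. If `lsep` can be cleared while the stream is still referenced, that needs a guard here as well. Otherwise, consider keeping a local `sep` but assigning it only after the stream has been validated, which preserves the single read of the old code without reintroducing the early dereference.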