The patch fixes following clang warning:
...
profiles/audio/avdtp.c:3293:2: warning: Null pointer passed as an
argument to a 'nonnull' parameter
memcpy(cap->data, data, length);
^ ~~~~
This makes signalling priority 6 so it can push commands before the
stream channel, without this the stream channel may be schedule
first and cause the signalling commands to timeout while waiting a slot.
If callback releases the last reference it can cause the following:
Invalid free() / delete / delete[] / realloc()
at 0x4A07577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x386244EF7E: g_free (in /usr/lib64/libglib-2.0.so.0.3800.2)
by 0x410356: finalize_discovery (avdtp.c:933)
by 0x414462: session_cb (avdtp.c:2555)
by 0x38624492A5: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3800.2)
by 0x3862449627: ??? (in /usr/lib64/libglib-2.0.so.0.3800.2)
by 0x3862449A39: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3800.2)
by 0x403A95: main (main.c:439)
Address 0x4cf7af0 is 0 bytes inside a block of size 24 free'd
at 0x4A07577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x386244EF7E: g_free (in /usr/lib64/libglib-2.0.so.0.3800.2)
by 0x410356: finalize_discovery (avdtp.c:933)
by 0x4110BC: avdtp_unref (avdtp.c:1026)
by 0x416491: a2dp_device_free (a2dp.c:122)
by 0x4165DF: bt_a2dp_notify_state (a2dp.c:166)
by 0x417170: discover_cb (a2dp.c:333)
by 0x41034E: finalize_discovery (avdtp.c:931)
by 0x414462: session_cb (avdtp.c:2555)
by 0x38624492A5: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3800.2)
by 0x3862449627: ??? (in /usr/lib64/libglib-2.0.so.0.3800.2)
by 0x3862449A39: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3800.2)
This use dup to create a new fd to be used by AVDTP session leaving the
caller free to close the original fd. Note that even if the caller
decides to keep the original fd it will still be notified when
avdtp_shutdown is called since it uses shutdown.
It is possible that stream->start_timer can be set on stream_free which
should then should take care of remove it properly otherwise it can
trigger which would very likely cause a crash.
Thanks to Hannu Mallat <hannu.mallat@jolla.com> for reporting it.
