Bluetooth: ISO: Null pointer deference in iso.c on link disconnect #96155
Description
Describe the bug
Following crash is observed when ISO is being disconnected:
[Switching to Thread 0xf61fdb40 (LWP 212735)]
0x08082544 in bt_iso_cleanup_acl (iso=0x0) at /home/janc/devel/zephyr/zephyr/subsys/bluetooth/host/iso.c:1160
1160 if (iso->iso.acl) {
(gdb) bt
#0 0x08082544 in bt_iso_cleanup_acl (iso=0x0) at /home/janc/devel/zephyr/zephyr/subsys/bluetooth/host/iso.c:1160
#1 0x08082623 in bt_iso_chan_disconnected (chan=0x80f1c44 <iso_pool+100>, reason=22 '\026') at /home/janc/devel/zephyr/zephyr/subsys/bluetooth/host/iso.c:486
#2 0x080b449e in work_queue_main (workq_ptr=0x80f7cc0 <k_sys_work_q>, p2=0x0, p3=0x0) at /home/janc/devel/zephyr/zephyr/kernel/work.c:737
#3 0x08060078 in z_thread_entry (entry=0x80b42a3 <work_queue_main>, p1=0x80f7cc0 <k_sys_work_q>, p2=0x0, p3=0x0) at /home/janc/devel/zephyr/zephyr/lib/os/thread_entry.c:48
#4 0x080657fc in posix_arch_thread_entry (pa_thread_status=0x8105c60 <sys_work_q_stack+2024>) at /home/janc/devel/zephyr/zephyr/arch/posix/core/thread.c:96
#5 0x080b96b8 in nct_thread_starter (arg_el=0x92596c0) at /home/janc/devel/zephyr/zephyr/scripts/native_simulator//common/src/nct.c:290
#6 0xf7c51b20 in start_thread () from /lib/libc.so.6
#7 0xf7cd7c58 in __clone3 () from /lib/libc.so.6
Apparently chan->iso is being set to NULL in
if (chan->ops->disconnected) {
chan->ops->disconnected(chan, reason);
}
which makes assert from begining of bt_iso_chan_disconnected() invalid.
__ASSERT(chan->iso != NULL, "NULL conn for iso chan %p", chan);
Regression
- This is a regression.
Steps to reproduce
I'm able to reproduce this with AutoPTS running CAP tests eg. CAP/INI/UST/BV-18-C
Relevant log output
Impact
Major – Severely degrades functionality; workaround is difficult or unavailable.
Environment
zephyr 18497c5
autopts 0dac867efc547948058a47c7f1a44c832a924cd4
tester application built for native_sim and overlay-le-audio.conf included
Additional Context
.config used