From e6be04eb93c36aa180dbbb841317c92021ed574b Mon Sep 17 00:00:00 2001 From: Daniel Beer Date: Mon, 15 Apr 2024 18:37:52 +1200 Subject: [PATCH] backend-ofono: fix double-close of file descriptor. When the acquire() method is called on a transport, the caller becomes the owner of the returned fd. The caller is responsible for closing the file descriptor, and does in the bluez5 device module. The code here in release() causes the file descriptor to be shutdown/closed a second time. If, in the meantime, the file descriptor has been recycled by the kernel, this causes all kinds of unpredictable errors. Most notably, crashes like the following during a switch back to A2DP following a phonecall: E: [bluetooth] rtpoll.c: Assertion '(i->pollfd[0].revents & ~0x001) == 0' failed at ../src/pulsecore/rtpoll.c:542, function asyncmsgq_read_after(). Aborting. --- src/modules/bluetooth/backend-ofono.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/modules/bluetooth/backend-ofono.c b/src/modules/bluetooth/backend-ofono.c index 36fe787cf..251207bda 100644 --- a/src/modules/bluetooth/backend-ofono.c +++ b/src/modules/bluetooth/backend-ofono.c @@ -319,6 +319,7 @@ static int socket_accept(int sock) static int hf_audio_agent_transport_acquire(pa_bluetooth_transport *t, bool optional, size_t *imtu, size_t *omtu) { struct hf_audio_card *card = t->userdata; int err; + int fd; pa_assert(card); @@ -349,7 +350,10 @@ static int hf_audio_agent_transport_acquire(pa_bluetooth_transport *t, bool opti return -1; } - return card->fd; + /* File descriptor belongs to the caller now */ + fd = card->fd; + card->fd = -1; + return fd; } static void hf_audio_agent_transport_release(pa_bluetooth_transport *t) { -- 2.30.2