Skip to content

Bluetooth: TBS: write_call_cp does not take mutex of instance when inst != tbs #104571

New issue
New issue
Open
Bug
Open
Bluetooth: TBS: write_call_cp does not take mutex of instance when inst != tbs#104571
Bug
Assignees
ThalleyMaxzuru
Labels
area: Bluetootharea: Bluetooth AudiobugThe issue is a bug, or the PR is fixing a bugpriority: lowLow impact/importance bug
@Thalley

Description

@Thalley
Thalley
opened on Feb 26, 2026

Describe the bug

write_call_cp looks up the appropriate TBS instance when operations are done on GTBS. In those cases, we correctly take the mutex of GTBS, but we never take the mutex of the TBS being looked up, e.g.

		call_index = ccp->accept.call_index;

		if (is_gtbs) {
			tbs = lookup_inst_by_call_index(call_index);
			if (tbs == NULL) {
				status = BT_TBS_RESULT_CODE_INVALID_CALL_INDEX;
				break;
			}
		} else {
			tbs = inst;
		}

		status = accept_call(tbs, &ccp->accept);
		break;

This means that the call may be changed by a different thread while we are handling it here.

Regression

  • This is a regression.

Steps to reproduce

N/A

Relevant log output

N/A

Impact

Functional Limitation – Some features not working as expected, but system usable.

Environment

28e25ea

Additional Context

Relates to #104655

Metadata

Metadata

Assignees

Labels

area: Bluetootharea: Bluetooth AudiobugThe issue is a bug, or the PR is fixing a bugpriority: lowLow impact/importance bug

Type

Bug

Projects

Bluetooth LE Audio

Status

To do

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions