
Null pointer dereference in bt_iso_chan_disconnected() #98331

@sjanc

Description


Describe the bug

Occasionally when executing BT qualification tests we notice the following assertion:

```
[00:00:13.870,000] <inf> bttester_bap_audio_stream: Stream 0x82520c0 sent 500 SDUs of size 40
[00:00:13.910,000] <inf> bttester_bap_audio_stream: Stream 0x8252224 sent 500 SDUs of size 40
[00:00:15.210,000] <inf> bttester_bap_audio_stream: Stream 0x82520c0 sent 600 SDUs of size 40
[00:00:15.230,000] <inf> bttester_bap_audio_stream: Stream 0x8252224 sent 600 SDUs of size 40
[00:00:16.030,000] <dbg> bttester: cmd_handler: cmd service 0x01 opcode 0x05 index 0x00
[00:00:16.030,000] <dbg> bttester_bap_broadcast: stream_stopped: Stopped stream 0x82520c0 with reason 0x1F
[00:00:16.030,000] <inf> bttester_bap_audio_stream: Unregistered 0x82520c0 for TX
[00:00:16.030,000] <dbg> bttester_bap_broadcast: stream_stopped: Stopped stream 0x8252224 with reason 0x1F
[00:00:16.030,000] <inf> bttester_bap_audio_stream: Unregistered 0x8252224 for TX
[00:00:16.030,000] <dbg> bttester_cap: broadcast_stopped_cb:
AddressSanitizer:DEADLYSIGNAL
=================================================================
==36081==ERROR: AddressSanitizer: SEGV on unknown address 0x0000006c (pc 0x08104cb0 bp 0xf01eb128 sp 0xf01eb100 T4)
==36081==The signal is caused by a READ memory access.
==36081==Hint: address points to the zero page.
    #0 0x08104cb0 in bt_iso_chan_disconnected /home/janc/devel/zephyr/zephyr/subsys/bluetooth/host/iso.c:457
    #1 0x080cea67 in deferred_work /home/janc/devel/zephyr/zephyr/subsys/bluetooth/host/conn.c:2213
    #2 0x0819c833 in work_queue_main /home/janc/devel/zephyr/zephyr/kernel/work.c:737
    #3 0x08096286 in z_thread_entry /home/janc/devel/zephyr/zephyr/lib/os/thread_entry.c:48
    #4 0x080a9dce in posix_arch_thread_entry /home/janc/devel/zephyr/zephyr/arch/posix/core/thread.c:96
    #5 0x081a8527 in nct_thread_starter /home/janc/devel/zephyr/zephyr/scripts/native_simulator//common/src/nct.c:291
    #6 0xf78cb8fd in asan_thread_start(void*) (/lib/libasan.so.8+0x248fd) (BuildId: 51b2b89222df75cabd1a4b631a605e0673894250)

==36081==Register values:
eax = 0x08260280  ebx = 0x08260280  ecx = 0x00000000  edx = 0x00000007
edi = 0x00000000  esi = 0x00000000  ebp = 0xf01eb128  esp = 0xf01eb100
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/janc/devel/zephyr/zephyr/subsys/bluetooth/host/iso.c:457 in bt_iso_chan_disconnected
```

This is happening randomly (but not often) in tests, however I suspect that all occurrences are when bt_disable() is being called when there is an existing ISO connection.

This seems to be related to #98316 although it seems to happen more often (~7 times more likely to hit this instead of assertion).

zephyr hash: b25a218

Regression

  • This is a regression.

Steps to reproduce

It happens randomly when LE Audio qualification tests are executed.

Relevant log output

Impact

Annoyance – Minor irritation; no significant impact on usability or functionality.

Environment

No response

Additional Context

No response
