bap: cancel stream operation before freeing setup

Before freeing setup, cancel any ongoing stream operations, and indicate
failure for pending DBus replies.

Fixes:
=======================================================================
ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000004758
WRITE of size 4 at 0x60d000004758 thread T0
    #0 0x557159 in qos_cb profiles/audio/bap.c:753
    #1 0x89c38f in bap_req_complete src/shared/bap.c:1191
    #2 0x8cb7fc in bap_req_detach src/shared/bap.c:4789
    #3 0x8cb9bb in bt_bap_detach src/shared/bap.c:4801
    #4 0x571e25 in bap_disconnect profiles/audio/bap.c:3011
    ...
freed by thread T0 here:
    #1 0x558f2b in setup_free profiles/audio/bap.c:890
    #2 0x7f34e8 in queue_remove_all src/shared/queue.c:341
    #3 0x7f0105 in queue_destroy src/shared/queue.c:60
    #4 0x55cdc8 in ep_free profiles/audio/bap.c:1167
=======================================================================

1 files changed, 13 insertions, 0 deletions

diff --git a/profiles/audio/bap.c b/profiles/audio/bap.c
index 30049f0fb3..ff6d6d8813 100644
--- a/profiles/audio/bap.c
+++ b/profiles/audio/bap.c
@@ -879,9 +879,22 @@ static struct bap_setup *setup_new(struct bap_ep *ep)
 static void setup_free(void *data)
 {
 	struct bap_setup *setup = data;
+	DBusMessage *reply;
 
 	DBG("%p", setup);
 
+	if (setup->stream && setup->id) {
+		bt_bap_stream_cancel(setup->stream, setup->id);
+		setup->id = 0;
+	}
+
+	if (setup->msg) {
+		reply = btd_error_failed(setup->msg, "Canceled");
+		g_dbus_send_message(btd_get_dbus_connection(), reply);
+		dbus_message_unref(setup->msg);
+		setup->msg = NULL;
+	}
+
 	if (setup->ep)
 		queue_remove(setup->ep->setups, setup);