Message ID | 20200821175838.20761-1-sonnysasaka@chromium.org
---|---
State | Accepted
Series | [BlueZ,v2] adapter: Fix crash in discovery_disconnect
Hi Sonny, On Fri, Aug 21, 2020 at 11:00 AM Sonny Sasaka <sonnysasaka@chromium.org> wrote: > > discovery_disconnect crashed because the adapter pointer has been freed > before. This patch makes sure that discovery list is cleaned up before > adapter pointer is freed. > > Reviewed-by: Miao-chen Chou <mcchou@chromium.org> > > --- > src/adapter.c | 20 +++++++++++++++----- > 1 file changed, 15 insertions(+), 5 deletions(-) > > diff --git a/src/adapter.c b/src/adapter.c > index 5e896a9f0..1435e2bd7 100644 > --- a/src/adapter.c > +++ b/src/adapter.c > @@ -5316,12 +5316,26 @@ static void free_service_auth(gpointer data, gpointer user_data) > g_free(auth); > } > > +static void remove_discovery_list(struct btd_adapter *adapter) > +{ > + g_slist_free_full(adapter->set_filter_list, discovery_free); > + adapter->set_filter_list = NULL; > + > + g_slist_free_full(adapter->discovery_list, discovery_free); > + adapter->discovery_list = NULL; > +} > + > static void adapter_free(gpointer user_data) > { > struct btd_adapter *adapter = user_data; > > DBG("%p", adapter); > > + /* Make sure the adapter's discovery list is cleaned up before freeing > + * the adapter. > + */ > + remove_discovery_list(adapter); > + > if (adapter->pairable_timeout_id > 0) { > g_source_remove(adapter->pairable_timeout_id); > adapter->pairable_timeout_id = 0; > @@ -6846,11 +6860,7 @@ static void adapter_stop(struct btd_adapter *adapter) > > cancel_passive_scanning(adapter); > > - g_slist_free_full(adapter->set_filter_list, discovery_free); > - adapter->set_filter_list = NULL; > - > - g_slist_free_full(adapter->discovery_list, discovery_free); > - adapter->discovery_list = NULL; > + remove_discovery_list(adapter); > > discovery_cleanup(adapter, 0); > > -- > 2.26.2 Applied, thanks.
diff --git a/src/adapter.c b/src/adapter.c index 5e896a9f0..1435e2bd7 100644 --- a/src/adapter.c +++ b/src/adapter.c @@ -5316,12 +5316,26 @@ static void free_service_auth(gpointer data, gpointer user_data) g_free(auth); } +static void remove_discovery_list(struct btd_adapter *adapter) +{ + g_slist_free_full(adapter->set_filter_list, discovery_free); + adapter->set_filter_list = NULL; + + g_slist_free_full(adapter->discovery_list, discovery_free); + adapter->discovery_list = NULL; +} + static void adapter_free(gpointer user_data) { struct btd_adapter *adapter = user_data; DBG("%p", adapter); + /* Make sure the adapter's discovery list is cleaned up before freeing + * the adapter. + */ + remove_discovery_list(adapter); + if (adapter->pairable_timeout_id > 0) { g_source_remove(adapter->pairable_timeout_id); adapter->pairable_timeout_id = 0; @@ -6846,11 +6860,7 @@ static void adapter_stop(struct btd_adapter *adapter) cancel_passive_scanning(adapter); - g_slist_free_full(adapter->set_filter_list, discovery_free); - adapter->set_filter_list = NULL; - - g_slist_free_full(adapter->discovery_list, discovery_free); - adapter->discovery_list = NULL; + remove_discovery_list(adapter); discovery_cleanup(adapter, 0);
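Review bot: in the adapter_free hunk, the new remove_discovery_list(adapter) call is placed before any other teardown, which is the right spot assuming discovery_free() tears down whatever later invokes discovery_disconnect() with the adapter pointer, but neither the hunk nor the commit message says why the existing cleanup in adapter_stop() was not sufficient (for example, that adapter_free() can be reached on a path where adapter_stop() did not run, or that entries can be added after it). One sentence on that in the commit message, plus a note in the helper's comment that calling it a second time is harmless because g_slist_free_full() on an empty list is a no-op and both pointers are reset to NULL, would make the ordering requirement explicit for the next person touching this path.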
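Review bot: the adapter_stop hunk is a pure extraction, the five removed lines are exactly the body of remove_discovery_list(), so behaviour there is unchanged and discovery_cleanup(adapter, 0) still follows as before. One style point: the helper's name mentions only the discovery list but it also clears set_filter_list; either name it for both (e.g. remove_discovery_lists) or state it in a comment on the helper, so a reader of adapter_stop can see that both lists are dropped at this point.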
discovery_disconnect crashed because the adapter pointer had already been freed. This patch makes sure that the discovery list is cleaned up before the adapter pointer is freed.

Reviewed-by: Miao-chen Chou <mcchou@chromium.org>
---
src/adapter.c | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)