With the patch I submitted some time ago http://git.kernel.org/?p=bluetooth/bluez.git;a=commit;h=e9b1a8f7266d0674b1ea068a5bb5698e9ee424c9 there is a code path leading to a double free:

session_cb -> avdtp_parse_resp -> avdtp_abort_resp -> avdtp_sep_set_state(..., AVDTP_STATE_IDLE) -> handle_unanswered_req

A response to AVDTP Abort could lead to the pending request being freed both in session_cb and handle_unanswered_req. This patch avoids doing it in the latter function.

The primary purpose of adding handle_unanswered_req was to trigger responses on the Audio API (it was based on avdtp.c:request_timeout). AFAIU, AVDTP Abort doesn't lead to an API response and will be freed elsewhere (session_cb or avdtp_unref).

/Daniel
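To make the ownership problem in the call chain above concrete, here is an added toy model in C. It is not bluez code: the struct, function and signal-ID names (pending_req, session_cb, handle_unanswered_req, SIG_ABORT) are simplified stand-ins, the signal values are assumed, and free() is replaced by an instrumented release so the second free is counted instead of corrupting the heap. The model assumes, as the mail describes, that session_cb keeps its own reference to the request across the response dispatch and frees it afterwards, which is what makes the two frees possible.

```c
/* Added example, not bluez code: a toy model of the ownership hand-off
 * between session_cb and handle_unanswered_req for a pending AVDTP request.
 * All names and values below are simplified stand-ins (assumptions). */
#include <stdio.h>
#include <stdbool.h>

enum { SIG_START = 0x07, SIG_ABORT = 0x0A };   /* assumed signal IDs */

struct pending_req {
    unsigned char signal_id;
    bool freed;            /* instrumentation: has this request been released? */
};

struct session {
    struct pending_req *req;         /* the one outstanding request */
    int frees;                       /* instrumentation: releases attempted */
    int double_frees;                /* instrumentation: releases of a freed req */
    bool skip_abort_in_unanswered;   /* the patch's guard, on or off */
};

/* Instrumented stand-in for pending_req_free(): a second release of the
 * same request is recorded instead of being passed to free(). */
static void release_req(struct session *s, struct pending_req *req)
{
    s->frees++;
    if (req->freed) {
        s->double_frees++;
        return;
    }
    req->freed = true;
}

/* Models handle_unanswered_req(): the stream went IDLE while a request
 * was outstanding, so the request is failed and released here. With the
 * guard, an Abort request is left for session_cb to release. */
static void handle_unanswered_req(struct session *s)
{
    struct pending_req *req = s->req;

    if (!req)
        return;
    if (s->skip_abort_in_unanswered && req->signal_id == SIG_ABORT)
        return;                      /* session_cb still owns this one */
    s->req = NULL;
    release_req(s, req);
}

/* Models avdtp_abort_resp() -> avdtp_sep_set_state(..., IDLE). */
static void abort_resp(struct session *s)
{
    handle_unanswered_req(s);
}

/* Models session_cb(): it holds its own reference to the request across
 * the dispatch and releases it once the response has been handled. */
static void session_cb(struct session *s, unsigned char resp_signal)
{
    struct pending_req *req = s->req;

    if (!req || req->signal_id != resp_signal)
        return;                      /* no matching outstanding request */
    if (resp_signal == SIG_ABORT)
        abort_resp(s);
    s->req = NULL;
    release_req(s, req);
}

/* One Abort command/response exchange through the model; returns how many
 * double frees were observed (0 is safe, 1 reproduces the reported bug). */
static int run_abort_exchange(bool with_guard)
{
    struct session s = { .skip_abort_in_unanswered = with_guard };
    struct pending_req req = { .signal_id = SIG_ABORT };

    s.req = &req;
    session_cb(&s, SIG_ABORT);
    return s.double_frees;
}

/* A non-Abort request (Start) is outstanding when the stream goes IDLE for
 * some other reason; returns the number of releases (expected: exactly 1,
 * with or without the guard, since the guard only affects Abort). */
static int run_idle_with_pending_start(bool with_guard)
{
    struct session s = { .skip_abort_in_unanswered = with_guard };
    struct pending_req req = { .signal_id = SIG_START };

    s.req = &req;
    handle_unanswered_req(&s);
    return s.frees;
}

int main(void)
{
    printf("abort exchange, no guard:   %d double free(s)\n", run_abort_exchange(false));
    printf("abort exchange, with guard: %d double free(s)\n", run_abort_exchange(true));
    printf("pending start, with guard:  %d release(s)\n", run_idle_with_pending_start(true));
    return 0;
}
```

The model makes the fix's shape visible: handle_unanswered_req must decide, from the request's signal ID, whether it owns the pending request or whether the response path that is still on the stack does. Narrowing the skip to Abort keeps the normal case (a non-Abort request outstanding when the stream goes idle) released exactly once.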
From 803637bc0e452392498714cd8245a06f5aea2edc Mon Sep 17 00:00:00 2001 From: Daniel Orstadius <daniel.orstadius@xxxxxxxxx> Date: Fri, 19 Feb 2010 17:51:48 +0200 Subject: [PATCH] Fix double free on AVDTP Abort response The pending request might be freed twice when receiving an Abort response, in handle_unanswered_req and session_cb. Avoid freeing it in handle_unanswered_req. --- audio/avdtp.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) diff --git a/audio/avdtp.c b/audio/avdtp.c index 2591845..ae7c88e 100644 --- a/audio/avdtp.c +++ b/audio/avdtp.c @@ -905,6 +905,13 @@ static void handle_unanswered_req(struct avdtp *session, struct avdtp_local_sep *lsep; struct avdtp_error err; + if (session->req == AVDTP_ABORT) { + /* Avoid freeing the Abort request here */ + debug("handle_unanswered_req: Abort req, returning"); + session->req->stream = NULL; + return; + } + req = session->req; session->req = NULL; -- 1.6.0.4
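Review bot: the guard `if (session->req == AVDTP_ABORT)` compares the pending-request pointer `session->req` with the AVDTP_ABORT signal constant, so it is never true for a valid pointer and the function goes on to `req = session->req; session->req = NULL;` and free the Abort request exactly as before, leaving the double free in place; the check the commit message describes has to look at the request's signal identifier, e.g. `if (session->req->signal_id == AVDTP_ABORT)` (assuming `signal_id` is the field of struct pending_req that stores it). The compiler warns about the pointer/integer comparison, which is a quick way to confirm this. Two smaller points on the same lines: the new branch dereferences `session->req` to clear `->stream`, so it relies on the caller only entering this function with a non-NULL `session->req`, which the shown context does not establish and the comment should state; and the comment "Avoid freeing the Abort request here" would be more useful if it said who does free it (session_cb or avdtp_unref, per the cover mail), since that is the ownership rule the next reader needs.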