This commit fixes the heap-use-after-free error when connecting 2 controllers. When a controller is connected admin_policy_adapter_probe is called. If policy_data was already allocated it gets freed, if not, it only gets allocated. Eventually add_interface is called. Here policy_data is put in the "data" variable (specific for each controller) and the process_changes task is called with idle priority. This function ultimately accesses policy_data from the "data" variable. When Bluez crashes the flow is: 1)first controller is attached 2)admin_policy_adapter_probe is called and policy_data is allocated 4)second controller is attached 5)admin_policy_adapter_probe is called and policy_data is freed, then allocated again 6)process_changes runs and the policy_data for the first controller is read, but it was already freed, thus the crash --- plugins/admin.c | 1 - 1 file changed, 1 deletion(-) diff --git a/plugins/admin.c b/plugins/admin.c index 68e9237d3..16b74cfbf 100644 --- a/plugins/admin.c +++ b/plugins/admin.c @@ -502,7 +502,6 @@ static int admin_policy_adapter_probe(struct btd_adapter *adapter) if (policy_data) { btd_warn(policy_data->adapter_id, "Policy data already exists"); - admin_policy_free(policy_data); policy_data = NULL; } -- 2.34.1