Hi Miao-chen,
On Fri, Oct 30, 2020 at 4:13 PM Miao-chen Chou <mcchou@xxxxxxxxxxxx> wrote:
>
> This cleans up the lingering pointer, adapter->client, during powering
> off the adapter. The crash occurs when a D-Bus client set Powered
> property to false and immediately calls StopDiscovery() when there is
> ongoing discovery. As a part of powering off the adapter,
> adapter->discovery_list gets cleared, and given that adapter->client
> refers to one of the clients in adapter->discovery_list, adapter->client
> should be cleared along with it.
>
> Reviewed-by: Alain Michaud <alainm@xxxxxxxxxxxx>
> Reviewed-by: Sonny Sasaka <sonnysasaka@xxxxxxxxxxxx>
> ---
>
> src/adapter.c | 17 ++++++++++++++++-
> 1 file changed, 16 insertions(+), 1 deletion(-)
>
> diff --git a/src/adapter.c b/src/adapter.c
> index c0053000a..74bfb0448 100644
> --- a/src/adapter.c
> +++ b/src/adapter.c
> @@ -1507,8 +1507,10 @@ static void discovery_free(void *user_data)
> client->discovery_filter = NULL;
> }
>
> - if (client->msg)
> + if (client->msg) {
> dbus_message_unref(client->msg);
> + client->msg = NULL;
> + }
This shouldn't make any difference as the whole list is freed and so
is the client.
>
> g_free(client->owner);
> g_free(client);
> @@ -5301,6 +5303,19 @@ static void free_service_auth(gpointer data, gpointer user_data)
>
> static void remove_discovery_list(struct btd_adapter *adapter)
> {
> + DBusMessage *msg;
> +
> + if (adapter->client) {
> + msg = adapter->client->msg;
> + if (msg) {
> + g_dbus_send_message(dbus_conn, btd_error_busy(msg));
> + dbus_message_unref(msg);
> + adapter->client->msg = NULL;
> + }
> +
> + adapter->client = NULL;
Shouldn't you call discovery_free as well here? Or perhaps we could
move the lines above inside discovery_free so it detects if the
adapter->client is pointing to a client that is being freed.
> + }
> +
> g_slist_free_full(adapter->set_filter_list, discovery_free);
> adapter->set_filter_list = NULL;
>
> --
> 2.26.2
>
--
Luiz Augusto von Dentz
