From: Yun-Hao Chung <howardchung@xxxxxxxxxxxx>

This patch changes the logic of probe_service so that the same service will
not be added to a device.
---
The crash can be reproduced in the following steps
1. set service allowlist to ['aaaa']
2. pair with any device
3. after the device is disconnected, set service allowlist to an empty list
4. remove the device from adapter

In step 3, when the allowlist is set to empty, profiles that were blocked will
be added to each device. However, in step 2, the profiles the device provides
had already been added. Due to the logic of device.c:probe_service, there will
be 2 identical services in device->services, which causes a double-free error
when removing the device.

 src/device.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/device.c b/src/device.c
index 0d7444706336..dba26f787066 100644
--- a/src/device.c
+++ b/src/device.c
@@ -4709,8 +4709,11 @@ static struct btd_service *probe_service(struct btd_device *device,
 		return NULL;
 
 	l = find_service_with_profile(device->services, profile);
+	/* If the service already exists, return NULL so that it won't be added
+	 * to the device->services.
+	 */
 	if (l)
-		return NULL;
+		return NULL;
 
 	service = service_create(device, profile);
-- 
2.32.0.93.g670b81a890-goog
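Review bot: with `return NULL;` replacing `return l->data;`, probe_service now reports an already-present service and a failed probe (the existing `return NULL;` at the top of the hunk) with the same value, so a caller cannot tell "already added, skip" from "could not be added"; any caller that treats NULL as an error will now misreport the duplicate case. Consider either having the caller check find_service_with_profile() itself and skip the append, or keeping a distinct return for the existing-service case, and in either case spell out the new contract in the added comment (e.g. "Returns NULL if the service is already present or cannot be created") rather than only saying it won't be added.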