If a HFP audio gateway was connected via the ofono backend, pulse would
segfault during shutdown of the daemon. pa_bluetooth_discovery_unref()
removed the devices before the ofono backend was freed. Because the
ofono backend keeps its own list of transports, transport_free() was
then called during termination of the ofono backend with an invalid device
in the transport. Bug reported by Andrew Hlynskyi.
This patch moves the termination of the ofono and native backends before
freeing the devices.
---
src/modules/bluetooth/bluez5-util.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/modules/bluetooth/bluez5-util.c b/src/modules/bluetooth/bluez5-util.c
index 23100fca..8956fb13 100644
--- a/src/modules/bluetooth/bluez5-util.c
+++ b/src/modules/bluetooth/bluez5-util.c
@@ -1807,6 +1807,11 @@ void pa_bluetooth_discovery_unref(pa_bluetooth_discovery *y) {
pa_dbus_free_pending_list(&y->pending);
+ if (y->ofono_backend)
+ pa_bluetooth_ofono_backend_free(y->ofono_backend);
+ if (y->native_backend)
+ pa_bluetooth_native_backend_free(y->native_backend);
+
if (y->adapters)
pa_hashmap_free(y->adapters);
@@ -1818,11 +1823,6 @@ void pa_bluetooth_discovery_unref(pa_bluetooth_discovery *y) {
pa_hashmap_free(y->transports);
}
- if (y->ofono_backend)
- pa_bluetooth_ofono_backend_free(y->ofono_backend);
- if (y->native_backend)
- pa_bluetooth_native_backend_free(y->native_backend);
-
if (y->connection) {
if (y->matches_added)
--
2.11.0
