Commit: 3d1a3daa040231b585dcc0cf127ba90e66f4035a
Parent: c082d4d9148fa57e76c31ede3433462bff97e1f8
Author: Szymon Janc <szymon.janc@codecoup.pl>
Committer: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: 2016-03-31 10:27:33
Tree: b3dfe49d564bcc2e1811d975e693e56929e5d210

audio/avdtp: Fix crash on outgoing connection failure

This fixes double free if outgoing connection failed. This was due to
connection_lost() being called from avdtp_unref which could result in
another call to connection_lost when session ref is already 0.

Fix this in similar way pairing agent is handled: takes extra reference
before calling callbacks and unref it before exit. Then only unref is
supposed to free session.

connect error: Host is down (112)
profiles/audio/avdtp.c:connection_lost() Disconnected from 00:0C:8A:FB:D4:16
profiles/audio/a2dp.c:discover_cb() err 0xfff000240
profiles/audio/avdtp.c:avdtp_unref() 0x85a88f0: ref=1
src/service.c:change_state() 0x7f7c710: device 00:0C:8A:FB:D4:16 profile a2dp-sink state changed: connecting -> disconnected (-11)
src/device.c:device_profile_connected() a2dp-sink Resource temporarily unavailable (11)
src/device.c:device_profile_connected() returning response to :1.37
profiles/audio/a2dp.c:setup_unref() 0x85b0380: ref=0
profiles/audio/a2dp.c:setup_free() 0x85b0380
profiles/audio/avdtp.c:avdtp_unref() 0x85a88f0: ref=0
profiles/audio/avdtp.c:connection_lost() Disconnected from 00:0C:8A:FB:D4:16
profiles/audio/a2dp.c:discover_cb() err 0xfff000170
profiles/audio/sink.c:sink_set_state() State changed /org/bluez/hci0/dev_00_0C_8A_FB_D4_16: SINK_STATE_CONNECTING -> SINK_STATE_DISCONNECTED
profiles/audio/a2dp.c:channel_remove() chan 0x85a8780
profiles/audio/avdtp.c:avdtp_free() 0x85a88f0
Invalid free() / delete / delete[] / realloc()
   at 0x4C29CF0: free (vg_replace_malloc.c:530)
   by 0x50CE5ED: g_free (in /usr/lib64/libglib-2.0.so.0.4600.2)
   by 0x4177E3: finalize_discovery (avdtp.c:1039)
   by 0x41789A: connection_lost (avdtp.c:1114)
   by 0x41A7FD: avdtp_connect_cb (avdtp.c:2339)
   by 0x44CBFB: connect_cb (btio.c:232)
   by 0x50C8E39: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.4600.2)
   by 0x50C91CF: ??? (in /usr/lib64/libglib-2.0.so.0.4600.2)
   by 0x50C94F1: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.4600.2)
   by 0x40B7B7: main (main.c:687)
 Address 0x85b4c30 is 0 bytes inside a block of size 24 free'd
   at 0x4C29CF0: free (vg_replace_malloc.c:530)
   by 0x50CE5ED: g_free (in /usr/lib64/libglib-2.0.so.0.4600.2)
   by 0x4177E3: finalize_discovery (avdtp.c:1039)
   by 0x41789A: connection_lost (avdtp.c:1114)
   by 0x413EE2: setup_free (a2dp.c:163)
   by 0x413EE2: setup_unref (a2dp.c:178)
   by 0x413F5F: setup_cb_free (a2dp.c:201)
   by 0x41638D: finalize_discover (a2dp.c:346)
   by 0x41638D: discover_cb (a2dp.c:1855)
   by 0x4177DB: finalize_discovery (avdtp.c:1037)
   by 0x41789A: connection_lost (avdtp.c:1114)
   by 0x41A7FD: avdtp_connect_cb (avdtp.c:2339)
   by 0x44CBFB: connect_cb (btio.c:232)
   by 0x50C8E39: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.4600.2)
 Block was alloc'd at
   at 0x4C2A988: calloc (vg_replace_malloc.c:711)
   by 0x50CE530: g_malloc0 (in /usr/lib64/libglib-2.0.so.0.4600.2)
   by 0x4190FB: avdtp_discover (avdtp.c:3186)
   by 0x416C19: a2dp_discover (a2dp.c:1872)
   by 0x413642: sink_setup_stream (sink.c:265)
   by 0x4136C4: sink_connect (sink.c:294)
   by 0x470165: btd_service_connect (service.c:238)
   by 0x47583C: connect_next.isra.18 (device.c:1455)
   by 0x478500: connect_profiles (device.c:1710)
   by 0x48EC4A: process_message.isra.5 (object.c:259)
   by 0x53DD1A2: ??? (in /usr/lib64/libdbus-1.so.3.14.6)
   by 0x53CE733: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.14.6)

Diffstat

M profiles/audio/avdtp.c | 21 +++++++++++++--------

1 files changed, 13 insertions(+), 8 deletions(-)
