From 6dfd0d376ff222eb7da283ece7f88a1cc6f4a0c0 Mon Sep 17 00:00:00 2001 From: Luiz Augusto von Dentz Date: Wed, 3 Dec 2014 13:53:25 +0200 Subject: [PATCH] android: Fix crash on android-tester When doing the HAL cleanup the callbacks should be reset to NULL after calling hal_ipc_unregister otherwise an handler may be called leading to invalid reads: BlueZ D: android/hal-a2dp.c:cleanup() bluetoothd[2624]: android/avdtp.c:connection_lost() Disconnected: Input/output error (5) bluetoothd[2624]: android/avdtp.c:avdtp_ref() 0x5841900: ref=2 bluetoothd[2624]: android/a2dp.c:bt_a2dp_notify_state() device 00:AA:01:01:00:00 state 0 ==2564== Thread 3: ==2564== Invalid read of size 8 ==2564== at 0x6B66B47: handle_conn_state (hal-a2dp.c:38) ==2564== by 0x6B6CDB3: notification_handler (hal-ipc.c:125) ==2564== by 0x5368EE4: start_thread (in /usr/lib64/libpthread-2.18.so) ==2564== by 0x5672B8C: clone (in /usr/lib64/libc-2.18.so) ==2564== Address 0x8 is not stack'd, malloc'd or (recently) free'd --- android/hal-a2dp-sink.c | 4 ++-- android/hal-a2dp.c | 4 ++-- android/hal-avrcp-ctrl.c | 4 ++-- android/hal-avrcp.c | 4 ++-- android/hal-bluetooth.c | 4 ++-- android/hal-gatt.c | 4 ++-- android/hal-handsfree-client.c | 4 ++-- android/hal-handsfree.c | 4 ++-- android/hal-health.c | 4 ++-- android/hal-hidhost.c | 4 ++-- android/hal-pan.c | 4 ++-- 11 files changed, 22 insertions(+), 22 deletions(-) diff --git a/android/hal-a2dp-sink.c b/android/hal-a2dp-sink.c index 001b0224e..a0b7ed1c4 100644 --- a/android/hal-a2dp-sink.c +++ b/android/hal-a2dp-sink.c @@ -139,14 +139,14 @@ static void cleanup(void) if (!interface_ready()) return; - cbs = NULL; - cmd.service_id = HAL_SERVICE_ID_A2DP_SINK; hal_ipc_cmd(HAL_SERVICE_ID_CORE, HAL_OP_UNREGISTER_MODULE, sizeof(cmd), &cmd, NULL, NULL, NULL); hal_ipc_unregister(HAL_SERVICE_ID_A2DP_SINK); + + cbs = NULL; } static btav_interface_t iface = { diff --git a/android/hal-a2dp.c b/android/hal-a2dp.c index ca92b0ee5..f572875e8 100644 --- a/android/hal-a2dp.c 
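Review bot: Moving `cbs = NULL` after `hal_ipc_unregister()` only closes the race if hal_ipc_unregister itself waits for a notification handler that is already executing on the IPC thread; nothing in this hunk or in the others with the same change (hal-a2dp.c, hal-avrcp-ctrl.c, hal-avrcp.c, hal-bluetooth.c, hal-gatt.c, hal-handsfree-client.c, hal-handsfree.c, hal-health.c, hal-hidhost.c, hal-pan.c) shows that guarantee, and `cbs` remains a plain non-atomic pointer read from another thread, so if unregister merely removes the table entry a handler mid-dispatch can still hit the same invalid read. Since the statement order is now load-bearing, it should be stated at the new assignment, e.g. `/* Keep cbs valid until the IPC handlers are unregistered: the notification thread may still dispatch into them. */`. If hal_ipc_unregister does synchronize with the handler thread, a one-line comment saying so would let the next reader confirm the fix without opening hal-ipc.c. The start of cleanup(), including the declaration of cmd, lies outside the hunk.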
+++ b/android/hal-a2dp.c @@ -141,14 +141,14 @@ static void cleanup(void) if (!interface_ready()) return; - cbs = NULL; - cmd.service_id = HAL_SERVICE_ID_A2DP; hal_ipc_cmd(HAL_SERVICE_ID_CORE, HAL_OP_UNREGISTER_MODULE, sizeof(cmd), &cmd, NULL, NULL, NULL); hal_ipc_unregister(HAL_SERVICE_ID_A2DP); + + cbs = NULL; } static btav_interface_t iface = { diff --git a/android/hal-avrcp-ctrl.c b/android/hal-avrcp-ctrl.c index 9ae463175..46b77fd8f 100644 --- a/android/hal-avrcp-ctrl.c +++ b/android/hal-avrcp-ctrl.c @@ -122,14 +122,14 @@ static void cleanup(void) if (!interface_ready()) return; - cbs = NULL; - cmd.service_id = HAL_SERVICE_ID_AVRCP_CTRL; hal_ipc_cmd(HAL_SERVICE_ID_CORE, HAL_OP_UNREGISTER_MODULE, sizeof(cmd), &cmd, NULL, NULL, NULL); hal_ipc_unregister(HAL_SERVICE_ID_AVRCP_CTRL); + + cbs = NULL; } static btrc_ctrl_interface_t iface = { diff --git a/android/hal-avrcp.c b/android/hal-avrcp.c index 6c7f195ee..f935eda51 100644 --- a/android/hal-avrcp.c +++ b/android/hal-avrcp.c @@ -656,14 +656,14 @@ static void cleanup(void) if (!interface_ready()) return; - cbs = NULL; - cmd.service_id = HAL_SERVICE_ID_AVRCP; hal_ipc_cmd(HAL_SERVICE_ID_CORE, HAL_OP_UNREGISTER_MODULE, sizeof(cmd), &cmd, NULL, NULL, NULL); hal_ipc_unregister(HAL_SERVICE_ID_AVRCP); + + cbs = NULL; } static btrc_interface_t iface = { diff --git a/android/hal-bluetooth.c b/android/hal-bluetooth.c index cceb196ea..fac6b6fbc 100644 --- a/android/hal-bluetooth.c +++ b/android/hal-bluetooth.c @@ -591,9 +591,9 @@ static void cleanup(void) hal_ipc_cleanup(); - bt_hal_cbacks = NULL; - hal_ipc_unregister(HAL_SERVICE_ID_BLUETOOTH); + + bt_hal_cbacks = NULL; } static int get_adapter_properties(void) diff --git a/android/hal-gatt.c b/android/hal-gatt.c index 73fa8818d..d06164ec5 100644 --- a/android/hal-gatt.c +++ b/android/hal-gatt.c 
@@ -1978,14 +1978,14 @@ static void cleanup(void) if (!interface_ready()) return; - cbs = NULL; - cmd.service_id = HAL_SERVICE_ID_GATT; hal_ipc_cmd(HAL_SERVICE_ID_CORE, HAL_OP_UNREGISTER_MODULE, sizeof(cmd), &cmd, NULL, NULL, NULL); hal_ipc_unregister(HAL_SERVICE_ID_GATT); + + cbs = NULL; } static btgatt_client_interface_t client_iface = { diff --git a/android/hal-handsfree-client.c b/android/hal-handsfree-client.c index 66b5df48f..93b5746b6 100644 --- a/android/hal-handsfree-client.c +++ b/android/hal-handsfree-client.c @@ -616,14 +616,14 @@ static void cleanup(void) if (!interface_ready()) return; - cbs = NULL; - cmd.service_id = HAL_SERVICE_ID_HANDSFREE_CLIENT; hal_ipc_cmd(HAL_SERVICE_ID_CORE, HAL_OP_UNREGISTER_MODULE, sizeof(cmd), &cmd, NULL, NULL, NULL); hal_ipc_unregister(HAL_SERVICE_ID_HANDSFREE_CLIENT); + + cbs = NULL; } static bthf_client_interface_t iface = { diff --git a/android/hal-handsfree.c b/android/hal-handsfree.c index e2cfc39bf..2c638e622 100644 --- a/android/hal-handsfree.c +++ b/android/hal-handsfree.c @@ -819,14 +819,14 @@ static void cleanup(void) if (!interface_ready()) return; - cbs = NULL; - cmd.service_id = HAL_SERVICE_ID_HANDSFREE; hal_ipc_cmd(HAL_SERVICE_ID_CORE, HAL_OP_UNREGISTER_MODULE, sizeof(cmd), &cmd, NULL, NULL, NULL); hal_ipc_unregister(HAL_SERVICE_ID_HANDSFREE); + + cbs = NULL; } #if ANDROID_VERSION >= PLATFORM_VER(5, 0, 0) diff --git a/android/hal-health.c b/android/hal-health.c index 846273647..5d5b11137 100644 --- a/android/hal-health.c +++ b/android/hal-health.c @@ -271,14 +271,14 @@ static void cleanup(void) if (!interface_ready()) return; - cbacks = NULL; - cmd.service_id = HAL_SERVICE_ID_HEALTH; hal_ipc_cmd(HAL_SERVICE_ID_CORE, HAL_OP_UNREGISTER_MODULE, sizeof(cmd), &cmd, NULL, NULL, NULL); hal_ipc_unregister(HAL_SERVICE_ID_HEALTH); + + cbacks = NULL; } static bthl_interface_t health_if = { diff --git a/android/hal-hidhost.c b/android/hal-hidhost.c index 3cfc6b63b..1a603269c 100644 --- a/android/hal-hidhost.c 
+++ b/android/hal-hidhost.c @@ -373,14 +373,14 @@ static void cleanup(void) if (!interface_ready()) return; - cbacks = NULL; - cmd.service_id = HAL_SERVICE_ID_HIDHOST; hal_ipc_cmd(HAL_SERVICE_ID_CORE, HAL_OP_UNREGISTER_MODULE, sizeof(cmd), &cmd, NULL, NULL, NULL); hal_ipc_unregister(HAL_SERVICE_ID_HIDHOST); + + cbacks = NULL; } static bthh_interface_t hidhost_if = { diff --git a/android/hal-pan.c b/android/hal-pan.c index cd783bc10..61d44a930 100644 --- a/android/hal-pan.c +++ b/android/hal-pan.c @@ -184,14 +184,14 @@ static void pan_cleanup(void) if (!interface_ready()) return; - cbs = NULL; - cmd.service_id = HAL_SERVICE_ID_PAN; hal_ipc_cmd(HAL_SERVICE_ID_CORE, HAL_OP_UNREGISTER_MODULE, sizeof(cmd), &cmd, NULL, NULL, NULL); hal_ipc_unregister(HAL_SERVICE_ID_PAN); + + cbs = NULL; } static btpan_interface_t pan_if = { -- 2.47.3