From ba266f7efdfb4c90e65f59a2da3d626ae26ab945 Mon Sep 17 00:00:00 2001
From: Miao-chen Chou
Date: Mon, 2 Nov 2020 14:30:03 -0800
Subject: [PATCH] adapter: Fix a crash caused by lingering discovery client pointer
This cleans up the lingering pointer, adapter->client, during powering off the adapter. The crash occurs when a D-Bus client set Powered property to false and immediately calls StopDiscovery() when there is ongoing discovery. As a part of powering off the adapter, adapter->discovery_list gets cleared, and given that adapter->client refers to one of the clients in adapter->discovery_list, adapter->client should be cleared along with it.
(1) Connect to a BT audio device from BT system tray.
(2) Once the audio device is connected, power off BT and immediately power off the audio device.
---
 src/adapter.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/adapter.c b/src/adapter.c
index dffb8bc84..56d0c6eaa 100644
--- a/src/adapter.c
+++ b/src/adapter.c
@@ -1497,6 +1497,7 @@ static void discovery_cleanup(struct btd_adapter *adapter, int timeout)
 static void discovery_free(void *user_data)
 {
 struct discovery_client *client = user_data;
+ struct btd_adapter *adapter = client->adapter;
 DBG("%p", client);
@@ -1508,8 +1509,14 @@ static void discovery_free(void *user_data)
 client->discovery_filter = NULL;
 }
- if (client->msg)
+ if (client->msg) {
+ if (client == adapter->client) {
+ g_dbus_send_message(dbus_conn,
+ btd_error_busy(client->msg));
+ adapter->client = NULL;
+ }
 dbus_message_unref(client->msg);
+ }
 g_free(client->owner);
 g_free(client);
-- 
2.47.3
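Review bot: The `adapter->client = NULL` reset in the second hunk is nested inside `if (client->msg)`, so a client that is still `adapter->client` but has no pending message is handed to `g_free(client)` with `adapter->client` left pointing at freed memory — the same use-after-free class this patch is fixing, just on a different path. Whether that state is reachable depends on how the pending-reply path clears `adapter->client`, which is outside this hunk, but the invariant is cheap to enforce unconditionally: keep the busy reply under the message guard and clear `adapter->client` regardless, as sketched below. The first hunk also dereferences `client->adapter` without a check; if any discovery client can exist before its adapter is assigned, `adapter->client` here is a NULL dereference, so either guard it or add a comment stating that `client->adapter` is always set. discovery_free's closing brace lies outside the hunk.

```c
	if (client->msg) {
		/* Answer a pending StartDiscovery before dropping its
		 * message, otherwise the D-Bus caller never gets a reply. */
		if (client == adapter->client)
			g_dbus_send_message(dbus_conn,
					btd_error_busy(client->msg));
		dbus_message_unref(client->msg);
	}

	/* Never leave adapter->client pointing at memory freed below,
	 * whether or not a reply was pending. */
	if (client == adapter->client)
		adapter->client = NULL;

	/* … unchanged: g_free(client->owner); g_free(client); … */
```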