Fix the crash when stopping LE discovery 43/252743/1
authorDoHyun Pyun <dh79.pyun@samsung.com>
Tue, 2 Feb 2021 06:02:02 +0000 (15:02 +0900)
committerDoHyun Pyun <dh79.pyun@samsung.com>
Tue, 2 Feb 2021 06:02:02 +0000 (15:02 +0900)
This patchset backports two upstream commits. The issue would also be resolved by upgrading the BlueZ version, but for the product issue we carry them now as a hotfix patchset.

------------------------------------------------
commit b94e7fc4e267edbae5359a3efb69b14575c6ca3b
Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date:   Thu Jun 11 10:26:57 2020 -0700

    adapter: Fix passing wrong pointer to stop discovery
------------------------------------------------
commit 9dd6df753a0a7e09e09cea0fdc0bc056389624d4
Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date:   Mon Jun 8 14:55:57 2020 -0700

    adapter: Fix possible crash when stopping discovery
-----------------------------------------------

Change-Id: I5c9d5fa98e9a1201e2547fd674da851a4e82edab
Signed-off-by: DoHyun Pyun <dh79.pyun@samsung.com>
src/adapter.c

index e9ae74b..5beaaf8 100644 (file)
@@ -2439,10 +2439,14 @@ static void discovering_callback(uint16_t index, uint16_t length,
                        hci_clear_bit(BDADDR_LE_RANDOM, &adapter->discovery_type);
 
                        if (adapter->le_discovering == true) {
-                               struct watch_client *client;
-                               client = adapter->le_discovery_list->data;
+                               if (adapter->le_discovery_list) {
+                                       struct watch_client *client;
+
+                                       client = adapter->le_discovery_list->data;
+                                       g_dbus_remove_watch(dbus_conn, client->watch);
+                               }
+
                                adapter->le_discovering = false;
-                               g_dbus_remove_watch(dbus_conn, client->watch);
                        }
                } else {
                        hci_set_bit(BDADDR_LE_PUBLIC, &adapter->discovery_type);
@@ -2679,12 +2683,20 @@ done:
 static void stop_le_discovery_complete(uint8_t status, uint16_t length,
                                        const void *param, void *user_data)
 {
-       struct watch_client *client = user_data;
-       struct btd_adapter *adapter = client->adapter;
+       struct btd_adapter *adapter = user_data;
+       struct watch_client *client;
        DBusMessage *reply;
 
        DBG("status 0x%02x", status);
 
+       /* Is there are no clients the discovery must have been stopped while
+         * discovery command was pending.
+         */
+       if (!adapter->le_discovery_list)
+               return;
+
+       client = adapter->le_discovery_list->data;
+
        if (status != MGMT_STATUS_SUCCESS) {
                if (client->msg) {
                        reply = btd_error_busy(client->msg);
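Review bot: The comment on the new early return reads `Is there are no clients`; it should read `If there are no clients`, and it should say what is skipped: no D-Bus reply is sent because the client that requested the stop has already gone away. The function now assumes that `adapter->le_discovery_list->data` is the client whose `msg` must be answered; if several clients can be on the list (not visible here), the head may be a different client and the stopper's reply would be dropped or delivered to the wrong `msg`, so either a lookup of the entry with `msg` set or a `TODO` noting the single-client assumption would make that explicit. The early return also takes precedence over the `status` check, so a failed stop with no remaining clients is silently ignored; that is probably intended but deserves a word in the comment. stop_le_discovery_complete continues past the end of this hunk.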
@@ -3201,7 +3213,7 @@ static void le_discovery_disconnect(DBusConnection *conn, void *user_data)
 
        mgmt_send(adapter->mgmt, MGMT_OP_STOP_LE_DISCOVERY,
                                adapter->dev_id, sizeof(cp), &cp,
-                               stop_discovery_complete, client, NULL);
+                               stop_le_discovery_complete, adapter, NULL);
 }
 
 #ifdef TIZEN_FEATURE_PLATFROM_SCAN_FILTER
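Review bot: Passing `adapter` instead of `client` removes the dangling user_data, but the adapter is now the object that must outlive the pending command; unless the adapter teardown already cancels outstanding mgmt requests for its index (not visible here), an adapter removed while `MGMT_OP_STOP_LE_DISCOVERY` is in flight would hand `stop_le_discovery_complete` a freed `adapter`, the same class of bug this hotfix addresses. A short comment on the call would record the ownership rule: `/* user_data must be the adapter, not the client: the client is freed on disconnect while this command may still be pending. */`. le_discovery_disconnect starts before this hunk.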
@@ -4426,7 +4438,7 @@ static DBusMessage *adapter_stop_le_discovery(DBusConnection *conn,
        DBG("cp.type %d", cp.type);
        mgmt_send(adapter->mgmt, MGMT_OP_STOP_LE_DISCOVERY,
                                adapter->dev_id, sizeof(cp), &cp,
-                               stop_le_discovery_complete, client, NULL);
+                               stop_le_discovery_complete, adapter, NULL);
 
        client->msg = dbus_message_ref(msg);
        return NULL;
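Review bot: `client->msg` is stored only after `mgmt_send`, and the completion callback now locates the client through the head of `adapter->le_discovery_list` rather than through user_data, so the reply reaches this caller only if `client` is still the list head when the command completes; if the list can hold several entries or entries are prepended (neither visible here), the reply may be sent on another client's `msg` or lost. A comment tying the two sides together would help, e.g. `/* Reply is sent by stop_le_discovery_complete via le_discovery_list->data, so client must remain the list head until then. */`. Moving the `client->msg = dbus_message_ref(msg);` line above the `mgmt_send` call would also remove any dependence on the send not completing synchronously. adapter_stop_le_discovery starts before this hunk.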