Fix race condition between usb_host_destroy and fd_removed_cb

fd_removed_cb is called by libusb_exit() -> usbi_io_exit() -> usbi_remove_poolfd() -> ctx->fd_removed_cb.

fd_removed_cb uses context->gio_channels and context->channel_list_lock.
So, you should not free and destroy it before calling libusb_exit().

Signed-off-by: INSUN PYO <insun.pyo@samsung.com>
Change-Id: I5fdde607d19be9e4df9214489f91e3d33f41eaf6

diff --git a/src/usb_host.c b/src/usb_host.c
index 410acc4d0f68268d4354373ade58b626e2c925b2..2247bf70e60c11e693de6b64317f1f61bb756ad0 100755 (executable)
--- a/src/usb_host.c
+++ b/src/usb_host.c
@@ -578,14 +578,15 @@ int usb_host_destroy(usb_host_context_h context)
                fd = g_io_channel_unix_get_fd(ch->ch);
                g_source_remove(ch->source_tag);
                g_io_channel_unref(ch->ch);
+               context->gio_channels = g_list_delete_link(context->gio_channels, l);
                l = next;
                free(ch);
                _I("removed fd %d", fd);
        }
 
+       libusb_exit(context->lusb_ctx);
        g_list_free(context->gio_channels);
        pthread_mutex_destroy(&context->channel_list_lock);
-       libusb_exit(context->lusb_ctx);
 
        free(context);
        return USB_HOST_ERROR_NONE;