From: Sonny Sasaka <sonnysasaka@chromium.org>
Date: Fri, 21 Aug 2020 17:58:38 +0000 (-0700)
Subject: adapter: Fix crash in discovery_disconnect
X-Git-Tag: submit/tizen/20210606.232858~16
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=79dfd19d25a572314807949361adcb2fc203224d;p=platform%2Fupstream%2Fbluez.git

adapter: Fix crash in discovery_disconnect

discovery_disconnect crashed because the adapter pointer has been freed
before. This patch makes sure that discovery list is cleaned up before
adapter pointer is freed.

Signed-off-by: Anuj Jain <anuj01.jain@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
---

diff --git a/src/adapter.c b/src/adapter.c
index d8e6c998..2b0bf3af 100644
--- a/src/adapter.c
+++ b/src/adapter.c
@@ -10229,12 +10229,26 @@ static void free_service_auth(gpointer data, gpointer user_data)
 	g_free(auth);
 }
 
+static void remove_discovery_list(struct btd_adapter *adapter)
+{
+	g_slist_free_full(adapter->set_filter_list, discovery_free);
+	adapter->set_filter_list = NULL;
+
+	g_slist_free_full(adapter->discovery_list, discovery_free);
+	adapter->discovery_list = NULL;
+}
+
 static void adapter_free(gpointer user_data)
 {
 	struct btd_adapter *adapter = user_data;
 
 	DBG("%p", adapter);
 
+	/* Make sure the adapter's discovery list is cleaned up before freeing
+	 * the adapter.
+	 */
+	remove_discovery_list(adapter);
+
 	if (adapter->pairable_timeout_id > 0) {
 		g_source_remove(adapter->pairable_timeout_id);
 		adapter->pairable_timeout_id = 0;
@@ -12115,11 +12129,7 @@ static void adapter_stop(struct btd_adapter *adapter)
 
 	cancel_passive_scanning(adapter);
 
-	g_slist_free_full(adapter->set_filter_list, discovery_free);
-	adapter->set_filter_list = NULL;
-
-	g_slist_free_full(adapter->discovery_list, discovery_free);
-	adapter->discovery_list = NULL;
+	remove_discovery_list(adapter);
 
 	discovery_cleanup(adapter, 0);