2021-07-08 06:25:50

by Yun-hao Chung

Subject: [Bluez PATCH v1 14/14] core: fix a possible crash when removing devices

From: Yun-Hao Chung <[email protected]>

This patch changes the logic of probe_service so that the same service
will not be added to a device.
---
The crash can be reproduced with the following steps:

1. set service allowlist to ['aaaa']
2. pair with any device
3. after the device is disconnected, set service allowlist to an empty
list
4. remove the device from adapter

In step 3, when the allowlist is set to empty, profiles that were blocked
will be added to each device. However, in step 2, the profiles the device
provides had already been added. Due to the logic of
device.c:probe_service, there will be 2 identical services in
device->services, which causes a double-free error when removing the
device.

src/device.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/device.c b/src/device.c
index 0d7444706336..dba26f787066 100644
--- a/src/device.c
+++ b/src/device.c
@@ -4709,8 +4709,11 @@ static struct btd_service *probe_service(struct btd_device *device,
return NULL;

l = find_service_with_profile(device->services, profile);
+ /* If the service already exists, return NULL so that it won't be added
+ * to the device->services.
+ */
if (l)
- return l->data;
+ return NULL;

service = service_create(device, profile);

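Review bot: with this change the duplicate-service path and the early-exit path at the top of the hunk (`return NULL;` before `find_service_with_profile`) both return NULL, so a caller of probe_service can no longer tell "this profile was already probed for the device" from "probing failed or the profile does not apply". If any caller treats a NULL return as a failure, the allowlist-reset scenario in the commit message will now trigger that failure handling for every already-probed profile instead of a silent skip; consider documenting the new meaning of NULL in the function's comment, or checking find_service_with_profile at the call site and skipping the probe there. Minor: the added comment reads better as "so that it won't be added to device->services" (drop "the").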
--
2.32.0.93.g670b81a890-goog