Return-Path:
From: Gowtham Anandha Babu
To: linux-bluetooth@vger.kernel.org
Cc: bharat.panda@samsung.com, cpgs@samsung.com, Gowtham Anandha Babu
Subject: [PATCH 2/3] shared/gatt-client: Fix usage of freed memory
Date: Wed, 14 Jan 2015 15:27:37 +0530
Message-id: <1421229458-11207-3-git-send-email-gowtham.ab@samsung.com>
In-reply-to: <1421229458-11207-1-git-send-email-gowtham.ab@samsung.com>
References: <1421229458-11207-1-git-send-email-gowtham.ab@samsung.com>
Sender: linux-bluetooth-owner@vger.kernel.org
List-ID:
src/shared/gatt-client.c:472:14: warning: Use of memory after it is freed
op->success = false;
~~~~~~~~~~~ ^
src/shared/gatt-client.c:627:14: warning: Use of memory after it is freed
op->success = success;
~~~~~~~~~~~ ^
src/shared/gatt-client.c:728:14: warning: Use of memory after it is freed
op->success = success;
~~~~~~~~~~~ ^
src/shared/gatt-client.c:820:14: warning: Use of memory after it is freed
op->success = success;
~~~~~~~~~~~ ^
src/shared/gatt-client.c:888:14: warning: Use of memory after it is freed
op->success = success;
~~~~~~~~~~~ ^
src/shared/gatt-client.c:1909:2: warning: Use of memory after it is freed
complete_read_long_op(op, success, att_ecode);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:2126:2: warning: Use of memory after it is freed
complete_write_long_op(op, success, 0, false);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:2194:6: warning: Use of memory after it is freed
if (op->callback)
^~~~~~~~~~~~
---
 src/shared/gatt-client.c | 23 +++++++++++------------
 1 file changed, 11 insertions(+), 12 deletions(-)
diff --git a/src/shared/gatt-client.c b/src/shared/gatt-client.c
index 3042a6c..371e89f 100644
--- a/src/shared/gatt-client.c
+++ b/src/shared/gatt-client.c
@@ -449,7 +449,6 @@ next:
 util_debug(client->debug_callback, client->debug_data, "Failed to start characteristic discovery");
- discovery_op_unref(op);
 goto failed;
 }
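Review bot: The `discovery_op_unref(op)` removed here ran only when the discovery request whose start failure is logged just above could not be started, but its replacement, added after `op->complete_func()` at `failed:` in the @@ -466 hunk, runs on every path that reaches that label, and the same shift happens at `done:` in the @@ -626, @@ -727, @@ -814 and @@ -881 hunks and for `read_long_op_unref()` in the @@ -1897/@@ -1907 hunks. Which accounting is right depends on code outside the hunks: if the reference for the current callback invocation is released by the destroy function handed along with `discovery_op_ref(op)` once the callback returns, the added line over-releases op on the ordinary completion paths; if a failed start already runs that destroy — the only way the removed line could have dropped the last reference before the dereference the analyzer flagged — then deleting the failure-path unref is the whole fix and the added line is not needed. The commit message quotes analyzer output without stating who owns which reference, so the added unref should carry a comment naming the reference it releases (a placeholder such as `/* releases the ref taken for <which owner> — confirm before merge */` until that is settled), and the failed-start path should be exercised once under AddressSanitizer to confirm the count. The enclosing callback begins and ends outside this hunk.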
@@ -466,11 +465,11 @@ next:
 util_debug(client->debug_callback, client->debug_data, "Failed to start included discovery");
- discovery_op_unref(op);
 failed:
 op->success = false;
 op->complete_func(op, false, att_ecode);
+ discovery_op_unref(op);
 }
 struct chrc {
@@ -618,7 +617,6 @@ next:
 util_debug(client->debug_callback, client->debug_data, "Failed to start characteristic discovery");
- discovery_op_unref(op);
 failed:
 success = false;
@@ -626,6 +624,7 @@ failed:
 done:
 op->success = success;
 op->complete_func(op, success, att_ecode);
+ discovery_op_unref(op);
 }
 static void discover_chrcs_cb(bool success, uint8_t att_ecode,
@@ -719,7 +718,6 @@ next:
 util_debug(client->debug_callback, client->debug_data, "Failed to start characteristic discovery");
- discovery_op_unref(op);
 failed:
 success = false;
@@ -727,6 +725,7 @@ failed:
 done:
 op->success = success;
 op->complete_func(op, success, att_ecode);
+ discovery_op_unref(op);
 }
 static void discover_secondary_cb(bool success, uint8_t att_ecode,
@@ -814,11 +813,11 @@ next:
 util_debug(client->debug_callback, client->debug_data, "Failed to start included services discovery");
- discovery_op_unref(op);
 done:
 op->success = success;
 op->complete_func(op, success, att_ecode);
+ discovery_op_unref(op);
 }
 static void discover_primary_cb(bool success, uint8_t att_ecode,
@@ -881,12 +880,12 @@ static void discover_primary_cb(bool success, uint8_t att_ecode,
 util_debug(client->debug_callback, client->debug_data, "Failed to start secondary service discovery");
- discovery_op_unref(op);
 success = false;
 done:
 op->success = success;
 op->complete_func(op, success, att_ecode);
+ discovery_op_unref(op);
 }
 static void notify_client_ready(struct bt_gatt_client *client, bool success,
@@ -1897,7 +1896,6 @@ static void read_long_cb(uint8_t opcode, const void *pdu,
 read_long_op_unref)) return;
- read_long_op_unref(op);
 success = false;
 goto done;
 }
@@ -1907,6 +1905,7 @@ success:
 done:
 complete_read_long_op(op, success, att_ecode);
+ read_long_op_unref(op);
 }
 bool bt_gatt_client_read_long_value(struct bt_gatt_client *client,
@@ -2109,7 +2108,6 @@ static void handle_next_prep_write(struct long_write_op *op)
 prepare_write_cb, long_write_op_ref(op), long_write_op_unref)) {
- long_write_op_unref(op);
 success = false;
 }
@@ -2124,6 +2122,7 @@ static void handle_next_prep_write(struct long_write_op *op)
 done:
 complete_write_long_op(op, success, 0, false);
+ long_write_op_unref(op);
 }
 static void start_next_long_write(struct bt_gatt_client *client)
@@ -2141,10 +2140,10 @@ static void start_next_long_write(struct bt_gatt_client *client)
 handle_next_prep_write(op);
- /* send_next_prep_write adds an extra ref. Unref here to clean up if
- * necessary, since we also added a ref before pushing to the queue.
+ /* send_next_prep_write adds an extra ref. Unref is handled inside
+ * handle_next_prep_write, since we also added a ref before pushing
+ * to the queue.
 */
- long_write_op_unref(op);
 }
 static void execute_write_cb(uint8_t opcode, const void *pdu, uint16_t length,
@@ -2188,13 +2187,13 @@ static void complete_write_long_op(struct long_write_op *op, bool success,
 long_write_op_unref)) return;
- long_write_op_unref(op);
 success = false;
 if (op->callback) op->callback(success, reliable_error, att_ecode, op->user_data);
 start_next_long_write(op->client);
+ long_write_op_unref(op);
 }
 static void prepare_write_cb(uint8_t opcode, const void *pdu, uint16_t length,
-- 
1.9.1
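Review bot: The unconditional `long_write_op_unref(op)` removed from start_next_long_write in the @@ -2141 hunk is replaced only by the unref added after `complete_write_long_op()` at `done:` in handle_next_prep_write (@@ -2124); if handle_next_prep_write returns before `done:` once the prepare write has been handed to `bt_att_send()` — that part of the function lies outside the hunks — the reference the comment says was taken before queueing is never released, and any other caller of handle_next_prep_write now sees an unref it did not get before. On the `done:` path the releases also move into the callee chain: complete_write_long_op now unrefs at its tail (@@ -2188) when the execute-write request cannot be sent, and handle_next_prep_write unrefs again after it returns, so the three removed `- long_write_op_unref(op);` lines are replaced by two added ones at different points and the number of drops per path should be tabulated before this is merged. The rewritten comment names handle_next_prep_write as the new owner of the unref but not on which paths it performs it; it should say so, e.g. `/* handle_next_prep_write() drops the queue ref when it reaches done:; a successfully sent prepare write keeps it for prepare_write_cb */`, if that is the intended contract. start_next_long_write, handle_next_prep_write and complete_write_long_op all extend beyond their hunks.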