From dbb3af61ed707b161815f0e51952363fb82afe86 Mon Sep 17 00:00:00 2001 From: Luiz Augusto von Dentz Date: Thu, 16 Sep 2021 15:36:00 -0700 Subject: admin: Fix double free Fixes the following double free which happen due to exit calling btd_unregister_adapter_driver: Invalid read of size 8 at 0x1CDA97: queue_foreach (queue.c:198) by 0x1318B8: admin_policy_remove (admin.c:591) by 0x18982A: plugin_cleanup (plugin.c:217) by 0x12E3FD: main (main.c:1214) Address 0x547ffb8 is 8 bytes inside a block of size 32 free'd at 0x483A9F5: free (vg_replace_malloc.c:538) by 0x1318CB: admin_policy_remove (admin.c:592) by 0x18F416: unload_driver (adapter.c:7215) by 0x496F50F: g_slist_foreach (in /usr/lib64/libglib-2.0.so.0.6600.8) by 0x131988: admin_exit (admin.c:623) by 0x18982A: plugin_cleanup (plugin.c:217) by 0x12E3FD: main (main.c:1214) Block was alloc'd at at 0x4839809: malloc (vg_replace_malloc.c:307) by 0x1CDE1E: btd_malloc (util.c:33) by 0x1CD83D: queue_new (queue.c:47) by 0x13150D: admin_init (admin.c:614) by 0x18966B: plugin_init (plugin.c:187) by 0x12E358: main (main.c:1198)
---
 plugins/admin.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'plugins')
diff --git a/plugins/admin.c b/plugins/admin.c
index c232c057c..7b7190a06 100644
--- a/plugins/admin.c
+++ b/plugins/admin.c
@@ -590,6 +590,7 @@ static void admin_policy_remove(struct btd_adapter *adapter)
 queue_foreach(devices, unregister_device_data, NULL);
 queue_destroy(devices, g_free);
+ devices = NULL;
 if (policy_data) {
 admin_policy_destroy(policy_data);
@@ -621,7 +622,6 @@ static void admin_exit(void)
 DBG("");
 btd_unregister_adapter_driver(&admin_policy_driver);
- admin_policy_remove(NULL);
 }
 BLUETOOTH_PLUGIN_DEFINE(admin, VERSION,
-- 
cgit v1.2.1
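Review bot: The `devices` queue is created once in admin_init() (per the valgrind trace in the commit message) but is still destroyed in the per-adapter admin_policy_remove() callback, so the new `devices = NULL;` hides the lifetime mismatch rather than removing it. After the first adapter removal the pointer stays NULL and nothing visible here recreates it, so any later remove() call or device tracking depends on the queue helpers tolerating a NULL queue; presumably they do, but that is not visible in this hunk and should be confirmed. With `admin_policy_remove(NULL);` dropped from admin_exit() in the second hunk, a run in which no adapter was ever probed would apparently never free the queue. Consider giving the queue a single owner, for example by moving `queue_destroy(devices, g_free); devices = NULL;` into admin_exit() after `btd_unregister_adapter_driver(&admin_policy_driver);`, or at least add a comment above the new assignment such as `/* devices is plugin-global; clear it so a later remove() sees NULL, not a freed queue */`. admin_policy_remove()'s body starts before and continues past the hunk.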