adb: disconnect: fix write-after-free memory corruption and crash.
Transport atransport objects are semi-reference counted: the input and output threads each hold a reference. The adb disconnect command was calling transport_unref to release a reference that it never had in the first place. This meant that the refcount dropped to zero and the object was deleted before either the input or output thread released its reference. When that last thread released its reference, it wrote to freed memory and also sometimes crashed. This fix is to not release any unheld reference, instead it just kicks the transport to break remote_read in output_thread. So all transport close flow goes the following way: output_thread (exit) -> main thread (offline the transport) -> input thread (exit) -> main thread (destroy the transport) Change-Id: Iad1fe718acc8716f3a79c8c22b426a1b2450452c
Loading
Please register or sign in to comment