From 28419bdc2fd093bcbc68b629b9c7b8c295260c57 Mon Sep 17 00:00:00 2001
From: Szymon Janc <szymon.janc@gmail.com>
Date: Mon, 9 Dec 2013 20:20:55 +0100
Subject: [PATCH 5/5] core: Fix crash due to agent callback freeing the agent

A similar fix was provided for simple_agent_reply in a2f5d438, but the
pincode_reply case was missed.

Fix following:

src/agent.c:agent_disconnect() Agent :1.48 disconnected
src/agent.c:set_default_agent() Default agent cleared
src/agent.c:agent_destroy() agent :1.48
src/agent.c:agent_unref() 0x4701c68: ref=1
Agent /org/bluez/agent replied with an error:
    org.freedesktop.DBus.Error.NoReply, Message did not receive a reply
    (timeout by message bus)
src/adapter.c:btd_adapter_pincode_reply() hci0 addr 6C:0E:0D:DB:D1:16
    pinlen 0
src/agent.c:agent_unref() 0x4701c68: ref=0
src/adapter.c:btd_adapter_pincode_reply() hci0 addr 6C:0E:0D:DB:D1:16
    pinlen 0
src/agent.c:agent_unref() 0x4701c68: ref=-1
src/adapter.c:btd_adapter_pincode_reply() hci0 addr 6C:0E:0D:DB:D1:16
    pinlen 0
src/agent.c:agent_unref() 0x4701c68: ref=-2
...
---
 src/agent.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/agent.c b/src/agent.c
index b292881..2ec3183 100644
--- a/src/agent.c
+++ b/src/agent.c
@@ -428,6 +428,9 @@ static void pincode_reply(DBusPendingCall *call, void *user_data)
 	 * is only called after a reply has been received */
 	message = dbus_pending_call_steal_reply(call);
 
+	/* Protect from the callback freeing the agent */
+	agent_ref(agent);
+
 	dbus_error_init(&err);
 	if (dbus_set_error_from_message(&err, message)) {
 		error("Agent %s replied with an error: %s, %s",
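Review bot: The reference taken by `agent_ref(agent)` is released only at the `done:` label in the second hunk, so any exit from pincode_reply() that bypasses `done:` would leak the agent. The body between the two hunks is not visible here, so this needs checking against the full function. The comment could also say which callback is meant and what it guards against, e.g. `/* Hold a ref: the request callback may drop the last reference to the agent */`. Separately, the log in the commit message shows agent_unref() reaching ref=-1 and ref=-2, which suggests it keeps operating on an already-released object. A check in agent_unref() for a count that is already zero would make that kind of use-after-free fail loudly instead of silently corrupting memory.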
@@ -467,6 +470,7 @@ done:
 	dbus_pending_call_cancel(req->call);
 	agent->request = NULL;
 	agent_request_free(req, TRUE);
+	agent_unref(agent);
 }
 
 static int pincode_request_new(struct agent_request *req, const char *device_path,
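Review bot: Nothing in the code records that `agent_unref(agent)` must stay after `agent->request = NULL` and `agent_request_free(req, TRUE)`, although the fix depends on that order. If the unref were moved above them, the write to `agent->request` could again touch a freed agent. A short comment on the added line would pin this, e.g. `/* Must be last: may drop the final reference and free the agent */`. The `done:` block starts outside this hunk, so any other statements in it that dereference `agent` should be checked the same way.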
-- 
1.8.4.2