From 71a58bdcf0ccdc4f696441a04b5970e2335408ec Mon Sep 17 00:00:00 2001
From: Jakub Pawlowski
Date: Wed, 22 Feb 2017 10:34:45 -0800
Subject: [PATCH] Fix stack crash after bonding
delayed_auth_timer_ent was freed and re-created during it's execution. Instead of re-creating, just cancel the timers in smp_cb_cleanup.
Test: manual, bond with HID device on linux
Bug: 34083285
Change-Id: Ie569666846db5dcb2466cff00665b2c1490d7d10
---
 stack/smp/smp_utils.cc | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/stack/smp/smp_utils.cc b/stack/smp/smp_utils.cc
index 06947a7f2..253938802 100644
--- a/stack/smp/smp_utils.cc
+++ b/stack/smp/smp_utils.cc
@@ -844,16 +844,18 @@ void smp_xor_128(BT_OCTET16 a, BT_OCTET16 b) {
 void smp_cb_cleanup(tSMP_CB* p_cb) {
 tSMP_CALLBACK* p_callback = p_cb->p_callback;
 uint8_t trace_level = p_cb->trace_level;
+ alarm_t* smp_rsp_timer_ent = p_cb->smp_rsp_timer_ent;
+ alarm_t* delayed_auth_timer_ent = p_cb->delayed_auth_timer_ent;
 SMP_TRACE_EVENT("smp_cb_cleanup");
- alarm_free(p_cb->smp_rsp_timer_ent);
- alarm_free(p_cb->delayed_auth_timer_ent);
+ alarm_cancel(p_cb->smp_rsp_timer_ent);
+ alarm_cancel(p_cb->delayed_auth_timer_ent);
 memset(p_cb, 0, sizeof(tSMP_CB));
 p_cb->p_callback = p_callback;
 p_cb->trace_level = trace_level;
- p_cb->smp_rsp_timer_ent = alarm_new("smp.smp_rsp_timer_ent");
- p_cb->delayed_auth_timer_ent = alarm_new("smp.delayed_auth_timer_ent");
+ p_cb->smp_rsp_timer_ent = smp_rsp_timer_ent;
+ p_cb->delayed_auth_timer_ent = delayed_auth_timer_ent;
 }
 /*******************************************************************************
--
2.11.0
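Review bot: smp_cb_cleanup now depends on both alarm_t objects having been allocated before its first call, but nothing in the new code states or checks that: with `alarm_new` gone from this function, a NULL `smp_rsp_timer_ent` or `delayed_auth_timer_ent` is saved in the local, and written back as NULL after the `memset`. Where the timers are created is not visible in this patch, so confirm they are allocated once at SMP initialisation and freed only at teardown. I would add a comment above the cancel calls such as `// Timers live as long as smp_cb: cleanup may run from a timer callback, so cancel them here and never free.` so a later change does not reintroduce the free-during-execution crash described in the commit message. As a style point, the cancel calls could use the locals just saved, `alarm_cancel(smp_rsp_timer_ent);` and `alarm_cancel(delayed_auth_timer_ent);`.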