From 93252f39ef75dbca4e7e238032c5065727464a85 Mon Sep 17 00:00:00 2001
From: Aleksander Morgado
Date: Fri, 20 Jul 2012 12:34:22 +0200
Subject: [PATCH] icera: avoid highly unlikely use of already unref-ed bearer

In the connection and disconnection sequences, we make sure that the Bearer object is valid by keeping a reference in the Dial3gppContext and Disconnect3gppContext (actually, another one kept by the GSimpleAsyncResult as well). But we are considering here the case where the context is completed and freed by an unsolicited message handler before we get the reply to the AT command, so to properly ensure that the bearer object is still valid when we try to check if the context is in the priv struct, we need to keep an extra ref around.
---
 plugins/icera/mm-broadband-bearer-icera.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/plugins/icera/mm-broadband-bearer-icera.c b/plugins/icera/mm-broadband-bearer-icera.c
index 066f3a19..1eb590d8 100644
--- a/plugins/icera/mm-broadband-bearer-icera.c
+++ b/plugins/icera/mm-broadband-bearer-icera.c
@@ -345,6 +345,10 @@ disconnect_ipdpact_ready (MMBaseModem *modem,
 /* Try to recover the disconnection context. If none found, it means the
 * context was already completed and we have nothing else to do. */
 ctx = self->priv->disconnect_pending;
+
+ /* Balance refcount with the extra ref we passed to command_full() */
+ g_object_unref (self);
+
+ if (!ctx) {
 mm_dbg ("Disconnection context was finished already by an unsolicited message");
@@ -407,7 +411,7 @@ disconnect_3gpp (MMBroadbandBearer *bearer,
 FALSE,
 NULL, /* cancellable */
 (GAsyncReadyCallback)disconnect_ipdpact_ready,
- ctx->self); /* we pass the bearer object! */
+ g_object_ref (ctx->self)); /* we pass the bearer object! */
 g_free (command);
 }
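Review bot: The added `g_object_unref (self);` in disconnect_ipdpact_ready() runs before the `if (!ctx)` check, so in the very case the commit describes (context already completed by an unsolicited message) it may drop the last reference while the callback is still executing. That is only safe if nothing after this point touches `self` when `ctx` is NULL and if a non-NULL `ctx` still holds its own reference; the rest of the function lies outside the hunk, so neither can be confirmed here. I would either release the reference on each exit path instead, or state the invariant in the comment, e.g. `/* Drop the ref taken for command_full(); self must not be used below unless ctx, which holds its own ref, is non-NULL */`. The same applies to the identical addition in activate_ready().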
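Review bot: The retained comment `/* we pass the bearer object! */` on the `g_object_ref (ctx->self)` argument in disconnect_3gpp() no longer states the important fact, which is that user_data now carries an owned reference that only the ready callback releases. I would reword it to `/* pass a new ref to the bearer; released in disconnect_ipdpact_ready() */` so the ownership transfer is visible to anyone who later adds a cancellable or an early-error path. If the callback were ever skipped, this reference would leak and keep the bearer alive; that is presumably ruled out by the GAsyncReadyCallback convention, but it is worth confirming for the command_full() call, which starts above the hunk. The same rewording fits the `activate_ready` call site in the deactivate_ready() hunk.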
@@ -680,6 +684,10 @@ activate_ready (MMBaseModem *modem,
 /* Try to recover the connection context. If none found, it means the
 * context was already completed and we have nothing else to do. */
 ctx = self->priv->connect_pending;
+
+ /* Balance refcount with the extra ref we passed to command_full() */
+ g_object_unref (self);
+
+ if (!ctx) {
 mm_dbg ("Connection context was finished already by an unsolicited message");
@@ -743,7 +751,7 @@ deactivate_ready (MMBaseModem *modem,
 FALSE,
 NULL, /* cancellable */
 (GAsyncReadyCallback)activate_ready,
- ctx->self); /* we pass the bearer object! */
+ g_object_ref (ctx->self)); /* we pass the bearer object! */
 g_free (command);
 }