gatt: Fix invalid read when disconnecting
In case there is a client of AcquireNotify and a disconnect happens the
code not only have to free the client object but also destroy the io
associated with it, for this reason the client object cannot be freed
until the io is destroyed otherwise it may lead to the following error:
Invalid read of size 4
at 0x63920: notify_io_destroy (gatt-client.c:1461)
by 0x63EDB: pipe_io_destroy (gatt-client.c:1082)
by 0x6405B: characteristic_free (gatt-client.c:1663)
by 0x81F33: remove_interface (object.c:667)
by 0x826CB: g_dbus_unregister_interface (object.c:1391)
by 0x85D2B: queue_remove_all (queue.c:354)
by 0x635F7: unregister_service (gatt-client.c:1893)
by 0x85CF7: queue_remove_all (queue.c:339)
by 0x661DF: btd_gatt_client_service_removed (gatt-client.c:2199)
by 0x695CB: gatt_service_removed (device.c:3747)
by 0x85B17: queue_foreach (queue.c:220)
by 0x91283: notify_service_changed (gatt-db.c:280)
by 0x91283: gatt_db_service_destroy (gatt-db.c:291)
Address 0x515ed48 is 0 bytes inside a block of size 20 free'd
at 0x483EAD0: free (vg_replace_malloc.c:530)
by 0x85D2B: queue_remove_all (queue.c:354)
by 0x636D3: unregister_characteristic (gatt-client.c:1741)
by 0x85D2B: queue_remove_all (queue.c:354)
by 0x635F7: unregister_service (gatt-client.c:1893)
by 0x85CF7: queue_remove_all (queue.c:339)
by 0x661DF: btd_gatt_client_service_removed (gatt-client.c:2199)
by 0x695CB: gatt_service_removed (device.c:3747)
by 0x85B17: queue_foreach (queue.c:220)
by 0x91283: notify_service_changed (gatt-db.c:280)
by 0x91283: gatt_db_service_destroy (gatt-db.c:291)
by 0x85D2B: queue_remove_all (queue.c:354)
by 0x91387: gatt_db_clear_range (gatt-db.c:475)
Change-Id: If5d5159c7fc59f4f3b88afb863eb0b0644ddee09
Signed-off-by: himanshu <h.himanshu@samsung.com>
projects / platform / upstream / bluez.git / commit