From bd70ab0db346a6512ab25bdeb1ac3d1ceb5bee9d Mon Sep 17 00:00:00 2001 
From: Luiz Augusto von Dentz Date: Fri, 17 Jul 2020 14:09:42 -0700 Subject: [PATCH] shared/gatt-client: Fix possible crash This fixes the following crash which was the cause of CI failing with the latest changes: Invalid read of size 8 at 0x15A5ED: queue_remove_if (queue.c:289) by 0x15181E: chrc_removed (gatt-client.c:278) by 0x15A4BC: queue_foreach (queue.c:220) by 0x157870: notify_attribute_changed (gatt-db.c:396) by 0x157870: notify_service_changed (gatt-db.c:407) by 0x15793C: gatt_db_service_destroy (gatt-db.c:433) by 0x15A741: queue_remove_all (queue.c:354) by 0x15A774: queue_destroy (queue.c:73) by 0x15776F: gatt_db_destroy (gatt-db.c:459) by 0x15776F: gatt_db_unref (gatt-db.c:471) by 0x15776F: gatt_db_unref (gatt-db.c:463) by 0x15211A: bt_gatt_client_free (gatt-client.c:2250) by 0x152565: notify_cb (gatt-client.c:2228) by 0x14D0F8: handle_notify (att.c:972) by 0x14D0F8: can_read_data (att.c:1063) by 0x1597F4: watch_callback (io-glib.c:170) by 0x48B67AE: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.6400.3) by 0x48B6B37: ??? (in /usr/lib64/libglib-2.0.so.0.6400.3) by 0x48B6E52: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.6400.3) by 0x159DE4: mainloop_run (mainloop-glib.c:79) by 0x15A1C1: mainloop_run_with_signal (mainloop-notify.c:201) by 0x14B27B: tester_run (tester.c:870) by 0x147C8E: main (test-gatt.c:4488) Address 0x4f51498 is 8 bytes inside a block of size 32 free'd at 0x483B9F5: free (vg_replace_malloc.c:538) by 0x1520A8: bt_gatt_client_free (gatt-client.c:2235) by 0x152565: notify_cb (gatt-client.c:2228) by 0x14D0F8: handle_notify (att.c:972) by 0x14D0F8: can_read_data (att.c:1063) by 0x1597F4: watch_callback (io-glib.c:170) by 0x48B67AE: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.6400.3) by 0x48B6B37: ??? 
(in /usr/lib64/libglib-2.0.so.0.6400.3) by 0x48B6E52: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.6400.3) by 0x159DE4: mainloop_run (mainloop-glib.c:79) by 0x15A1C1: mainloop_run_with_signal (mainloop-notify.c:201) by 0x14B27B: tester_run (tester.c:870) by 0x147C8E: main (test-gatt.c:4488) Signed-off-by: Anuj Jain Signed-off-by: Ayush Garg
---
 src/shared/gatt-client.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/shared/gatt-client.c b/src/shared/gatt-client.c
index 5843ff2c..8d1a27d1 100644
--- a/src/shared/gatt-client.c
+++ b/src/shared/gatt-client.c
@@ -2506,6 +2506,7 @@ static void bt_gatt_client_free(struct bt_gatt_client *client)
 {
 bt_gatt_client_cancel_all(client);
+ queue_destroy(client->notify_chrcs, notify_chrc_free);
 queue_destroy(client->notify_list, notify_data_cleanup);
 queue_destroy(client->ready_cbs, ready_destroy);
@@ -2536,7 +2537,6 @@ static void bt_gatt_client_free(struct bt_gatt_client *client)
 queue_destroy(client->clones, NULL);
 queue_destroy(client->svc_chngd_queue, free);
 queue_destroy(client->long_write_queue, request_unref);
- queue_destroy(client->notify_chrcs, notify_chrc_free);
 queue_destroy(client->pending_requests, request_unref);
 #ifdef TIZEN_FEATURE_BLUEZ_MODIFY
-- 2.34.1
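Review bot: The added queue_destroy(client->notify_chrcs, ...) in the first hunk now carries an ordering requirement that nothing in the code states: it must run before the notify_list cleanup and before the later gatt_db teardown, but the reason (the chrc_removed → queue_remove_if use-after-free in the valgrind trace) exists only in the commit message, so a later tidy-up could move it back. A one-line comment above the added call, such as `/* Must be destroyed before notify_list and the gatt_db teardown below; see the chrc_removed use-after-free this ordering fixes */`, would keep the dependency visible. Separately, client->notify_chrcs is left dangling after queue_destroy(); if a gatt-db callback such as chrc_removed can still run during the gatt_db_unref further down in this function, it would call queue_remove_if() on freed memory, so consider `client->notify_chrcs = NULL;` right after the destroy, provided the queue helpers tolerate a NULL queue (they appear to in BlueZ's queue.c, but confirm). The second hunk is the matching deletion of the same line and needs no separate change; bt_gatt_client_free's body continues outside both hunks.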