From 14c2ef7ee93b96d80a6430616d8918023d171159 Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz
Date: Wed, 21 Aug 2013 13:43:56 +0300
Subject: [PATCH] network: Fix crash after removing adapter The service watch is not removed so once the client disconnects the callback is called using the data already freed: Invalid read of size 8 at 0x428CFE: server_remove_sessions.isra.0 (server.c:605) by 0x428D80: server_disconnect (server.c:626) by 0x475426: service_filter (watch.c:486) by 0x47569A: message_filter (watch.c:554) by 0x32F840F9E5: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.7.4) by 0x474347: message_dispatch (mainloop.c:76) by 0x3383648962: ??? (in /usr/lib64/libglib-2.0.so.0.3600.3) by 0x3383647E05: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3600.3) by 0x3383648157: ??? (in /usr/lib64/libglib-2.0.so.0.3600.3) by 0x3383648559: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3600.3) by 0x40A2CF: main (main.c:583) Address 0x4eb5f00 is 32 bytes inside a block of size 56 free'd at 0x4A074C4: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) by 0x338364D9AE: g_free (in /usr/lib64/libglib-2.0.so.0.3600.3) by 0x429663: server_unregister (server.c:848) by 0x33836648F7: g_slist_foreach (in /usr/lib64/libglib-2.0.so.0.3600.3) by 0x454180: adapter_remove (adapter.c:2886) by 0x45C940: index_removed (adapter.c:5651) by 0x467FDF: received_data (mgmt.c:252) by 0x3383647E05: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3600.3) by 0x3383648157: ??? (in /usr/lib64/libglib-2.0.so.0.3600.3) by 0x3383648559: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3600.3) by 0x40A2CF: main (main.c:583)
---
 profiles/network/server.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/profiles/network/server.c b/profiles/network/server.c
index de48bec76..043e1fca2 100644
--- a/profiles/network/server.c
+++ b/profiles/network/server.c
@@ -724,6 +724,7 @@ static void server_free(void *data)
 if (ns->record_id)
 remove_record_from_server(ns->record_id);
+ g_dbus_remove_watch(btd_get_dbus_connection(), ns->watch_id);
 g_free(ns->name);
 g_free(ns->bridge);
-- 
2.47.3
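Review bot: The added g_dbus_remove_watch() call is unconditional, while the remove_record_from_server() call immediately above it is guarded by `if (ns->record_id)`; if server_free() can run for a struct whose watch was never registered, ns->watch_id is presumably still 0 there, so either guard it the same way, `if (ns->watch_id) g_dbus_remove_watch(btd_get_dbus_connection(), ns->watch_id);`, or confirm that g_dbus_remove_watch() tolerates id 0 and keep it as is. A why-comment would also help, since nothing in the hunk says why the watch must go before the frees; the commit message's trace shows the watch callback (server_disconnect) reading the freed struct, so something like `/* Remove the disconnect watch first: its callback dereferences ns */` captures the invariant. server_free() starts before and continues after this hunk.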