From 72878d96feb732b5e7de6c22cc44728429e26346 Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz
Date: Thu, 25 Oct 2018 10:09:37 +0300
Subject: [PATCH] gatt: Fix crash on disconnect

This fix a crash when ATT disconnects causing the following trace:

Invalid read of size 8
at 0x47CD9A: att_disconnected (gatt-database.c:335)
by 0x4E04F5: disconn_handler (att.c:539)
by 0x4DACD0: queue_foreach (queue.c:220)
by 0x4E23D8: disconnect_cb (att.c:592)
by 0x4F0A58: watch_callback (io-glib.c:170)
by 0x50D788C: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.5600.3)
by 0x50D7C57: ??? (in /usr/lib64/libglib-2.0.so.0.5600.3)
by 0x50D7F81: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.5600.3)
by 0x40D336: main (main.c:808)
Address 0x9aed3c0 is 0 bytes inside a block of size 40 free'd
at 0x4C2FDAC: free (vg_replace_malloc.c:530)
by 0x47CE78: att_disconnected (gatt-database.c:358)
by 0x47F9FF: btd_gatt_database_att_disconnected (gatt-database.c:3540)
by 0x4AAB8E: gatt_server_cleanup (device.c:584)
by 0x4AAC26: attio_cleanup (device.c:601)
by 0x4ADDF1: att_disconnected_cb (device.c:4865)
by 0x4E04F5: disconn_handler (att.c:539)
by 0x4DACD0: queue_foreach (queue.c:220)
by 0x4E23D8: disconnect_cb (att.c:592)
by 0x4F0A58: watch_callback (io-glib.c:170)
by 0x50D788C: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.5600.3)
by 0x50D7C57: ??? (in /usr/lib64/libglib-2.0.so.0.5600.3)
---
src/gatt-database.c | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/src/gatt-database.c b/src/gatt-database.c
index 783b692d5..ec584fc3c 100644
--- a/src/gatt-database.c
+++ b/src/gatt-database.c
@@ -3357,6 +3357,8 @@ void btd_gatt_database_att_connected(struct btd_gatt_database *database,
 void btd_gatt_database_att_disconnected(struct btd_gatt_database *database,
 struct btd_device *device)
 {
+ struct bt_gatt_server *server = btd_device_get_gatt_server(device);
+ struct bt_att *att = bt_gatt_server_get_att(server);
 struct device_state *state;
 const bdaddr_t *addr;
 uint8_t type;
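Review bot: The two new lookups at the top of btd_gatt_database_att_disconnected chain `device` to `server` to `att` without checking either result, and `att` is handed to bt_att_unregister_disconnect() in the second hunk. The trace shows this path runs from gatt_server_cleanup, i.e. during teardown, so if btd_device_get_gatt_server() can return NULL at that point the derived `att` is NULL as well; I cannot see the helpers' definitions from here, so either they are known to tolerate NULL and that should be recorded, or the later call needs a guard such as `if (att && state->disc_id)`. A short why-comment would also help, since the reason for the lookup is only evident from the commit message: `/* Needed to drop the ATT disconnect watch before state is freed below. */`. The rest of the function body is outside this hunk.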
@@ -3370,6 +3372,9 @@ void btd_gatt_database_att_disconnected(struct btd_gatt_database *database,
 if (!state)
 return;
 
+ if (state->disc_id)
+ bt_att_unregister_disconnect(att, state->disc_id);
+
 att_disconnected(0, state);
 }
 
-- 
2.47.3
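Review bot: The result of bt_att_unregister_disconnect() is discarded and `state->disc_id` still holds the old id afterwards; the fix relies on att_disconnected(0, state) — defined outside the hunk, and per the trace the function that frees `state` at gatt-database.c:358 — never running a second time with the same state. Clearing the id right after the unregister, `state->disc_id = 0;`, makes the watch removal self-contained and prevents a stale id from being unregistered again should that freeing behaviour ever change. If the unregister can legitimately fail (for example because `att` is NULL at teardown), consider at least recording that in a comment so the silent discard of the return value reads as intentional.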