From 7ed42033406158d18b7e9c376de45f2babf19f05 Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz
Date: Wed, 1 Oct 2014 14:05:30 +0300
Subject: [PATCH] shared/gatt-client: Fix crash on bt_gatt_client_unref

Calling gatt_client_clear_services after notify_list is destroyed cause the following backtrace:
Invalid read of size 8
at 0x404CC9: queue_remove_all (queue.c:312)
by 0x401FC6: gatt_client_remove_all_notify_in_range (gatt-client.c:350)
by 0x403170: bt_gatt_client_free (gatt-client.c:357)
by 0x401A93: test_client (test-gatt.c:224)
by 0x4E9E5E0: ??? (in /usr/lib64/libglib-2.0.so.0.3800.2)
by 0x4E9E7A5: ??? (in /usr/lib64/libglib-2.0.so.0.3800.2)
by 0x4E9E7A5: ??? (in /usr/lib64/libglib-2.0.so.0.3800.2)
by 0x4E9E7A5: ??? (in /usr/lib64/libglib-2.0.so.0.3800.2)
by 0x4E9EB1A: g_test_run_suite (in /usr/lib64/libglib-2.0.so.0.3800.2)
by 0x4015EE: main (test-gatt.c:259)
Address 0x5752718 is 8 bytes inside a block of size 32 free'd
at 0x4C28577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x40315E: bt_gatt_client_free (gatt-client.c:1233)
by 0x401A93: test_client (test-gatt.c:224)
by 0x4E9E5E0: ??? (in /usr/lib64/libglib-2.0.so.0.3800.2)
by 0x4E9E7A5: ??? (in /usr/lib64/libglib-2.0.so.0.3800.2)
by 0x4E9E7A5: ??? (in /usr/lib64/libglib-2.0.so.0.3800.2)
by 0x4E9E7A5: ??? (in /usr/lib64/libglib-2.0.so.0.3800.2)
by 0x4E9EB1A: g_test_run_suite (in /usr/lib64/libglib-2.0.so.0.3800.2)
by 0x4015EE: main (test-gatt.c:259)
---
 src/shared/gatt-client.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/shared/gatt-client.c b/src/shared/gatt-client.c
index 782e6b32e..ddedaf031 100644
--- a/src/shared/gatt-client.c
+++ b/src/shared/gatt-client.c
@@ -1224,12 +1224,12 @@ static void bt_gatt_client_free(struct bt_gatt_client *client)
 bt_att_unregister(client->att, client->notify_id);
 bt_att_unregister(client->att, client->ind_id);

+ gatt_client_clear_services(client);
+
 queue_destroy(client->svc_chngd_queue, free);
 queue_destroy(client->long_write_queue, long_write_op_unref);
 queue_destroy(client->notify_list, notify_data_unref);

- gatt_client_clear_services(client);
-
 bt_att_unref(client->att);
 free(client);
 }
--
2.47.3
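Review bot: Nothing in the new code records why `gatt_client_clear_services(client)` has to come before the three `queue_destroy()` calls, so a later tidy-up of this teardown sequence could reintroduce the use-after-free shown in the commit's valgrind trace. Judging from that trace, clearing services ends up in `gatt_client_remove_all_notify_in_range()`, which walks `client->notify_list`; I would put a comment above the moved call, e.g. `/* Must run before notify_list is destroyed: clearing services still walks it */`. It may also be worth checking whether `notify_data_unref` or `long_write_op_unref` touch service data that is now cleared before they run, since those destructors are outside this hunk and the reorder inverts the dependency for them. bt_gatt_client_free's body starts before the hunk.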