Variables which are assigned to the errno variable (usually called
"err") should be negative, and "-err" should be used where a positive
value is needed.
This commit also changes places where errno can be replaced with -err
(for consistency) and one perror() usage error.
Variables which are assigned to the errno variable (usually called
"err") should be negative, and "-err" should be used where a positive
value is needed.
Variables which are assigned to the errno variable (usually called
"err") should be negative, and "-err" should be used where a positive
value is needed.
This patch also fixes a bug related to not using an "err" variable to
store the errno value before calling external library code.
Currently, +CIEV indicator after AT+CHLD=0 command for one active call,
one held call, one incoming call scenario is incorrect. callheld=2
according to HFP 1.5 spec., p.70, means 'Call on hold, no active call'.
Hence, value 2 cannot be provided in +CIEV if there is an active call.
This happens in the following circumstance:
bluetoothd[30869]: audio/manager.c:hf_io_cb() Authorization denied!
(bluetoothd:30869): GLib-WARNING **: Invalid file descriptor.
Reported by Daniel Wagner <wagi@monom.org>
audio/avrcp.c: In function 'avrcp_unregister':
audio/avrcp.c:1253: error: implicit declaration of function 'g_slist_free_full'
thermometer/thermometer.c: In function 'destroy_char':
thermometer/thermometer.c:79: error: implicit declaration of function 'g_slist_free_full'
Section 5.4.1 of AVRCP 1.3 spec says:
If TG does not support SongLength And SongPosition on TG, then TG shall
return 0xFFFFFFFF.
SongPosition is always available, but song length depends on user to
provied it.
When registering for TRACK_CHANGED event, CT expects the track's UID in
the INTERIM and CHANGED responses. According to AVRCP 1.3 spec, there
are only 2 possible values:
1) 0: there's a track selected
2) UINT32_MAX: there's no track selected
AVRCP 1.4 reserves the value UINT64_MAX for the second case. Since this
later value is the one used in certification process for best IOP
we return UINT64_MAX instead of the former.
This implementation allows to pass PTS test TP/NFY/BV-05-C.
If we use the same hash table to set the new metadata, we have 2
undesired behaviors:
1) New track may contain fields from previous track if it didn't set all
the fields
2) If we fail on parsing the signal, we will still change some of the
fields
This fixes the same issue as in 8a6119ea1c685fc61419ee444a5967596f524c1c
but for CSD_CALL_STATUS_COMING. Call status change sequence in csd is
IDLE to COMING, COMING to PROCEEDING, and PROCEEDING to WAITING.
Returned 'state of the call' value after CSD_CALL_STATUS_COMING, as well
as after CSD_CALL_STATUS_PROCEEDING, in +CLCC shall be 5 (waiting, MT
call) instead of 4 (incoming, MT call) in maemo6 telephony driver for the
second incoming call.
Refactor code when we are 'listing selected attributes' to share code
with 'listing all attributes'. This way we always keep the list of
attributes in a GList, and call player_get_media_attribute() in only one
place.
When remote side requests all available metadata (i.e. it gives number
attributes equals to 0) do not return zero-length strings for
unavailable items. The only exception is title, that must be always present.
If list current calls is requested when there is second incoming call
and csd call status is CSD_CALL_STATUS_PROCEEDING, then returned 'state
of the call' value in +CLCC is 4 (incoming, MT call), which is incorrect.
Indication than proceeds from incoming to waiting state.
This patch sets the corresponding value to 5 (waiting, MT call) in
maemo6 telephony driver for the second call.
This fixes the following compilation error with GLib on 32-bit sytems:
audio/media.c: In function 'get_setting':
audio/media.c:1109:44: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
audio/media.c: In function 'set_setting':
audio/media.c:1132:41: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
Crash is caused by not removed freed player from the list:
Invalid read of size 8
at 0x13E7B5: media_adapter_find_player (media.c:861)
by 0x13FEBC: register_player (media.c:1561)
by 0x120DFE: process_message (object.c:224)
by 0x4F6E9A0: ??? (in /lib64/libdbus-1.so.3.5.6)
by 0x4F6092F: dbus_connection_dispatch (in /lib64/libdbus-1.so.3.5.6)
by 0x11F787: message_dispatch (mainloop.c:80)
by 0x4C762CA: ??? (in /lib64/libglib-2.0.so.0.3000.0)
by 0x4C74ADC: g_main_context_dispatch (in /lib64/libglib-2.0.so.0.3000.0)
by 0x4C752D7: ??? (in /lib64/libglib-2.0.so.0.3000.0)
by 0x4C75824: g_main_loop_run (in /lib64/libglib-2.0.so.0.3000.0)
by 0x11EE4B: main (main.c:485)
Address 0x642ef30 is 16 bytes inside a block of size 80 free'd
at 0x4A0662E: free (vg_replace_malloc.c:366)
by 0x4C7B7F2: g_free (in /lib64/libglib-2.0.so.0.3000.0)
by 0x12D292: player_destroy (avrcp.c:1099)
by 0x120C38: service_filter (watch.c:477)
by 0x120950: message_filter (watch.c:527)
by 0x4F608E5: dbus_connection_dispatch (in /lib64/libdbus-1.so.3.5.6)
by 0x11F787: message_dispatch (mainloop.c:80)
by 0x4C762CA: ??? (in /lib64/libglib-2.0.so.0.3000.0)
by 0x4C74ADC: g_main_context_dispatch (in /lib64/libglib-2.0.so.0.3000.0)
by 0x4C752D7: ??? (in /lib64/libglib-2.0.so.0.3000.0)
by 0x4C75824: g_main_loop_run (in /lib64/libglib-2.0.so.0.3000.0)
by 0x11EE4B: main (main.c:485)
Device object may exist but control wont be initialized causing the
following crash:
Invalid read of size 8
at 0x12B510: state_changed (control.c:90)
by 0x12BA20: avctp_set_state (avctp.c:367)
by 0x12C0DC: avctp_confirm_cb (avctp.c:733)
by 0x166481: server_cb (btio.c:200)
by 0x4E75ADC: g_main_context_dispatch (in /lib64/libglib-2.0.so.0.3000.0)
by 0x4E762D7: ??? (in /lib64/libglib-2.0.so.0.3000.0)
by 0x4E76824: g_main_loop_run (in /lib64/libglib-2.0.so.0.3000.0)
by 0x11ED19: main (main.c:473)
Address 0x8 is not stack'd, malloc'd or (recently) free'd
If CT tries to change an Application Setting providing only one
setting, the size of the PDU will be 3 bytes. Therefore we should check
if the PDU is shorter than or equal 3, not only shorter.
If media attribute is not available for a certain media file, return an
empty string instead of rejecting the request. The spec is not so clear
if only the title should be handled as an empty string when not present,
but this is the only alternative to rejecting the request.
IOP tests showed that some CT devices don't like reject messages: they
never ask for an attribute again if they previously received a REJECTED
message for that attribute. They consider REJECTED as "TG doesn't
implement it these optional attributes" as opposed to what we had
before, "this attribute is currently not available".
Check on active call is added for playing of DTMF feedback tones to
notify user. Network DTMF tones are handled by modem, and therefore
there is no need in special check for those.
StartEventTone and StopTone method calls to tone generator are added
to maemo6 telephony driver. Such implements playback of DTMF tones
in handsfree to notify user.
SendDTMF method call is replaced by StartDTMF/StopDTMF in maemo6 telephony
driver. StartDTMF/StopDTMF places DTMF tone in queue on modem side playing
it minimum required time. When using SendDTMF, modem ignores new tone
until currently playing one is not finished.
Downside of StartDTMF/StopDTMF combination is absence of audio feedback to
hands-free.
AVRCP is an extension of AV/C spec which has a limit of 512 bytes. The
only place where it can exceed this value is in the response to
GetElementAttributes command.
Now we simply don't add the attributes that would overflow the available
buffer space.
In case of incoming RFCOMM connection, manager calls
gateway_connect_rfcomm which already take reference to GIOChannel, hence
no need to take another one.
Make sure that state changes to disconnected on errors (authorization
refused, disconnect, sdp) This change will become necessary when
integrating the Audio interface which rely on state change to confirm
that connection has started successfully.
The response of GetCurrentPlayerApplicationSettingValue expects the
first operand to be the number of attributes in response. Since we start
with len=0, we were overwriting this number with the value of the first
attribute.
Also use g_memdup instead of g_malloc + memcpy.
This simplify a bit the handling by introducing common checks before
calling the handler callback, it is also much easier to add/remove
new PDUs in this way.
When the avctp channel is not connected, we call
g_io_channel_unix_get_fd() with a NULL pointer. Glib does not check the
pointer before dereferencing it, causing bluetoothd to segv.
Move the function call to the place it's actually needed, after the
safety checks.
The header files with constants and structures for audio specific
interaction with Pulseaudio are suppose to be under LGPL license.
For some odd reason a2dp-codecs.h ended up being under GPL license
which is against the intention of this being shared and re-used by
non-GPL programs. Fix this now to avoid any future confusion.
When a HFPHS endpoint is created, media will start to watch for
HandsfreeGateway state changes. media call SetConfiguration upon
connection and ClearConfiguration upon disconnection.
If SetConfiguration call fails, the headset or gateway for which
SetConfiguration is called is disconnected. This will free any
pending request, but this does not prevent the request to
terminate (endpoint_reply) and try to free itself once again.
Note that a copy of the freed pointer is tested which has not
been updated.
AVDTP_CONNECT_TIMEOUT controls the delay between HSP/HFP
connection establishment and AVDTP signal channel establishment.
The original value of 1 sec. is too short to avoid racing for AVDTP
connection establishment (eg., if the device continues to configure
the HFP service level connection with additional AT cmds).
Some devices have broken AVDTP implementations that just cannot
handle the race conditions that arise if both devices are attempting
stream establishment at the same time. However, these conditions arise
only when the remote device is the ACL initiator (and in practice, the
RFCOMM initiator as well). This fix bumps out the timeout value only
when the headset has initiated the link.
AVRCP_GET_PLAYER_ATTRIBUTE_TEXT and AVRCP_GET_PLAYER_VALUE_TEXT shall
only be used if TG has extended attributes.
For the ones defined in AVRCP spec these commands should not be called.
Since we do not have extended attributes yet we can ignore those
commands.
When we disconnect an A2DP device by immediate power off and quickly
also initiate a disconnection from our side, a crash is occurring. This
is happening because of the disconnect_timeout coming after freeing the
session.
This also fix the circular dependency of media.c and a2dp.c
Invalid read of size 8
at 0x4EA8CC2: g_slice_free_chain_with_offset (in /lib64/libglib-2.0.so.0.2908.0)
by 0x13AF33: path_free (media.c:417)
by 0x11EB39: remove_interface (object.c:563)
by 0x11F360: g_dbus_unregister_interface (object.c:715)
by 0x120C49: media_server_remove (manager.c:1098)
by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
by 0x178915: adapter_remove (adapter.c:2326)
by 0x17535F: btd_manager_unregister_adapter (manager.c:293)
by 0x154081: device_event (hciops.c:2643)
by 0x1543C1: io_stack_event (hciops.c:2763)
by 0x4E8C88C: g_main_context_dispatch (in /lib64/libglib-2.0.so.0.2908.0)
by 0x4E8D087: ??? (in /lib64/libglib-2.0.so.0.2908.0)
Address 0x63f6638 is 8 bytes inside a block of size 16 free'd
at 0x4A055FE: free (vg_replace_malloc.c:366)
by 0x4E938F2: g_free (in /lib64/libglib-2.0.so.0.2908.0)
by 0x4EA854E: g_slice_free1 (in /lib64/libglib-2.0.so.0.2908.0)
by 0x4EA930C: g_slist_remove (in /lib64/libglib-2.0.so.0.2908.0)
by 0x13AE53: media_endpoint_remove (media.c:118)
by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
by 0x4EA984A: g_slist_free_full (in /lib64/libglib-2.0.so.0.2908.0)
by 0x13AF33: path_free (media.c:417)
by 0x11EB39: remove_interface (object.c:563)
by 0x11F360: g_dbus_unregister_interface (object.c:715)
by 0x120C49: media_server_remove (manager.c:1098)
by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
If ringtone is loud enough, it may leak to microphone when call is
answered via Bluetooth headset. As result, it can be heard on remote
end. Therefore, playing ringtone shall be stopped as fast as possible
before answering a call.
The AVDTP spec allows for a race condition between remote and local
device when issuing an AVDTP_START cmd on a stream in the OPEN state.
However, the internal state must continue to be consistent. For example,
suppose that avdtp_start() has been called while in the OPEN state and
a AVDTP_START cmd is sent. Now before we have received a response (and
thus entered the STREAMING state), we *receive* a START cmd. Prior to
this fix, since the sep is still in the OPEN state, we would accept
the new START cmd. This will leads us to send both a Start_Ind and
Start_Cfm - not good.
Now, we track this transitional state (starting == TRUE).
NB - 'starting' is only in a valid state while the sep is in the
OPEN state. 'starting' is reset when we return to the OPEN state.
This is probably a glib bug on g_slist_free_full which doesn't handle the
case where the list is modified inside the callback:
Invalid read of size 8
at 0x50AD5B2: g_slice_free_chain_with_offset (in /usr/lib64/libglib-2.0.so.0.2800.8)
by 0x13057B: a2dp_unregister (a2dp.c:1550)
by 0x12144C: a2dp_server_remove (manager.c:1032)
by 0x50ADF16: g_slist_foreach (in /usr/lib64/libglib-2.0.so.0.2800.8)
by 0x178B55: adapter_remove (adapter.c:2326)
by 0x175205: manager_remove_adapter (manager.c:290)
by 0x50ADF16: g_slist_foreach (in /usr/lib64/libglib-2.0.so.0.2800.8)
by 0x50ADF3A: g_slist_free_full (in /usr/lib64/libglib-2.0.so.0.2800.8)
by 0x175086: manager_cleanup (manager.c:298)
by 0x11D7A8: main (main.c:305)
Address 0x637a5e8 is 8 bytes inside a block of size 16 free'd
at 0x4C27D6E: free (vg_replace_malloc.c:366)
by 0x50AD9FC: g_slist_remove (in /usr/lib64/libglib-2.0.so.0.2800.8)
by 0x12E5C6: a2dp_remove_sep (a2dp.c:1667)
by 0x50ADF16: g_slist_foreach (in /usr/lib64/libglib-2.0.so.0.2800.8)
by 0x50ADF3A: g_slist_free_full (in /usr/lib64/libglib-2.0.so.0.2800.8)
by 0x13057B: a2dp_unregister (a2dp.c:1550)
by 0x12144C: a2dp_server_remove (manager.c:1032)
by 0x50ADF16: g_slist_foreach (in /usr/lib64/libglib-2.0.so.0.2800.8)
by 0x178B55: adapter_remove (adapter.c:2326)
by 0x175205: manager_remove_adapter (manager.c:290)
by 0x50ADF16: g_slist_foreach (in /usr/lib64/libglib-2.0.so.0.2800.8)
by 0x50ADF3A: g_slist_free_full (in /usr/lib64/libglib-2.0.so.0.2800.8)
Invalid free() / delete / delete[]
at 0x4C27D6E: free (vg_replace_malloc.c:366)
by 0x50AD5A3: g_slice_free_chain_with_offset (in /usr/lib64/libglib-2.0.so.0.2800.8)
by 0x13057B: a2dp_unregister (a2dp.c:1550)
by 0x12144C: a2dp_server_remove (manager.c:1032)
by 0x50ADF16: g_slist_foreach (in /usr/lib64/libglib-2.0.so.0.2800.8)
by 0x178B55: adapter_remove (adapter.c:2326)
by 0x175205: manager_remove_adapter (manager.c:290)
by 0x50ADF16: g_slist_foreach (in /usr/lib64/libglib-2.0.so.0.2800.8)
by 0x50ADF3A: g_slist_free_full (in /usr/lib64/libglib-2.0.so.0.2800.8)
by 0x175086: manager_cleanup (manager.c:298)
by 0x11D7A8: main (main.c:305)
Address 0x637a5e0 is 0 bytes inside a block of size 16 free'd
at 0x4C27D6E: free (vg_replace_malloc.c:366)
by 0x50AD9FC: g_slist_remove (in /usr/lib64/libglib-2.0.so.0.2800.8)
by 0x12E5C6: a2dp_remove_sep (a2dp.c:1667)
by 0x50ADF16: g_slist_foreach (in /usr/lib64/libglib-2.0.so.0.2800.8)
by 0x50ADF3A: g_slist_free_full (in /usr/lib64/libglib-2.0.so.0.2800.8)
by 0x13057B: a2dp_unregister (a2dp.c:1550)
by 0x12144C: a2dp_server_remove (manager.c:1032)
by 0x50ADF16: g_slist_foreach (in /usr/lib64/libglib-2.0.so.0.2800.8)
by 0x178B55: adapter_remove (adapter.c:2326)
by 0x175205: manager_remove_adapter (manager.c:290)
by 0x50ADF16: g_slist_foreach (in /usr/lib64/libglib-2.0.so.0.2800.8)
by 0x50ADF3A: g_slist_free_full (in /usr/lib64/libglib-2.0.so.0.2800.8)
Invalid read of size 8
at 0x50AD5B2: g_slice_free_chain_with_offset (in /usr/lib64/libglib-2.0.so.0.2800.8)
by 0x175086: manager_cleanup (manager.c:298)
by 0x11D7A8: main (main.c:305)
Address 0x62b7ea8 is 8 bytes inside a block of size 16 free'd
at 0x4C27D6E: free (vg_replace_malloc.c:366)
by 0x50AD9FC: g_slist_remove (in /usr/lib64/libglib-2.0.so.0.2800.8)
by 0x1751AE: manager_remove_adapter (manager.c:275)
by 0x50ADF16: g_slist_foreach (in /usr/lib64/libglib-2.0.so.0.2800.8)
by 0x50ADF3A: g_slist_free_full (in /usr/lib64/libglib-2.0.so.0.2800.8)
by 0x175086: manager_cleanup (manager.c:298)
by 0x11D7A8: main (main.c:305)
Invalid free() / delete / delete[]
at 0x4C27D6E: free (vg_replace_malloc.c:366)
by 0x50AD5A3: g_slice_free_chain_with_offset (in /usr/lib64/libglib-2.0.so.0.2800.8)
by 0x175086: manager_cleanup (manager.c:298)
by 0x11D7A8: main (main.c:305)
Address 0x62b7ea0 is 0 bytes inside a block of size 16 free'd
at 0x4C27D6E: free (vg_replace_malloc.c:366)
by 0x50AD9FC: g_slist_remove (in /usr/lib64/libglib-2.0.so.0.2800.8)
by 0x1751AE: manager_remove_adapter (manager.c:275)
by 0x50ADF16: g_slist_foreach (in /usr/lib64/libglib-2.0.so.0.2800.8)
by 0x50ADF3A: g_slist_free_full (in /usr/lib64/libglib-2.0.so.0.2800.8)
by 0x175086: manager_cleanup (manager.c:298)
by 0x11D7A8: main (main.c:305)
To fix this now adapter_remove and a2dp_unregister_sep are passed
directly as a callbacks so g_slist_remove is not triggered.
When a vendor dependent command is requested but target does not
implement it, the correct return value is CTYPE_NOT_IMPLEMENTED instead
of CTYPE_REJECTED.
AVRCP 1.3 spec clearly says so on section 4.5.1:
[ It is assumed that devices that do not support this metadata
transfer related features shall return a response of NOT
IMPLEMENTED as per AV/C protocol specification ]
And AV/C General Specification, section 8.3.2 talks about legacy
behavior and mandates that NOT_IMPLEMENTED is returned.
Finally, in section 11.6.1 we see that VENDOR-DEPENDENT command frame
depends on the company_ID. Therefore we can't assume it has the same
format as the one specified for metadata transfer (in case the company
ID is 0x001958)
In order to support vendordep pdu as required by AVRCP 1.3 this part
will get very large. So, separate it to a new function like is done for
panel_passthrough.
When handling the discover response, if all stream end points are
in use, then we must finalize discovery, as no GET_CAPABILITIES
command will be issued.
Changing stream state from STREAMING to IDLE can be associated with side
effects under some circumstances (such as terminating bluetoothd during
music is streamed). In this case, after connection is lost, stream state
changes from STREAMING to IDLE - "avdtp_sep_set_state" is triggered which
invokes callback called "stream_state_changed" which internally invokes
"avdtp_sep_set_state" (state of stream doesn't change and stays as IDLE)
second time and then stream object is freed by "stream_free"
at the end of "avdtp_sep_set_state". After returning from callback,
first triggered "avdtp_sep_set_state" attempts to free stream object
again ("if (state == AVDTP_STATE_IDLE)" condition is still satisfied)
and it leads to invalid read/write/free issues (reported by valgrind)
in "stream free" body, since "stream" is "alias" pointer to stream object
which is already out of date (memory for stream object has been already
freed).
This patch prevents from this special case by freeing stream object only
when it is present on streams list and removing from this list when
stream object would be freed.
Changing stream state from STREAMING to IDLE can be associated with side
effects under some circumstances (such as terminating bluetoothd during
music is streamed). In this case, after connection is lost, stream state
changes from STREAMING to IDLE - "avdtp_sep_set_state" is triggered which
invokes callback called "stream_state_changed" which internally invokes
"avdtp_sep_set_state" (state of stream doesn't change and stays as IDLE)
second time and then stream callbacks list is discarded by "stream_free"
("g_slist_free(stream->callbacks)"). After returning from callback,
"stream->callbacks" list (and "l" pointer as well) is already out of date,
so attempting to fetch "l->next" pointer (returned by "g_slist_next(l)"
to be prepared to next iteration of "for" loop) from node on discarded
list leads to invalid read issue (reported by valgrind).
This patch prevents from this issue by moving "l = g_slist_next(l)"
instruction just before invoking callback - loop has been modified and
"while" used instead of "for" loop variant.
Under some circumstances (such as terminating bluetoothd during music is
streamed) endpoint object may be destroyed (memory for endpoint object is
internally freed, directly by "media_endpoint_remove") after invoking
"media_transport_destroy" (in "media_endpoint_clear_configuration") to
destroy transport object (memory for transport object is directly freed by
"media_transport_free"). It leads to invalid write issue (reported by
valgrind) after assignment "endpoint->transport = NULL", since "endpoint"
is "alias" pointer to endpoint object which is already out of date
(memory for endpoint object has been already freed).
This patch prevents from this issue by ensuring that assignment
"endpoint->transport = NULL" would be executed when endpoint object
certainly exists.
Under some circumstances (such as terminating bluetoothd during music is
streamed) sep object may be destroyed (memory for sep object is internally
freed, directly by "a2dp_unregister_sep") after invoking
"media_endpoint_clear_configuration" (in "stream_state_changed").
It leads to invalid write issue (reported by valgrind) after assignment
"sep->stream = NULL", since "sep" is "alias" pointer to sep object which
is already out of date (memory for sep object has been already freed)
This patch prevents from this issue by ensuring that assignment
"sep->stream = NULL" would be executed when sep object certainly exists.
Reply for control message with invalid (not registered for reception
of messages) PID should not have message information field present.
This was affecting AVCTP 1.3 qualification test case TP/NFR/BI-01-C.
Function media_endpoint_create returns pointer to structure. In
conditional expression it is safer to compare returned value with NULL
and not with gboolean as it is done in register_endpoint function.
By patch b9d85c0010 the initialization
of the telephony subsystem is delayed in the bluetoothd startup
procedure. As a result the SupportedFeatures bitmap has not been set
when creating the HFP SDP record. This patch changes the order of
the telephony initialization (via the state_changed function) and
the registration of the record, so that it gets the right value.
Although the corresponding bit in +BRSF is correctly set, the
missing bit for the "Three-way calling" feature in the SDP record
causes some headsets not to send AT+CHLD=? in certain situations.
This results in failed connections since BlueZ does not enter the
"connected" state on the headset interface before that command is
received, if the feature is supported by both sides.
AVRCP TG now returns a REJECTED response with the "Invalid command"
error code for VENDOR DEPENDENT commands. This fixes test case
AVRCP/TG/INV/TC_TG_INV_BI_01_C with recent PTS version.
Fixed incorrect update of transport->owners GSlist in
media_transport_free. Removal of list entries within 'for' loop leads to
invalid read of memory (l = l->next) and memory leaks.
Fixed incorrect update of server->sessions GSlist in avdtp_exit.
Previosly it was leading to invalid read of memory (l = l->next)
(and possible memory leaks) since after invoking avdtp_unref in
connection_lost, l pointer was not valid anymore (previously assignment
l = l->next was used after invoking connection_lost in for loop).
