From 8863b72b051987ed17e343d16351ec8728f243e0 Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz
Date: Tue, 14 Apr 2020 10:41:30 -0700
Subject: [PATCH] Bluetooth: ATT: Fix passing wrong pointer when disconnecting

When disconnecting att_reset is called and all requests are notified but instead of passing req->user_data like it should it pass the req itself which nowdays comes from a k_mem_slab, rather than being a contiguous memory that would contain the request and its user data, which would likely cause invalid access.

Signed-off-by: Luiz Augusto von Dentz
---
 subsys/bluetooth/host/att.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/subsys/bluetooth/host/att.c b/subsys/bluetooth/host/att.c
index c5004995be7..afde34d3b8d 100644
--- a/subsys/bluetooth/host/att.c
+++ b/subsys/bluetooth/host/att.c
@@ -2091,7 +2091,8 @@ static void att_reset(struct bt_att *att)
 /* Notify pending requests */
 SYS_SLIST_FOR_EACH_CONTAINER_SAFE(&att->reqs, req, tmp, node) {
 if (req->func) {
- req->func(NULL, BT_ATT_ERR_UNLIKELY, NULL, 0, req);
+ req->func(NULL, BT_ATT_ERR_UNLIKELY, NULL, 0,
+ req->user_data);
 }
 att_req_destroy(req);
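Review bot: The `req->func(...)` call in the `att_reset` loop invokes every pending callback with a NULL `conn` and only its own `user_data`, and nothing at the call site states that contract; a comment such as `/* conn is NULL on reset: callbacks get only the error and their own user_data */` would make it explicit for callback authors. The pointer that was passed before was the slab-allocated `req` itself, which a callback would have read as its own context, and this path runs whenever a link drops with requests outstanding, so it is worth confirming that no other `req->func` call site in att.c passes `req` the same way; only this one is visible in the hunk. A regression test that disconnects with a request pending and checks that the callback receives its own `user_data` would keep the mismatch from returning. `att_reset` begins and ends outside the hunk.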