With the patch I submitted some time ago
http://git.kernel.org/?p=bluetooth/bluez.git;a=commit;h=e9b1a8f7266d0674b1ea068a5bb5698e9ee424c9
there is a code path leading to a double free:

session_cb -> avdtp_parse_resp -> avdtp_abort_resp ->
avdtp_sep_set_state(..., AVDTP_STATE_IDLE) -> handle_unanswered_req

A response to AVDTP Abort could lead to the pending request being freed both in session_cb and handle_unanswered_req. This patch avoids doing it in the latter function.

The primary purpose of adding handle_unanswered_req was to trigger responses on the Audio API (it was based on avdtp.c:request_timeout). AFAIU, AVDTP Abort doesn't lead to an API response and will be freed elsewhere (session_cb or avdtp_unref).

/Daniel
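A simplified model of the call chain described in the message above, added here as an illustration; it is not BlueZ code and not the author's patch. The function bodies, the `fixed` flag and the release counter are assumptions, and releases are counted instead of calling free() so the double release can be observed safely.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model: names follow the call chain in the mail, bodies are
 * invented. Only the Abort response path is modelled. */
struct pending_req { int releases; };
struct session { struct pending_req *req; bool fixed; };

static void req_release(struct pending_req *req)
{
    req->releases++;            /* stands in for the real free */
}

/* Reached on the transition to IDLE while a request is still pending. */
static void handle_unanswered_req(struct session *s)
{
    if (s->req == NULL)
        return;
    if (!s->fixed)
        req_release(s->req);    /* before the fix: a second release */
    /* after the fix: the request is left to its owner */
}

static void sep_set_state_idle(struct session *s) { handle_unanswered_req(s); }
static void abort_resp(struct session *s) { sep_set_state_idle(s); }
static void parse_resp(struct session *s) { abort_resp(s); }

/* session_cb releases the pending request once the response is parsed. */
static void session_cb(struct session *s)
{
    struct pending_req *req = s->req;
    parse_resp(s);
    req_release(req);
    s->req = NULL;
}

/* Number of releases of the pending request for one Abort response. */
int releases_for_abort_response(bool fixed)
{
    struct pending_req req = { 0 };
    struct session s = { &req, fixed };
    session_cb(&s);
    return req.releases;
}

int main(void)
{
    printf("before fix: %d releases\n", releases_for_abort_response(false));
    printf("after fix:  %d release\n", releases_for_abort_response(true));
    return 0;
}
```

Any count above one in this model corresponds to the double free the message reports; in real code, clearing the owning pointer at the point of release is a common way to make a second release attempt detectable.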