In NCS, sdk_nrf/subsys/bluetooth/gatt_dm.c, bt_gatt_dm_start():
If bt_gatt_discover() returns an error, the variable "dm" should be released by calling "svc_attr_memory_release(dm)".
This is because, in the value initialization stage, dm has already allocated a UUID with this line: dm->discover_params.uuid = svc_uuid ? uuid_store(dm, svc_uuid) : NULL;
It's easy to check this out:
1. Use a BLE central to connect and pair with a peripheral device, then disconnect if pairing fails.
2. Set the peripheral to always refuse pairing requests from the central.
3. Try enough times; user_data_alloc will then always return NULL, because almost all of the heap has been allocated and never freed.
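
A small C model of the leak reported above, added here as an illustration and not taken from the nRF Connect SDK sources. The model_* names, error constants and pool size are hypothetical stand-ins; only the order of operations (allocate the UUID, fail discovery, return with or without releasing) follows the report.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define POOL_SIZE 64      /* constructed value, not the SDK's configured size */
#define UUID_SIZE 16      /* room for one 128-bit UUID */
#define ERR_NOMEM (-12)   /* hypothetical error codes for this model */
#define ERR_DISCOVER (-1)

/* Hypothetical stand-in for the discovery manager's private allocation state. */
struct dm_model {
    unsigned char pool[POOL_SIZE];
    size_t used; /* bytes currently handed out */
};

/* Models user_data_alloc(): bump allocation, NULL once the pool is exhausted. */
static void *model_alloc(struct dm_model *dm, size_t len)
{
    if (len > POOL_SIZE - dm->used) { return NULL; }
    dm->used += len;
    return &dm->pool[dm->used - len];
}

/* Models svc_attr_memory_release(): hands every chunk back. */
static void model_release(struct dm_model *dm) { dm->used = 0; }

/* Models bt_gatt_dm_start() when the discover call fails on every attempt. */
static int model_start(struct dm_model *dm, bool release_on_error)
{
    if (model_alloc(dm, UUID_SIZE) == NULL) { return ERR_NOMEM; } /* uuid_store() step */
    if (release_on_error) { model_release(dm); } /* proposed fix: free before returning */
    return ERR_DISCOVER; /* bt_gatt_discover() returned an error */
}

/* Failed starts survived before allocation fails, or -1 if it never fails. */
int starts_until_exhausted(bool release_on_error, int attempts)
{
    struct dm_model dm = { .used = 0 };
    for (int i = 0; i < attempts; i++) {
        if (model_start(&dm, release_on_error) == ERR_NOMEM) { return i; }
    }
    return -1;
}

int main(void)
{
    printf("without release: %d\n", starts_until_exhausted(false, 100));
    printf("with release: %d\n", starts_until_exhausted(true, 100));
    return 0;
}
```

In this model each failed start that skips the release permanently consumes UUID_SIZE bytes, so the number of refused pairings a device survives is bounded by the pool size divided by the per-attempt allocation.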