mirror of
https://github.com/espressif/esp-idf.git
synced 2025-07-30 10:47:19 +02:00
fix(bt/bluedroid): Fix the crash of invalid access to released resources
It is caused by the delayed timer is alarmed after esp_spp_deinit.
This commit is contained in:
Jin Cheng
@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* SPDX-FileCopyrightText: 2015-2022 Espressif Systems (Shanghai) CO LTD
|
* SPDX-FileCopyrightText: 2015-2023 Espressif Systems (Shanghai) CO LTD
|
||||||
*
|
*
|
||||||
* SPDX-License-Identifier: Apache-2.0
|
* SPDX-License-Identifier: Apache-2.0
|
||||||
*/
|
*/
|
||||||
@ -63,6 +63,7 @@ typedef struct {
|
|||||||
int tx_mtu;
|
int tx_mtu;
|
||||||
uint8_t *write_data;
|
uint8_t *write_data;
|
||||||
osi_alarm_t *close_alarm;
|
osi_alarm_t *close_alarm;
|
||||||
|
void *alarm_arg;
|
||||||
uint8_t role;
|
uint8_t role;
|
||||||
uint16_t security;
|
uint16_t security;
|
||||||
esp_bd_addr_t addr;
|
esp_bd_addr_t addr;
|
||||||
@ -192,6 +193,7 @@ static l2cap_slot_t *l2cap_malloc_slot(void)
|
|||||||
(*slot)->is_server = false;
|
(*slot)->is_server = false;
|
||||||
(*slot)->write_data = NULL;
|
(*slot)->write_data = NULL;
|
||||||
(*slot)->close_alarm = NULL;
|
(*slot)->close_alarm = NULL;
|
||||||
|
(*slot)->alarm_arg = NULL;
|
||||||
/* clear the old event bits */
|
/* clear the old event bits */
|
||||||
if (l2cap_local_param.tx_event_group) {
|
if (l2cap_local_param.tx_event_group) {
|
||||||
xEventGroupClearBits(l2cap_local_param.tx_event_group, SLOT_WRITE_BIT(i) | SLOT_CLOSE_BIT(i));
|
xEventGroupClearBits(l2cap_local_param.tx_event_group, SLOT_WRITE_BIT(i) | SLOT_CLOSE_BIT(i));
|
||||||
@ -246,10 +248,26 @@ static void l2cap_free_slot(l2cap_slot_t *slot)
|
|||||||
free_slot_data(&slot->rx);
|
free_slot_data(&slot->rx);
|
||||||
if (slot->close_alarm) {
|
if (slot->close_alarm) {
|
||||||
osi_alarm_free(slot->close_alarm);
|
osi_alarm_free(slot->close_alarm);
|
||||||
|
if (slot->alarm_arg) {
|
||||||
|
osi_free(slot->alarm_arg);
|
||||||
|
slot->alarm_arg = NULL;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
osi_free(slot);
|
osi_free(slot);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static void l2cap_free_pending_slots(void)
|
||||||
|
{
|
||||||
|
l2cap_slot_t *slot = NULL;
|
||||||
|
for (size_t i = 1; i <= BTA_JV_MAX_L2C_CONN; i++) {
|
||||||
|
slot = l2cap_local_param.l2cap_slots[i];
|
||||||
|
if (slot) {
|
||||||
|
BTC_TRACE_WARNING("%s found slot(handle=0x%x) pending to close, close it now!", __func__, slot->handle);
|
||||||
|
l2cap_free_slot(slot);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
static void close_timeout_handler(void *arg)
|
static void close_timeout_handler(void *arg)
|
||||||
{
|
{
|
||||||
btc_msg_t msg;
|
btc_msg_t msg;
|
||||||
@ -758,6 +776,7 @@ void btc_l2cap_cb_handler(btc_msg_t *msg)
|
|||||||
break;
|
break;
|
||||||
case BTA_JV_DISABLE_EVT:
|
case BTA_JV_DISABLE_EVT:
|
||||||
param.uninit.status = ESP_BT_L2CAP_SUCCESS;
|
param.uninit.status = ESP_BT_L2CAP_SUCCESS;
|
||||||
|
l2cap_free_pending_slots();
|
||||||
BTA_JvFree();
|
BTA_JvFree();
|
||||||
osi_mutex_free(&l2cap_local_param.l2cap_slot_mutex);
|
osi_mutex_free(&l2cap_local_param.l2cap_slot_mutex);
|
||||||
if (l2cap_local_param.tx_event_group) {
|
if (l2cap_local_param.tx_event_group) {
|
||||||
@ -836,6 +855,7 @@ void btc_l2cap_cb_handler(btc_msg_t *msg)
|
|||||||
}
|
}
|
||||||
BTC_TRACE_WARNING("%s slot rx data will be discard in %d milliseconds!",
|
BTC_TRACE_WARNING("%s slot rx data will be discard in %d milliseconds!",
|
||||||
__func__, VFS_CLOSE_TIMEOUT);
|
__func__, VFS_CLOSE_TIMEOUT);
|
||||||
|
slot->alarm_arg = (void *)p_arg;
|
||||||
slot->connected = false;
|
slot->connected = false;
|
||||||
need_call = false;
|
need_call = false;
|
||||||
}
|
}
|
||||||
|
|||||||
@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* SPDX-FileCopyrightText: 2015-2021 Espressif Systems (Shanghai) CO LTD
|
* SPDX-FileCopyrightText: 2015-2023 Espressif Systems (Shanghai) CO LTD
|
||||||
*
|
*
|
||||||
* SPDX-License-Identifier: Apache-2.0
|
* SPDX-License-Identifier: Apache-2.0
|
||||||
*/
|
*/
|
||||||
@ -63,6 +63,7 @@ typedef struct {
|
|||||||
int fd;
|
int fd;
|
||||||
uint8_t *write_data;
|
uint8_t *write_data;
|
||||||
osi_alarm_t *close_alarm;
|
osi_alarm_t *close_alarm;
|
||||||
|
void *alarm_arg;
|
||||||
esp_spp_role_t role;
|
esp_spp_role_t role;
|
||||||
esp_spp_sec_t security;
|
esp_spp_sec_t security;
|
||||||
esp_bd_addr_t addr;
|
esp_bd_addr_t addr;
|
||||||
@ -149,6 +150,7 @@ static spp_slot_t *spp_malloc_slot(void)
|
|||||||
(*slot)->write_data_len = 0;
|
(*slot)->write_data_len = 0;
|
||||||
(*slot)->is_writing = false;
|
(*slot)->is_writing = false;
|
||||||
(*slot)->close_alarm = NULL;
|
(*slot)->close_alarm = NULL;
|
||||||
|
(*slot)->alarm_arg = NULL;
|
||||||
/* clear the old event bits */
|
/* clear the old event bits */
|
||||||
if (spp_local_param.tx_event_group) {
|
if (spp_local_param.tx_event_group) {
|
||||||
xEventGroupClearBits(spp_local_param.tx_event_group, SLOT_WRITE_BIT(i) | SLOT_CLOSE_BIT(i));
|
xEventGroupClearBits(spp_local_param.tx_event_group, SLOT_WRITE_BIT(i) | SLOT_CLOSE_BIT(i));
|
||||||
@ -284,10 +286,26 @@ static void spp_free_slot(spp_slot_t *slot)
|
|||||||
free_slot_data(&slot->rx);
|
free_slot_data(&slot->rx);
|
||||||
if (slot->close_alarm) {
|
if (slot->close_alarm) {
|
||||||
osi_alarm_free(slot->close_alarm);
|
osi_alarm_free(slot->close_alarm);
|
||||||
|
if (slot->alarm_arg) {
|
||||||
|
osi_free(slot->alarm_arg);
|
||||||
|
slot->alarm_arg = NULL;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
osi_free(slot);
|
osi_free(slot);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static void spp_free_pending_slots(void)
|
||||||
|
{
|
||||||
|
spp_slot_t *slot = NULL;
|
||||||
|
for (size_t i = 1; i <= MAX_RFC_PORTS; i++) {
|
||||||
|
slot = spp_local_param.spp_slots[i];
|
||||||
|
if (slot) {
|
||||||
|
BTC_TRACE_WARNING("%s found slot(rfc_handle=0x%x) pending to close, close it now!", __func__, slot->rfc_handle);
|
||||||
|
spp_free_slot(slot);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
static inline void btc_spp_cb_to_app(esp_spp_cb_event_t event, esp_spp_cb_param_t *param)
|
static inline void btc_spp_cb_to_app(esp_spp_cb_event_t event, esp_spp_cb_param_t *param)
|
||||||
{
|
{
|
||||||
esp_spp_cb_t btc_spp_cb = (esp_spp_cb_t)btc_profile_cb_get(BTC_PID_SPP);
|
esp_spp_cb_t btc_spp_cb = (esp_spp_cb_t)btc_profile_cb_get(BTC_PID_SPP);
|
||||||
@ -1211,6 +1229,7 @@ void btc_spp_cb_handler(btc_msg_t *msg)
|
|||||||
}
|
}
|
||||||
BTC_TRACE_WARNING("%s slot rx data will be discard in %d milliseconds!",
|
BTC_TRACE_WARNING("%s slot rx data will be discard in %d milliseconds!",
|
||||||
__func__, VFS_CLOSE_TIMEOUT);
|
__func__, VFS_CLOSE_TIMEOUT);
|
||||||
|
slot->alarm_arg = (void *)p_arg;
|
||||||
slot->connected = false;
|
slot->connected = false;
|
||||||
need_call = false;
|
need_call = false;
|
||||||
}
|
}
|
||||||
@ -1314,6 +1333,7 @@ void btc_spp_cb_handler(btc_msg_t *msg)
|
|||||||
break;
|
break;
|
||||||
case BTA_JV_DISABLE_EVT:
|
case BTA_JV_DISABLE_EVT:
|
||||||
param.uninit.status = ESP_SPP_SUCCESS;
|
param.uninit.status = ESP_SPP_SUCCESS;
|
||||||
|
spp_free_pending_slots();
|
||||||
BTA_JvFree();
|
BTA_JvFree();
|
||||||
osi_mutex_free(&spp_local_param.spp_slot_mutex);
|
osi_mutex_free(&spp_local_param.spp_slot_mutex);
|
||||||
if (spp_local_param.tx_event_group) {
|
if (spp_local_param.tx_event_group) {
|
||||||
|
|||||||
Reference in New Issue
Block a user