From b2325e50bb68f57935d36192d86d217f63ad79e0 Mon Sep 17 00:00:00 2001
From: chenjianhua
Date: Mon, 26 Jun 2023 20:39:32 +0800
Subject: [PATCH] fix(bt/bluedroid): Fix memory leak of gattc cache upon disconnection
---
 components/bt/host/bluedroid/bta/dm/bta_dm_act.c | 10 ----------
 components/bt/host/bluedroid/bta/gatt/bta_gattc_act.c | 2 --
 .../bt/host/bluedroid/bta/gatt/bta_gattc_utils.c | 10 ++++++++++
 .../bt/host/bluedroid/bta/include/bta/bta_gatt_api.h | 2 ++
 .../bt/host/bluedroid/btc/profile/std/gatt/btc_gattc.c | 2 ++
 5 files changed, 14 insertions(+), 12 deletions(-)
diff --git a/components/bt/host/bluedroid/bta/dm/bta_dm_act.c b/components/bt/host/bluedroid/bta/dm/bta_dm_act.c
index 2e7dfd02e2..179258ee31 100644
--- a/components/bt/host/bluedroid/bta/dm/bta_dm_act.c
+++ b/components/bt/host/bluedroid/bta/dm/bta_dm_act.c
@@ -982,10 +982,6 @@ static void bta_dm_process_remove_device(BD_ADDR bd_addr, tBT_TRANSPORT transpor
 BTM_SecDeleteDevice(bd_addr, transport);
-#if (BLE_INCLUDED == TRUE && GATTC_INCLUDED == TRUE)
- /* remove all cached GATT information */
- BTA_GATTC_Refresh(bd_addr, false);
-#endif
 if (bta_dm_cb.p_sec_cback) {
 tBTA_DM_SEC sec_event;
 bdcpy(sec_event.link_down.bd_addr, bd_addr);
@@ -1140,8 +1136,6 @@ void bta_dm_close_acl(tBTA_DM_MSG *p_data)
 #if (BLE_INCLUDED == TRUE && GATTC_INCLUDED == TRUE)
 /* need to remove all pending background connection if any */
 BTA_GATTC_CancelOpen(0, p_remove_acl->bd_addr, FALSE);
- /* remove all cached GATT information */
- BTA_GATTC_Refresh(p_remove_acl->bd_addr, false);
 #endif
 }
 /* otherwise, no action needed */
@@ -3636,8 +3630,6 @@ void bta_dm_acl_change(tBTA_DM_MSG *p_data)
 #if (BLE_INCLUDED == TRUE && GATTC_INCLUDED == TRUE)
 /* need to remove all pending background connection */
 BTA_GATTC_CancelOpen(0, p_bda, FALSE);
- /* remove all cached GATT information */
- BTA_GATTC_Refresh(p_bda, false);
 #endif
 }
@@ -3815,8 +3807,6 @@ static BOOLEAN bta_dm_remove_sec_dev_entry(BD_ADDR remote_bd_addr)
 #if (BLE_INCLUDED == TRUE && GATTC_INCLUDED == TRUE)
 /* need to remove all pending background connection */
 BTA_GATTC_CancelOpen(0, remote_bd_addr, FALSE);
- /* remove all cached GATT information */
- BTA_GATTC_Refresh(remote_bd_addr, false);
 #endif
 }
 return is_device_deleted;
diff --git a/components/bt/host/bluedroid/bta/gatt/bta_gattc_act.c b/components/bt/host/bluedroid/bta/gatt/bta_gattc_act.c
index 2e695719a9..a49366e4bd 100644
--- a/components/bt/host/bluedroid/bta/gatt/bta_gattc_act.c
+++ b/components/bt/host/bluedroid/bta/gatt/bta_gattc_act.c
@@ -821,8 +821,6 @@ void bta_gattc_close(tBTA_GATTC_CLCB *p_clcb, tBTA_GATTC_DATA *p_data)
 bta_sys_conn_close( BTA_ID_GATTC , BTA_ALL_APP_ID, p_clcb->bda);
 }
- bta_gattc_clcb_dealloc(p_clcb);
-
 if (p_data->hdr.event == BTA_GATTC_API_CLOSE_EVT) {
 cb_data.close.status = GATT_Disconnect(p_data->hdr.layer_specific);
 } else if (p_data->hdr.event == BTA_GATTC_INT_DISCONN_EVT) {
diff --git a/components/bt/host/bluedroid/bta/gatt/bta_gattc_utils.c b/components/bt/host/bluedroid/bta/gatt/bta_gattc_utils.c
index fa6d17392e..c39e0ce742 100644
--- a/components/bt/host/bluedroid/bta/gatt/bta_gattc_utils.c
+++ b/components/bt/host/bluedroid/bta/gatt/bta_gattc_utils.c
@@ -322,6 +322,15 @@ void bta_gattc_clcb_dealloc(tBTA_GATTC_CLCB *p_clcb)
 }
 }
+void bta_gattc_clcb_dealloc_by_conn_id(UINT16 conn_id)
+{
+ tBTA_GATTC_CLCB *p_clcb = bta_gattc_find_clcb_by_conn_id(conn_id);
+
+ if (p_clcb) {
+ bta_gattc_clcb_dealloc(p_clcb);
+ }
+}
+
 /*******************************************************************************
 **
 ** Function bta_gattc_find_srcb
@@ -421,6 +430,7 @@ tBTA_GATTC_SERV *bta_gattc_srcb_alloc(BD_ADDR bda)
 {
 if (p_tcb->p_srvc_cache != NULL) {
 list_free(p_tcb->p_srvc_cache);
+ p_tcb->p_srvc_cache = NULL;
 }
 osi_free(p_tcb->p_srvc_list);
 p_tcb->p_srvc_list = NULL;
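Review bot: `bta_gattc_clcb_dealloc_by_conn_id` resolves the control block again by `conn_id` at the moment it runs, and the hunk shows neither a lock nor a comment saying which task is allowed to call it. Its caller in btc_gattc.c runs it from the BTC event handler some time after the close was generated, so it is worth confirming that the same `conn_id` cannot have been assigned to a new connection in between, otherwise the clcb of the new link would be freed. The neighbouring functions carry a `Function / Description / Returns` banner; I would add one here stating the calling context and that an unknown `conn_id` is silently ignored, and add a one-line debug trace in an `else` branch for the not-found case.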
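Review bot: With the four `BTA_GATTC_Refresh(..., false)` calls removed from bta_dm_act.c, this recycle branch appears to be the only place in the diff where a server's cached service list is released, so the cache of a device whose bond was deleted (`bta_dm_process_remove_device`, `bta_dm_remove_sec_dev_entry`) seems to survive until its slot is reused. If that is intended, say so next to the `list_free()` call, e.g. `/* cache is kept across disconnect and unbond; it is only dropped when the srcb is recycled */`; if not, the bond-removal paths still need a way to drop it. Setting `p_srvc_cache = NULL` after the free is right and matches the `p_srvc_list = NULL` two lines below. The body of `bta_gattc_srcb_alloc` starts and ends outside the hunk.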
diff --git a/components/bt/host/bluedroid/bta/include/bta/bta_gatt_api.h b/components/bt/host/bluedroid/bta/include/bta/bta_gatt_api.h
index 52501977f8..ff6abbffb3 100644
--- a/components/bt/host/bluedroid/bta/include/bta/bta_gatt_api.h
+++ b/components/bt/host/bluedroid/bta/include/bta/bta_gatt_api.h
@@ -1544,6 +1544,8 @@ extern void BTA_GATTS_Listen(tBTA_GATTS_IF server_if, BOOLEAN start, BD_ADDR_PTR target_bda);
+extern void bta_gattc_clcb_dealloc_by_conn_id(UINT16 conn_id);
+
 #ifdef __cplusplus
 }
diff --git a/components/bt/host/bluedroid/btc/profile/std/gatt/btc_gattc.c b/components/bt/host/bluedroid/btc/profile/std/gatt/btc_gattc.c
index caf0536747..3db904cd96 100644
--- a/components/bt/host/bluedroid/btc/profile/std/gatt/btc_gattc.c
+++ b/components/bt/host/bluedroid/btc/profile/std/gatt/btc_gattc.c
@@ -922,6 +922,8 @@ void btc_gattc_cb_handler(btc_msg_t *msg)
 case BTA_GATTC_CLOSE_EVT: {
 tBTA_GATTC_CLOSE *close = &arg->close;
+ // Free gattc clcb in BTC task to avoid race condition
+ bta_gattc_clcb_dealloc_by_conn_id(close->conn_id);
 gattc_if = close->client_if;
 param.close.status = close->status;
 param.close.conn_id = BTC_GATT_GET_CONN_ID(close->conn_id);
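Review bot: The new prototype places an internal, lower-case `bta_gattc_*` helper that frees a client control block in the public API header, directly after `BTA_GATTS_Listen`, and without a comment. Any code that includes this header can now release a clcb by connection id, so I would either move the declaration to a header private to the GATT client/BTC layer or document the contract above it, e.g. `/* Internal: called only from the BTC GATTC close handler to free the clcb for conn_id */`. It is also not visible in the hunk whether the declaration sits inside a `GATTC_INCLUDED` guard; that is worth checking for builds without the GATT client.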
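Review bot: Freeing the clcb here makes its release depend on `BTA_GATTC_CLOSE_EVT` actually reaching `btc_gattc_cb_handler`, because the unconditional `bta_gattc_clcb_dealloc(p_clcb)` in `bta_gattc_close` is removed by this same commit. If the event is ever not delivered (the posting path is outside the hunk, so this needs confirming), the control block stays allocated and repeated disconnects could exhaust the clcb table. The comment should also name the race it avoids and note that the raw `close->conn_id` is used for the lookup on purpose while the application receives `BTC_GATT_GET_CONN_ID(close->conn_id)`, e.g. `// Free the clcb in the BTC task, once BTA has finished with it; the lookup needs the full BTA conn_id`. The handler's body starts and ends outside the hunk.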