From a372e0ee88ee3c6e87ecf2f7468762f1ad7d9b0e Mon Sep 17 00:00:00 2001
From: Wang Mengyang
Date: Tue, 30 Jul 2024 17:17:18 +0800
Subject: [PATCH] fix(bt): Fix heap corruption in the call of esp_bt_mem_release on ESP32
Closes https://github.com/espressif/esp-idf/issues/14263
---
 components/bt/controller/esp32/bt.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/components/bt/controller/esp32/bt.c b/components/bt/controller/esp32/bt.c
index 4567226ddb..92aa9b16ae 100644
--- a/components/bt/controller/esp32/bt.c
+++ b/components/bt/controller/esp32/bt.c
@@ -1484,6 +1484,14 @@ esp_err_t esp_bt_mem_release(esp_bt_mode_t mode)
 .name = "BT Controller Data"
 };
+ /*
+ * Free data and BSS section for Bluetooth controller ROM code.
+ * Note that rom mem release must be performed before section _bt_data_start to _bt_data_end is released,
+ * otherwise `btdm_dram_available_region` will no longer be available when performing rom mem release and
+ * thus causing heap corruption.
+ */
+ ret = esp_bt_controller_rom_mem_release(mode);
+
 if (mode == ESP_BT_MODE_BTDM) {
 /* Start by freeing Bluetooth BSS section */
 if (ret == ESP_OK) {
@@ -1496,11 +1504,6 @@ esp_err_t esp_bt_mem_release(esp_bt_mode_t mode)
 }
 }
- /* free data and BSS section for Bluetooth controller ROM code */
- if (ret == ESP_OK) {
- ret = esp_bt_controller_rom_mem_release(mode);
- }
-
 return ret;
 }
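Review bot: The new unconditional `ret = esp_bt_controller_rom_mem_release(mode);` in the first hunk overwrites whatever `ret` held before this point, whereas the removed call (and the `if (ret == ESP_OK)` that still guards the BTDM branch immediately below) only ran when the earlier result was ESP_OK. esp_bt_mem_release starts before the hunk, so I cannot see what assigns `ret` earlier; if any preceding step can leave an error in it and fall through, the ROM data/BSS region is now handed to the heap despite that failure and the earlier error code is lost. Keeping the guard while retaining the corrected ordering, `if (ret == ESP_OK) { ret = esp_bt_controller_rom_mem_release(mode); }`, preserves the fail-fast chain that the rest of the function relies on. If `ret` is in fact always ESP_OK here, a one-line comment saying so above the call would stop the next reader from asking the same question.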