From c71318ce88398909e382c20873ee3f1eab616973 Mon Sep 17 00:00:00 2001
From: Yulong
Date: Sat, 25 Nov 2017 05:06:14 -0500
Subject: [PATCH 1/3] component/bt: Fix the bug when write ccc sometimes will lead to repeatedly release the memory.
---
 components/bt/bluedroid/bta/gatt/bta_gattc_act.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/components/bt/bluedroid/bta/gatt/bta_gattc_act.c b/components/bt/bluedroid/bta/gatt/bta_gattc_act.c
index e93f451a0..07a7b6754 100644
--- a/components/bt/bluedroid/bta/gatt/bta_gattc_act.c
+++ b/components/bt/bluedroid/bta/gatt/bta_gattc_act.c
@@ -1637,7 +1637,10 @@ static void bta_gattc_conn_cback(tGATT_IF gattc_if, BD_ADDR bda, UINT16 conn_id,
     else if ((transport == BT_TRANSPORT_LE) && (connected == FALSE) && (p_conn != NULL)){
         p_conn->service_change_ccc_written = FALSE;
         if (p_conn->ccc_timer_used == TRUE){
-            osi_free((void *)p_conn->service_change_ccc_timer.param);
+            if (p_conn->service_change_ccc_timer.param != 0) {
+                osi_free((void *)p_conn->service_change_ccc_timer.param);
+                p_conn->service_change_ccc_timer.param = (TIMER_PARAM_TYPE)0;
+            }
             bta_sys_stop_timer(&(p_conn->service_change_ccc_timer));
             p_conn->ccc_timer_used = FALSE;
         }
@@ -2350,6 +2353,7 @@ static void bta_gattc_wait4_service_change_ccc_cback (TIMER_LIST_ENT *p_tle)
     if (p_conn == NULL){
         APPL_TRACE_ERROR("p_conn is NULL in %s\n", __func__);
         osi_free(p_timer_param);
+        p_tle->param = (TIMER_PARAM_TYPE)0;
         return;
     }
@@ -2381,6 +2385,7 @@ static void bta_gattc_wait4_service_change_ccc_cback (TIMER_LIST_ENT *p_tle)
     }
     osi_free(p_timer_param);
+    p_tle->param = (TIMER_PARAM_TYPE)0;
 }
 #endif
From 5b243b1d01d85fcabf2415b7bb2102fde2cc44ca Mon Sep 17 00:00:00 2001
From: Yulong
Date: Thu, 30 Nov 2017 02:45:26 -0500
Subject: [PATCH 2/3] component/bt: Added the mutex lock protect the ccc free when disconnect.
---
 components/bt/bluedroid/bta/gatt/bta_gattc_act.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
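Review bot: The timer parameter is released before `bta_sys_stop_timer` is called on the same timer, so if the timer can still fire between those two statements the callback reads a freed `param`; stopping the timer first closes that window independently of any locking added later. Swap the order: call `bta_sys_stop_timer(&(p_conn->service_change_ccc_timer));` first, then the guarded `osi_free((void *)p_conn->service_change_ccc_timer.param);` and the reset to `(TIMER_PARAM_TYPE)0`. The `param != 0` test is what prevents the double free named in the subject, so a comment such as `/* whoever frees param clears it, so a later disconnect must not free it again */` above the check would record that invariant for the next reader. bta_gattc_conn_cback starts and ends outside this hunk.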
diff --git a/components/bt/bluedroid/bta/gatt/bta_gattc_act.c b/components/bt/bluedroid/bta/gatt/bta_gattc_act.c
index 07a7b6754..cc3e08494 100644
--- a/components/bt/bluedroid/bta/gatt/bta_gattc_act.c
+++ b/components/bt/bluedroid/bta/gatt/bta_gattc_act.c
@@ -34,6 +34,7 @@
 #include "l2c_int.h"
 #include "gatt_int.h"
 #include "allocator.h"
+#include "mutex.h"
 #if (defined BTA_HH_LE_INCLUDED && BTA_HH_LE_INCLUDED == TRUE)
 #include "bta_hh_int.h"
@@ -47,6 +48,8 @@
 #if GATTC_INCLUDED == TRUE && BLE_INCLUDED == TRUE
+static osi_mutex_t write_ccc_mutex;
+
 /*****************************************************************************
 ** Constants
 *****************************************************************************/
@@ -125,6 +128,8 @@ static void bta_gattc_enable(tBTA_GATTC_CB *p_cb)
         /* initialize control block */
         memset(&bta_gattc_cb, 0, sizeof(tBTA_GATTC_CB));
         p_cb->state = BTA_GATTC_STATE_ENABLED;
+        // Create a write ccc mutex when the gatt client enable
+        osi_mutex_new(&write_ccc_mutex);
     } else {
         APPL_TRACE_DEBUG("GATTC is arelady enabled");
     }
@@ -151,6 +156,8 @@ void bta_gattc_disable(tBTA_GATTC_CB *p_cb)
         APPL_TRACE_ERROR("not enabled or disable in pogress");
         return;
     }
+    // Free the write ccc mutex when the gatt client disable
+    osi_mutex_free(&write_ccc_mutex);
     for (i = 0; i < BTA_GATTC_CL_MAX; i ++) {
         if (p_cb->cl_rcb[i].in_use) {
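Review bot: `osi_mutex_free(&write_ccc_mutex)` runs before the loop over `p_cb->cl_rcb[]` that follows it in bta_gattc_disable, so any LE disconnect delivered to bta_gattc_conn_cback during that client teardown locks a mutex that has already been released; the free belongs at the end of the function, once the clients are gone. Whether `osi_mutex_free` also clears the handle is not visible here; if it does not, the `assert(write_ccc_mutex != NULL)` guards added later in this series cannot catch the use-after-free, so clear it explicitly, e.g. `osi_mutex_free(&write_ccc_mutex); write_ccc_mutex = NULL;`. The result of `osi_mutex_new(&write_ccc_mutex)` in the bta_gattc_enable hunk is likewise discarded; if creation can fail, an error trace at that point would make the later assert failure diagnosable. bta_gattc_disable continues outside this hunk.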
@@ -1637,12 +1644,16 @@ static void bta_gattc_conn_cback(tGATT_IF gattc_if, BD_ADDR bda, UINT16 conn_id,
     else if ((transport == BT_TRANSPORT_LE) && (connected == FALSE) && (p_conn != NULL)){
         p_conn->service_change_ccc_written = FALSE;
         if (p_conn->ccc_timer_used == TRUE){
+            assert(write_ccc_mutex != NULL);
+            osi_mutex_lock(&write_ccc_mutex, OSI_MUTEX_MAX_TIMEOUT);
+
             if (p_conn->service_change_ccc_timer.param != 0) {
                 osi_free((void *)p_conn->service_change_ccc_timer.param);
                 p_conn->service_change_ccc_timer.param = (TIMER_PARAM_TYPE)0;
             }
             bta_sys_stop_timer(&(p_conn->service_change_ccc_timer));
             p_conn->ccc_timer_used = FALSE;
+            osi_mutex_unlock(&write_ccc_mutex);
         }
     }
@@ -2343,6 +2354,9 @@ static void bta_gattc_wait4_service_change_ccc_cback (TIMER_LIST_ENT *p_tle)
     BOOLEAN start_ccc_timer = FALSE;
     UINT32 new_timeout;
+    assert(write_ccc_mutex != NULL);
+    osi_mutex_lock(&write_ccc_mutex, OSI_MUTEX_MAX_TIMEOUT);
+
     tBTA_GATTC_WAIT_CCC_TIMER *p_timer_param = (tBTA_GATTC_WAIT_CCC_TIMER*) p_tle->param;
     if (p_timer_param == NULL){
         APPL_TRACE_ERROR("p_timer_param is NULL in %s\n", __func__);
@@ -2386,6 +2400,7 @@ static void bta_gattc_wait4_service_change_ccc_cback (TIMER_LIST_ENT *p_tle)
     osi_free(p_timer_param);
     p_tle->param = (TIMER_PARAM_TYPE)0;
+    osi_mutex_unlock(&write_ccc_mutex);
 }
 #endif
From a0992ad4427e7400808c30c7055554a35c14e6d9 Mon Sep 17 00:00:00 2001
From: yulong
Date: Thu, 30 Nov 2017 16:15:22 +0800
Subject: [PATCH 3/3] component/bt: Remove the p_tle->param reset to 0 when free the p_timer_param pointer.
---
 components/bt/bluedroid/bta/gatt/bta_gattc_act.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/components/bt/bluedroid/bta/gatt/bta_gattc_act.c b/components/bt/bluedroid/bta/gatt/bta_gattc_act.c
index cc3e08494..3196ffb67 100644
--- a/components/bt/bluedroid/bta/gatt/bta_gattc_act.c
+++ b/components/bt/bluedroid/bta/gatt/bta_gattc_act.c
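Review bot: The status of `osi_mutex_lock(&write_ccc_mutex, OSI_MUTEX_MAX_TIMEOUT)` in the disconnect branch is discarded, so if that call can fail or time out the free of `service_change_ccc_timer.param` proceeds without the protection this commit is adding. If `osi_mutex_lock` reports an error, trace it and skip the free instead of continuing, along the lines of `if (osi_mutex_lock(&write_ccc_mutex, OSI_MUTEX_MAX_TIMEOUT) != 0) { APPL_TRACE_ERROR("lock failed in %s", __func__); return; }` — adjusted to whatever status the function actually returns. bta_gattc_conn_cback starts and ends outside this hunk.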
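Review bot: `osi_mutex_lock` is taken at the top of bta_gattc_wait4_service_change_ccc_cback, but the `p_timer_param == NULL` error path that begins on the last line of this hunk returns without releasing it, and the `p_conn == NULL` path (visible in patch 3's `@@ -2367` hunk) does the same after `osi_free(p_timer_param)`; the only `osi_mutex_unlock` is at the end of the function in the `@@ -2386` hunk. Once a disconnect has cleared `service_change_ccc_timer.param`, a callback that was already pending takes exactly the NULL branch, so the next `osi_mutex_lock(&write_ccc_mutex, OSI_MUTEX_MAX_TIMEOUT)` in bta_gattc_conn_cback never returns. Add `osi_mutex_unlock(&write_ccc_mutex);` before each early `return;`, or send both paths through one unlock-and-return label. The defect is unchanged in the final state shown in patch 3's `@@ -2358` and `@@ -2367` hunks; the callback's body continues outside this hunk.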
@@ -2358,6 +2358,7 @@ static void bta_gattc_wait4_service_change_ccc_cback (TIMER_LIST_ENT *p_tle)
     osi_mutex_lock(&write_ccc_mutex, OSI_MUTEX_MAX_TIMEOUT);
     tBTA_GATTC_WAIT_CCC_TIMER *p_timer_param = (tBTA_GATTC_WAIT_CCC_TIMER*) p_tle->param;
+    p_tle->param = (TIMER_PARAM_TYPE)0;
     if (p_timer_param == NULL){
         APPL_TRACE_ERROR("p_timer_param is NULL in %s\n", __func__);
         return;
@@ -2367,7 +2368,6 @@ static void bta_gattc_wait4_service_change_ccc_cback (TIMER_LIST_ENT *p_tle)
     if (p_conn == NULL){
         APPL_TRACE_ERROR("p_conn is NULL in %s\n", __func__);
         osi_free(p_timer_param);
-        p_tle->param = (TIMER_PARAM_TYPE)0;
         return;
     }
@@ -2399,7 +2399,6 @@ static void bta_gattc_wait4_service_change_ccc_cback (TIMER_LIST_ENT *p_tle)
     }
     osi_free(p_timer_param);
-    p_tle->param = (TIMER_PARAM_TYPE)0;
     osi_mutex_unlock(&write_ccc_mutex);
 }
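Review bot: Clearing `p_tle->param` right after reading it, ahead of the NULL check, is the ownership hand-off that keeps the `param != 0` test in bta_gattc_conn_cback from freeing the same block a second time, but nothing at the site says so and a reader of this patch only sees two later resets being removed. A comment above the new line such as `/* Take ownership of the timer param now, under write_ccc_mutex: a disconnect that runs after we unlock frees param only if it is still non-zero. */` would record the invariant the three patches establish. The read-and-clear pair is only safe because both this callback and the disconnect branch hold `write_ccc_mutex`, so the comment should mention the lock. The callback continues outside this hunk.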