
Commit 9e0c6d5

alxelaxkartben
authored andcommitted
bluetooth: mesh: fix buffer leakage if mesh was suspended
Commit fixes bug when advertisements were disabled and stopped during suspending without unreferencing allocated advertisements. Signed-off-by: Aleksandr Khromykh <aleksandr.khromykh@nordicsemi.no>
1 parent fe1b0e3 commit 9e0c6d5


1 file changed

+17
-16
lines changed


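--- a/subsys/bluetooth/mesh/adv_ext.c
+++ b/subsys/bluetooth/mesh/adv_ext.c
@@ -434,6 +434,13 @@ void bt_mesh_adv_friend_ready(void)
 }
 }
 
+static void adv_sent(struct bt_mesh_ext_adv *ext_adv)
+{
+atomic_set_bit(ext_adv->flags, ADV_FLAG_SENT);
+
+bt_mesh_wq_submit(&ext_adv->work);
+}
+
 int bt_mesh_adv_terminate(struct bt_mesh_adv *adv)
 {
 int err;
@@ -458,9 +465,7 @@ int bt_mesh_adv_terminate(struct bt_mesh_adv *adv)
 /* Do not call `cb:end`, since this user action */
 adv->ctx.cb = NULL;
 
-atomic_set_bit(ext_adv->flags, ADV_FLAG_SENT);
-
-bt_mesh_wq_submit(&ext_adv->work);
+adv_sent(ext_adv);
 
 return 0;
 }
@@ -502,8 +507,7 @@ static struct bt_mesh_ext_adv *adv_instance_find(struct bt_le_ext_adv *instance)
 return NULL;
 }
 
-static void adv_sent(struct bt_le_ext_adv *instance,
-struct bt_le_ext_adv_sent_info *info)
+static void ext_adv_set_sent(struct bt_le_ext_adv *instance, struct bt_le_ext_adv_sent_info *info)
 {
 struct bt_mesh_ext_adv *ext_adv = adv_instance_find(instance);
 
@@ -517,17 +521,15 @@ static void adv_sent(struct bt_le_ext_adv *instance,
 return;
 }
 
-atomic_set_bit(ext_adv->flags, ADV_FLAG_SENT);
-
-bt_mesh_wq_submit(&ext_adv->work);
+adv_sent(ext_adv);
 }
 
 int bt_mesh_adv_enable(void)
 {
 int err;
 
 static const struct bt_le_ext_adv_cb adv_cb = {
-.sent = adv_sent,
+.sent = ext_adv_set_sent,
 };
 
 if (advs[0].instance) {
@@ -536,8 +538,7 @@ int bt_mesh_adv_enable(void)
 }
 
 for (int i = 0; i < ARRAY_SIZE(advs); i++) {
-err = bt_le_ext_adv_create(&advs[i].adv_param, &adv_cb,
-&advs[i].instance);
+err = bt_le_ext_adv_create(&advs[i].adv_param, &adv_cb, &advs[i].instance);
 if (err) {
 return err;
 }
@@ -565,11 +566,6 @@ int bt_mesh_adv_disable(void)
 return err;
 }
 
-/* `adv_sent` is called to finish transmission of an adv buffer that was pushed to
-* the host before the advertiser was stopped, but did not finish.
-*/
-adv_sent(advs[i].instance, NULL);
-
 err = bt_le_ext_adv_delete(advs[i].instance);
 if (err) {
 LOG_ERR("Failed to delete adv %d", err);
@@ -579,6 +575,11 @@ int bt_mesh_adv_disable(void)
 advs[i].instance = NULL;
 
 atomic_clear_bit(advs[i].flags, ADV_FLAG_SUSPENDING);
+
+/* `adv_sent` is called to finish transmission of an adv buffer that was pushed to
+* the host before the advertiser was stopped, but did not finish.
+*/
+adv_sent(&advs[i]);
 }
 
 return 0;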
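Review bot: In bt_mesh_adv_disable the relocated `adv_sent(&advs[i]);` is reached only when bt_le_ext_adv_delete() succeeds; the `Failed to delete adv` branch (its exit is outside the hunk, presumably `return err;`) and the earlier `return err;` leave the loop without it, so the in-flight advertisement buffer this commit is meant to release would stay referenced on those paths. ADV_FLAG_SUSPENDING is likewise cleared only after a successful delete, so a failed disable appears to leave the instance both suspended and holding its buffer, which on a small adv pool turns into an availability problem. Consider releasing the buffer on the failure paths too, or at least stating the contract above the call, e.g. `/* Not reached if stop/delete fails: the in-flight adv stays referenced and ADV_FLAG_SUSPENDING stays set. */`. The direct call also bypasses the early-return guard visible in ext_adv_set_sent (the `return;` just before its `adv_sent(ext_adv);`, condition outside the hunk), so it is worth confirming that the work handler tolerates ADV_FLAG_SENT being set when no advertisement was active.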
