extmod/zephyr_ble: Fix soft reset resource leaks causing intermittent hang.

pi-anl · pi-anl · commit 1cad43a469aa · 2026-01-13T23:20:57.000+11:00
After 4-5 BLE test cycles, the device would hang during soft reset.
Root cause was accumulated state corruption from unfree'd resources
and stale flags persisting across soft resets.

Fixes:
- Reset static flags on deinit: mp_bt_zephyr_callbacks_registered,
  indication pool in_use flags, HCI RX task flags
- Add mp_bluetooth_zephyr_work_reset() to clear stale work queue
  linkages that prevented proper reinitialization
- Add mp_bt_zephyr_free_service() to free malloc'd GATT service
  memory (UUIDs, characteristic structs, attribute arrays)
- Free temporary UUIDs from create_zephyr_uuid() immediately after
  gatt_db_add() copies them

Verified with 20+ consecutive BLE multitest cycles without hang.
diff --git a/extmod/zephyr_ble/hal/zephyr_ble_work.c b/extmod/zephyr_ble/hal/zephyr_ble_work.c
@@ -831,3 +831,35 @@ bool mp_bluetooth_zephyr_work_drain(void) {
     DEBUG_WORK_printf("work_drain: done, processed=%d\n", any_work);
     return any_work;
 }
+
+// Reset work queue state for clean re-initialization
+// This clears the global work queue list and resets the system work queue
+// Called from mp_bluetooth_deinit() to prevent stale queue linkages
+void mp_bluetooth_zephyr_work_reset(void) {
+    DEBUG_WORK_printf("work_reset: clearing work queue state\n");
+
+    // Clear the global work queue list
+    global_work_q = NULL;
+
+    // Reset system work queue
+    k_sys_work_q.head = NULL;
+    k_sys_work_q.nextq = NULL;
+    k_sys_work_q.name = NULL;
+
+    // Reset init work queue
+    k_init_work_q.head = NULL;
+    k_init_work_q.nextq = NULL;
+    k_init_work_q.name = NULL;
+
+    // Reset recursion guards
+    regular_work_processor_running = false;
+    init_work_processor_running = false;
+
+    // Reset init phase flag
+    in_bt_enable_init = false;
+    in_sys_work_q_context = false;
+
+    // Reset debug counters
+    work_process_call_count = 0;
+    work_items_processed = 0;
+}
diff --git a/extmod/zephyr_ble/hal/zephyr_ble_work.h b/extmod/zephyr_ble/hal/zephyr_ble_work.h
@@ -215,6 +215,10 @@ void mp_bluetooth_zephyr_work_thread_stop(void);
 // Returns true if any work was processed
 bool mp_bluetooth_zephyr_work_drain(void);
 
+// Reset work queue state for clean re-initialization
+// Called from mp_bluetooth_deinit() to clear stale queue linkages
+void mp_bluetooth_zephyr_work_reset(void);
+
 // Get delayable work from work (for internal use)
 // work is embedded in the delayable work structure
 static inline struct k_work_delayable *k_work_delayable_from_work(struct k_work *work) {
diff --git a/extmod/zephyr_ble/modbluetooth_zephyr.c b/extmod/zephyr_ble/modbluetooth_zephyr.c
@@ -235,6 +235,7 @@ static void add_descriptor(struct bt_gatt_attr *chrc, struct add_descriptor *d,
 static void mp_bt_zephyr_gatt_indicate_done(struct bt_conn *conn, struct bt_gatt_indicate_params *params, uint8_t err);
 static void mp_bt_zephyr_gatt_indicate_destroy(struct bt_gatt_indicate_params *params);
 static struct bt_gatt_attr *mp_bt_zephyr_find_attr_by_handle(uint16_t value_handle);
+static void mp_bt_zephyr_free_service(struct bt_gatt_service *service);
 
 static struct bt_conn_cb mp_bt_zephyr_conn_callbacks = {
     .connected = mp_bt_zephyr_connected,
@@ -682,9 +683,14 @@ int mp_bluetooth_deinit(void) {
 
     #if CONFIG_BT_GATT_DYNAMIC_DB
     for (size_t i = 0; i < MP_STATE_PORT(bluetooth_zephyr_root_pointers)->n_services; ++i) {
-        bt_gatt_service_unregister(MP_STATE_PORT(bluetooth_zephyr_root_pointers)->services[i]);
-        MP_STATE_PORT(bluetooth_zephyr_root_pointers)->services[i] = NULL;
+        struct bt_gatt_service *service = MP_STATE_PORT(bluetooth_zephyr_root_pointers)->services[i];
+        if (service != NULL) {
+            bt_gatt_service_unregister(service);
+            mp_bt_zephyr_free_service(service);
+            MP_STATE_PORT(bluetooth_zephyr_root_pointers)->services[i] = NULL;
+        }
     }
+    MP_STATE_PORT(bluetooth_zephyr_root_pointers)->n_services = 0;
     #endif
 
     // Call bt_disable() to properly shutdown the BLE stack
@@ -729,6 +735,10 @@ int mp_bluetooth_deinit(void) {
     mp_bluetooth_zephyr_hci_rx_task_stop();
     mp_bluetooth_zephyr_work_thread_stop();
 
+    // Reset work queue state to clear stale queue linkages
+    extern void mp_bluetooth_zephyr_work_reset(void);
+    mp_bluetooth_zephyr_work_reset();
+
     // Deinit port-specific resources (CYW43 cleanup, soft timers, etc.)
     // This must be done after bt_disable() completes.
     #if MICROPY_PY_NETWORK_CYW43 || MICROPY_PY_BLUETOOTH_USE_ZEPHYR_HCI
@@ -739,6 +749,16 @@ int mp_bluetooth_deinit(void) {
     MP_STATE_PORT(bluetooth_zephyr_root_pointers) = NULL;
     mp_bt_zephyr_next_conn = NULL;
 
+    // Reset indication pool - all indications should be done by now
+    for (int i = 0; i < CONFIG_BT_MAX_CONN; i++) {
+        mp_bt_zephyr_indicate_pool[i].in_use = false;
+    }
+
+    // Reset callback registration flag so callbacks will be re-registered on next init.
+    // This is necessary because Zephyr's internal callback list may have been corrupted
+    // by the soft reset, and we want a clean slate.
+    mp_bt_zephyr_callbacks_registered = false;
+
     // Set state to OFF so next init does full re-initialization
     // (including controller init and callback registration)
     mp_bluetooth_zephyr_ble_state = MP_BLUETOOTH_ZEPHYR_BLE_STATE_OFF;
@@ -877,10 +897,14 @@ int mp_bluetooth_gatts_register_service_begin(bool append) {
         return MP_EOPNOTSUPP;
     }
 
-    // Unregister and unref any previous service definitions.
+    // Unregister and free any previous service definitions.
     for (size_t i = 0; i < MP_STATE_PORT(bluetooth_zephyr_root_pointers)->n_services; ++i) {
-        bt_gatt_service_unregister(MP_STATE_PORT(bluetooth_zephyr_root_pointers)->services[i]);
-        MP_STATE_PORT(bluetooth_zephyr_root_pointers)->services[i] = NULL;
+        struct bt_gatt_service *service = MP_STATE_PORT(bluetooth_zephyr_root_pointers)->services[i];
+        if (service != NULL) {
+            bt_gatt_service_unregister(service);
+            mp_bt_zephyr_free_service(service);
+            MP_STATE_PORT(bluetooth_zephyr_root_pointers)->services[i] = NULL;
+        }
     }
     MP_STATE_PORT(bluetooth_zephyr_root_pointers)->n_services = 0;
 
@@ -931,7 +955,10 @@ int mp_bluetooth_gatts_register_service(mp_obj_bluetooth_uuid_t *service_uuid, m
     uint64_t attrs_are_chrs = 0;
     uint64_t chr_has_ccc = 0;
 
-    add_service(create_zephyr_uuid(service_uuid), &svc_attributes[attr_index]);
+    // Create and add service, then free the temporary UUID (gatt_db_add copies it)
+    struct bt_uuid *svc_uuid = create_zephyr_uuid(service_uuid);
+    add_service(svc_uuid, &svc_attributes[attr_index]);
+    free(svc_uuid);
     attr_index += 1;
 
     for (size_t i = 0; i < num_characteristics; ++i) {
@@ -956,6 +983,8 @@ int mp_bluetooth_gatts_register_service(mp_obj_bluetooth_uuid_t *service_uuid, m
         }
 
         add_characteristic(&add_char, &svc_attributes[attr_index], &svc_attributes[attr_index + 1]);
+        // Free the temporary UUID (gatt_db_add copied it)
+        free((void *)add_char.uuid);
 
         struct bt_gatt_attr *curr_char = &svc_attributes[attr_index];
         attrs_are_chrs |= (1 << attr_index);
@@ -980,6 +1009,8 @@ int mp_bluetooth_gatts_register_service(mp_obj_bluetooth_uuid_t *service_uuid, m
                 }
 
                 add_descriptor(curr_char, &add_desc, &svc_attributes[attr_index]);
+                // Free the temporary UUID (gatt_db_add copied it)
+                free((void *)add_desc.uuid);
                 attr_index += 1;
 
                 descriptor_index++;
@@ -1000,6 +1031,8 @@ int mp_bluetooth_gatts_register_service(mp_obj_bluetooth_uuid_t *service_uuid, m
             attrs_to_ignore |= (1 << attr_index);
 
             add_descriptor(curr_char, &add_desc, &svc_attributes[attr_index]);
+            // Free the temporary UUID (gatt_db_add copied it)
+            free((void *)add_desc.uuid);
             attr_index += 1;
         }
     }
@@ -1600,6 +1633,56 @@ static void add_descriptor(struct bt_gatt_attr *chrc, struct add_descriptor *d,
     }
 }
 
+// Free all memory associated with a GATT service.
+// Called when unregistering services to prevent memory leaks.
+//
+// Memory allocation pattern in GATT registration:
+// - gatt_db_add() allocates attr->uuid via malloc for ALL attributes
+// - gatt_db_add() allocates attr->user_data via malloc ONLY when user_data_len > 0:
+//   - Service declaration (index 0): user_data = malloc'd copy of service UUID
+//   - Characteristic declaration: user_data = malloc'd bt_gatt_chrc struct
+//   - Other attrs: user_data is either NULL or later assigned to gatts_db entry (GC heap)
+// - Service struct and attrs array are malloc'd in mp_bluetooth_gatts_register_service
+//
+// We must NOT free user_data that points to gatts_db entries (GC managed).
+// We identify characteristic declarations by their read callback (bt_gatt_attr_read_chrc).
+static void mp_bt_zephyr_free_service(struct bt_gatt_service *service) {
+    if (service == NULL) {
+        return;
+    }
+
+    if (service->attrs != NULL) {
+        // First: free user_data for service declaration (index 0) and characteristic declarations
+        // Service declaration is always at index 0
+        if (service->attr_count > 0 && service->attrs[0].user_data != NULL) {
+            free(service->attrs[0].user_data);
+        }
+
+        // Characteristic declarations have read callback = bt_gatt_attr_read_chrc
+        extern ssize_t bt_gatt_attr_read_chrc(struct bt_conn *conn,
+            const struct bt_gatt_attr *attr, void *buf, uint16_t len, uint16_t offset);
+        for (size_t i = 1; i < service->attr_count; i++) {
+            struct bt_gatt_attr *attr = &service->attrs[i];
+            if (attr->read == bt_gatt_attr_read_chrc && attr->user_data != NULL) {
+                free(attr->user_data);
+            }
+        }
+
+        // Second: free all UUIDs (all were malloc'd by gatt_db_add)
+        for (size_t i = 0; i < service->attr_count; i++) {
+            if (service->attrs[i].uuid != NULL) {
+                free((void *)service->attrs[i].uuid);
+            }
+        }
+
+        // Free the attributes array itself
+        free(service->attrs);
+    }
+
+    // Free the service struct itself
+    free(service);
+}
+
 // GATT Client implementation
 #if MICROPY_PY_BLUETOOTH_ENABLE_GATT_CLIENT
 
diff --git a/ports/rp2/mpzephyrport_rp2.c b/ports/rp2/mpzephyrport_rp2.c
@@ -875,6 +875,12 @@ void mp_bluetooth_zephyr_port_deinit(void) {
     poll_uart_skipped_no_cb = 0;
     poll_uart_skipped_task = 0;
     poll_uart_cyw43_calls = 0;
+
+    #if MICROPY_PY_THREAD
+    // Reset HCI RX task flags so next init starts fresh
+    hci_rx_task_started = false;
+    hci_rx_task_exited = false;
+    #endif
 }
 
 void mp_bluetooth_zephyr_poll_uart(void) {
