Skip to content

Commit 5aff606

Browse files
alxelaxalxelax
committed
[nrf fromtree] bluetooth: mesh: fix buffer leakage if mesh was suspended
Commit fixes bug when advertisements were disabled and stopped during suspending without unreferencing allocated advertisements. Signed-off-by: Aleksandr Khromykh <[email protected]> (cherry picked from commit 9e0c6d5)
1 parent 59275b9 commit 5aff606

File tree

1 file changed

+17
-16
lines changed

1 file changed

+17
-16
lines changed

subsys/bluetooth/mesh/adv_ext.c

Lines changed: 17 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -459,6 +459,13 @@ void bt_mesh_adv_friend_ready(void)
459459
}
460460
}
461461

462+
static void adv_sent(struct bt_mesh_ext_adv *ext_adv)
463+
{
464+
atomic_set_bit(ext_adv->flags, ADV_FLAG_SENT);
465+
466+
bt_mesh_wq_submit(&ext_adv->work);
467+
}
468+
462469
int bt_mesh_adv_terminate(struct bt_mesh_adv *adv)
463470
{
464471
int err;
@@ -483,9 +490,7 @@ int bt_mesh_adv_terminate(struct bt_mesh_adv *adv)
483490
/* Do not call `cb:end`, since this user action */
484491
adv->ctx.cb = NULL;
485492

486-
atomic_set_bit(ext_adv->flags, ADV_FLAG_SENT);
487-
488-
bt_mesh_wq_submit(&ext_adv->work);
493+
adv_sent(ext_adv);
489494

490495
return 0;
491496
}
@@ -539,8 +544,7 @@ static struct bt_mesh_ext_adv *adv_instance_find(struct bt_le_ext_adv *instance)
539544
return NULL;
540545
}
541546

542-
static void adv_sent(struct bt_le_ext_adv *instance,
543-
struct bt_le_ext_adv_sent_info *info)
547+
static void ext_adv_set_sent(struct bt_le_ext_adv *instance, struct bt_le_ext_adv_sent_info *info)
544548
{
545549
struct bt_mesh_ext_adv *ext_adv = adv_instance_find(instance);
546550

@@ -554,17 +558,15 @@ static void adv_sent(struct bt_le_ext_adv *instance,
554558
return;
555559
}
556560

557-
atomic_set_bit(ext_adv->flags, ADV_FLAG_SENT);
558-
559-
bt_mesh_wq_submit(&ext_adv->work);
561+
adv_sent(ext_adv);
560562
}
561563

562564
int bt_mesh_adv_enable(void)
563565
{
564566
int err;
565567

566568
static const struct bt_le_ext_adv_cb adv_cb = {
567-
.sent = adv_sent,
569+
.sent = ext_adv_set_sent,
568570
};
569571

570572
if (advs[0].instance) {
@@ -573,8 +575,7 @@ int bt_mesh_adv_enable(void)
573575
}
574576

575577
for (int i = 0; i < ARRAY_SIZE(advs); i++) {
576-
err = bt_le_ext_adv_create(&advs[i].adv_param, &adv_cb,
577-
&advs[i].instance);
578+
err = bt_le_ext_adv_create(&advs[i].adv_param, &adv_cb, &advs[i].instance);
578579
if (err) {
579580
return err;
580581
}
@@ -611,11 +612,6 @@ int bt_mesh_adv_disable(void)
611612
return err;
612613
}
613614

614-
/* `adv_sent` is called to finish transmission of an adv buffer that was pushed to
615-
* the host before the advertiser was stopped, but did not finish.
616-
*/
617-
adv_sent(advs[i].instance, NULL);
618-
619615
err = bt_le_ext_adv_delete(advs[i].instance);
620616
if (err) {
621617
LOG_ERR("Failed to delete adv %d", err);
@@ -625,6 +621,11 @@ int bt_mesh_adv_disable(void)
625621
advs[i].instance = NULL;
626622

627623
atomic_clear_bit(advs[i].flags, ADV_FLAG_SUSPENDING);
624+
625+
/* `adv_sent` is called to finish transmission of an adv buffer that was pushed to
626+
* the host before the advertiser was stopped, but did not finish.
627+
*/
628+
adv_sent(&advs[i]);
628629
}
629630

630631
return 0;

0 commit comments

Comments
 (0)