SPP: Add mutex protection in spp_command_uninit to prevent concurrent access

Yezmax · Yezmax · commit 2b07e8f18bc4 · 2025-12-23T18:09:23.000+08:00
v/80850

Rootcause: uv_loop_close() marks internal data structures as invalid (e.g., set to -1), but pending callbacks in the queue still reference these invalidated structures. When uv_run() is called later, it processes the queue using corrupted pointers, leading to segmentation faults and crashes.

Solution:Introduce a global mutex 'spp_lock' to protect the entire cleanup process in
spp_command_uninit. The lock is initialized in spp_command_init and acquired
at the beginning of spp_command_uninit. It is released and destroyed at the
end of the function to ensure atomic execution of critical operations and
prevent data races.

Signed-off-by: v-chenghuijin &lt;v-chenghuijin@xiaomi.com&gt;
diff --git a/tools/spp.c b/tools/spp.c
@@ -24,6 +24,10 @@
 #include "bt_uuid.h"
 #include "euv_pipe.h"
 #include "uv_thread_loop.h"
+#include <inttypes.h>
+#include <stdlib.h>
+#include <string.h>
+#include <syslog.h>
 
 typedef struct {
     struct list_node node;
@@ -87,6 +91,7 @@ static sem_t spp_send_sem;
 static void* spp_app_handle = NULL;
 static uv_loop_t spp_thread_loop = { 0 };
 static transmit_context_t trans_ctx = { 0 };
+static uv_mutex_t spp_lock;
 
 static struct option spp_ping_options[] = {
     { "port", required_argument, 0, 'p' },
@@ -720,15 +725,24 @@ int spp_command_init(void* handle)
     thread_loop_run(&spp_thread_loop, true, "spp_client");
     spp_app_handle = bt_spp_register_app_with_name(handle, "btool", &spp_cbs);
 
+    int ret = uv_mutex_init(&spp_lock);
+    if (ret != 0) {
+        syslog(LOG_ERR, "%s mutex error: %d", __func__, ret);
+        return ret;
+    }
+
     return 0;
 }
 
 void spp_command_uninit(void* handle)
 {
+    uv_mutex_lock(&spp_lock);
     bt_spp_unregister_app(handle, spp_app_handle);
     sem_destroy(&spp_send_sem);
     thread_loop_exit(&spp_thread_loop);
     memset(&spp_thread_loop, 0, sizeof(spp_thread_loop));
+    uv_mutex_unlock(&spp_lock);
+    uv_mutex_destroy(&spp_lock);
 }
 
 int spp_command_exec(void* handle, int argc, char* argv[])
