SPP: Fix race condition crash by unifying thread context for resource cleanup

Yezmax · Yezmax · commit 647b511ffcbc · 2026-01-09T10:46:38.000+08:00
bug: v/80850

Rootcause: uv_loop_close() marks internal data structures as invalid, but
pending callbacks in the queue still reference these invalidated
structures. When uv_run() is called later, it processes the queue using
corrupted pointers, leading to segmentation faults and crashes.

Solution:Resolve race conditions by serializing cleanup operations:
Change the cleanup operation triggered by Bluetooth adapter shutdown to
be asynchronously submitted to the bttool_loop thread for sequential
execution. Set the global pointer g_bttool_loop_ptr to directly point to
bttool-&gt;loop, avoiding data duplication. In the on_adapter_state_changed_cb
callback, use do_in_thread_loop(g_bttool_loop_ptr, bt_tool_uninit_cb, NULL)
to submit the cleanup task to the bttool_loop thread, ensuring it executes
sequentially in the same thread as the cleanup operation for user exit
commands, thereby completely eliminating race conditions.

Signed-off-by: v-chenghuijin &lt;v-chenghuijin@xiaomi.com&gt;
diff --git a/tools/bt_tools.c b/tools/bt_tools.c
@@ -87,6 +87,7 @@ static void* adapter_callback = NULL;
 static bool g_cmd_had_inited = false;
 bool g_auto_accept_pair = true;
 bond_state_t g_bond_state = BOND_STATE_NONE;
+static uv_loop_t* g_bttool_loop = NULL;
 
 static struct {
     int cmd_err_code;
@@ -1595,6 +1596,12 @@ static int execute_command(void* handle, int argc, char* argv[])
     return CMD_UNKNOWN;
 }
 
+static void bt_tool_uninit_cb(void* data)
+{
+    bt_tool_uninit(g_bttool_ins);
+    g_bttool_loop = NULL;
+}
+
 static void on_adapter_state_changed_cb(void* cookie, bt_adapter_state_t state)
 {
     PRINT("Context:%p, Adapter state changed: %d", cookie, state);
@@ -1616,7 +1623,9 @@ static void on_adapter_state_changed_cb(void* cookie, bt_adapter_state_t state)
         PRINT("Adapter Name: %s, Cap: %d, Class: 0x%08" PRIX32 ", Mode:%d", name, cap, class, mode);
     } else if (state == BT_ADAPTER_STATE_TURNING_OFF) {
         /* code */
-        bt_tool_uninit(g_bttool_ins);
+        if (g_bttool_loop && g_bttool_loop->data && !uv_loop_is_close(g_bttool_loop)) {
+            do_in_thread_loop(g_bttool_loop, bt_tool_uninit_cb, NULL);
+        }
     } else if (state == BT_ADAPTER_STATE_OFF) {
         /* do something */
     }
@@ -1906,7 +1915,7 @@ static void bttool_thread(void* data)
        before the asynchronous instance is created.
     */
     uv_loop_init(&bttool->loop);
-
+    g_bttool_loop = &bttool->loop;
     /* initialize synchronous or asynchronous instance.
        and register callbacks.
     */
