SPP: Fix race condition crash by unifying thread context for resource cleanup

bug: v/80850

Rootcause: uv_loop_close() marks internal data structures as invalid
(e.g., set to -1), but pending callbacks in the queue still reference
these invalidated structures. When uv_run() is called later, it processes
the queue using corrupted pointers, leading to segmentation faults and
crashes.

Solution:We modified the adapter state change callback
(on_adapter_state_changed_cb) in bt_tools.c. When the adapter state is
detected to be turning off, instead of directly calling the cleanup
function, the task bt_tool_uninit_cb is now dispatched to the bttool_loop
thread for sequential execution via do_in_thread_loop. This approach
ensures all resource cleanup operations—including the critical
spp_command_uninit call—are completed sequentially within the same thread
context, completely eliminating the possibility of concurrent access.

Signed-off-by: v-chenghuijin <v-chenghuijin@xiaomi.com>

Author: Yezmax

framework/common/uv_thread_loop.c

@@ -223,10 +223,8 @@ void thread_loop_exit(uv_loop_t* loop)
         uv_sem_wait(&priv->exited);
         uv_sem_destroy(&priv->exited);
     } else {
-        if (!uv_loop_is_close(loop)) {
-            uv_run(loop, UV_RUN_ONCE);
-            (void)uv_loop_close(loop);
-        }
+        uv_run(loop, UV_RUN_ONCE);
+        (void)uv_loop_close(loop);
     }
 
     uv_mutex_lock(&priv->msg_lock);

service/common/service_loop.c

@@ -287,10 +287,8 @@ void service_loop_exit(void)
         uv_sem_wait(&loop->exited);
         uv_sem_destroy(&loop->exited);
     } else {
-        if (!uv_loop_is_close(handle)) {
-            uv_run(handle, UV_RUN_ONCE);
-            (void)uv_loop_close(handle);
-        }
+        uv_run(handle, UV_RUN_ONCE);
+        (void)uv_loop_close(handle);
     }
 
     uv_mutex_lock(&loop->msg_lock);

tools/bt_tools.c

@@ -87,6 +87,7 @@ static void* adapter_callback = NULL;
 static bool g_cmd_had_inited = false;
 bool g_auto_accept_pair = true;
 bond_state_t g_bond_state = BOND_STATE_NONE;
+static uv_loop_t bttool_loop;
 
 static struct {
     int cmd_err_code;
@@ -1595,6 +1596,11 @@ static int execute_command(void* handle, int argc, char* argv[])
     return CMD_UNKNOWN;
 }
 
+static void bt_tool_uninit_cb(void* data)
+{
+    bt_tool_uninit(g_bttool_ins);
+}
+
 static void on_adapter_state_changed_cb(void* cookie, bt_adapter_state_t state)
 {
     PRINT("Context:%p, Adapter state changed: %d", cookie, state);
@@ -1616,7 +1622,9 @@ static void on_adapter_state_changed_cb(void* cookie, bt_adapter_state_t state)
         PRINT("Adapter Name: %s, Cap: %d, Class: 0x%08" PRIX32 ", Mode:%d", name, cap, class, mode);
     } else if (state == BT_ADAPTER_STATE_TURNING_OFF) {
         /* code */
-        bt_tool_uninit(g_bttool_ins);
+        if (bttool_loop.data) {
+            do_in_thread_loop(&bttool_loop, bt_tool_uninit_cb, NULL);
+        }
     } else if (state == BT_ADAPTER_STATE_OFF) {
         /* do something */
     }
@@ -1906,7 +1914,7 @@ static void bttool_thread(void* data)
        before the asynchronous instance is created.
     */
     uv_loop_init(&bttool->loop);
-
+    memcpy(&bttool_loop, &bttool->loop, sizeof(uv_loop_t));
     /* initialize synchronous or asynchronous instance.
        and register callbacks.
     */

tools/spp.c

@@ -13,17 +13,18 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  ***************************************************************************/
-#include <stdlib.h>
-#include <string.h>
 
-#include "bt_config.h"
 #include "bt_list.h"
 #include "bt_spp.h"
 #include "bt_time.h"
 #include "bt_tools.h"
 #include "bt_uuid.h"
 #include "euv_pipe.h"
 #include "uv_thread_loop.h"
+#include <inttypes.h>
+#include <stdlib.h>
+#include <string.h>
+#include <syslog.h>
 
 typedef struct {
     struct list_node node;