    esp32: Fix heap corruption triggered by bluetooth.active(0). · 1754c587
    Angus Gratton authored
    It seems like at some point Espressif NimBLE team changed
    nimble_port_init and nimble_port_deinit to manage HCI init
    internally:
    https://github.com/espressif/esp-nimble/commit/f8a79b04c9743543b8959727d7
    
    This change is included in all the IDF versions that MicroPython supports.
    
    As a result, existing code that called esp_nimble_hci_deinit() explicitly
    would trigger a use-after-free bug and heap corruption (specifically, this
    calls through to ble_transport_deinit(), which calls os_mempool_free(). The
    second time, this writes out to a bunch of memory pools where the backing
    buffers have already been freed.)
    
    Symptoms were intermittent random crashes after de-activating Bluetooth
    (running multi_bluetooth/ble_gatt_data_transfer.py could sometimes
    reproduce). Setting Heap Poisoning to Comprehensive in menuconfig caused
    the bug to be detected every time.
    
    This work was funded through GitHub Sponsors.
    Signed-off-by: Angus Gratton <angus@redyak.com.au>
mpnimbleport.c 2.87 KB
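The following is an added example, not code from MicroPython or esp-nimble, that models the failure the commit message describes: a fixed-block pool whose free list is threaded through its own blocks (so returning a block writes into the backing buffer), a port layer that now tears the transport down itself, and a simulated heap with comprehensive poisoning that flags the write into freed memory and the second free, the way the menuconfig option mentioned above did on the real board. It also shows both ways out: drop the explicit application-side deinit (the change made in this commit), or make the deinit idempotent. Every name (sim_free, heap_check, mempool_*, transport_*, port_deinit, run_scenario) is a hypothetical stand-in and nothing here is NimBLE's real API or data layout.

```c
/* Added example, not MicroPython or esp-nimble code; every name is a hypothetical stand-in. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POISON_BYTE 0xFE
#define NBLOCKS 4
#define BLKSZ 32

/* Simulated heap with comprehensive poisoning: freed buffers are parked in a
 * quarantine and filled with POISON_BYTE, so a later write into them is caught
 * by heap_check() instead of surfacing as an intermittent crash later on. */
struct qentry { uint8_t *buf; size_t len; };
static struct qentry quarantine[8];
static size_t nquarantined;
static int double_frees;

static void sim_free(void *buf, size_t len) {
    for (size_t i = 0; i < nquarantined; i++)
        if (quarantine[i].buf == buf) { double_frees++; return; }  /* second free of same buffer */
    memset(buf, POISON_BYTE, len);
    quarantine[nquarantined++] = (struct qentry){ buf, len };
}
/* Number of freed buffers whose poison pattern has been overwritten. */
static int heap_check(void) {
    int damaged = 0;
    for (size_t i = 0; i < nquarantined; i++)
        for (size_t j = 0; j < quarantine[i].len; j++)
            if (quarantine[i].buf[j] != POISON_BYTE) { damaged++; break; }
    return damaged;
}
static void sim_heap_reset(void) {
    for (size_t i = 0; i < nquarantined; i++) free(quarantine[i].buf);
    nquarantined = 0;
    double_frees = 0;
}

/* Fixed-block pool in the style of os_mempool: the free list is threaded through
 * the blocks, so returning a block writes into the backing buffer. Once the
 * backing has been freed, that write is the use-after-free. */
struct mempool { uint8_t *backing; void *free_head; };

static void mempool_init(struct mempool *mp) {
    mp->backing = malloc(NBLOCKS * BLKSZ);
    mp->free_head = NULL;
    for (size_t i = 0; i < NBLOCKS; i++) {
        void *blk = mp->backing + i * BLKSZ;
        *(void **)blk = mp->free_head;
        mp->free_head = blk;
    }
}
static void mempool_put(struct mempool *mp, void *blk) {
    *(void **)blk = mp->free_head;   /* the write that lands in freed memory */
    mp->free_head = blk;
}

/* HCI transport stand-in: one pool plus one block held while it is up. */
struct transport { struct mempool pool; void *held; bool up; };

static void transport_init(struct transport *t) {
    mempool_init(&t->pool);
    t->held = t->pool.free_head;              /* take one block from the pool */
    t->pool.free_head = *(void **)t->held;
    t->up = true;
}
/* Teardown. Unguarded, a second call returns the block into an already released
 * backing buffer and then frees that buffer again; guarded, it is a no-op. */
static void transport_deinit(struct transport *t, bool guarded) {
    if (guarded && !t->up) return;
    mempool_put(&t->pool, t->held);
    sim_free(t->pool.backing, NBLOCKS * BLKSZ);
    t->up = false;
}
/* Port layer that, like the linked esp-nimble change, tears down the transport itself. */
static void port_deinit(struct transport *t, bool guarded) {
    transport_deinit(t, guarded);
}

struct faults { int uaf_writes; int double_frees; };

/* One deactivate sequence; reports what the poisoning heap detected. */
static struct faults run_scenario(bool app_calls_transport_deinit, bool guarded) {
    struct transport t;
    struct faults f;
    sim_heap_reset();
    transport_init(&t);
    if (app_calls_transport_deinit) transport_deinit(&t, guarded);  /* the old explicit call */
    port_deinit(&t, guarded);                                       /* the port now does it too */
    f.uaf_writes = heap_check();
    f.double_frees = double_frees;
    return f;
}

int main(void) {
    struct faults bug = run_scenario(true, false);   /* old caller on new port */
    struct faults fix = run_scenario(false, false);  /* explicit call removed */
    struct faults alt = run_scenario(true, true);    /* or: idempotent deinit */
    printf("bug: %d/%d  fix: %d/%d  guarded: %d/%d  (UAF writes/double frees)\n",
           bug.uaf_writes, bug.double_frees, fix.uaf_writes, fix.double_frees,
           alt.uaf_writes, alt.double_frees);
    return 0;
}
```

The poisoning heap is what turns an intermittent crash into a deterministic report: without it the stray free-list write and the second free land in whatever the allocator has reused the buffer for, which is why the symptom only showed up sometimes under multi_bluetooth/ble_gatt_data_transfer.py. Removing the caller-side deinit is the minimal fix once the port owns the transport lifecycle; an idempotency flag in the deinit path is the belt-and-braces defence against the next caller that gets the ownership wrong.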