Eliminate memory leaks and unsafe callbacks in BTA and BTE.

Alarms were being added to a hash map but were not freed during
teardown. This results in both memory leaks and potential access
of torn-down data (in case the still-armed alarm fires after
teardown completes).

diff --git a/bta/sys/bta_sys_main.c b/bta/sys/bta_sys_main.c
index 66ecf17..c5eeae1 100644 (file)
--- a/bta/sys/bta_sys_main.c
+++ b/bta/sys/bta_sys_main.c
@@ -177,7 +177,7 @@ BTA_API void bta_sys_init(void)
     pthread_mutex_init(&bta_alarm_lock, NULL);
 
     bta_alarm_hash_map = hash_map_new(BTA_ALARM_HASH_MAP_SIZE,
-            hash_function_pointer, NULL,NULL);
+            hash_function_pointer, NULL, (data_free_fn)alarm_free);
     btu_bta_alarm_queue = fixed_queue_new(SIZE_MAX);
 
     bta_sys_cb.task_id = GKI_get_taskid();

diff --git a/main/bte_main.c b/main/bte_main.c
index 5466c44..de53464 100755 (executable)
--- a/main/bte_main.c
+++ b/main/bte_main.c
@@ -215,17 +215,17 @@ void bte_main_enable()
     btu_hci_msg_queue = fixed_queue_new(SIZE_MAX);
 
     btu_general_alarm_hash_map = hash_map_new(BTU_GENERAL_ALARM_HASH_MAP_SIZE,
-            hash_function_pointer, NULL,NULL);
+            hash_function_pointer, NULL, (data_free_fn)alarm_free);
     pthread_mutex_init(&btu_general_alarm_lock, NULL);
     btu_general_alarm_queue = fixed_queue_new(SIZE_MAX);
 
     btu_oneshot_alarm_hash_map = hash_map_new(BTU_ONESHOT_ALARM_HASH_MAP_SIZE,
-            hash_function_pointer, NULL,NULL);
+            hash_function_pointer, NULL, (data_free_fn)alarm_free);
     pthread_mutex_init(&btu_oneshot_alarm_lock, NULL);
     btu_oneshot_alarm_queue = fixed_queue_new(SIZE_MAX);
 
     btu_l2cap_alarm_hash_map = hash_map_new(BTU_L2CAP_ALARM_HASH_MAP_SIZE,
-            hash_function_pointer, NULL,NULL);
+            hash_function_pointer, NULL, (data_free_fn)alarm_free);
     pthread_mutex_init(&btu_l2cap_alarm_lock, NULL);
     btu_l2cap_alarm_queue = fixed_queue_new(SIZE_MAX);