Could you please it also?

please check it also

please check it also

Hello @namanjain7 @ewoodev

During internal testing, we found that the Bluetooth app directly uses kernel-space memory. The call path is as follows:

When the BLE server disconnects, ble_server_connected_cb is invoked; with the current Bluetooth architecture, this callback is called directly from the kernel layer.

static ble_server_init_config server_config = {
ble_server_connected_cb,
ble_server_disconnected_cb,
ble_server_mtu_update_cb,
ble_server_passkey_display_cb,
ble_server_pair_bond_cb,
true,
gatt_profile, sizeof(gatt_profile) / sizeof(ble_server_gatt_t)
};

The callback invokes the ble_server_set_adv_data interface. Inside that interface, a local variable is defined: blemgr_msg_s msg = {BLE_CMD_SET_ADV_DATA, BLE_MANAGER_FAIL, (void *)(data), NULL};. That local variable lives in kernel space, yet it is consumed in the BLE message handler task (which belongs to app space). The usage site is:

ble_result_e blemgr_handle_request(blemgr_msg_s *msg) {
trble_result_e ret = TRBLE_FAIL;
blemgr_msg_params queue_msg = {
.evt = msg->event,
.count = 3
};

So we configured the system to allow the app to access kernel space.

Currently, the structure is not such that BLE requests are directly passed from within the callback called from the Kernel thread.
In the file named ble_response_handler.c, server and client callbacks are wrapped once, so the callback of the application layer is designed to be called by the user thread. (ecode only)
The structure is as follows:
Kernel thread calls response handler callback -> mq enqueue -> user thread mq dequeue -> calls application layer callback
Given this structure, it seems there would be no issues if kernel access is blocked on the user side.

Hello @giwon-nam The issue we tested is based on the code on GitHub, and tests related to ble_rmc will have this problem. Can you help me double-check it?

It seems that the issue occurred in the part where the connected callback is called during disconnection on the TP1x Plus.
I will contact Beken and request that during disconnection, only the disconnected callback should be called, and not the connected callback.

Hi @giwon-nam ,
In the ble_perfs and ble_tester examples, the attribute write callback ble_peri_cb_charact_rmc_sync invokes ble_server_attr_get_data. So this appears to cause the same server disconnection issue, What is the recommended way to avoid this?

This state is not safetly..

we didn't receive any report issue about it.
you have to open issue this.

we will apply this PR. Please reslove the ble issue ASAP.

Hello, @lingzhou2018
For now, the ble_server_attr_get_data function you mentioned appears to be functioning without issues.
Currently, on the ecode side, ble_server_attr_get_data is called within the attribute callback invoked by the kernel thread to check what data was written.
It has been confirmed that there are no issues on the ecode side after reflecting the content of the current PR.
If the schedule is urgent, it would be better to merge this PR first and then further analyze why crashes occur in ble_perfs and ble_tester.

Should this bss and data be protected about EXEC?

No, it should be MPU_EXEC_NEVER.
we will change and verify it

heap also..

mpu_cfg.xn = MPU_EXEC_NEVER; ok