ble_mesh: fix client model invalid address access

diff --git a/components/bt/esp_ble_mesh/btc/btc_ble_mesh_prov.c b/components/bt/esp_ble_mesh/btc/btc_ble_mesh_prov.c
index c0a155bed0db7d7615cdddf03e7e704cd63a5387..12080d51b92e335dfd66307fee568e47c01844e4 100644 (file)
--- a/components/bt/esp_ble_mesh/btc/btc_ble_mesh_prov.c
+++ b/components/bt/esp_ble_mesh/btc/btc_ble_mesh_prov.c
@@ -297,8 +297,6 @@ static void btc_ble_mesh_client_model_op_cb(struct bt_mesh_model *model,
         struct net_buf_simple *buf)
 {
     esp_ble_mesh_model_cb_param_t mesh_param = {0};
-    bt_mesh_client_user_data_t *client_param = NULL;
-    bt_mesh_client_internal_data_t *data = NULL;
     bt_mesh_client_node_t *node = NULL;
     btc_msg_t msg = {0};
     bt_status_t ret;
@@ -308,15 +306,11 @@ static void btc_ble_mesh_client_model_op_cb(struct bt_mesh_model *model,
         return;
     }
 
-    client_param = (bt_mesh_client_user_data_t *)model->user_data;
-    data = (bt_mesh_client_internal_data_t *)client_param->internal_data;
-    if (!data) {
-        LOG_ERROR("%s, Client internal_data is NULL", __func__);
-        return;
-    }
-
     bt_mesh_client_model_lock();
 
+    msg.sig = BTC_SIG_API_CB;
+    msg.pid = BTC_PID_MODEL;
+
     node = bt_mesh_is_client_recv_publish_msg(model, ctx, buf, false);
     if (node == NULL) {
         msg.act = ESP_BLE_MESH_CLIENT_MODEL_RECV_PUBLISH_MSG_EVT;
@@ -325,6 +319,8 @@ static void btc_ble_mesh_client_model_op_cb(struct bt_mesh_model *model,
         mesh_param.client_recv_publish_msg.ctx = (esp_ble_mesh_msg_ctx_t *)ctx;
         mesh_param.client_recv_publish_msg.length = buf->len;
         mesh_param.client_recv_publish_msg.msg = buf->data;
+        ret = btc_transfer_context(&msg, &mesh_param,
+                sizeof(esp_ble_mesh_model_cb_param_t), btc_ble_mesh_model_copy_req_data);
     } else {
         msg.act = ESP_BLE_MESH_MODEL_OPERATION_EVT;
         mesh_param.model_operation.opcode = ctx->recv_op;
@@ -332,19 +328,11 @@ static void btc_ble_mesh_client_model_op_cb(struct bt_mesh_model *model,
         mesh_param.model_operation.ctx = (esp_ble_mesh_msg_ctx_t *)ctx;
         mesh_param.model_operation.length = buf->len;
         mesh_param.model_operation.msg = buf->data;
-    }
-
-    msg.sig = BTC_SIG_API_CB;
-    msg.pid = BTC_PID_MODEL;
-    if (msg.act == ESP_BLE_MESH_CLIENT_MODEL_RECV_PUBLISH_MSG_EVT) {
-        ret = btc_transfer_context(&msg, &mesh_param,
-                sizeof(esp_ble_mesh_model_cb_param_t), btc_ble_mesh_model_copy_req_data);
-    } else {
         if (!k_delayed_work_free(&node->timer)) {
             ret = btc_transfer_context(&msg, &mesh_param,
                     sizeof(esp_ble_mesh_model_cb_param_t), btc_ble_mesh_model_copy_req_data);
             // Don't forget to release the node at the end.
-            bt_mesh_client_free_node(&data->queue, node);
+            bt_mesh_client_free_node(node);
         } else {
             ret = BT_STATUS_SUCCESS;
         }
@@ -603,44 +591,35 @@ static void btc_ble_mesh_prov_register_complete_cb(int err_code)
 static void btc_ble_mesh_client_model_timeout_cb(struct k_work *work)
 {
     esp_ble_mesh_model_cb_param_t mesh_param = {0};
-    bt_mesh_client_user_data_t *client_param = NULL;
-    bt_mesh_client_internal_data_t *data = NULL;
+    struct k_delayed_work *timer = NULL;
     bt_mesh_client_node_t *node = NULL;
     btc_msg_t msg = {0};
     bt_status_t ret;
 
-    node = CONTAINER_OF(work, bt_mesh_client_node_t, timer.work);
-    if (!node || !node->ctx.model || !node->ctx.model->user_data) {
-        LOG_ERROR("%s, Invalid parameter", __func__);
-        return;
-    }
+    bt_mesh_client_model_lock();
 
-    client_param = (bt_mesh_client_user_data_t *)node->ctx.model->user_data;
-    data = (bt_mesh_client_internal_data_t *)client_param->internal_data;
-    if (!data) {
-        LOG_ERROR("%s, Client internal_data is NULL", __func__);
-        return;
-    }
+    timer = CONTAINER_OF(work, struct k_delayed_work, work);
 
-    bt_mesh_client_model_lock();
+    if (timer && !k_delayed_work_free(timer)) {
+        node = CONTAINER_OF(work, bt_mesh_client_node_t, timer.work);
+        if (node) {
+            mesh_param.client_send_timeout.opcode = node->opcode;
+            mesh_param.client_send_timeout.model = (esp_ble_mesh_model_t *)node->ctx.model;
+            mesh_param.client_send_timeout.ctx = (esp_ble_mesh_msg_ctx_t *)&node->ctx;
 
-    if (!k_delayed_work_free(&node->timer)) {
-        mesh_param.client_send_timeout.opcode = node->opcode;
-        mesh_param.client_send_timeout.model = (esp_ble_mesh_model_t *)node->ctx.model;
-        mesh_param.client_send_timeout.ctx = (esp_ble_mesh_msg_ctx_t *)&node->ctx;
+            msg.sig = BTC_SIG_API_CB;
+            msg.pid = BTC_PID_MODEL;
+            msg.act = ESP_BLE_MESH_CLIENT_MODEL_SEND_TIMEOUT_EVT;
 
-        msg.sig = BTC_SIG_API_CB;
-        msg.pid = BTC_PID_MODEL;
-        msg.act = ESP_BLE_MESH_CLIENT_MODEL_SEND_TIMEOUT_EVT;
+            ret = btc_transfer_context(&msg, &mesh_param,
+                    sizeof(esp_ble_mesh_model_cb_param_t), btc_ble_mesh_model_copy_req_data);
+            if (ret != BT_STATUS_SUCCESS) {
+                LOG_ERROR("%s btc_transfer_context failed", __func__);
+            }
 
-        ret = btc_transfer_context(&msg, &mesh_param,
-                sizeof(esp_ble_mesh_model_cb_param_t), btc_ble_mesh_model_copy_req_data);
-        if (ret != BT_STATUS_SUCCESS) {
-            LOG_ERROR("%s btc_transfer_context failed", __func__);
+            // Don't forget to release the node at the end.
+            bt_mesh_client_free_node(node);
         }
-
-        // Don't forget to release the node at the end.
-        bt_mesh_client_free_node(&data->queue, node);
     }
 
     bt_mesh_client_model_unlock();

diff --git a/components/bt/esp_ble_mesh/mesh_core/cfg_cli.c b/components/bt/esp_ble_mesh/mesh_core/cfg_cli.c
index 2eb843e35cafcf8c985d0b2a124a93c24357cafc..c975b56002e125fd828ca06cdf234a8ae9322c90 100644 (file)
--- a/components/bt/esp_ble_mesh/mesh_core/cfg_cli.c
+++ b/components/bt/esp_ble_mesh/mesh_core/cfg_cli.c
@@ -107,37 +107,23 @@ static void bt_mesh_cfg_client_unlock(void)
 
 static void timeout_handler(struct k_work *work)
 {
-    config_internal_data_t *internal = NULL;
-    bt_mesh_config_client_t *client = NULL;
+    struct k_delayed_work *timer = NULL;
     bt_mesh_client_node_t *node = NULL;
 
     BT_WARN("Receive configuration status message timeout");
 
-    node = CONTAINER_OF(work, bt_mesh_client_node_t, timer.work);
-    if (!node || !node->ctx.model) {
-        BT_ERR("%s, Invalid parameter", __func__);
-        return;
-    }
-
-    client = (bt_mesh_config_client_t *)node->ctx.model->user_data;
-    if (!client) {
-        BT_ERR("%s, Config Client user_data is NULL", __func__);
-        return;
-    }
-
-    internal = (config_internal_data_t *)client->internal_data;
-    if (!internal) {
-        BT_ERR("%s, Config Client internal_data is NULL", __func__);
-        return;
-    }
-
     bt_mesh_cfg_client_lock();
 
-    if (!k_delayed_work_free(&node->timer)) {
-        bt_mesh_config_client_cb_evt_to_btc(node->opcode,
-            BTC_BLE_MESH_EVT_CONFIG_CLIENT_TIMEOUT, node->ctx.model, &node->ctx, NULL, 0);
-        // Don't forget to release the node at the end.
-        bt_mesh_client_free_node(&internal->queue, node);
+    timer = CONTAINER_OF(work, struct k_delayed_work, work);
+
+    if (timer && !k_delayed_work_free(timer)) {
+        node = CONTAINER_OF(work, bt_mesh_client_node_t, timer.work);
+        if (node) {
+            bt_mesh_config_client_cb_evt_to_btc(node->opcode,
+                BTC_BLE_MESH_EVT_CONFIG_CLIENT_TIMEOUT, node->ctx.model, &node->ctx, NULL, 0);
+            // Don't forget to release the node at the end.
+            bt_mesh_client_free_node(node);
+        }
     }
 
     bt_mesh_cfg_client_unlock();
@@ -149,7 +135,6 @@ static void cfg_client_cancel(struct bt_mesh_model *model,
                               struct bt_mesh_msg_ctx *ctx,
                               void *status, size_t len)
 {
-    config_internal_data_t *data = NULL;
     bt_mesh_client_node_t *node = NULL;
     struct net_buf_simple buf = {0};
     u8_t evt_type = 0xFF;
@@ -159,12 +144,6 @@ static void cfg_client_cancel(struct bt_mesh_model *model,
         return;
     }
 
-    data = (config_internal_data_t *)cli->internal_data;
-    if (!data) {
-        BT_ERR("%s, Config Client internal_data is NULL", __func__);
-        return;
-    }
-
     /* If it is a publish message, sent to the user directly. */
     buf.data = (u8_t *)status;
     buf.len  = (u16_t)len;
@@ -235,7 +214,7 @@ static void cfg_client_cancel(struct bt_mesh_model *model,
             bt_mesh_config_client_cb_evt_to_btc(
                 node->opcode, evt_type, model, ctx, (const u8_t *)status, len);
             // Don't forget to release the node at the end.
-            bt_mesh_client_free_node(&data->queue, node);
+            bt_mesh_client_free_node(node);
         }
     }
 

diff --git a/components/bt/esp_ble_mesh/mesh_core/health_cli.c b/components/bt/esp_ble_mesh/mesh_core/health_cli.c
index e652bdda5ef45f3685f4273442570bb53f8367a9..363e95c55c84179632e1d7eb21e9bc3f8e9aed4e 100644 (file)
--- a/components/bt/esp_ble_mesh/mesh_core/health_cli.c
+++ b/components/bt/esp_ble_mesh/mesh_core/health_cli.c
@@ -63,37 +63,23 @@ static void bt_mesh_health_client_unlock(void)
 
 static void timeout_handler(struct k_work *work)
 {
-    health_internal_data_t *internal = NULL;
-    bt_mesh_health_client_t *client = NULL;
+    struct k_delayed_work *timer = NULL;
     bt_mesh_client_node_t *node = NULL;
 
     BT_WARN("Receive health status message timeout");
 
-    node = CONTAINER_OF(work, bt_mesh_client_node_t, timer.work);
-    if (!node || !node->ctx.model) {
-        BT_ERR("%s, Invalid parameter", __func__);
-        return;
-    }
-
-    client = (bt_mesh_health_client_t *)node->ctx.model->user_data;
-    if (!client) {
-        BT_ERR("%s, Health Client user_data is NULL", __func__);
-        return;
-    }
-
-    internal = (health_internal_data_t *)client->internal_data;
-    if (!internal) {
-        BT_ERR("%s, Health Client internal_data is NULL", __func__);
-        return;
-    }
-
     bt_mesh_health_client_lock();
 
-    if (!k_delayed_work_free(&node->timer)) {
-        bt_mesh_health_client_cb_evt_to_btc(node->opcode,
-            BTC_BLE_MESH_EVT_HEALTH_CLIENT_TIMEOUT, node->ctx.model, &node->ctx, NULL, 0);
-        // Don't forget to release the node at the end.
-        bt_mesh_client_free_node(&internal->queue, node);
+    timer = CONTAINER_OF(work, struct k_delayed_work, work);
+
+    if (timer && !k_delayed_work_free(timer)) {
+        node = CONTAINER_OF(work, bt_mesh_client_node_t, timer.work);
+        if (node) {
+            bt_mesh_health_client_cb_evt_to_btc(node->opcode,
+                BTC_BLE_MESH_EVT_HEALTH_CLIENT_TIMEOUT, node->ctx.model, &node->ctx, NULL, 0);
+            // Don't forget to release the node at the end.
+            bt_mesh_client_free_node(node);
+        }
     }
 
     bt_mesh_health_client_unlock();
@@ -105,7 +91,6 @@ static void health_client_cancel(struct bt_mesh_model *model,
                                  struct bt_mesh_msg_ctx *ctx,
                                  void *status, size_t len)
 {
-    health_internal_data_t *data = NULL;
     bt_mesh_client_node_t *node = NULL;
     struct net_buf_simple buf = {0};
     u8_t evt_type = 0xFF;
@@ -115,12 +100,6 @@ static void health_client_cancel(struct bt_mesh_model *model,
         return;
     }
 
-    data = (health_internal_data_t *)health_cli->internal_data;
-    if (!data) {
-        BT_ERR("%s, Health Client internal_data is NULL", __func__);
-        return;
-    }
-
     /* If it is a publish message, sent to the user directly. */
     buf.data = (u8_t *)status;
     buf.len  = (u16_t)len;
@@ -151,7 +130,7 @@ static void health_client_cancel(struct bt_mesh_model *model,
             bt_mesh_health_client_cb_evt_to_btc(
                 node->opcode, evt_type, model, ctx, (const u8_t *)status, len);
             // Don't forget to release the node at the end.
-            bt_mesh_client_free_node(&data->queue, node);
+            bt_mesh_client_free_node(node);
         }
     }
 

diff --git a/components/bt/esp_ble_mesh/mesh_core/mesh_kernel.c b/components/bt/esp_ble_mesh/mesh_core/mesh_kernel.c
index 7ff4f75b8ac78d40e15548d4e6167687c82566ed..c169aa387dd990cdd66d6392520c7c8b9c17eb0b 100644 (file)
--- a/components/bt/esp_ble_mesh/mesh_core/mesh_kernel.c
+++ b/components/bt/esp_ble_mesh/mesh_core/mesh_kernel.c
@@ -103,7 +103,7 @@ void k_delayed_work_init(struct k_delayed_work *work, k_work_handler_t handler)
 
     osi_mutex_lock(&bm_alarm_lock, OSI_MUTEX_MAX_TIMEOUT);
     if (!hash_map_has_key(bm_alarm_hash_map, (void *)work)) {
-        alarm = osi_alarm_new("bt_mesh", (osi_alarm_callback_t)handler, (void *)work, 0);
+        alarm = osi_alarm_new("bt_mesh", (osi_alarm_callback_t)handler, (void *)&work->work, 0);
         if (alarm == NULL) {
             BT_ERR("%s, Unable to create alarm", __func__);
             return;

diff --git a/components/bt/esp_ble_mesh/mesh_models/client/client_common.c b/components/bt/esp_ble_mesh/mesh_models/client/client_common.c
index 037dd98d07dccde39d74774e6013214bb4319a58..7c2ac19b3dd7d233eeae054ae1d6f7b061f115b5 100644 (file)
--- a/components/bt/esp_ble_mesh/mesh_models/client/client_common.c
+++ b/components/bt/esp_ble_mesh/mesh_models/client/client_common.c
@@ -284,15 +284,30 @@ int bt_mesh_client_init(struct bt_mesh_model *model)
     return 0;
 }
 
-int bt_mesh_client_free_node(sys_slist_t *queue, bt_mesh_client_node_t *node)
+int bt_mesh_client_free_node(bt_mesh_client_node_t *node)
 {
-    if (!queue || !node) {
-        BT_ERR("%s, Invalid parameter", __func__);
+    bt_mesh_client_internal_data_t *internal = NULL;
+    bt_mesh_client_user_data_t *client = NULL;
+
+    if (!node || !node->ctx.model) {
+        BT_ERR("%s, Client model list item is NULL", __func__);
+        return -EINVAL;
+    }
+
+    client = (bt_mesh_client_user_data_t *)node->ctx.model->user_data;
+    if (!client) {
+        BT_ERR("%s, Client model user data is NULL", __func__);
+        return -EINVAL;
+    }
+
+    internal = (bt_mesh_client_internal_data_t *)client->internal_data;
+    if (!internal) {
+        BT_ERR("%s, Client model internal data is NULL", __func__);
         return -EINVAL;
     }
 
     // Release the client node from the queue
-    sys_slist_find_and_remove(queue, &node->client_node);
+    sys_slist_find_and_remove(&internal->queue, &node->client_node);
     // Free the node
     osi_free(node);
 

diff --git a/components/bt/esp_ble_mesh/mesh_models/client/generic_client.c b/components/bt/esp_ble_mesh/mesh_models/client/generic_client.c
index 617083cbd204e3e2e53745f2aeb7481ce19c4bd2..fd8986797a70ddb03ae7cbe2cc971f6f944809ad 100644 (file)
--- a/components/bt/esp_ble_mesh/mesh_models/client/generic_client.c
+++ b/components/bt/esp_ble_mesh/mesh_models/client/generic_client.c
@@ -144,37 +144,23 @@ static void bt_mesh_generic_client_unlock(void)
 
 static void timeout_handler(struct k_work *work)
 {
-    generic_internal_data_t *internal = NULL;
-    bt_mesh_generic_client_t *client = NULL;
+    struct k_delayed_work *timer = NULL;
     bt_mesh_client_node_t *node = NULL;
 
     BT_WARN("Receive generic status message timeout");
 
-    node = CONTAINER_OF(work, bt_mesh_client_node_t, timer.work);
-    if (!node || !node->ctx.model) {
-        BT_ERR("%s, Invalid parameter", __func__);
-        return;
-    }
-
-    client = (bt_mesh_generic_client_t *)node->ctx.model->user_data;
-    if (!client) {
-        BT_ERR("%s, Generic Client user_data is NULL", __func__);
-        return;
-    }
-
-    internal = (generic_internal_data_t *)client->internal_data;
-    if (!internal) {
-        BT_ERR("%s, Generic Client internal_data is NULL", __func__);
-        return;
-    }
-
     bt_mesh_generic_client_lock();
 
-    if (!k_delayed_work_free(&node->timer)) {
-        bt_mesh_generic_client_cb_evt_to_btc(node->opcode,
-            BTC_BLE_MESH_EVT_GENERIC_CLIENT_TIMEOUT, node->ctx.model, &node->ctx, NULL, 0);
-        // Don't forget to release the node at the end.
-        bt_mesh_client_free_node(&internal->queue, node);
+    timer = CONTAINER_OF(work, struct k_delayed_work, work);
+
+    if (timer && !k_delayed_work_free(timer)) {
+        node = CONTAINER_OF(work, bt_mesh_client_node_t, timer.work);
+        if (node) {
+            bt_mesh_generic_client_cb_evt_to_btc(node->opcode,
+                BTC_BLE_MESH_EVT_GENERIC_CLIENT_TIMEOUT, node->ctx.model, &node->ctx, NULL, 0);
+            // Don't forget to release the node at the end.
+            bt_mesh_client_free_node(node);
+        }
     }
 
     bt_mesh_generic_client_unlock();
@@ -186,31 +172,14 @@ static void generic_status(struct bt_mesh_model *model,
                            struct bt_mesh_msg_ctx *ctx,
                            struct net_buf_simple *buf)
 {
-    generic_internal_data_t *internal = NULL;
-    bt_mesh_generic_client_t *client = NULL;
     bt_mesh_client_node_t *node = NULL;
-    u8_t  *val = NULL;
-    u8_t   evt = 0xFF;
-    u32_t  rsp = 0;
+    u8_t *val = NULL;
+    u8_t evt = 0xFF;
     size_t len = 0;
 
     BT_DBG("%s, len %d, bytes %s", __func__, buf->len, bt_hex(buf->data, buf->len));
 
-    client = (bt_mesh_generic_client_t *)model->user_data;
-    if (!client) {
-        BT_ERR("%s, Generic Client user_data is NULL", __func__);
-        return;
-    }
-
-    internal = (generic_internal_data_t *)client->internal_data;
-    if (!internal) {
-        BT_ERR("%s, Generic Client internal_data is NULL", __func__);
-        return;
-    }
-
-    rsp = ctx->recv_op;
-
-    switch (rsp) {
+    switch (ctx->recv_op) {
     case BLE_MESH_MODEL_OP_GEN_ONOFF_STATUS: {
         struct bt_mesh_gen_onoff_status *status = NULL;
         if (buf->len != 1 && buf->len != 3) {
@@ -569,7 +538,7 @@ static void generic_status(struct bt_mesh_model *model,
 
     node = bt_mesh_is_client_recv_publish_msg(model, ctx, buf, true);
     if (!node) {
-        BT_DBG("Unexpected generic status message 0x%x", rsp);
+        BT_DBG("Unexpected generic status message 0x%x", ctx->recv_op);
     } else {
         switch (node->opcode) {
         case BLE_MESH_MODEL_OP_GEN_ONOFF_GET:
@@ -615,13 +584,13 @@ static void generic_status(struct bt_mesh_model *model,
         if (!k_delayed_work_free(&node->timer)) {
             bt_mesh_generic_client_cb_evt_to_btc(node->opcode, evt, model, ctx, val, len);
             // Don't forget to release the node at the end.
-            bt_mesh_client_free_node(&internal->queue, node);
+            bt_mesh_client_free_node(node);
         }
     }
 
     bt_mesh_generic_client_unlock();
 
-    switch (rsp) {
+    switch (ctx->recv_op) {
     case BLE_MESH_MODEL_OP_GEN_USER_PROPERTIES_STATUS: {
         struct bt_mesh_gen_user_properties_status *status;
         status = (struct bt_mesh_gen_user_properties_status *)val;

diff --git a/components/bt/esp_ble_mesh/mesh_models/client/include/client_common.h b/components/bt/esp_ble_mesh/mesh_models/client/include/client_common.h
index d2b05e0c1ec2cc1dfc668e28fb4bc8e7cae6a84d..4cf2e890b6bc1f10d8190eec1a10f656494861aa 100644 (file)
--- a/components/bt/esp_ble_mesh/mesh_models/client/include/client_common.h
+++ b/components/bt/esp_ble_mesh/mesh_models/client/include/client_common.h
@@ -112,7 +112,7 @@ int bt_mesh_client_send_msg(struct bt_mesh_model *model,
                             s32_t timeout, bool need_ack,
                             const struct bt_mesh_send_cb *cb, void *cb_data);
 
-int bt_mesh_client_free_node(sys_slist_t *queue, bt_mesh_client_node_t *node);
+int bt_mesh_client_free_node(bt_mesh_client_node_t *node);
 
 enum {
     NODE = 0,

diff --git a/components/bt/esp_ble_mesh/mesh_models/client/lighting_client.c b/components/bt/esp_ble_mesh/mesh_models/client/lighting_client.c
index c52f35e00e76d9631cc18f3b6e5567d350de79f6..a73f91a36ec665fc902e9fc7b72fca17f54dfab8 100644 (file)
--- a/components/bt/esp_ble_mesh/mesh_models/client/lighting_client.c
+++ b/components/bt/esp_ble_mesh/mesh_models/client/lighting_client.c
@@ -153,37 +153,23 @@ static void bt_mesh_light_client_unlock(void)
 
 static void timeout_handler(struct k_work *work)
 {
-    light_internal_data_t *internal = NULL;
-    bt_mesh_light_client_t *client = NULL;
+    struct k_delayed_work *timer = NULL;
     bt_mesh_client_node_t *node = NULL;
 
     BT_WARN("Receive light status message timeout");
 
-    node = CONTAINER_OF(work, bt_mesh_client_node_t, timer.work);
-    if (!node || !node->ctx.model) {
-        BT_ERR("%s, Invalid parameter", __func__);
-        return;
-    }
-
-    client = (bt_mesh_light_client_t *)node->ctx.model->user_data;
-    if (!client) {
-        BT_ERR("%s, Lighting Client user_data is NULL", __func__);
-        return;
-    }
-
-    internal = (light_internal_data_t *)client->internal_data;
-    if (!internal) {
-        BT_ERR("%s, Lighting Client internal_data is NULL", __func__);
-        return;
-    }
-
     bt_mesh_light_client_lock();
 
-    if (!k_delayed_work_free(&node->timer)) {
-        bt_mesh_lighting_client_cb_evt_to_btc(node->opcode,
-            BTC_BLE_MESH_EVT_LIGHTING_CLIENT_TIMEOUT, node->ctx.model, &node->ctx, NULL, 0);
-        // Don't forget to release the node at the end.
-        bt_mesh_client_free_node(&internal->queue, node);
+    timer = CONTAINER_OF(work, struct k_delayed_work, work);
+
+    if (timer && !k_delayed_work_free(timer)) {
+        node = CONTAINER_OF(work, bt_mesh_client_node_t, timer.work);
+        if (node) {
+            bt_mesh_lighting_client_cb_evt_to_btc(node->opcode,
+                BTC_BLE_MESH_EVT_LIGHTING_CLIENT_TIMEOUT, node->ctx.model, &node->ctx, NULL, 0);
+            // Don't forget to release the node at the end.
+            bt_mesh_client_free_node(node);
+        }
     }
 
     bt_mesh_light_client_unlock();
@@ -195,31 +181,14 @@ static void light_status(struct bt_mesh_model *model,
                          struct bt_mesh_msg_ctx *ctx,
                          struct net_buf_simple *buf)
 {
-    light_internal_data_t *internal = NULL;
-    bt_mesh_light_client_t *client = NULL;
     bt_mesh_client_node_t *node = NULL;
-    u8_t  *val = NULL;
-    u8_t   evt = 0xFF;
-    u32_t  rsp = 0;
+    u8_t *val = NULL;
+    u8_t evt = 0xFF;
     size_t len = 0;
 
     BT_DBG("%s, len %d, bytes %s", __func__, buf->len, bt_hex(buf->data, buf->len));
 
-    client = (bt_mesh_light_client_t *)model->user_data;
-    if (!client) {
-        BT_ERR("%s, Lighting Client user_data is NULL", __func__);
-        return;
-    }
-
-    internal = (light_internal_data_t *)client->internal_data;
-    if (!internal) {
-        BT_ERR("%s, Lighting Client internal_data is NULL", __func__);
-        return;
-    }
-
-    rsp = ctx->recv_op;
-
-    switch (rsp) {
+    switch (ctx->recv_op) {
     case BLE_MESH_MODEL_OP_LIGHT_LIGHTNESS_STATUS: {
         struct bt_mesh_light_lightness_status *status = NULL;
         if (buf->len != 2 && buf->len != 5) {
@@ -684,7 +653,7 @@ static void light_status(struct bt_mesh_model *model,
 
     node = bt_mesh_is_client_recv_publish_msg(model, ctx, buf, true);
     if (!node) {
-        BT_DBG("Unexpected light status message 0x%x", rsp);
+        BT_DBG("Unexpected light status message 0x%x", ctx->recv_op);
     } else {
         switch (node->opcode) {
         case BLE_MESH_MODEL_OP_LIGHT_LIGHTNESS_GET:
@@ -741,13 +710,13 @@ static void light_status(struct bt_mesh_model *model,
         if (!k_delayed_work_free(&node->timer)) {
             bt_mesh_lighting_client_cb_evt_to_btc(node->opcode, evt, model, ctx, val, len);
             // Don't forget to release the node at the end.
-            bt_mesh_client_free_node(&internal->queue, node);
+            bt_mesh_client_free_node(node);
         }
     }
 
     bt_mesh_light_client_unlock();
 
-    switch (rsp) {
+    switch (ctx->recv_op) {
     case BLE_MESH_MODEL_OP_LIGHT_LC_PROPERTY_STATUS: {
         struct bt_mesh_light_lc_property_status *status;
         status = (struct bt_mesh_light_lc_property_status *)val;

diff --git a/components/bt/esp_ble_mesh/mesh_models/client/sensor_client.c b/components/bt/esp_ble_mesh/mesh_models/client/sensor_client.c
index 3626a38dcd1d6288da7c5a442996f410d628a7c0..e3eda759ad8c09a25e56dc67693f45c012d5d520 100644 (file)
--- a/components/bt/esp_ble_mesh/mesh_models/client/sensor_client.c
+++ b/components/bt/esp_ble_mesh/mesh_models/client/sensor_client.c
@@ -82,37 +82,23 @@ static void bt_mesh_sensor_client_unlock(void)
 
 static void timeout_handler(struct k_work *work)
 {
-    sensor_internal_data_t *internal = NULL;
-    bt_mesh_sensor_client_t *client = NULL;
+    struct k_delayed_work *timer = NULL;
     bt_mesh_client_node_t *node = NULL;
 
     BT_WARN("Receive sensor status message timeout");
 
-    node = CONTAINER_OF(work, bt_mesh_client_node_t, timer.work);
-    if (!node || !node->ctx.model) {
-        BT_ERR("%s, Invalid parameter", __func__);
-        return;
-    }
-
-    client = (bt_mesh_sensor_client_t *)node->ctx.model->user_data;
-    if (!client) {
-        BT_ERR("%s, Sensor Client user_data is NULL", __func__);
-        return;
-    }
-
-    internal = (sensor_internal_data_t *)client->internal_data;
-    if (!internal) {
-        BT_ERR("%s, Sensor Client internal_data is NULL", __func__);
-        return;
-    }
-
     bt_mesh_sensor_client_lock();
 
-    if (!k_delayed_work_free(&node->timer)) {
-        bt_mesh_sensor_client_cb_evt_to_btc(node->opcode,
-            BTC_BLE_MESH_EVT_SENSOR_CLIENT_TIMEOUT, node->ctx.model, &node->ctx, NULL, 0);
-        // Don't forget to release the node at the end.
-        bt_mesh_client_free_node(&internal->queue, node);
+    timer = CONTAINER_OF(work, struct k_delayed_work, work);
+
+    if (timer && !k_delayed_work_free(timer)) {
+        node = CONTAINER_OF(work, bt_mesh_client_node_t, timer.work);
+        if (node) {
+            bt_mesh_sensor_client_cb_evt_to_btc(node->opcode,
+                BTC_BLE_MESH_EVT_SENSOR_CLIENT_TIMEOUT, node->ctx.model, &node->ctx, NULL, 0);
+            // Don't forget to release the node at the end.
+            bt_mesh_client_free_node(node);
+        }
     }
 
     bt_mesh_sensor_client_unlock();
@@ -124,30 +110,14 @@ static void sensor_status(struct bt_mesh_model *model,
                           struct bt_mesh_msg_ctx *ctx,
                           struct net_buf_simple *buf)
 {
-    sensor_internal_data_t *internal = NULL;
-    bt_mesh_sensor_client_t *client = NULL;
     bt_mesh_client_node_t *node = NULL;
-    u8_t  *val = NULL;
-    u8_t   evt = 0xFF;
-    u32_t  rsp = 0;
+    u8_t *val = NULL;
+    u8_t evt = 0xFF;
     size_t len = 0;
 
     BT_DBG("%s, len %d, bytes %s", __func__, buf->len, bt_hex(buf->data, buf->len));
 
-    client = (bt_mesh_sensor_client_t *)model->user_data;
-    if (!client) {
-        BT_ERR("%s, Sensor Client user_data is NULL", __func__);
-        return;
-    }
-
-    internal = (sensor_internal_data_t *)client->internal_data;
-    if (!internal) {
-        BT_ERR("%s, Sensor Client internal_data is NULL", __func__);
-        return;
-    }
-
-    rsp = ctx->recv_op;
-    switch (rsp) {
+    switch (ctx->recv_op) {
     case BLE_MESH_MODEL_OP_SENSOR_DESCRIPTOR_STATUS: {
         struct bt_mesh_sensor_descriptor_status *status = NULL;
         status = osi_calloc(sizeof(struct bt_mesh_sensor_descriptor_status));
@@ -296,7 +266,7 @@ static void sensor_status(struct bt_mesh_model *model,
 
     node = bt_mesh_is_client_recv_publish_msg(model, ctx, buf, true);
     if (!node) {
-        BT_DBG("Unexpected sensor status message 0x%x", rsp);
+        BT_DBG("Unexpected sensor status message 0x%x", ctx->recv_op);
     } else {
         switch (node->opcode) {
         case BLE_MESH_MODEL_OP_SENSOR_DESCRIPTOR_GET:
@@ -319,13 +289,13 @@ static void sensor_status(struct bt_mesh_model *model,
         if (!k_delayed_work_free(&node->timer)) {
             bt_mesh_sensor_client_cb_evt_to_btc(node->opcode, evt, model, ctx, val, len);
             // Don't forget to release the node at the end.
-            bt_mesh_client_free_node(&internal->queue, node);
+            bt_mesh_client_free_node(node);
         }
     }
 
     bt_mesh_sensor_client_unlock();
 
-    switch (rsp) {
+    switch (ctx->recv_op) {
     case BLE_MESH_MODEL_OP_SENSOR_DESCRIPTOR_STATUS: {
         struct bt_mesh_sensor_descriptor_status *status;
         status = (struct bt_mesh_sensor_descriptor_status *)val;

diff --git a/components/bt/esp_ble_mesh/mesh_models/client/time_scene_client.c b/components/bt/esp_ble_mesh/mesh_models/client/time_scene_client.c
index 01f563994608fe0e15aea72feed35ed9ed2076a3..3b05be51b6b5bb592ca1f864a919a750c643ff66 100644 (file)
--- a/components/bt/esp_ble_mesh/mesh_models/client/time_scene_client.c
+++ b/components/bt/esp_ble_mesh/mesh_models/client/time_scene_client.c
@@ -98,37 +98,23 @@ static void bt_mesh_time_scene_client_unlock(void)
 
 static void timeout_handler(struct k_work *work)
 {
-    time_scene_internal_data_t *internal = NULL;
-    bt_mesh_time_scene_client_t *client = NULL;
+    struct k_delayed_work *timer = NULL;
     bt_mesh_client_node_t *node = NULL;
 
     BT_WARN("Receive time scene status message timeout");
 
-    node = CONTAINER_OF(work, bt_mesh_client_node_t, timer.work);
-    if (!node || !node->ctx.model) {
-        BT_ERR("%s, Invalid parameter", __func__);
-        return;
-    }
-
-    client = (bt_mesh_time_scene_client_t *)node->ctx.model->user_data;
-    if (!client) {
-        BT_ERR("%s, Time Scene Client user_data is NULL", __func__);
-        return;
-    }
-
-    internal = (time_scene_internal_data_t *)client->internal_data;
-    if (!internal) {
-        BT_ERR("%s, Time Scene Client internal_data is NULL", __func__);
-        return;
-    }
-
     bt_mesh_time_scene_client_lock();
 
-    if (!k_delayed_work_free(&node->timer)) {
-        bt_mesh_time_scene_client_cb_evt_to_btc(node->opcode,
-            BTC_BLE_MESH_EVT_TIME_SCENE_CLIENT_TIMEOUT, node->ctx.model, &node->ctx, NULL, 0);
-        // Don't forget to release the node at the end.
-        bt_mesh_client_free_node(&internal->queue, node);
+    timer = CONTAINER_OF(work, struct k_delayed_work, work);
+
+    if (timer && !k_delayed_work_free(timer)) {
+        node = CONTAINER_OF(work, bt_mesh_client_node_t, timer.work);
+        if (node) {
+            bt_mesh_time_scene_client_cb_evt_to_btc(node->opcode,
+                BTC_BLE_MESH_EVT_TIME_SCENE_CLIENT_TIMEOUT, node->ctx.model, &node->ctx, NULL, 0);
+            // Don't forget to release the node at the end.
+            bt_mesh_client_free_node(node);
+        }
     }
 
     bt_mesh_time_scene_client_unlock();
@@ -140,30 +126,14 @@ static void time_scene_status(struct bt_mesh_model *model,
                               struct bt_mesh_msg_ctx *ctx,
                               struct net_buf_simple *buf)
 {
-    time_scene_internal_data_t *internal = NULL;
-    bt_mesh_time_scene_client_t *client = NULL;
     bt_mesh_client_node_t *node = NULL;
-    u8_t  *val = NULL;
-    u8_t   evt = 0xFF;
-    u32_t  rsp = 0;
+    u8_t *val = NULL;
+    u8_t evt = 0xFF;
     size_t len = 0;
 
     BT_DBG("%s, len %d, bytes %s", __func__, buf->len, bt_hex(buf->data, buf->len));
 
-    client = (bt_mesh_time_scene_client_t *)model->user_data;
-    if (!client) {
-        BT_ERR("%s, Time Scene Client user_data is NULL", __func__);
-        return;
-    }
-
-    internal = (time_scene_internal_data_t *)client->internal_data;
-    if (!internal) {
-        BT_ERR("%s, Time Scene Client internal_data is NULL", __func__);
-        return;
-    }
-
-    rsp = ctx->recv_op;
-    switch (rsp) {
+    switch (ctx->recv_op) {
     case BLE_MESH_MODEL_OP_TIME_STATUS: {
         struct bt_mesh_time_status *status = NULL;
         if (buf->len != 5 && buf->len != 10) {
@@ -333,7 +303,7 @@ static void time_scene_status(struct bt_mesh_model *model,
 
     node = bt_mesh_is_client_recv_publish_msg(model, ctx, buf, true);
     if (!node) {
-        BT_DBG("Unexpected time scene status message 0x%x", rsp);
+        BT_DBG("Unexpected time scene status message 0x%x", ctx->recv_op);
     } else {
         switch (node->opcode) {
         case BLE_MESH_MODEL_OP_TIME_GET:
@@ -363,13 +333,13 @@ static void time_scene_status(struct bt_mesh_model *model,
         if (!k_delayed_work_free(&node->timer)) {
             bt_mesh_time_scene_client_cb_evt_to_btc(node->opcode, evt, model, ctx, val, len);
             // Don't forget to release the node at the end.
-            bt_mesh_client_free_node(&internal->queue, node);
+            bt_mesh_client_free_node(node);
         }
     }
 
     bt_mesh_time_scene_client_unlock();
 
-    switch (rsp) {
+    switch (ctx->recv_op) {
     case BLE_MESH_MODEL_OP_SCENE_REGISTER_STATUS: {
         struct bt_mesh_scene_register_status *status;
         status = (struct bt_mesh_scene_register_status *)val;