Possible use after free in TxRmtDriver

[schurwanzn-stabl]

When TxRmtDriver::write_items is called with block = false

esp-idf-hal/src/rmt.rs

Lines 607 to 613 in 29806af

	fn write_items<S>(&mut self, signal: &S, block: bool) -> Result<(), EspError>
	where
	S: Signal,
	{
	let items = signal.as_slice();
	esp!(unsafe { rmt_write_items(self.channel(), items.as_ptr(), items.len() as i32, block) })
	}

the called function rmt_write_items will keep reading from the passed pointer until the transmission is completed. The borrow on the S: Signal though "expires" once write_items returns.
For example when calling the TxRmtDriver::start function

esp-idf-hal/src/rmt.rs

Lines 589 to 597 in 29806af

	/// Start sending the given signal without blocking.
	///
	/// `signal` is captured for safety so that the user can't change the data while transmitting.
	pub fn start<S>(&mut self, signal: S) -> Result<(), EspError>
	where
	S: Signal,
	{
	self.write_items(&signal, false)
	}

the ESP-IDF may access dropped memory.

---

Aside from that the documentation of rm_write_items states to "please [?] do not use the memory allocated from psram when calling rmt_write_items". This restriction is not enforced either.
Should I create a separate issue for this?

[ivmarkov]

Can you actually contribute a Pr that fixes this? I admit I did not review carefully the RMT driver at the time, and it was a contribution.

[schurwanzn-stabl]

Fixing the code seems a bit more involved and we currently do not use the non-blocking function.
Thus I can't contribute a fix for now, sorry.