wifi_prov_mgr_start_provisioning after de intializing and re initializing provision manager causing panic (IDFGH-17019) #18065
Description
Answers checklist.
- I have read the documentation ESP-IDF Programming Guide and the issue is not addressed there.
- I have updated my IDF branch (master or release) to the latest version and checked that the issue is present there.
- I have searched the issue tracker for a similar issue and not found a similar issue.
IDF version.
v5.5.2
Espressif SoC revision.
ESP32-S3 (revision v0.2)
Operating System used.
Windows
How did you build your project?
Command line with idf.py
If you are using Windows, please specify command line type.
CMD
Development Kit.
ESP32-S3-WROOM-1U-N16R8
Power Supply used.
External 3.3V
What is the expected behavior?
I am trying to deinitialize the provisoning manager after attempting provisioning to free up IRAM. The provisioning manager should be able to be deinitialized and reinitialized multiple times without requiring a device reboot. The BT controller should properly clean up all allocated resources during deinitialization, allowing for clean reinitialization.
Keeping the provision manager running for reprovisioning is an issue because it consumes significant IRAM, almost 20KB, which is why we need to deinit it after provisioning attempt.
The current workaround is that the device must be rebooted to restart provisioning. This is not acceptable for production use cases where provisioning may need to be attempted again later (e.g., to change WiFi credentials).
What is the actual behavior?
After successfully provisioning -> deiniting the provisioning manager -> reiniting the provision manger and starting the provisioning, the device crashes with the following assertion:
assert failed: heap_caps_free heap_caps_base.c:74 (heap != NULL && "free() target pointer is outside heap areas")
### Steps to reproduce.
1. wifi_prov_mgr example without QR code and using BLE transport for provisioning
2. Force reset provision status after startup
3. Starting provisioning and waiting for it to complete (wifi_prov_mgr_wait()), deiniting the provision manager (wifi_prov_mgr_deinit())
4. Deinitializes WiFi (`esp_wifi_stop()`, `esp_wifi_deinit()`)
5. Checks BT controller state esp_bt_controller_get_status() (reports IDLE)
6. Reinitializes WiFi
7. Reinitializes provisioning manager
8. Attempts to start provisioning → **CRASH**
[app-main.txt](https://github.com/user-attachments/files/24389709/app-main.txt)
### Debug Logs.
```plain
I (24) boot: ESP-IDF v5.5.2 2nd stage bootloader
I (25) boot: compile time Dec 31 2025 07:54:22
I (25) boot: Multicore bootloader
I (25) boot: chip revision: v0.2
I (28) boot: efuse block revision: v1.3
I (31) boot.esp32s3: Boot SPI Speed : 80MHz
I (35) boot.esp32s3: SPI Mode : DIO
I (39) boot.esp32s3: SPI Flash Size : 2MB
I (43) boot: Enabling RNG early entropy source...
I (47) boot: Partition Table:
I (50) boot: ## Label Usage Type ST Offset Length
I (56) boot: 0 nvs WiFi data 01 02 00009000 00006000
I (63) boot: 1 phy_init RF data 01 01 0000f000 00001000
I (69) boot: 2 factory factory app 00 00 00010000 00180000
I (76) boot: End of partition table
I (79) esp_image: segment 0: paddr=00010020 vaddr=3c0c0020 size=286f0h (165616) map
I (115) esp_image: segment 1: paddr=00038718 vaddr=3fca0100 size=054d8h ( 21720) load
I (120) esp_image: segment 2: paddr=0003dbf8 vaddr=40374000 size=02420h ( 9248) load
I (123) esp_image: segment 3: paddr=00040020 vaddr=42000020 size=b7368h (750440) map
I (259) esp_image: segment 4: paddr=000f7390 vaddr=40376420 size=19ccch (105676) load
I (282) esp_image: segment 5: paddr=00111064 vaddr=50000000 size=00020h ( 32) load
I (293) boot: Loaded app from partition at offset 0x10000
I (294) boot: Disabling RNG early entropy source...
I (304) octal_psram: vendor id : 0x0d (AP)
I (304) octal_psram: dev id : 0x02 (generation 3)
I (304) octal_psram: density : 0x03 (64 Mbit)
I (306) octal_psram: good-die : 0x01 (Pass)
I (310) octal_psram: Latency : 0x01 (Fixed)
I (315) octal_psram: VCC : 0x01 (3V)
I (319) octal_psram: SRF : 0x01 (Fast Refresh)
I (324) octal_psram: BurstType : 0x01 (Hybrid Wrap)
I (329) octal_psram: BurstLen : 0x01 (32 Byte)
I (333) octal_psram: Readlatency : 0x02 (10 cycles@Fixed)
I (338) octal_psram: DriveStrength: 0x00 (1/1)
I (342) esp_psram: Found 8MB PSRAM device
I (346) esp_psram: Speed: 40MHz
I (374) mmu_psram: Read only data copied and mapped to SPIRAM
I (374) cpu_start: Multicore app
I (1088) esp_psram: SPI SRAM memory test OK
I (1097) cpu_start: GPIO 44 and 43 are used as console UART I/O pins
I (1098) cpu_start: Pro cpu start user code
I (1098) cpu_start: cpu freq: 160000000 Hz
I (1099) app_init: Application information:
I (1103) app_init: Project name: wifi_prov_mgr
I (1108) app_init: App version: 1
I (1111) app_init: Compile time: Dec 31 2025 07:52:45
I (1116) app_init: ELF file SHA256: 907099a5c...
I (1121) app_init: ESP-IDF: v5.5.2
I (1125) efuse_init: Min chip rev: v0.0
I (1129) efuse_init: Max chip rev: v0.99
I (1133) efuse_init: Chip rev: v0.2
I (1137) heap_init: Initializing. RAM available for dynamic allocation:
I (1143) heap_init: At 3FCA65D8 len 00043138 (268 KiB): RAM
I (1148) heap_init: At 3FCE9710 len 00005724 (21 KiB): RAM
I (1153) heap_init: At 3FCF0000 len 00008000 (32 KiB): DRAM
I (1159) heap_init: At 600FE000 len 00001FE8 (7 KiB): RTCRAM
I (1164) esp_psram: Adding pool of 7981K of PSRAM memory to heap allocator
I (1171) esp_psram: Adding pool of 30K of PSRAM memory gap generated due to end address alignment of drom to the heap allocator
I (1183) spi_flash: detected chip: gd
I (1185) spi_flash: flash io: dio
W (1188) spi_flash: Detected size(16384k) larger than the size in the binary image header(2048k). Using the size in the binary image header.
I (1201) sleep_gpio: Configure to isolate all GPIO pins in sleep state
I (1207) sleep_gpio: Enable automatic switching of GPIO sleep configuration
I (1214) coexist: coex firmware version: 7260f71
I (1218) coexist: coexist rom version e7ae62f
I (1223) main_task: Started on CPU0
I (1233) esp_psram: Reserving pool of 32K of internal memory for DMA/internal allocations
I (1233) main_task: Calling app_main()
I (1273) pp: pp rom version: e7ae62f
I (1273) net80211: net80211 rom version: e7ae62f
I (1283) wifi:wifi driver task: 3fced57c, prio:23, stack:6656, core=0
I (1293) wifi:wifi firmware version: ee91c8c
I (1293) wifi:wifi certification version: v7.0
I (1293) wifi:config NVS flash: enabled
I (1303) wifi:config nano formatting: disabled
I (1303) wifi:Init data frame dynamic rx buffer num: 32
I (1303) wifi:Init static rx mgmt buffer num: 5
I (1313) wifi:Init management short buffer num: 32
I (1313) wifi:Init static tx buffer num: 16
I (1323) wifi:Init tx cache buffer num: 32
I (1323) wifi:Init static tx FG buffer num: 2
I (1323) wifi:Init static rx buffer size: 1600
I (1333) wifi:Init static rx buffer num: 10
I (1333) wifi:Init dynamic rx buffer num: 32
I (1343) wifi_init: rx ba win: 6
I (1343) wifi_init: accept mbox: 6
I (1343) wifi_init: tcpip mbox: 32
I (1353) wifi_init: udp mbox: 6
I (1353) wifi_init: tcp mbox: 6
I (1353) wifi_init: tcp tx win: 5760
I (1353) wifi_init: tcp rx win: 5760
I (1363) wifi_init: tcp mss: 1440
I (1363) wifi_init: WiFi/LWIP prefer SPIRAM
I (1373) wifi_init: WiFi IRAM OP enabled
I (1373) wifi_init: WiFi RX IRAM OP enabled
I (1373) wifi_prov_scheme_ble: BT memory released
I (1423) app: Starting provisioning
I (1423) phy_init: phy_version 711,97bcf0a2,Aug 25 2025,19:04:10
W (1423) phy_init: failed to load RF calibration data (0xffffffff), falling back to full calibration
I (1463) phy_init: Saving new calibration data due to checksum failure or outdated calibration data, mode(2)
I (1523) wifi:mode : sta (ec:da:3b:96:ad:d4)
I (1523) wifi:enable tsf
I (1533) BLE_INIT: BT controller compile version [5106725]
I (1533) BLE_INIT: Using main XTAL as clock source
I (1533) BLE_INIT: Feature Config, ADV:1, BLE_50:1, DTM:1, SCAN:1, CCA:0, SMP:1, CONNECT:1
I (1533) BLE_INIT: Bluetooth MAC: ec:da:3b:96:ad:d6
I (1543) protocomm_nimble: BLE Host Task Started
I (1553) NimBLE: GAP procedure initiated: stop advertising.
I (1553) NimBLE: GAP procedure initiated: advertise;
I (1553) NimBLE: disc_mode=2
I (1563) NimBLE: adv_channel_map=0 own_addr_type=0 adv_filter_policy=0 adv_itvl_min=256 adv_itvl_max=256
I (1573) NimBLE:
I (1573) wifi_prov_mgr: Provisioning started with service name : PROV_96ADD4
I (1573) app: Provisioning started
I (10073) app: BLE transport: Connected!
I (10863) protocomm_nimble: mtu update event; conn_handle=1 cid=4 mtu=256
I (12603) app: Secured session established!
W (34063) wifi:Password length matches WPA2 standards, authmode threshold changes from OPEN to WPA2
I (34093) app: Received Wi-Fi credentials
SSID : batcave
Password : WeDPL@i8
I (40003) wifi:new:<4,0>, old:<1,0>, ap:<255,255>, sta:<4,0>, prof:1, snd_ch_cfg:0x0
I (40003) wifi:state: init -> auth (0xb0)
I (40013) wifi:state: auth -> assoc (0x0)
I (40023) wifi:state: assoc -> run (0x10)
I (40053) wifi:connected with batcave, aid = 4, channel 4, BW20, bssid = ba:e7:88:7a:cb:d7
I (40053) wifi:security: WPA2-PSK, phy: bgn, rssi: -28
I (40063) wifi:pm start, type: 1
I (40063) wifi:dp: 1, bi: 102400, li: 3, scale listen interval from 307200 us to 307200 us
I (40063) wifi:set rx beacon pti, rx_bcn_pti: 14, bcn_timeout: 25000, mt_pti: 14, mt_time: 10000
I (40103) wifi:dp: 2, bi: 102400, li: 4, scale listen interval from 307200 us to 409600 us
I (40103) wifi:AP's beacon interval = 102400 us, DTIM period = 2
I (41113) app: Connected with IP Address:10.138.163.24
I (41113) esp_netif_handlers: sta ip: 10.138.163.24, mask: 255.255.255.0, gw: 10.138.163.127
I (41113) wifi_prov_mgr: STA Got IP
I (41113) app: Provisioning successful
I (42583) NimBLE: GAP procedure initiated: stop advertising.
I (42583) NimBLE: GAP procedure initiated: stop advertising.
I (42583) NimBLE: GAP procedure initiated: terminate connection; conn_handle=1 hci_reason=19
E (42613) protocomm_nimble: Error setting advertisement data; rc = 30
I (42623) wifi_prov_mgr: Provisioning stopped
I (42623) app: BLE transport: Disconnected!
I (43583) wifi_prov_scheme_ble: BTDM memory released
I (43583) app: Hello World!
I (44583) app: ESP PROVISIONING MANGER INIT AGAIN ATTEMPT
I (44583) app: Deinitializing WiFi
I (44583) wifi:state: run -> init (0x0)
I (44593) wifi:pm stop, total sleep time: 3453352 us / 4524324 us
I (44593) wifi:new:<4,0>, old:<4,0>, ap:<255,255>, sta:<4,0>, prof:1, snd_ch_cfg:0x0
I (44643) wifi:flush txq
I (44643) wifi:stop sw txq
I (44643) wifi:lmac stop hw txq
I (45143) wifi:Deinit lldesc rx mblock:10
I (46153) app: Creating default Wi-Fi interface
I (56153) app: Deinitializing WiFi provisioning manager
I (56153) app: Provisioning manager already deinitialized
I (56153) app: Deinitializing BT controller before reinitialization
I (56153) app: BT controller status: 0
I (56153) app: BT controller already in IDLE state
I (56163) pp: pp rom version: e7ae62f
I (56163) net80211: net80211 rom version: e7ae62f
I (56183) wifi:wifi driver task: 3fced554, prio:23, stack:6656, core=0
I (56203) wifi:wifi firmware version: ee91c8c
I (56203) wifi:wifi certification version: v7.0
I (56203) wifi:config NVS flash: enabled
I (56203) wifi:config nano formatting: disabled
I (56203) wifi:Init data frame dynamic rx buffer num: 32
I (56213) wifi:Init static rx mgmt buffer num: 5
I (56213) wifi:Init management short buffer num: 32
I (56223) wifi:Init static tx buffer num: 16
I (56223) wifi:Init tx cache buffer num: 32
I (56223) wifi:Init static tx FG buffer num: 2
I (56233) wifi:Init static rx buffer size: 1600
I (56233) wifi:Init static rx buffer num: 10
I (56243) wifi:Init dynamic rx buffer num: 32
I (56243) wifi_init: rx ba win: 6
I (56243) wifi_init: accept mbox: 6
I (56253) wifi_init: tcpip mbox: 32
I (56253) wifi_init: udp mbox: 6
I (56253) wifi_init: tcp mbox: 6
I (56253) wifi_init: tcp tx win: 5760
I (56263) wifi_init: tcp rx win: 5760
I (56263) wifi_init: tcp mss: 1440
I (56263) wifi_init: WiFi/LWIP prefer SPIRAM
I (56273) wifi_init: WiFi IRAM OP enabled
I (56273) wifi_init: WiFi RX IRAM OP enabled
I (56283) wifi:mode : sta (ec:da:3b:96:ad:d4)
I (56283) wifi:enable tsf
I (57283) app: Device already provisioned, starting provisioning attempt again
I (57283) app: Checking BT controller state
I (57283) app: BT controller status: 0
I (57283) app: BT controller in IDLE state - provisioning manager will initialize it
btdm: bss start 0x3fcef180, len 36
btdm: data start 0x3fcef174, data start rom 0x40057350, len 12
--- 0x40057350: _data_start_btdm_rom in ROM
MAGIC fadebead VERSION 0001000a
I (57303) BLE_INIT: BT controller compile version [5106725]
I (57303) BLE_INIT: Using main XTAL as clock source
Guru Meditation Error: Core 0 panic'ed (LoadProhibited). Exception was unhandled.
Core 0 register dump:
PC : 0x40382555 PS : 0x00060730 A0 : 0x82014054 A1 : 0x3fca9c10
--- 0x40382555: vQueueDelete at C:/Espressif/frameworks/esp-idf-v5.5.2/components/freertos/FreeRTOS-Kernel/queue.c:2374
A2 : 0x0073766e A3 : 0x00000000 A4 : 0xfffffff8 A5 : 0x3c0caee0
A6 : 0x00000022 A7 : 0x3fca9ae0 A8 : 0x00000889 A9 : 0x3fca98a0
A10 : 0x3fca710c A11 : 0x3fca6f74 A12 : 0x3fca9b04 A13 : 0x3fca98e0
A14 : 0x3fca9ae0 A15 : 0xfffffff8 SAR : 0x0000000e EXCCAUSE: 0x0000001c
EXCVADDR: 0x007376b2 LBEG : 0x400556d5 LEND : 0x400556e5 LCOUNT : 0xfffffffd
--- 0x400556d5: strlen in ROM
--- 0x400556e5: strlen in ROM
Backtrace: 0x40382552:0x3fca9c10 0x42014051:0x3fca9c30 0x4202597d:0x3fca9c50 0x42026c7b:0x3fca9c70 0x4201475b:0x3fca9cc0 0x4201e0ab:0x3fca9cf0 0x4201353b:0x3fca9d60 0x42013964:0x3fca9d80 0x4200f3cf:0x3fca9db0 0x4200d357:0x3fca9dd0 0x4200ea1e:0x3fca9df0 0x4200c789:0x3fca9fc0 0x420b6668:0x3fcaa1c0 0x40382591:0x3fcaa1f0
--- 0x40382552: vQueueDelete at C:/Espressif/frameworks/esp-idf-v5.5.2/components/freertos/FreeRTOS-Kernel/queue.c:2355
--- 0x42014051: semphr_delete_wrapper at C:/Espressif/frameworks/esp-idf-v5.5.2/components/bt/controller/esp32c3/bt.c:935
--- 0x4202597d: btdm_controller_deinit_internal at arch_main.o:?
--- 0x42026c7b: btdm_controller_init at ??:?
--- 0x4201475b: esp_bt_controller_init at C:/Espressif/frameworks/esp-idf-v5.5.2/components/bt/controller/esp32c3/bt.c:1886
--- 0x4201e0ab: nimble_port_init at C:/Espressif/frameworks/esp-idf-v5.5.2/components/bt/host/nimble/nimble/porting/nimble/src/nimble_port.c:195
--- 0x4201353b: simple_ble_start at C:/Espressif/frameworks/esp-idf-v5.5.2/components/protocomm/src/transports/protocomm_nimble.c:528
--- 0x42013964: protocomm_ble_start at C:/Espressif/frameworks/esp-idf-v5.5.2/components/protocomm/src/transports/protocomm_nimble.c:1028
--- 0x4200f3cf: prov_start at C:/Espressif/frameworks/esp-idf-v5.5.2/components/wifi_provisioning/src/scheme_ble.c:74
--- 0x4200d357: wifi_prov_mgr_start_service at C:/Espressif/frameworks/esp-idf-v5.5.2/components/wifi_provisioning/src/manager.c:311
--- 0x4200ea1e: wifi_prov_mgr_start_provisioning at C:/Espressif/frameworks/esp-idf-v5.5.2/components/wifi_provisioning/src/manager.c:1715
--- 0x4200c789: app_main at
ELF file SHA256: 907099a5c
Rebooting...
ESP-ROM:esp32s3-20210327
Build:Mar 27 2021
rst:0xc (RTC_SW_CPU_RST),boot:0x8 (SPI_FAST_FLASH_BOOT)
Saved PC:0x4038199d
C:/Development/iApts/wifi_prov_mgr/main/app_main.c:461
--- 0x420b6668: main_task at C:/Espressif/frameworks/esp-idf-v5.5.2/components/freertos/app_startup.c:208
--- 0x40382591: vPortTaskWrapper at C:/Espressif/frameworks/esp-idf-v5.5.2/components/freertos/FreeRTOS-Kernel/portable/xtensa/port.c:139
--- 0x4038199d: esp_restart_noos at C:/Espressif/frameworks/esp-idf-v5.5.2/components/esp_system/port/soc/esp32s3/system_internal.c:164
SPIWP:0xee
mode:DIO, clock div:1
load:0x3fce2820,len:0x158c
load:0x403c8700,len:0xd24
--- 0x403c8700: _stext at ??:?
load:0x403cb700,len:0x2f34
entry 0x403c8924
Diagnostic report archive.
idf-diag-890d3642-110f-4892-8b59-cc332604ca01.zip
More Information.
The issue appears to be in the BT controller initialization sequence. When the BT controller is reinitialized after being deinitialized, it attempts to clean up resources (specifically a semaphore/queue) that were created during the first initialization.
The backtrace shows the crash occurs in semphr_delete_wrapper → vQueueDelete, suggesting that a semaphore created during the first BT controller init is being deleted with an invalid pointer during the second init.
Am i missing something or is there another way for ensuring the provisioning manager and BT controller can be safely deinitialized and reinitialized multiple times without requiring a reboot?