Bluetooth: controller: LEGACY: ASSERTION failure on invalid packet sequence #22968

Closed
cvinayak opened this issue Feb 20, 2020 · 0 comments · Fixed by #22970
Describe the bug
A rogue central device using an invalid sequence number in the first connection event causes an assertion failure in the controller.

To Reproduce
Steps to reproduce the behavior:

  1. mkdir build; cd build
  2. cmake -DBOARD=nrf52_pca10040 -DCONFIG_BT_LL_SW_LEGACY=y ../samples/bluetooth/peripheral
  3. make
  4. See error

Expected behavior
No assertion failure or crash.

Impact
showstopper

Screenshots or console output

*** Booting Zephyr OS build v2.2.0-rc1-215-g6baff1b3b9c0  ***
Bluetooth initialized
Advertising successfully started
[00:00:00.007,476] <inf> fs_nvs: 6 Sectors of 4096 bytes
[00:00:00.007,476] <inf> fs_nvs: alloc wra: 0, fa8
[00:00:00.007,476] <inf> fs_nvs: data wra: 0, e4
[00:00:00.008,880] <inf> bt_hci_core: HW Platform: Nordic Semiconductor (0x0002)
[00:00:00.008,880] <inf> bt_hci_core: HW Variant: nRF52x (0x0002)
[00:00:00.008,880] <inf> bt_hci_core: Firmware: Standard Bluetooth controller (0x00) Version 2.2 Build 0
[00:00:00.009,155] <inf> bt_hci_core: No ID address. App must call settings_load()
[00:00:00.011,901] <inf> bt_hci_core: Identity: c1:ab:66:13:11:2e (random)
[00:00:00.011,932] <inf> bt_hci_core: HCI: version 5.1 (0x0a) revision 0x0000, manufacturer 0x05f1
[00:00:00.011,932] <inf> bt_hci_core: LMP: version 5.1 (0x0a) subver 0xffff
Connected
ASSERTION FAIL [status == 0] @ ZEPHYR_BASE/subsys/bluetooth/controller/ll_sw/ctrl.c:5050
[00:00:15.125,396] <err> os: r0/a1:  0x00000003  r1/a2:  0x0000000a  r2/a3:  0x00000001
[00:00:15.125,427] <err> os: r3/a4:  0x000204d2 r12/ip:  0x200010cc r14/lr:  0x00011a5b
[00:00:15.125,427] <err> os:  xpsr:  0x61000029
[00:00:15.125,427] <err> os: Faulting instruction address (r15/pc): 0x00011a66
[00:00:15.125,427] <err> os: >>> ZEPHYR FATAL ERROR 3: Kernel oops on CPU 0
[00:00:15.125,427] <err> os: Fault during interrupt handling

[00:00:15.125,427] <err> os: Current thread: 0x2000183c (unknown)
[00:00:15.438,201] <err> os: Halting system

Environment (please complete the following information):

  • OS: Linux
  • Toolchain: gnuarmemb gcc version 9.2.0 (Arch Repository)
  • Commit SHA or Version used: 6baff1b

Additional context
Add any other context about the problem here. None.

@cvinayak cvinayak added bug The issue is a bug, or the PR is fixing a bug priority: high High impact/importance bug area: Bluetooth labels Feb 20, 2020
@cvinayak cvinayak added this to the v1.14.2 milestone Feb 20, 2020
@cvinayak cvinayak self-assigned this Feb 20, 2020
cvinayak added a commit to cvinayak/zephyr that referenced this issue Feb 20, 2020
Fix Tx pool from being corrupted when rogue central device
uses invalid packet sequence numbers, causing NULL pointer
to be released into free data Tx pool.

Fixes zephyrproject-rtos#22968.

Signed-off-by: Vinayak Kariappa Chettimada <vich@nordicsemi.no>
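
The failure mode named in the commit message above, sketched as an added example; this is not Zephyr's controller code and not the change made in #22970. It models the BLE link-layer SN/NESN acknowledgement rule and shows how an acknowledgement for a PDU that was never sent puts a NULL pointer into the free Tx pool unless the pending node is checked first. All struct and function names, the pool size and the "ignore the bogus ack" policy are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define TX_POOL_SIZE 4                 /* constructed size for the example */
struct tx_node { uint8_t payload[27]; };
struct conn {
    uint8_t sn;                        /* transmitSeqNum, 0 at connection setup */
    struct tx_node *tx_pending;        /* PDU sent and awaiting ack, or NULL */
    struct tx_node *free_pool[TX_POOL_SIZE];
    unsigned free_cnt;
};
enum rx_result { RX_NO_ACK, RX_ACKED, RX_BOGUS_ACK };

/* Handle the NESN bit of a received data PDU header (hypothetical helper). */
enum rx_result rx_ack(struct conn *c, uint8_t peer_nesn, int hardened)
{
    if ((peer_nesn & 1u) == c->sn)
        return RX_NO_ACK;              /* peer has not acknowledged anything */
    if (hardened && c->tx_pending == NULL)
        return RX_BOGUS_ACK;           /* ack for a PDU that was never sent */
    c->sn ^= 1u;
    if (c->free_cnt < TX_POOL_SIZE)
        c->free_pool[c->free_cnt++] = c->tx_pending; /* naive path frees NULL */
    c->tx_pending = NULL;
    return RX_ACKED;
}

/* Count NULL entries in the free pool; each one is a corrupted slot. */
unsigned pool_null_entries(const struct conn *c)
{
    unsigned n = 0;
    for (unsigned i = 0; i < c->free_cnt; i++)
        n += (c->free_pool[i] == NULL);
    return n;
}

/* First connection event: nothing sent yet, peer sets NESN=1 anyway. */
unsigned first_event_bogus_ack(int hardened)
{
    struct conn c = {0};
    rx_ack(&c, 1, hardened);
    return pool_null_entries(&c);
}

int main(void)
{
    printf("NULL entries in pool: naive=%u hardened=%u\n",
           first_event_bogus_ack(0), first_event_bogus_ack(1));
    return 0;
}
```

A later allocation from the naive pool would hand out the NULL entry, which is the kind of state a status assertion like the one in the console output above is there to catch.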
@jhedberg jhedberg modified the milestones: v1.14.2, v2.2.0 Feb 27, 2020
jhedberg pushed a commit that referenced this issue Feb 27, 2020
hakehuang pushed a commit to hakehuang/zephyr that referenced this issue Mar 18, 2020
cvinayak added a commit to cvinayak/zephyr that referenced this issue Sep 23, 2020
nashif pushed a commit that referenced this issue Nov 17, 2020