Bluetooth: conn: move auto-init procedures to system workqueue

[jori-nordic]

conn_auto_initiate() starts a bunch of controller procedures (read: HCI
commands) that are fired off right after connection establishment.

Right now, it's called from the RX context, which is the same context where
resources (cmd & acl buffers) are freed. This not ideal.

But the procedures are all async, so it should be fine to schedule this
function on the system workqueue, where we have less risk of deadlocks.

[Thalley]

A few comments, but nothing that actually needs to be fixed especially since this is from moved code.

[jori-nordic]

nothing that actually needs to be fixed

Will make another PR right after this one to address, scout's honor.

[alwa-nordic]

This can potentially destroy the currently running k_work object. Is that ok?

[jori-nordic]

good point. I have no idea if it's going to implode or not.

[alwa-nordic]

It looks in work.c like the work item is touched after the handler completes. Better safe than sorry. I suggest we make the work item global, we iterate over all connected conns in the handler, and have a flag that marks the work done on each conn.

[jhedberg]

Looking at what the workqueue implementation does after calling the callback this may actually be a problem (it's still accessing parts of the work struct, like work->flags after it).

zephyr/kernel/work.c

Lines 688 to 703 in 40414f7

	handler(work);
	/* Mark the work item as no longer running and deal
	* with any cancellation and flushing issued while it
	* was running. Clear the BUSY flag and optionally
	* yield to prevent starving other threads.
	*/
	key = k_spin_lock(&lock);
	flag_clear(&work->flags, K_WORK_RUNNING_BIT);
	if (flag_test(&work->flags, K_WORK_FLUSHING_BIT)) {
	finalize_flush_locked(work);
	}
	if (flag_test(&work->flags, K_WORK_CANCELING_BIT)) {
	finalize_cancel_locked(work);
	}

[jori-nordic]

I wonder if this is already an issue with deferred_work:

zephyr/subsys/bluetooth/host/conn.c

Lines 2069 to 2072 in 40414f7

	/* Release the reference we took for the very first
	* state transition.
	*/
	bt_conn_unref(conn);

[Thalley]

One solution could be to do "slow" freeing of connections, i.e. when the refcount drops to zero there's a separate (independent of any connection object) k_work that's responsible for really freeing the object.

Wouldn't that hinder advertisers to restart connectable advertising even further?
Today we suggest to use a k_work in the disconnected callback, but if the stack then also does a k_work before actually freeing the connection, then the application's k_work needs to be schedules after the stack's k_work.

[jori-nordic]

we probably need to address the rootcause, which is the work item belonging to the struct bt_conn. I really don't like the deferred_work anyways. So refactoring deferred_work using @alwa-nordic 's proposition seems appropriate.

[Thalley]

we probably need to address the rootcause, which is the work item belonging to the struct bt_conn. I really don't like the deferred_work anyways. So refactoring deferred_work using @alwa-nordic 's proposition seems appropriate.

Not really opposed to that either. It does sound a bit like we are starting to implement a tiny garbage collector if we have a work item that occasionally goes through all connection objects to finalize the free'ing :D But you are correct that free'ing an object that contains the work items that triggers the free is an issue

[jori-nordic]

I suggest to name it ZNGC Zis is Not a Garbage Collector 🚮🙊

[Thalley]

ZNGC Zis is Not a Garbage Collector

Better make it "ZNGC: ZNGC is Not a Garbage Collector" for additional recursiveness

[Thalley]

Sounds like we need to fix further things in this PR

[Thalley]

With the if (conn->state != BT_CONN_CONNECTED) { on line 1697, do we need this check for each procedure? Or can e.g. bt_hci_read_remote_version actually disconnect the connection?

[jori-nordic]

idk. I'm not taking any chances in case of pre-emption by e.g. the controller thread sending a disconnected event, which is high-prio.

[Thalley]

No log message if bt_hci_le_read_max_data_len fails?

[jori-nordic]

just copy-pasting stuff around

[jori-nordic]

I was planning to have this PR be a single cherry-pickable commit. And have another one for logs and cosmetic changes, IS_ENABLED() etc..

[Thalley]

Suggested change

	bt_conn_foreach(BT_CONN_TYPE_ALL, perform_auto_initiated_procedures, NULL);
	bt_conn_foreach(BT_CONN_TYPE_LE, perform_auto_initiated_procedures, NULL);

I guess we don't want to do these for ISO or classic connections

[jhedberg]

Shouldn't this be atomic_test_and_clear_bit()?

[jhedberg]

Nevermind, I think it might be correct. To me it'd just be more intuitive to have a flag set together with the reference, and cleared when you do unref()

[jori-nordic]

set should be correct

[jhedberg]

I think it might be more intuitive if you reversed this, i.e. call it AUTO_INIT_PROCEDURES_PENDING. That way the reference is tied to something more tangible (the flag being set).

[jori-nordic]

I did this to distinguish between a freshly-memset connection and a connection that has had this procedure performed. I can swap if you really want to.

[jhedberg]

I think verifying the correctness of the reference counting becomes clearer if it was reversed. Normally reference counts are tied to actual pointer variables, but that's not the case here. If you can see a setting of the flag when you do ref() and a test_and_clear() when you do unref() it's IMO more obvious to what the reference count is tied, i.e. something like:

bt_conn_ref(conn);
set_bit();

and:

if (test_and_clear_bit()) {
	bt_conn_unref();
}

[jori-nordic]

aiight, i'll change it.

[jhedberg]

I think the same rule applies for CHECKIF as for ASSERT, i.e. you should never put functionally significant actions inside it. E.g. if CONFIG_NO_RUNTIME_CHECKS is set then the test_and_clear_bit() would never get called, which is probably not what you want.

[jori-nordic]

right. forgot about that option.

[alwa-nordic]

Taking the ref here is unnecessary. bt_conn_foreach iterates over live connection objects and lends a reference to the loop body function.

In general, if a function gets a bt_conn in a parameter, the caller shall guarantee it lives until the function returns.

[alwa-nordic]

This flag is arguably redundant. I think it's functionally equivalent to conn.state == CONNECTED && !procedures_done.

[Thalley]

Suggested change

	static void schedule_auto_initiated_procedures(struct bt_conn *conn)
	{
	LOG_DBG("[%p] Scheduling auto-init procedures", conn);
	k_work_submit(&procedures_on_connect);
	}
	static void schedule_auto_initiated_procedures(void)
	{
	LOG_DBG("Scheduling auto-init procedures");
	k_work_submit(&procedures_on_connect);
	}

Since the k_work is no longer in the conn object, suggest to remove it from the function. In the case of LOG_DBG not being enabled, it was a unused argument anyhow

[jori-nordic]

I think we should still have it. As it is the start of an async operation and the log in perform_auto_initiated_procedures only notify us of the execution of that async operation.

If you really don't want it, feel free to NAK and I'll remove.

[Thalley]

Not a huge deal and it may be useful :)

[jori-nordic]

rebased to fix conflict in hci_core.c