Both bt_le_adv_stop() and bt_le_adv_resume() were logging same
error message. Add aditional context to it so that logs are
distinguishable.
Signed-off-by: Szymon Janc <szymon.janc@codecoup.pl>
When received the valid S frame, the retransmission timer should not
be restarted if unacknowledged I-frames have been sent but the
retransmission timer has not elapsed.
Signed-off-by: Lyle Zhu <lyle.zhu@nxp.com>
When the returned buffer is a `NULL` of the pull function, it means
there is not any data needs to be sent. However maybe there is any
frame pending on other L2CAP channel needs to be sent over the same
ACL connection.
Re-trigger the TX processor. It will call the pull function again
and the pending buffer will be pulled from following L2CAP.
Signed-off-by: Lyle Zhu <lyle.zhu@nxp.com>
The current logic will result in rsp always being accept because LOSC
added is 0. and according to the spec, LOSC should not be added to the
Set Configuration Reject response.
Signed-off-by: Cheng Chang <cheng.chang@nxp.com>
It wasn't taken into account that bt_le_scan_set_enable()
has a return value. It's not likely that the controller
rejects the command when BT_DEV_SCANNING is set, however.
Signed-off-by: Olivier Lesage <olivier.lesage@nordicsemi.no>
Attempting this would fail (assuming the controller is implemented
correctly) because when using legacy commands it is not allowed to
change the device address while scanning.
It also did not make sense. If we have configured the scanner to use
the identity address as own_addr, because the advertiser and scanner
addresses are shared when using legacy commands, setting the adv NRPA
here would overwrite the identity address used by the scanner, which
I assume is not the intention.
Signed-off-by: Olivier Lesage <olivier.lesage@nordicsemi.no>
In 25c993e5b7 a new case was introduced
where own_addr_type is not set by bt_id_set_scan_own_addr properly.
This led to issues for users where increasing their zephyr version
led to failures to start scanning after advertising in the case where
CONFIG_BT_SCAN_WITH_IDENTITY=n and legacy advertising commands are used.
Signed-off-by: Olivier Lesage <olivier.lesage@nordicsemi.no>
When peer monitor and retransmission timeout are zero, set them to the
default values. This ensures that the monitor timeout is always a valid
value to avoid the L2CAP BR timer work queue hang.
Signed-off-by: Make Shi <make.shi@nxp.com>
Remove duplicated check for 'ep->stream == NULL' to clean up conditionals
and avoid unnecessary repeated evaluations.
This cleans up the code and avoids unnecessary repeated condition
evaluation.
Signed-off-by: Gaetan Perrot <gaetan.perrot@spacecubics.com>
The peer uses the RPA address.
A BR connection is created firstly, a subsequent BLE connection is
created secondly, the BR SMP CTKD occur thirdly (The BLE LTK is
derived from BR and the BR SMP distribute peer's IRK and identity address
here), but the BLE LTK is saved to key pool that is not
matched with the previous BLE connection because the derived LTK is saved
with identity address and BLE connection uses RPA. Fix it by: Resolve the
BLE connections' RPA with the derived IRK to find the previous BLE
connections and match the connections with derived LTK key.
Signed-off-by: Mark Wang <yichang.wang@nxp.com>
Channel tx_queue purging on disconnect was inconsistently handled
by the different channels: iso, l2cap, l2cap_br.
iso channels handled purging in the tx_data_pull hook.
l2cap and l2cap_br did the purging in channel delete functions
and did not expect tx_data_pull to be called for a disconnected
channel. Their data_pull functions could return a ptr to a
net_buf that was still on the tx_queue, which is problematic
when the conn tx_processor unrefs the returned buffer resulting
in multiple calls to the buf destroy function.
To make things consistent and correct, remove the code that tries
to purge tx_queues in the tx_processor and only do purging in
the channels themselves when they are deleted/disconnected.
Also refactor and clarify referencing of the net_buf returned
by tx_data_pull. It was confusing who had a reference and
when, which could vary depending on the length of the original
buffer. There are three cases: the buffer length is less
than the tx.mps, greater the mps but less than the mtu so
requiring segementation but not fragmentation, or greater than
both mps and mtu so requiring both segmentation and fragmentation.
The conn layer would increase the refcnt if the length was
greater than the mtu, but not have any awareness of whether
the net_buf was still on the tx_queue or not.
Now it is the tx_data_pull callbacks responsibitity to increment
the reference count if it is returning a pointer to a net_buf
that it is still keeping on the tx_queue for segmentation purposes.
The conn layer will now always transfer that reference into a
fragment view and not conditional it on the length relative to
the mtu, and always decrement the reference to the parent when
the fragment is destroyed.
So there is no risk of decrementing a reference to a net buf
that might still be on a tx_queue, which simplifies error
handling in particular.
Also add error handling paths for when asserts are not enabled.
Signed-off-by: Mike J. Chen <mjchen@google.com>
In HFP PTS, cases run fail with the log 'Bluetooth Profile Descriptor
List UUID (0x111E) is missing'.
With this patch, the affected cases can pass correctly.
Signed-off-by: Jiawei Yang <jiawei.yang_1@nxp.com>
SonarQube reports: cast from 'const struct _snode *' to 'struct _snode *'
drops const qualifier. Fix it by removing the const.
Signed-off-by: Mark Wang <yichang.wang@nxp.com>
(cherry picked from commit 7982ee0df13b7f9e54595f799e32f38c464b0f9e)
1. bt_sdp_discover may be called in two tasks at the same time:
(1) If the 2 calls are for 2 acl conns,
the same session may be new allocated to two acl conns.
(2) If the 2 calls are for the same acl conn, the same session should be
used.
Use the bt_conn_index to map acl conn with session to fix it.
2. fix that bt_sdp_discover may use one session that is disconnecting,
put req to reqs_next and process it after disconnected.
3. remove memset of session, reset each members individually.
Signed-off-by: Mark Wang <yichang.wang@nxp.com>
(cherry picked from commit dcbe5d7dc5d72ce0d2915cf2b291cc84a916a536)
Ensure that the BR/EDR L2CAP RX MTU is limited to the configured
BT_L2CAP_RX_MTU value during channel configuration.
This change prevent potential buffer overflow issues when receiving
data larger than the configured buffer size.
Signed-off-by: Jiawei Yang <jiawei.yang_1@nxp.com>
The MTU calculation in rfcomm_connected() was incorrectly adding the FCS
size instead of subtracting it.
This could lead to buffer overflows when sending data that exceeds
the actual available space.
Fix the calculation by properly subtracting both the RFCOMM header size and
the FCS size from the L2CAP MTU to get the correct RFCOMM session MTU.
Signed-off-by: Jiawei Yang <jiawei.yang_1@nxp.com>
There is an issue that the SCO connect cannot be un-referenced by HFP
AG when the SCO connection is broken if the SCO connect is not created
by HFP AG.
Register SCO connect change callback. And un-reference the SCO connect
in SCO disconnected callback.
Signed-off-by: Lyle Zhu <lyle.zhu@nxp.com>
There are two issues found,
Issue 1, if the SCO connection has been established, the SCO connected
event will not be notified. Then the call that waiting for the SCO
connected event will not be updated. And the call will be rejected due
to the timeout.
Issue 2, the SCO con object will be cleared when SLC is disconnecting
and the SCO connection has been established. It causes the SCO connect
object will be `NULL` in the SCO disconnected callback.
Add a new field `sco_conn` to keep the SCO connect object. Manage the
SCO connection via the field `ag->sco_conn`.
When creating the SCO connection, keep the created SCO connect object
to `ag->sco_conn`. And if the `ag->sco_chan.sco` is `NULL`, it means
the SCO connection has been established. Just update the call that
waiting for the SCO connected event directly.
Increase the `ref` of SCO connect object and pass to the field
`ag->sco_conn` if the `ag->sco_conn` is `NULL`.
Decrease the `ref` of SCO connect object if the `ag->sco_conn` is not
`NULL` when disconnect the SCO connection or process SCO disconnected
event.
Signed-off-by: Lyle Zhu <lyle.zhu@nxp.com>
Commit removes unused host hci custom functionality
that was moved to mesh by misinterpretation of it.
Signed-off-by: Aleksandr Khromykh <aleksandr.khromykh@nordicsemi.no>
- Issue: There is a bus-fault while accessing empty userdata structure
pointer if application does not include any include service
userdata instance (which consist of UUID list of included service)
but service array has defined dummy entry for it assumed to be
overridden by app during initial flow.
- For example, the issue has happened in case of tmap-central sample
without "CONFIG_BT_OTS" support. there are some MCS attributes
dependent on OTS service because of that
"BT_GATT_INCLUDE_SERVICE(NULL)" entry is added as part of service
definition. The given entry does not have userdata handler defined
and is expecting to be overriden by the app if it will be included.
During "bt_mcs_init()" call, "mcs.attrs[i].user_data" is not
populated with any attr-instance pointer. This makes CPU to access
null-address during reading local-database include-service attribute
which was not provided by the app but the include-service entry was
added to the db.
- Fix: Adding condition to check if user-data has null address, and
returning back to avoid any hard-faults.
Signed-off-by: Nirav Agrawal <nirav.agrawal@nxp.com>
The command buffer was incorrectly encoded due to the recent change to H:4
encoding. Instead of fixing the header offset, just use the newly
introduced bt_hci_cmd_alloc() API, since that takes care of correctly
encoding the command header when it gets sent.
Signed-off-by: Johan Hedberg <johan.hedberg@silabs.com>
Introduce a new bt_hci_cmd_alloc() API which only allocates a command
buffer and reserves sufficient headroom for H:4 and command headers, but
doesn't actually encode any of those headers into the buffer. Additionally,
modify bt_hci_cmd_send() and bt_hci_cmd_send_sync() so that they handle
such buffers and perform the header encoding correctly. To avoid
duplication, bt_hci_cmd_send_sync() now builds upon (i.e. calls internally)
the bt_hci_cmd_send() API.
Signed-off-by: Johan Hedberg <johan.hedberg@silabs.com>
Bluetooth 6.1 has version number 0x0F and was released in May 2025.
This commit ensures this version number is properly decoded.
Going forward we may consider removing printing the version
number as a string because the feature set is more important
than the version number.
Signed-off-by: Rubin Gerritsen <rubin.gerritsen@nordicsemi.no>
The bt_le_ext_adv_info struct has been extended to also
contain the advertising and periodic advertising states.
Additionally, the function verifies the input to avoid
NULL pointer access, and the addr field is more
properly documented.
Signed-off-by: Emil Gydesen <emil.gydesen@nordicsemi.no>
Core Specification 6.1 clarified exptected erro code in case peer
sending invalid Public Key. In case pairing is aborted during or
immediately after Public Key Exchange phase has completed (which is
the case here) expected reason code is set to "DHKey Check Failed".
This was affecting SM/CEN/KDU/BI-04-C and SM/PER/KDU/BI-04-C
qualification test cases.
Signed-off-by: Szymon Janc <szymon.janc@codecoup.pl>
The target variable is a `uint8_t`. It is not reasonable to pass a
value with `uint16_t` in little-endian format.
Remove `sys_cpu_to_le16`, and pass the value directly.
Signed-off-by: Lyle Zhu <lyle.zhu@nxp.com>
Updates the LE legacy pairing procedure as a result of errata ES-24491.
New part:
If the initiating device receives an LP_CONFIRM_R value that is equal to
the LP_CONFIRM_I value, the pairing process shall be aborted and fail
with "Confirm Value Failed" as reason.
Signed-off-by: Håvard Reierstad <haavard.reierstad@nordicsemi.no>
In the function `sdp_client_ss_search()` and
`sdp_client_ssa_search()`, the allocated buf is not released if the
required UUID is invalid.
Un-reference the allocated net buffer if the UUID is invalid.
Signed-off-by: Lyle Zhu <lyle.zhu@nxp.com>
The `session->param` should be updated to date whatever the function
`sdp_client_ssa_search()`, `sdp_client_sa_search()` or
`sdp_client_ss_search()` can be executed properly.
Update the `session->param` to the new `param` when executing the
function.
Fixes#91156
Signed-off-by: Lyle Zhu <lyle.zhu@nxp.com>
There is a potential issue that the index of ACL may out of the
bounds of the array `bt_hfp_hf_pool` if the array size is not aligned
with the array size of `acl_conns`.
To avoid the potential issue, check if the ACL conn index is less than
the array size of `bt_hfp_hf_pool` before accessing the array
`bt_hfp_hf_pool` with ACL conn index.
Fixes#91172
Signed-off-by: Lyle Zhu <lyle.zhu@nxp.com>
When there are br connections connected, find_key_in_use call
bt_conn_get_dst to get br connection's dst and bt_conn_get_dst return NULL,
then bt_keys_find_addr aseert because addr is NULL.
Signed-off-by: Mark Wang <yichang.wang@nxp.com>
- Remove memset on bt_l2cap_br_chan during SDP
disconnect to prevent overwriting resources
(e.g., rtx_work) still in use by L2CAP,
which handles channel cleanup itself.
- Delete unused partial_resp_queue to clean up code.
Signed-off-by: ZhongYao Luo <LuoZhongYao@gmail.com>
