There is an issue that the SCO connect cannot be un-referenced by HFP
AG when the SCO connection is broken if the SCO connect is not created
by HFP AG.
Register SCO connect change callback. And un-reference the SCO connect
in SCO disconnected callback.
Signed-off-by: Lyle Zhu <lyle.zhu@nxp.com>
There are two issues found,
Issue 1, if the SCO connection has been established, the SCO connected
event will not be notified. Then the call that waiting for the SCO
connected event will not be updated. And the call will be rejected due
to the timeout.
Issue 2, the SCO con object will be cleared when SLC is disconnecting
and the SCO connection has been established. It causes the SCO connect
object will be `NULL` in the SCO disconnected callback.
Add a new field `sco_conn` to keep the SCO connect object. Manage the
SCO connection via the field `ag->sco_conn`.
When creating the SCO connection, keep the created SCO connect object
to `ag->sco_conn`. And if the `ag->sco_chan.sco` is `NULL`, it means
the SCO connection has been established. Just update the call that
waiting for the SCO connected event directly.
Increase the `ref` of SCO connect object and pass to the field
`ag->sco_conn` if the `ag->sco_conn` is `NULL`.
Decrease the `ref` of SCO connect object if the `ag->sco_conn` is not
`NULL` when disconnect the SCO connection or process SCO disconnected
event.
Signed-off-by: Lyle Zhu <lyle.zhu@nxp.com>
Commit removes unused host hci custom functionality
that was moved to mesh by misinterpretation of it.
Signed-off-by: Aleksandr Khromykh <aleksandr.khromykh@nordicsemi.no>
- Issue: There is a bus-fault while accessing empty userdata structure
pointer if application does not include any include service
userdata instance (which consist of UUID list of included service)
but service array has defined dummy entry for it assumed to be
overridden by app during initial flow.
- For example, the issue has happened in case of tmap-central sample
without "CONFIG_BT_OTS" support. there are some MCS attributes
dependent on OTS service because of that
"BT_GATT_INCLUDE_SERVICE(NULL)" entry is added as part of service
definition. The given entry does not have userdata handler defined
and is expecting to be overriden by the app if it will be included.
During "bt_mcs_init()" call, "mcs.attrs[i].user_data" is not
populated with any attr-instance pointer. This makes CPU to access
null-address during reading local-database include-service attribute
which was not provided by the app but the include-service entry was
added to the db.
- Fix: Adding condition to check if user-data has null address, and
returning back to avoid any hard-faults.
Signed-off-by: Nirav Agrawal <nirav.agrawal@nxp.com>
If the next ticker is too close then hop over it when
rescheduling a ticker with drift in slot window is used.
Signed-off-by: Vinayak Kariappa Chettimada <vich@nordicsemi.no>
The command buffer was incorrectly encoded due to the recent change to H:4
encoding. Instead of fixing the header offset, just use the newly
introduced bt_hci_cmd_alloc() API, since that takes care of correctly
encoding the command header when it gets sent.
Signed-off-by: Johan Hedberg <johan.hedberg@silabs.com>
Introduce a new bt_hci_cmd_alloc() API which only allocates a command
buffer and reserves sufficient headroom for H:4 and command headers, but
doesn't actually encode any of those headers into the buffer. Additionally,
modify bt_hci_cmd_send() and bt_hci_cmd_send_sync() so that they handle
such buffers and perform the header encoding correctly. To avoid
duplication, bt_hci_cmd_send_sync() now builds upon (i.e. calls internally)
the bt_hci_cmd_send() API.
Signed-off-by: Johan Hedberg <johan.hedberg@silabs.com>
Fix incorrect aux offset value in the aux pointer in the
primary advertising channel PDUs when using single timer
tIFS switching feature in nRF54Lx.
End time was not captured when only Tx follow by Tx happens
in the primary advertising channels. End time needs to be
always captured when using single timer so that elapsed
packet timer value is correctly accumulated, for use to
setup subsequent radio transmission or reception inside the
same radio event.
Relates to commit 373dc0db71 ("Bluetooth: Controller:
Single timer use Extended Advertising nRF54L support").
Signed-off-by: Vinayak Kariappa Chettimada <vich@nordicsemi.no>
Do not clear timer clear subscription until the radio event
is done. This is required for single timer switching when
periodic chains are to be received by LLL scheduling. Each
PDU in the train requires the timer to be cleared when the
parent PDU has been received such that reception of
auxiliary PDU's radio_tmr_start_us() can use the relative
offset since last PDU reception.
Signed-off-by: Vinayak Kariappa Chettimada <vich@nordicsemi.no>
Use defines for Transmit/Receive and Inter-frame spacing
related Radio End events. This will ease some spaghetti of
conditional compilations for single timer and direction
finding support.
Direction Finding is not yet supported when using single
timer software tIFS switching.
Signed-off-by: Vinayak Kariappa Chettimada <vich@nordicsemi.no>
Fixup commit 031a17c271 ("Bluetooth: Controller: Align
DDPI usage with nRF54L power domains").
Align DDPI usage with nRF54L series power domains and
available DDPI configurations.
Use indices below 4 when needing to bridge with GPIO,
use indices below 8 when needing to bridge with MCU domain
like CCM and AAR; and use indices above 7 to bridge with
Peripheral domain.
Signed-off-by: Vinayak Kariappa Chettimada <vich@nordicsemi.no>
HAL_SW_SWITCH_TIMER_CLEAR_PPI is same as
HAL_SW_SWITCH_GROUP_TASK_ENABLE_PPI, hence the single PPI
suffice being disabled.
Signed-off-by: Vinayak Kariappa Chettimada <vich@nordicsemi.no>
Bluetooth 6.1 has version number 0x0F and was released in May 2025.
This commit ensures this version number is properly decoded.
Going forward we may consider removing printing the version
number as a string because the feature set is more important
than the version number.
Signed-off-by: Rubin Gerritsen <rubin.gerritsen@nordicsemi.no>
The bt_le_ext_adv_info struct has been extended to also
contain the advertising and periodic advertising states.
Additionally, the function verifies the input to avoid
NULL pointer access, and the addr field is more
properly documented.
Signed-off-by: Emil Gydesen <emil.gydesen@nordicsemi.no>
Adds a new abstract struct for unicast group that is
specific for CAP. The difference between this and the BAP
unicast group, is that the parameters are CAP streams and
thus ensuring that the streams in the group adhere to the
additional requirements that CAP has on top of BAP.
This also adds foreach functions for both CAP and BAP
to allow users to iterate on the streams in the
abstract groups.
Various samples, modules and tests have been updated
to use the CAP struct and API.
Signed-off-by: Emil Gydesen <emil.gydesen@nordicsemi.no>
Core Specification 6.1 clarified exptected erro code in case peer
sending invalid Public Key. In case pairing is aborted during or
immediately after Public Key Exchange phase has completed (which is
the case here) expected reason code is set to "DHKey Check Failed".
This was affecting SM/CEN/KDU/BI-04-C and SM/PER/KDU/BI-04-C
qualification test cases.
Signed-off-by: Szymon Janc <szymon.janc@codecoup.pl>
Fix up the bus fault by not violating the MAXPACKETSIZE
value range of NRF_CCM h/w peripheral.
Fix up relates to commit 920117922b ("Bluetooth:
Controller: nRF53x: Fix NRF_CCM MAXPACKETSIZE value").
Signed-off-by: Vinayak Kariappa Chettimada <vich@nordicsemi.no>
Fix incorrect elapsed events value when LLL event prepare_cb
was invoked but was aborted before anchor point sync. This
caused premature supervision timeouts under applications
configured with CONFIG_BT_CTLR_EVENT_OVERHEAD_RESERVE_MAX=n
and CONFIG_BT_CTLR_PERIPHERAL_RESERVE_MAX=n.
Fixes commit 247037bd3e ("Bluetooth: Controller: Fix
incorrect elapsed events value").
Signed-off-by: Vinayak Kariappa Chettimada <vich@nordicsemi.no>
ticker_is_initialized() should only return true when the ticker is
running (triggered regularly). Users like nrf_flash_sync_is_required()
depend on this behavior.
When the bluetooth controller driver is closed, ll_deinit() calls
lll_deinit(), which stops the ticker from being triggered. Also
deinitialize the ticker to ensure that ticker_is_initialized() returns
false.
Signed-off-by: Marco Widmer <marco.widmer@bytesatwork.ch>
The target variable is a `uint8_t`. It is not reasonable to pass a
value with `uint16_t` in little-endian format.
Remove `sys_cpu_to_le16`, and pass the value directly.
Signed-off-by: Lyle Zhu <lyle.zhu@nxp.com>
When using Zero Latency IRQs do not invoke ISR_DIRECT_PM and
do not return to reschedule in the kernel.
Signed-off-by: Vinayak Kariappa Chettimada <vich@nordicsemi.no>
Updates the LE legacy pairing procedure as a result of errata ES-24491.
New part:
If the initiating device receives an LP_CONFIRM_R value that is equal to
the LP_CONFIRM_I value, the pairing process shall be aborted and fail
with "Confirm Value Failed" as reason.
Signed-off-by: Håvard Reierstad <haavard.reierstad@nordicsemi.no>
In the function `sdp_client_ss_search()` and
`sdp_client_ssa_search()`, the allocated buf is not released if the
required UUID is invalid.
Un-reference the allocated net buffer if the UUID is invalid.
Signed-off-by: Lyle Zhu <lyle.zhu@nxp.com>
Made a few complex functions simpler
Added missing default cases in switches
Fixes a bad cast that removed const
Moved loop iterators to inner loop
Signed-off-by: Emil Gydesen <emil.gydesen@nordicsemi.no>
Fixes a few bad casts that ignored const
Add a few missing final else statement
Refactored aics_discover_func to be less complex by
moving some parts of it into a new function.
Signed-off-by: Emil Gydesen <emil.gydesen@nordicsemi.no>
The `session->param` should be updated to date whatever the function
`sdp_client_ssa_search()`, `sdp_client_sa_search()` or
`sdp_client_ss_search()` can be executed properly.
Update the `session->param` to the new `param` when executing the
function.
Fixes#91156
Signed-off-by: Lyle Zhu <lyle.zhu@nxp.com>
There is a potential issue that the index of ACL may out of the
bounds of the array `bt_hfp_hf_pool` if the array size is not aligned
with the array size of `acl_conns`.
To avoid the potential issue, check if the ACL conn index is less than
the array size of `bt_hfp_hf_pool` before accessing the array
`bt_hfp_hf_pool` with ACL conn index.
Fixes#91172
Signed-off-by: Lyle Zhu <lyle.zhu@nxp.com>
When there are br connections connected, find_key_in_use call
bt_conn_get_dst to get br connection's dst and bt_conn_get_dst return NULL,
then bt_keys_find_addr aseert because addr is NULL.
Signed-off-by: Mark Wang <yichang.wang@nxp.com>
- Remove memset on bt_l2cap_br_chan during SDP
disconnect to prevent overwriting resources
(e.g., rtx_work) still in use by L2CAP,
which handles channel cleanup itself.
- Delete unused partial_resp_queue to clean up code.
Signed-off-by: ZhongYao Luo <LuoZhongYao@gmail.com>
If the received data length is less than 2 in none basic mode, the
L2CAP channel connection will be dropped.
Only check the received data length if the `SAR` is
`BT_L2CAP_CONTROL_SAR_START`.
Signed-off-by: Lyle Zhu <lyle.zhu@nxp.com>
