Assert fires when disconnecting while data is transmitted via L2CAP

Hi Torsten,

When inspecting the buffer that caused the assert, it turns out, that `len` and `size` have values that I would expect, while `data` and `__buf` are set to 0!:

Can you please elaborate on this. The assert triggered means that net_buf_simple_headroom(buf) was less than the len. If you think there should have been enough space in that buffer, then we need to investigate how the buffer got full or why this API gave wrong info. Could be stackoverflow symptoms?

Hi Susheel Nuguru ,

there was for sure enough headroom for the l2cap protocol, when the l2cap message was added to the queue (using `bt_l2cap_chan_send()`), as I'm able to send thousands of l2cap SDUs without problem.

The reason, why the calculation of the headroom results in 0 (and thus is small than len) is, because the headroom is defined to be the difference between `data` and `__buf`. As booth are 0 (which I think is most likely the reason for the failure), the difference and thus the headroom is 0.

The pool for all messages are statically allocated and as `data` and `__buf` are the first and the last member, I would rule out some accidental overwriting. I looked into the buffer library but also did not found any single function, that sets both pointer to zero.

As you can see from that call stack, the assert is triggered from a function that runs in a BLE stack internal thread. So there is hardly anything, I can do to prevent it.

thanks and best regards

Torsten

Hi Torsten,

I unfortunately don't have anything to add to the discussion. I'm writing just to let you know that Susheel has unfortunately been sick, but he will return next week and continue working on this. Our apologies for the inconvenience.

Best regards,

Hieu

Wow, Torsten, seems like you have done some solid debugging already, sorry to hear about the pain caused by the tools on Mac. I am using windows and the tools work ok.

I have not tried to reproduce this but it seems like theassertion failure occurs because the net_buf_simple_push() function in buf_simple.c is being called on an SDU that has already been marked as freed.

Before I dive into this, I need to able to reproduce this.

Unfortunately, I was not able to reproduce this with a small example. In `l2cap_data_pull`, at the beginning, the next PDU is pulled out of the transit queue, using `k_fifo_peek_head`, which leaves the PDU on the queue. Later in the same function, if `last_frag` and `last_seg`, `k_fifo_get` is used to actually remove the PDU from the queue. I've a PDU is returned but not removed from the queue, the trouble begins (same PDU is pulled twice from the queue. First time it was marked as freed, second time, the assert will fire).

So my last resort quick fix for our upcoming release will be, to change the function to use `k_fifo_get` also, when the connection state is indicating that the connection is closed. But I don't know if that has other side effects.

I understand your concern, the side effect might be that there could be a double freeing of PDU if you do this wrong. Consider using k_fifo_peek_head first not to affect the queue while enquiring stuff.

Hi Susheel Nuguru 

did you made any progress on this issue? Are you able to reproduce this?

best regards

Torsten

Hi Susheel Nuguru 

did you made any progress on this issue? Are you able to reproduce this?

best regards

Torsten

Torsten, Sorry no I did not try to reproduce this on my end.

Normal process is that we get a minimalistic project from the users who have issues so that we can spend our time in debugging and not constructing the project and its configuration. It happened so many times that we spend huge amount of times trying to get close to the user setup, but the time we spend on constructing the environment does not guarantee that we are still able to reproduce. Best is that you give a minimalistic project for me to reproduce and i can debug and take it to the dev team.

Hi Susheel,

OK, I was missing that information and that's why I also asked for unit tests. If there where unit tests, either that case could be covered by them, or it might be relatively easy to create a test for that case if similar tests already exists.

Anyway: I will put that as a TODO on our side and see, when we are able to work further on the reproducer.

best regards

Torsten

sounds like a plan Torsten.

Hi Susheel Nuguru ,

please find the reproducer here: https://github.com/TorstenRobitzki/l2cap_reproducer

It is bases on one of the official examples (GATT CGM). It accepts a L2CAP connection and once connected, tries to send as much 4KByte large SDU as possible.

There is a python script, that used a HCI controller on a nrf52 eval board, to connect to the reproducer.

Once, the HCI controller, is powered off, the connection times out and the L2CAP layer on the reproducer hits the assert.

Let me know, when you have further questions or need help with the setup.

best regards

Torsten

This bug-fix might fix the problem:

--- a/subsys/bluetooth/host/l2cap.c
+++ b/subsys/bluetooth/host/l2cap.c
@@ -959,8 +959,9 @@ struct net_buf *l2cap_data_pull(struct bt_conn *conn,
         * static channels don't have the concept of L2CAP segments.
         */
        bool last_seg = lechan->_pdu_remaining == pdu->len;
+       bool sdu_end = ( last_frag && last_seg ) || conn->state != BT_CONN_CONNECTED;
 
-       if (last_frag && last_seg) {
+       if (sdu_end) {
                LOG_DBG("last frag of last seg, dequeuing %p", pdu);
                __maybe_unused struct net_buf *b = k_fifo_get(&lechan->tx_queue, K_NO_WAIT);
 
@@ -968,7 +969,6 @@ struct net_buf *l2cap_data_pull(struct bt_conn *conn,
        }
 
        if (last_frag && L2CAP_LE_CID_IS_DYN(lechan->tx.cid)) {
-               bool sdu_end = last_frag && last_seg;
 
                LOG_DBG("adding %s callback", sdu_end ? "`sdu_sent`" : "NULL");
                /* No user callbacks for SDUs */