l2cap_data_pull hard fault on disconnect with queued tx data

denis 4 months ago

When using l2cap to stream data at a high rate from device to an app we are seeing a hard fault in l2cap_data_pull when there is queued l2cap send data.

When the fault occurs l2cap_data_pull, conn is in the disconnected state. It appears that the pdu->data pointer is 0. Then net_buf_push tries to adjust pdu->data which results in 0xfffffffc. Dereferencing that causes the hard fault:

hdr = net_buf_push(pdu, sizeof(*hdr));

hdr->len = sys_cpu_to_le16(pdu_len);

Using nRF Connect SDK 2.9.0 and nRF5340.

Should there be a check for conn status disconnected? Or for pdu->data == NULL? Or is this a race condition?

Parents

0 denis 4 months ago

If I add some checks to l2cap_data_pull then I don't see the hard fault:

struct net_buf *pdu = k_fifo_peek_head(&lechan->tx_queue);

// It seems there are items being taken from the fifo after the connection is closed. -denis

if (conn->state != BT_CONN_CONNECTED) {

return NULL;

}

if (pdu->data == NULL) {

return NULL;

}
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 denis 4 months ago

If I add some checks to l2cap_data_pull then I don't see the hard fault:

struct net_buf *pdu = k_fifo_peek_head(&lechan->tx_queue);

// It seems there are items being taken from the fifo after the connection is closed. -denis

if (conn->state != BT_CONN_CONNECTED) {

return NULL;

}

if (pdu->data == NULL) {

return NULL;

}
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

No Data