BUS FAULT (use-after-free) in att.c on disconnect - Precise data bus error

Hi, 

My central device is running into a bus fault when continuously sending data to multiple connected peripheral devices and any of the peripheral devices gets disconnected. The issue can be reproduced when only one or two devices are connected to the central.

The central is sending 20-byte data packets to each peripheral at an interval equal to the connection interval (188ms), and it can send up to 4 packets per connection event to every connected peripheral device.

Environment

  • nRF Connect SDK version: Found on v3.3.0, but reproduced identically on v3.3.1 as well
  • SoC: nRF52840

Connection parameter used between central and peripheral

  • Connection interval: 188ms
  • Slave latency: 0
  • Supervision timeout: 8000ms

Below are the error logs at the time of the fault:

[00:06:52.180,572] <err> os: ***** BUS FAULT *****
[00:06:52.180,969] <err> os: Precise data bus error
[00:06:52.181,365] <err> os: BFAR Address: 0x701315dd
[00:06:52.181,854] <err> os: r0/a1: 0x200287f4 r1/a2: 0x00000000 r2/a3: 0x00000000
[00:06:52.182,464] <err> os: r3/a4: 0x00000000 r12/ip: 0x2001a5dc r14/lr: 0x00043d4b
[00:06:52.183,074] <err> os: xpsr: 0x21000000
[00:06:52.183,502] <err> os: Faulting instruction address (r15/pc): 0x0006f022
[00:06:52.184,051] <err> os: >>> ZEPHYR FATAL ERROR 25: Unknown error on CPU 0
[00:06:52.184,600] <err> os: Current thread: 0x2000f748 (sysworkq)

I ran addr2line on zephyr.elf and found the following files:

arm-zephyr-eabi-addr2line -e zephyr.elf -f -C 0x0006f022
C:/ncs/v3.3.0/zephyr/include/zephyr/sys/slist.h:213

arm-zephyr-eabi-addr2line -e zephyr.elf -f -C 0x00043d4b
C:/ncs/v3.3.0/zephyr/subsys/bluetooth/host/att.c:775

To debug the issue, I enabled a few more debug logs and found out that the host is trying to send data even if the link is disconnected. At the application level, I am making sure that the app does not call bt_gatt_write_without_response_cb if the connection object is NULL or invalid. The connection object is set invalid when the disconnection event is received.

[00:03:20.082,092] <dbg> bt_conn: bt_conn_set_state: disconnect-complete <<-- disconnected
[00:03:20.082,122] <dbg> bt_conn: bt_conn_tx_processor: start
[00:03:20.082,153] <dbg> bt_conn: bt_conn_tx_processor: no connection wants to do stuff
[00:03:20.082,214] <dbg> bt_conn: tx_notify_process: conn 0x20007038
[00:03:20.082,275] <dbg> bt_conn: bt_conn_set_state: trigger disconnect work
[00:03:20.082,305] <dbg> bt_conn: bt_conn_unref: handle 6 ref 3 -> 2
[00:03:20.082,366] <dbg> bt_conn: deferred_work: conn 0x20007038
[00:03:20.082,427] <dbg> bt_att: bt_att_disconnected: chan 0x20028b64 cid 0x0004
[00:03:20.082,458] <dbg> bt_att: att_chan_detach: chan 0x20028b60
[00:03:20.082,580] <dbg> bt_att: bt_att_released: chan 0x20028b60 <<-- channel released here
[00:03:20.066,406] <dbg> bt_conn: bt_conn_unref: handle 21 ref 3 -> 2
[00:03:20.084,442] <inf> usbd_cdc_acm: tx_en: trigger irq_cb_work
[00:03:20.084,625] <dbg> bt_conn: bt_conn_unref: handle 6 ref 2 -> 1
[00:03:20.084,655] <dbg> bt_conn: bt_conn_unref: handle 6 ref 1 -> 0
[00:03:20.084,686] <dbg> bt_att: att_tx_destroy_work_handler: 0x20039288 
[00:03:20.084,716] <dbg> bt_att: att_on_sent_cb: opcode 0x52
[00:03:20.084,747] <dbg> bt_att: att_on_sent_cb: UATT bearer, calling bt_att_sent: conn 0x20028cc0 chan 0x20028b64
[00:03:20.084,777] <dbg> bt_att: bt_att_sent: chan 0x20028b60 <<-- Data sent on already released channel??
[00:03:20.084,808] <err> os: ***** BUS FAULT *****
[00:03:20.084,808] <err> os: Precise data bus error
[00:03:20.084,838] <err> os: BFAR Address: 0x8a1a9443
[00:03:20.084,869] <err> os: r0/a1: 0x00000000 r1/a2: 0x00000000 r2/a3: 0x00000000
[00:03:20.084,899] <err> os: r3/a4: 0x00000000 r12/ip: 0x00000010 r14/lr: 0x000715ad
[00:03:20.084,899] <err> os: xpsr: 0xa1000000
[00:03:20.084,930] <err> os: Faulting instruction address (r15/pc): 0x00047016
[00:03:20.084,960] <err> os: >>> ZEPHYR FATAL ERROR 25: Unknown error on CPU 0
[00:03:20.085,021] <err> os: Current thread: 0x2000faa0 (sysworkq)
[00:03:20.884,613] <err> os: Halting system

Would you please help me fix this issue?

Thanks,

Narendra
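The log above shows the shape of the problem: `bt_att_released` runs for chan 0x20028b60, and a moment later `bt_att_sent` runs for the same channel from the system work queue. The following is an added, constructed model of that ordering and of the usual defence against it (the in-flight PDU holds its own reference so the object cannot be released until the completion callback has run). It is not Zephyr's code and not the poster's; every type and function name (`att_chan`, `att_send`, `att_disconnected`, `att_sent_cb`) is hypothetical, and the `freed` flag stands in for memory that would really have been returned to the allocator.

```c
/* Constructed model (not Zephyr code) of a TX-complete callback that fires
 * after the ATT channel it refers to was released, and of the reference
 * counting pattern that keeps the channel alive until the callback is done. */
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-in for an ATT channel object. */
struct att_chan {
    int refs;          /* outstanding references, including in-flight PDUs */
    bool detached;     /* set on disconnect: no completion may act on the link */
    int tx_pending;    /* PDUs handed to the controller, not yet confirmed */
    int sent_handled;  /* completions that were accounted on a live link */
    bool freed;        /* model only: memory has been released */
};

static void chan_ref(struct att_chan *c) { c->refs++; }

/* Drop one reference; the object is released only when the last one goes. */
static void chan_unref(struct att_chan *c) {
    if (--c->refs == 0) {
        c->freed = true;   /* a real implementation would free() here */
    }
}

/* Queue one PDU. In the guarded variant the in-flight PDU owns a reference. */
static void att_send(struct att_chan *c, bool guarded) {
    c->tx_pending++;
    if (guarded) {
        chan_ref(c);
    }
}

/* Disconnect path: mark the channel detached and drop the link's reference.
 * Unguarded, this releases the channel while a PDU is still pending. */
static void att_disconnected(struct att_chan *c) {
    c->detached = true;
    chan_unref(c);
}

/* Controller reports the PDU as sent; runs later, from a work queue.
 * Returns true when it touched an already-released channel (the bug). */
static bool att_sent_cb(struct att_chan *c, bool guarded) {
    bool touched_freed = c->freed;
    if (!c->detached) {
        c->sent_handled++;   /* live link: account the completion normally */
    }
    c->tx_pending--;
    if (guarded) {
        chan_unref(c);       /* the PDU's reference goes last */
    }
    return touched_freed;
}

/* Ordering from the log: send, disconnect/release, then the sent callback.
 * Returns true if the callback ran on released memory. */
bool run_unguarded(void) {
    struct att_chan c = { .refs = 1 };
    att_send(&c, false);
    att_disconnected(&c);            /* refs 1 -> 0: released with a PDU pending */
    return att_sent_cb(&c, false);   /* use-after-free in a real system */
}

/* Same ordering with the in-flight PDU holding a reference.
 * Returns true if the channel stayed valid until the callback finished. */
bool run_guarded(void) {
    struct att_chan c = { .refs = 1 };
    att_send(&c, true);              /* refs 1 -> 2 */
    att_disconnected(&c);            /* refs 2 -> 1: detached but still allocated */
    bool uaf = att_sent_cb(&c, true);/* refs 1 -> 0: released only now */
    return !uaf && c.freed && c.tx_pending == 0 && c.sent_handled == 0;
}

int main(void) {
    printf("unguarded touched freed channel: %s\n", run_unguarded() ? "yes" : "no");
    printf("guarded kept channel alive:      %s\n", run_guarded() ? "yes" : "no");
    return 0;
}
```

The `detached` check in the callback matters as much as the reference: once the link is gone, a late completion should only release its resources and must not try to continue the transfer, which is the "host is still trying to send" symptom seen in the debug log.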
