Bluetooth: host: Invalid role used in finding connections

Directed advertising timeout was dropped in the host due to not being able to find a pending connection. Host used the role parameter from the error event parameters which has been earlier zero-ed out. Regression introduced in commit a0349689ff ("Bluetooth: host: Fix conn object assigned to wrong connection") Signed-off-by: Vinayak Kariappa Chettimada <vich@nordicsemi.no>
2020-02-01 07:59:19 +05:30 · 2020-02-01 07:59:19 +05:30 · 814654af80
commit 814654af80
parent a570be6e93
1 changed files with 32 additions and 17 deletions
--- a/subsys/bluetooth/host/hci_core.c
+++ b/subsys/bluetooth/host/hci_core.c
@ -1329,41 +1329,56 @@ static void enh_conn_complete(struct bt_hci_evt_le_enh_conn_complete *evt)

 	if (evt->status) {
 		/*
-		 * If there was an error we are only interested in pending
-		 * connection. There is no need to check ID address as
-		 * only one connection can be in that state.
-		 *
-		 * Depending on error code address might not be valid anyway.
+		 * Here we are only interested in pending connection.
 		 */
-		conn = find_pending_connect(evt->role, NULL);
-		if (!conn) {
-			return;
-		}
-
-		conn->err = evt->status;

 		if (IS_ENABLED(CONFIG_BT_PERIPHERAL) &&
-		    conn->err == BT_HCI_ERR_ADV_TIMEOUT) {
+		    evt->status == BT_HCI_ERR_ADV_TIMEOUT) {
 			/*
-			 * Handle advertising timeout after high duty directed
-			 * advertising.
+			 * Handle advertising timeout after high duty cycle
+			 * directed advertising.
 			 */

 			atomic_clear_bit(bt_dev.flags, BT_DEV_ADVERTISING);
+
+			/*
+			 * There is no need to check ID address as only one
+			 * connection in slave role can be in pending state.
+			 */
+			conn = find_pending_connect(BT_HCI_ROLE_SLAVE, NULL);
+			if (!conn) {
+				BT_ERR("No pending slave connection");
+				return;
+			}
+
+			conn->err = evt->status;
+
 			bt_conn_set_state(conn, BT_CONN_DISCONNECTED);
 			goto done;
 		}

 		if (IS_ENABLED(CONFIG_BT_CENTRAL) &&
-		    conn->err == BT_HCI_ERR_UNKNOWN_CONN_ID) {
+		    evt->status == BT_HCI_ERR_UNKNOWN_CONN_ID) {
+			/*
+			 * Handle create connection cancel.
+			 *
+			 * There is no need to check ID address as only one
+			 * connection in master role can be in pending state.
+			 */
+			conn = find_pending_connect(BT_HCI_ROLE_MASTER, NULL);
+			if (!conn) {
+				BT_ERR("No pending master connection");
+				return;
+			}
+
+			conn->err = evt->status;
+
 			le_conn_cancel_complete(conn);
 			goto done;
 		}

 		BT_WARN("Unexpected status 0x%02x", evt->status);

-		bt_conn_unref(conn);
-
 		return;
 	}