From bdcec8418f3c92d9cc09cc71b52f5178e6db4f36 Mon Sep 17 00:00:00 2001
From: Vinayak Kariappa Chettimada
Date: Thu, 22 Aug 2019 09:44:53 +0530
Subject: [PATCH] Bluetooth: controller: split: Fix Tx FIFO, queue, and pool corruption

Fix the Tx FIFO, queue and pool corruption due to missing release of link object to Tx link pool and hence missing reset of the per connection initially allocated Tx link free pointer.

The bug caused Tx PDUs and associated memory to be lost leading to missing L2CAP segment transmissions. With lost control PDU buffers, ULL would stall processing Done events also leading to controller asserts.

Fixes #18546.

Signed-off-by: Vinayak Kariappa Chettimada
---
 subsys/bluetooth/controller/ll_sw/ull_adv.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/subsys/bluetooth/controller/ll_sw/ull_adv.c b/subsys/bluetooth/controller/ll_sw/ull_adv.c
index 50879d7035e..24f9676d4d2 100644
--- a/subsys/bluetooth/controller/ll_sw/ull_adv.c
+++ b/subsys/bluetooth/controller/ll_sw/ull_adv.c
@@ -1155,8 +1155,17 @@ static void disabled_cb(void *param)
 static inline void conn_release(struct ll_adv_set *adv)
 {
- ll_conn_release(adv->lll.conn->hdr.parent);
+ struct lll_conn *lll = adv->lll.conn;
+ memq_link_t *link;
+
+ LL_ASSERT(!lll->link_tx_free);
+ link = memq_deinit(&lll->memq_tx.head, &lll->memq_tx.tail);
+ LL_ASSERT(link);
+ lll->link_tx_free = link;
+
+ ll_conn_release(lll->hdr.parent);
  adv->lll.conn = NULL;
+ ll_rx_release(adv->node_rx_cc_free);
  adv->node_rx_cc_free = NULL;
  ll_rx_link_release(adv->link_cc_free);