With CONFIG_BT_MAX_CONN=1, restarting connectable advertising from
the bt_conn_cb.disconnected callback fails with -ENOMEM because the
BLE host still holds a connection reference at that point. The
connection slot is only guaranteed free when bt_conn_cb.recycled fires.
Two code paths in gatt_disconnected() called bt_mesh_adv_gatt_update()
indirectly, triggering bt_le_ext_adv_start() before the connection
slot was freed:
- pb_gatt_srv: on the provisioned path, bt_mesh_pb_gatt_srv_disable()
  was called, which internally triggers bt_mesh_adv_gatt_update().
- proxy_srv: when the proxy service was not yet registered upon
  disconnect, bt_mesh_proxy_gatt_enable() was called, which also
  triggers bt_mesh_adv_gatt_update().
Extract prov_gatt_service_unregister() and proxy_gatt_service_register()
as private helpers that perform only the GATT service operation without
triggering advertising. Have gatt_disconnected() call these helpers
and set adv_restart_pending = true in all branches, so conn_recycled()
safely handles the advertising restart after the connection is freed.
Assisted-by: GitHub Copilot:Claude Sonnet 4.6
Signed-off-by: Aleksandr Khromykh <aleksandr.khromykh@nordicsemi.no>
When a PB-GATT or GATT Proxy connection disconnects on a device with
CONFIG_BT_MAX_CONN=1, the mesh stack attempts to restart connectable
advertising from the disconnected callback. This fails with -ENOMEM
because the BLE host still holds a reference to the connection object
at that point, and bt_le_ext_adv_start() cannot pre-allocate a new
connection slot.
Fix this by using the bt_conn_cb.recycled callback to trigger
advertising restart. The recycled callback fires only after the
connection object is fully released, guaranteeing a free slot is
available for connectable advertising.
Remove bt_mesh_adv_gatt_update() from bt_mesh_proxy_role_cleanup()
and instead set an adv_restart_pending flag in the disconnected
handler. The recycled callback checks this flag to avoid unnecessary
advertising restart attempts from unrelated disconnections.
Assisted-by: Claude:claude-opus-4.6
Signed-off-by: Aleksandr Khromykh <aleksandr.khromykh@nordicsemi.no>
In `l2cap_br_conf_req()` and `l2cap_br_conf_rsp()`, `buf->len` is used
to validate the minimum packet size. However, `buf->len` may exceed the
actual command data length (the `len` parameter from the L2CAP
signaling header), as the buffer can contain data beyond the current
command.
When the command data length `len` is smaller than the minimum packet
size, but `buf->len` is not less than the minimum packet size, the
validation passes incorrectly. Subsequently, when calculating `opt_len`
(`len - sizeof(*req)`), an underflow occurs due to the value of type
`uint16_t`, resulting in an out-of-bounds buffer access issue.
Fix by validating against the `len` parameter instead of `buf->len` in
both `l2cap_br_conf_req()` and `l2cap_br_conf_rsp()`, since `len`
reflects the actual command data length.
Signed-off-by: Lyle Zhu <lyle.zhu@nxp.com>
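The mismatch described in this commit, as an added example in plain C (not Zephyr's code): a signaling command whose header length `len` is shorter than the fixed part of the request, sitting in a buffer that also holds the next command so that `buf->len` still looks big enough. The struct and helper names (`sim_buf`, `conf_req_opt_len_buggy`, `conf_req_opt_len_fixed`) and the sample payload are assumptions made for this illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the length check in l2cap_br_conf_req(). Struct
 * and helper names are assumptions for illustration, not Zephyr's code. */
struct sim_buf {
	const uint8_t *data;
	uint16_t len;	/* bytes left in the ACL payload; may span several commands */
};

struct conf_req {
	uint16_t dcid;
	uint16_t flags;
	/* configuration options follow */
} __attribute__((packed));

/* Buggy variant: the minimum size is validated against buf->len, but
 * opt_len is derived from the signaling-header length 'len'. */
static int conf_req_opt_len_buggy(const struct sim_buf *buf, uint16_t len,
				  uint16_t *opt_len)
{
	if (buf->len < sizeof(struct conf_req)) {
		return -EINVAL;
	}
	/* With len < 4 this wraps: the subtraction is unsigned, so 2 - 4 becomes 0xFFFE. */
	*opt_len = (uint16_t)(len - sizeof(struct conf_req));
	return 0;
}

/* Fixed variant: validate the command length from the signaling header,
 * and make sure the buffer actually holds that many bytes. */
static int conf_req_opt_len_fixed(const struct sim_buf *buf, uint16_t len,
				  uint16_t *opt_len)
{
	if (len < sizeof(struct conf_req) || buf->len < len) {
		return -EINVAL;
	}
	*opt_len = (uint16_t)(len - sizeof(struct conf_req));
	return 0;
}

/* Would walking opt_len option bytes read past the data actually present? */
static bool option_walk_overruns(const struct sim_buf *buf, uint16_t opt_len)
{
	size_t avail = buf->len > sizeof(struct conf_req) ?
		       buf->len - sizeof(struct conf_req) : 0;
	return opt_len > avail;
}

/* Constructed sample payload: a Configuration Request whose signaling
 * header says len = 2 (truncated), followed by six bytes of the next
 * command in the same buffer. buf->len is 8, so the buggy check passes. */
static const uint8_t sample_payload[8] = {
	0x40, 0x00,				/* the two bytes that belong to this command */
	0x05, 0x02, 0x04, 0x00, 0x40, 0x00,	/* start of the following command */
};

static int demo_buggy_opt_len(void)
{
	struct sim_buf buf = { sample_payload, sizeof(sample_payload) };
	uint16_t opt_len = 0;

	if (conf_req_opt_len_buggy(&buf, 2, &opt_len) != 0) {
		return -1;
	}
	return opt_len;
}

static bool demo_buggy_overruns(void)
{
	struct sim_buf buf = { sample_payload, sizeof(sample_payload) };
	uint16_t opt_len = 0;

	(void)conf_req_opt_len_buggy(&buf, 2, &opt_len);
	return option_walk_overruns(&buf, opt_len);
}

static int demo_fixed_rejects(void)
{
	struct sim_buf buf = { sample_payload, sizeof(sample_payload) };
	uint16_t opt_len = 0;

	return conf_req_opt_len_fixed(&buf, 2, &opt_len);
}

/* A well-formed request (len = 8: 4-byte header + 4 option bytes). */
static int demo_fixed_accepts(void)
{
	struct sim_buf buf = { sample_payload, sizeof(sample_payload) };
	uint16_t opt_len = 0;

	if (conf_req_opt_len_fixed(&buf, 8, &opt_len) != 0) {
		return -1;
	}
	return opt_len;
}

int main(void)
{
	printf("buggy: opt_len=%d overruns=%d\n", demo_buggy_opt_len(), demo_buggy_overruns());
	printf("fixed: truncated=%d, well-formed opt_len=%d\n", demo_fixed_rejects(), demo_fixed_accepts());
	return 0;
}
```

The second condition in the fixed variant (`buf->len < len`) is the companion check a reviewer would ask for: `len` is attacker-controlled too, so trusting it without confirming the buffer really holds that many bytes just moves the over-read to the other side.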
When sc=0, a framed ISO PDU segment header includes a 3-byte time_offset
field, so seg_hdr->len must be at least PDU_ISO_SEG_TIMEOFFSET_SIZE.
isoal_check_seg_header() accepted segments with sc=0 and len<3 as valid,
allowing isoal_rx_framed_consume() to underflow, causing an
out-of-bounds read of up to 255 bytes of adjacent memory into an HCI ISO
packet delivered to the host.
Signed-off-by: Flavio Ceolin <flavio@hubblenetwork.com>
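The segment-header check from this commit, as an added example in plain C rather than the Zephyr controller's code: the flag-dependent minimum (a start segment must carry the 3-byte TimeOffset) is what the original validation lacked, and the simulated consume step shows the wrapped length that results. The `seg_hdr` layout, the `consume()` helper, the return codes and the sample PDUs are assumptions for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the framed ISO segment header check; names are
 * assumptions, not the Zephyr controller's code. */
#define SEG_HDR_SIZE        2
#define SEG_TIMEOFFSET_SIZE 3		/* PDU_ISO_SEG_TIMEOFFSET_SIZE in the text */
#define SEG_SC_BIT          0x01	/* SC=0: start segment, carries TimeOffset */
#define SEG_CMPLT_BIT       0x02

struct seg_hdr {
	uint8_t flags;	/* bit 0 SC, bit 1 CMPLT */
	uint8_t len;	/* bytes after the header, TimeOffset included when SC=0 */
};

static bool seg_is_start(const struct seg_hdr *h)
{
	return (h->flags & SEG_SC_BIT) == 0;
}

/* Before the fix: only the total length is checked against the PDU. */
static bool seg_hdr_valid_buggy(const struct seg_hdr *h, size_t remaining)
{
	return h->len <= remaining;
}

/* After the fix: a start segment must at least carry the 3-byte TimeOffset. */
static bool seg_hdr_valid_fixed(const struct seg_hdr *h, size_t remaining)
{
	if (h->len > remaining) {
		return false;
	}
	if (seg_is_start(h) && h->len < SEG_TIMEOFFSET_SIZE) {
		return false;
	}
	return true;
}

/* SDU byte count the consume step derives from the header. uint8_t
 * arithmetic wraps: SC=0 with len=1 yields 254 instead of failing. */
static uint8_t seg_sdu_len(const struct seg_hdr *h)
{
	uint8_t len = h->len;

	if (seg_is_start(h)) {
		len -= SEG_TIMEOFFSET_SIZE;
	}
	return len;
}

/* Simulated consume: copies SDU bytes from the PDU into an HCI ISO packet.
 * Returns bytes copied, -1 if the header is rejected, or -2 if the copy
 * would read past the PDU (the out-of-bounds read described above; the
 * simulation stops there instead of actually reading). */
static int consume(const uint8_t *pdu, size_t pdu_len, bool fixed,
		   uint8_t *out, size_t out_cap)
{
	if (pdu_len < SEG_HDR_SIZE) {
		return -1;
	}
	struct seg_hdr h = { pdu[0], pdu[1] };
	size_t remaining = pdu_len - SEG_HDR_SIZE;
	bool ok = fixed ? seg_hdr_valid_fixed(&h, remaining)
			: seg_hdr_valid_buggy(&h, remaining);
	if (!ok) {
		return -1;
	}
	size_t skip = seg_is_start(&h) ? SEG_TIMEOFFSET_SIZE : 0;
	uint8_t sdu_len = seg_sdu_len(&h);

	if (skip + sdu_len > remaining || sdu_len > out_cap) {
		return -2;
	}
	memcpy(out, pdu + SEG_HDR_SIZE + skip, sdu_len);
	return sdu_len;
}

/* Constructed PDUs. good: SC=0, CMPLT=1, len=7 -> 3-byte TimeOffset + 4 SDU bytes.
 * cont: SC=1, len=2 -> 2 SDU bytes, no TimeOffset.
 * bad:  SC=0, len=1 -> header claims one byte, less than the TimeOffset. */
static const uint8_t pdu_good[] = { 0x02, 0x07, 0x10, 0x20, 0x30, 0xA1, 0xA2, 0xA3, 0xA4 };
static const uint8_t pdu_cont[] = { 0x01, 0x02, 0xB1, 0xB2 };
static const uint8_t pdu_bad[]  = { 0x02, 0x01, 0x10 };

static int demo(const uint8_t *pdu, size_t len, bool fixed)
{
	uint8_t out[255];

	return consume(pdu, len, fixed, out, sizeof(out));
}

/* The wrapped SDU length the buggy path derives from the bad header. */
static unsigned int demo_bad_derived_len(void)
{
	struct seg_hdr h = { pdu_bad[0], pdu_bad[1] };

	return seg_sdu_len(&h);
}

int main(void)
{
	printf("good: %d, cont: %d\n", demo(pdu_good, sizeof(pdu_good), true),
	       demo(pdu_cont, sizeof(pdu_cont), true));
	printf("bad: buggy=%d fixed=%d (derived sdu_len=%u)\n",
	       demo(pdu_bad, sizeof(pdu_bad), false), demo(pdu_bad, sizeof(pdu_bad), true),
	       demo_bad_derived_len());
	return 0;
}
```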
In prov_msg_recv(), the protocol timer was reset unconditionally at
the top of the function, before the FCS check and before the
ADV_LINK_INVALID check. When the link has been marked invalid (e.g.
after a provisioning failure), any incoming PB-ADV packet with a
passing FCS would still reset the timer, preventing
protocol_timeout() from firing and closing the link via
prov_link_close().
Move k_work_reschedule() to after the ADV_LINK_INVALID check so the
timer is only reset for valid PDUs on an active, non-failed link.
Move the FCS check before the timer reset for the same reason.
Once ADV_LINK_INVALID is set the protocol timer is no longer
extended by incoming packets, and the link is closed by
protocol_timeout() as intended, after which the unprovisioned
device beacon and PB-ADV link acceptance are restored.
Signed-off-by: Aleksandr Khromykh <aleksandr.khromykh@nordicsemi.no>
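The ordering problem in this commit, as an added example (constructed for this page, not the mesh stack's code): a simulated link that was marked invalid keeps receiving FCS-valid PDUs, and only the reordered receive path lets the protocol timer expire. The `prov_link` struct, the XOR stand-in for the FCS, the 60 s timeout and the packet cadence are all assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the prov_msg_recv() ordering. Names, the stand-in
 * FCS and the timing values are assumptions, not the mesh code. */
#define PROTOCOL_TIMEOUT_MS 60000

struct prov_link {
	bool invalid;		/* ADV_LINK_INVALID equivalent */
	uint32_t deadline;	/* when protocol_timeout() fires */
	unsigned int accepted;	/* PDUs handed to the provisioning logic */
	bool closed;
};

/* Stand-in FCS: XOR of payload bytes carried as the last byte. Not the
 * PB-ADV FCS polynomial; enough to show the ordering. */
static bool fcs_ok(const uint8_t *pkt, size_t len)
{
	uint8_t acc = 0;

	if (len < 2) {
		return false;
	}
	for (size_t i = 0; i < len - 1; i++) {
		acc ^= pkt[i];
	}
	return acc == pkt[len - 1];
}

static void protocol_timeout(struct prov_link *l, uint32_t now)
{
	if (now >= l->deadline) {
		l->closed = true;	/* prov_link_close() equivalent */
	}
}

/* Before: the timer reset happens first, so any FCS-valid packet on an
 * invalid link keeps pushing the deadline out. */
static int prov_msg_recv_buggy(struct prov_link *l, const uint8_t *pkt, size_t len, uint32_t now)
{
	l->deadline = now + PROTOCOL_TIMEOUT_MS;	/* k_work_reschedule() */
	if (!fcs_ok(pkt, len)) {
		return -1;
	}
	if (l->invalid) {
		return -2;
	}
	l->accepted++;
	return 0;
}

/* After: FCS check, then ADV_LINK_INVALID check, then the timer reset. */
static int prov_msg_recv_fixed(struct prov_link *l, const uint8_t *pkt, size_t len, uint32_t now)
{
	if (!fcs_ok(pkt, len)) {
		return -1;
	}
	if (l->invalid) {
		return -2;
	}
	l->deadline = now + PROTOCOL_TIMEOUT_MS;
	l->accepted++;
	return 0;
}

/* Scenario: the link was marked invalid at t=0 with the timer due at 60 s,
 * and the peer keeps sending FCS-valid PDUs every 10 s for two minutes.
 * Returns the time (ms) at which the link is closed, or -1 if it never is. */
static int32_t simulate_failed_link(bool fixed)
{
	struct prov_link l = { .invalid = true, .deadline = PROTOCOL_TIMEOUT_MS };
	const uint8_t pdu[] = { 0x03, 0x00, 0x07, 0x04 };	/* valid under the stand-in FCS */

	for (uint32_t t = 10000; t <= 120000; t += 10000) {
		protocol_timeout(&l, t);
		if (l.closed) {
			return (int32_t)t;
		}
		if (fixed) {
			prov_msg_recv_fixed(&l, pdu, sizeof(pdu), t);
		} else {
			prov_msg_recv_buggy(&l, pdu, sizeof(pdu), t);
		}
	}
	return -1;
}

/* On a healthy link, a packet failing the FCS must not extend the timer either. */
static bool bad_fcs_extends_timer(bool fixed)
{
	struct prov_link l = { .deadline = PROTOCOL_TIMEOUT_MS };
	const uint8_t corrupt[] = { 0x03, 0x00, 0x07, 0xFF };

	if (fixed) {
		prov_msg_recv_fixed(&l, corrupt, sizeof(corrupt), 30000);
	} else {
		prov_msg_recv_buggy(&l, corrupt, sizeof(corrupt), 30000);
	}
	return l.deadline != PROTOCOL_TIMEOUT_MS;
}

int main(void)
{
	printf("failed link closed at: buggy=%d fixed=%d\n",
	       simulate_failed_link(false), simulate_failed_link(true));
	printf("bad FCS extends timer: buggy=%d fixed=%d\n",
	       bad_fcs_extends_timer(false), bad_fcs_extends_timer(true));
	return 0;
}
```

The practical consequence of the old ordering is that an unauthenticated peer could keep a failed link open indefinitely by transmitting well-formed but otherwise meaningless PDUs, which also kept the unprovisioned beacon suppressed.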
Since commit 37717b229f ("sys: util: rename Z_MIN Z_MAX Z_CLAMP to min
max and clamp"), <zephyr/sys/util.h> unconditionally defines function-
like macros named `min`, `max`, and `clamp` in the global namespace (in
C mode). util.h gets pulled in transitively by very broad headers,
including the POSIX layer's <pthread.h>, so any third-party C code that
uses these names as ordinary identifiers (e.g. XNNPACK's static `clamp`
helper and its public `clamp` struct field) fails to build as soon as
<pthread.h> is included.
Following the approach used by Linux, move the lowercase `min`, `max`,
`min3`, `max3`, and `clamp` macros (and their helpers) into a new
<zephyr/sys/minmax.h> header that has to be included explicitly by
source files that want them. util.h keeps the uppercase MIN/MAX/CLAMP,
so most code is unaffected; only the (much smaller) set of files that
actually use the lowercase variants needs to pick up the new include.
Fixes #107853.
Signed-off-by: Nicolas Pitre <npitre@baylibre.com>
When the reception stopped callback was called, we should
call bt_cap_handover_broadcast_reception_stopped and not
cap_handover_broadcast_audio_stopped, as we need to stop the
broadcast as a result of it, and not just delete it.
Signed-off-by: Emil Gydesen <emil.gydesen@nordicsemi.no>
Fix expressions where increment or decrement operators are combined
with other side effects in the same full expression, violating
MISRA-C Rule 13.3.
Separate the increment and decrement operations into standalone
statements to ensure each full expression contains at most one
side effect.
Assisted-by: GitHub Copilot
Signed-off-by: Emil Gydesen <emil.gydesen@nordicsemi.no>
Add missing error checks for any function calls in the
affected files, as that is required by the Zephyr coding guidelines.
The call to bt_ots_client_register in mcc.c was moved to
avoid calling it multiple times, causing it to fail if
bt_mcc_discover_mcs was called more than once.
Assisted-by: Copilot:claude-sonnet-4.6
Signed-off-by: Emil Gydesen <emil.gydesen@nordicsemi.no>
Add a LOG_DBG for all aborts so that it is easier
to determine the exact reason for an aborted CAP
procedure.
Signed-off-by: Emil Gydesen <emil.gydesen@nordicsemi.no>
Minor change to valid_unicast_to_broadcast_metadata to break
the loop earlier if the unique_metadata_cnt is already too
large.
Signed-off-by: Emil Gydesen <emil.gydesen@nordicsemi.no>
bt_avdtp_parse_capability_codec() returns immediately after parsing the
Media Codec service category, skipping any subsequent service categories
in the capability list. This causes the Delay Reporting service category
(0x08) to be missed when it appears after the Media Codec in a Set
Configuration command.
Fix by replacing 'return 0' with 'break' so the while loop continues
to parse remaining service categories. Also update the final return to
check whether a codec was actually found.
Signed-off-by: Zihao Gao <gaozihao@xiaomi.com>
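The capability walk from this commit, as an added example in plain C (not Zephyr's `bt_avdtp_parse_capability_codec()`): a category/length/payload list parsed once with the early `return 0` and once with `break`, on a constructed Set Configuration payload that places Delay Reporting after the Media Codec. The service category values are the AVDTP assigned ones; the `sep_caps` struct, `parse_capabilities()` and the sample bytes are assumptions for this illustration, and the example also includes the truncation check a parser of this shape needs.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the capability walk. Category values are the AVDTP
 * assigned ones; struct and function names are assumptions, not Zephyr's code. */
#define AVDTP_SC_MEDIA_TRANSPORT 0x01
#define AVDTP_SC_MEDIA_CODEC     0x07
#define AVDTP_SC_DELAY_REPORTING 0x08

struct sep_caps {
	bool media_transport;
	bool codec_found;
	uint8_t media_type;	/* upper nibble of the first codec byte */
	uint8_t codec_type;
	bool delay_reporting;
};

/* Each service category is: category (1), length (1), payload (length). */
static int parse_capabilities(const uint8_t *p, size_t len, bool fixed, struct sep_caps *out)
{
	memset(out, 0, sizeof(*out));

	while (len >= 2) {
		uint8_t cat = p[0];
		uint8_t clen = p[1];

		if (clen > len - 2) {
			return -EINVAL;	/* category runs past the buffer */
		}
		switch (cat) {
		case AVDTP_SC_MEDIA_TRANSPORT:
			out->media_transport = true;
			break;
		case AVDTP_SC_MEDIA_CODEC:
			if (clen < 2) {
				return -EINVAL;
			}
			out->codec_found = true;
			out->media_type = p[2] >> 4;
			out->codec_type = p[3];
			if (!fixed) {
				return 0;	/* the bug: later categories are never seen */
			}
			break;			/* the fix: keep walking */
		case AVDTP_SC_DELAY_REPORTING:
			out->delay_reporting = true;
			break;
		default:
			break;			/* unknown categories are skipped, not rejected */
		}
		p += 2 + clen;
		len -= 2 + clen;
	}
	/* The fix also made the final return depend on a codec having been found. */
	return out->codec_found ? 0 : -ENOENT;
}

/* Constructed capability list: Media Transport, then a Media Codec (media
 * type audio 0x00, codec type 0x02, four constructed codec bytes), then
 * Delay Reporting last, which is the order that hit the bug. */
static const uint8_t sample_caps[] = {
	AVDTP_SC_MEDIA_TRANSPORT, 0x00,
	AVDTP_SC_MEDIA_CODEC, 0x06, 0x00, 0x02, 0x3F, 0xFF, 0x02, 0x35,
	AVDTP_SC_DELAY_REPORTING, 0x00,
};

static bool demo_delay_reporting_seen(bool fixed)
{
	struct sep_caps caps;

	if (parse_capabilities(sample_caps, sizeof(sample_caps), fixed, &caps) != 0) {
		return false;
	}
	return caps.delay_reporting;
}

static int demo_codec_type(void)
{
	struct sep_caps caps;

	if (parse_capabilities(sample_caps, sizeof(sample_caps), true, &caps) != 0) {
		return -1;
	}
	return caps.codec_type;
}

/* A list without any Media Codec category is rejected by the final return. */
static int demo_no_codec(void)
{
	static const uint8_t only_transport[] = { AVDTP_SC_MEDIA_TRANSPORT, 0x00 };
	struct sep_caps caps;

	return parse_capabilities(only_transport, sizeof(only_transport), true, &caps);
}

/* A Media Codec category claiming more bytes than remain must not be walked. */
static int demo_truncated(void)
{
	static const uint8_t truncated[] = { AVDTP_SC_MEDIA_CODEC, 0x06, 0x00, 0x02 };
	struct sep_caps caps;

	return parse_capabilities(truncated, sizeof(truncated), true, &caps);
}

int main(void)
{
	printf("delay reporting seen: buggy=%d fixed=%d\n",
	       demo_delay_reporting_seen(false), demo_delay_reporting_seen(true));
	printf("codec=%d no_codec=%d truncated=%d\n",
	       demo_codec_type(), demo_no_codec(), demo_truncated());
	return 0;
}
```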
Update the documentation for the uncast_x_complete callbacks
so that applications can better determine what `err` might be
and act according to the error.
It also makes the disconnect callback more unique, as well
as treating control point write rejects different from
invalid state changes.
Signed-off-by: Emil Gydesen <emil.gydesen@nordicsemi.no>
The characteristic name and definitions in the TBS spec for
the values are "optional opcodes" instead of "support features".
Additionally, the field is 16-bit, instead of the current 8-bit
in the register parameters.
Signed-off-by: Emil Gydesen <emil.gydesen@nordicsemi.no>
It doesn't really serve a purpose since the addition of
CONFIG_PSA_CRYPTO.
Replace remaining uses of the former by the latter.
TF-M now implies CONFIG_PSA_CRYPTO the same way as
CONFIG_MBEDTLS because otherwise we get build failures
if we build Mbed TLS without CONFIG_PSA_CRYPTO enabled.
Hopefully we can remove these two in a later PR.
Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
Fix missing static const qualifier on the version number
look up array declaration.
Without this fix, str was an automatic array inside
bt_hci_get_ver_str(), consuming stack on each call.
Signed-off-by: Vinayak Kariappa Chettimada <vich@nordicsemi.no>
Add shell support for the bt_conn_br_change_packet_type() API:
- Add 'br change-packet-type <hex>' shell command to allow
changing ACL packet types on an established BR/EDR connection.
- Add br_packet_type_changed callback to print the
HCI_Connection_Packet_Type_Changed event result.
- Register the callback in conn_callbacks.
This addresses the review feedback requesting shell/test support
for the change connection packet type feature.
Signed-off-by: Kai Cheng <chengkai@xiaomi.com>
Add bt_conn_br_change_packet_type() API to dynamically change the
allowed packet types for an established BR/EDR connection. This
enables throughput optimization by selecting appropriate packet
types (DM/DH 1/3/5 slots) based on application requirements.
Signed-off-by: Kai Cheng <chengkai@xiaomi.com>
Introduce BT_RFCOMM_OVERHEAD_SIZE macro to calculate the RFCOMM frame
overhead, which includes the maximum header size, FCS size, and
credits size.
This refactoring:
- Defines BT_RFCOMM_CREDITS_SIZE (1 byte) as a public constant
- Consolidates overhead calculation in a single macro
- Updates all MTU calculations to use BT_RFCOMM_OVERHEAD_SIZE
- Removes redundant credits size adjustment in rfcomm_dlc_connected()
since the overhead is now accounted for upfront in session MTU
calculation
- Simplifies code in GOEP by using the new macro instead of manual
header size calculations
- Changes the range of BT_GOEP_RFCOMM_MTU to [265, BT_RFCOMM_L2CAP_MTU]
The change ensures consistent MTU calculations across RFCOMM and
dependent profiles (HFP, GOEP) and accounts for the credits field in
CFC-supported scenarios from the start.
Signed-off-by: Lyle Zhu <lyle.zhu@nxp.com>
Since the Broadcast Assistant implementation may have a
pending request _per_ instance, each instance needs its own
buffer to accommodate that, otherwise we may risk overwriting
data between instances. This follows the design used in the
BAP Unicast Client
Signed-off-by: Emil Gydesen <emil.gydesen@nordicsemi.no>
The wr_chunk function had a fast path for devices without explicit erase
(e.g. nRF54L RRAM) that wrote chunk data directly without aligning the
offset or size to the flash write block size. On RRAM with
write-block-size=16, this caused -EINVAL from the flash driver for every
chunk write since chunk_size (161) and most chunk offsets are not
16-byte aligned.
The failed writes caused the BLOB server to never mark chunks as
received, resulting in block_status_rsp always reporting all chunks
missing. This led to infinite retransmission of block 0 and eventual
DFU timeout.
Fix by using a read-modify-write approach for non-erase devices:
read existing data at the aligned boundaries, overlay the chunk data,
and write back the full aligned buffer. This satisfies the driver's
alignment requirements while preserving neighboring bytes.
Signed-off-by: Aleksandr Khromykh <aleksandr.khromykh@nordicsemi.no>
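The read-modify-write from this commit, as an added example in plain C (not the mesh BLOB server's `wr_chunk`): a tiny in-memory flash that, like the RRAM driver, rejects writes that are not write-block aligned; the direct path fails on a 161-byte chunk at offset 161, and the aligned RMW path succeeds while leaving the bytes around the chunk untouched. The flash model, `wr_chunk_direct()`, `wr_chunk_rmw()` and the fill patterns are assumptions for this illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the BLOB server chunk write. An in-memory "flash"
 * stands in for the RRAM driver; names are assumptions, not Zephyr's code. */
#define FLASH_SIZE   1024
#define WRITE_BLOCK  16		/* write-block-size of the RRAM in the text */
#define CHUNK_SIZE   161	/* BLOB chunk size from the text */

static uint8_t flash[FLASH_SIZE];

#define ALIGN_DOWN(x, a) ((x) & ~((size_t)(a) - 1))
#define ALIGN_UP(x, a)   ALIGN_DOWN((x) + (size_t)(a) - 1, a)

static int flash_read(size_t off, uint8_t *dst, size_t len)
{
	if (off + len > FLASH_SIZE) {
		return -EINVAL;
	}
	memcpy(dst, flash + off, len);
	return 0;
}

/* Like the real driver, reject writes that are not block aligned. */
static int flash_write(size_t off, const uint8_t *src, size_t len)
{
	if (off % WRITE_BLOCK != 0 || len % WRITE_BLOCK != 0 || off + len > FLASH_SIZE) {
		return -EINVAL;
	}
	memcpy(flash + off, src, len);
	return 0;
}

/* The old fast path: hand the chunk straight to the driver. */
static int wr_chunk_direct(size_t off, const uint8_t *data, size_t len)
{
	return flash_write(off, data, len);
}

/* The fix: read the aligned window, overlay the chunk, write it back. */
static int wr_chunk_rmw(size_t off, const uint8_t *data, size_t len)
{
	size_t start = ALIGN_DOWN(off, WRITE_BLOCK);
	size_t end = ALIGN_UP(off + len, WRITE_BLOCK);
	uint8_t window[CHUNK_SIZE + 2 * WRITE_BLOCK];
	int err;

	if (end - start > sizeof(window)) {
		return -ENOMEM;
	}
	err = flash_read(start, window, end - start);
	if (err) {
		return err;
	}
	memcpy(window + (off - start), data, len);
	return flash_write(start, window, end - start);
}

/* Chunk 1 starts at offset 161: neither offset nor size is 16-byte aligned. */
static int demo_direct_unaligned(void)
{
	uint8_t chunk[CHUNK_SIZE];

	memset(chunk, 0x22, sizeof(chunk));
	return wr_chunk_direct(CHUNK_SIZE, chunk, sizeof(chunk));
}

/* Write two consecutive chunks with RMW and verify their contents and the
 * untouched bytes beyond them. Returns true when everything checks out. */
static bool demo_rmw_preserves_neighbours(void)
{
	uint8_t chunk0[CHUNK_SIZE], chunk1[CHUNK_SIZE];

	memset(flash, 0xAA, sizeof(flash));	/* pre-existing content */
	memset(chunk0, 0x11, sizeof(chunk0));
	memset(chunk1, 0x22, sizeof(chunk1));

	if (wr_chunk_rmw(0, chunk0, sizeof(chunk0)) != 0 ||
	    wr_chunk_rmw(CHUNK_SIZE, chunk1, sizeof(chunk1)) != 0) {
		return false;
	}
	for (size_t i = 0; i < FLASH_SIZE; i++) {
		uint8_t want = i < CHUNK_SIZE ? 0x11 : i < 2 * CHUNK_SIZE ? 0x22 : 0xAA;

		if (flash[i] != want) {
			return false;
		}
	}
	return true;
}

int main(void)
{
	printf("direct write at offset %d: %d\n", CHUNK_SIZE, demo_direct_unaligned());
	printf("rmw preserves neighbours: %d\n", demo_rmw_preserves_neighbours());
	return 0;
}
```

Note that the second chunk's first write block (bytes 160 to 175) overlaps the tail of the first chunk; the read-back is what keeps byte 160 intact, which is the "preserving neighboring bytes" property the commit relies on.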
bt_iso_recv pulls the SDU header (with or without timestamp),
but did not check the length of `buf` before doing so.
Signed-off-by: Emil Gydesen <emil.gydesen@nordicsemi.no>
Introduces K_MEM_SLAB_DEFINE_TYPE() and K_MEM_SLAB_DEFINE_STATIC_TYPE()
helpers to allow the user to declare slabs for types without having to
manually ensure the alignment is correct.
Manual slab alignment was very error-prone and this change fixes several
instances of misalignment that would be trapped by the undefined
behavior sanitizer when running on 64-bit targets.
Signed-off-by: Egill Sigurdur <egill@egill.xyz>
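Why a type-derived slab definition matters, as an added example (constructed for this page, not Zephyr's `k_mem_slab` or `K_MEM_SLAB_DEFINE_TYPE()`): a hand-specified slab whose buffer only has 4-byte alignment hands out blocks at addresses that are 4 mod 8, which is exactly what the sanitizer traps on when a `uint64_t` lands there on a 64-bit target, whereas a definition that takes its block size and buffer alignment from the type cannot get them out of step. `sim_slab`, `SIM_SLAB_DEFINE_TYPE()` and the `sample_block` type are assumptions for this illustration; the example assumes a 64-bit host where `alignof(uint64_t)` is 8.

```c
#include <stdalign.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration; sim_slab and SIM_SLAB_DEFINE_TYPE() are
 * assumptions for this example, not Zephyr's k_mem_slab API. */
struct sim_slab {
	uint8_t *buffer;
	size_t block_size;
	size_t num_blocks;
	size_t next;	/* bump allocation is enough to show block addresses */
};

/* Block type whose alignment requirement (8 on 64-bit) exceeds 4. */
struct sample_block {
	uint8_t tag;
	uint64_t timestamp;
	uint16_t seq;
};

#define ROUND_UP(x, a) ((((x) + (a) - 1) / (a)) * (a))

/* Type-aware definition: block size and buffer alignment come from the
 * type itself, so the caller cannot get them out of step. */
#define SIM_SLAB_DEFINE_TYPE(name, type, count)						\
	static _Alignas(type) uint8_t name##_buf[(count) * ROUND_UP(sizeof(type), alignof(type))]; \
	static struct sim_slab name = { name##_buf, ROUND_UP(sizeof(type), alignof(type)), (count), 0 }

static void *sim_slab_alloc(struct sim_slab *s)
{
	if (s->next >= s->num_blocks) {
		return NULL;
	}
	return s->buffer + s->block_size * s->next++;
}

/* Is every block the slab can hand out aligned to 'align'? */
static bool slab_blocks_aligned(const struct sim_slab *s, size_t align)
{
	for (size_t i = 0; i < s->num_blocks; i++) {
		if ((uintptr_t)(s->buffer + i * s->block_size) % align != 0) {
			return false;
		}
	}
	return true;
}

/* The error-prone manual variant: the buffer was declared with 4-byte
 * alignment, fine on 32-bit targets but not for a uint64_t on 64-bit ones.
 * A 16-byte aligned wrapper with a 4-byte prefix puts the buffer at an
 * address that is 4 mod 8, a placement a 4-byte alignment permits. */
static struct {
	_Alignas(16) uint32_t prefix;
	uint8_t buf[4 * sizeof(struct sample_block)];
} manual_storage;

static struct sim_slab manual_slab = { manual_storage.buf, sizeof(struct sample_block), 4, 0 };

SIM_SLAB_DEFINE_TYPE(typed_slab, struct sample_block, 4);

static bool demo_manual_aligned(void)
{
	return slab_blocks_aligned(&manual_slab, alignof(struct sample_block));
}

static bool demo_typed_aligned(void)
{
	return slab_blocks_aligned(&typed_slab, alignof(struct sample_block));
}

/* Allocate from the typed slab and use the block as the intended type. */
static bool demo_typed_alloc(void)
{
	struct sample_block *b = sim_slab_alloc(&typed_slab);

	if (b == NULL || (uintptr_t)b % alignof(struct sample_block) != 0) {
		return false;
	}
	b->timestamp = 0x0102030405060708ULL;	/* UBSan would trap here on a misaligned block */
	return b->timestamp == 0x0102030405060708ULL;
}

int main(void)
{
	printf("manual slab aligned: %d, typed slab aligned: %d, typed alloc ok: %d\n",
	       demo_manual_aligned(), demo_typed_aligned(), demo_typed_alloc());
	return 0;
}
```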
393350fd65 made it so that the `mbedTLS`
library is only created when `CONFIG_MBEDTLS_BUILTIN`.
Before this commit, users of Mbed TLS did the following:
`zephyr_library_link_libraries_ifdef(CONFIG_MBEDTLS mbedTLS)`
If the `mbedTLS` CMake library doesn't exist but is still linked to
(as is the case when `CONFIG_MBEDTLS && !CONFIG_MBEDTLS_BUILTIN`),
the linker command is populated with `-lmbedTLS` which makes the build
fail because there is no `libmbedTLS.a` in the build.
Make it so that users of Mbed TLS only link to the `mbedTLS` CMake
library when the builtin version is used.
Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
With adding discard-tracking of extended advertising reports, the
reports are allocated from the discardable event pool instead of the
"normal" event pool. This commit sets the default value of
BT_BUF_EVT_DISCARDABLE_SIZE to BT_BUF_EVT_RX_SIZE when BT_EXT_ADV
is enabled.
Signed-off-by: Håvard Reierstad <haavard.reierstad@nordicsemi.no>
Extends the `host/scan/slow` bsim test to test that the reassembler
is able to recover from a discarded extended advertising report chain.
This requires tracking that extended advertising reports are in fact
received, and that the reassembler times out. Functions for this are
added to testing.h which is only compiled if BT_TESTING is enabled.
Signed-off-by: Håvard Reierstad <haavard.reierstad@nordicsemi.no>
Implements a method for discarding fragmented extended advertising. In
order to achieve this, we need to consider past and future fragments
of the advertising report we discard.
The future fragments are on their way from the controller, and will result
in either a complete- or incomplete event. These are handled by tracking
the adv SID and address until the controller sends either a complete or
incomplete event. Once an advertising report is marked as discarded,
consecutive fragments will be silently discarded.
The past fragments are either already in the reassembler (in scan.c),
or on their way through the rx_queue. To handle these, and allow the
reassembler to recover from an in-progress reassembly which is discarded,
we add a work item which is rescheduled when each consecutive fragment
is received. The timeout is configurable through the new Kconfig option
`CONFIG_BT_EXT_ADV_REASSEMBLY_TIMEOUT`. On timeout, the reassembler will
change its state to discard incoming fragments from the same advertiser.
The reassembler will start assembling new fragments if it recognises a
new advertiser, or if a final fragment (either marked as complete
or incomplete) from the advertiser it is currently tracking is received.
This functionality needs to be added at a HCI driver level by using the
new `hci_ext_adv_report_process` function. It is added to the
IPC HCI driver to fix zephyrproject-rtos/zephyr#50786
Signed-off-by: Håvard Reierstad <haavard.reierstad@nordicsemi.no>
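The two discard paths described in these three commits (future fragments tracked by advertiser address and SID, past fragments handled by a reassembly timeout), as an added example in plain C rather than Zephyr's scan.c: a minimal reassembler that swallows the rest of a chain once a fragment of it was dropped, times out a chain that goes quiet, and recovers on the chain's final fragment or on a report from a different advertiser. The HCI Data_Status values are the real ones; the `reassembler` struct, `fragment_dropped()`, `rx_fragment()`, the 100 ms timeout, the return codes and the sample addresses are assumptions for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the discard/recovery logic. The Data_Status values are
 * the HCI ones; struct names, timeout and return codes are assumptions for
 * this example, not Zephyr's scan.c. */
#define DATA_COMPLETE 0x00
#define DATA_MORE     0x01	/* incomplete, more data to come */
#define REASSEMBLY_TIMEOUT_MS 100	/* stands in for CONFIG_BT_EXT_ADV_REASSEMBLY_TIMEOUT */

struct adv_fragment { uint8_t addr[6]; uint8_t sid; uint8_t data_status; const uint8_t *data; uint8_t len; };

struct reassembler {
	bool in_progress;	/* collecting a chain for (addr, sid) */
	bool discarding;	/* swallowing the remainder of a broken chain */
	uint8_t addr[6], sid, buf[64];
	size_t len;
	uint32_t deadline;	/* expiry of the rescheduled work item */
};

enum rx_result { RX_DISCARDED = -1, RX_ABSORBED = 0, RX_DELIVERED = 1 };

static bool same_advertiser(const struct reassembler *r, const struct adv_fragment *f)
{
	return r->sid == f->sid && memcmp(r->addr, f->addr, sizeof(r->addr)) == 0;
}

static void track(struct reassembler *r, const struct adv_fragment *f)
{
	memcpy(r->addr, f->addr, sizeof(r->addr));
	r->sid = f->sid;
	r->len = 0;
	r->in_progress = true;
}

/* A fragment could not be queued (e.g. discardable pool empty): the chain is
 * unrecoverable, so its remaining fragments must be dropped too. */
static void fragment_dropped(struct reassembler *r, const struct adv_fragment *f)
{
	track(r, f);
	r->in_progress = false;
	r->discarding = (f->data_status == DATA_MORE);	/* nothing left if it was the last one */
}

static int rx_fragment(struct reassembler *r, const struct adv_fragment *f, uint32_t now)
{
	if (r->in_progress && now >= r->deadline) {	/* work item timed out */
		r->in_progress = false;
		r->len = 0;
		r->discarding = true;
	}
	if (r->discarding) {
		if (same_advertiser(r, f)) {
			if (f->data_status != DATA_MORE) r->discarding = false;	/* final fragment closes the broken chain */
			return RX_DISCARDED;
		}
		r->discarding = false;	/* different advertiser: recover right away */
	}
	if (!r->in_progress || !same_advertiser(r, f)) track(r, f);
	if (r->len + f->len > sizeof(r->buf)) {
		r->in_progress = false;
		r->discarding = (f->data_status == DATA_MORE);
		return RX_DISCARDED;
	}
	memcpy(r->buf + r->len, f->data, f->len);
	r->len += f->len;
	r->deadline = now + REASSEMBLY_TIMEOUT_MS;	/* k_work_reschedule() */
	if (f->data_status == DATA_MORE) return RX_ABSORBED;
	r->in_progress = false;
	return RX_DELIVERED;
}

/* Constructed advertisers and payload for the scenario below. */
static const uint8_t addr_a[6] = { 0xC0, 0x11, 0x22, 0x33, 0x44, 0x55 };
static const uint8_t addr_b[6] = { 0xC0, 0x66, 0x77, 0x88, 0x99, 0xAA };
static const uint8_t payload[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };

static struct adv_fragment frag(const uint8_t *addr, uint8_t sid, uint8_t status, uint8_t len)
{
	struct adv_fragment f = { .sid = sid, .data_status = status, .data = payload, .len = len };
	memcpy(f.addr, addr, sizeof(f.addr));
	return f;
}

/* One run through both discard paths. Returns the assembled length of the
 * last delivered report, or -1 if any step deviated from the expected outcome. */
static int demo_discard_and_recover(void)
{
	struct reassembler r = { 0 };
	struct adv_fragment more = frag(addr_a, 1, DATA_MORE, 8), done = frag(addr_a, 1, DATA_COMPLETE, 4);
	struct adv_fragment other = frag(addr_b, 2, DATA_COMPLETE, 8);

	/* 1. A middle fragment is dropped: the rest of the chain is discarded, the next chain is fine. */
	if (rx_fragment(&r, &more, 0) != RX_ABSORBED) return -1;
	fragment_dropped(&r, &more);	/* second fragment never made it into the rx_queue */
	if (rx_fragment(&r, &more, 20) != RX_DISCARDED) return -1;
	if (rx_fragment(&r, &done, 30) != RX_DISCARDED) return -1;
	if (rx_fragment(&r, &more, 40) != RX_ABSORBED) return -1;
	if (rx_fragment(&r, &done, 50) != RX_DELIVERED || r.len != 12) return -1;
	/* 2. A chain goes quiet past the timeout: its straggler is discarded, and a
	 *    report from another advertiser is accepted immediately afterwards. */
	if (rx_fragment(&r, &more, 60) != RX_ABSORBED) return -1;
	if (rx_fragment(&r, &done, 60 + REASSEMBLY_TIMEOUT_MS + 50) != RX_DISCARDED) return -1;
	if (rx_fragment(&r, &other, 300) != RX_DELIVERED) return -1;
	return (int)r.len;
}

int main(void)
{
	printf("last delivered report length: %d\n", demo_discard_and_recover());
	return 0;
}
```

The buffer-full branch in `rx_fragment()` is the local analogue of the pool exhaustion that motivated the change: a peer that keeps emitting oversized or never-completing chains must not be able to wedge the reassembler, so both that branch and the timeout put it into the same discard state that a dropped fragment does.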
Add new inline function entropy_get_default_device which returns
the "zephyr,entropy" device or the architectural entropy device,
if the former is not set, and use that in all places to query the
entropy device.
This allows using architectural drivers which do not have a DT
node.
Signed-off-by: Christoph Busold <cbusold@qti.qualcomm.com>
The right_ring_buf_fail_cnt field was never read.
Remove the dead field.
Assisted-by: Claude:claude-sonnet-4.6
Signed-off-by: Emil Gydesen <emil.gydesen@nordicsemi.no>
Apply ARG_UNUSED() to unused function arguments as per the Zephyr
coding guidelines
A few functions were modified to remove unused parameters
or to actually use the parameters.
Assisted-by: GitHub Copilot
Signed-off-by: Emil Gydesen <emil.gydesen@nordicsemi.no>
The scanning field was set to false in broadcast_assistant_reset() but
never read anywhere. The scanning state is tracked via the
BAP_BA_FLAG_SCANNING atomic bit; the bool field is leftover dead code.
Assisted-by: Claude:claude-sonnet-4.6
Signed-off-by: Emil Gydesen <emil.gydesen@nordicsemi.no>
Introduce HAL_EVENT_TIMER_US_TO_TICKS macro to explicitly map the 1 MHz
hardware timer resolution to the radio configuration, preventing unintended
unit mixing between microseconds and hardware ticks.
Fixes #105085
Signed-off-by: Bhavin Umatiya <umatiyabhavin@gmail.com>
The broadcast_sink pointer was written in three places (set and
cleared) in bap_broadcast_sink.c but never read or dereferenced
anywhere in the codebase. Remove the field, its three write sites,
and the now-unneeded forward declaration of struct bt_bap_broadcast_sink
in bap_endpoint.h.
Assisted-by: Claude:claude-sonnet-4.6
Signed-off-by: Emil Gydesen <emil.gydesen@nordicsemi.no>
Adds IRK update call to internal bt_le_adv_start_ext. And rename it to
adv_start_ext to prevent confusion with public functions.
There are two paths to start ext advertising:
- bt_le_adv_start can start extended advertising if enabled by calling
internal bt_le_adv_start_ext else it starts legacy advertisements.
- bt_le_ext_adv_start specifically starts extended advertisements.
This commit misses the first path for ext advertisement:
6d137ae015
Signed-off-by: Alperen Sener <alperen.sener@nordicsemi.no>
Fix a race condition in RFCOMM session disconnection when both local
and peer devices initiate disconnection simultaneously.
Add state check in `rfcomm_session_disconnected()` to only transition
to `DISCONNECTED` state if the session is not already in
`DISCONNECTING` state. This prevents the race condition where both
sides set the session to disconnected, causing the disconnection
process to not complete properly and leaving the L2CAP connection
unreleased.
Without this check, subsequent RFCOMM channel connection requests
would fail due to the invalid session state (the expected state is
`IDLE`, while the actual state is `DISCONNECTED`).
Signed-off-by: Lyle Zhu <lyle.zhu@nxp.com>
The technology values defined in tbs.h are actually defined
in assigned numbers under the HFP. They have been moved to
the assigned_numbers.h file, and renamed to match the placement
in Assigned Numbers. They have been defined in an enum instead
of multiple #define's, to more easily refer to them.
The callback for reading technology was likewise updated to use
the new enum.
Signed-off-by: Emil Gydesen <emil.gydesen@nordicsemi.no>
Add SPP test shell commands supporting client and server features,
including register, connect, send and disconnect.
Signed-off-by: Kai Cheng <chengkai@xiaomi.com>
Add bt_conn_br_set_sniff_subrating() API to configure sniff subrating
parameters for BR/EDR connections. Sniff subrating allows further
power savings by reducing the number of sniff anchor points the
device needs to listen on.
Signed-off-by: Kai Cheng <chengkai@xiaomi.com>
Introduce struct bt_conn_br_cb to group all BR/EDR specific connection
callbacks (role_changed, mode_changed) into a dedicated sub-struct
within bt_conn_cb. This replaces the previously scattered callbacks
that were individually guarded by CONFIG_BT_CLASSIC or
CONFIG_BT_POWER_MODE_CONTROL.
Application code now uses the .br. accessor:
.br.role_changed = my_role_changed_cb,
.br.mode_changed = my_mode_changed_cb,
The br_ prefix is dropped from callback names since the struct
hierarchy already conveys the BR/EDR scope, aligning with the
pattern suggested during review.
Also fix bt_conn_notify_mode_changed() to use
BT_CONN_CB_DYNAMIC_FOREACH instead of SYS_SLIST_FOR_EACH_CONTAINER
for consistency with other callback notification functions.
Signed-off-by: Kai Cheng <chengkai@xiaomi.com>
The VOCS discover callback may call vcp_vol_ctlr_discover_complete()
with a NULL vol_ctlr when lookup_vcp_by_vocs() fails.
This leads to a potential NULL pointer dereference as
vcp_vol_ctlr_discover_complete() unconditionally accesses
vol_ctlr->flags.
Fix this by returning early when vol_ctlr is NULL.
Signed-off-by: Gaetan Perrot <gaetan.perrot@spacecubics.com>
Core spec defines the range of adv intervals for extended advertising to
0x0020 to 0xFFFFFF, but the code currently only allows up to 0x4000.
This change enables the full range of intervals for extended advertising
Signed-off-by: Kyra Lengfeld <kyra.lengfeld@nordicsemi.no>
Remove the logic that silently clamps the MTU to valid ranges and
instead return an error if the configured MTU is below the minimum
required size.
The MTU is now always set to the maximum value that the configuration
can support, rather than conditionally using a default only when
set to 0.
Change log level from WRN to ERR for the minimum MTU check since
this now represents a fatal configuration error.
Signed-off-by: Lyle Zhu <lyle.zhu@nxp.com>