zephyrproject-rtos / zephyr

Primary Git Repository for the Zephyr Project. Zephyr is a new generation, scalable, optimized, secure RTOS for multiple hardware architectures.
https://docs.zephyrproject.org
Apache License 2.0

bluetooth: null pointer dereference for non-connectable extended advertising #28325

Closed pabigot closed 4 years ago

pabigot commented 4 years ago

When https://github.com/pabigot/zephyr/tree/issue/28090 is run on current master including #28090, the application fails with:

*** Booting Zephyr OS build v2.4.0-rc1-85-gaa41d6aed41b  ***
Starting Beacon Demo
Bluetooth initialized
options 4, plc zep
leac 0
0x20000a58 at 0
leasd 0
leas 0
Beacon started
[00:00:00.405,517] <inf> bt_hci_core: HW Platform: Nordic Semiconductor (0x0002)
[00:00:00.405,517] <inf> bt_hci_core: HW Variant: nRF52x (0x0002)
[00:00:00.405,517] <inf> bt_hci_core: Firmware: Standard Bluetooth controller (0
[00:00:00.406,066] <inf> bt_hci_core: Identity: cf:46:c1:8a:96:e3 (random)
[00:00:00.406,097] <inf> bt_hci_core: HCI: version 5.2 (0x0b) revision 0x0000, 1
[00:00:00.406,097] <inf> bt_hci_core: LMP: version 5.2 (0x0b) subver 0xffff
[00:00:04.445,892] <err> os: ***** MPU FAULT *****
[00:00:04.445,892] <err> os:   Data Access Violation
[00:00:04.445,892] <err> os:   MMFAR Address: 0x8
[00:00:04.445,922] <err> os: r0/a1:  0x20000cbc  r1/a2:  0x2000105c  r2/a3:  0x3
[00:00:04.445,922] <err> os: r3/a4:  0x00000000 r12/ip:  0x00000000 r14/lr:  0x3
[00:00:04.445,922] <err> os:  xpsr:  0x2100001b
[00:00:04.445,922] <err> os: Faulting instruction address (r15/pc): 0x000008c2
[00:00:04.445,922] <err> os: >>> ZEPHYR FATAL ERROR 0: CPU exception on CPU 0
[00:00:04.445,922] <err> os: Fault during interrupt handling

[00:00:04.445,953] <err> os: Current thread: 0x20000718 (unknown)
[00:00:05.178,100] <err> os: Halting system

This is due to https://github.com/zephyrproject-rtos/zephyr/blob/7219924ee092676b5e522697c772477741c25b6e/subsys/bluetooth/controller/ll_sw/ull_adv.c#L1497 which unconditionally dereferences lll->node_rx_adv_term in a case where that pointer is null. The pointer is assigned at https://github.com/zephyrproject-rtos/zephyr/blob/7219924ee092676b5e522697c772477741c25b6e/subsys/bluetooth/controller/ll_sw/ull_adv.c#L933 which is within a block conditional on CONFIG_BT_PERIPHERAL and intended to support connectable advertising.

Is extended advertising only supported in this configuration? I would like to use it for non-connectable advertisements from a beacon device.
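The defect pattern described in the report, reduced to a small C model added here for illustration (this is not Zephyr's `ull_adv.c`; the struct names, `adv_enable_model`, `adv_terminate_unguarded`, `adv_terminate_guarded`, `adv_term_fault_offset` and the `MODEL_BT_PERIPHERAL` macro are all hypothetical stand-ins): a pointer that is only attached inside a block compiled for connectable (peripheral) advertising, and a termination path that dereferences it without checking. The guarded variant returns an error instead of faulting; the offset helper shows why a NULL base plus a small field offset produces a data-access fault address like the `MMFAR Address: 0x8` in the log above.

```c
/* Added illustrative model of the reported null dereference; not Zephyr code.
 * Every identifier below is a hypothetical stand-in for the real controller
 * structures named in the issue. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the rx node that the connectable path attaches. A field at
 * offset 8 of a NULL base gives a fault address of 0x8, the kind of small
 * address a data-access fault on a null pointer reports. */
struct node_rx_model {
	uint8_t  hdr[8];
	uint16_t handle;
};

/* Stand-in for the per-advertising-set LLL state. */
struct lll_adv_model {
	bool connectable;
	struct node_rx_model *node_rx_adv_term; /* attached only for peripheral */
};

/* Stand-in for CONFIG_BT_PERIPHERAL. The beacon build in the report does
 * not enable it, so the model defaults to 0. */
#ifndef MODEL_BT_PERIPHERAL
#define MODEL_BT_PERIPHERAL 0
#endif

static struct node_rx_model rx_pool[1];

/* Enable path: the terminate node is only attached inside the block that is
 * compiled for connectable advertising, so a non-connectable set (or any set
 * on a build without the peripheral option) leaves the pointer NULL. */
void adv_enable_model(struct lll_adv_model *lll, bool connectable)
{
	lll->connectable = connectable;
	lll->node_rx_adv_term = NULL;
#if MODEL_BT_PERIPHERAL
	if (connectable) {
		lll->node_rx_adv_term = &rx_pool[0];
		lll->node_rx_adv_term->handle = 0;
	}
#else
	(void)rx_pool;
#endif
}

/* Defective shape: dereferences the pointer unconditionally. With a NULL
 * pointer this is the fault in the report, so callers must never reach it
 * for a non-connectable set. Kept only to show the difference. */
int adv_terminate_unguarded(struct lll_adv_model *lll, uint16_t handle)
{
	lll->node_rx_adv_term->handle = handle;
	return 0;
}

/* Hardened shape (assumed mitigation, not the project's actual fix): refuse
 * to report termination when no rx node was ever attached. */
int adv_terminate_guarded(struct lll_adv_model *lll, uint16_t handle)
{
	if (lll->node_rx_adv_term == NULL) {
		return -1; /* nothing to report for this advertising set */
	}
	lll->node_rx_adv_term->handle = handle;
	return 0;
}

/* Offset of the field the terminate path writes; added to a NULL base this
 * is the address a data-access fault would report. */
size_t adv_term_fault_offset(void)
{
	return offsetof(struct node_rx_model, handle);
}

int main(void)
{
	struct lll_adv_model lll;

	adv_enable_model(&lll, false); /* non-connectable beacon set */
	printf("node_rx_adv_term is %s\n",
	       lll.node_rx_adv_term == NULL ? "NULL" : "attached");
	printf("guarded terminate -> %d\n", adv_terminate_guarded(&lll, 0x0001));
	printf("would fault at NULL + 0x%zx\n", adv_term_fault_offset());
	/* adv_terminate_unguarded(&lll, 1) would crash here. */
	return 0;
}
```

Compile with `-DMODEL_BT_PERIPHERAL=1` and request a connectable set to see the pointer attached and the guarded call succeed; with the default build, only the guarded path is safe to call.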

pabigot commented 4 years ago

Marking low so triage telecon doesn't get into it; PR exists and is scheduled for 2.4.0