[nrf noup] bluetooth: conn: Skip buffer ref count check in send_buf

MarekPieta · rlubos · commit cc098c6faa2f · 2025-08-01T11:34:17.000+02:00
If ATT sent callback is delayed until data transmission is done by BLE controller, the transmitted buffer may have an additional reference. The reference is used to extend lifetime of the net buffer until the data transmission is confirmed by ACK of the remote. send_buf function can be called multiple times, if buffer has to be fragmented over HCI. In that case, the callback is provided as an argument only for the last transmitted fragment. The `buf->ref == 1` check is skipped because it's impossible to properly validate number of references for the sent fragments if buffers may have the additional reference. Jira: NCSDK-28624 Signed-off-by: Marek Pieta <Marek.Pieta@nordicsemi.no> (cherry picked from commit 2c09574)
diff --git a/subsys/bluetooth/host/conn.c b/subsys/bluetooth/host/conn.c
@@ -702,19 +702,27 @@ static int send_buf(struct bt_conn *conn, struct net_buf *buf,
 
 	uint16_t frag_len = MIN(conn_mtu(conn), len);
 
-	/* Check that buf->ref is 1 or 2. It would be 1 if this was
-	 * the only reference (e.g. buf was removed from the conn
-	 * tx_queue). It would be 2 if the tx_data_pull kept it on
-	 * the tx_queue for segmentation.
+	/* If ATT sent callback is delayed until data transmission
+	 * is done by BLE controller, the transmitted buffer may
+	 * have an additional reference. The reference is used to
+	 * extend lifetime of the net buffer until the data
+	 * transmission is confirmed by ACK of the remote.
 	 *
-	 * Allow for an additional buffer reference if callback is
-	 * provided. This can be used to extend lifetime of the net
-	 * buffer until the data transmission is confirmed by ACK of
-	 * the remote.
+	 * send_buf function can be called multiple times, if buffer
+	 * has to be fragmented over HCI. In that case, the callback
+	 * is provided as an argument only for the last transmitted
+	 * fragment. The `buf->ref == 1` (or 2) check is skipped
+	 * because it's impossible to properly validate number of
+	 * references for the sent fragments if buffers may have the
+	 * additional reference.
+	 *
+	 * Otherwise, check that buf->ref is 1 or 2. It would be 1
+	 * if this was the only reference (e.g. buf was removed from
+	 * the conn tx_queue). It would be 2 if the tx_data_pull
+	 * kept it on the tx_queue for segmentation.
 	 */
-	if (buf->ref > 2 + (cb ? 1 : 0)) {
-		__ASSERT_NO_MSG(false);
-	}
+	__ASSERT_NO_MSG(IS_ENABLED(CONFIG_BT_ATT_SENT_CB_AFTER_TX) || (buf->ref == 1) ||
+			(buf->ref == 2));
 
 	/* The reference is always transferred to the frag, so when
 	 * the frag is destroyed, the parent reference is decremented.
