Bluetooth: Host: Run tx_processor on its own thread

[alwa-nordic]

Move tx_processor off the system work queue to its own thread. Solves deadlock where bt_hci_cmd_alloc() blocks the system work queue.

[jhedberg]

Does nRF51 even have working Bluetooth? @nordicjm mentioned on Discord today that it doesn't (since Zephyr 4.0). @cvinayak do you know?

[nordicjm]

See #74345 it works in 3.7 with Vinayak's patch (it does not work in-tree as is without changes), it does not work in any later versions as the stack was reworked to a much slower implementation and the nRF51 CPU is not fast enough to handle the interrupts

[jhedberg]

In that case there's a bunch of cleanup that needs to be done, since there are still some overlays for the board in Bluetooth sample apps. There's also supported: ble in the board's yaml.

[cvinayak]

The Zephyr Controller's redesigned control procedure max. CPU usage due to handling of tx ack and the processing of the Rx-ed PDU contiguously is higher within the 150 us tIFS. Hence, under controlled conditions nRF51 assertion checks fail detecting the increased CPU usage that is causing violation of hard real-time deadlines. I have private fork with latest upstreamed rebase of this PR #75197 with legacy control procedure implementation that I continue to use with nRF51 with my boards (bbc_microbits that supports extended advertising and extended scanning too, with one day's hope to use it to listen to Auracast LE audio!).

@alwa-nordic what is the reason for default y if !SOC_SERIES_NRF51X ? If this is assertions in the Controller, then you do not need this (and can be documented as Controller's known issue). If this is due to RAM or Flash usage, then on the SoC variant need not be using in samples.yaml that fail build.

[alwa-nordic]

what is the reason for default y if !SOC_SERIES_NRF51X ?

# due to limited RAM on nRF51 devices.

[alwa-nordic]

@jhedberg, would you like to move this discussion to an issue or other forum?

[cvinayak]

The Zephyr Controller's redesigned control procedure max. CPU usage due to handling of tx ack and the processing of the Rx-ed PDU contiguously is higher within the 150 us tIFS. Hence, under controlled conditions nRF51 assertion checks fail detecting the increased CPU usage that is causing violation of hard real-time deadlines. I have private fork with latest upstreamed rebase of this PR #75197 with legacy control procedure implementation that I continue to use with nRF51 with my boards (bbc_microbits that supports extended advertising and extended scanning too, with one day's hope to use it to listen to Auracast LE audio!).

@alwa-nordic what is the reason for default y if !SOC_SERIES_NRF51X ? If this is assertions in the Controller, then you do not need this (and can be documented as Controller's known issue). If this is due to RAM or Flash usage, then on the SoC variant need not be using in samples.yaml that fail build.

[cvinayak]

Suggested change

	default -1
	default -7

to be in sync with CONFIG_BT_HCI_TX_PRIO=7

and

BUILD_ASSERT(CONFIG_BT_DRIVER_RX_HIGH_PRIO < CONFIG_BT_HCI_TX_PRIO);

[alwa-nordic]

OK, I'll update it to -7. I selected it arbitrarily anyway. But can you help me understand what the point is and formulate a code comment?

zephyr/subsys/bluetooth/common/dummy.c

Lines 38 to 39 in e57676a

	* This is required in order to dispatch Number of Completed Packets event
	* before any new data arrives on a connection to the Host threads.

I don't understand why tx_processor needs to run for the Controller to generate outstanding Number of Completed Packets events.

Is this maybe about sending the Host Number Of Completed Packets command? I guess it helps throughput in situations with high CPU load, when otherwise the Controller could be starved of Host buffers and start NAK-ing on air? If so, would it make sense to future work on prioritizing only the Host Number of Buffers Complete commands instead of all TX?

[alwa-nordic]

I see the code comment above is from 9a13a0c, which' commit message says:

The Tx thread priority shall be higher than Rx thread priority in order to correctly detect transaction violations in ATT and SMP protocols.

We are not doing this anymore. It did not work correctly with some Controllers, and it was decided it's not a requirement anyway.

Do you still want me to change priority to -7?

All questions in my previous comment still stand.

[cvinayak]

detect transaction violations in ATT and SMP protocols.

This is to prevent remote initiated starvation of local ACL Tx buffers, i.e. example, a remote peer sending a burst of ATT Read Requests violating transaction rules leading to local enqueuing back ATT Read/Error Responses.

Hence, even if do not have transaction violation detection today, to be consistent with ONFIG_BT_HCI_TX_PRIO we should use -7. Another PR or GH issue can address collective the use of co-operative priority values like 6, 7 and 8 currently in the Bluetooth subsystem.

[PavelVPV]

TX processor has been running on sysworkq before which priority is -1. Can we do profiling and address the priority issue in a separate PR? It is hard to change something without having evidence that this change is needed (even if it is needed).

[alwa-nordic]

This is to prevent remote initiated starvation of local ACL Tx buffers, i.e. example, a remote peer sending a burst of ATT Read Requests violating transaction rules leading to local enqueuing back ATT Read/Error Responses.

Well, we don't have those checks in att.c now. So changing the priority of tx_processor is pointless.

[alwa-nordic]

This is to prevent remote initiated starvation of local ACL Tx buffers, i.e. example, a remote peer sending a burst of ATT Read Requests violating transaction rules leading to local enqueuing back ATT Read/Error Responses.

It may be sensible to make our implementation impervious against the kind of DoS you describe (future work). But it will have to be something robust, and it must not rely on thread priorities.

[cvinayak]

TX processor has been running on sysworkq before which priority is -1. Can we do profiling and address the priority issue in a separate PR? It is hard to change something without having evidence that this change is needed (even if it is needed).

Then, inherit the sysworkq priority here instead of hard coding to -1.

It may be sensible to make our implementation impervious against the kind of DoS you describe (future work). But it will have to be something robust, and it must not rely on thread priorities.

Then, make this user configurable (and, making it inherit system work queue prior), this thread does not need to rely on priority values.

[cvinayak]

Why? Please check with maintainer of qemu_cortex_m3/ti_lm3s6965

[alwa-nordic]

It ran out of RAM. I assume 62 was chosen to fill RAM on the least capable device in CI, not because it is a requirement of the sample. Now the least capable device only allows for 61.

Please tell me why I should check with the maintainer of qemu_cortex_m3/ti_lm3s6965. It's our (Bluetooth subsystem) sample.

[cvinayak]

4c6174d5112b (Vinayak Kariappa Chettimada 2020-12-15 18:48:33 +0530  1) sample:
ca2bcf8d1566 (Fabio Baltieri              2023-01-23 19:05:52 +0000  2)   description: Bluetooth Peripheral Identity
93b63df7627b (Gerard Marull-Paretas       2023-05-08 13:37:42 +0200  3)   name: Demonstrates use of multiple identity and the ability to be connected to from
93b63df7627b (Gerard Marull-Paretas       2023-05-08 13:37:42 +0200  4)     multiple central devices
4c6174d5112b (Vinayak Kariappa Chettimada 2020-12-15 18:48:33 +0530  5) tests:
4c6174d5112b (Vinayak Kariappa Chettimada 2020-12-15 18:48:33 +0530  6)   sample.bluetooth.peripheral_identity:
4c6174d5112b (Vinayak Kariappa Chettimada 2020-12-15 18:48:33 +0530  7)     harness: bluetooth
93b63df7627b (Gerard Marull-Paretas       2023-05-08 13:37:42 +0200  8)     platform_allow:
93b63df7627b (Gerard Marull-Paretas       2023-05-08 13:37:42 +0200  9)       - qemu_cortex_m3
93b63df7627b (Gerard Marull-Paretas       2023-05-08 13:37:42 +0200 10)       - qemu_x86
8dc3f856229c (Torsten Rasmussen           2022-09-14 22:23:15 +0200 11)       - nrf52840dk/nrf52840
4c6174d5112b (Vinayak Kariappa Chettimada 2020-12-15 18:48:33 +0530 12)     tags: bluetooth
ba7d730e9bd9 (Anas Nashif                 2022-11-29 00:23:08 +0000 13)     integration_platforms:
ba7d730e9bd9 (Anas Nashif                 2022-11-29 00:23:08 +0000 14)       - qemu_cortex_m3

ti_lm3s6965 comes as part of qemu_cortex_m3 coverage. If this platform cannot be supported we should explicitly note this in release notes and have a plan to deprecate it. Hence, the maintainer should be informed.

[PavelVPV]

Sorry, missed that we need to disable this code if tx processor thread is enabled:

zephyr/subsys/bluetooth/host/hci_core.c

Lines 473 to 500 in 27904e9

	/* TODO: disallow sending sync commands from syswq altogether */
	/* Since the commands are now processed in the syswq, we cannot suspend
	* and wait. We have to send the command from the current context.
	*/
	if (k_current_get() == &k_sys_work_q.thread) {
	/* drain the command queue until we get to send the command of interest. */
	struct net_buf *cmd = NULL;
	do {
	cmd = k_fifo_peek_head(&bt_dev.cmd_tx_queue);
	LOG_DBG("process cmd %p want %p", cmd, buf);
	/* Wait for a response from the Bluetooth Controller.
	* The Controller may fail to respond if:
	* - It was never programmed or connected.
	* - There was a fatal error.
	*
	* See the `BT_HCI_OP_` macros in hci_types.h or
	* Core_v5.4, Vol 4, Part E, Section 5.4.1 and Section 7
	* to map the opcode to the HCI command documentation.
	* Example: 0x0c03 represents HCI_Reset command.
	*/
	__maybe_unused bool success = process_pending_cmd(HCI_CMD_TIMEOUT);
	BT_ASSERT_MSG(success, "command opcode 0x%04x timeout", opcode);
	} while (buf != cmd);
	}

[alwa-nordic]

Sorry, missed that we need to disable this code if tx processor thread is enabled:

zephyr/subsys/bluetooth/host/hci_core.c

Lines 473 to 500 in 27904e9

	/* TODO: disallow sending sync commands from syswq altogether */
	/* Since the commands are now processed in the syswq, we cannot suspend
	* and wait. We have to send the command from the current context.
	*/
	if (k_current_get() == &k_sys_work_q.thread) {
	/* drain the command queue until we get to send the command of interest. */
	struct net_buf *cmd = NULL;
	do {
	cmd = k_fifo_peek_head(&bt_dev.cmd_tx_queue);
	LOG_DBG("process cmd %p want %p", cmd, buf);
	/* Wait for a response from the Bluetooth Controller.
	* The Controller may fail to respond if:
	* - It was never programmed or connected.
	* - There was a fatal error.
	*
	* See the `BT_HCI_OP_` macros in hci_types.h or
	* Core_v5.4, Vol 4, Part E, Section 5.4.1 and Section 7
	* to map the opcode to the HCI command documentation.
	* Example: 0x0c03 represents HCI_Reset command.
	*/
	__maybe_unused bool success = process_pending_cmd(HCI_CMD_TIMEOUT);
	BT_ASSERT_MSG(success, "command opcode 0x%04x timeout", opcode);
	} while (buf != cmd);
	}

Should we disable it? Or keep it and print a warning like in 93c2d8d? It may be a good idea to keep it until we do a full audit of the code on tx_processor and determine that it cannot possibly happen.

[PavelVPV]

Sorry, missed that we need to disable this code if tx processor thread is enabled:

zephyr/subsys/bluetooth/host/hci_core.c

Lines 473 to 500 in 27904e9

	/* TODO: disallow sending sync commands from syswq altogether */
	/* Since the commands are now processed in the syswq, we cannot suspend
	* and wait. We have to send the command from the current context.
	*/
	if (k_current_get() == &k_sys_work_q.thread) {
	/* drain the command queue until we get to send the command of interest. */
	struct net_buf *cmd = NULL;
	do {
	cmd = k_fifo_peek_head(&bt_dev.cmd_tx_queue);
	LOG_DBG("process cmd %p want %p", cmd, buf);
	/* Wait for a response from the Bluetooth Controller.
	* The Controller may fail to respond if:
	* - It was never programmed or connected.
	* - There was a fatal error.
	*
	* See the `BT_HCI_OP_` macros in hci_types.h or
	* Core_v5.4, Vol 4, Part E, Section 5.4.1 and Section 7
	* to map the opcode to the HCI command documentation.
	* Example: 0x0c03 represents HCI_Reset command.
	*/
	__maybe_unused bool success = process_pending_cmd(HCI_CMD_TIMEOUT);
	BT_ASSERT_MSG(success, "command opcode 0x%04x timeout", opcode);
	} while (buf != cmd);
	}

Should we disable it? Or keep it and print a warning like in 93c2d8d? It may be a good idea to keep it until we do a full audit of the code on tx_processor and determine that it cannot possibly happen.

I think this path should never exist in case of tx processor thread. If it happens that somehow Host calls bt_hci_cmd_send_sync from tx processor, bt_hci_cmd_send_sync will deadlock as semaphore is released after a command is sent and response is received. But since the command is never sent, the response will never be received. A warning may not be noticed, but deadlock will be reported and gets fixed.

[alwa-nordic]

Sorry, missed that we need to disable this code if tx processor thread is enabled:

zephyr/subsys/bluetooth/host/hci_core.c

Lines 473 to 500 in 27904e9

	/* TODO: disallow sending sync commands from syswq altogether */
	/* Since the commands are now processed in the syswq, we cannot suspend
	* and wait. We have to send the command from the current context.
	*/
	if (k_current_get() == &k_sys_work_q.thread) {
	/* drain the command queue until we get to send the command of interest. */
	struct net_buf *cmd = NULL;
	do {
	cmd = k_fifo_peek_head(&bt_dev.cmd_tx_queue);
	LOG_DBG("process cmd %p want %p", cmd, buf);
	/* Wait for a response from the Bluetooth Controller.
	* The Controller may fail to respond if:
	* - It was never programmed or connected.
	* - There was a fatal error.
	*
	* See the `BT_HCI_OP_` macros in hci_types.h or
	* Core_v5.4, Vol 4, Part E, Section 5.4.1 and Section 7
	* to map the opcode to the HCI command documentation.
	* Example: 0x0c03 represents HCI_Reset command.
	*/
	__maybe_unused bool success = process_pending_cmd(HCI_CMD_TIMEOUT);
	BT_ASSERT_MSG(success, "command opcode 0x%04x timeout", opcode);
	} while (buf != cmd);
	}

Should we disable it? Or keep it and print a warning like in 93c2d8d? It may be a good idea to keep it until we do a full audit of the code on tx_processor and determine that it cannot possibly happen.

I think this path should never exist in case of tx processor thread. If it happens that somehow Host calls bt_hci_cmd_send_sync from tx processor, bt_hci_cmd_send_sync will deadlock as semaphore is released after a command is sent and response is received. But since the command is never sent, the response will never be received.

Do you mean this path never does anything useful, even when tx_processor and bt_hci_cmd_send_sync are on the same thread? 😕

A warning may not be noticed, but deadlock will be reported and gets fixed.

I'm not sure I agree a deadlock is better than a warning, for our business. But I am willing to chance that there is no deadlock and remove the workaround.

[PavelVPV]

Do you mean this path never does anything useful, even when tx_processor and bt_hci_cmd_send_sync are on the same thread? 😕

tx_processor and bt_hci_cmd_send_sync shall not run on the same thread. If this happens, it needs to be fixed.

I'm not sure I agree a deadlock is better than a warning, for our business. But I am willing to chance that there is no deadlock and remove the workaround.

What can I as a user do with warning?

[alwa-nordic]

What can I as a user do with warning?

I thought about that:

zephyr/subsys/bluetooth/host/hci_core.c

Line 495 in 93c2d8d

* If you see this warning, please send us a stack trace.

And it's not about the warning. There is a chance you get a functioning system, as opposed to a deadlock. That's the point of defensive programming. We try to recover also from situations we think are not possible. Because often we are wrong. And in this case we haven't even done an audit yet. And one of the commits in this PR is fixing a case of this problem. There are downsides; there is a chance you get a stack overflow. This is something to weight up.

BTW, I think if we keep this defense, we should also add it to bt_hci_cmd_alloc(). But I can do that in a separate PR later.

[alwa-nordic]

I added a commit disabling the workaround.

[jhedberg]

@alwa-nordic you might want to set aside some time next week to go through potential breakage resulting from the weekly CI run, if this gets merged this week. I suspect there may very well be some sample & test configurations that don't fit anymore. Even the "push to main" CI run might reveal those, but let's see. Still waiting for an update from @cvinayak since his review is currently blocking this.

[jhedberg]

Bluetooth WG: let's disable this by default, and then it can go in for 4.3. Some test config should still enable it for coverage.

[KyraLengfeld]

Suggested change

	/* If the commands are now processed in the syswq, we cannot suspend
	/* If the commands are processed in the syswq, we cannot suspend

[KyraLengfeld]

No concerns from me, but assume you will have to appease the others still :)

[alwa-nordic]

Updated

[alwa-nordic]

Updated: default n and improved comment.

[cvinayak]

TX processor has been running on sysworkq before which priority is -1. Can we do profiling and address the priority issue in a separate PR? It is hard to change something without having evidence that this change is needed (even if it is needed).

Then, inherit the sysworkq priority here instead of hard coding to -1.

It may be sensible to make our implementation impervious against the kind of DoS you describe (future work). But it will have to be something robust, and it must not rely on thread priorities.

Then, make this user configurable (and, making it inherit system work queue prior), this thread does not need to rely on priority values.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[jhedberg]

@alwa-nordic since this missed the feature freeze, it doesn't really make sense to have any references to Zephyr 4.3 anymore. This would have needed to get merged last Friday to make it.

[alwa-nordic]

@alwa-nordic since this missed the feature freeze, it doesn't really make sense to have any references to Zephyr 4.3 anymore. This would have needed to get merged last Friday to make it.

Ok, then I'll remove the default n, and the PR will go in after Zephyr 4.3 is released.