Bluetooth: Mesh: Fix tx seg buffer with NULL pointer reference

[anchao]

Bluetooth: Mesh: Fix tx seg buffer with NULL pointer reference

Fix tx seg buffer with NULL pointer reference if enable mesh friendly

Signed-off-by: chao an anchao@xiaomi.com

[anchao]

Board: nRF52-PCA10040

To reproduce this issue:

$ sudo btattach -B /dev/ttyACM0 -S 1000000
$ west build -b native_posix samples/bluetooth/mesh
$ sudo gdb ./build/zephyr/zephyr.exe

$ (gdb) run --bt-dev=hci0

Thread 7 "zephyr.exe" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xf7d82b40 (LWP 21501)]
net_buf_simple_add_mem (buf=0xf7d81cd0, mem=0x0, len=12) at /home/archer/code/zephyr/zephyr/subsys/net/buf.c:804
804 return memcpy(net_buf_simple_add(buf, len), mem, len);

(gdb) bt
#0 net_buf_simple_add_mem (buf=0xf7d81cd0, mem=0x0, len=12) at /home/archer/code/zephyr/zephyr/subsys/net/buf.c:804
#1 0x0805f160 in seg_tx_buf_build (tx=tx@entry=0x80867e0 <seg_tx>, seg_o=seg_o@entry=0 '\000', buf=buf@entry=0xf7d81cd0) at /home/archer/code/zephyr/zephyr/subsys/bluetooth/mesh/transport.c:350
#2 0x0806017c in send_seg (net_tx=net_tx@entry=0xf7d81dc0, sdu=sdu@entry=0xf7d81e2c, cb=cb@entry=0x0, cb_data=0x0, ctl_op=0x0) at /home/archer/code/zephyr/zephyr/subsys/bluetooth/mesh/transport.c:539
#3 0x08061afb in bt_mesh_trans_send (tx=0xf7d81dc0, msg=0xf7d81e2c, cb=0x0, cb_data=0x0) at /home/archer/code/zephyr/zephyr/subsys/bluetooth/mesh/transport.c:669
#4 0x0806260a in model_send (model=model@entry=0x8080100 <root_models>, tx=tx@entry=0xf7d81dc0, implicit_bind=implicit_bind@entry=false, msg=0xf7d81e2c, cb=0x0, cb_data=0x0) at /home/archer/code/zephyr/zephyr/subsys/bluetooth/mesh/access.c:690
#5 0x08062ca9 in bt_mesh_model_send (model=0x8080100 <root_models>, ctx=0xf7d81fc8, msg=0xf7d81e2c, cb=0x0, cb_data=0x0) at /home/archer/code/zephyr/zephyr/subsys/bluetooth/mesh/access.c:718
#6 0x080657c7 in dev_comp_data_get (model=0x8080100 <root_models>, ctx=0xf7d81fc8, buf=0xf7d81f3c) at /home/archer/code/zephyr/zephyr/subsys/bluetooth/mesh/cfg_srv.c:144
#7 0x080633cf in bt_mesh_model_recv (rx=0xf7d81fc4, buf=0xf7d81f3c) at /home/archer/code/zephyr/zephyr/subsys/bluetooth/mesh/access.c:631
#8 0x08061422 in sdu_recv_unseg (buf=0xf7d81fb8, hdr=, rx=0xf7d81fc4) at /home/archer/code/zephyr/zephyr/subsys/bluetooth/mesh/transport.c:891
#9 trans_unseg (seq_auth=0xf7d81f28, rx=0xf7d81fc4, buf=0xf7d81fb8) at /home/archer/code/zephyr/zephyr/subsys/bluetooth/mesh/transport.c:1242
#10 bt_mesh_trans_recv (buf=0xf7d81fb8, rx=0xf7d81fc4) at /home/archer/code/zephyr/zephyr/subsys/bluetooth/mesh/transport.c:1778
#11 0x0805ecb8 in bt_mesh_net_recv (data=0x8080b3c <clients+60>, rssi=0 '\000', net_if=BT_MESH_NET_IF_PROXY) at /home/archer/code/zephyr/zephyr/subsys/bluetooth/mesh/net.c:1272
#12 0x0806f373 in proxy_complete_pdu (client=client@entry=0x8080b00 ) at /home/archer/code/zephyr/zephyr/subsys/bluetooth/mesh/proxy.c:427
#13 0x0806f7f8 in proxy_recv (conn=0x80862a0 , attr=0x8080a28 <proxy_attrs+40>, buf=0x808126c <net_buf_data_acl_in_pool+12>, len=22, offset=0, flags=2 '\002') at /home/archer/code/zephyr/zephyr/subsys/bluetooth/mesh/proxy.c:531
#14 0x0805836f in write_cb (user_data=0xf7d821e4, attr=0x8080a28 <proxy_attrs+40>) at /home/archer/code/zephyr/zephyr/subsys/bluetooth/host/att.c:1645
#15 write_cb (attr=0x8080a28 <proxy_attrs+40>, user_data=0xf7d821e4) at /home/archer/code/zephyr/zephyr/subsys/bluetooth/host/att.c:1624
#16 0x0805b0da in gatt_foreach_iter (start_handle=18, end_handle=18, uuid=0x0, attr_data=0x0, user_data=0xf7d821e4, func=0x8058326 <write_cb>, num_matches=, attr=0x8080a28 <proxy_attrs+40>)
at /home/archer/code/zephyr/zephyr/subsys/bluetooth/host/gatt.c:1335
#17 gatt_foreach_iter (user_data=0xf7d821e4, func=0x8058326 <write_cb>, num_matches=, attr_data=0x0, uuid=0x0, end_handle=18, start_handle=18, attr=0x8080a28 <proxy_attrs+40>)
at /home/archer/code/zephyr/zephyr/subsys/bluetooth/host/gatt.c:1305
#18 foreach_attr_type_dyndb (user_data=0xf7d821e4, func=0x8058326 <write_cb>, num_matches=, attr_data=0x0, uuid=0x0, end_handle=18, start_handle=18) at /home/archer/code/zephyr/zephyr/subsys/bluetooth/host/gatt.c:1367
#19 bt_gatt_foreach_attr_type (start_handle=18, end_handle=18, uuid=0x0, attr_data=0x0, num_matches=, func=0x8058326 <write_cb>, user_data=0xf7d821e4) at /home/archer/code/zephyr/zephyr/subsys/bluetooth/host/gatt.c:1422
#20 0x08057721 in bt_gatt_foreach_attr (start_handle=start_handle@entry=18, end_handle=end_handle@entry=18, func=func@entry=0x8058326 <write_cb>, user_data=0xf7d821e4) at ../include/bluetooth/gatt.h:380
#21 0x08058792 in att_write_rsp (chan=chan@entry=0x8082ae0 <_k_mem_slab_buf_chan_slab>, req=req@entry=0 '\000', rsp=rsp@entry=0 '\000', handle=18, offset=0, value=0x808126c <net_buf_data_acl_in_pool+12>, len=22)
at /home/archer/code/zephyr/zephyr/subsys/bluetooth/host/att.c:1688
#22 0x0805887c in att_write_rsp (offset=0, len=22, value=0x808126c <net_buf_data_acl_in_pool+12>, handle=18, rsp=0 '\000', req=0 '\000', chan=0x8082ae0 <_k_mem_slab_buf_chan_slab>) at /home/archer/code/zephyr/zephyr/subsys/bluetooth/host/att.c:1667
#23 att_write_cmd (chan=0x8082ae0 <_k_mem_slab_buf_chan_slab>, buf=0x8081440 <net_buf_acl_in_pool>) at /home/archer/code/zephyr/zephyr/subsys/bluetooth/host/att.c:1918
#24 0x080586e9 in bt_att_recv (chan=0x8082ae4 <_k_mem_slab_buf_chan_slab+4>, buf=0x8081440 <net_buf_acl_in_pool>) at /home/archer/code/zephyr/zephyr/subsys/bluetooth/host/att.c:2437
#25 0x080574eb in l2cap_chan_recv (buf=0x8081440 <net_buf_acl_in_pool>, chan=) at /home/archer/code/zephyr/zephyr/subsys/bluetooth/host/l2cap.c:2235
#26 bt_l2cap_recv (conn=0x80862a0 , buf=0x8081440 <net_buf_acl_in_pool>) at /home/archer/code/zephyr/zephyr/subsys/bluetooth/host/l2cap.c:2269
#27 0x080563c9 in bt_conn_recv (conn=, buf=, flags=1 '\001') at /home/archer/code/zephyr/zephyr/subsys/bluetooth/host/conn.c:1284
#28 0x08052e13 in hci_acl (buf=0x8081470 <net_buf_acl_in_pool+48>) at /home/archer/code/zephyr/zephyr/subsys/bluetooth/host/hci_core.c:1312
#29 hci_rx_thread () at /home/archer/code/zephyr/zephyr/subsys/bluetooth/host/hci_core.c:6567
#30 0x08049d78 in z_thread_entry (entry=0x8052cfd <hci_rx_thread>, p1=0x0, p2=0x0, p3=0x0) at /home/archer/code/zephyr/zephyr/lib/os/thread_entry.c:29
#31 0x0804f997 in posix_thread_starter (arg=0x4) at /home/archer/code/zephyr/zephyr/arch/posix/core/posix_core.c:305
#32 0xf7f42295 in start_thread () from /lib/i386-linux-gnu/libpthread.so.0
#33 0xf7e6c1ae in clone () from /lib/i386-linux-gnu/libc.so.6

[joerchan]

Looks correct to me.