BLE assert lld_con.c 3397, param 00000001 00000000 (IDFGH-14550)

[DamienEspitallier]

Answers checklist.

• I have read the documentation ESP-IDF Programming Guide and the issue is not addressed there.
• I have updated my IDF branch (master or release) to the latest version and checked that the issue is present there.
• I have searched the issue tracker for a similar issue and not found a similar issue.

IDF version.

ESP-IDF 5.4.0

Espressif SoC revision.

ESP32-S3

Operating System used.

Linux

How did you build your project?

Other (please specify in More Information)

If you are using Windows, please specify command line type.

None

Development Kit.

Custom board

Power Supply used.

Battery

What is the expected behavior?

No crash after BLE connection from a central device.

What is the actual behavior?

Our device is a ble peripheral. It works fine when connecting to a computer (python bleak, webble with chrome), ios (iphone, ipad) and android except with one device.

When using a samsung android phone (Galaxy S20 5G) as central, the esp32 crash with "BLE assert lld_con.c 3397, param 00000001 00000000" message just after the connection.

Steps to reproduce.

1. Enable nimble peripheral
2. Connect with Galaxy S20 5G
3. Crash

Debug Logs.

0x1b>[0;32mI (21697) GAP: MTU update: conn_handle=1, mtu=506<0x1b>[0m
<0x1b>[0;32mI (21698) BLE_FILE_TRANSFER: Updated max chunk size to 479 based on MTU 506 and DLE 27<0x1b>[0m
<0x1b>[0;32mI (21745) GAP: Data length changed: conn_handle=0, tx_len=251, tx_time=2120<0x1b>[0m
<0x1b>[0;32mI (21746) BLE_FILE_TRANSFER: Updated max chunk size to 495 based on MTU 506 and DLE 251<0x1b>[0m
BLE assert lld_con.c 3397, param 00000001 00000000
Guru Meditation Error: Core  0 panic'ed (Interrupt wdt timeout on CPU0). 

Core  0 register dump:
PC      : 0x40006fcb  PS      : 0x00060934  A0      : 0x8001c7d5  A1      : 0x3fcc6830  
A2      : 0x00000001  A3      : 0x00000000  A4      : 0x3ff19e72  A5      : 0x00000d45  
A6      : 0x0000506c  A7      : 0x00000000  A8      : 0x00000001  A9      : 0x3fcef9e4  
A10     : 0x3fcef9e4  A11     : 0x00000001  A12     : 0x00000001  A13     : 0x00000000  
A14     : 0x00000001  A15     : 0x0000cdcd  SAR     : 0x00000005  EXCCAUSE: 0x00000005  
EXCVADDR: 0x00000000  LBEG    : 0x40006fc4  LEND    : 0x40006fcb  LCOUNT  : 0x00000000  


Backtrace: 0x40006fc8:0x3fcc6830 0x4001c7d2:0x3fcc6850 0x4205603a:0x3fcc6870 0x42056221:0x3fcc68a0 0x4205624d:0x3fcc68c0 0x42055a25:0x3fcc68e0 0x40012e7d:0x3fcc6960 0x42061bef:0x3fcc6980 0x4000d025:0x3fcc69b0 0x4002c4a5:0x3fcc69d0 0x42052dbb:0x3fcc69f0 0x403799b9:0x3fcc6a10 0x40379b87:0x3fcc6a30 0x4038354d:0x3fcc6a60


Core  1 register dump:
PC      : 0x4037f81e  PS      : 0x00060834  A0      : 0x8203c299  A1      : 0x3fcb1640  
A2      : 0x00000000  A3      : 0x00000000  A4      : 0x3fcae340  A5      : 0x3fcae320  
A6      : 0x40376d04  A7      : 0x00000001  A8      : 0x8203caee  A9      : 0x3fcb1600  
A10     : 0x00000000  A11     : 0x00000001  A12     : 0x803838e9  A13     : 0x3fcdbf00  
A14     : 0x00060023  A15     : 0x3fcb180c  SAR     : 0x00000000  EXCCAUSE: 0x00000005  
EXCVADDR: 0x00000000  LBEG    : 0x00000000  LEND    : 0x00000000  LCOUNT  : 0x00000000  


Backtrace: 0x4037f81b:0x3fcb1640 0x4203c296:0x3fcb1660 0x403843f1:0x3fcb1680 0x4038354d:0x3fcb16a0




decoded backtrace #0: 
0x40006fc8: ?? ??:0
0x4001c7d2: ?? ??:0
0x4205603a: r_llc_loc_phy_upd_proc_continue at ??:?
0x42056221: f_ll_phy_update_ind_handler at ??:?
0x4205624d: ll_phy_update_ind_handler_hack at ??:?
0x42055a25: r_lld_llcp_rx_ind_handler at ??:?
0x40012e7d: ?? ??:0
0x42061bef: r_ke_task_schedule at ??:?
0x4000d025: ?? ??:0
0x4002c4a5: ?? ??:0
0x42052dbb: rw_schedule at ??:?
0x403799b9: ble_try_turn_on_pll_track at ??:?
0x40379b87: btdm_controller_task at ??:?
0x4038354d: vPortTaskWrapper at port.c:139

decoded backtrace #1:
0x4037f81b: xt_utils_wait_for_intr at xt_utils.h:82
 (inlined by) esp_cpu_wait_for_intr at cpu.c:55
0x4203c296: esp_vApplicationIdleHook at freertos_hooks.c:58
0x403843f1: prvIdleTask at tasks.c:4353 (discriminator 1)
0x4038354d: vPortTaskWrapper at port.c:139

More Information.

lld_con.c is from an opaque lib so hard to debug. It is easy to reproduce on the samsung phone as it always crash, but I did not achieve to reproduce the crash with another phone or computer.

[DamienEspitallier]

While trying to reduce my code to provide a simple example I found that it only occurs if I enable PHY_2M

//no bug if these lines are removed
rc = ble_gap_set_prefered_le_phy(conn_handle,
BLE_GAP_LE_PHY_2M_MASK,
BLE_GAP_LE_PHY_2M_MASK,
0); // no coded PHY options
if (rc != 0) {
ESP_LOGE(TAG, "Error requesting PHY update: rc=%d", rc);
}