From 8921a3682806e4667b5668200749070dbc1c03b1 Mon Sep 17 00:00:00 2001
From: zhiweijian <zhiweijian@espressif.com>
Date: Mon, 11 Sep 2017 17:30:50 +0800
Subject: [PATCH] Component/bt: fix bug for gatts notify stress test crash

---
 components/bt/bluedroid/api/esp_gatt_common_api.c |  2 +-
 components/bt/bluedroid/hci/hci_layer.c           | 12 ++++++++++--
 components/bt/bluedroid/hci/packet_fragmenter.c   |  7 +++++++
 3 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/components/bt/bluedroid/api/esp_gatt_common_api.c b/components/bt/bluedroid/api/esp_gatt_common_api.c
index e184325a14..6d795c1c08 100644
--- a/components/bt/bluedroid/api/esp_gatt_common_api.c
+++ b/components/bt/bluedroid/api/esp_gatt_common_api.c
@@ -37,7 +37,7 @@ esp_err_t esp_ble_gatt_set_local_mtu (uint16_t mtu)
     ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED);
 
     if ((mtu < ESP_GATT_DEF_BLE_MTU_SIZE) || (mtu > ESP_GATT_MAX_MTU_SIZE)) {
-        return ESP_GATT_ILLEGAL_PARAMETER;
+        return ESP_ERR_INVALID_SIZE;
     }
 
     msg.sig = BTC_SIG_API_CALL;
diff --git a/components/bt/bluedroid/hci/hci_layer.c b/components/bt/bluedroid/hci/hci_layer.c
index 1c5117c7f2..6651fb6f2d 100644
--- a/components/bt/bluedroid/hci/hci_layer.c
+++ b/components/bt/bluedroid/hci/hci_layer.c
@@ -363,8 +363,16 @@ static void fragmenter_transmit_finished(BT_HDR *packet, bool all_fragments_sent
         // This is kind of a weird case, since we're dispatching a partially sent packet
         // up to a higher layer.
         // TODO(zachoverflow): rework upper layer so this isn't necessary.
-        buffer_allocator->free(packet);
-        //dispatch_reassembled(packet);
+        //buffer_allocator->free(packet);
+
+        /* dispatch_reassembled(packet) will send the packet back to the higher layer
+           when controller buffer is not enough. hci will send the remain packet back
+           to the l2cap layer and saved in the Link Queue (p_lcb->link_xmit_data_q).
+           The l2cap layer will resend the packet to lower layer when controller buffer
+           can be used.
+        */
+
+        dispatch_reassembled(packet);
         //data_dispatcher_dispatch(interface.event_dispatcher, packet->event & MSG_EVT_MASK, packet);
     }
 }
diff --git a/components/bt/bluedroid/hci/packet_fragmenter.c b/components/bt/bluedroid/hci/packet_fragmenter.c
index d597809a7b..67e89c28af 100644
--- a/components/bt/bluedroid/hci/packet_fragmenter.c
+++ b/components/bt/bluedroid/hci/packet_fragmenter.c
@@ -111,6 +111,13 @@ static void fragment_and_dispatch(BT_HDR *packet)
             packet->layer_specific--;
             if (packet->layer_specific == 0) {
                 packet->event = MSG_HC_TO_STACK_L2C_SEG_XMIT;
+
+                /* The remain packet will send back to the l2cap layer when controller buffer is not enough
+                   current_fragment_packet must be NULL, otherwise hci_host_thread_handler() will
+                   connitue handle the remain packet. then the remain packet will be freed.
+                */
+
+                current_fragment_packet = NULL;
                 callbacks->transmit_finished(packet, false);
                 return;
             }