> On 2 Apr 2020, at 11:01, Takanori Watanabe <takaw...@init-main.com> wrote:
>
> On Wed, Apr 01, 2020 at 07:45:28PM +0200, Marc Veldman wrote:
>> Hello List,
>>
>> apologies if this is the wrong list.
>> Enabling bluetooth LE scanning will cause a panic:
>>
>> Doing this with a Bluetooth 4.0 capable unit:
>>
>> # hccontrol -n ubt0hci le_set_scan_param active 500 500 public all
>> # hccontrol -n ubt0hci le_set_scan_enable enable
>> # hccontrol -n ubt0hci le_enable enable
>> <panic>
>>
>> Attached the coredump and below a possible patch.
>> The problem is that ep cannot safely be used as the test expression
>> in the for loop because of the later m_pullup. This pattern is repeated
>> at other places in this file and other places in bluetooth/hci.
>>
>> I'm a beginner at C, and I'm not really sure if this is the proper way to go.
>> Advice would be appreciated so I can submit a proper bug report with a patch.
>>
>> Thanks in advance!
>>
>> Index: sys/netgraph/bluetooth/hci/ng_hci_evnt.c
>> ===================================================================
>> --- sys/netgraph/bluetooth/hci/ng_hci_evnt.c (revision 359500)
>> +++ sys/netgraph/bluetooth/hci/ng_hci_evnt.c (working copy)
>> @@ -381,6 +381,7 @@
>> ng_hci_neighbor_p n = NULL;
>> bdaddr_t bdaddr;
>> int error = 0;
>> + int num_reports = 0;
>> u_int8_t event_type;
>> u_int8_t addr_type;
>>
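Review bot: in the declarations, `int num_reports = 0;` carries an initialiser that is never read, because the second hunk assigns `num_reports = ep->num_reports;` before the loop first tests it. Drop the `= 0`, and consider declaring the local with the same type as the `num_reports` field it copies, so the assignment involves no implicit conversion.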
>> @@ -389,9 +390,12 @@
>> return (ENOBUFS);
>>
>> ep = mtod(event, ng_hci_le_advertising_report_ep *);
>> + num_reports = ep->num_reports;
>> + /* ep can not be safely used after m_pullup */
>> + ep = NULL;
>> m_adj(event, sizeof(*ep));
>>
>> - for (; ep->num_reports > 0; ep->num_reports --) {
>> + for (; num_reports > 0; num_reports --) {
>> /* Get remote unit address */
>> NG_HCI_M_PULLUP(event, sizeof(u_int8_t));
>> event_type = *mtod(event, u_int8_t *);
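Review bot: with `ep = NULL` set before the loop, any use of `ep` remaining in the loop body below the lines shown here now dereferences NULL, so check the rest of the loop for leftover `ep->` references before this is committed. The comment would also read better directly above the `for`, since it is the `NG_HCI_M_PULLUP` inside the loop that it warns about; `m_adj(event, sizeof(*ep))` is fine after the assignment because `sizeof` does not evaluate `*ep`. Style: `num_reports --` keeps the stray space from the original line, and "can not" in the comment should be "cannot".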
>
> Thank you for tracking it down. I'll commit it.

Thanks! This pattern of using pointers to mbufs that get pulled up is repeated
in this file and possibly in the rest of the hci/bluetooth code.
Shall I submit a patch for those too?
Best regards,
Marc Veldman