Date:      Thu, 2 Apr 2020 18:01:14 +0900
From:      Takanori Watanabe <takawata@init-main.com>
To:        Marc Veldman <marc@bumblingdork.com>, freebsd-bluetooth@freebsd.org
Subject:   Re: Panic with Bluetooth LE, possible fix.
Message-ID:  <20200402090114.GA65660@sana.init-main.com>
In-Reply-To: <CABaTypHcmMsQgTuzHrT-NYkca6ZC_c1yx0Z%2BZ98mU=S5oH6%2BAQ@mail.gmail.com>
References:  <CABaTypHcmMsQgTuzHrT-NYkca6ZC_c1yx0Z%2BZ98mU=S5oH6%2BAQ@mail.gmail.com>

On Wed, Apr 01, 2020 at 07:45:28PM +0200, Marc Veldman wrote:
> Hello List,
> 
> apologies if this is the wrong list.
> Enabling bluetooth LE scanning will cause a panic:
> 
> Doing this with a Bluetooth 4.0 capable unit:
> 
> # hccontrol -n ubt0hci le_set_scan_param active 500 500 public all
> # hccontrol -n ubt0hci le_set_scan_enable enable
> # hccontrol -n ubt0hci le_enable enable
> <panic>
> 
> Attached the coredump and below a possible patch.
> The problem is that ep cannot safely be used as the test expression
> in the for loop because of the later m_pullup. This pattern is repeated
> at other places in this file and other places in bluetooth/hci.
> 
> I'm a beginner at C, and I'm not really sure if this is the proper way to go.
> Advice would be appreciated so I can submit a proper bug report with a patch.
> 
> Thanks in advance!
> 
> Index: sys/netgraph/bluetooth/hci/ng_hci_evnt.c
> ===================================================================
> --- sys/netgraph/bluetooth/hci/ng_hci_evnt.c    (revision 359500)
> +++ sys/netgraph/bluetooth/hci/ng_hci_evnt.c    (working copy)
> @@ -381,6 +381,7 @@
>      ng_hci_neighbor_p         n = NULL;
>      bdaddr_t             bdaddr;
>      int                 error = 0;
> +    int                 num_reports = 0;
>      u_int8_t event_type;
>      u_int8_t addr_type;
> 
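Review bot: the `= 0` initializer on `num_reports` is dead, since the second hunk assigns `ep->num_reports` to it unconditionally before any read; it is harmless and matches the neighbouring `error = 0` declaration, so this is cosmetic only. Consider dropping the initializer, or keep it for consistency with the file's style; either is fine.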
> @@ -389,9 +390,12 @@
>          return (ENOBUFS);
> 
>      ep = mtod(event, ng_hci_le_advertising_report_ep *);
> +    num_reports = ep->num_reports;
> +    /* ep can not be safely used after m_pullup */
> +    ep = NULL;
>      m_adj(event, sizeof(*ep));
> 
> -    for (; ep->num_reports > 0; ep->num_reports --) {
> +    for (; num_reports > 0; num_reports --) {
>          /* Get remote unit address */
>          NG_HCI_M_PULLUP(event, sizeof(u_int8_t));
>          event_type = *mtod(event, u_int8_t *);
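Review bot: copying `ep->num_reports` into a local before `m_adj()` is the right fix. `m_adj()` advances the mbuf data pointer past the header, and each `NG_HCI_M_PULLUP()` in the loop body may replace `event` with a freshly allocated mbuf and free the old one, so the removed loop condition `ep->num_reports > 0` was reading (and `ep->num_reports --` was writing) through a pointer into memory that may already have been freed or reused, which is consistent with the panic. Two nits: the comment `/* ep can not be safely used after m_pullup */` is more accurate as "after m_adj/m_pullup", since `ep` is logically stale as soon as the header is trimmed; and `m_adj(event, sizeof(*ep))` with `ep` just set to NULL is legal C (sizeof does not evaluate its operand) but reads oddly, so consider `sizeof(ng_hci_le_advertising_report_ep)` there, which keeps the `ep = NULL` line as a pure guard against later misuse.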

Thank you for tracking it down. I'll commit it.


