From: Takanori Watanabe
To: Marc Veldman, freebsd-bluetooth@freebsd.org
Subject: Re: Panic with Bluetooth LE, possible fix.
Date: Thu, 2 Apr 2020 18:01:14 +0900
Message-ID: <20200402090114.GA65660@sana.init-main.com>
List-Id: Using Bluetooth in FreeBSD environments

On Wed, Apr 01, 2020 at 07:45:28PM +0200, Marc Veldman wrote:
> Hello List,
>
> Apologies if this is the wrong list.
> Enabling Bluetooth LE scanning will cause a panic:
>
> Doing this with a Bluetooth 4.0 capable unit:
>
> # hccontrol -n ubt0hci le_set_scan_param active 500 500 public all
> # hccontrol -n ubt0hci le_set_scan_enable enable
> # hccontrol -n ubt0hci le_enable enable
>
> Attached the coredump and below a possible patch.
> The problem is that ep cannot safely be used as the test expression
> in the for loop because of the later m_pullup. This pattern is repeated
> at other places in this file and other places in bluetooth/hci.
>
> I'm a beginner at C, and I'm not really sure if this is the proper way to go.
> Advice would be appreciated so I can submit a proper bug report with a patch.
>
> Thanks in advance!
>
> Index: sys/netgraph/bluetooth/hci/ng_hci_evnt.c
> ===================================================================
> --- sys/netgraph/bluetooth/hci/ng_hci_evnt.c (revision 359500)
> +++ sys/netgraph/bluetooth/hci/ng_hci_evnt.c (working copy)
> @@ -381,6 +381,7 @@
> ng_hci_neighbor_p n = NULL;
> bdaddr_t bdaddr;
> int error = 0;
> + int num_reports = 0;
> u_int8_t event_type;
> u_int8_t addr_type;
>
> @@ -389,9 +390,12 @@
> return (ENOBUFS);
>
> ep = mtod(event, ng_hci_le_advertising_report_ep *);
> + num_reports = ep->num_reports;
> + /* ep can not be safely used after m_pullup */
> + ep = NULL;
> m_adj(event, sizeof(*ep));
>
> - for (; ep->num_reports > 0; ep->num_reports --) {
> + for (; num_reports > 0; num_reports --) {
> /* Get remote unit address */
> NG_HCI_M_PULLUP(event, sizeof(u_int8_t));
> event_type = *mtod(event, u_int8_t *);

Thank you for tracking it down. I'll commit it.
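Review bot: the `= 0` in `+ int num_reports = 0;` (first hunk, the declarations at line 381) is dead, because the second hunk assigns `num_reports = ep->num_reports;` unconditionally right after the pullup and the only exit before that is `return (ENOBUFS);`; plain `int num_reports;` is enough, although the initializer matches the neighbouring `int error = 0;` and does no harm.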
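Review bot: in the second hunk (around line 390), `+ ep = NULL;` immediately followed by the unchanged `m_adj(event, sizeof(*ep));` is correct, since sizeof does not evaluate its operand, but it reads like a NULL dereference to anyone skimming; either move `ep = NULL;` below the m_adj or write `m_adj(event, sizeof(ng_hci_le_advertising_report_ep));`. The comment `/* ep can not be safely used after m_pullup */` should also name which pullup: the `NG_HCI_M_PULLUP(event, sizeof(u_int8_t));` inside the loop, which reassigns `event` and may replace the mbuf ep pointed into, so the old `ep->num_reports --` both read and wrote through a stale pointer on every iteration after the first; the local copy removes both. Marc notes the same pattern recurs elsewhere in this file and in bluetooth/hci, so those sites want the same treatment.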
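The stale-pointer pattern Marc describes, as an added example that is not part of this thread or of the FreeBSD sources: a toy mbuf whose pullup always relocates the payload and poisons the buffer it leaves behind, with the pre-patch loop (counter read and decremented through the mtod() pointer) beside the patched one (counter copied to a local first). Everything named toy_*, take, consume_report, parse_reports_* and run is invented here; adv_report_ep mirrors only the two fields the patch uses from ng_hci_le_advertising_report_ep, and the per-report layout follows the HCI LE Advertising Report format. The input bytes are constructed for the example.

```c
/* Added example, not FreeBSD code: a pointer obtained with mtod() cannot carry
 * loop state once the loop pulls up the same mbuf. toy_pullup()/toy_adj() are
 * assumed to act like NG_HCI_M_PULLUP()/m_adj(): a pullup may move the payload. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct toy_mbuf { uint8_t *base, *data; size_t len, cap; }; /* data: unread start */
/* Parked here for toy_free_all(); buffers a pullup abandons stay mapped but
 * poisoned with 0xff, so a stale pointer reads garbage instead of faulting. */
static struct toy_mbuf *pool[64];
static int npool;
static struct toy_mbuf *toy_mbuf_new(const uint8_t *src, size_t n) {
    struct toy_mbuf *m = calloc(1, sizeof(*m));
    if (m == NULL || (m->base = malloc(n ? n : 1)) == NULL) abort();
    memcpy(m->base, src, n);
    m->data = m->base; m->len = m->cap = n;
    pool[npool++] = m;
    return m;
}
static void toy_free_all(void) { while (npool) { struct toy_mbuf *m = pool[--npool]; free(m->base); free(m); } }
static void toy_adj(struct toy_mbuf *m, size_t n) { m->data += n; m->len -= n; }
/* Like NG_HCI_M_PULLUP(event, n): *mp gets a mbuf with n contiguous bytes in
 * front, or ENOBUFS if fewer remain. Always relocates and poisons the old one. */
static int toy_pullup(struct toy_mbuf **mp, size_t n) {
    struct toy_mbuf *m = *mp;
    if (m->len < n) return ENOBUFS;
    *mp = toy_mbuf_new(m->data, m->len);
    memset(m->base, 0xff, m->cap); m->len = 0;
    return 0;
}
/* The per-field pullup / mtod() / m_adj() triple ng_hci_evnt.c uses. */
static int take(struct toy_mbuf **mp, void *out, size_t n) {
    int err = toy_pullup(mp, n);
    if (err) return err;
    memcpy(out, (*mp)->data, n); toy_adj(*mp, n);
    return 0;
}

/* Modeled on ng_hci_le_advertising_report_ep: subevent code, report count. */
struct adv_report_ep { uint8_t subevent_code; uint8_t num_reports; };
/* One LE advertising report: event type, address type, bdaddr, AD length,
 * AD data, RSSI, consumed field by field as the kernel does. */
static int consume_report(struct toy_mbuf **mp) {
    uint8_t event_type, addr_type, bdaddr[6], dlen, data[31], rssi;
    int err;
    if ((err = take(mp, &event_type, 1)) || (err = take(mp, &addr_type, 1)) ||
        (err = take(mp, bdaddr, 6)) || (err = take(mp, &dlen, 1))) return err;
    if (dlen > sizeof(data)) return EINVAL;
    if ((err = take(mp, data, dlen)) || (err = take(mp, &rssi, 1))) return err;
    return 0;
}
/* Before the fix: ep points into the mbuf the first take() in the loop
 * replaces, so the loop test reads, and the decrement writes, an abandoned
 * buffer; the count turns into 0xff and the loop runs past the real reports. */
static int parse_reports_buggy(struct toy_mbuf *event, int *parsed) {
    struct adv_report_ep *ep; int err;
    *parsed = 0;
    if ((err = toy_pullup(&event, sizeof(*ep))) != 0) return err;
    ep = (struct adv_report_ep *)event->data;            /* mtod() */
    toy_adj(event, sizeof(*ep));
    for (; ep->num_reports > 0; ep->num_reports--) {
        if ((err = consume_report(&event)) != 0) return err;
        (*parsed)++;
    }
    return 0;
}
/* After the fix: copy the count out before anything can move the mbuf. */
static int parse_reports_fixed(struct toy_mbuf *event, int *parsed) {
    struct adv_report_ep *ep; int err, num_reports;
    *parsed = 0;
    if ((err = toy_pullup(&event, sizeof(*ep))) != 0) return err;
    ep = (struct adv_report_ep *)event->data;
    num_reports = ep->num_reports;
    toy_adj(event, sizeof(struct adv_report_ep));
    ep = NULL;                                            /* never used again */
    for (; num_reports > 0; num_reports--) {
        if ((err = consume_report(&event)) != 0) return err;
        (*parsed)++;
    }
    return 0;
}
/* Constructed input: subevent 0x02, two reports, each with a 3-byte Flags AD. */
static const uint8_t sample_event[] = { 0x02, 0x02,
    0x00, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x03, 0x02, 0x01, 0x06, 0xc8,
    0x03, 0x01, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x03, 0x02, 0x01, 0x1a, 0xb0 };
/* Runs one parser over a fresh copy of sample_event; returns its error code. */
static int run(int (*parser)(struct toy_mbuf *, int *), int *parsed) {
    int err = parser(toy_mbuf_new(sample_event, sizeof(sample_event)), parsed);
    toy_free_all();
    return err;
}

int main(void) {
    int n, err = run(parse_reports_buggy, &n);
    printf("buggy: err=%d (ENOBUFS=%d) parsed=%d\n", err, ENOBUFS, n);
    err = run(parse_reports_fixed, &n);
    printf("fixed: err=%d parsed=%d\n", err, n);
}
```

Compiled stand-alone it prints both outcomes. The buggy loop parses its two real reports and then keeps going, because the count it re-reads is the 0xff poison (decremented to 0xfe), and fails with ENOBUFS on a third report that does not exist; in the kernel that read and write land in an mbuf the pullup has already given up. The fixed loop stops after exactly two. The fixed version also passes the type rather than `*ep` to the adjust once `ep` has been nulled, which is the readability point a reviewer would raise about the patch as posted.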