Panic with Bluetooth LE, possible fix.
Marc Veldman
marc at bumblingdork.com
Wed Apr 1 17:46:12 UTC 2020
Hello List,
apologies if this is the wrong list.
Enabling bluetooth LE scanning will cause a panic:
Doing this with a Bluetooth 4.0 capable unit:
# hccontrol -n ubt0hci le_set_scan_param active 500 500 public all
# hccontrol -n ubt0hci le_set_scan_enable enable
# hccontrol -n ubt0hci le_enable enable
<panic>
Attached is the coredump, and below is a possible patch.
The problem is that ep cannot safely be used as the test expression
in the for loop
because of the later m_pullup. This pattern is repeated at other places in
this file and other places in bluetooth/hci.
I'm a beginner at C, and I'm not really sure if this is the proper way to go.
Advice would be appreciated so I can submit a proper bug report with a patch.
Thanks in advance!
Index: sys/netgraph/bluetooth/hci/ng_hci_evnt.c
===================================================================
--- sys/netgraph/bluetooth/hci/ng_hci_evnt.c (revision 359500)
+++ sys/netgraph/bluetooth/hci/ng_hci_evnt.c (working copy)
@@ -381,6 +381,7 @@
ng_hci_neighbor_p n = NULL;
bdaddr_t bdaddr;
int error = 0;
+ int num_reports = 0;
u_int8_t event_type;
u_int8_t addr_type;
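Review bot: the new local is declared as int, but in the next hunk it is assigned from ep->num_reports, whose type is not visible in this diff; declare the local with the same type as that field so the copy involves no silent widening or sign change, and drop the "= 0" initialiser, which is dead since the variable is unconditionally assigned before the loop.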
@@ -389,9 +390,12 @@
return (ENOBUFS);
ep = mtod(event, ng_hci_le_advertising_report_ep *);
+ num_reports = ep->num_reports;
+ /* ep can not be safely used after m_pullup */
+ ep = NULL;
m_adj(event, sizeof(*ep));
- for (; ep->num_reports > 0; ep->num_reports --) {
+ for (; num_reports > 0; num_reports --) {
/* Get remote unit address */
NG_HCI_M_PULLUP(event, sizeof(u_int8_t));
event_type = *mtod(event, u_int8_t *);
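Review bot: the fix is sound: NG_HCI_M_PULLUP inside the loop may replace the mbuf, so evaluating ep->num_reports through the mtod() pointer taken before the loop reads memory that m_pullup may already have freed, and copying the count out before the loop removes that. Two points on the hunk itself: "ep = NULL;" placed before "m_adj(event, sizeof(*ep));" is legal, since sizeof does not evaluate its operand, but it reads as a NULL dereference to anyone skimming the code; either move the "ep = NULL;" after the m_adj call or write "m_adj(event, sizeof(ng_hci_le_advertising_report_ep));". The comment should also state the reason rather than the rule, e.g. "m_pullup may free event and return a new mbuf, so ep is stale after the first NG_HCI_M_PULLUP in the loop". Since the mail says the same pattern occurs elsewhere in this file and in bluetooth/hci, the other instances belong in the same change so the bug class is closed in one commit.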
Best regards,
Marc Veldman
-------------- next part --------------
A non-text attachment was scrubbed...
Name: core.txt.3
Type: application/octet-stream
Size: 193895 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-bluetooth/attachments/20200401/b6970058/attachment-0001.obj>
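As an added illustration, not part of Marc's mail or of the FreeBSD source, the C program below models the hazard the patch addresses. The sim_mbuf, sim_pullup and sim_adj names are a hypothetical stand-in for the kernel mbuf API, and the report layout (one count byte, then two bytes per report) is constructed for the example and is not the HCI advertising-report wire format. sim_pullup always moves the data to fresh storage, the worst case of what m_pullup may do, so a pointer kept across it is exactly the stale pointer the patched loop avoids.

```c
/* Added example (not from the mail or the kernel): models why the report
 * count must be copied out of the header before any pullup call.
 * sim_mbuf / sim_pullup / sim_adj are a hypothetical simulation of the
 * mbuf API; the packet layout below is constructed, not the HCI format. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct sim_mbuf {
    uint8_t *data;
    size_t   len;
};

/* Constructed header: the first byte is the number of reports. */
struct sim_report_hdr {
    uint8_t num_reports;
};

/* Like m_pullup: guarantee n contiguous bytes at the front. To expose the
 * hazard it ALWAYS moves the data to new storage, so every pointer taken
 * before the call dangles afterwards. Returns -1 on a short packet. */
static int sim_pullup(struct sim_mbuf *m, size_t n)
{
    uint8_t *fresh;

    if (m->len < n)
        return -1;
    fresh = malloc(m->len);
    if (fresh == NULL)
        return -1;
    memcpy(fresh, m->data, m->len);
    free(m->data);          /* old buffer is gone, as m_pullup may do */
    m->data = fresh;
    return 0;
}

/* Like m_adj with a positive count: drop n bytes from the front. */
static void sim_adj(struct sim_mbuf *m, size_t n)
{
    memmove(m->data, m->data + n, m->len - n);
    m->len -= n;
}

/* Parse the reports the way the patched loop does: copy the count out of
 * the header before the loop, then never touch the header pointer again
 * and re-derive every data pointer after each pullup.
 * Returns the number of reports consumed, or -1 on a truncated packet. */
int parse_reports(struct sim_mbuf *m)
{
    struct sim_report_hdr *hdr;
    uint8_t num_reports, event_type, addr_type;
    int consumed = 0;

    if (sim_pullup(m, sizeof(*hdr)) != 0)
        return -1;
    hdr = (struct sim_report_hdr *)m->data;
    num_reports = hdr->num_reports;     /* copy before hdr goes stale */
    hdr = NULL;                         /* sizeof(*hdr) is not evaluated */
    sim_adj(m, sizeof(*hdr));

    for (; num_reports > 0; num_reports--) {
        /* Each pullup may move m->data, so read through m->data afresh. */
        if (sim_pullup(m, sizeof(uint8_t)) != 0)
            return -1;
        event_type = *m->data;
        sim_adj(m, sizeof(uint8_t));

        if (sim_pullup(m, sizeof(uint8_t)) != 0)
            return -1;
        addr_type = *m->data;
        sim_adj(m, sizeof(uint8_t));

        (void)event_type;
        (void)addr_type;
        consumed++;
    }
    return consumed;
}

/* Run the parser over a constructed packet; returns parse_reports' result. */
static int run_packet(const uint8_t *pkt, size_t len)
{
    struct sim_mbuf m;
    int n;

    m.len = len;
    m.data = malloc(len);
    if (m.data == NULL)
        return -1;
    memcpy(m.data, pkt, len);
    n = parse_reports(&m);
    free(m.data);
    return n;
}

/* Constructed packet: count 3, then three 2-byte reports -> returns 3. */
int run_sample(void)
{
    static const uint8_t sample[] = { 3, 0x00, 0x01, 0x03, 0x00, 0x04, 0x01 };
    return run_packet(sample, sizeof(sample));
}

/* Constructed packet claiming 3 reports but carrying only 1.5 -> returns -1
 * instead of reading past the end, because each pullup checks the length. */
int run_truncated(void)
{
    static const uint8_t truncated[] = { 3, 0x00, 0x01, 0x03 };
    return run_packet(truncated, sizeof(truncated));
}
```

The two cases show the two properties a defender wants from this loop: with a well-formed packet the copied count drives the iteration without ever touching the header pointer again, and with a packet whose count exceeds its payload the per-report pullup, not the count, is what stops the parse.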