Panic with Bluetooth LE, possible fix.

Takanori Watanabe takawata at init-main.com
Thu Apr 2 09:04:15 UTC 2020


On Wed, Apr 01, 2020 at 07:45:28PM +0200, Marc Veldman wrote:
> Hello List,
> 
> apologies if this is the wrong list.
> Enabling bluetooth LE scanning will cause a panic:
> 
> Doing this with a Bluetooth 4.0 capable unit:
> 
> # hccontrol -n ubt0hci le_set_scan_param active 500 500 public all
> # hccontrol -n ubt0hci le_set_scan_enable enable
> # hccontrol -n ubt0hci le_enable enable
> <panic>
> 
> Attached the coredump and below a possible patch.
> The problem is that ep cannot safely be used as the test expression
> in the for loop
> because of the later m_pullup. This pattern is repeated at other places in
> this file and other places in bluetooth/hci.
> 
> I'm a beginner at C, and I'm not really sure if this is the proper way to go.
> Advice would be appreciated so I can submit a proper bug report with a patch.
> 
> Thanks in advance!
> 
> Index: sys/netgraph/bluetooth/hci/ng_hci_evnt.c
> ===================================================================
> --- sys/netgraph/bluetooth/hci/ng_hci_evnt.c    (revision 359500)
> +++ sys/netgraph/bluetooth/hci/ng_hci_evnt.c    (working copy)
> @@ -381,6 +381,7 @@
>      ng_hci_neighbor_p         n = NULL;
>      bdaddr_t             bdaddr;
>      int                 error = 0;
> +    int                 num_reports = 0;
>      u_int8_t event_type;
>      u_int8_t addr_type;
> 
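Review bot: the `= 0` initializer on `int num_reports = 0;` is redundant, since the variable is assigned from `ep->num_reports` before its first read in the following hunk; more importantly, consider declaring it with the same type as the `num_reports` field of `ng_hci_le_advertising_report_ep` rather than `int`, so the local copy cannot widen or sign-convert the value it mirrors. The new declaration should also follow the tab-aligned column used by the surrounding declarations (`ng_hci_neighbor_p`, `bdaddr_t`, `int error`).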
> @@ -389,9 +390,12 @@
>          return (ENOBUFS);
> 
>      ep = mtod(event, ng_hci_le_advertising_report_ep *);
> +    num_reports = ep->num_reports;
> +    /* ep can not be safely used after m_pullup */
> +    ep = NULL;
>      m_adj(event, sizeof(*ep));
> 
> -    for (; ep->num_reports > 0; ep->num_reports --) {
> +    for (; num_reports > 0; num_reports --) {
>          /* Get remote unit address */
>          NG_HCI_M_PULLUP(event, sizeof(u_int8_t));
>          event_type = *mtod(event, u_int8_t *);
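Review bot: `m_adj(event, sizeof(*ep));` is evaluated after `ep = NULL;`, which is well-defined C (sizeof does not evaluate its operand) but reads like a NULL dereference; move `ep = NULL;` below the `m_adj()` call, or write `sizeof(ng_hci_le_advertising_report_ep)`, so the intent is obvious. The comment `/* ep can not be safely used after m_pullup */` would be more useful if it said why: `NG_HCI_M_PULLUP()` inside the loop may replace the mbuf, so the pointer obtained from `mtod()` no longer refers to valid data, which is what caused the panic. The loop now counts down a local instead of writing back into the packet header, which is the right fix; `num_reports --` should be written `num_reports--` to match the surrounding style.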

Thank you for tracking this down. I'll commit it.

