Panic with Bluetooth LE, possible fix.

Marc Veldman marc at bumblingdork.com
Thu Apr 2 09:35:07 UTC 2020



> On 2 Apr 2020, at 11:01, Takanori Watanabe <takawata at init-main.com> wrote:
> 
> On Wed, Apr 01, 2020 at 07:45:28PM +0200, Marc Veldman wrote:
>> Hello List,
>> 
>> apologies if this is the wrong list.
>> Enabling bluetooth LE scanning will cause a panic:
>> 
>> Doing this with a Bluetooth 4.0 capable unit:
>> 
>> # hccontrol -n ubt0hci le_set_scan_param active 500 500 public all
>> # hccontrol -n ubt0hci le_set_scan_enable enable
>> # hccontrol -n ubt0hci le_enable enable
>> <panic>
>> 
>> Attached the coredump and below a possible patch.
>> The problem is that ep cannot safely be used as the test expression
>> in the for loop
>> because of the later m_pullup. This pattern is repeated at other places in
>> this file and other places in bluetooth/hci.
>> 
>> I'm a beginner at C, and I'm not really sure if this is the proper way to go.
>> Advice would be appreciated so I can submit a proper bug report with a patch.
>> 
>> Thanks in advance!
>> 
>> Index: sys/netgraph/bluetooth/hci/ng_hci_evnt.c
>> ===================================================================
>> --- sys/netgraph/bluetooth/hci/ng_hci_evnt.c    (revision 359500)
>> +++ sys/netgraph/bluetooth/hci/ng_hci_evnt.c    (working copy)
>> @@ -381,6 +381,7 @@
>>     ng_hci_neighbor_p         n = NULL;
>>     bdaddr_t             bdaddr;
>>     int                 error = 0;
>> +    int                 num_reports = 0;
>>     u_int8_t event_type;
>>     u_int8_t addr_type;
>> 
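Review bot: the `= 0` initializer on `num_reports` in this hunk is redundant, since the variable is assigned unconditionally from `ep->num_reports` before the loop ever reads it; `int num_reports;` is enough, and style(9) asks that initializers in declarations be used only where they carry meaning. Note also that counting down a local copy means the `num_reports` byte inside the mbuf is no longer decremented in place; nothing visible relies on that side effect, but it is a behaviour change worth a sentence in the commit message.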
>> @@ -389,9 +390,12 @@
>>         return (ENOBUFS);
>> 
>>     ep = mtod(event, ng_hci_le_advertising_report_ep *);
>> +    num_reports = ep->num_reports;
>> +    /* ep can not be safely used after m_pullup */
>> +    ep = NULL;
>>     m_adj(event, sizeof(*ep));
>> 
>> -    for (; ep->num_reports > 0; ep->num_reports --) {
>> +    for (; num_reports > 0; num_reports --) {
>>         /* Get remote unit address */
>>         NG_HCI_M_PULLUP(event, sizeof(u_int8_t));
>>         event_type = *mtod(event, u_int8_t *);
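Review bot: `ep = NULL;` directly above `m_adj(event, sizeof(*ep));` reads like a NULL dereference. It is not one, because `sizeof` does not evaluate its operand, but it will stop every reader who meets it; either swap the two lines or write `sizeof(ng_hci_le_advertising_report_ep)`. The comment should also name the actual hazard: `m_adj()` only advances `m_data`, while `NG_HCI_M_PULLUP()` inside the loop goes through m_pullup(9), which may return a different leading mbuf and free the one it started from, so any pointer into the old data, `ep` included, is dead after the first pullup in the loop body. Copying the count out before the loop is the right fix, and the same rule applies to every other pointer taken before a pullup in this file.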
> 
> Thank you for tracking down. I'll commit it. 

Thanks! This pattern of using pointers to mbufs that get pulled up is repeated in this
file and possibly in the rest of the hci/bluetooth code.
Shall I submit a patch for those too?

Best regards,

Marc Veldman
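The hazard discussed above, as a user-space model added here for illustration; it is not FreeBSD code and not part of this thread. The toy mbuf (`tmbuf`), its `tm_pullup()`, which moves the data to a fresh block on every call and poisons the old block instead of freeing it so that the stale read is deterministic rather than undefined behaviour, the `TOY_ENOBUFS` value and the two-report event bytes are all constructed for the example. Each report carries the fields the quoted function declares (event type, address type, bdaddr) followed by a data length, data and RSSI, pulled up one at a time as in the kernel loop, and the pre-patch loop shape is run next to the patched one:

```c
/* Added example, not FreeBSD code: a user-space model of the dangling-pointer
 * hazard. tmbuf, tm_pullup(), TOY_ENOBUFS and EVENT are constructed here. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define TOY_ENOBUFS 55      /* stands in for the kernel's ENOBUFS */

/* Single-block stand-in for an mbuf. Dead blocks are poisoned and parked in
 * retired[] rather than freed, so a stale read yields observable garbage. */
struct tmbuf {
    uint8_t *base, *m_data;     /* block start; first live payload byte */
    size_t   cap, m_len;        /* block size; live bytes */
    uint8_t *retired[64];
    int      nretired;
};

/* m_adj(9) with a positive length: drop n bytes from the front. */
static void tm_adj(struct tmbuf *m, size_t n) { m->m_data += n; m->m_len -= n; }

/* m_pullup(9) model. The real call may return a different leading mbuf and
 * free the one it started from; this toy does so on every call (worst case). */
static int tm_pullup(struct tmbuf *m, size_t len)
{
    if (m->m_len < len || m->nretired == 64)
        return TOY_ENOBUFS;
    uint8_t *fresh = malloc(m->m_len);
    if (fresh == NULL)
        return TOY_ENOBUFS;
    memcpy(fresh, m->m_data, m->m_len);
    memset(m->base, 0xFF, m->cap);      /* poison the dead block */
    m->retired[m->nretired++] = m->base;
    m->base = m->m_data = fresh; m->cap = m->m_len;
    return 0;
}

struct adv_report { uint8_t event_type, addr_type, bdaddr[6], rssi; };
static struct adv_report reports[8];    /* output of the last run */
static int nreports;

/* One report, each field pulled up before it is read, as the kernel loop does. */
static int parse_one(struct tmbuf *m)
{
    struct adv_report r;
    int err;
    if (nreports == 8) return TOY_ENOBUFS;
    if ((err = tm_pullup(m, 1)) != 0) return err;
    r.event_type = m->m_data[0]; tm_adj(m, 1);
    if ((err = tm_pullup(m, 1)) != 0) return err;
    r.addr_type = m->m_data[0]; tm_adj(m, 1);
    if ((err = tm_pullup(m, 6)) != 0) return err;
    memcpy(r.bdaddr, m->m_data, 6); tm_adj(m, 6);
    if ((err = tm_pullup(m, 1)) != 0) return err;
    size_t dlen = m->m_data[0]; tm_adj(m, 1);
    if ((err = tm_pullup(m, dlen + 1)) != 0) return err;   /* data + RSSI */
    r.rssi = m->m_data[dlen]; tm_adj(m, dlen + 1);
    reports[nreports++] = r;
    return 0;
}

/* fixed == 0 is the pre-patch loop shape, fixed != 0 is the patch's. */
static int parse_reports(struct tmbuf *m, int fixed)
{
    struct hdr { uint8_t num_reports; } *ep;
    int err, num_reports;
    nreports = 0;
    if ((err = tm_pullup(m, sizeof(*ep))) != 0) return err;
    ep = (struct hdr *)m->m_data;
    num_reports = ep->num_reports;      /* copy out before the data can move */
    tm_adj(m, sizeof(*ep));
    if (!fixed) {   /* ep dies at the first pullup inside parse_one() */
        for (; ep->num_reports > 0; ep->num_reports--)
            if ((err = parse_one(m)) != 0) return err;
        return 0;
    }
    ep = NULL;                          /* never touched again */
    for (; num_reports > 0; num_reports--)
        if ((err = parse_one(m)) != 0) return err;
    return 0;
}

/* Constructed LE Advertising Report payload, two reports (not a capture). */
static const uint8_t EVENT[] = {
    2,                                              /* num_reports */
    0x00, 0x00, 0x11,0x22,0x33,0x44,0x55,0x66, 3, 0x02,0x01,0x06, 0xC4,
    0x04, 0x01, 0xAA,0xBB,0xCC,0xDD,0xEE,0xFF, 0, 0xCE,
};

/* Runs one parser over a fresh copy of EVENT; returns its error code. */
static int run_parse(int fixed)
{
    struct tmbuf m = { .cap = sizeof(EVENT), .m_len = sizeof(EVENT) };
    m.base = m.m_data = malloc(sizeof(EVENT));
    if (m.base == NULL) return TOY_ENOBUFS;
    memcpy(m.base, EVENT, sizeof(EVENT));
    int err = parse_reports(&m, fixed);
    free(m.base);
    for (int i = 0; i < m.nretired; i++) free(m.retired[i]);
    return err;
}
```

run_parse(0) parses both reports and then returns TOY_ENOBUFS: after the first pullup the loop test reads the poisoned byte (0xFF), the decrement writes into dead memory, and the third iteration runs out of data. run_parse(1) returns 0 with both reports in reports[]. The kernel equivalent of the stale read touches memory that m_pullup() may already have freed, which is the situation the patch removes.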
