Fix iterating over BT LE responses
ClosedPublic
Actions

Authored by kibab on Nov 1 2019, 9:45 PM.

Details

Reviewers

imp
takawata

Summary

ep->num_responses is a member in a packed structure, and arithmetic manipulations on it don't work well at least on aarch64.
So if ep->num_responses == 1, ep->num_responses -1 will be 251 :-( and this breaks all iterator code that follows.

Test Plan

Apply patch, then run:

hccontrol le_enable enable
hccontrol le_set_scan_enable enable

Without the patch the second command results in kernel panic (on Pine64 which is 64-bit ARM). With the patch it completes OK and I can later use "hccontrol read_neighbor_cache" to see the list of LE devices.

Diff Detail

Lint

Lint Skipped

Unit

Tests Skipped

Build Status

Buildable 27314

Event Timeline

kibab created this revision.Nov 1 2019, 9:45 PM

Herald added a subscriber: donner. · View Herald TranscriptNov 1 2019, 9:45 PM

Harbormaster completed remote builds in B27314: Diff 63871.Nov 1 2019, 9:45 PM

donner added inline comments.Nov 2 2019, 4:05 PM

sys/netgraph/bluetooth/hci/ng_hci_evnt.c
395–396	This original loop modifies the record field "num_reports" directly inside the netgraph data. After this modification, only a temporary variable is modified, but the result is not stored back. So the modification is not semantically equivalent. Please explain, why this change in functionality is allowed in this context.
400	The error message is very generic and not helpful for the end user. It looks more like a programming issue (i.e. erroneous code path) Is it possible to log something more specific about the reason for the error? Something like "low on memory" or "packet too short" (or whatever is more likely).