[PATCH v1] bluetooth: guard against controllers sending zero'd events

[PATCH v1] bluetooth: guard against controllers sending zero'd events

[Alain Michaud]

Some controllers have been observed to send zero'd events under some
conditions.  This change guards against this condition as well as adding
a trace to facilitate diagnosability of this condition.

Signed-off-by: Alain Michaud <alainm@chromium.org>
---

 net/bluetooth/hci_event.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 591e7477e925..f865eddb8d69 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -5868,7 +5868,8 @@ void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
 	u8 status = 0, event = hdr->evt, req_evt = 0;
 	u16 opcode = HCI_OP_NOP;
 
-	if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->hci.req_event == event) {
+	if (hdev->sent_cmd && event &&
+	    bt_cb(hdev->sent_cmd)->hci.req_event == event) {
 		struct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data;
 		opcode = __le16_to_cpu(cmd_hdr->opcode);
 		hci_req_cmd_complete(hdev, opcode, status, &req_complete,
@@ -5876,6 +5877,9 @@ void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
 		req_evt = event;
 	}
 
+	if (!event)
+		BT_ERR("Received unexpected HCI Event 00000000");
+
 	/* If it looks like we might end up having to call
 	 * req_complete_skb, store a pristine copy of the skb since the
 	 * various handlers may modify the original one through
-- 
2.25.0.265.gbab2e86ba0-goog

Re: [PATCH v1] bluetooth: guard against controllers sending zero'd events

[Marcel Holtmann]

Hi Alain,

> Some controllers have been observed to send zero'd events under some
> conditions.  This change guards against this condition as well as adding
> a trace to facilitate diagnosability of this condition.

can you include a trace for this as well please.

> 
> Signed-off-by: Alain Michaud <alainm@chromium.org>
> ---
> 
> net/bluetooth/hci_event.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
> index 591e7477e925..f865eddb8d69 100644
> --- a/net/bluetooth/hci_event.c
> +++ b/net/bluetooth/hci_event.c
> @@ -5868,7 +5868,8 @@ void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
> 	u8 status = 0, event = hdr->evt, req_evt = 0;
> 	u16 opcode = HCI_OP_NOP;
> 
> -	if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->hci.req_event == event) {
> +	if (hdev->sent_cmd && event &&
> +	    bt_cb(hdev->sent_cmd)->hci.req_event == event) {

Why are you bothering to check for event here. Do we have requests set with hci_req.event == 0?

> 		struct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data;
> 		opcode = __le16_to_cpu(cmd_hdr->opcode);
> 		hci_req_cmd_complete(hdev, opcode, status, &req_complete,
> @@ -5876,6 +5877,9 @@ void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
> 		req_evt = event;
> 	}
> 
> +	if (!event)
> +		BT_ERR("Received unexpected HCI Event 00000000");
> +

We need to start using bt_dev_err if we want to do that. However in this case bt_dev_warn is better since we should be gracefully handling this anyway.

Regards

Marcel

Re: [PATCH v1] bluetooth: guard against controllers sending zero'd events

[Johan Hedberg]

Hi Marcel,

On 29. Feb 2020, at 9.14, Marcel Holtmann <marcel@holtmann.org> wrote:
>> --- a/net/bluetooth/hci_event.c
>> +++ b/net/bluetooth/hci_event.c
>> @@ -5868,7 +5868,8 @@ void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
>> 	u8 status = 0, event = hdr->evt, req_evt = 0;
>> 	u16 opcode = HCI_OP_NOP;
>> 
>> -	if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->hci.req_event == event) {
>> +	if (hdev->sent_cmd && event &&
>> +	    bt_cb(hdev->sent_cmd)->hci.req_event == event) {
> 
> Why are you bothering to check for event here. Do we have requests set with hci_req.event == 0?

If I remember right, most requests are like that. req.event is only used then the request completes in something else than a command complete/status.

Johan

Re: [PATCH v1] bluetooth: guard against controllers sending zero'd events

[Marcel Holtmann]

Hi Johan,

>>> --- a/net/bluetooth/hci_event.c
>>> +++ b/net/bluetooth/hci_event.c
>>> @@ -5868,7 +5868,8 @@ void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
>>> 	u8 status = 0, event = hdr->evt, req_evt = 0;
>>> 	u16 opcode = HCI_OP_NOP;
>>> 
>>> -	if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->hci.req_event == event) {
>>> +	if (hdev->sent_cmd && event &&
>>> +	    bt_cb(hdev->sent_cmd)->hci.req_event == event) {
>> 
>> Why are you bothering to check for event here. Do we have requests set with hci_req.event == 0?
> 
> If I remember right, most requests are like that. req.event is only used then the request completes in something else than a command complete/status.

so what do we do then if we get an event == 0 from the controller? Just bail out early? It seems kind pointless to keep processing it.

Regards

Marcel

Re: [PATCH v1] bluetooth: guard against controllers sending zero'd events

[Johan Hedberg]

Hi Marcel,

On 1. Mar 2020, at 4.44, Marcel Holtmann <marcel@holtmann.org> wrote:
>>> Why are you bothering to check for event here. Do we have requests set with hci_req.event == 0?
>> 
>> If I remember right, most requests are like that. req.event is only used then the request completes in something else than a command complete/status.
> 
> so what do we do then if we get an event == 0 from the controller? Just bail out early? It seems kind pointless to keep processing it.

Yeah, that’s what I’d do. Bail out early, but log a warning.

Johan