From: Marcel Holtmann <marcel@holtmann.org>
To: hongyi mao <maohongyicn@gmail.com>
Cc: Bluez mailing list <linux-bluetooth@vger.kernel.org>
Subject: Re: Kernel Bluetooth Protocol Stack Problem
Date: Thu, 10 Oct 2019 05:43:51 +0200 [thread overview]
Message-ID: <D18AA174-F883-481F-B172-EB98B26E925F@holtmann.org> (raw)
In-Reply-To: <CACokStd_VLLP=dc+v=MZXpYF+Pw57f0Cma3-HSrXz5_PdiyRfw@mail.gmail.com>
Hi Hongyi,
> My use scenario: the peripheral is a BLE thermometer and
> hygrometer,and the data of the thermometer and hygrometer is stored in
> the BLE Advertising packet.
> the host sends the LE Set Scan Enable Command to the local controller,
> and then the host receives the le_meta_event and parses the data in
> the BLE Advertising packet.
>
> The problem occurred: the host side received other events besides
> le_meta_event, such as HCI_EV_INQUIRY_COMPLETE event,
> HCI_EV_CONN_REQUEST event, HCI_EV_CHANNEL_SELECTED event..., the
> reason for receiving these events may be BR/EDR/LE controllers wrong
> or other, this We are investigating.
>
> However, I think that when the host receives the HCI_EV_CONN_REQUEST
> event according to the procedure described in kernel,
> Hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
> ->hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
> ->conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr,HCI_ROLE_SLAVE);
> ->hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp); or
> hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp),&cp);
> The host should receive the HCI_EV_CONN_COMPLETE event or the
> HCI_EV_SYNC_CONN_COMPLETE event,
> but we did not receive it. Or the host receives the
> HCI_EV_CONN_COMPLETE event or HCI_EV_SYNC_CONN_COMPLETE, but
> ev->status != 0;
> The result is that the data for conn->handle is not updated, conn->handle=0.
>
> Next, the host may receive other events, such as
> HCI_EV_CHANNEL_SELECTED event, HCI_EV_PHY_LINK_COMPLETE event,
> HCI_EV_PHY_LINK_COMPLETE event...,
> but we did not receive an event that can update the struct hci_conn data.
> For example, the host receives the HCI_EV_CHANNEL_SELECTED event next.
> Hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
> ->hci_chan_selected_evt(struct hci_dev *hdev, struct sk_buff
> *skb);//but ev->phy_handle=0;
> ->hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);//host will
> find struct hci_conn because conn->handle=0 ev->phy_handle=0,hcon !=
> NULL
> ->amp_read_loc_assoc_final_data(hdev, hcon);
> ->set_bit(READ_LOC_AMP_ASSOC_FINAL, &mgr->state); //host did not
> receive any other events to update the data in hcon, mgr = NULL
>
> This situation will lead to kernel oops
>
> This problem can also occur when the host receives other events. As
> long as the event ev->phy_handle=0, the struct hci_conn is found,
> and the uninitialized data in the struct hci_conn is manipulated in
> the event, this problem will occur.
>
> Maybe this problem is a controller error, but I think the kernel stack
> should take this usage scenario into consideration.
> The attachment trace.log is the hci log we grab.The trace.log may not
> have caught this situation, but this situation requires a long test to
> appear.
what kind of hardware is this?
< HCI Command: Read Local Version Information (0x04|0x0001) plen 0
> HCI Event: Command Complete (0x0e) plen 12
Read Local Version Information (0x04|0x0001) ncmd 1
Status: Success (0x00)
HCI version: Bluetooth 4.1 (0x07) - Revision 0 (0x0000)
LMP version: Bluetooth 4.1 (0x07) - Subversion 602 (0x025a)
Manufacturer: Qualcomm (29)
< HCI Command: Read BD ADDR (0x04|0x0009) plen 0
> HCI Event: Command Complete (0x0e) plen 10
Read BD ADDR (0x04|0x0009) ncmd 1
Status: Success (0x00)
Address: C8:02:8F:04:89:1B (Nova Electronics (Shanghai) Co., Ltd.)
Is this some sort of new USB dongle from Qualcomm?
The problem is not Channel Selected event. That is just a symptom. The problem is that the hardware is sending garbage or you uncovered a bug in the driver or the USB controller.
> HCI Event: Unknown (0xaf) plen 168
aa b1 32 13 56 7b dd 4d 68 d2 ec 2b 0e b6 3e 2b ..2.V{.Mh..+..>+
02 01 03 01 b8 63 5a d0 83 0c 1f 1e ff 06 00 01 .....cZ.........
09 20 02 3c 26 fe 29 8d b4 89 26 03 37 3d 5c 23 . .<&.)...&.7=\#
8e ba 27 b6 41 c3 d2 2d 9b 7f b5 3e 2b 02 01 03 ..'.A..-...>+...
01 7a f7 04 dd a4 20 1f 1e ff 06 00 01 09 20 00 .z.... ....... .
0e 5f f0 72 0f 3b ea 9b ae ba 77 fa 41 35 4d 7a ._.r.;....w.A5Mz
3f 7b 28 18 9a bb 39 b1 3e 29 02 01 03 01 fb 6e ?{(...9.>).....n
54 04 1f 39 1d 1c ff 06 00 01 09 21 0a 61 76 81 T..9.......!.av.
ad 16 28 44 45 53 4b 54 4f 50 2d 4a 4a 38 36 35 ..(DESKTOP-JJ865
34 30 c1 3e 2b 02 01 03 01 79 03 3f 35 8e 01 1f 40.>+....y.?5...
1e ff 06 00 01 09 20 02 ...... .
> HCI Event: Unknown (0x6b) plen 233
87 d9 8b 41 cf 02 af a8 aa b1 32 13 56 7b dd 4d ...A......2.V{.M
68 d2 ec 2b 0e b5 3e 2b 02 01 03 01 7a f7 04 dd h..+..>+....z...
a4 20 1f 1e ff 06 00 01 09 20 00 0e 5f f0 72 0f . ....... .._.r.
3b ea 9b ae ba 77 fa 41 35 4d 7a 3f 7b 28 18 9a ;....w.A5Mz?{(..
bb 39 b2 3e 29 02 01 03 01 fb 6e 54 04 1f 39 1d .9.>).....nT..9.
1c ff 06 00 01 09 21 0a 61 76 81 ad 16 28 44 45 ......!.av...(DE
53 4b 54 4f 50 2d 4a 4a 38 36 35 34 30 c1 3e 2b SKTOP-JJ86540.>+
02 01 03 01 a3 f8 96 8c 85 25 1f 1e ff 06 00 01 .........%......
09 20 02 7f 31 9e b5 d1 76 45 f0 77 95 eb e7 5a . ..1...vE.w...Z
93 38 cc 88 20 5c 58 62 d2 af ab 3e 2b 02 01 03 .8.. \Xb...>+...
01 79 03 3f 35 8e 01 1f 1e ff 06 00 01 09 20 02 .y.?5......... .
6b e9 87 d9 8b 41 cf 02 af a8 aa b1 32 13 56 7b k....A......2.V{
dd 4d 68 d2 ec 2b 0e b6 3e 2b 02 01 03 01 7a f7 .Mh..+..>+....z.
04 dd a4 20 1f 1e ff 06 00 01 09 20 00 0e 5f f0 ... ....... .._.
72 0f 3b ea 9b ae ba 77 fa r.;....w.
> HCI Event: Channel Selected (0x41) plen 53
invalid packet size
4d 7a 3f 7b 28 18 9a bb 39 b3 3e 2b 02 01 03 01 Mz?{(...9.>+....
79 03 3f 35 8e 01 1f 1e ff 06 00 01 09 20 02 6b y.?5......... .k
e9 87 d9 8b 41 cf 02 af a8 aa b1 32 13 56 7b dd ....A......2.V{.
4d 68 d2 ec 2b Mh..+
So maybe this is missing a firmware download that has bug fixes. You might need to examine the Windows driver.
Regards
Marcel
next prev parent reply other threads:[~2019-10-10 3:44 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-08 8:34 Kernel Bluetooth Protocol Stack Problem hongyi mao
2019-10-08 8:41 ` Marcel Holtmann
[not found] ` <CACokStd_VLLP=dc+v=MZXpYF+Pw57f0Cma3-HSrXz5_PdiyRfw@mail.gmail.com>
2019-10-10 3:43 ` Marcel Holtmann [this message]
2019-10-10 8:27 ` hongyi mao
2019-10-16 19:08 ` Marcel Holtmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=D18AA174-F883-481F-B172-EB98B26E925F@holtmann.org \
--to=marcel@holtmann.org \
--cc=linux-bluetooth@vger.kernel.org \
--cc=maohongyicn@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).