From patchwork Sat May 13 01:13:33 2017
X-Patchwork-Submitter: Ricardo Salveti
X-Patchwork-Id: 99733
From: Ricardo Salveti
To: linux-bluetooth@vger.kernel.org
Cc: johan.hedberg@intel.com
Subject: [PATCH] Bluetooth: Check for available le pkts before sending frame
Date: Fri, 12 May 2017 22:13:33 -0300
Message-Id: <1494638013-6662-1-git-send-email-ricardo.salveti@linaro.org>
X-Mailer: git-send-email 2.7.4

hci_sched_le only checks for the available le pkts before iterating over
the channel data queue, allowing hci data buffer overflow when quota is
larger than cnt (hci_chan_sent uses both le_cnt and acl_cnt when
calculating quota, both of which are only updated after hci_sched_le is
done with the channel data queue).

Bug found when using wl1835mod (96boards HiKey) with multiple BT LE
connections:

> HCI Event: Number of Completed Packets (0x13) plen 5
        Num handles: 1
        Handle: 1025
        Count: 2
> HCI Event: Data Buffer Overflow (0x1a) plen 1
        Link type: ACL (0x01)
> HCI Event: Data Buffer Overflow (0x1a) plen 1
        Link type: ACL (0x01)
> HCI Event: Data Buffer Overflow (0x1a) plen 1
        Link type: ACL (0x01)
> HCI Event: Data Buffer Overflow (0x1a) plen 1
        Link type: ACL (0x01)
> HCI Event: Data Buffer Overflow (0x1a) plen 1
        Link type: ACL (0x01)

Signed-off-by: Ricardo Salveti
---
 net/bluetooth/hci_core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c index 0568677..58e9ab2 100644 --- a/net/bluetooth/hci_core.c +++ b/net/bluetooth/hci_core.c @@ -3938,7 +3938,7 @@ static void hci_sched_le(struct hci_dev *hdev) tmp = cnt; while (cnt && (chan = hci_chan_sent(hdev, LE_LINK, "e))) { u32 priority = (skb_peek(&chan->data_q))->priority; - while (quote-- && (skb = skb_peek(&chan->data_q))) { + while (cnt && quote-- && (skb = skb_peek(&chan->data_q))) { BT_DBG("chan %p skb %p len %d priority %u", chan, skb, skb->len, skb->priority);
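
Review bot: the new "cnt &&" guard in the inner while of hci_sched_le only bounds the loop if cnt is decremented once for every frame sent inside that loop, and the decrement is outside the lines shown in this hunk; please confirm that in the commit message, which currently explains the overflow only in terms of le_cnt and acl_cnt being updated after the queue has been walked. Because "cnt" is tested before "quote--", quote is no longer decremented on the iteration where cnt reaches zero, so it is worth checking that nothing after the inner loop depends on the final value of quote. The description attributes the oversized quota to hci_chan_sent, so please also state whether any other caller of hci_chan_sent was checked for the same missing guard. A Fixes: tag would help with backporting.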