New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
samples: bluetooth: hci_spi: Invalid cmd_hdr and acl_hdr usage #27266
Comments
@CorentinDOROTHEE Thank you very much for finding this bug ! In fact, cmd_hdr and acl_hdr are not even initiailized with 0 values. This may be the reason why this bug was not detected before (due to its random occurance nature). static void bt_tx_thread(void *p1, void *p2, void *p3)
{
uint8_t header_master[5];
uint8_t header_slave[5] = { READY_NOW, SANITY_CHECK,
0x00, 0x00, 0x00 };
struct net_buf *buf = NULL;
struct bt_hci_cmd_hdr cmd_hdr; /* <=== Not initialized */
struct bt_hci_acl_hdr acl_hdr; /* <=== Not initiailized*/
int ret;
ARG_UNUSED(p1);
ARG_UNUSED(p2);
ARG_UNUSED(p3);
(void)memset(txmsg, 0xFF, SPI_MAX_MSG_LEN);
while (1) {
[...]
switch (rxmsg[PACKET_TYPE]) {
case HCI_CMD:
buf = bt_buf_get_tx(BT_BUF_CMD, K_NO_WAIT, &rxmsg[1],
sizeof(cmd_hdr));
if (buf) {
net_buf_add_mem(buf, &rxmsg[4],
cmd_hdr.param_len); /* <=== Read here but never written. cmd_hdr.len is random...*/
} else {
LOG_ERR("No available command buffers!");
continue;
}
break;
case HCI_ACL:
buf = bt_buf_get_tx(BT_BUF_ACL_OUT, K_NO_WAIT,
&rxmsg[1], sizeof(acl_hdr));
if (buf) {
net_buf_add_mem(buf, &rxmsg[5],
sys_le16_to_cpu(acl_hdr.len)); /* <=== Read here but never written. acl_hdr.len is random...*/
} else {
LOG_ERR("No available ACL buffers!");
continue;
}
break;
[...]
}
} This problem is still present in master. The fix for this problem should be integrated in both master and V2.3.0 release as backport. |
A fix to this problem would be to either correctly fill the cmd_hdr & acl_hdr with spi data Or simply remove the two structs and get the header length from rxmsg content directly. This could save a bit of the thread stack memory. |
Looks like this bug was introduced in this commit: The author deleted the original memcpy calls filling up the headers. Maybe author and reviewer can help: @Vudentz @carlescufi |
Fixes zephyrproject-rtos#27266. cmd_hdr and acl_hdr local structs were read but never written. Causing unpredictable errors in bt_tx_thread such as : "Invalid HCI CMD packet length" in hci.c:2280 or Imprecise data bus errors on nrf52810. cmd_hdr and acl_hdr are now filled with the received data from SPI Master. Signed-off-by: Corentin Dorothée <corentin.dorothee@gmail.com>
Fixes #27266. cmd_hdr and acl_hdr local structs were read but never written. Causing unpredictable errors in bt_tx_thread such as : "Invalid HCI CMD packet length" in hci.c:2280 or Imprecise data bus errors on nrf52810. cmd_hdr and acl_hdr are now filled with the received data from SPI Master. Signed-off-by: Corentin Dorothée <corentin.dorothee@gmail.com>
Describe the bug
cmd_hdr and acl_hdr local structs were read but never written.
Causing unpredictable errors in bt_tx_thread such as :
"Invalid HCI CMD packet length" in hci.c:2280
or Imprecise data bus errors on nrf52810.
I have pinpointed the issue to samples/bluetooth/hci_spi/src/main.c using SEGGER J-Link probe
To Reproduce
Steps to reproduce the behavior:
CONFIG_BT_LOG_LEVEL_DBG=y
CONFIG_BT_DEBUG_LOG=y
CONFIG_BT_DEBUG_HCI_DRIVER=y
Expected behavior
cmd_hdr and acl_hdr local structs should be filled with the SPI data received from the host cpu
Impact
hci_spi is unusable and crash at random spots depending on the host application:
Environment (please complete the following information):
The text was updated successfully, but these errors were encountered: