2023-07-26 21:30:39

by Pauli Virtanen

Subject: [PATCH BlueZ 1/5] btdev: check error conditions for HCI_Create_Connection_Cancel

Create Connection Cancel shall return Command Complete with error status
when there is no Create Connection that can be canceled. In these
cases, we should not send a (spurious) Connection Complete event.

Fix by keeping a list of pending Create Connection commands, and
returning command errors if there is none pending at the moment.
---
emulator/btdev.c | 76 +++++++++++++++++++++++++++++++++++++++++++-----
1 file changed, 68 insertions(+), 8 deletions(-)

diff --git a/emulator/btdev.c b/emulator/btdev.c
index 637f0bb98..0c75e71c0 100644
--- a/emulator/btdev.c
+++ b/emulator/btdev.c
@@ -62,6 +62,7 @@ struct hook {

#define MAX_HOOK_ENTRIES 16
#define MAX_EXT_ADV_SETS 3
+#define MAX_PENDING_CONN 16

struct btdev_conn {
uint16_t handle;
@@ -223,6 +224,8 @@ struct btdev {
uint8_t le_rl_enable;
uint16_t le_rl_timeout;

+ struct btdev *pending_conn[MAX_PENDING_CONN];
+
uint8_t le_local_sk256[32];

uint16_t sync_train_interval;
@@ -1211,10 +1214,36 @@ static struct btdev_conn *conn_link_bis(struct btdev *dev, struct btdev *remote,
return conn;
}

+static void pending_conn_add(struct btdev *btdev, struct btdev *remote)
+{
+ int i;
+
+ for (i = 0; i < ARRAY_SIZE(btdev->pending_conn); ++i) {
+ if (!btdev->pending_conn[i]) {
+ btdev->pending_conn[i] = remote;
+ return;
+ }
+ }
+}
+
+static bool pending_conn_del(struct btdev *btdev, struct btdev *remote)
+{
+ int i;
+
+ for (i = 0; i < ARRAY_SIZE(btdev->pending_conn); ++i) {
+ if (btdev->pending_conn[i] == remote) {
+ btdev->pending_conn[i] = NULL;
+ return true;
+ }
+ }
+ return false;
+}
+
static void conn_complete(struct btdev *btdev,
const uint8_t *bdaddr, uint8_t status)
{
struct bt_hci_evt_conn_complete cc;
+ struct btdev *remote = find_btdev_by_bdaddr(bdaddr);

if (!status) {
struct btdev_conn *conn;
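Review bot: `pending_conn_del()` treats a NULL `remote` as a match for any empty slot, because free slots are stored as NULL and the loop tests `btdev->pending_conn[i] == remote` without checking the argument first. Both callers that pass the result of `find_btdev_by_bdaddr()` are exposed if that lookup can return NULL for an unknown address (its definition is outside this diff): `conn_complete()` in this hunk, and `cmd_create_conn_cancel()` in the later hunk. In the cancel handler the call would then return true and the command would take the success path for an address that never had a Create Connection, which is the case this patch sets out to reject. Starting the function with `if (!remote) return false;` closes it; `conn_complete()` continues beyond this hunk.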
@@ -1223,6 +1252,8 @@ static void conn_complete(struct btdev *btdev,
if (!conn)
return;

+ pending_conn_del(conn->link->dev, btdev);
+
cc.status = status;
memcpy(cc.bdaddr, btdev->bdaddr, 6);
cc.encr_mode = 0x00;
@@ -1240,6 +1271,8 @@ static void conn_complete(struct btdev *btdev,
cc.link_type = 0x01;
}

+ pending_conn_del(btdev, remote);
+
cc.status = status;
memcpy(cc.bdaddr, bdaddr, 6);
cc.encr_mode = 0x00;
@@ -1260,6 +1293,8 @@ static int cmd_create_conn_complete(struct btdev *dev, const void *data,
memcpy(cr.dev_class, dev->dev_class, 3);
cr.link_type = 0x01;

+ pending_conn_add(dev, remote);
+
send_event(remote, BT_HCI_EVT_CONN_REQUEST, &cr, sizeof(cr));
} else {
conn_complete(dev, cmd->bdaddr, BT_HCI_ERR_PAGE_TIMEOUT);
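Review bot: The slot written by `pending_conn_add(dev, remote)` holds a borrowed pointer to another emulated device, and nothing in this patch clears it if that device is destroyed before a Connection Complete or a cancel arrives. The visible code only compares the stored value and never dereferences it, but a stale entry could later match an unrelated device allocated at the same address. Clearing matching slots where devices are torn down (not shown here), or at least documenting the lifetime next to the field with something like `/* borrowed; cleared on completion or cancel */`, would make the contract explicit. Separately, `pending_conn_add()` returns `void` and does nothing when all `MAX_PENDING_CONN` slots are in use, so a later cancel for that attempt would be answered as if no Create Connection had been issued. `cmd_create_conn_complete()` starts and ends outside this hunk.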
@@ -1296,14 +1331,47 @@ static int cmd_add_sco_conn(struct btdev *dev, const void *data, uint8_t len)
cc.encr_mode = 0x00;

done:
+ pending_conn_del(dev, conn->link->dev);
+
send_event(dev, BT_HCI_EVT_CONN_COMPLETE, &cc, sizeof(cc));

return 0;
}

+static bool match_bdaddr(const void *data, const void *match_data)
+{
+ const struct btdev_conn *conn = data;
+ const uint8_t *bdaddr = match_data;
+
+ return !memcmp(conn->link->dev->bdaddr, bdaddr, 6);
+}
+
static int cmd_create_conn_cancel(struct btdev *dev, const void *data,
uint8_t len)
{
+ const struct bt_hci_cmd_create_conn_cancel *cmd = data;
+ struct btdev *remote = find_btdev_by_bdaddr(cmd->bdaddr);
+ struct btdev_conn *conn;
+
+ /* BLUETOOTH CORE SPECIFICATION Version 5.4 | Vol 4, Part E page 1848
+ *
+ * If the connection is already established, and the
+ * HCI_Connection_Complete event has been sent, then the Controller
+ * shall return an HCI_Command_Complete event with the error code
+ * Connection Already Exists (0x0B). If the HCI_Create_Connection_Cancel
+ * command is sent to the Controller without a preceding
+ * HCI_Create_Connection command to the same device, the BR/EDR
+ * Controller shall return an HCI_Command_Complete event with the error
+ * code Unknown Connection Identifier (0x02).
+ */
+ if (!pending_conn_del(dev, remote)) {
+ conn = queue_find(dev->conns, match_bdaddr, cmd->bdaddr);
+ if (conn)
+ return -EEXIST;
+
+ return -ENOENT;
+ }
+
cmd_status(dev, BT_HCI_ERR_SUCCESS, BT_HCI_CMD_CREATE_CONN_CANCEL);

return 0;
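Review bot: The added `pending_conn_del(dev, conn->link->dev);` sits directly after the `done:` label in `cmd_add_sco_conn()`, so it dereferences `conn` on every path that jumps there. The start of the function is outside this hunk, but a `done:` label normally serves failure paths too, and if any of them arrives with `conn` NULL (a failed lookup or allocation) the emulator would dereference a null pointer instead of sending the error event. Guarding the call as `if (conn) pending_conn_del(dev, conn->link->dev);`, or moving it above the label onto the success path, avoids that.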
@@ -1372,14 +1440,6 @@ static int cmd_link_key_reply(struct btdev *dev, const void *data, uint8_t len)
return 0;
}

-static bool match_bdaddr(const void *data, const void *match_data)
-{
- const struct btdev_conn *conn = data;
- const uint8_t *bdaddr = match_data;
-
- return !memcmp(conn->link->dev->bdaddr, bdaddr, 6);
-}
-
static void auth_complete(struct btdev_conn *conn, uint8_t status)
{
struct bt_hci_evt_auth_complete ev;
--
2.41.0



2023-07-26 22:35:08

by bluez.test.bot

Subject: RE: Additional tests for ISO and hci_sync

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the Linux Bluetooth mailing list.
These are the CI test results for your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=769853

---Test result---

Test Summary:
CheckPatch PASS 2.30 seconds
GitLint FAIL 1.64 seconds
BuildEll PASS 27.68 seconds
BluezMake FAIL 84.30 seconds
MakeCheck FAIL 175.49 seconds
MakeDistcheck PASS 157.60 seconds
CheckValgrind FAIL 62.68 seconds
CheckSmatch FAIL 310.97 seconds
bluezmakeextell FAIL 87.83 seconds
IncrementalBuild FAIL 759.16 seconds
ScanBuild FAIL 988.37 seconds

Details
##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
[BlueZ,2/5] sco-tester: test local and remote disconnecting simultaneously

WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
6: B3 Line contains hard tab characters (\t): " [controller] > HCI Synchronous Connect Complete"
7: B3 Line contains hard tab characters (\t): " [controller] > HCI Disconnection Complete (from remote)"
8: B3 Line contains hard tab characters (\t): " [user] shutdown(sco_socket)"
9: B3 Line contains hard tab characters (\t): " [kernel] hci_conn_abort(SCO handle)"
10: B3 Line contains hard tab characters (\t): " [kernel] > HCI Create Connection Cancel"
11: B3 Line contains hard tab characters (\t): " [kernel] < HCI Synchronous Connect Complete"
12: B3 Line contains hard tab characters (\t): " [kernel] < HCI Disconnect Complete"
13: B3 Line contains hard tab characters (\t): " [controller] < HCI Create Connection Cancel"
14: B3 Line contains hard tab characters (\t): " [controller] > HCI Command Status (Create Connection Cancel)"
15: B3 Line contains hard tab characters (\t): " [kernel] < HCI Command Status (Create Connection Cancel)"
33: B2 Line has trailing whitespace: " "
34: B1 Line exceeds max length (84>80): " CPU: 0 PID: 35 Comm: kworker/u3:2 Not tainted 6.5.0-rc1-00520-gf57f797eebfe #152"
35: B1 Line exceeds max length (85>80): " Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014"
62: B2 Line has trailing whitespace: " "
74: B2 Line has trailing whitespace: " "
90: B2 Line has trailing whitespace: " "
103: B2 Line has trailing whitespace: " "
108: B2 Line has trailing whitespace: " "
110: B1 Line exceeds max length (93>80): " page:ffffea00000a7800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x29e0"
117: B2 Line has trailing whitespace: " "
[BlueZ,3/5] iso-tester: test with large CIS_ID and invalid CIG_ID/CIS_ID

WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
19: B2 Line has trailing whitespace: " "
20: B1 Line exceeds max length (83>80): " ISO QoS CIG 0xF0 - Invalid Timed out 2.301 seconds"
21: B1 Line exceeds max length (83>80): " ISO QoS CIS 0xF0 - Invalid Failed 0.117 seconds"
22: B1 Line exceeds max length (83>80): " ISO Connect2 CIG 0x01 - Success/Invalid Failed 0.189 seconds"
23: B1 Line exceeds max length (83>80): " ISO AC 6(ii) CIS 0xEF/auto - Success Failed 0.196 seconds"
##############################
Test: BluezMake - FAIL
Desc: Build BlueZ
Output:

tools/mgmt-tester.c: In function ‘main’:
tools/mgmt-tester.c:12763:5: note: variable tracking size limit exceeded with ‘-fvar-tracking-assignments’, retrying without
12763 | int main(int argc, char *argv[])
| ^~~~
emulator/btdev.c: In function ‘pending_conn_add’:
emulator/btdev.c:1221:16: error: comparison of integer expressions of different signedness: ‘int’ and ‘long unsigned int’ [-Werror=sign-compare]
1221 | for (i = 0; i < ARRAY_SIZE(btdev->pending_conn); ++i) {
| ^
emulator/btdev.c: In function ‘pending_conn_del’:
emulator/btdev.c:1233:16: error: comparison of integer expressions of different signedness: ‘int’ and ‘long unsigned int’ [-Werror=sign-compare]
1233 | for (i = 0; i < ARRAY_SIZE(btdev->pending_conn); ++i) {
| ^
cc1: all warnings being treated as errors
make[1]: *** [Makefile:8481: emulator/android_android_tester-btdev.o] Error 1
make[1]: *** Waiting for unfinished jobs....
make: *** [Makefile:4537: all] Error 2
##############################
Test: MakeCheck - FAIL
Desc: Run Bluez Make Check
Output:

emulator/btdev.c: In function ‘pending_conn_add’:
emulator/btdev.c:1221:16: error: comparison of integer expressions of different signedness: ‘int’ and ‘long unsigned int’ [-Werror=sign-compare]
1221 | for (i = 0; i < ARRAY_SIZE(btdev->pending_conn); ++i) {
| ^
emulator/btdev.c: In function ‘pending_conn_del’:
emulator/btdev.c:1233:16: error: comparison of integer expressions of different signedness: ‘int’ and ‘long unsigned int’ [-Werror=sign-compare]
1233 | for (i = 0; i < ARRAY_SIZE(btdev->pending_conn); ++i) {
| ^
cc1: all warnings being treated as errors
make[1]: *** [Makefile:7645: emulator/btdev.o] Error 1
make: *** [Makefile:11875: check] Error 2
##############################
Test: CheckValgrind - FAIL
Desc: Run Bluez Make Check with Valgrind
Output:

tools/mgmt-tester.c: In function ‘main’:
tools/mgmt-tester.c:12763:5: note: variable tracking size limit exceeded with ‘-fvar-tracking-assignments’, retrying without
12763 | int main(int argc, char *argv[])
| ^~~~
emulator/btdev.c: In function ‘pending_conn_add’:
emulator/btdev.c:1221:16: error: comparison of integer expressions of different signedness: ‘int’ and ‘long unsigned int’ [-Werror=sign-compare]
1221 | for (i = 0; i < ARRAY_SIZE(btdev->pending_conn); ++i) {
| ^
emulator/btdev.c: In function ‘pending_conn_del’:
emulator/btdev.c:1233:16: error: comparison of integer expressions of different signedness: ‘int’ and ‘long unsigned int’ [-Werror=sign-compare]
1233 | for (i = 0; i < ARRAY_SIZE(btdev->pending_conn); ++i) {
| ^
cc1: all warnings being treated as errors
make[1]: *** [Makefile:8481: emulator/android_android_tester-btdev.o] Error 1
make[1]: *** Waiting for unfinished jobs....
make: *** [Makefile:11875: check] Error 2
##############################
Test: CheckSmatch - FAIL
Desc: Run smatch tool with source
Output:

src/shared/crypto.c:271:21: warning: Variable length array is used.
src/shared/crypto.c:272:23: warning: Variable length array is used.
src/shared/gatt-helpers.c:768:31: warning: Variable length array is used.
src/shared/gatt-helpers.c:830:31: warning: Variable length array is used.
src/shared/gatt-helpers.c:1323:31: warning: Variable length array is used.
src/shared/gatt-helpers.c:1354:23: warning: Variable length array is used.
src/shared/gatt-server.c:276:25: warning: Variable length array is used.
src/shared/gatt-server.c:619:25: warning: Variable length array is used.
src/shared/gatt-server.c:718:25: warning: Variable length array is used.
src/shared/shell.c: note: in included file (through /usr/include/readline/readline.h):
/usr/include/readline/rltypedefs.h:35:23: warning: non-ANSI function declaration of function 'Function'
/usr/include/readline/rltypedefs.h:36:25: warning: non-ANSI function declaration of function 'VFunction'
/usr/include/readline/rltypedefs.h:37:27: warning: non-ANSI function declaration of function 'CPFunction'
/usr/include/readline/rltypedefs.h:38:29: warning: non-ANSI function declaration of function 'CPPFunction'
src/shared/crypto.c:271:21: warning: Variable length array is used.
src/shared/crypto.c:272:23: warning: Variable length array is used.
src/shared/gatt-helpers.c:768:31: warning: Variable length array is used.
src/shared/gatt-helpers.c:830:31: warning: Variable length array is used.
src/shared/gatt-helpers.c:1323:31: warning: Variable length array is used.
src/shared/gatt-helpers.c:1354:23: warning: Variable length array is used.
src/shared/gatt-server.c:276:25: warning: Variable length array is used.
src/shared/gatt-server.c:619:25: warning: Variable length array is used.
src/shared/gatt-server.c:718:25: warning: Variable length array is used.
src/shared/shell.c: note: in included file (through /usr/include/readline/readline.h):
/usr/include/readline/rltypedefs.h:35:23: warning: non-ANSI function declaration of function 'Function'
/usr/include/readline/rltypedefs.h:36:25: warning: non-ANSI function declaration of function 'VFunction'
/usr/include/readline/rltypedefs.h:37:27: warning: non-ANSI function declaration of function 'CPFunction'
/usr/include/readline/rltypedefs.h:38:29: warning: non-ANSI function declaration of function 'CPPFunction'
tools/mesh-cfgtest.c:1453:17: warning: unknown escape sequence: '\%'
tools/sco-tester.c: note: in included file:
./lib/bluetooth.h:216:15: warning: array of flexible structures
./lib/bluetooth.h:221:31: warning: array of flexible structures
tools/bneptest.c:634:39: warning: unknown escape sequence: '\%'
tools/seq2bseq.c:57:26: warning: Variable length array is used.
tools/obex-client-tool.c: note: in included file (through /usr/include/readline/readline.h):
/usr/include/readline/rltypedefs.h:35:23: warning: non-ANSI function declaration of function 'Function'
/usr/include/readline/rltypedefs.h:36:25: warning: non-ANSI function declaration of function 'VFunction'
/usr/include/readline/rltypedefs.h:37:27: warning: non-ANSI function declaration of function 'CPFunction'
/usr/include/readline/rltypedefs.h:38:29: warning: non-ANSI function declaration of function 'CPPFunction'
android/avctp.c:505:34: warning: Variable length array is used.
android/avctp.c:556:34: warning: Variable length array is used.
unit/test-avrcp.c:373:26: warning: Variable length array is used.
unit/test-avrcp.c:398:26: warning: Variable length array is used.
unit/test-avrcp.c:414:24: warning: Variable length array is used.
android/avrcp-lib.c:1085:34: warning: Variable length array is used.
android/avrcp-lib.c:1583:34: warning: Variable length array is used.
android/avrcp-lib.c:1612:34: warning: Variable length array is used.
android/avrcp-lib.c:1638:34: warning: Variable length array is used.
profiles/input/device.c:165:26: warning: Variable length array is used.
mesh/mesh-io-mgmt.c:523:67: warning: Variable length array is used.
client/display.c: note: in included file (through /usr/include/readline/readline.h):
/usr/include/readline/rltypedefs.h:35:23: warning: non-ANSI function declaration of function 'Function'
/usr/include/readline/rltypedefs.h:36:25: warning: non-ANSI function declaration of function 'VFunction'
/usr/include/readline/rltypedefs.h:37:27: warning: non-ANSI function declaration of function 'CPFunction'
/usr/include/readline/rltypedefs.h:38:29: warning: non-ANSI function declaration of function 'CPPFunction'
src/shared/crypto.c:271:21: warning: Variable length array is used.
src/shared/crypto.c:272:23: warning: Variable length array is used.
src/shared/gatt-helpers.c:768:31: warning: Variable length array is used.
src/shared/gatt-helpers.c:830:31: warning: Variable length array is used.
src/shared/gatt-helpers.c:1323:31: warning: Variable length array is used.
src/shared/gatt-helpers.c:1354:23: warning: Variable length array is used.
src/shared/gatt-server.c:276:25: warning: Variable length array is used.
src/shared/gatt-server.c:619:25: warning: Variable length array is used.
src/shared/gatt-server.c:718:25: warning: Variable length array is used.
src/shared/shell.c: note: in included file (through /usr/include/readline/readline.h):
/usr/include/readline/rltypedefs.h:35:23: warning: non-ANSI function declaration of function 'Function'
/usr/include/readline/rltypedefs.h:36:25: warning: non-ANSI function declaration of function 'VFunction'
/usr/include/readline/rltypedefs.h:37:27: warning: non-ANSI function declaration of function 'CPFunction'
/usr/include/readline/rltypedefs.h:38:29: warning: non-ANSI function declaration of function 'CPPFunction'
monitor/packet.c: note: in included file:
monitor/display.h:82:26: warning: Variable length array is used.
monitor/packet.c:1832:26: warning: Variable length array is used.
monitor/packet.c: note: in included file:
monitor/bt.h:3551:52: warning: array of flexible structures
monitor/bt.h:3539:40: warning: array of flexible structures
monitor/l2cap.c: note: in included file:
monitor/display.h:82:26: warning: Variable length array is used.
monitor/msft.c: note: in included file:
monitor/msft.h:88:44: warning: array of flexible structures
monitor/att.c: note: in included file:
monitor/display.h:82:26: warning: Variable length array is used.
tools/rctest.c:624:33: warning: non-ANSI function declaration of function 'automated_send_recv'
tools/hex2hcd.c:135:26: warning: Variable length array is used.
tools/meshctl.c:324:33: warning: non-ANSI function declaration of function 'forget_mesh_devices'
tools/mesh-gatt/node.c:456:39: warning: non-ANSI function declaration of function 'node_get_local_node'
tools/mesh-gatt/net.c:1239:30: warning: non-ANSI function declaration of function 'get_next_seq'
tools/mesh-gatt/net.c:2193:29: warning: non-ANSI function declaration of function 'net_get_default_ttl'
tools/mesh-gatt/net.c:2207:26: warning: non-ANSI function declaration of function 'net_get_seq_num'
tools/mesh-gatt/prov.c: note: in included file (through /usr/include/readline/readline.h):
/usr/include/readline/rltypedefs.h:35:23: warning: non-ANSI function declaration of function 'Function'
/usr/include/readline/rltypedefs.h:36:25: warning: non-ANSI function declaration of function 'VFunction'
/usr/include/readline/rltypedefs.h:37:27: warning: non-ANSI function declaration of function 'CPFunction'
/usr/include/readline/rltypedefs.h:38:29: warning: non-ANSI function declaration of function 'CPPFunction'
tools/mesh-gatt/onoff-model.c: note: in included file (through /usr/include/readline/readline.h):
/usr/include/readline/rltypedefs.h:35:23: warning: non-ANSI function declaration of function 'Function'
/usr/include/readline/rltypedefs.h:36:25: warning: non-ANSI function declaration of function 'VFunction'
/usr/include/readline/rltypedefs.h:37:27: warning: non-ANSI function declaration of function 'CPFunction'
/usr/include/readline/rltypedefs.h:38:29: warning: non-ANSI function declaration of function 'CPPFunction'
ell/log.c:446:65: warning: non-ANSI function declaration of function 'register_debug_section'
ell/log.c:454:68: warning: non-ANSI function declaration of function 'free_debug_sections'
ell/random.c:75:42: warning: non-ANSI function declaration of function 'l_getrandom_is_supported'
ell/cipher.c:675:28: warning: non-ANSI function declaration of function 'init_supported'
ell/checksum.c:387:28: warning: non-ANSI function declaration of function 'init_supported'
ell/checksum.c:449:47: warning: non-ANSI function declaration of function 'l_checksum_cmac_aes_supported'
ell/cipher.c:534:24: warning: Variable length array is used.
ell/cert-crypto.c:51:33: warning: Variable length array is used.
ell/cert-crypto.c:147:36: warning: Variable length array is used.
ell/cert-crypto.c:203:36: warning: Variable length array is used.
ell/cert-crypto.c:256:31: warning: Variable length array is used.
ell/key.c:553:25: warning: Variable length array is used.
ell/dbus-service.c:563:49: warning: non-ANSI function declaration of function '_dbus_object_tree_new'
ell/dbus-filter.c:247:46: warning: Variable length array is used.
ell/tls.c:58:25: warning: Variable length array is used.
ell/tls.c:99:22: warning: Variable length array is used.
ell/tls.c:99:46: warning: Variable length array is used.
ell/tls.c:1832:26: warning: Variable length array is used.
ell/tls-suites.c:1091:25: warning: Variable length array is used.
ell/tls-suites.c:1093:34: warning: Variable length array is used.
ell/tls-suites.c:1096:41: warning: Variable length array is used.
ell/tls-suites.c:1145:41: warning: Variable length array is used.
emulator/btdev.c:420:29: warning: Variable length array is used.
emulator/bthost.c:584:28: warning: Variable length array is used.
emulator/bthost.c:741:28: warning: Variable length array is used.
emulator/btdev.c: In function ‘pending_conn_add’:
emulator/btdev.c:1221:16: error: comparison of integer expressions of different signedness: ‘int’ and ‘long unsigned int’ [-Werror=sign-compare]
1221 | for (i = 0; i < ARRAY_SIZE(btdev->pending_conn); ++i) {
| ^
emulator/btdev.c: In function ‘pending_conn_del’:
emulator/btdev.c:1233:16: error: comparison of integer expressions of different signedness: ‘int’ and ‘long unsigned int’ [-Werror=sign-compare]
1233 | for (i = 0; i < ARRAY_SIZE(btdev->pending_conn); ++i) {
| ^
cc1: all warnings being treated as errors
make[1]: *** [Makefile:7645: emulator/btdev.o] Error 1
make[1]: *** Waiting for unfinished jobs....
make: *** [Makefile:4537: all] Error 2
##############################
Test: bluezmakeextell - FAIL
Desc: Build Bluez with External ELL
Output:

emulator/btdev.c: In function ‘pending_conn_add’:
emulator/btdev.c:1221:16: error: comparison of integer expressions of different signedness: ‘int’ and ‘long unsigned int’ [-Werror=sign-compare]
1221 | for (i = 0; i < ARRAY_SIZE(btdev->pending_conn); ++i) {
| ^
emulator/btdev.c: In function ‘pending_conn_del’:
emulator/btdev.c:1233:16: error: comparison of integer expressions of different signedness: ‘int’ and ‘long unsigned int’ [-Werror=sign-compare]
1233 | for (i = 0; i < ARRAY_SIZE(btdev->pending_conn); ++i) {
| ^
cc1: all warnings being treated as errors
make[1]: *** [Makefile:7645: emulator/btdev.o] Error 1
make[1]: *** Waiting for unfinished jobs....
make: *** [Makefile:4537: all] Error 2
##############################
Test: IncrementalBuild - FAIL
Desc: Incremental build with the patches in the series
Output:
[BlueZ,1/5] btdev: check error conditions for HCI_Create_Connection_Cancel

tools/mgmt-tester.c: In function ‘main’:
tools/mgmt-tester.c:12763:5: note: variable tracking size limit exceeded with ‘-fvar-tracking-assignments’, retrying without
12763 | int main(int argc, char *argv[])
| ^~~~
unit/test-avdtp.c: In function ‘main’:
unit/test-avdtp.c:766:5: note: variable tracking size limit exceeded with ‘-fvar-tracking-assignments’, retrying without
766 | int main(int argc, char *argv[])
| ^~~~
unit/test-avrcp.c: In function ‘main’:
unit/test-avrcp.c:989:5: note: variable tracking size limit exceeded with ‘-fvar-tracking-assignments’, retrying without
989 | int main(int argc, char *argv[])
| ^~~~
emulator/btdev.c: In function ‘pending_conn_add’:
emulator/btdev.c:1221:16: error: comparison of integer expressions of different signedness: ‘int’ and ‘long unsigned int’ [-Werror=sign-compare]
1221 | for (i = 0; i < ARRAY_SIZE(btdev->pending_conn); ++i) {
| ^
emulator/btdev.c: In function ‘pending_conn_del’:
emulator/btdev.c:1233:16: error: comparison of integer expressions of different signedness: ‘int’ and ‘long unsigned int’ [-Werror=sign-compare]
1233 | for (i = 0; i < ARRAY_SIZE(btdev->pending_conn); ++i) {
| ^
cc1: all warnings being treated as errors
make[1]: *** [Makefile:7645: emulator/btdev.o] Error 1
make[1]: *** Waiting for unfinished jobs....
make: *** [Makefile:4537: all] Error 2
##############################
Test: ScanBuild - FAIL
Desc: Run Scan Build
Output:

src/shared/gatt-client.c:451:21: warning: Use of memory after it is freed
gatt_db_unregister(op->client->db, op->db_id);
^~~~~~~~~~
src/shared/gatt-client.c:696:2: warning: Use of memory after it is freed
discovery_op_complete(op, false, att_ecode);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:993:2: warning: Use of memory after it is freed
discovery_op_complete(op, success, att_ecode);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1099:2: warning: Use of memory after it is freed
discovery_op_complete(op, success, att_ecode);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1291:2: warning: Use of memory after it is freed
discovery_op_complete(op, success, att_ecode);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1356:2: warning: Use of memory after it is freed
discovery_op_complete(op, success, att_ecode);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1631:6: warning: Use of memory after it is freed
if (read_db_hash(op)) {
^~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1636:2: warning: Use of memory after it is freed
discover_all(op);
^~~~~~~~~~~~~~~~
src/shared/gatt-client.c:2140:6: warning: Use of memory after it is freed
if (read_db_hash(op)) {
^~~~~~~~~~~~~~~~
src/shared/gatt-client.c:2148:8: warning: Use of memory after it is freed
discovery_op_ref(op),
^~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:3236:2: warning: Use of memory after it is freed
complete_write_long_op(req, success, 0, false);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:3258:2: warning: Use of memory after it is freed
request_unref(req);
^~~~~~~~~~~~~~~~~~
12 warnings generated.
src/shared/shell.c:1228:13: warning: Access to field 'options' results in a dereference of a null pointer (loaded from variable 'opt')
if (c != opt->options[index - offset].val) {
^~~~~~~~~~~~
1 warning generated.
src/shared/gatt-client.c:451:21: warning: Use of memory after it is freed
gatt_db_unregister(op->client->db, op->db_id);
^~~~~~~~~~
src/shared/gatt-client.c:696:2: warning: Use of memory after it is freed
discovery_op_complete(op, false, att_ecode);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:993:2: warning: Use of memory after it is freed
discovery_op_complete(op, success, att_ecode);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1099:2: warning: Use of memory after it is freed
discovery_op_complete(op, success, att_ecode);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1291:2: warning: Use of memory after it is freed
discovery_op_complete(op, success, att_ecode);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1356:2: warning: Use of memory after it is freed
discovery_op_complete(op, success, att_ecode);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1631:6: warning: Use of memory after it is freed
if (read_db_hash(op)) {
^~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1636:2: warning: Use of memory after it is freed
discover_all(op);
^~~~~~~~~~~~~~~~
src/shared/gatt-client.c:2140:6: warning: Use of memory after it is freed
if (read_db_hash(op)) {
^~~~~~~~~~~~~~~~
src/shared/gatt-client.c:2148:8: warning: Use of memory after it is freed
discovery_op_ref(op),
^~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:3236:2: warning: Use of memory after it is freed
complete_write_long_op(req, success, 0, false);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:3258:2: warning: Use of memory after it is freed
request_unref(req);
^~~~~~~~~~~~~~~~~~
12 warnings generated.
tools/hciattach.c:816:7: warning: Although the value stored to 'n' is used in the enclosing expression, the value is never actually read from 'n'
if ((n = read_hci_event(fd, resp, 10)) < 0) {
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
tools/hciattach.c:864:7: warning: Although the value stored to 'n' is used in the enclosing expression, the value is never actually read from 'n'
if ((n = read_hci_event(fd, resp, 4)) < 0) {
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
tools/hciattach.c:886:8: warning: Although the value stored to 'n' is used in the enclosing expression, the value is never actually read from 'n'
if ((n = read_hci_event(fd, resp, 10)) < 0) {
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
tools/hciattach.c:908:7: warning: Although the value stored to 'n' is used in the enclosing expression, the value is never actually read from 'n'
if ((n = read_hci_event(fd, resp, 4)) < 0) {
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
tools/hciattach.c:929:7: warning: Although the value stored to 'n' is used in the enclosing expression, the value is never actually read from 'n'
if ((n = read_hci_event(fd, resp, 4)) < 0) {
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
tools/hciattach.c:973:7: warning: Although the value stored to 'n' is used in the enclosing expression, the value is never actually read from 'n'
if ((n = read_hci_event(fd, resp, 6)) < 0) {
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
6 warnings generated.
src/shared/shell.c:1228:13: warning: Access to field 'options' results in a dereference of a null pointer (loaded from variable 'opt')
if (c != opt->options[index - offset].val) {
^~~~~~~~~~~~
1 warning generated.
src/oui.c:50:2: warning: Value stored to 'hwdb' is never read
hwdb = udev_hwdb_unref(hwdb);
^ ~~~~~~~~~~~~~~~~~~~~~
src/oui.c:53:2: warning: Value stored to 'udev' is never read
udev = udev_unref(udev);
^ ~~~~~~~~~~~~~~~~
2 warnings generated.
tools/hcidump.c:180:9: warning: Potential leak of memory pointed to by 'dp'
if (fds[i].fd == sock)
^~~
tools/hcidump.c:248:17: warning: Assigned value is garbage or undefined
dh->ts_sec = htobl(frm.ts.tv_sec);
^ ~~~~~~~~~~~~~~~~~~~~
tools/hcidump.c:326:9: warning: 1st function call argument is an uninitialized value
if (be32toh(dp.flags) & 0x02) {
^~~~~~~~~~~~~~~~~
/usr/include/endian.h:46:22: note: expanded from macro 'be32toh'
# define be32toh(x) __bswap_32 (x)
^~~~~~~~~~~~~~
tools/hcidump.c:341:20: warning: 1st function call argument is an uninitialized value
frm.data_len = be32toh(dp.len);
^~~~~~~~~~~~~~~
/usr/include/endian.h:46:22: note: expanded from macro 'be32toh'
# define be32toh(x) __bswap_32 (x)
^~~~~~~~~~~~~~
tools/hcidump.c:346:14: warning: 1st function call argument is an uninitialized value
opcode = be32toh(dp.flags) & 0xffff;
^~~~~~~~~~~~~~~~~
/usr/include/endian.h:46:22: note: expanded from macro 'be32toh'
# define be32toh(x) __bswap_32 (x)
^~~~~~~~~~~~~~
tools/hcidump.c:384:17: warning: Assigned value is garbage or undefined
frm.data_len = btohs(dh.len);
^ ~~~~~~~~~~~~~
tools/hcidump.c:394:11: warning: Assigned value is garbage or undefined
frm.len = frm.data_len;
^ ~~~~~~~~~~~~
tools/hcidump.c:398:9: warning: 1st function call argument is an uninitialized value
ts = be64toh(ph.ts);
^~~~~~~~~~~~~~
/usr/include/endian.h:51:22: note: expanded from macro 'be64toh'
# define be64toh(x) __bswap_64 (x)
^~~~~~~~~~~~~~
tools/hcidump.c:403:13: warning: 1st function call argument is an uninitialized value
frm.in = be32toh(dp.flags) & 0x01;
^~~~~~~~~~~~~~~~~
/usr/include/endian.h:46:22: note: expanded from macro 'be32toh'
# define be32toh(x) __bswap_32 (x)
^~~~~~~~~~~~~~
tools/hcidump.c:408:11: warning: Assigned value is garbage or undefined
frm.in = dh.in;
^ ~~~~~
tools/hcidump.c:437:7: warning: Null pointer passed to 1st parameter expecting 'nonnull'
fd = open(file, open_flags, 0644);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~
11 warnings generated.
tools/rfcomm.c:228:3: warning: Value stored to 'i' is never read
i = execvp(cmdargv[0], cmdargv);
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
tools/rfcomm.c:228:7: warning: Null pointer passed to 1st parameter expecting 'nonnull'
i = execvp(cmdargv[0], cmdargv);
^~~~~~~~~~~~~~~~~~~~~~~~~~~
tools/rfcomm.c:348:8: warning: Although the value stored to 'fd' is used in the enclosing expression, the value is never actually read from 'fd'
if ((fd = open(devname, O_RDONLY | O_NOCTTY)) < 0) {
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
tools/rfcomm.c:491:14: warning: Assigned value is garbage or undefined
req.channel = raddr.rc_channel;
^ ~~~~~~~~~~~~~~~~
tools/rfcomm.c:509:8: warning: Although the value stored to 'fd' is used in the enclosing expression, the value is never actually read from 'fd'
if ((fd = open(devname, O_RDONLY | O_NOCTTY)) < 0) {
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
5 warnings generated.
src/sdp-xml.c:126:10: warning: Assigned value is garbage or undefined
buf[1] = data[i + 1];
^ ~~~~~~~~~~~
src/sdp-xml.c:300:11: warning: Assigned value is garbage or undefined
buf[1] = data[i + 1];
^ ~~~~~~~~~~~
src/sdp-xml.c:338:11: warning: Assigned value is garbage or undefined
buf[1] = data[i + 1];
^ ~~~~~~~~~~~
3 warnings generated.
tools/ciptool.c:350:7: warning: 5th function call argument is an uninitialized value
sk = do_connect(ctl, dev_id, &src, &dst, psm, (1 << CMTP_LOOPBACK));
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
tools/sdptool.c:941:26: warning: Result of 'malloc' is converted to a pointer of type 'uint32_t', which is incompatible with sizeof operand type 'int'
uint32_t *value_int = malloc(sizeof(int));
~~~~~~~~~~ ^~~~~~ ~~~~~~~~~~~
tools/sdptool.c:980:4: warning: 1st function call argument is an uninitialized value
free(allocArray[i]);
^~~~~~~~~~~~~~~~~~~
tools/sdptool.c:3777:2: warning: Potential leak of memory pointed to by 'si.name'
return add_service(0, &si);
^~~~~~~~~~~~~~~~~~~~~~~~~~
tools/sdptool.c:4112:4: warning: Potential leak of memory pointed to by 'context.svc'
return -1;
^~~~~~~~~
4 warnings generated.
tools/avtest.c:224:5: warning: Value stored to 'len' is never read
len = write(sk, buf, 3);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:234:5: warning: Value stored to 'len' is never read
len = write(sk, buf, 4);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:243:5: warning: Value stored to 'len' is never read
len = write(sk, buf, 3);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:257:5: warning: Value stored to 'len' is never read
len = write(sk, buf,
^ ~~~~~~~~~~~~~~
tools/avtest.c:264:5: warning: Value stored to 'len' is never read
len = write(sk, buf,
^ ~~~~~~~~~~~~~~
tools/avtest.c:271:5: warning: Value stored to 'len' is never read
len = write(sk, buf,
^ ~~~~~~~~~~~~~~
tools/avtest.c:278:5: warning: Value stored to 'len' is never read
len = write(sk, buf,
^ ~~~~~~~~~~~~~~
tools/avtest.c:289:5: warning: Value stored to 'len' is never read
len = write(sk, buf, 4);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:293:5: warning: Value stored to 'len' is never read
len = write(sk, buf, 2);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:302:5: warning: Value stored to 'len' is never read
len = write(sk, buf, 3);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:306:5: warning: Value stored to 'len' is never read
len = write(sk, buf, 2);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:315:5: warning: Value stored to 'len' is never read
len = write(sk, buf, 3);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:322:5: warning: Value stored to 'len' is never read
len = write(sk, buf, 2);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:344:5: warning: Value stored to 'len' is never read
len = write(sk, buf, 4);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:348:5: warning: Value stored to 'len' is never read
len = write(sk, buf, 2);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:357:5: warning: Value stored to 'len' is never read
len = write(sk, buf, 3);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:361:5: warning: Value stored to 'len' is never read
len = write(sk, buf, 2);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:374:5: warning: Value stored to 'len' is never read
len = write(sk, buf, 4);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:378:5: warning: Value stored to 'len' is never read
len = write(sk, buf, 2);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:385:4: warning: Value stored to 'len' is never read
len = write(sk, buf, 2);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:395:4: warning: Value stored to 'len' is never read
len = write(sk, buf, 2);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:559:3: warning: Value stored to 'len' is never read
len = write(sk, buf, 2);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:567:3: warning: Value stored to 'len' is never read
len = write(sk, buf, invalid ? 2 : 3);
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
tools/avtest.c:581:3: warning: Value stored to 'len' is never read
len = write(sk, buf, 4 + sizeof(media_transport));
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
tools/avtest.c:594:3: warning: Value stored to 'len' is never read
len = write(sk, buf, 3);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:604:3: warning: Value stored to 'len' is never read
len = write(sk, buf, 3);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:616:3: warning: Value stored to 'len' is never read
len = write(sk, buf, 3);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:631:3: warning: Value stored to 'len' is never read
len = write(sk, buf, 3);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:643:3: warning: Value stored to 'len' is never read
len = write(sk, buf, 3);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:652:3: warning: Value stored to 'len' is never read
len = write(sk, buf, 3);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:659:3: warning: Value stored to 'len' is never read
len = write(sk, buf, 2);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:695:2: warning: Value stored to 'len' is never read
len = write(sk, buf, AVCTP_HEADER_LENGTH + sizeof(play_pressed));
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
32 warnings generated.
tools/btproxy.c:836:15: warning: Null pointer passed to 1st parameter expecting 'nonnull'
tcp_port = atoi(optarg);
^~~~~~~~~~~~
tools/btproxy.c:839:8: warning: Null pointer passed to 1st parameter expecting 'nonnull'
if (strlen(optarg) > 3 && !strncmp(optarg, "hci", 3))
^~~~~~~~~~~~~~
2 warnings generated.
tools/create-image.c:76:3: warning: Value stored to 'fd' is never read
fd = -1;
^ ~~
tools/create-image.c:84:3: warning: Value stored to 'fd' is never read
fd = -1;
^ ~~
tools/create-image.c:92:3: warning: Value stored to 'fd' is never read
fd = -1;
^ ~~
tools/create-image.c:105:2: warning: Value stored to 'fd' is never read
fd = -1;
^ ~~
4 warnings generated.
tools/btgatt-client.c:1597:2: warning: Value stored to 'argv' is never read
argv += optind;
^ ~~~~~~
1 warning generated.
tools/btgatt-server.c:1212:2: warning: Value stored to 'argv' is never read
argv -= optind;
^ ~~~~~~
1 warning generated.
tools/check-selftest.c:42:3: warning: Value stored to 'ptr' is never read
ptr = fgets(result, sizeof(result), fp);
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
tools/gatt-service.c:294:2: warning: 2nd function call argument is an uninitialized value
chr_write(chr, value, len);
^~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
tools/obex-server-tool.c:133:13: warning: Null pointer passed to 1st parameter expecting 'nonnull'
data->fd = open(name, O_WRONLY | O_CREAT | O_NOCTTY, 0600);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
tools/obex-server-tool.c:192:13: warning: Null pointer passed to 1st parameter expecting 'nonnull'
data->fd = open(name, O_RDONLY | O_NOCTTY, 0);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2 warnings generated.
tools/test-runner.c:945:2: warning: 2nd function call argument is an uninitialized value
printf("Running command %s\n", cmdname ? cmdname : argv[0]);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
tools/btpclientctl.c:402:3: warning: Value stored to 'bit' is never read
bit = 0;
^ ~
tools/btpclientctl.c:1655:2: warning: Null pointer passed to 2nd parameter expecting 'nonnull'
memcpy(cp->data, ad_data, ad_len);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2 warnings generated.
src/sdpd-request.c:211:13: warning: Result of 'malloc' is converted to a pointer of type 'char', which is incompatible with sizeof operand type 'uint16_t'
pElem = malloc(sizeof(uint16_t));
^~~~~~ ~~~~~~~~~~~~~~~~
src/sdpd-request.c:239:13: warning: Result of 'malloc' is converted to a pointer of type 'char', which is incompatible with sizeof operand type 'uint32_t'
pElem = malloc(sizeof(uint32_t));
^~~~~~ ~~~~~~~~~~~~~~~~
2 warnings generated.
android/avrcp-lib.c:1968:3: warning: 1st function call argument is an uninitialized value
g_free(text[i]);
^~~~~~~~~~~~~~~
1 warning generated.
profiles/health/hdp.c:644:3: warning: Use of memory after it is freed
hdp_tmp_dc_data_unref(dc_data);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
profiles/health/hdp.c:800:19: warning: Use of memory after it is freed
path = g_strdup(chan->path);
^~~~~~~~~~
profiles/health/hdp.c:1779:6: warning: Use of memory after it is freed
hdp_tmp_dc_data_ref(hdp_conn),
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
profiles/health/hdp.c:1836:30: warning: Use of memory after it is freed
reply = g_dbus_create_error(data->msg, ERROR_INTERFACE ".HealthError",
^~~~~~~~~
4 warnings generated.
profiles/health/hdp_util.c:1053:2: warning: Use of memory after it is freed
conn_data->func(conn_data->data, gerr);
^~~~~~~~~~~~~~~
1 warning generated.
attrib/gatt.c:970:2: warning: Potential leak of memory pointed to by 'long_write'
return prepare_write(long_write);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
src/sdpd-request.c:211:13: warning: Result of 'malloc' is converted to a pointer of type 'char', which is incompatible with sizeof operand type 'uint16_t'
pElem = malloc(sizeof(uint16_t));
^~~~~~ ~~~~~~~~~~~~~~~~
src/sdpd-request.c:239:13: warning: Result of 'malloc' is converted to a pointer of type 'char', which is incompatible with sizeof operand type 'uint32_t'
pElem = malloc(sizeof(uint32_t));
^~~~~~ ~~~~~~~~~~~~~~~~
2 warnings generated.
src/sdp-xml.c:126:10: warning: Assigned value is garbage or undefined
buf[1] = data[i + 1];
^ ~~~~~~~~~~~
src/sdp-xml.c:300:11: warning: Assigned value is garbage or undefined
buf[1] = data[i + 1];
^ ~~~~~~~~~~~
src/sdp-xml.c:338:11: warning: Assigned value is garbage or undefined
buf[1] = data[i + 1];
^ ~~~~~~~~~~~
3 warnings generated.
src/sdp-client.c:353:14: warning: Access to field 'cb' results in a dereference of a null pointer
(*ctxt)->cb = cb;
~~~~~~~~~~~~^~~~
1 warning generated.
src/gatt-database.c:1138:10: warning: Value stored to 'bits' during its initialization is never read
uint8_t bits[] = { BT_GATT_CHRC_CLI_FEAT_ROBUST_CACHING,
^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
gobex/gobex-header.c:67:2: warning: Null pointer passed to 2nd parameter expecting 'nonnull'
memcpy(to, from, count);
^~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
gobex/gobex-transfer.c:423:7: warning: Use of memory after it is freed
if (!g_slist_find(transfers, transfer))
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
mesh/main.c:161:3: warning: Value stored to 'optarg' is never read
optarg += strlen("auto");
^ ~~~~~~~~~~~~~~
1 warning generated.
lib/hci.c:97:4: warning: Value stored to 'ptr' is never read
ptr += sprintf(ptr, "%s", m->str);
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
gdbus/watch.c:204:3: warning: Attempt to free released memory
g_free(l->data);
^~~~~~~~~~~~~~~
1 warning generated.
lib/sdp.c:507:16: warning: Dereference of undefined pointer value
int8_t dtd = *(uint8_t *) dtds[i];
^~~~~~~~~~~~~~~~~~~~
lib/sdp.c:535:17: warning: Dereference of undefined pointer value
uint8_t dtd = *(uint8_t *) dtds[i];
^~~~~~~~~~~~~~~~~~~~
lib/sdp.c:580:12: warning: Access to field 'attrId' results in a dereference of a null pointer (loaded from variable 'd')
d->attrId = attr;
~ ^
lib/sdp.c:1870:26: warning: Potential leak of memory pointed to by 'ap'
for (; pdlist; pdlist = pdlist->next) {
^~~~~~
lib/sdp.c:1884:6: warning: Potential leak of memory pointed to by 'pds'
ap = sdp_list_append(ap, pds);
~~~^~~~~~~~~~~~~~~~~~~~~~~~~~
lib/sdp.c:1929:10: warning: Potential leak of memory pointed to by 'u'
*seqp = sdp_list_append(*seqp, u);
~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~
lib/sdp.c:2034:4: warning: Potential leak of memory pointed to by 'lang'
sdp_list_free(*langSeq, free);
^~~~~~~~~~~~~
lib/sdp.c:2123:9: warning: Potential leak of memory pointed to by 'profDesc'
return 0;
^
lib/sdp.c:3250:8: warning: Potential leak of memory pointed to by 'pSvcRec'
pSeq = sdp_list_append(pSeq, pSvcRec);
~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
lib/sdp.c:3251:9: warning: Potential leak of memory pointed to by 'pSeq'
pdata += sizeof(uint32_t);
~~~~~~^~~~~~~~~~~~~~~~~~~
lib/sdp.c:4587:13: warning: Potential leak of memory pointed to by 'rec_list'
} while (scanned < attr_list_len && pdata_len > 0);
^~~~~~~
lib/sdp.c:4883:40: warning: Potential leak of memory pointed to by 'tseq'
for (d = sdpdata->val.dataseq; d; d = d->next) {
^
lib/sdp.c:4919:8: warning: Potential leak of memory pointed to by 'subseq'
tseq = sdp_list_append(tseq, subseq);
~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
13 warnings generated.
src/shared/gatt-client.c:451:21: warning: Use of memory after it is freed
gatt_db_unregister(op->client->db, op->db_id);
^~~~~~~~~~
src/shared/gatt-client.c:696:2: warning: Use of memory after it is freed
discovery_op_complete(op, false, att_ecode);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:993:2: warning: Use of memory after it is freed
discovery_op_complete(op, success, att_ecode);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1099:2: warning: Use of memory after it is freed
discovery_op_complete(op, success, att_ecode);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1291:2: warning: Use of memory after it is freed
discovery_op_complete(op, success, att_ecode);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1356:2: warning: Use of memory after it is freed
discovery_op_complete(op, success, att_ecode);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1631:6: warning: Use of memory after it is freed
if (read_db_hash(op)) {
^~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1636:2: warning: Use of memory after it is freed
discover_all(op);
^~~~~~~~~~~~~~~~
src/shared/gatt-client.c:2140:6: warning: Use of memory after it is freed
if (read_db_hash(op)) {
^~~~~~~~~~~~~~~~
src/shared/gatt-client.c:2148:8: warning: Use of memory after it is freed
discovery_op_ref(op),
^~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:3236:2: warning: Use of memory after it is freed
complete_write_long_op(req, success, 0, false);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:3258:2: warning: Use of memory after it is freed
request_unref(req);
^~~~~~~~~~~~~~~~~~
12 warnings generated.
src/shared/shell.c:1228:13: warning: Access to field 'options' results in a dereference of a null pointer (loaded from variable 'opt')
if (c != opt->options[index - offset].val) {
^~~~~~~~~~~~
1 warning generated.
monitor/l2cap.c:1640:4: warning: Value stored to 'data' is never read
data += len;
^ ~~~
monitor/l2cap.c:1641:4: warning: Value stored to 'size' is never read
size -= len;
^ ~~~
2 warnings generated.
monitor/packet.c:12370:2: warning: Null pointer passed to 2nd parameter expecting 'nonnull'
memcpy(tx, tv, sizeof(*tv));
^~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
monitor/hwdb.c:59:2: warning: Value stored to 'hwdb' is never read
hwdb = udev_hwdb_unref(hwdb);
^ ~~~~~~~~~~~~~~~~~~~~~
monitor/hwdb.c:64:2: warning: Value stored to 'udev' is never read
udev = udev_unref(udev);
^ ~~~~~~~~~~~~~~~~
monitor/hwdb.c:106:2: warning: Value stored to 'hwdb' is never read
hwdb = udev_hwdb_unref(hwdb);
^ ~~~~~~~~~~~~~~~~~~~~~
monitor/hwdb.c:111:2: warning: Value stored to 'udev' is never read
udev = udev_unref(udev);
^ ~~~~~~~~~~~~~~~~
4 warnings generated.
tools/bluemoon.c:1101:8: warning: Null pointer passed to 1st parameter expecting 'nonnull'
if (strlen(optarg) > 3 && !strncmp(optarg, "hci", 3))
^~~~~~~~~~~~~~
1 warning generated.
tools/meshctl.c:326:19: warning: Access to field 'mesh_devices' results in a dereference of a null pointer (loaded from variable 'default_ctrl')
g_list_free_full(default_ctrl->mesh_devices, g_free);
^~~~~~~~~~~~~~~~~~~~~~~~~~
tools/meshctl.c:762:2: warning: 2nd function call argument is an uninitialized value
bt_shell_printf("Attempting to disconnect from %s\n", addr);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
tools/meshctl.c:1957:2: warning: Value stored to 'len' is never read
len = len + extra + strlen("local_node.json");
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
3 warnings generated.
In file included from tools/mesh-gatt/crypto.c:32:
./src/shared/util.h:191:9: warning: 1st function call argument is an uninitialized value
return be32_to_cpu(get_unaligned((const uint32_t *) ptr));
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./src/shared/util.h:33:26: note: expanded from macro 'be32_to_cpu'
#define be32_to_cpu(val) bswap_32(val)
^~~~~~~~~~~~~
/usr/include/byteswap.h:34:21: note: expanded from macro 'bswap_32'
#define bswap_32(x) __bswap_32 (x)
^~~~~~~~~~~~~~
In file included from tools/mesh-gatt/crypto.c:32:
./src/shared/util.h:201:9: warning: 1st function call argument is an uninitialized value
return be64_to_cpu(get_unaligned((const uint64_t *) ptr));
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./src/shared/util.h:34:26: note: expanded from macro 'be64_to_cpu'
#define be64_to_cpu(val) bswap_64(val)
^~~~~~~~~~~~~
/usr/include/byteswap.h:37:21: note: expanded from macro 'bswap_64'
#define bswap_64(x) __bswap_64 (x)
^~~~~~~~~~~~~~
2 warnings generated.
ell/util.c:796:8: warning: The left operand of '>' is a garbage value
if (x > UINT8_MAX)
~ ^
ell/util.c:814:8: warning: The left operand of '>' is a garbage value
if (x > UINT16_MAX)
~ ^
2 warnings generated.
ell/queue.c:529:4: warning: Value stored to 'entry' is never read
entry = entry->next;
^ ~~~~~~~~~~~
1 warning generated.
ell/pem.c:146:8: warning: Dereference of null pointer (loaded from variable 'eol')
if (*eol == '\r' || *eol == '\n')
^~~~
ell/pem.c:181:18: warning: Dereference of null pointer (loaded from variable 'eol')
if (buf_len && *eol == '\r' && *buf_ptr == '\n') {
^~~~
ell/pem.c:181:34: warning: Dereference of null pointer (loaded from variable 'buf_ptr')
if (buf_len && *eol == '\r' && *buf_ptr == '\n') {
^~~~~~~~
ell/pem.c:319:11: warning: 1st function call argument is an uninitialized value
result = pem_load_buffer(file.data, file.st.st_size,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ell/pem.c:484:9: warning: 1st function call argument is an uninitialized value
list = l_pem_load_certificate_list_from_data(file.data,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
5 warnings generated.
ell/cert.c:657:41: warning: Access to field 'asn1_len' results in a dereference of a null pointer (loaded from variable 'cert')
key = l_key_new(L_KEY_RSA, cert->asn1, cert->asn1_len);
^~~~~~~~~~~~~~
ell/cert.c:1690:8: warning: Although the value stored to 'elem_data' is used in the enclosing expression, the value is never actually read from 'elem_data'
if (!(elem_data = asn1_der_find_elem(seq, seq_len,
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2 warnings generated.
ell/dbus.c:1707:10: warning: Although the value stored to 'type' is used in the enclosing expression, the value is never actually read from 'type'
while ((type = va_arg(args, enum l_dbus_match_type)) !=
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
ell/gvariant-util.c:158:18: warning: The left operand of '>' is a garbage value
if (alignment > max_alignment)
~~~~~~~~~ ^
ell/gvariant-util.c:471:5: warning: Dereference of null pointer
!children[0].fixed_size) {
^~~~~~~~~~~~~~~~~~~~~~
ell/gvariant-util.c:861:2: warning: Value stored to 'i' is never read
i = container->offset_index - 1;
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
3 warnings generated.
ell/ecc-external.c:68:24: warning: The left operand of '&' is a garbage value
return (vli[bit / 64] & ((uint64_t) 1 << (bit % 64)));
~~~~~~~~~~~~~ ^
ell/ecc-external.c:160:18: warning: The right operand of '-' is a garbage value
diff = left[i] - right[i] - borrow;
^ ~~~~~~~~
2 warnings generated.
In file included from tools/parser/amp.c:15:
tools/parser/parser.h:121:16: warning: Dereference of null pointer
time_t t = f->ts.tv_sec;
^~~~~~~~~~~~
tools/parser/parser.h:127:27: warning: Dereference of null pointer
printf("%8lu.%06lu ", f->ts.tv_sec, f->ts.tv_usec);
^~~~~~~~~~~~
tools/parser/parser.h:129:18: warning: Access to field 'in' results in a dereference of a null pointer (loaded from variable 'f')
printf("%c ", (f->in ? '>' : '<'));
^~~~~
3 warnings generated.
In file included from tools/parser/sdp.c:24:
tools/parser/parser.h:121:16: warning: Dereference of null pointer
time_t t = f->ts.tv_sec;
^~~~~~~~~~~~
tools/parser/parser.h:127:27: warning: Dereference of null pointer
printf("%8lu.%06lu ", f->ts.tv_sec, f->ts.tv_usec);
^~~~~~~~~~~~
tools/parser/parser.h:129:18: warning: Access to field 'in' results in a dereference of a null pointer (loaded from variable 'f')
printf("%c ", (f->in ? '>' : '<'));
^~~~~
3 warnings generated.
In file included from tools/parser/ppp.c:22:
tools/parser/parser.h:156:2: warning: Undefined or garbage value returned to caller
return *u8_ptr;
^~~~~~~~~~~~~~
tools/parser/ppp.c:108:30: warning: The left operand of '&' is a garbage value
if (*((uint8_t *) frm->ptr) & 0x80)
~~~~~~~~~~~~~~~~~~~~~~~ ^
2 warnings generated.
emulator/serial.c:150:2: warning: Assigned value is garbage or undefined
enum btdev_type uninitialized_var(type);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
emulator/serial.c:150:36: warning: Value stored to 'type' during its initialization is never read
enum btdev_type uninitialized_var(type);
^~~~
emulator/serial.c:35:30: note: expanded from macro 'uninitialized_var'
#define uninitialized_var(x) x = x
^ ~
emulator/serial.c:213:2: warning: Assigned value is garbage or undefined
enum btdev_type uninitialized_var(dev_type);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
emulator/serial.c:213:36: warning: Value stored to 'dev_type' during its initialization is never read
enum btdev_type uninitialized_var(dev_type);
^~~~~~~~
emulator/serial.c:35:30: note: expanded from macro 'uninitialized_var'
#define uninitialized_var(x) x = x
^ ~
4 warnings generated.
emulator/server.c:200:2: warning: Assigned value is garbage or undefined
enum btdev_type uninitialized_var(type);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
emulator/server.c:200:36: warning: Value stored to 'type' during its initialization is never read
enum btdev_type uninitialized_var(type);
^~~~
emulator/server.c:36:30: note: expanded from macro 'uninitialized_var'
#define uninitialized_var(x) x = x
^ ~
2 warnings generated.
emulator/btdev.c: In function ‘pending_conn_add’:
emulator/btdev.c:1221:16: error: comparison of integer expressions of different signedness: ‘int’ and ‘long unsigned int’ [-Werror=sign-compare]
1221 | for (i = 0; i < ARRAY_SIZE(btdev->pending_conn); ++i) {
| ^
emulator/btdev.c: In function ‘pending_conn_del’:
emulator/btdev.c:1233:16: error: comparison of integer expressions of different signedness: ‘int’ and ‘long unsigned int’ [-Werror=sign-compare]
1233 | for (i = 0; i < ARRAY_SIZE(btdev->pending_conn); ++i) {
| ^
cc1: all warnings being treated as errors
make[1]: *** [Makefile:7645: emulator/btdev.o] Error 1
make[1]: *** Waiting for unfinished jobs....
make: *** [Makefile:4537: all] Error 2


---
Regards,
Linux Bluetooth

2023-07-27 10:01:04

by Pauli Virtanen

Subject: Re: [PATCH BlueZ 1/5] btdev: check error conditions for HCI_Create_Connection_Cancel

to, 2023-07-27 kello 00:25 +0300, Pauli Virtanen kirjoitti:
> Create Connection Cancel shall return Command Complete with error status
> when there is no Create Connection that can be canceled. In these
> cases, we should not send a (spurious) Connection Complete event.
>
> Fix by keeping a list of pending Create Connection commands, and
> returning command errors if there is none pending at the moment.
> ---
> emulator/btdev.c | 76 +++++++++++++++++++++++++++++++++++++++++++-----
> 1 file changed, 68 insertions(+), 8 deletions(-)
>
> diff --git a/emulator/btdev.c b/emulator/btdev.c
> index 637f0bb98..0c75e71c0 100644
> --- a/emulator/btdev.c
> +++ b/emulator/btdev.c
> @@ -62,6 +62,7 @@ struct hook {
>
> #define MAX_HOOK_ENTRIES 16
> #define MAX_EXT_ADV_SETS 3
> +#define MAX_PENDING_CONN 16
>
> struct btdev_conn {
> uint16_t handle;
> @@ -223,6 +224,8 @@ struct btdev {
> uint8_t le_rl_enable;
> uint16_t le_rl_timeout;
>
> + struct btdev *pending_conn[MAX_PENDING_CONN];
> +
> uint8_t le_local_sk256[32];
>
> uint16_t sync_train_interval;
> @@ -1211,10 +1214,36 @@ static struct btdev_conn *conn_link_bis(struct btdev *dev, struct btdev *remote,
> return conn;
> }
>
> +static void pending_conn_add(struct btdev *btdev, struct btdev *remote)
> +{
> + int i;
> +
> + for (i = 0; i < ARRAY_SIZE(btdev->pending_conn); ++i) {
> + if (!btdev->pending_conn[i]) {
> + btdev->pending_conn[i] = remote;
> + return;
> + }
> + }
> +}
> +
> +static bool pending_conn_del(struct btdev *btdev, struct btdev *remote)
> +{
> + int i;
> +
> + for (i = 0; i < ARRAY_SIZE(btdev->pending_conn); ++i) {
> + if (btdev->pending_conn[i] == remote) {
> + btdev->pending_conn[i] = NULL;
> + return true;
> + }
> + }
> + return false;
> +}
> +
> static void conn_complete(struct btdev *btdev,
> const uint8_t *bdaddr, uint8_t status)
> {
> struct bt_hci_evt_conn_complete cc;
> + struct btdev *remote = find_btdev_by_bdaddr(bdaddr);
>
> if (!status) {
> struct btdev_conn *conn;
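Review bot: `pending_conn_del()` treats a NULL `remote` as a match for the first free slot, because empty slots are NULL as well, so it returns true although nothing was pending. `cmd_create_conn_cancel()` later in this patch passes the result of `find_btdev_by_bdaddr()` straight in, and the `else` branch of `cmd_create_conn_complete()` suggests that lookup can fail. A cancel for an unknown address would then be answered with success rather than Unknown Connection Identifier whenever a slot is free. A guard at the top of the helper, `if (!remote) return false;`, keeps the two cases apart. `conn_complete()` continues past the end of this hunk.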
> @@ -1223,6 +1252,8 @@ static void conn_complete(struct btdev *btdev,
> if (!conn)
> return;
>
> + pending_conn_del(conn->link->dev, btdev);
> +
> cc.status = status;
> memcpy(cc.bdaddr, btdev->bdaddr, 6);
> cc.encr_mode = 0x00;
> @@ -1240,6 +1271,8 @@ static void conn_complete(struct btdev *btdev,
> cc.link_type = 0x01;
> }
>
> + pending_conn_del(btdev, remote);
> +
> cc.status = status;
> memcpy(cc.bdaddr, bdaddr, 6);
> cc.encr_mode = 0x00;
> @@ -1260,6 +1293,8 @@ static int cmd_create_conn_complete(struct btdev *dev, const void *data,
> memcpy(cr.dev_class, dev->dev_class, 3);
> cr.link_type = 0x01;
>
> + pending_conn_add(dev, remote);
> +
> send_event(remote, BT_HCI_EVT_CONN_REQUEST, &cr, sizeof(cr));
> } else {
> conn_complete(dev, cmd->bdaddr, BT_HCI_ERR_PAGE_TIMEOUT);
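Review bot: The `pending_conn_add(dev, remote)` call has no way to fail visibly, since the helper returns void, falls out of its loop silently once all MAX_PENDING_CONN slots are taken, and does not check whether `remote` is already recorded. A dropped entry makes a later Create Connection Cancel for a request that really is pending come back as Unknown Connection Identifier, and a duplicate entry outlives the single `pending_conn_del()` done on completion. I would have the helper return `bool` (true when the remote is stored or already present) and fail the command here when it returns false. The slots hold raw `struct btdev *` values; whether they are cleared when the remote device is destroyed is not visible in this patch and is worth confirming. `cmd_create_conn_complete()` starts and ends outside the hunk.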
> @@ -1296,14 +1331,47 @@ static int cmd_add_sco_conn(struct btdev *dev, const void *data, uint8_t len)
> cc.encr_mode = 0x00;
>
> done:
> + pending_conn_del(dev, conn->link->dev);
> +
> send_event(dev, BT_HCI_EVT_CONN_COMPLETE, &cc, sizeof(cc));
>
> return 0;
> }
>
> +static bool match_bdaddr(const void *data, const void *match_data)
> +{
> + const struct btdev_conn *conn = data;
> + const uint8_t *bdaddr = match_data;
> +
> + return !memcmp(conn->link->dev->bdaddr, bdaddr, 6);
> +}
> +
> static int cmd_create_conn_cancel(struct btdev *dev, const void *data,
> uint8_t len)
> {
> + const struct bt_hci_cmd_create_conn_cancel *cmd = data;
> + struct btdev *remote = find_btdev_by_bdaddr(cmd->bdaddr);
> + struct btdev_conn *conn;
> +
> + /* BLUETOOTH CORE SPECIFICATION Version 5.4 | Vol 4, Part E page 1848
> + *
> + * If the connection is already established, and the
> + * HCI_Connection_Complete event has been sent, then the Controller
> + * shall return an HCI_Command_Complete event with the error code
> + * Connection Already Exists (0x0B). If the HCI_Create_Connection_Cancel
> + * command is sent to the Controller without a preceding
> + * HCI_Create_Connection command to the same device, the BR/EDR
> + * Controller shall return an HCI_Command_Complete event with the error
> + * code Unknown Connection Identifier (0x02).
> + */
> + if (!pending_conn_del(dev, remote)) {
> + conn = queue_find(dev->conns, match_bdaddr, cmd->bdaddr);
> + if (conn)
> + return -EEXIST;
> +
> + return -ENOENT;
> + }
> +
> cmd_status(dev, BT_HCI_ERR_SUCCESS, BT_HCI_CMD_CREATE_CONN_CANCEL);

This should have been Command_Complete not Command_Status.

For v2

>
> return 0;
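Review bot: At the `done:` label `conn->link->dev` is dereferenced unconditionally, but the `goto done` sites are above this hunk, and error paths commonly jump to such a label after a failed lookup, which would leave `conn` NULL here. If any of them does, the call needs a guard: `if (conn) pending_conn_del(dev, conn->link->dev);`. `cmd_add_sco_conn()` starts outside the hunk, so this has to be checked against the full function.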
> @@ -1372,14 +1440,6 @@ static int cmd_link_key_reply(struct btdev *dev, const void *data, uint8_t len)
> return 0;
> }
>
> -static bool match_bdaddr(const void *data, const void *match_data)
> -{
> - const struct btdev_conn *conn = data;
> - const uint8_t *bdaddr = match_data;
> -
> - return !memcmp(conn->link->dev->bdaddr, bdaddr, 6);
> -}
> -
> static void auth_complete(struct btdev_conn *conn, uint8_t status)
> {
> struct bt_hci_evt_auth_complete ev;


2023-08-01 00:24:50

by Luiz Augusto von Dentz

Subject: Re: [PATCH BlueZ 1/5] btdev: check error conditions for HCI_Create_Connection_Cancel

Hi Pauli,

On Thu, Jul 27, 2023 at 3:00 AM Pauli Virtanen <[email protected]> wrote:
>
> to, 2023-07-27 kello 00:25 +0300, Pauli Virtanen kirjoitti:
> > Create Connection Cancel shall return Command Complete with error status
> > when there is no Create Connection that can be canceled. In these
> > cases, we should not send a (spurious) Connection Complete event.
> >
> > Fix by keeping a list of pending Create Connection commands, and
> > returning command errors if there is none pending at the moment.
> > ---
> > emulator/btdev.c | 76 +++++++++++++++++++++++++++++++++++++++++++-----
> > 1 file changed, 68 insertions(+), 8 deletions(-)
> >
> > diff --git a/emulator/btdev.c b/emulator/btdev.c
> > index 637f0bb98..0c75e71c0 100644
> > --- a/emulator/btdev.c
> > +++ b/emulator/btdev.c
> > @@ -62,6 +62,7 @@ struct hook {
> >
> > #define MAX_HOOK_ENTRIES 16
> > #define MAX_EXT_ADV_SETS 3
> > +#define MAX_PENDING_CONN 16
> >
> > struct btdev_conn {
> > uint16_t handle;
> > @@ -223,6 +224,8 @@ struct btdev {
> > uint8_t le_rl_enable;
> > uint16_t le_rl_timeout;
> >
> > + struct btdev *pending_conn[MAX_PENDING_CONN];
> > +
> > uint8_t le_local_sk256[32];
> >
> > uint16_t sync_train_interval;
> > @@ -1211,10 +1214,36 @@ static struct btdev_conn *conn_link_bis(struct btdev *dev, struct btdev *remote,
> > return conn;
> > }
> >
> > +static void pending_conn_add(struct btdev *btdev, struct btdev *remote)
> > +{
> > + int i;
> > +
> > + for (i = 0; i < ARRAY_SIZE(btdev->pending_conn); ++i) {
> > + if (!btdev->pending_conn[i]) {
> > + btdev->pending_conn[i] = remote;
> > + return;
> > + }
> > + }
> > +}
> > +
> > +static bool pending_conn_del(struct btdev *btdev, struct btdev *remote)
> > +{
> > + int i;
> > +
> > + for (i = 0; i < ARRAY_SIZE(btdev->pending_conn); ++i) {
> > + if (btdev->pending_conn[i] == remote) {
> > + btdev->pending_conn[i] = NULL;
> > + return true;
> > + }
> > + }
> > + return false;
> > +}
> > +
> > static void conn_complete(struct btdev *btdev,
> > const uint8_t *bdaddr, uint8_t status)
> > {
> > struct bt_hci_evt_conn_complete cc;
> > + struct btdev *remote = find_btdev_by_bdaddr(bdaddr);
> >
> > if (!status) {
> > struct btdev_conn *conn;
> > @@ -1223,6 +1252,8 @@ static void conn_complete(struct btdev *btdev,
> > if (!conn)
> > return;
> >
> > + pending_conn_del(conn->link->dev, btdev);
> > +
> > cc.status = status;
> > memcpy(cc.bdaddr, btdev->bdaddr, 6);
> > cc.encr_mode = 0x00;
> > @@ -1240,6 +1271,8 @@ static void conn_complete(struct btdev *btdev,
> > cc.link_type = 0x01;
> > }
> >
> > + pending_conn_del(btdev, remote);
> > +
> > cc.status = status;
> > memcpy(cc.bdaddr, bdaddr, 6);
> > cc.encr_mode = 0x00;
> > @@ -1260,6 +1293,8 @@ static int cmd_create_conn_complete(struct btdev *dev, const void *data,
> > memcpy(cr.dev_class, dev->dev_class, 3);
> > cr.link_type = 0x01;
> >
> > + pending_conn_add(dev, remote);
> > +
> > send_event(remote, BT_HCI_EVT_CONN_REQUEST, &cr, sizeof(cr));
> > } else {
> > conn_complete(dev, cmd->bdaddr, BT_HCI_ERR_PAGE_TIMEOUT);
> > @@ -1296,14 +1331,47 @@ static int cmd_add_sco_conn(struct btdev *dev, const void *data, uint8_t len)
> > cc.encr_mode = 0x00;
> >
> > done:
> > + pending_conn_del(dev, conn->link->dev);
> > +
> > send_event(dev, BT_HCI_EVT_CONN_COMPLETE, &cc, sizeof(cc));
> >
> > return 0;
> > }
> >
> > +static bool match_bdaddr(const void *data, const void *match_data)
> > +{
> > + const struct btdev_conn *conn = data;
> > + const uint8_t *bdaddr = match_data;
> > +
> > + return !memcmp(conn->link->dev->bdaddr, bdaddr, 6);
> > +}
> > +
> > static int cmd_create_conn_cancel(struct btdev *dev, const void *data,
> > uint8_t len)
> > {
> > + const struct bt_hci_cmd_create_conn_cancel *cmd = data;
> > + struct btdev *remote = find_btdev_by_bdaddr(cmd->bdaddr);
> > + struct btdev_conn *conn;
> > +
> > + /* BLUETOOTH CORE SPECIFICATION Version 5.4 | Vol 4, Part E page 1848
> > + *
> > + * If the connection is already established, and the
> > + * HCI_Connection_Complete event has been sent, then the Controller
> > + * shall return an HCI_Command_Complete event with the error code
> > + * Connection Already Exists (0x0B). If the HCI_Create_Connection_Cancel
> > + * command is sent to the Controller without a preceding
> > + * HCI_Create_Connection command to the same device, the BR/EDR
> > + * Controller shall return an HCI_Command_Complete event with the error
> > + * code Unknown Connection Identifier (0x02).
> > + */
> > + if (!pending_conn_del(dev, remote)) {
> > + conn = queue_find(dev->conns, match_bdaddr, cmd->bdaddr);
> > + if (conn)
> > + return -EEXIST;
> > +
> > + return -ENOENT;
> > + }
> > +
> > cmd_status(dev, BT_HCI_ERR_SUCCESS, BT_HCI_CMD_CREATE_CONN_CANCEL);
>
> This should have been Command_Complete not Command_Status.

There are quite a few errors when I tried to compile this one:

emulator/btdev.c: In function ‘pending_conn_add’:
emulator/btdev.c:1221:23: error: comparison of integer expressions of
different signedness: ‘int’ and ‘long unsigned int’
[-Werror=sign-compare]
1221 | for (i = 0; i < ARRAY_SIZE(btdev->pending_conn); ++i) {
| ^
emulator/btdev.c: In function ‘pending_conn_del’:
emulator/btdev.c:1233:23: error: comparison of integer expressions of
different signedness: ‘int’ and ‘long unsigned int’
[-Werror=sign-compare]
1233 | for (i = 0; i < ARRAY_SIZE(btdev->pending_conn); ++i) {
| ^
cc1: all warnings being treated as errors
emulator/btdev.c: In function ‘pending_conn_add’:
emulator/btdev.c:1221:23: error: comparison of integer expressions of
different signedness: ‘int’ and ‘long unsigned int’
[-Werror=sign-compare]
1221 | for (i = 0; i < ARRAY_SIZE(btdev->pending_conn); ++i) {
| ^
emulator/btdev.c: In function ‘pending_conn_del’:
emulator/btdev.c:1233:23: error: comparison of integer expressions of
different signedness: ‘int’ and ‘long unsigned int’
[-Werror=sign-compare]
1233 | for (i = 0; i < ARRAY_SIZE(btdev->pending_conn); ++i) {
| ^
cc1: all warnings being treated as errors
make[1]: *** [Makefile:8484: emulator/android_android_tester-btdev.o] Error 1
make[1]: *** Waiting for unfinished jobs....
make[1]: *** [Makefile:7648: emulator/btdev.o] Error 1
emulator/btdev.c: In function ‘pending_conn_add’:
emulator/btdev.c:1221:23: error: comparison of integer expressions of
different signedness: ‘int’ and ‘long unsigned int’
[-Werror=sign-compare]
1221 | for (i = 0; i < ARRAY_SIZE(btdev->pending_conn); ++i) {
| ^
emulator/btdev.c: In function ‘pending_conn_del’:
emulator/btdev.c:1233:23: error: comparison of integer expressions of
different signedness: ‘int’ and ‘long unsigned int’
[-Werror=sign-compare]
1233 | for (i = 0; i < ARRAY_SIZE(btdev->pending_conn); ++i) {
| ^
cc1: all warnings being treated as errors


> For v2

Please have the errors fixed as well.

> >
> > return 0;
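Review bot: In cmd_create_conn_cancel, `remote` is presumably NULL when find_btdev_by_bdaddr() finds no device for cmd->bdaddr, and pending_conn_del(dev, NULL) then matches the first empty pending_conn slot and returns true. A cancel for an unknown address is therefore treated as a pending connection rather than getting -ENOENT, which is the case this patch sets out to reject. Guard the lookup with `if (!remote || !pending_conn_del(dev, remote)) {`, or have pending_conn_del() return false for a NULL remote; the same call in conn_complete is harmless only because its result is ignored. Separately, the added `pending_conn_del(dev, conn->link->dev);` at `done:` in cmd_add_sco_conn dereferences conn unconditionally, so if any `goto done` is taken with conn NULL this would crash the emulator. The code before the label is outside the hunk and should be checked, with a guard such as `if (conn) pending_conn_del(dev, conn->link->dev);` if needed.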
> > @@ -1372,14 +1440,6 @@ static int cmd_link_key_reply(struct btdev *dev, const void *data, uint8_t len)
> > return 0;
> > }
> >
> > -static bool match_bdaddr(const void *data, const void *match_data)
> > -{
> > - const struct btdev_conn *conn = data;
> > - const uint8_t *bdaddr = match_data;
> > -
> > - return !memcmp(conn->link->dev->bdaddr, bdaddr, 6);
> > -}
> > -
> > static void auth_complete(struct btdev_conn *conn, uint8_t status)
> > {
> > struct bt_hci_evt_auth_complete ev;
>


--
Luiz Augusto von Dentz