Received: by 2002:a25:c205:0:0:0:0:0 with SMTP id s5csp2718730ybf;
        Mon, 2 Mar 2020 14:13:10 -0800 (PST)
X-Google-Smtp-Source: ADFU+vsX9Cyoh/VqE2N4strBDUXjkhzktAKqdvevz90oJ6hq1+C0/7EWtDbBH48gpFr4PWLL7hDe
X-Received: by 2002:a9d:7ad9:: with SMTP id m25mr1009418otn.13.1583187189874;
        Mon, 02 Mar 2020 14:13:09 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1583187189; cv=none;
        d=google.com; s=arc-20160816;
        b=R/XYpQFD0iY75eCm/Zg/OUyc0xuDbjT4tf6fKV3kl/XXj+rRbG7Wd9gAxCbtkgVY/p
         OTGUvfqbgU/ywfqevARTeLkgmn7t0dhrDk+auWG+VNkkVf9exehahH9hXa1/FPxoqcrm
         +yvvKi7Nh7PJ+GbqoJa8Y4Oq4NEX4I9FAG7h4s9o44kIdf0qHljo98u8HhejMsIcR15J
         6lQtW9+gzgUTSJ2CCNe6Ltp3njsB/41nrZYAiMUpX8AYP45YFG+R9D9mzQDtxeA0b2Bq
         w1yROB2Ap9EiZ4V5o9zWWqqrvsMpYXx6LeQvUEAHTNUpXwDjTv6LH3J6rKOTUoCM+EoS
         TjpQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:to:references:message-id
         :content-transfer-encoding:cc:date:in-reply-to:from:subject
         :mime-version;
        bh=Mn8dgY6EFr0zNk3iIPutqL8JhUnn1HXO8nHfWQ+gpCI=;
        b=KTLzjzUPcmKyOAqf01KCQkB0UND/BTOv/aaCqHbp3PLjbVN74dncrZ1V53SUN8sGbE
         nhIZiWplxwotQgKTr/AxEq4ZB0Nrt8J0lQtzOPK2Tm1OcnCdzcZ1caeAx3VVfqmrlm0T
         Fh9mKx4A/ZhCN1TC3FFTRY4dQQHZJZc35AQL5bza5cr/SNruq9yvjVnBphRLPHGDPSlO
         SsovHKmnl9bjC+NlbJYtSWg+eOE+TTd890GUJwc6pG3pYCL6vAWVtoQjo1o99qvxFH8k
         3HBfFuDhUIowOIrl3hvJHFAxVGWcsKXGOYiytiE4fR8s8VfZ1RGKizF8YkcuGJiwSe/G
         2Jrg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-bluetooth-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org
Return-Path: <linux-bluetooth-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id v19si2405385otq.57.2020.03.02.14.12.58;
        Mon, 02 Mar 2020 14:13:09 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-bluetooth-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-bluetooth-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726232AbgCBWMx convert rfc822-to-8bit (ORCPT
        <rfc822;chrisbkr2020@gmail.com> + 99 others);
        Mon, 2 Mar 2020 17:12:53 -0500
Received: from coyote.holtmann.net ([212.227.132.17]:48079 "EHLO
        mail.holtmann.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1725781AbgCBWMx (ORCPT
        <rfc822;linux-bluetooth@vger.kernel.org>);
        Mon, 2 Mar 2020 17:12:53 -0500
Received: from marcel-macbook.fritz.box (p4FEFC5A7.dip0.t-ipconnect.de [79.239.197.167])
        by mail.holtmann.org (Postfix) with ESMTPSA id 109EDCECC4;
        Mon,  2 Mar 2020 23:22:19 +0100 (CET)
Content-Type: text/plain;
        charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.60.0.2.5\))
Subject: Re: [PATCH v2] bluetooth: guard against controllers sending zero'd
 events
From:   Marcel Holtmann <marcel@holtmann.org>
In-Reply-To: <20200302154249.25047-1-alainm@chromium.org>
Date:   Mon, 2 Mar 2020 23:12:51 +0100
Cc:     Bluez mailing list <linux-bluetooth@vger.kernel.org>
Content-Transfer-Encoding: 8BIT
Message-Id: <DA78EC88-88D2-4086-BC83-FCC1E2B2BE2C@holtmann.org>
References: <20200302154249.25047-1-alainm@chromium.org>
To:     Alain Michaud <alainm@chromium.org>
X-Mailer: Apple Mail (2.3608.60.0.2.5)
Sender: linux-bluetooth-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-bluetooth.vger.kernel.org>
X-Mailing-List: linux-bluetooth@vger.kernel.org

Hi Alain,

> Some controllers have been observed to send zero'd events under some
> conditions.  This change guards against this condition as well as adding
> a trace to facilitate diagnosability of this condition.
> 
> Signed-off-by: Alain Michaud <alainm@chromium.org>
> ---
> 
> net/bluetooth/hci_event.c | 6 ++++++
> 1 file changed, 6 insertions(+)
> 
> diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
> index 591e7477e925..56305b3a865e 100644
> --- a/net/bluetooth/hci_event.c
> +++ b/net/bluetooth/hci_event.c
> @@ -5868,6 +5868,12 @@ void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
> 	u8 status = 0, event = hdr->evt, req_evt = 0;
> 	u16 opcode = HCI_OP_NOP;
> 
> +	if (!event) {
> +		bt_dev_warn(hdev, "Received unexpected HCI Event 00000000");
> +		kfree_skb(skb);
> +		hdev->stat.evt_rx++;
> +	}
> +
> 	if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->hci.req_event == event) {
> 		struct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data;
> 		opcode = __le16_to_cpu(cmd_hdr->opcode);

what about doing just this:

@@ -5868,6 +5868,11 @@ void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
        u8 status = 0, event = hdr->evt, req_evt = 0;
        u16 opcode = HCI_OP_NOP;
 
+       if (!event) {
+               bt_dev_warn(hdev, ..);
+               goto done;
+       }
+
        if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->hci.req_event == event) {
                struct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data;
                opcode = __le16_to_cpu(cmd_hdr->opcode);
@@ -6079,6 +6084,7 @@ void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
                req_complete_skb(hdev, status, opcode, orig_skb);
        }
 
+done:
        kfree_skb(orig_skb);
        kfree_skb(skb);
        hdev->stat.evt_rx++;

Regards

Marcel