Message ID | 20220420221433.2933868-1-luiz.dentz@gmail.com (mailing list archive) |
---|---|
State | Superseded |
Headers | show |
Series | Bluetooth: hci_event: Fix checking for invalid handle on error status | expand |
Hi Luiz, I love your patch! Yet something to improve: [auto build test ERROR on bluetooth-next/master] [also build test ERROR on linus/master v5.18-rc3 next-20220420] [cannot apply to bluetooth/master] [If your patch is applied to the wrong git tree, kindly drop us a note. And when submitting patch, we suggest to use '--base' as documented in https://git-scm.com/docs/git-format-patch] url: https://github.com/intel-lab-lkp/linux/commits/Luiz-Augusto-von-Dentz/Bluetooth-hci_event-Fix-checking-for-invalid-handle-on-error-status/20220421-061600 base: https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git master config: arc-randconfig-r043-20220420 (https://download.01.org/0day-ci/archive/20220421/202204210853.eFHdXHTU-lkp@intel.com/config) compiler: arc-elf-gcc (GCC) 11.2.0 reproduce (this is a W=1 build): wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross chmod +x ~/bin/make.cross # https://github.com/intel-lab-lkp/linux/commit/91a252b91692543d5f9536ebdf10f20a413a858f git remote add linux-review https://github.com/intel-lab-lkp/linux git fetch --no-tags linux-review Luiz-Augusto-von-Dentz/Bluetooth-hci_event-Fix-checking-for-invalid-handle-on-error-status/20220421-061600 git checkout 91a252b91692543d5f9536ebdf10f20a413a858f # save the config file mkdir build_dir && cp config build_dir/.config COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.2.0 make.cross W=1 O=build_dir ARCH=arc SHELL=/bin/bash net/bluetooth/ If you fix the issue, kindly add following tag as appropriate Reported-by: kernel test robot <lkp@intel.com> All errors (new ones prefixed by >>): net/bluetooth/hci_event.c: In function 'hci_conn_complete_evt': >> net/bluetooth/hci_event.c:3071:14: error: 'status' undeclared (first use in this function); did you mean 'kstatfs'? 3071 | if (!status && __le16_to_cpu(ev->handle) > HCI_CONN_HANDLE_MAX) { | ^~~~~~ | kstatfs net/bluetooth/hci_event.c:3071:14: note: each undeclared identifier is reported only once for each function it appears in net/bluetooth/hci_event.c: In function 'hci_sync_conn_complete_evt': net/bluetooth/hci_event.c:4693:14: error: 'status' undeclared (first use in this function); did you mean 'kstatfs'? 4693 | if (!status && __le16_to_cpu(ev->handle) > HCI_CONN_HANDLE_MAX) { | ^~~~~~ | kstatfs vim +3071 net/bluetooth/hci_event.c 3064 3065 static void hci_conn_complete_evt(struct hci_dev *hdev, void *data, 3066 struct sk_buff *skb) 3067 { 3068 struct hci_ev_conn_complete *ev = data; 3069 struct hci_conn *conn; 3070 > 3071 if (!status && __le16_to_cpu(ev->handle) > HCI_CONN_HANDLE_MAX) { 3072 bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for invalid handle"); 3073 return; 3074 } 3075 3076 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 3077 3078 hci_dev_lock(hdev); 3079 3080 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr); 3081 if (!conn) { 3082 /* Connection may not exist if auto-connected. Check the bredr 3083 * allowlist to see if this device is allowed to auto connect. 3084 * If link is an ACL type, create a connection class 3085 * automatically. 3086 * 3087 * Auto-connect will only occur if the event filter is 3088 * programmed with a given address. Right now, event filter is 3089 * only used during suspend. 3090 */ 3091 if (ev->link_type == ACL_LINK && 3092 hci_bdaddr_list_lookup_with_flags(&hdev->accept_list, 3093 &ev->bdaddr, 3094 BDADDR_BREDR)) { 3095 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr, 3096 HCI_ROLE_SLAVE); 3097 if (!conn) { 3098 bt_dev_err(hdev, "no memory for new conn"); 3099 goto unlock; 3100 } 3101 } else { 3102 if (ev->link_type != SCO_LINK) 3103 goto unlock; 3104 3105 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, 3106 &ev->bdaddr); 3107 if (!conn) 3108 goto unlock; 3109 3110 conn->type = SCO_LINK; 3111 } 3112 } 3113 3114 /* The HCI_Connection_Complete event is only sent once per connection. 3115 * Processing it more than once per connection can corrupt kernel memory. 3116 * 3117 * As the connection handle is set here for the first time, it indicates 3118 * whether the connection is already set up. 3119 */ 3120 if (conn->handle != HCI_CONN_HANDLE_UNSET) { 3121 bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for existing connection"); 3122 goto unlock; 3123 } 3124 3125 if (!ev->status) { 3126 conn->handle = __le16_to_cpu(ev->handle); 3127 3128 if (conn->type == ACL_LINK) { 3129 conn->state = BT_CONFIG; 3130 hci_conn_hold(conn); 3131 3132 if (!conn->out && !hci_conn_ssp_enabled(conn) && 3133 !hci_find_link_key(hdev, &ev->bdaddr)) 3134 conn->disc_timeout = HCI_PAIRING_TIMEOUT; 3135 else 3136 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 3137 } else 3138 conn->state = BT_CONNECTED; 3139 3140 hci_debugfs_create_conn(conn); 3141 hci_conn_add_sysfs(conn); 3142 3143 if (test_bit(HCI_AUTH, &hdev->flags)) 3144 set_bit(HCI_CONN_AUTH, &conn->flags); 3145 3146 if (test_bit(HCI_ENCRYPT, &hdev->flags)) 3147 set_bit(HCI_CONN_ENCRYPT, &conn->flags); 3148 3149 /* Get remote features */ 3150 if (conn->type == ACL_LINK) { 3151 struct hci_cp_read_remote_features cp; 3152 cp.handle = ev->handle; 3153 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES, 3154 sizeof(cp), &cp); 3155 3156 hci_req_update_scan(hdev); 3157 } 3158 3159 /* Set packet type for incoming connection */ 3160 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) { 3161 struct hci_cp_change_conn_ptype cp; 3162 cp.handle = ev->handle; 3163 cp.pkt_type = cpu_to_le16(conn->pkt_type); 3164 hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp), 3165 &cp); 3166 } 3167 } else { 3168 conn->state = BT_CLOSED; 3169 if (conn->type == ACL_LINK) 3170 mgmt_connect_failed(hdev, &conn->dst, conn->type, 3171 conn->dst_type, ev->status); 3172 } 3173 3174 if (conn->type == ACL_LINK) 3175 hci_sco_setup(conn, ev->status); 3176 3177 if (ev->status) { 3178 hci_connect_cfm(conn, ev->status); 3179 hci_conn_del(conn); 3180 } else if (ev->link_type == SCO_LINK) { 3181 switch (conn->setting & SCO_AIRMODE_MASK) { 3182 case SCO_AIRMODE_CVSD: 3183 if (hdev->notify) 3184 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD); 3185 break; 3186 } 3187 3188 hci_connect_cfm(conn, ev->status); 3189 } 3190 3191 unlock: 3192 hci_dev_unlock(hdev); 3193 3194 hci_conn_check_pending(hdev); 3195 } 3196
Hi Luiz, I love your patch! Yet something to improve: [auto build test ERROR on bluetooth-next/master] [also build test ERROR on linus/master v5.18-rc3 next-20220420] [cannot apply to bluetooth/master] [If your patch is applied to the wrong git tree, kindly drop us a note. And when submitting patch, we suggest to use '--base' as documented in https://git-scm.com/docs/git-format-patch] url: https://github.com/intel-lab-lkp/linux/commits/Luiz-Augusto-von-Dentz/Bluetooth-hci_event-Fix-checking-for-invalid-handle-on-error-status/20220421-061600 base: https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git master config: riscv-randconfig-r042-20220420 (https://download.01.org/0day-ci/archive/20220421/202204210838.G9CZnn9u-lkp@intel.com/config) compiler: clang version 15.0.0 (https://github.com/llvm/llvm-project bac6cd5bf85669e3376610cfc4c4f9ca015e7b9b) reproduce (this is a W=1 build): wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross chmod +x ~/bin/make.cross # install riscv cross compiling tool for clang build # apt-get install binutils-riscv64-linux-gnu # https://github.com/intel-lab-lkp/linux/commit/91a252b91692543d5f9536ebdf10f20a413a858f git remote add linux-review https://github.com/intel-lab-lkp/linux git fetch --no-tags linux-review Luiz-Augusto-von-Dentz/Bluetooth-hci_event-Fix-checking-for-invalid-handle-on-error-status/20220421-061600 git checkout 91a252b91692543d5f9536ebdf10f20a413a858f # save the config file mkdir build_dir && cp config build_dir/.config COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross W=1 O=build_dir ARCH=riscv SHELL=/bin/bash net/bluetooth/ If you fix the issue, kindly add following tag as appropriate Reported-by: kernel test robot <lkp@intel.com> All errors (new ones prefixed by >>): >> net/bluetooth/hci_event.c:3071:7: error: use of undeclared identifier 'status' if (!status && __le16_to_cpu(ev->handle) > HCI_CONN_HANDLE_MAX) { ^ net/bluetooth/hci_event.c:4693:7: error: use of undeclared identifier 'status' if (!status && __le16_to_cpu(ev->handle) > HCI_CONN_HANDLE_MAX) { ^ 2 errors generated. vim +/status +3071 net/bluetooth/hci_event.c 3064 3065 static void hci_conn_complete_evt(struct hci_dev *hdev, void *data, 3066 struct sk_buff *skb) 3067 { 3068 struct hci_ev_conn_complete *ev = data; 3069 struct hci_conn *conn; 3070 > 3071 if (!status && __le16_to_cpu(ev->handle) > HCI_CONN_HANDLE_MAX) { 3072 bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for invalid handle"); 3073 return; 3074 } 3075 3076 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 3077 3078 hci_dev_lock(hdev); 3079 3080 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr); 3081 if (!conn) { 3082 /* Connection may not exist if auto-connected. Check the bredr 3083 * allowlist to see if this device is allowed to auto connect. 3084 * If link is an ACL type, create a connection class 3085 * automatically. 3086 * 3087 * Auto-connect will only occur if the event filter is 3088 * programmed with a given address. Right now, event filter is 3089 * only used during suspend. 3090 */ 3091 if (ev->link_type == ACL_LINK && 3092 hci_bdaddr_list_lookup_with_flags(&hdev->accept_list, 3093 &ev->bdaddr, 3094 BDADDR_BREDR)) { 3095 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr, 3096 HCI_ROLE_SLAVE); 3097 if (!conn) { 3098 bt_dev_err(hdev, "no memory for new conn"); 3099 goto unlock; 3100 } 3101 } else { 3102 if (ev->link_type != SCO_LINK) 3103 goto unlock; 3104 3105 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, 3106 &ev->bdaddr); 3107 if (!conn) 3108 goto unlock; 3109 3110 conn->type = SCO_LINK; 3111 } 3112 } 3113 3114 /* The HCI_Connection_Complete event is only sent once per connection. 3115 * Processing it more than once per connection can corrupt kernel memory. 3116 * 3117 * As the connection handle is set here for the first time, it indicates 3118 * whether the connection is already set up. 3119 */ 3120 if (conn->handle != HCI_CONN_HANDLE_UNSET) { 3121 bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for existing connection"); 3122 goto unlock; 3123 } 3124 3125 if (!ev->status) { 3126 conn->handle = __le16_to_cpu(ev->handle); 3127 3128 if (conn->type == ACL_LINK) { 3129 conn->state = BT_CONFIG; 3130 hci_conn_hold(conn); 3131 3132 if (!conn->out && !hci_conn_ssp_enabled(conn) && 3133 !hci_find_link_key(hdev, &ev->bdaddr)) 3134 conn->disc_timeout = HCI_PAIRING_TIMEOUT; 3135 else 3136 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 3137 } else 3138 conn->state = BT_CONNECTED; 3139 3140 hci_debugfs_create_conn(conn); 3141 hci_conn_add_sysfs(conn); 3142 3143 if (test_bit(HCI_AUTH, &hdev->flags)) 3144 set_bit(HCI_CONN_AUTH, &conn->flags); 3145 3146 if (test_bit(HCI_ENCRYPT, &hdev->flags)) 3147 set_bit(HCI_CONN_ENCRYPT, &conn->flags); 3148 3149 /* Get remote features */ 3150 if (conn->type == ACL_LINK) { 3151 struct hci_cp_read_remote_features cp; 3152 cp.handle = ev->handle; 3153 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES, 3154 sizeof(cp), &cp); 3155 3156 hci_req_update_scan(hdev); 3157 } 3158 3159 /* Set packet type for incoming connection */ 3160 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) { 3161 struct hci_cp_change_conn_ptype cp; 3162 cp.handle = ev->handle; 3163 cp.pkt_type = cpu_to_le16(conn->pkt_type); 3164 hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp), 3165 &cp); 3166 } 3167 } else { 3168 conn->state = BT_CLOSED; 3169 if (conn->type == ACL_LINK) 3170 mgmt_connect_failed(hdev, &conn->dst, conn->type, 3171 conn->dst_type, ev->status); 3172 } 3173 3174 if (conn->type == ACL_LINK) 3175 hci_sco_setup(conn, ev->status); 3176 3177 if (ev->status) { 3178 hci_connect_cfm(conn, ev->status); 3179 hci_conn_del(conn); 3180 } else if (ev->link_type == SCO_LINK) { 3181 switch (conn->setting & SCO_AIRMODE_MASK) { 3182 case SCO_AIRMODE_CVSD: 3183 if (hdev->notify) 3184 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD); 3185 break; 3186 } 3187 3188 hci_connect_cfm(conn, ev->status); 3189 } 3190 3191 unlock: 3192 hci_dev_unlock(hdev); 3193 3194 hci_conn_check_pending(hdev); 3195 } 3196
Hi Luiz, > Commit d5ebaa7c5f6f6 introduces checks for handle range > (e.g HCI_CONN_HANDLE_MAX) but controllers don't seem to respect the > valid range int case of error status: > >> HCI Event: Connect Complete (0x03) plen 11 > Status: Page Timeout (0x04) > Handle: 65535 > Address: 94:DB:56:XX:XX:XX (Sony Home Entertainment& > Sound Products Inc) > Link type: ACL (0x01) > Encryption: Disabled (0x00) > [1644965.827560] Bluetooth: hci0: Ignoring HCI_Connection_Complete for > invalid handle so the problem is that with BR/EDR the lookup is by BD_ADDR. I think the check for valid handle is wrong at the beginning of connect complete handler. The problem is really the fact the we trying a big hammer at the beginning. The hci_conn_add in case of auto-connect should validate status and handle. We are not even validating the status right now assuming we always get a status == 0 on auto-connect. The second handle validation should only occur if we have !status in the bottom half of that function. > Because of it is impossible to cleanup the connections properly since > the stack would attempt to cancel the connection which is no longer in > progress causing the following trace: > > < HCI Command: Create Connection Cancel (0x01|0x0008) plen 6 > Address: 94:DB:56:XX:XX:XX (Sony Home Entertainment& > Sound Products Inc) > = bluetoothd: src/profile.c:record_cb() Unable to get Hands-Free Voice > gateway SDP record: Connection timed out >> HCI Event: Command Complete (0x0e) plen 10 > Create Connection Cancel (0x01|0x0008) ncmd 1 > Status: Unknown Connection Identifier (0x02) > Address: 94:DB:56:XX:XX:XX (Sony Home Entertainment& > Sound Products Inc) > < HCI Command: Create Connection Cancel (0x01|0x0008) plen 6 > Address: 94:DB:56:XX:XX:XX (Sony Home Entertainment& > Sound Products Inc) Can we get details about which controller uses 0xffff instead of 0 for the handle? > > Fixes: d5ebaa7c5f6f6 ("Bluetooth: hci_event: Ignore multiple conn complete events") > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> > --- > net/bluetooth/hci_event.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c > index abaabfae19cc..1cc5a712459e 100644 > --- a/net/bluetooth/hci_event.c > +++ b/net/bluetooth/hci_event.c > @@ -3068,7 +3068,7 @@ static void hci_conn_complete_evt(struct hci_dev *hdev, void *data, > struct hci_ev_conn_complete *ev = data; > struct hci_conn *conn; > > - if (__le16_to_cpu(ev->handle) > HCI_CONN_HANDLE_MAX) { > + if (!status && __le16_to_cpu(ev->handle) > HCI_CONN_HANDLE_MAX) { > bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for invalid handle"); > return; > } See comments above. > @@ -4690,7 +4690,7 @@ static void hci_sync_conn_complete_evt(struct hci_dev *hdev, void *data, > return; > } > > - if (__le16_to_cpu(ev->handle) > HCI_CONN_HANDLE_MAX) { > + if (!status && __le16_to_cpu(ev->handle) > HCI_CONN_HANDLE_MAX) { > bt_dev_err(hdev, "Ignoring HCI_Sync_Conn_Complete for invalid handle"); > return; > } This is also in the wrong position. Fundamentally we need to check the validity of the handle before we assign it and not just globally. > @@ -5527,7 +5527,7 @@ static void le_conn_complete_evt(struct hci_dev *hdev, u8 status, > struct smp_irk *irk; > u8 addr_type; > > - if (handle > HCI_CONN_HANDLE_MAX) { > + if (!status && handle > HCI_CONN_HANDLE_MAX) { > bt_dev_err(hdev, "Ignoring HCI_LE_Connection_Complete for invalid handle"); > return; > } Same here. The global check is pointless. Check before using it. Regards Marcel
Hi Marcel, On Thu, Apr 21, 2022 at 8:57 AM Marcel Holtmann <marcel@holtmann.org> wrote: > > Hi Luiz, > > > Commit d5ebaa7c5f6f6 introduces checks for handle range > > (e.g HCI_CONN_HANDLE_MAX) but controllers don't seem to respect the > > valid range int case of error status: > > > >> HCI Event: Connect Complete (0x03) plen 11 > > Status: Page Timeout (0x04) > > Handle: 65535 > > Address: 94:DB:56:XX:XX:XX (Sony Home Entertainment& > > Sound Products Inc) > > Link type: ACL (0x01) > > Encryption: Disabled (0x00) > > [1644965.827560] Bluetooth: hci0: Ignoring HCI_Connection_Complete for > > invalid handle > > so the problem is that with BR/EDR the lookup is by BD_ADDR. I think the check for valid handle is wrong at the beginning of connect complete handler. > > The problem is really the fact the we trying a big hammer at the beginning. The hci_conn_add in case of auto-connect should validate status and handle. We are not even validating the status right now assuming we always get a status == 0 on auto-connect. Ive sent a separate patch addressing the use of hci_conn_add on error status, in some places we did it properly but others didn't so it would result in hci_conn object being created just to be freed later at the same function. > The second handle validation should only occur if we have !status in the bottom half of that function. Send a v2 checking the handle just before assigning it to hci_conn object. > > > Because of it is impossible to cleanup the connections properly since > > the stack would attempt to cancel the connection which is no longer in > > progress causing the following trace: > > > > < HCI Command: Create Connection Cancel (0x01|0x0008) plen 6 > > Address: 94:DB:56:XX:XX:XX (Sony Home Entertainment& > > Sound Products Inc) > > = bluetoothd: src/profile.c:record_cb() Unable to get Hands-Free Voice > > gateway SDP record: Connection timed out > >> HCI Event: Command Complete (0x0e) plen 10 > > Create Connection Cancel (0x01|0x0008) ncmd 1 > > Status: Unknown Connection Identifier (0x02) > > Address: 94:DB:56:XX:XX:XX (Sony Home Entertainment& > > Sound Products Inc) > > < HCI Command: Create Connection Cancel (0x01|0x0008) plen 6 > > Address: 94:DB:56:XX:XX:XX (Sony Home Entertainment& > > Sound Products Inc) > > Can we get details about which controller uses 0xffff instead of 0 for the handle? > > > > > Fixes: d5ebaa7c5f6f6 ("Bluetooth: hci_event: Ignore multiple conn complete events") > > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> > > --- > > net/bluetooth/hci_event.c | 6 +++--- > > 1 file changed, 3 insertions(+), 3 deletions(-) > > > > diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c > > index abaabfae19cc..1cc5a712459e 100644 > > --- a/net/bluetooth/hci_event.c > > +++ b/net/bluetooth/hci_event.c > > @@ -3068,7 +3068,7 @@ static void hci_conn_complete_evt(struct hci_dev *hdev, void *data, > > struct hci_ev_conn_complete *ev = data; > > struct hci_conn *conn; > > > > - if (__le16_to_cpu(ev->handle) > HCI_CONN_HANDLE_MAX) { > > + if (!status && __le16_to_cpu(ev->handle) > HCI_CONN_HANDLE_MAX) { > > bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for invalid handle"); > > return; > > } > > See comments above. > > > @@ -4690,7 +4690,7 @@ static void hci_sync_conn_complete_evt(struct hci_dev *hdev, void *data, > > return; > > } > > > > - if (__le16_to_cpu(ev->handle) > HCI_CONN_HANDLE_MAX) { > > + if (!status && __le16_to_cpu(ev->handle) > HCI_CONN_HANDLE_MAX) { > > bt_dev_err(hdev, "Ignoring HCI_Sync_Conn_Complete for invalid handle"); > > return; > > } > > This is also in the wrong position. Fundamentally we need to check the validity of the handle before we assign it and not just globally. > > > @@ -5527,7 +5527,7 @@ static void le_conn_complete_evt(struct hci_dev *hdev, u8 status, > > struct smp_irk *irk; > > u8 addr_type; > > > > - if (handle > HCI_CONN_HANDLE_MAX) { > > + if (!status && handle > HCI_CONN_HANDLE_MAX) { > > bt_dev_err(hdev, "Ignoring HCI_LE_Connection_Complete for invalid handle"); > > return; > > } > > Same here. The global check is pointless. Check before using it. > > Regards > > Marcel >
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c index abaabfae19cc..1cc5a712459e 100644 --- a/net/bluetooth/hci_event.c +++ b/net/bluetooth/hci_event.c @@ -3068,7 +3068,7 @@ static void hci_conn_complete_evt(struct hci_dev *hdev, void *data, struct hci_ev_conn_complete *ev = data; struct hci_conn *conn; - if (__le16_to_cpu(ev->handle) > HCI_CONN_HANDLE_MAX) { + if (!status && __le16_to_cpu(ev->handle) > HCI_CONN_HANDLE_MAX) { bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for invalid handle"); return; } @@ -4690,7 +4690,7 @@ static void hci_sync_conn_complete_evt(struct hci_dev *hdev, void *data, return; } - if (__le16_to_cpu(ev->handle) > HCI_CONN_HANDLE_MAX) { + if (!status && __le16_to_cpu(ev->handle) > HCI_CONN_HANDLE_MAX) { bt_dev_err(hdev, "Ignoring HCI_Sync_Conn_Complete for invalid handle"); return; } @@ -5527,7 +5527,7 @@ static void le_conn_complete_evt(struct hci_dev *hdev, u8 status, struct smp_irk *irk; u8 addr_type; - if (handle > HCI_CONN_HANDLE_MAX) { + if (!status && handle > HCI_CONN_HANDLE_MAX) { bt_dev_err(hdev, "Ignoring HCI_LE_Connection_Complete for invalid handle"); return; }