diff options
| author | Tamas Koczka <poprdi@google.com> | 2022-11-02 10:30:06 +0000 |
|---|---|---|
| committer | Dmitry Vyukov <dvyukov@google.com> | 2022-11-07 09:57:47 -0800 |
| commit | 6feb842be06bf94e4751c499cd8b4659974c6f03 (patch) | |
| tree | 1432308b34d4581248d39133a6758d341a47fc41 /executor/executor_bsd.h | |
| parent | a779b11a80536d17c6097a8169f009d6597a078e (diff) | |
executor: fix "wrong response packet" in BT fuzzing (#3493)
Problem: the BT initialization logic (`initialize_vhci()` in `common_linux.h`)
expected `HCI_VENDOR_PKT` to be sent first, but this is not always the case as
the kernel sends these two packets almost at the same time (both are sent as
the result of the `open("/dev/vhci", …)` call):
* syscall thread: `HCI_VENDOR_PKT` (in `__vhci_create_device`)
* `power_on` queue thread: `HCI_OP_RESET` (from `hci_reset_sync` <-
`hci_init1_sync` <- `hci_init_sync` <- `hci_dev_open_sync` <-
`hci_dev_do_open` <- `hci_power_on` <- `hdev->power_on` <- (worker queue)
<- `hci_register_dev` <- `__vhci_create_device`)
Solution: handle both `HCI_OP_RESET` and `HCI_VENDOR_PKT` packets in
`initialize_vhci`.
Also instead of waiting for the kernel to send `HCI_VENDOR_PKT` after 1 second,
we initiate the setup by sending `HCI_VENDOR_PKT` (request) to the kernel first.
Diffstat (limited to 'executor/executor_bsd.h')
0 files changed, 0 insertions, 0 deletions