Re: Passive scanning of iBeacons results in a "Data Buffer Overflow"

Hi guys,

I'm having something similar to what Adam is reporting. I'm running on a BeagleBone Black, which uses a TI MUSB controller (I think it's different to the Raspberry Pi USB controller?).

I have USB Bluetooth receivers from two vendors.

One is a Cambridge Silicon Radio (0a12:0001) and the other is a Broadcom BCM20702A1 (0a5c:21e8). The Broadcom needs a RAM patch to behave slightly better, but that is outside the scope of this problem. BOTH exhibit the same problem (so I seriously doubt it's a problem with the Bluetooth receivers).

Both devices are operating in HCI mode. I'm running Ubuntu on my BeagleBone Black.

I've also built the latest version of BlueZ (5.15).

The problem is that when running an lescan (hcitool lescan) with an LE device in pairing mode, which is transmitting a lot of LE Advertising Report packets, the HCI driver eventually loses sync. I've traced it down to a duplicate USB fragment.

I've tested these USB receivers under Ubuntu on an Intel machine with the same BlueZ 5.15, and the problem is not present.

hcidump shows when things go crazy:

2014-03-08 06:32:12.111970 > HCI Event: LE Meta Event (0x3e) plen 33
    LE Advertising Report
      ADV_IND - Connectable undirected advertising (0)
      bdaddr E1:F9:7C:05:30:3C (Random)
      Flags: 0x05
      Complete local name: 'Scosche PROX'
      Unknown type 0x19 with 2 bytes data
      RSSI: -62
2014-03-08 06:32:12.163087 > HCI Event: Unknown (0x00) plen 2
  C7 3E
2014-03-08 06:32:12.163136 > HCI Event: Flow Specification Complete (0x21) plen 2
    status 0x01 handle 0x0000 flags 1 incoming
    Error: Unknown HCI Command
2014-03-08 06:32:12.192009 > HCI Event: Inquiry Complete (0x01) plen 60
    status 0x30
    Error: Parameter out of Mandatory Range
    05 7C F9 E1 15 02 01 05 0D 09 53 63 6F 73 63 68 65 20 50 52
    4F 58 03 19 00 02 C5 3E 21 02 01 00 01 3C 30 05 7C F9 E1 15
    02 01 05 0D 09 53 63 6F 73 63 68 65 20 50 52 4F 58 03 19
2014-03-08 06:32:12.218055 > HCI Event: Unknown (0x00) plen 2
  C5 3E

I added some code to btusb_intr_complete to print each urb as it comes up from the USB stack. Here's the output for the above problem. Note the extra "00 02 c7", which should not be there.

Mar  8 06:32:12 arm kernel: [  122.915094] hci1 urb df4a8540 status 0 count 16 flags 768
Mar  8 06:32:12 arm kernel: [  122.915176] hci1 urb contents:  3e 21 02 01 00 01 3c 30 05 7c f9 e1 15 02 01 05
Mar  8 06:32:12 arm kernel: [  122.916004] hci1 urb df4a8540 status 0 count 16 flags 768
Mar  8 06:32:12 arm kernel: [  122.916085] hci1 urb contents:  0d 09 53 63 6f 73 63 68 65 20 50 52 4f 58 03 19
Mar  8 06:32:12 arm kernel: [  122.916985] hci1 urb df4a8540 status 0 count 3 flags 768
Mar  8 06:32:12 arm kernel: [  122.917018] hci1 urb contents:  00 02 c2
Mar  8 06:32:12 arm kernel: [  122.942995] hci1 urb df4a8540 status 0 count 3 flags 768
Mar  8 06:32:12 arm kernel: [  122.943028] hci1 urb contents:  00 02 c7

I used usbmon to do a "sniff" of the USB traffic. Here's a snippet of a correct HCI LE Advertising Report event, followed by one where the middle fragment is repeated (frame 1300 is a repeat). This is a different capture from the above example. I can provide the pcap somewhere if needed.

No.     Time                       Source                Destination           Protocol Length Info
   1291 2014-03-07 02:40:16.942573 host                  3.1                   USB      64     URB_INTERRUPT in
   1292 2014-03-07 02:40:16.959480 3.1                   host                  HCI_USB  80     Rcvd Fragment
3e21020100013c30057cf9e115020105
   1293 2014-03-07 02:40:16.959624 host                  3.1                   USB      64     URB_INTERRUPT in
   1294 2014-03-07 02:40:16.960449 3.1                   host                  HCI_USB  80     Rcvd Fragment
0d0953636f736368652050524f580319
   1295 2014-03-07 02:40:16.960546 host                  3.1                   USB      64     URB_INTERRUPT in
   1296 2014-03-07 02:40:16.961455 3.1                   host                  HCI_EVT  67     Rcvd LE Meta (LE Advertising Report)
0002ae
   1297 2014-03-07 02:40:16.961560 host                  3.1                   USB      64     URB_INTERRUPT in
   1298 2014-03-07 02:40:16.981627 3.1                   host                  HCI_USB  80     Rcvd Fragment
3e21020100013c30057cf9e115020105
   1299 2014-03-07 02:40:16.981696 host                  3.1                   USB      64     URB_INTERRUPT in
   1300 2014-03-07 02:40:17.002651 3.1                   host                  HCI_USB  80     Rcvd Fragment
3e21020100013c30057cf9e115020105
   1301 2014-03-07 02:40:17.002720 host                  3.1                   USB      64     URB_INTERRUPT in
   1302 2014-03-07 02:40:17.003560 3.1                   host                  HCI_USB  80     Rcvd Fragment
0d0953636f736368652050524f580319
   1303 2014-03-07 02:40:17.003649 host                  3.1                   USB      64     URB_INTERRUPT in
   1304 2014-03-07 02:40:17.004567 3.1                   host                  HCI_USB  67     Rcvd Fragment
0002b5
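
The following is an added example for this thread, not code from the kernel's btusb driver or from BlueZ. It models, in a simplified way, how a USB HCI driver stitches interrupt-endpoint fragments back into HCI events using only the plen byte of the 2-byte event header, then decodes the result the way hcidump does. The fragment bytes are copied from the usbmon frames quoted above (frames 1292-1296 for the good sequence, frames 1298-1304 with the duplicated frame 1300 for the bad one); the reassembler, the decoder and the `analyse` helper are constructed for illustration. Running it shows the two consequences of a duplicated fragment: the completed event carries shifted bytes that fail the embedded-length checks, and the reassembler is left waiting for a bogus 111-byte event (code 0x63) it will never receive, which is the lost sync described in the message.

```python
"""Reassemble HCI events from USB interrupt-endpoint fragments and decode the result.

Added example for this thread, not code from the kernel's btusb driver or BlueZ.
Fragment bytes are copied from the usbmon frames quoted in the message
(frames 1292-1296, then 1298-1304 with the duplicated frame 1300);
the reassembler is a simplified model of how a USB HCI driver stitches them.
"""
from dataclasses import dataclass, field

EVT_HDR_LEN = 2            # HCI event header: event code + parameter length
HCI_EVT_LE_META = 0x3E
LE_ADVERTISING_REPORT = 0x02

# Fragments as they appear on the USB interrupt endpoint (copied from the capture)
FRAG_HEAD = bytes.fromhex("3e21020100013c30057cf9e115020105")
FRAG_MID = bytes.fromhex("0d0953636f736368652050524f580319")
GOOD_SEQUENCE = [FRAG_HEAD, FRAG_MID, bytes.fromhex("0002ae")]                   # frames 1292-1296
DUPLICATED_SEQUENCE = [FRAG_HEAD, FRAG_HEAD, FRAG_MID, bytes.fromhex("0002b5")]  # frames 1298-1304


@dataclass
class HciReassembler:
    """Collect fragments until the 'plen' byte of the 2-byte header is satisfied.

    Nothing but plen tells the driver where an event ends, so every fragment is
    trusted to continue the event in progress. A duplicated fragment therefore
    shifts all later bytes and leaves the stream misaligned.
    """
    buf: bytearray = field(default_factory=bytearray)
    events: list = field(default_factory=list)

    def feed(self, fragment: bytes) -> None:
        self.buf.extend(fragment)
        while len(self.buf) >= EVT_HDR_LEN:
            total = EVT_HDR_LEN + self.buf[1]
            if len(self.buf) < total:
                break                      # wait for more fragments
            self.events.append(bytes(self.buf[:total]))
            del self.buf[:total]


def decode_le_adv_report(event: bytes) -> dict:
    """Decode a single-report LE Advertising Report the way hcidump prints it.

    Every embedded length is cross-checked; a ValueError means the event must
    not be trusted (the check a consumer should apply before acting on it).
    """
    if len(event) < EVT_HDR_LEN or event[0] != HCI_EVT_LE_META:
        raise ValueError("not an LE Meta event")
    params = event[EVT_HDR_LEN:]
    if len(params) != event[1]:
        raise ValueError("plen %d != %d parameter bytes" % (event[1], len(params)))
    if params[0] != LE_ADVERTISING_REPORT or params[1] != 1:
        raise ValueError("unsupported subevent 0x%02x / report count %d" % (params[0], params[1]))
    bdaddr = ":".join("%02X" % b for b in reversed(params[4:10]))   # wire order is little-endian
    data_len = params[10]
    if len(params) != 11 + data_len + 1:
        raise ValueError("AD length %d inconsistent with plen %d" % (data_len, event[1]))
    data = params[11:11 + data_len]
    rssi = params[11 + data_len]
    rssi = rssi - 256 if rssi > 127 else rssi                       # signed 8-bit dBm
    ad, i = {}, 0
    while i < len(data):                                            # AD structures: len, type, value
        ad_len = data[i]
        if ad_len == 0 or i + 1 + ad_len > len(data):
            raise ValueError("malformed AD structure at offset %d" % i)
        ad[data[i + 1]] = bytes(data[i + 2:i + 1 + ad_len])
        i += 1 + ad_len
    return {"evt_type": params[2], "addr_type": params[3], "bdaddr": bdaddr,
            "ad": ad, "rssi": rssi}


def analyse(fragments) -> dict:
    """Run a fragment sequence through the reassembler and report what a consumer would see."""
    r = HciReassembler()
    for f in fragments:
        r.feed(f)
    decoded, rejected = [], []
    for ev in r.events:
        try:
            decoded.append(decode_le_adv_report(ev))
        except ValueError as e:
            rejected.append(str(e))
    # Bytes still buffered, and the (event code, plen) the reassembler is now waiting on
    pending = (r.buf[0], r.buf[1]) if len(r.buf) >= EVT_HDR_LEN else None
    return {"decoded": decoded, "rejected": rejected,
            "buffered": len(r.buf), "pending_header": pending}


if __name__ == "__main__":
    for name, seq in (("good", GOOD_SEQUENCE), ("duplicated", DUPLICATED_SEQUENCE)):
        print(name, analyse(seq))
```

The good sequence decodes to the Scosche PROX report (bdaddr E1:F9:7C:05:30:3C, flags 0x05, AD type 0x19 with two bytes, RSSI -82) with nothing left in the buffer. The duplicated sequence completes an event whose advertising data fails the AD-structure length check, and leaves 16 bytes buffered under a header of 0x63/0x6f, so every later real event is swallowed into that bogus one. The length cross-checks in the decoder are the cheap part a userspace consumer can always do; they do not repair the stream, but they prevent acting on a shifted event.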

