[PATCH 3.10 32/43] Bluetooth: Fix HCI H5 corrupted ack value

From: Greg Kroah-Hartman
Date: Mon Oct 27 2014 - 23:53:17 EST


3.10-stable review patch. If anyone has any objections, please let me know.

------------------

From: Loic Poulain <loic.poulain@xxxxxxxxx>

commit 4807b51895dce8aa650ebebc51fa4a795ed6b8b8 upstream.

In this expression: seq = (seq - 1) % 8
seq (u8) is implicitly converted to an int in the arithmetic operation.
So if seq value is 0, operation is ((0 - 1) % 8) => (-1 % 8) => -1.
The new seq value is 0xff which is an invalid ACK value, we expect 0x07.
It leads to frequent dropped ACK and retransmission.
Fix this by using '&' binary operator instead of '%'.

Signed-off-by: Loic Poulain <loic.poulain@xxxxxxxxx>
Signed-off-by: Marcel Holtmann <marcel@xxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
drivers/bluetooth/hci_h5.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/bluetooth/hci_h5.c
+++ b/drivers/bluetooth/hci_h5.c
@@ -237,7 +237,7 @@ static void h5_pkt_cull(struct h5 *h5)
break;

to_remove--;
- seq = (seq - 1) % 8;
+ seq = (seq - 1) & 0x07;
}

if (seq != h5->rx_ack)


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/