Message ID | 20240129114900.92919-2-verdre@v0yd.nl (mailing list archive) |
---|---|
State | Superseded |
Series | Adjust tests for sequential conn establishing | expand |
Context | Check | Description |
---|---|---|
tedd_an/pre-ci_am | success | Success |
tedd_an/CheckPatch | success | CheckPatch PASS |
tedd_an/GitLint | success | Gitlint PASS |
tedd_an/BuildEll | success | Build ELL PASS |
tedd_an/BluezMake | success | Bluez Make PASS |
tedd_an/MakeCheck | success | Bluez Make Check PASS |
tedd_an/MakeDistcheck | success | Make Distcheck PASS |
tedd_an/CheckValgrind | success | Check Valgrind PASS |
tedd_an/CheckSmatch | warning | CheckSparse WARNING emulator/btdev.c:420:29: warning: Variable length array is used. |
tedd_an/bluezmakeextell | success | Make External ELL PASS |
tedd_an/IncrementalBuild | success | Incremental Build PASS |
tedd_an/ScanBuild | warning | ScanBuild: emulator/btdev.c:1084:10: warning: Although the value stored to 'conn' is used in the enclosing expression, the value is never actually read from 'conn' while ((conn = queue_find(dev->conns, match_handle, ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ emulator/btdev.c:1363:24: warning: Access to field 'link' results in a dereference of a null pointer (loaded from variable 'conn') pending_conn_del(dev, conn->link->dev); ^~~~~~~~~~ emulator/btdev.c:1485:13: warning: Access to field 'dev' results in a dereference of a null pointer (loaded from variable 'conn') send_event(conn->dev, BT_HCI_EVT_AUTH_COMPLETE, &ev, sizeof(ev)); ^~~~~~~~~ 3 warnings generated. |
Hi Jonas, On Mon, Jan 29, 2024 at 6:49 AM Jonas Dreßler <verdre@v0yd.nl> wrote: > > In add_expect_hci_list() we iterate through the entries of the > expect_hci_list as long as there is an opcode, which means currently > this relies on overflowing the buffer to detect the end of the list. > > This is not great and when running with address sanitizer, the > out-of-bounds read gets detected and mgmt-tester aborts. Fix it by > adding a trailing 0-opcode to all those lists. > --- > tools/mgmt-tester.c | 21 +++++++++++++++++++++ > 1 file changed, 21 insertions(+) > > diff --git a/tools/mgmt-tester.c b/tools/mgmt-tester.c > index 7dfd1b0c7..ee12ed7d5 100644 > --- a/tools/mgmt-tester.c > +++ b/tools/mgmt-tester.c > @@ -8798,6 +8798,9 @@ static const struct hci_cmd_data multi_ext_adv_add_second_hci_cmds[] = { > .len = sizeof(le_set_ext_adv_enable_inst_2), > .param = le_set_ext_adv_enable_inst_2, > }, > + { > + .opcode = 0, > + }, Normally the compiler would put a NULL term when last member has ',', but we should either use {} to properly terminate the list or perhaps it would have been better to have a something like .expect_hci_list_len = ARRAY_SIZE(list) to ensure we never access past the end of the list. > }; > > static const struct generic_data multi_ext_advertising_add_second_2 = { > @@ -8845,6 +8848,9 @@ static const struct hci_cmd_data multi_ext_adv_remove_adv_hci_cmds[] = { > .len = sizeof(advertising_instance1_param), > .param = advertising_instance1_param, > }, > + { > + .opcode = 0, > + }, > }; > > static const struct generic_data multi_ext_advertising_remove = { > @@ -8877,6 +8883,9 @@ static const struct hci_cmd_data multi_ext_adv_remove_all_adv_hci_cmds[] = { > { > .opcode = BT_HCI_CMD_LE_CLEAR_ADV_SETS, > }, > + { > + .opcode = 0, > + }, > }; > > static const struct generic_data multi_ext_advertising_remove_all = { 
> @@ -8913,6 +8922,9 @@ static const struct hci_cmd_data multi_ext_adv_add_2_advs_hci_cmds[] = { > .len = sizeof(set_ext_adv_data_test1), > .param = set_ext_adv_data_test1, > }, > + { > + .opcode = 0, > + }, > }; > > static const struct generic_data multi_ext_advertising_add_no_power = { > @@ -10378,6 +10390,9 @@ static const struct hci_cmd_data ll_privacy_add_device_3_hci_list[] = { > .param = set_resolv_on_param, > .len = sizeof(set_resolv_on_param), > }, > + { > + .opcode = 0, > + }, > }; > > static const struct generic_data ll_privacy_add_device_3 = { > @@ -10495,6 +10510,9 @@ static const struct hci_cmd_data ll_privacy_add_device_9_hci_list[] = { > .len = sizeof(le_add_to_resolv_list_param), > .param = le_add_to_resolv_list_param > }, > + { > + .opcode = 0, > + }, > }; > > static const struct generic_data ll_privacy_add_device_9 = { > @@ -10823,6 +10841,9 @@ static const struct hci_cmd_data ll_privacy_set_device_flags_1_hci_list[] = { > .param = set_resolv_on_param, > .len = sizeof(set_resolv_on_param), > }, > + { > + .opcode = 0, > + }, > }; > > static const uint8_t device_flags_changed_params_1[] = { > -- > 2.43.0 >
This is automated email and please do not reply to this email! Dear submitter, Thank you for submitting the patches to the linux bluetooth mailing list. This is a CI test results with your patch series: PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=820846 ---Test result--- Test Summary: CheckPatch FAIL 1.60 seconds GitLint FAIL 1.10 seconds BuildEll PASS 23.92 seconds BluezMake PASS 715.16 seconds MakeCheck PASS 11.73 seconds MakeDistcheck PASS 163.35 seconds CheckValgrind PASS 226.37 seconds CheckSmatch WARNING 334.43 seconds bluezmakeextell PASS 109.33 seconds IncrementalBuild PASS 2785.53 seconds ScanBuild WARNING 941.74 seconds Details ############################## Test: CheckPatch - FAIL Desc: Run checkpatch.pl script Output: [BlueZ,2/4] mgmt-tester: Adjust a test for recent kernel changes WARNING:COMMIT_LOG_LONG_LINE: Possible unwrapped commit description (prefer a maximum 75 chars per line) #58: sequentially", https://lore.kernel.org/linux-bluetooth/20240108224614.56900-1-verdre@v0yd.nl/), /github/workspace/src/src/13535450.patch total: 0 errors, 1 warnings, 8 lines checked NOTE: For some of the reported defects, checkpatch may be able to mechanically convert to the typical style using --fix or --fix-inplace. /github/workspace/src/src/13535450.patch has style problems, please review. NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPDX_LICENSE_TAG SPLIT_STRING SSCANF_TO_KSTRTO NOTE: If any of the errors are false positives, please report them to the maintainer, see CHECKPATCH in MAINTAINERS. 
[BlueZ,3/4] emulator/btdev: Send page timeout after 2 secs delay WARNING:LONG_LINE: line length of 86 exceeds 80 columns #102: FILE: emulator/btdev.c:1322: + struct page_timeout_data *pt_data = new0(struct page_timeout_data, 1); WARNING:LINE_SPACING: Missing a blank line after declarations #103: FILE: emulator/btdev.c:1323: + struct page_timeout_data *pt_data = new0(struct page_timeout_data, 1); + pt_data->btdev = dev; /github/workspace/src/src/13535451.patch total: 0 errors, 2 warnings, 42 lines checked NOTE: For some of the reported defects, checkpatch may be able to mechanically convert to the typical style using --fix or --fix-inplace. /github/workspace/src/src/13535451.patch has style problems, please review. NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPDX_LICENSE_TAG SPLIT_STRING SSCANF_TO_KSTRTO NOTE: If any of the errors are false positives, please report them to the maintainer, see CHECKPATCH in MAINTAINERS. [BlueZ,4/4] mgmt-tester: Add a test for connecting sequentially WARNING:LONG_LINE: line length of 92 exceeds 80 columns #125: FILE: tools/mgmt-tester.c:12836: + if (pd_data->n_connect_failed_evts != pd_data->n_create_conn_commands - 1) { WARNING:LONG_LINE_COMMENT: line length of 93 exceeds 80 columns #143: FILE: tools/mgmt-tester.c:12854: + 0x31, 0xAB, 0xCD, 0x32, 0x34, 0x73, /* random bdaddr so we fail to connect */ /github/workspace/src/src/13535452.patch total: 0 errors, 2 warnings, 117 lines checked NOTE: For some of the reported defects, checkpatch may be able to mechanically convert to the typical style using --fix or --fix-inplace. /github/workspace/src/src/13535452.patch has style problems, please review. 
NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPDX_LICENSE_TAG SPLIT_STRING SSCANF_TO_KSTRTO NOTE: If any of the errors are false positives, please report them to the maintainer, see CHECKPATCH in MAINTAINERS. ############################## Test: GitLint - FAIL Desc: Run gitlint Output: [BlueZ,2/4] mgmt-tester: Adjust a test for recent kernel changes WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search 5: B1 Line exceeds max length (95>80): "sequentially", https://lore.kernel.org/linux-bluetooth/20240108224614.56900-1-verdre@v0yd.nl/)," ############################## Test: CheckSmatch - WARNING Desc: Run smatch tool with source Output: emulator/btdev.c:420:29: warning: Variable length array is used. ############################## Test: ScanBuild - WARNING Desc: Run Scan Build Output: emulator/btdev.c:1084:10: warning: Although the value stored to 'conn' is used in the enclosing expression, the value is never actually read from 'conn' while ((conn = queue_find(dev->conns, match_handle, ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ emulator/btdev.c:1363:24: warning: Access to field 'link' results in a dereference of a null pointer (loaded from variable 'conn') pending_conn_del(dev, conn->link->dev); ^~~~~~~~~~ emulator/btdev.c:1485:13: warning: Access to field 'dev' results in a dereference of a null pointer (loaded from variable 'conn') send_event(conn->dev, BT_HCI_EVT_AUTH_COMPLETE, &ev, sizeof(ev)); ^~~~~~~~~ 3 warnings generated. --- Regards, Linux Bluetooth
Hi Luiz, On 29.01.24 14:40, Luiz Augusto von Dentz wrote: > Hi Jonas, > > On Mon, Jan 29, 2024 at 6:49 AM Jonas Dreßler <verdre@v0yd.nl> wrote: >> >> In add_expect_hci_list() we iterate through the entries of the >> expect_hci_list as long as there is an opcode, which means currently >> this relies on overflowing the buffer to detect the end of the list. >> >> This is not great and when running with address sanitizer, the >> out-of-bounds read gets detected and mgmt-tester aborts. Fix it by >> adding a trailing 0-opcode to all those lists. >> --- >> tools/mgmt-tester.c | 21 +++++++++++++++++++++ >> 1 file changed, 21 insertions(+) >> >> diff --git a/tools/mgmt-tester.c b/tools/mgmt-tester.c >> index 7dfd1b0c7..ee12ed7d5 100644 >> --- a/tools/mgmt-tester.c >> +++ b/tools/mgmt-tester.c >> @@ -8798,6 +8798,9 @@ static const struct hci_cmd_data multi_ext_adv_add_second_hci_cmds[] = { >> .len = sizeof(le_set_ext_adv_enable_inst_2), >> .param = le_set_ext_adv_enable_inst_2, >> }, >> + { >> + .opcode = 0, >> + }, > > Normally the compiler would put a NULL term when last member has ',', > but we should either use {} to properly terminate the list or perhaps > it would have been better to have a something like > .expect_hci_list_len = ARRAY_SIZE(list) to ensure we never access past > the end of the list. Ahh good point, I'll add an {} entry to the lists instead. Yeah I also thought a bit about adding expect_hci_list_len, but decided against it because that could cause weird situations where the list is updated with a new HCI command but increasing the expect_hci_list_len is forgotten. Then we silently wouldn't test the new command, which seems to be a lot worse compared to a failing address sanitizer. Cheers, Jonas > >> }; >> >> static const struct generic_data multi_ext_advertising_add_second_2 = { 
>> @@ -8845,6 +8848,9 @@ static const struct hci_cmd_data multi_ext_adv_remove_adv_hci_cmds[] = { >> .len = sizeof(advertising_instance1_param), >> .param = advertising_instance1_param, >> }, >> + { >> + .opcode = 0, >> + }, >> }; >> >> static const struct generic_data multi_ext_advertising_remove = { >> @@ -8877,6 +8883,9 @@ static const struct hci_cmd_data multi_ext_adv_remove_all_adv_hci_cmds[] = { >> { >> .opcode = BT_HCI_CMD_LE_CLEAR_ADV_SETS, >> }, >> + { >> + .opcode = 0, >> + }, >> }; >> >> static const struct generic_data multi_ext_advertising_remove_all = { >> @@ -8913,6 +8922,9 @@ static const struct hci_cmd_data multi_ext_adv_add_2_advs_hci_cmds[] = { >> .len = sizeof(set_ext_adv_data_test1), >> .param = set_ext_adv_data_test1, >> }, >> + { >> + .opcode = 0, >> + }, >> }; >> >> static const struct generic_data multi_ext_advertising_add_no_power = { >> @@ -10378,6 +10390,9 @@ static const struct hci_cmd_data ll_privacy_add_device_3_hci_list[] = { >> .param = set_resolv_on_param, >> .len = sizeof(set_resolv_on_param), >> }, >> + { >> + .opcode = 0, >> + }, >> }; >> >> static const struct generic_data ll_privacy_add_device_3 = { >> @@ -10495,6 +10510,9 @@ static const struct hci_cmd_data ll_privacy_add_device_9_hci_list[] = { >> .len = sizeof(le_add_to_resolv_list_param), >> .param = le_add_to_resolv_list_param >> }, >> + { >> + .opcode = 0, >> + }, >> }; >> >> static const struct generic_data ll_privacy_add_device_9 = { >> @@ -10823,6 +10841,9 @@ static const struct hci_cmd_data ll_privacy_set_device_flags_1_hci_list[] = { >> .param = set_resolv_on_param, >> .len = sizeof(set_resolv_on_param), >> }, >> + { >> + .opcode = 0, >> + }, >> }; >> >> static const uint8_t device_flags_changed_params_1[] = { >> -- >> 2.43.0 >> > >
diff --git a/tools/mgmt-tester.c b/tools/mgmt-tester.c
index 7dfd1b0c7..ee12ed7d5 100644
--- a/tools/mgmt-tester.c
+++ b/tools/mgmt-tester.c
@@ -8798,6 +8798,9 @@ static const struct hci_cmd_data multi_ext_adv_add_second_hci_cmds[] = {
 .len = sizeof(le_set_ext_adv_enable_inst_2),
 .param = le_set_ext_adv_enable_inst_2,
 },
+ {
+ .opcode = 0,
+ },
 };
 
 static const struct generic_data multi_ext_advertising_add_second_2 = {
@@ -8845,6 +8848,9 @@ static const struct hci_cmd_data multi_ext_adv_remove_adv_hci_cmds[] = {
 .len = sizeof(advertising_instance1_param),
 .param = advertising_instance1_param,
 },
+ {
+ .opcode = 0,
+ },
 };
 
 static const struct generic_data multi_ext_advertising_remove = {
@@ -8877,6 +8883,9 @@ static const struct hci_cmd_data multi_ext_adv_remove_all_adv_hci_cmds[] = {
 {
 .opcode = BT_HCI_CMD_LE_CLEAR_ADV_SETS,
 },
+ {
+ .opcode = 0,
+ },
 };
 
 static const struct generic_data multi_ext_advertising_remove_all = {
@@ -8913,6 +8922,9 @@ static const struct hci_cmd_data multi_ext_adv_add_2_advs_hci_cmds[] = {
 .len = sizeof(set_ext_adv_data_test1),
 .param = set_ext_adv_data_test1,
 },
+ {
+ .opcode = 0,
+ },
 };
 
 static const struct generic_data multi_ext_advertising_add_no_power = {
@@ -10378,6 +10390,9 @@ static const struct hci_cmd_data ll_privacy_add_device_3_hci_list[] = {
 .param = set_resolv_on_param,
 .len = sizeof(set_resolv_on_param),
 },
+ {
+ .opcode = 0,
+ },
 };
 
 static const struct generic_data ll_privacy_add_device_3 = {
@@ -10495,6 +10510,9 @@ static const struct hci_cmd_data ll_privacy_add_device_9_hci_list[] = {
 .len = sizeof(le_add_to_resolv_list_param),
 .param = le_add_to_resolv_list_param
 },
+ {
+ .opcode = 0,
+ },
 };
 
 static const struct generic_data ll_privacy_add_device_9 = {
@@ -10823,6 +10841,9 @@ static const struct hci_cmd_data ll_privacy_set_device_flags_1_hci_list[] = {
 .param = set_resolv_on_param,
 .len = sizeof(set_resolv_on_param),
 },
+ {
+ .opcode = 0,
+ },
 };
 
 static const uint8_t device_flags_changed_params_1[] = {
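Review bot: The `{ .opcode = 0, }` entries added in these seven hunks act as a sentinel, but nothing at the insertion points says so, and the convention stays unenforced: a command appended after the terminator would presumably be skipped without notice, and a new list without one would reintroduce the out-of-bounds read the description mentions. I would label each terminator in all seven lists, from multi_ext_adv_add_second_hci_cmds to ll_privacy_set_device_flags_1_hci_list, with something like `/* sentinel: add_expect_hci_list() stops at opcode 0; keep last */`. The description says the over-read surfaced under address sanitizer, and Valgrind's Memcheck does not bounds-check static arrays, so a sanitizer-enabled run of mgmt-tester is probably the only automated check that would catch a missing terminator. Whether other hci_cmd_data lists in the file still lack one cannot be told from these hunks, since every array starts outside them.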