
[BlueZ] mgmt-tester: Add a regression test hitting hci_sync bug

Message ID 482831b8629d9f4f98ef88c769371a03a872d1b7.1686859345.git.pav@iki.fi
State Accepted
Commit 19ce052d35d367005bfcf63461e43758301556f1
Series [BlueZ] mgmt-tester: Add a regression test hitting hci_sync bug

Checks

Context                      Check     Description
tedd_an/pre-ci_am            success   Success
tedd_an/CheckPatch           success   CheckPatch PASS
tedd_an/GitLint              success   Gitlint PASS
tedd_an/BuildEll             success   Build ELL PASS
tedd_an/BluezMake            success   Bluez Make PASS
tedd_an/MakeCheck            success   Bluez Make Check PASS
tedd_an/MakeDistcheck        success   Make Distcheck PASS
tedd_an/CheckValgrind        success   Check Valgrind PASS
tedd_an/CheckSmatch          success   CheckSparse PASS
tedd_an/bluezmakeextell      success   Make External ELL PASS
tedd_an/IncrementalBuild     success   Incremental Build PASS
tedd_an/ScanBuild            success   Scan Build PASS

Commit Message

Pauli Virtanen June 15, 2023, 8:02 p.m. UTC
Add a test "Add + Remove Device Nowait - Success" that hits a race
condition in kernel hci_sync.c.  On current kernels this causes

BUG: KASAN: slab-use-after-free in hci_update_passive_scan_sync+0x857/0x1230

due to unsafe iteration of hdev->pend_le_conns (in Linux <= 6.4-rc4).

This seems to hit the race condition also without the added emulator
delay (since the emulator runs in the same thread), but it's better to
add the delay since otherwise it'll depend on timings on the kernel side.
---
 tools/mgmt-tester.c | 49 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)
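The commit message attributes the KASAN splat to unsafe iteration of hdev->pend_le_conns while MGMT_OP_REMOVE_DEVICE frees an entry. The following is an added illustration, not BlueZ or kernel code: a small userspace model of that hazard class, with a list of pending LE connections that gets walked while the walk itself triggers removal of the entry being visited. The kernel race is concurrent; this model serialises the interleaving at the point the race would hit so the outcome is deterministic, and it "frees" nodes by poisoning them (a stand-in for what KASAN tracks) so a stale dereference is counted instead of being undefined behaviour. The names (hdev_model, pend_conn, conn_remove, walk_unsafe, walk_safe) are constructed for the example; the next-pointer-first walk shown as the safe variant addresses only in-loop removal, and a genuinely concurrent remover additionally needs the two paths serialised by a lock or by running on the same sync context.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CONNS  8
#define NODE_ALIVE 0xA11CE001u
#define NODE_FREED 0xDEADBEEFu	/* poison value standing in for KASAN's freed-object tracking */

/* Constructed model of a pending LE connection entry (not the kernel struct). */
struct pend_conn {
	uint32_t magic;
	uint8_t bdaddr[6];
	struct pend_conn *next;
};

struct hdev_model {
	struct pend_conn *pend_le_conns;	/* singly linked list of pending LE connections */
	struct pend_conn *freed[MAX_CONNS];	/* poisoned nodes kept mapped so stale reads are detectable */
	int nfreed;
	int uaf_reads;				/* dereferences of a poisoned node */
};

static struct pend_conn *conn_add(struct hdev_model *hdev, uint8_t last_octet)
{
	struct pend_conn *conn = calloc(1, sizeof(*conn));
	if (!conn)
		abort();
	conn->magic = NODE_ALIVE;
	conn->bdaddr[5] = last_octet;	/* constructed address; only the last octet varies */
	conn->next = hdev->pend_le_conns;
	hdev->pend_le_conns = conn;
	return conn;
}

/* Every dereference of a list node goes through here so poisoned reads are counted. */
static struct pend_conn *checked(struct hdev_model *hdev, struct pend_conn *conn)
{
	if (conn && conn->magic != NODE_ALIVE)
		hdev->uaf_reads++;
	return conn;
}

/* Model of the remove-device path: unlink the entry, then "free" it by poisoning. */
static void conn_remove(struct hdev_model *hdev, struct pend_conn *victim)
{
	struct pend_conn **pp;

	for (pp = &hdev->pend_le_conns; *pp; pp = &(*pp)->next) {
		if (*pp == victim) {
			*pp = victim->next;
			break;
		}
	}
	victim->magic = NODE_FREED;
	if (hdev->nfreed < MAX_CONNS)
		hdev->freed[hdev->nfreed++] = victim;
}

typedef void (*visit_fn)(struct hdev_model *hdev, struct pend_conn *conn);

/* Unsafe walk: conn->next is read after visit() may already have freed conn. */
static int walk_unsafe(struct hdev_model *hdev, visit_fn visit)
{
	int visited = 0;
	struct pend_conn *conn;

	for (conn = hdev->pend_le_conns; conn; conn = checked(hdev, conn)->next) {
		visit(hdev, conn);
		visited++;
	}
	return visited;
}

/* Safe walk for in-loop removal: fetch next before visiting, as list_for_each_entry_safe() does. */
static int walk_safe(struct hdev_model *hdev, visit_fn visit)
{
	int visited = 0;
	struct pend_conn *conn, *next;

	for (conn = hdev->pend_le_conns; conn; conn = next) {
		next = checked(hdev, conn)->next;
		visit(hdev, conn);
		visited++;
	}
	return visited;
}

/* Visitor standing in for the remove-device path interleaving with the scan update. */
static void remove_while_scanning(struct hdev_model *hdev, struct pend_conn *conn)
{
	conn_remove(hdev, conn);
}

/* Three pending connections, each removed during the walk; returns poisoned-memory reads. */
static int run_scenario(bool safe)
{
	struct hdev_model hdev;
	int i, reads;

	memset(&hdev, 0, sizeof(hdev));
	for (i = 1; i <= 3; i++)
		conn_add(&hdev, (uint8_t)i);

	if (safe)
		walk_safe(&hdev, remove_while_scanning);
	else
		walk_unsafe(&hdev, remove_while_scanning);

	reads = hdev.uaf_reads;
	for (i = 0; i < hdev.nfreed; i++)
		free(hdev.freed[i]);
	return reads;
}

int main(void)
{
	printf("unsafe walk: %d stale reads\n", run_scenario(false));
	printf("safe walk:   %d stale reads\n", run_scenario(true));
	return 0;
}
```

The unsafe walker reads the stale next pointer once per removed entry; in the model those reads still return the old neighbour, which is exactly why such a bug can stay silent until the slab memory is reused and KASAN is what makes it visible. The safe walker performs no stale reads because it captures the successor before handing the entry to code that may free it.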

Comments

bluez.test.bot@gmail.com June 15, 2023, 9:13 p.m. UTC | #1
This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=757622

---Test result---

Test Summary:
CheckPatch                    PASS      0.37 seconds
GitLint                       PASS      0.23 seconds
BuildEll                      PASS      27.33 seconds
BluezMake                     PASS      866.65 seconds
MakeCheck                     PASS      12.34 seconds
MakeDistcheck                 PASS      157.73 seconds
CheckValgrind                 PASS      256.24 seconds
CheckSmatch                   PASS      337.11 seconds
bluezmakeextell               PASS      100.92 seconds
IncrementalBuild              PASS      699.94 seconds
ScanBuild                     PASS      1061.65 seconds

---
Regards,
Linux Bluetooth
patchwork-bot+bluetooth@kernel.org July 5, 2023, 6 p.m. UTC | #2
Hello:

This patch was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Thu, 15 Jun 2023 23:02:51 +0300 you wrote:
> Add a test "Add + Remove Device Nowait - Success" that hits a race
> condition in kernel hci_sync.c.  On current kernels this causes
> 
> BUG: KASAN: slab-use-after-free in hci_update_passive_scan_sync+0x857/0x1230
> 
> due to unsafe iteration of hdev->pend_le_conns (in Linux <= 6.4-rc4).
> 
> [...]

Here is the summary with links:
  - [BlueZ] mgmt-tester: Add a regression test hitting hci_sync bug
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=19ce052d35d3

You are awesome, thank you!

Patch

diff --git a/tools/mgmt-tester.c b/tools/mgmt-tester.c
index b819bccbc..aec91fb41 100644
--- a/tools/mgmt-tester.c
+++ b/tools/mgmt-tester.c
@@ -4682,6 +4682,16 @@  static const struct generic_data remove_device_success_6 = {
 	.expect_status = MGMT_STATUS_SUCCESS,
 };
 
+static const struct generic_data add_remove_device_nowait = {
+	.setup_settings = settings_powered_le,
+	.expect_param = remove_device_param_2,
+	.expect_len = sizeof(remove_device_param_2),
+	.expect_status = MGMT_STATUS_SUCCESS,
+	.expect_alt_ev = MGMT_EV_DEVICE_REMOVED,
+	.expect_alt_ev_param = remove_device_param_2,
+	.expect_alt_ev_len = sizeof(remove_device_param_2),
+};
+
 static const struct generic_data read_adv_features_invalid_param_test = {
 	.send_opcode = MGMT_OP_READ_ADV_FEATURES,
 	.send_param = dummy_data,
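Review bot: the new add_remove_device_nowait block leaves .send_opcode and .send_param unset, unlike the surrounding remove_device_success_* entries, because test_add_remove_device_nowait issues both commands itself; a one-line comment above the struct saying so would save the next reader from looking for the missing sender. The same comment could state that .expect_param/.expect_status describe only the MGMT_OP_REMOVE_DEVICE reply and that the reply to MGMT_OP_ADD_DEVICE is not checked by this data.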
@@ -11460,6 +11470,41 @@  static void test_remove_device(const void *test_data)
 	test_add_condition(data);
 }
 
+static bool hook_delay_cmd(const void *data, uint16_t len, void *user_data)
+{
+	tester_print("Delaying emulator response...");
+	g_usleep(250000);
+	tester_print("Delaying emulator response... Done.");
+	return true;
+}
+
+static void test_add_remove_device_nowait(const void *test_data)
+{
+	struct test_data *data = tester_get_data();
+
+	/* Add and remove LE device with autoconnect without waiting for reply,
+	 * while delaying emulator response to better hit a race condition.
+	 * This shall not crash the kernel (but eg Linux 6.4-rc4 crashes).
+	 */
+
+	tester_print("Adding and removing a device");
+
+	test_add_condition(data);
+
+	hciemu_add_hook(data->hciemu, HCIEMU_HOOK_PRE_CMD,
+					BT_HCI_CMD_LE_ADD_TO_ACCEPT_LIST,
+					hook_delay_cmd, NULL);
+
+	mgmt_send_nowait(data->mgmt, MGMT_OP_ADD_DEVICE, data->mgmt_index,
+				sizeof(add_device_success_param_3),
+				add_device_success_param_3, NULL, NULL, NULL);
+
+	mgmt_send_nowait(data->mgmt, MGMT_OP_REMOVE_DEVICE, data->mgmt_index,
+				sizeof(remove_device_param_2),
+				remove_device_param_2,
+				command_generic_callback, NULL, NULL);
+}
+
 static void trigger_device_found(void *user_data)
 {
 	struct test_data *data = tester_get_data();
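Review bot: the MGMT_OP_ADD_DEVICE reply is discarded (NULL callback in the first mgmt_send_nowait), so if the add fails with a non-success status the test can still pass as long as the remove succeeds, and it would then silently stop exercising the race it is meant to cover; consider passing a callback that fails the test on a non-success status, or say in the comment why ignoring it is intended. Minor points: the 250000 in hook_delay_cmd deserves a named constant or a comment tying it to the window the commit message describes, the hook is never unregistered (fine if every test gets a fresh hciemu, but worth confirming), and "eg" in the comment should read "e.g.".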
@@ -13540,6 +13585,10 @@  int main(int argc, char *argv[])
 				&remove_device_success_6,
 				setup_add_device, test_remove_device);
 
+	test_le("Add + Remove Device Nowait - Success",
+				&add_remove_device_nowait,
+				NULL, test_add_remove_device_nowait);
+
 	test_bredrle("Read Advertising Features - Invalid parameters",
 				&read_adv_features_invalid_param_test,
 				NULL, test_command_generic);
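Review bot: the registration carries nothing that tells a future reader why this test exists; the only context is the commit message. Since a failure here shows up as a kernel KASAN splat or hang rather than a plain mgmt status mismatch, consider a short comment above the test_le() call referencing the hci_update_passive_scan_sync use-after-free on pend_le_conns iteration (Linux <= 6.4-rc4), so the test is not mistaken for a redundant variant of the "Remove Device" tests just above it.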