Add a test "Add + Remove Device Nowait - Success" that hits a race
condition in kernel hci_sync.c. On current kernels this causes
BUG: KASAN: slab-use-after-free in hci_update_passive_scan_sync+0x857/0x1230
due to unsafe iteration of hdev->pend_le_conns (in Linux <= 6.4-rc4).
This seems to hit the race condition also without the added emulator
delay (since the emulator runs in the same thread), but it's better to
add the delay since otherwise it'll depend on timings on kernel side.
---
tools/mgmt-tester.c | 49 +++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 49 insertions(+)
diff --git a/tools/mgmt-tester.c b/tools/mgmt-tester.c
index b819bccbc..aec91fb41 100644
--- a/tools/mgmt-tester.c
+++ b/tools/mgmt-tester.c
@@ -4682,6 +4682,16 @@ static const struct generic_data remove_device_success_6 = {
.expect_status = MGMT_STATUS_SUCCESS,
};
+static const struct generic_data add_remove_device_nowait = {
+ .setup_settings = settings_powered_le,
+ .expect_param = remove_device_param_2,
+ .expect_len = sizeof(remove_device_param_2),
+ .expect_status = MGMT_STATUS_SUCCESS,
+ .expect_alt_ev = MGMT_EV_DEVICE_REMOVED,
+ .expect_alt_ev_param = remove_device_param_2,
+ .expect_alt_ev_len = sizeof(remove_device_param_2),
+};
+
static const struct generic_data read_adv_features_invalid_param_test = {
.send_opcode = MGMT_OP_READ_ADV_FEATURES,
.send_param = dummy_data,
@@ -11460,6 +11470,41 @@ static void test_remove_device(const void *test_data)
test_add_condition(data);
}
+static bool hook_delay_cmd(const void *data, uint16_t len, void *user_data)
+{
+ tester_print("Delaying emulator response...");
+ g_usleep(250000);
+ tester_print("Delaying emulator response... Done.");
+ return true;
+}
+
+static void test_add_remove_device_nowait(const void *test_data)
+{
+ struct test_data *data = tester_get_data();
+
+ /* Add and remove LE device with autoconnect without waiting for reply,
+ * while delaying emulator response to better hit a race condition.
+ * This shall not crash the kernel (but eg Linux 6.4-rc4 crashes).
+ */
+
+ tester_print("Adding and removing a device");
+
+ test_add_condition(data);
+
+ hciemu_add_hook(data->hciemu, HCIEMU_HOOK_PRE_CMD,
+ BT_HCI_CMD_LE_ADD_TO_ACCEPT_LIST,
+ hook_delay_cmd, NULL);
+
+ mgmt_send_nowait(data->mgmt, MGMT_OP_ADD_DEVICE, data->mgmt_index,
+ sizeof(add_device_success_param_3),
+ add_device_success_param_3, NULL, NULL, NULL);
+
+ mgmt_send_nowait(data->mgmt, MGMT_OP_REMOVE_DEVICE, data->mgmt_index,
+ sizeof(remove_device_param_2),
+ remove_device_param_2,
+ command_generic_callback, NULL, NULL);
+}
+
static void trigger_device_found(void *user_data)
{
struct test_data *data = tester_get_data();
@@ -13540,6 +13585,10 @@ int main(int argc, char *argv[])
&remove_device_success_6,
setup_add_device, test_remove_device);
+ test_le("Add + Remove Device Nowait - Success",
+ &add_remove_device_nowait,
+ NULL, test_add_remove_device_nowait);
+
test_bredrle("Read Advertising Features - Invalid parameters",
&read_adv_features_invalid_param_test,
NULL, test_command_generic);
--
2.40.1
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=757622
---Test result---
Test Summary:
CheckPatch PASS 0.37 seconds
GitLint PASS 0.23 seconds
BuildEll PASS 27.33 seconds
BluezMake PASS 866.65 seconds
MakeCheck PASS 12.34 seconds
MakeDistcheck PASS 157.73 seconds
CheckValgrind PASS 256.24 seconds
CheckSmatch PASS 337.11 seconds
bluezmakeextell PASS 100.92 seconds
IncrementalBuild PASS 699.94 seconds
ScanBuild PASS 1061.65 seconds
---
Regards,
Linux Bluetooth
Hello:
This patch was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <[email protected]>:
On Thu, 15 Jun 2023 23:02:51 +0300 you wrote:
> Add a test "Add + Remove Device Nowait - Success" that hits a race
> condition in kernel hci_sync.c. On current kernels this causes
>
> BUG: KASAN: slab-use-after-free in hci_update_passive_scan_sync+0x857/0x1230
>
> due to unsafe iteration of hdev->pend_le_conns (in Linux <= 6.4-rc4).
>
> [...]
Here is the summary with links:
- [BlueZ] mgmt-tester: Add a regression test hitting hci_sync bug
https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=19ce052d35d3
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html