2023-07-26 21:31:07

by Pauli Virtanen

Subject: [PATCH BlueZ 0/5] Additional tests for ISO and hci_sync

This adds a few tests checking ISO socket handling of invalid input
parameters and cleanup in some race conditions:

ISO QoS CIG 0xF0 - Invalid
ISO QoS CIS 0xF0 - Invalid
ISO Connect2 CIG 0x01 - Success/Invalid
ISO AC 6(ii) CIS 0xEF/auto - Success
ISO AC 6(ii) CIS 0xEF/0xEF - Invalid
ISO Defer Close - Success
ISO Connect Close - Success
ISO Defer Wait Close - Success
ISO Connect Wait Close - Success

There's also one for a hci_sync race condition that triggers GPF:

eSCO Simultaneous Disconnect - Failure

I have a patch series fixing these, but it revisits the
HCI_CONN_DELETED flag, so some discussion may be needed.

These fail on current bluetooth-next/master, so it could make most sense
to wait for the fixes first.

Pauli Virtanen (5):
btdev: check error conditions for HCI_Create_Connection_Cancel
sco-tester: test local and remote disconnecting simultaneously
iso-tester: test with large CIS_ID and invalid CIG_ID/CIS_ID
iso-tester: add tests checking Remove CIG is emitted
btdev: fix Command Status command opcodes for Setup Sync Conn

emulator/btdev.c | 80 ++++++++++++++++++---
tools/iso-tester.c | 168 +++++++++++++++++++++++++++++++++++++++++++++
tools/sco-tester.c | 59 ++++++++++++++++
3 files changed, 297 insertions(+), 10 deletions(-)

--
2.41.0



2023-07-26 21:31:11

by Pauli Virtanen

Subject: [PATCH BlueZ 3/5] iso-tester: test with large CIS_ID and invalid CIG_ID/CIS_ID

Add a test with a large CIS_ID and multiple CIS so that it hits an error
condition in current kernels (which is why the AC configuration is
used).

Add tests for invalid configurations with bad or duplicate IDs, and for
trying to connect two CIS in same CIG without BT_DEFER_SETUP.

ISO QoS CIG 0xF0 - Invalid
ISO QoS CIS 0xF0 - Invalid
ISO Connect2 CIG 0x01 - Success/Invalid
ISO AC 6(ii) CIS 0xEF/auto - Success
ISO AC 6(ii) CIS 0xEF/0xEF - Invalid
---

Notes:
Current bluetooth-next/master fails these tests with

ISO QoS CIG 0xF0 - Invalid Timed out 2.301 seconds
ISO QoS CIS 0xF0 - Invalid Failed 0.117 seconds
ISO Connect2 CIG 0x01 - Success/Invalid Failed 0.189 seconds
ISO AC 6(ii) CIS 0xEF/auto - Success Failed 0.196 seconds

tools/iso-tester.c | 72 ++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 72 insertions(+)

diff --git a/tools/iso-tester.c b/tools/iso-tester.c
index 8f43d7bec..9f853a0f9 100644
--- a/tools/iso-tester.c
+++ b/tools/iso-tester.c
@@ -95,6 +95,10 @@
QOS_FULL(0x01, 0x02, \
{}, QOS_IO(_interval, _latency, _sdu, _phy, _rtn))

+#define QOS_OUT_1_EF(_interval, _latency, _sdu, _phy, _rtn) \
+ QOS_FULL(0x01, 0xEF, \
+ {}, QOS_IO(_interval, _latency, _sdu, _phy, _rtn))
+
#define QOS_IN(_interval, _latency, _sdu, _phy, _rtn) \
QOS_FULL(BT_ISO_QOS_CIG_UNSET, BT_ISO_QOS_CIS_UNSET, \
QOS_IO(_interval, _latency, _sdu, _phy, _rtn), {})
@@ -172,6 +176,7 @@
*/
#define AC_6ii_1 QOS_OUT_1(10000, 10, 40, 0x02, 2)
#define AC_6ii_2 QOS_OUT_1(10000, 10, 40, 0x02, 2)
+#define AC_6ii_1_EF QOS_OUT_1_EF(10000, 10, 40, 0x02, 2) /* different CIS ID */
/* Two unidirectional CISes. Unicast Server is Audio Sink and Audio Source.
* #1 - CIG 1 CIS 1 (input)
* #2 - CIG 1 CIS 2 (output)
@@ -801,6 +806,16 @@ static const struct iso_client_data connect_reject = {
.expect_err = -ENOSYS
};

+static const struct iso_client_data connect_cig_f0_invalid = {
+ .qos = QOS_FULL(0xF0, 0x00, {}, QOS_IO(10000, 10, 40, 0x02, 2)),
+ .expect_err = -EINVAL
+};
+
+static const struct iso_client_data connect_cis_f0_invalid = {
+ .qos = QOS_FULL(0x00, 0xF0, {}, QOS_IO(10000, 10, 40, 0x02, 2)),
+ .expect_err = -EINVAL
+};
+
static const uint8_t data_16_2_1[40] = { [0 ... 39] = 0xff };
static const struct iovec send_16_2_1 = {
.iov_base = (void *)data_16_2_1,
@@ -960,6 +975,22 @@ static const struct iso_client_data reconnect_ac_6ii = {
.disconnect = true,
};

+static const struct iso_client_data connect_ac_6ii_cis_ef_auto = {
+ .qos = AC_6ii_1_EF,
+ .qos_2 = AC_6ii_2,
+ .expect_err = 0,
+ .mconn = true,
+ .defer = true,
+};
+
+static const struct iso_client_data connect_ac_6ii_cis_ef_ef = {
+ .qos = AC_6ii_1_EF,
+ .qos_2 = AC_6ii_1_EF,
+ .expect_err = -EINVAL,
+ .mconn = true,
+ .defer = true,
+};
+
static const struct iso_client_data connect_ac_7i = {
.qos = AC_7i_1,
.qos_2 = AC_7i_2,
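Review bot: `connect_ac_6ii_cis_ef_ef` expects -EINVAL but the fixture does not say what makes it invalid; since `.qos` and `.qos_2` both expand to CIG 0x01 / CIS 0xEF, a comment such as `/* duplicate CIS_ID 0xEF within CIG 0x01 must be rejected */` would document the rule under test. For `connect_ac_6ii_cis_ef_auto`, the test name says "0xEF/auto" while `.qos_2 = AC_6ii_2` appears to pin the second CIS to CIS_ID 0x02 (judging by the `QOS_OUT_1` context lines at the top of this patch, whose `#define` line is not visible); either the name or a one-line comment should say which is intended.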
@@ -2371,6 +2402,29 @@ static void test_connect2_seq(const void *test_data)
setup_connect(data, 0, iso_connect2_seq_cb);
}

+static void test_connect2_nodefer(const void *test_data)
+{
+ struct test_data *data = tester_get_data();
+ int sk, err;
+
+ /* Second connect() shall fail, because CIG is then busy,
+ * but the first connect() shall succeed.
+ */
+ setup_connect(data, 0, iso_connect_cb);
+
+ sk = create_iso_sock(data);
+ if (sk < 0) {
+ tester_test_failed();
+ return;
+ }
+
+ err = connect_iso_sock(data, 1, sk);
+ if (err != -EINVAL)
+ tester_test_failed();
+
+ close(sk);
+}
+
static void test_bcast(const void *test_data)
{
struct test_data *data = tester_get_data();
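Review bot: When the second connect() does not return -EINVAL, `test_connect2_nodefer` fails without recording what it did return, which makes a regression hard to diagnose from the tester output; log it before failing, e.g. `if (err != -EINVAL) { tester_warn("second connect: unexpected error %d", err); tester_test_failed(); }` (assuming `tester_warn` from src/shared/tester.h is in scope here as in the other testers). The surrounding comment could also state that the first connect is still in flight when the second one is attempted, since that is what makes the CIG busy. `test_bcast` at the end of the hunk continues outside it.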
@@ -2518,6 +2572,12 @@ int main(int argc, char *argv[])
test_iso("ISO QoS - Invalid", &connect_invalid, setup_powered,
test_connect);

+ test_iso("ISO QoS CIG 0xF0 - Invalid", &connect_cig_f0_invalid,
+ setup_powered, test_connect);
+
+ test_iso("ISO QoS CIS 0xF0 - Invalid", &connect_cis_f0_invalid,
+ setup_powered, test_connect);
+
test_iso_rej("ISO Connect - Reject", &connect_reject, setup_powered,
test_connect, BT_HCI_ERR_CONN_FAILED_TO_ESTABLISH);

@@ -2545,6 +2605,10 @@ int main(int argc, char *argv[])
setup_powered,
test_connect2);

+ test_iso2("ISO Connect2 CIG 0x01 - Success/Invalid", &connect_1_16_2_1,
+ setup_powered,
+ test_connect2_nodefer);
+
test_iso("ISO Defer Send - Success", &connect_16_2_1_defer_send,
setup_powered,
test_connect);
@@ -2630,6 +2694,14 @@ int main(int argc, char *argv[])
setup_powered,
test_reconnect);

+ test_iso2("ISO AC 6(ii) CIS 0xEF/auto - Success",
+ &connect_ac_6ii_cis_ef_auto,
+ setup_powered, test_connect);
+
+ test_iso2("ISO AC 6(ii) CIS 0xEF/0xEF - Invalid",
+ &connect_ac_6ii_cis_ef_ef,
+ setup_powered, test_connect);
+
test_iso("ISO Broadcaster - Success", &bcast_16_2_1_send, setup_powered,
test_bcast);
test_iso("ISO Broadcaster Encrypted - Success", &bcast_enc_16_2_1_send,
--
2.41.0


2023-07-26 21:32:25

by Pauli Virtanen

Subject: [PATCH BlueZ 5/5] btdev: fix Command Status command opcodes for Setup Sync Conn

The command opcode should be the CMD, not EVT.
---
emulator/btdev.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/emulator/btdev.c b/emulator/btdev.c
index 0c75e71c0..2483a35c5 100644
--- a/emulator/btdev.c
+++ b/emulator/btdev.c
@@ -2681,7 +2681,7 @@ static int cmd_enhanced_setup_sync_conn(struct btdev *dev, const void *data,
if (cmd->tx_coding_format[0] > 5)
status = BT_HCI_ERR_INVALID_PARAMETERS;

- cmd_status(dev, status, BT_HCI_EVT_SYNC_CONN_COMPLETE);
+ cmd_status(dev, status, BT_HCI_CMD_ENHANCED_SETUP_SYNC_CONN);

return 0;
}
@@ -2727,7 +2727,7 @@ done:

static int cmd_setup_sync_conn(struct btdev *dev, const void *data, uint8_t len)
{
- cmd_status(dev, BT_HCI_ERR_SUCCESS, BT_HCI_EVT_SYNC_CONN_COMPLETE);
+ cmd_status(dev, BT_HCI_ERR_SUCCESS, BT_HCI_CMD_SETUP_SYNC_CONN);

return 0;
}
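Review bot: With the opcode corrected, `cmd_setup_sync_conn` still answers Command Status success for any payload: `data` and `len` are unused and nothing is validated, whereas `cmd_enhanced_setup_sync_conn` in the previous hunk rejects an invalid tx_coding_format. For an emulator whose tests exercise error paths, at least a length check, e.g. `if (len != sizeof(struct bt_hci_cmd_setup_sync_conn)) status = BT_HCI_ERR_INVALID_PARAMETERS;` feeding the `cmd_status()` call, would keep the two handlers consistent (struct name assumed from the naming convention of the monitor headers; verify). Whether btdev's dispatcher already checks the length before calling the handler is not visible here; if it does, a comment saying so would justify the unconditional success.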
--
2.41.0


2023-07-26 21:33:52

by Pauli Virtanen

Subject: [PATCH BlueZ 4/5] iso-tester: add tests checking Remove CIG is emitted

The kernel should send LE Remove CIG after all CIS are shut down. Add tests
checking this, closing either immediately or after waiting for the connection
to complete.

ISO Defer Close - Success
ISO Connect Close - Success
ISO Defer Wait Close - Success
ISO Connect Wait Close - Success
---
tools/iso-tester.c | 96 ++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 96 insertions(+)

diff --git a/tools/iso-tester.c b/tools/iso-tester.c
index 9f853a0f9..bbf959420 100644
--- a/tools/iso-tester.c
+++ b/tools/iso-tester.c
@@ -2425,6 +2425,90 @@ static void test_connect2_nodefer(const void *test_data)
close(sk);
}

+static gboolean iso_connect_close_cb(GIOChannel *io, GIOCondition cond,
+ gpointer user_data)
+{
+ struct test_data *data = user_data;
+
+ data->io_id[0] = 0;
+
+ tester_print("Disconnected");
+
+ --data->step;
+ if (!data->step)
+ tester_test_passed();
+
+ return FALSE;
+}
+
+static bool hook_remove_cig(const void *msg, uint16_t len, void *user_data)
+{
+ struct test_data *data = user_data;
+
+ tester_print("Remove CIG");
+
+ --data->step;
+ if (!data->step)
+ tester_test_passed();
+
+ return true;
+}
+
+static void test_connect_close(const void *test_data)
+{
+ struct test_data *data = tester_get_data();
+ int sk;
+ GIOChannel *io;
+
+ data->step = 2;
+
+ hciemu_add_hook(data->hciemu, HCIEMU_HOOK_PRE_CMD,
+ BT_HCI_CMD_LE_REMOVE_CIG,
+ hook_remove_cig, data);
+
+ sk = setup_sock(data, 0);
+ if (sk < 0)
+ return;
+
+ io = g_io_channel_unix_new(sk);
+ g_io_channel_set_close_on_unref(io, TRUE);
+ data->io_id[0] = g_io_add_watch(io, G_IO_HUP, iso_connect_close_cb,
+ data);
+
+ shutdown(sk, SHUT_RDWR);
+}
+
+static gboolean iso_connect_wait_close_cb(GIOChannel *io, GIOCondition cond,
+ gpointer user_data)
+{
+ struct test_data *data = tester_get_data();
+ int sk;
+
+ tester_print("Connected");
+
+ sk = g_io_channel_unix_get_fd(io);
+
+ data->io_id[0] = g_io_add_watch(io, G_IO_HUP, iso_connect_close_cb,
+ data);
+
+ shutdown(sk, SHUT_RDWR);
+
+ return FALSE;
+}
+
+static void test_connect_wait_close(const void *test_data)
+{
+ struct test_data *data = tester_get_data();
+
+ data->step = 1;
+
+ hciemu_add_hook(data->hciemu, HCIEMU_HOOK_PRE_CMD,
+ BT_HCI_CMD_LE_REMOVE_CIG,
+ hook_remove_cig, data);
+
+ setup_connect(data, 0, iso_connect_wait_close_cb);
+}
+
static void test_bcast(const void *test_data)
{
struct test_data *data = tester_get_data();
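Review bot: In `test_connect_close` the channel returned by `g_io_channel_unix_new()` is never released: the watch takes its own reference, so the initial reference (and, with close-on-unref set, the socket itself) is held until the process exits. Adding `g_io_channel_unref(io);` after the `g_io_add_watch()` call would match the usual tester pattern, if the rest of this file follows it (not visible in the hunk), and the HUP callback still receives a live channel. As a point of style, `iso_connect_wait_close_cb` fetches the test data with `tester_get_data()` while `iso_connect_close_cb` reads it from `user_data`; both are handed `data`, so using `user_data` in both keeps the callbacks uniform. `test_bcast` at the end of the hunk continues outside it.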
@@ -2601,6 +2685,18 @@ int main(int argc, char *argv[])
test_iso("ISO Defer Connect - Success", &defer_16_2_1, setup_powered,
test_connect);

+ test_iso("ISO Defer Close - Success", &defer_16_2_1, setup_powered,
+ test_connect_close);
+
+ test_iso("ISO Connect Close - Success", &connect_16_2_1, setup_powered,
+ test_connect_close);
+
+ test_iso("ISO Defer Wait Close - Success", &defer_16_2_1,
+ setup_powered, test_connect_wait_close);
+
+ test_iso("ISO Connect Wait Close - Success", &connect_16_2_1,
+ setup_powered, test_connect_wait_close);
+
test_iso2("ISO Defer Connect2 CIG 0x01 - Success", &defer_1_16_2_1,
setup_powered,
test_connect2);
--
2.41.0


2023-07-26 21:43:52

by Pauli Virtanen

Subject: [PATCH BlueZ 2/5] sco-tester: test local and remote disconnecting simultaneously

Demonstrate a kernel race condition when the remote side disconnects at the
same time as the local side tries to cancel the connection, i.e.

[controller] > HCI Synchronous Connect Complete
[controller] > HCI Disconnection Complete (from remote)
[user] shutdown(sco_socket)
[kernel] hci_conn_abort(SCO handle)
[kernel] > HCI Create Connection Cancel
[kernel] < HCI Synchronous Connect Complete
[kernel] < HCI Disconnect Complete
[controller] < HCI Create Connection Cancel
[controller] > HCI Command Status (Create Connection Cancel)
[kernel] < HCI Command Status (Create Connection Cancel)

and then we get BUG: KASAN: slab-use-after-free in hci_conn_failed when
hci_conn_abort tries to delete the same connection a second time.

This type of crash is probably not limited to the sequence here, but for
this one it was possible to get the timing right in the emulator.

Add a test that hits this in the emulator environment (pretty narrow
window to hit on real hardware):

eSCO Simultaneous Disconnect - Failure
---

Notes:
==================================================================
BUG: KASAN: slab-use-after-free in hci_conn_failed+0x25/0x190
Read of size 8 at addr ffff8880029e1958 by task kworker/u3:2/35

CPU: 0 PID: 35 Comm: kworker/u3:2 Not tainted 6.5.0-rc1-00520-gf57f797eebfe #152
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
<TASK>
print_report+0xce/0x620
? __virt_addr_valid+0xd8/0x160
? hci_conn_failed+0x25/0x190
kasan_report+0xd5/0x110
? hci_conn_failed+0x25/0x190
hci_conn_failed+0x25/0x190
hci_abort_conn_sync+0x23b/0x370
? __pfx_hci_abort_conn_sync+0x10/0x10
? __pfx_lock_acquire+0x10/0x10
? __pfx_abort_conn_sync+0x10/0x10
? __pfx_abort_conn_sync+0x10/0x10
hci_cmd_sync_work+0x125/0x200
process_one_work+0x4ee/0x8f0
? __pfx_process_one_work+0x10/0x10
? __kthread_parkme+0x5f/0xe0
? mark_held_locks+0x1a/0x90
worker_thread+0x8c/0x630
? __kthread_parkme+0xc5/0xe0
? __pfx_worker_thread+0x10/0x10
kthread+0x17c/0x1c0
? __pfx_kthread+0x10/0x10
ret_from_fork+0x2b/0x50
</TASK>

Allocated by task 31:
kasan_save_stack+0x33/0x60
kasan_set_track+0x24/0x30
__kasan_kmalloc+0x8f/0xa0
hci_conn_add+0xa8/0xad0
hci_connect_sco+0x1cf/0x6e0
sco_sock_connect+0x1a2/0x600
__sys_connect+0x1a2/0x1d0
__x64_sys_connect+0x3b/0x50
do_syscall_64+0x47/0x90
entry_SYSCALL_64_after_hwframe+0x6c/0xd6

Freed by task 32:
kasan_save_stack+0x33/0x60
kasan_set_track+0x24/0x30
kasan_save_free_info+0x2b/0x50
__kasan_slab_free+0xfa/0x150
__kmem_cache_free+0xab/0x200
device_release+0x58/0xf0
kobject_put+0xee/0x310
hci_disconn_complete_evt+0x276/0x3a0
hci_event_packet+0x54b/0x800
hci_rx_work+0x2a4/0xae0
process_one_work+0x4ee/0x8f0
worker_thread+0x8c/0x630
kthread+0x17c/0x1c0
ret_from_fork+0x2b/0x50

Last potentially related work creation:
kasan_save_stack+0x33/0x60
__kasan_record_aux_stack+0x94/0xa0
insert_work+0x2d/0x150
__queue_work+0x2f1/0x610
queue_delayed_work_on+0x88/0x90
sco_chan_del+0x117/0x230
sco_sock_shutdown+0x109/0x230
__sys_shutdown+0xb4/0x130
__x64_sys_shutdown+0x29/0x40
do_syscall_64+0x47/0x90
entry_SYSCALL_64_after_hwframe+0x6c/0xd6

The buggy address belongs to the object at ffff8880029e1000
which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 2392 bytes inside of
freed 4096-byte region [ffff8880029e1000, ffff8880029e2000)

The buggy address belongs to the physical page:
page:ffffea00000a7800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x29e0
head:ffffea00000a7800 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x4000000000010200(slab|head|zone=1)
page_type: 0xffffffff()
raw: 4000000000010200 ffff8880010424c0 ffffea0000063010 ffffea00000a8610
raw: 0000000000000000 0000000000020002 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8880029e1800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880029e1880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880029e1900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880029e1980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880029e1a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

tools/sco-tester.c | 59 ++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 59 insertions(+)

diff --git a/tools/sco-tester.c b/tools/sco-tester.c
index 44606328a..f3de42c7b 100644
--- a/tools/sco-tester.c
+++ b/tools/sco-tester.c
@@ -29,6 +29,7 @@

#include "src/shared/tester.h"
#include "src/shared/mgmt.h"
+#include "src/shared/util.h"

struct test_data {
const void *test_data;
@@ -37,6 +38,7 @@ struct test_data {
struct hciemu *hciemu;
enum hciemu_type hciemu_type;
unsigned int io_id;
+ int sk;
bool disable_esco;
bool enable_codecs;
};
@@ -225,6 +227,7 @@ static void test_data_free(void *test_data)
break; \
user->hciemu_type = HCIEMU_TYPE_BREDRLE; \
user->io_id = 0; \
+ user->sk = -1; \
user->test_data = data; \
user->disable_esco = _disable_esco; \
user->enable_codecs = _enable_codecs; \
@@ -250,6 +253,10 @@ static const struct sco_client_data connect_failure = {
.expect_err = EOPNOTSUPP
};

+static const struct sco_client_data connect_failure_reset = {
+ .expect_err = ECONNRESET
+};
+
const uint8_t data[] = {0, 1, 2, 3, 4, 5, 6, 7, 8};

static const struct sco_client_data connect_send_success = {
@@ -650,6 +657,8 @@ static void test_connect(const void *test_data)
return;
}

+ data->sk = sk;
+
io = g_io_channel_unix_new(sk);
g_io_channel_set_close_on_unref(io, TRUE);

@@ -745,6 +754,52 @@ static void test_connect_offload_msbc(const void *test_data)
end:
close(sk);
}
+
+static bool hook_simult_disc(const void *msg, uint16_t len, void *user_data)
+{
+ const struct bt_hci_evt_sync_conn_complete *ev = msg;
+ struct test_data *data = tester_get_data();
+ struct bthost *bthost;
+
+ tester_print("Simultaneous disconnect");
+
+ if (len != sizeof(struct bt_hci_evt_sync_conn_complete)) {
+ tester_test_failed();
+ return true;
+ }
+
+ /* Disconnect from local and remote sides at the same time */
+ bthost = hciemu_client_get_host(data->hciemu);
+ bthost_hci_disconnect(bthost, le16_to_cpu(ev->handle), 0x13);
+
+ shutdown(data->sk, SHUT_RDWR);
+
+ return true;
+}
+
+static bool hook_delay_cmd(const void *data, uint16_t len, void *user_data)
+{
+ tester_print("Delaying emulator response...");
+ g_usleep(250000);
+ tester_print("Delaying emulator response... Done.");
+ return true;
+}
+
+static void test_connect_simult_disc(const void *test_data)
+{
+ struct test_data *data = tester_get_data();
+
+ /* Kernel shall not crash, but <= 6.5-rc1 crash */
+ hciemu_add_hook(data->hciemu, HCIEMU_HOOK_POST_EVT,
+ BT_HCI_EVT_SYNC_CONN_COMPLETE,
+ hook_simult_disc, NULL);
+ hciemu_add_hook(data->hciemu, HCIEMU_HOOK_PRE_CMD,
+ BT_HCI_CMD_CREATE_CONN_CANCEL,
+ hook_delay_cmd, NULL);
+
+ test_connect(test_data);
+}
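Review bot: `hook_simult_disc` checks the event length but not `ev->status`; if the controller reported a failed Synchronous Connection Complete, `ev->handle` is not a valid handle and `bthost_hci_disconnect()` would be sent for a bogus one, so add `if (ev->status) { tester_test_failed(); return true; }` before the disconnect (the `status` field is assumed to precede `handle` in `struct bt_hci_evt_sync_conn_complete`, as in the BlueZ monitor headers; verify). The literal `0x13` passed as the reason deserves `/* 0x13: Remote User Terminated Connection */` or the corresponding BT_HCI_ERR_ constant if the included headers define one, and `g_usleep(250000)` in `hook_delay_cmd` is a timing-sensitive magic number that should be a named constant with a comment noting it blocks the emulator's main loop to widen the race window. The return value of `shutdown()` is also discarded; logging a failure there would tell the reader whether the local side actually took part in the race.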
+
int main(int argc, char *argv[])
{
tester_init(&argc, &argv);
@@ -767,6 +822,10 @@ int main(int argc, char *argv[])
test_sco("eSCO mSBC - Success", &connect_success, setup_powered,
test_connect_transp);

+ test_sco("eSCO Simultaneous Disconnect - Failure",
+ &connect_failure_reset, setup_powered,
+ test_connect_simult_disc);
+
test_sco_11("SCO CVSD 1.1 - Success", &connect_success, setup_powered,
test_connect);

--
2.41.0