Received: by 2002:a5d:925a:0:0:0:0:0 with SMTP id e26csp1567655iol; Fri, 10 Jun 2022 10:01:36 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzz3Z58Rs1e6KHWC3cSn+eFkhQQEHyd4z+51qdqXx/PTM1s3icxaUqDeelFfpVKiVpi7f76 X-Received: by 2002:a63:86c3:0:b0:3fd:9c06:ee37 with SMTP id x186-20020a6386c3000000b003fd9c06ee37mr25939079pgd.357.1654880496017; Fri, 10 Jun 2022 10:01:36 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1654880496; cv=none; d=google.com; s=arc-20160816; b=DmeqsIENBMaTlfdY8qzSueQmhMcr+MlryWJbcwIOVEAwibeuXhybxVVj6Cf96P3AuU n8+eB+wusV6EeKQwL0B57PNtM/EZ/ce3OKohYVW/oRJ6PK0vfzouMZCS5zEQYxbPogSi PrEI3Y5pAxyU+bnyFsirXgUk6ug9lBFpWCDXiYwf49+/ingKQ4pzuSGsgmLxVINGRPwk HCbBDYu1JNGxBnmVypLwLB2mXIEYc1jMkMi7bDeqKM4XplqbzKCu9qTxW5mlAQm1sAuf erKrmUTj/+mC72MgSBGtaWgXRqMmYNSrWefKZ0BKSEN2K0PUUyaZkWY2HuPckQiE76aR XzIQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=8MXmjtpRfIxwcwc7y+xo5axaJXjza99CVzvE1CrLJRI=; b=DKZFs95ak+TuQXUYrsjs6YuR7W/lAlNS4GAUSSeeQkTIaH5eMPKxicSpj2UzsnL25+ 7fPrN673ApnbflrgBR8NYd+82BlxYb17ZNGQWrRJnCMom5E4X0uIF6lAArFNcIkE/J7M PoHU49MrnBjTE7q8nhUBIZw4Wn3S4exSilWknCA8IAJKHpxPBUsuxhhjsFAMqLA1IvVf 7wsGgHV7ZFqQLm0dAA/ZtxY5D4mn75xmN7tbvnI9/C2myIqTivIXWEuOsgBPvHFnhbss Rt+DTXJ3Ksip4nwtrhYuTeTKpQN1lw7sByZdWTtTv3h5JBK6iLEoa1cOrGOXMI7j2oAk BgRw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=bgt7SVNh; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id l22-20020a637016000000b003fc85b530cdsi32366492pgc.124.2022.06.10.10.01.12; Fri, 10 Jun 2022 10:01:35 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=bgt7SVNh; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1349925AbiFJQ4A (ORCPT + 99 others); Fri, 10 Jun 2022 12:56:00 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49812 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S245376AbiFJQz7 (ORCPT ); Fri, 10 Jun 2022 12:55:59 -0400 Received: from mail-yb1-xb2a.google.com (mail-yb1-xb2a.google.com [IPv6:2607:f8b0:4864:20::b2a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6CA112FE52 for ; Fri, 10 Jun 2022 09:55:58 -0700 (PDT) Received: by mail-yb1-xb2a.google.com with SMTP id w2so47947552ybi.7 for ; Fri, 10 Jun 2022 09:55:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=8MXmjtpRfIxwcwc7y+xo5axaJXjza99CVzvE1CrLJRI=; b=bgt7SVNh+TwNPxhgV3yb7XHMWJAo6MNucdlJ0caato+KCJi6CeiV2OVXzjQdYEeAVw +kqjmbExf7bhABraxQxguCsq9PY/7FdS/nippLpQas89j83fChYSA+Sv46EsnXBwiD57 sDhmQekh8sk2rvwQbc5gnkaNYX65G47bJL5Xy5JG0KngsDnOn46cCgxpHC0Hjm5SHWYV CBGOQYx0ksSl8gyNGafOHbxJTRTQc+C8rFJ6O8Fge1/h/aKpUibtUXywfXrbjp37hsog 16PrfqWPOOxzUdsgrbe6mjTcMFYwTLsICzTuYAKn2BVAE4bcRkun77+qB0Fj0Cs2IP1r IbUA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=8MXmjtpRfIxwcwc7y+xo5axaJXjza99CVzvE1CrLJRI=; b=dGFYaOgEjm6cMZlu8G4YrFrtFEJwb3fBfmhkvwpeuCyVS+NuJ6jeC10NBd4CTU7r/B mOIAJtJgjtxXfKrpZvo32CYcNTledptlgEQTTCi3voxQ3Fn13r5B2ANCOHJZVpMdhz/t 7QQDtJGzlGiToR37IpkEDh9Fnq+TAOzap2nGTAMnTEDPS8q7msgvvm5UkwpKVT6zdIh7 MMwO82UQ1n4wi0hrLblbPjtG9k5U/wbgojehAR5FNLz3Jb10beCkZpp0Td6PyGYDpeLH x/N4hGvBocP6D11pMU5IBos+tnfZNr6snZ5Fuat8+SR1Zpi35sbkJW9vIe590svdDK4l TDww== X-Gm-Message-State: AOAM531OIy2zOjXWZ6MtUUaUXNJi4RR/histUzBqsFrunUPBSpuX/RYS RilJZrfP4XouhkscadHuU0Q0I1RZeLFT51mxwp/UEg== X-Received: by 2002:a25:aa32:0:b0:65c:af6a:3502 with SMTP id s47-20020a25aa32000000b0065caf6a3502mr46009854ybi.598.1654880157232; Fri, 10 Jun 2022 09:55:57 -0700 (PDT) MIME-Version: 1.0 References: <20220610110749.110881-1-soenke.huster@eknoes.de> <9f214837-dc68-ef1a-0199-27d6af582115@eknoes.de> In-Reply-To: <9f214837-dc68-ef1a-0199-27d6af582115@eknoes.de> From: Eric Dumazet Date: Fri, 10 Jun 2022 09:55:45 -0700 Message-ID: Subject: Re: [PATCH v2] Bluetooth: RFCOMM: Use skb_trim to trim checksum To: =?UTF-8?Q?S=C3=B6nke_Huster?= Cc: Marcel Holtmann , Johan Hedberg , Luiz Augusto von Dentz , "David S. Miller" , Jakub Kicinski , Paolo Abeni , linux-bluetooth@vger.kernel.org, netdev , LKML Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org On Fri, Jun 10, 2022 at 8:35 AM S=C3=B6nke Huster = wrote: > > Hi Eric, > > On 10.06.22 15:59, Eric Dumazet wrote: > > On Fri, Jun 10, 2022 at 4:08 AM Soenke Huster = wrote: > >> > >> As skb->tail might be zero, it can underflow. This leads to a page > >> fault: skb_tail_pointer simply adds skb->tail (which is now MAX_UINT) > >> to skb->head. > >> > >> BUG: unable to handle page fault for address: ffffed1021de29ff > >> #PF: supervisor read access in kernel mode > >> #PF: error_code(0x0000) - not-present page > >> RIP: 0010:rfcomm_run+0x831/0x4040 (net/bluetooth/rfcomm/core.c:175= 1) > >> > >> By using skb_trim instead of the direct manipulation, skb->tail > >> is reset. Thus, the correct pointer to the checksum is used. > >> > >> Signed-off-by: Soenke Huster > >> --- > >> v2: Clarified how the bug triggers, minimize code change > >> > >> net/bluetooth/rfcomm/core.c | 2 +- > >> 1 file changed, 1 insertion(+), 1 deletion(-) > >> > >> diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c > >> index 7324764384b6..443b55edb3ab 100644 > >> --- a/net/bluetooth/rfcomm/core.c > >> +++ b/net/bluetooth/rfcomm/core.c > >> @@ -1747,7 +1747,7 @@ static struct rfcomm_session *rfcomm_recv_frame(= struct rfcomm_session *s, > >> type =3D __get_type(hdr->ctrl); > >> > >> /* Trim FCS */ > >> - skb->len--; skb->tail--; > >> + skb_trim(skb, skb->len - 1); > >> fcs =3D *(u8 *)skb_tail_pointer(skb); > >> > >> if (__check_fcs(skb->data, type, fcs)) { > >> -- > >> 2.36.1 > >> > > > > Again, I do not see how skb->tail could possibly zero at this point. > > > > If it was, skb with illegal layout has been queued in the first place, > > we need to fix the producer, not the consumer. > > > > Sorry, I thought that might be a right place as there is not much code in= the kernel > that manipulates ->tail directly. > > > A driver missed an skb_put() perhaps. > > > > I am using the (I guess quite unused) virtio_bt driver, and figured out t= hat the following > fixes the bug: > > --- a/drivers/bluetooth/virtio_bt.c > +++ b/drivers/bluetooth/virtio_bt.c > @@ -219,7 +219,7 @@ static void virtbt_rx_work(struct work_struct *work) > if (!skb) > return; > > - skb->len =3D len; > + skb_put(skb, len); Removing skb->len=3Dlen seems about right. But skb_put() should be done earlier. We are approaching the skb producer :) Now you have to find/check who added this illegal skb in the virt queue. Maybe virtbt_add_inbuf() ? Also there is kernel info leak I think. diff --git a/drivers/bluetooth/virtio_bt.c b/drivers/bluetooth/virtio_bt.c index 67c21263f9e0f250f0719b8e7f1fe15b0eba5ee0..c9b832c447ee451f027430b284d= 7bb246f6ecb24 100644 --- a/drivers/bluetooth/virtio_bt.c +++ b/drivers/bluetooth/virtio_bt.c @@ -37,6 +37,9 @@ static int virtbt_add_inbuf(struct virtio_bluetooth *vbt) if (!skb) return -ENOMEM; + skb_put(skb, 1000); + memset(skb->data, 0, 1000); + sg_init_one(sg, skb->data, 1000); err =3D virtqueue_add_inbuf(vq, sg, 1, skb, GFP_KERNEL); > virtbt_rx_handle(vbt, skb); > > if (virtbt_add_inbuf(vbt) < 0) > > I guess this is the root cause? I just used Bluetooth for a while in the = VM > and no error occurred, everything worked fine. > > > Can you please dump the skb here ? > > > > diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c > > index 7324764384b6773074032ad671777bf86bd3360e..358ccb4fe7214aea0bb4084= 188c7658316fe0ff7 > > 100644 > > --- a/net/bluetooth/rfcomm/core.c > > +++ b/net/bluetooth/rfcomm/core.c > > @@ -1746,6 +1746,11 @@ static struct rfcomm_session > > *rfcomm_recv_frame(struct rfcomm_session *s, > > dlci =3D __get_dlci(hdr->addr); > > type =3D __get_type(hdr->ctrl); > > > > + if (!skb->tail) { > > + DO_ONCE_LITE(skb_dump(KERN_ERR, skb, false)); > > + kfree_skb(skb); > > + return s; > > + } > > /* Trim FCS */ > > skb->len--; skb->tail--; > > fcs =3D *(u8 *)skb_tail_pointer(skb); > > If it might still help: > > skb len=3D4 headroom=3D9 headlen=3D4 tailroom=3D1728 > mac=3D(-1,-1) net=3D(0,-1) trans=3D-1 > shinfo(txflags=3D0 nr_frags=3D0 gso(size=3D0 type=3D0 segs=3D0)) > csum(0x0 ip_summed=3D0 complete_sw=3D0 valid=3D0 level=3D0) > hash(0x0 sw=3D0 l4=3D0) proto=3D0x0000 pkttype=3D0 iif=3D0 > skb linear: 00000000: 03 3f 01 1c >