References: <20220607104015.2126118-1-poprdi@google.com>
From: Dmitry Vyukov
Date: Thu, 23 Jun 2022 11:18:25 +0200
Subject: Re: [PATCH v2] Bluetooth: Collect kcov coverage from hci_rx_work
To: Aleksandr Nogikh
Cc: Tamás Koczka, Marcel Holtmann, Johan Hedberg, Luiz Augusto von Dentz, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, linux-bluetooth, netdev, LKML, Andy Nguyen
X-Mailing-List: linux-bluetooth@vger.kernel.org

On Wed, 22 Jun 2022 at 12:20, Aleksandr Nogikh wrote:
>
> (Resending the reply I sent to the v1 of the patch. I sent it by
> mistake with HTML content, so it did not reach lore.)
>
> I checked out v5.18.1, applied this patch and fuzzed it with syzkaller
> for a day. The fuzzer was indeed able to find and report more coverage
> of the BT subsystem than without the patch.
>
> Tested-by: Aleksandr Nogikh
>
>
> On Tue, Jun 14, 2022 at 3:34 PM Tamás Koczka wrote:
> >
> > Hello Marcel,
> >
> > I hope this was the change you originally requested, and I did not
> > misunderstand anything, but if you need any additional modification to
> > the code or the commit, please feel free to let me know!
> >
> > Thank you,
> > Tamas
> >
> > On Tue, Jun 7, 2022 at 1:44 PM Tamás Koczka wrote:
> > >
> > > Hello Marcel,
> > >
> > > I added some comments into the code about what the kcov_remote calls do and
> > > why they were implemented and I also added some reasoning to the commit
> > > message.
> > >
> > > I did not mention in the commit but these functions only run if the kernel
> > > is compiled with CONFIG_KCOV.
> > >
> > > Thank you again for reviewing the patch!
> > >
> > > --
> > > Tamas
> > >
> > > On Tue, Jun 7, 2022 at 12:40 PM Tamas Koczka wrote:
> > > >
> > > > Annotate hci_rx_work() with kcov_remote_start() and kcov_remote_stop()
> > > > calls, so remote KCOV coverage is collected while processing the rx_q
> > > > queue which is the main incoming Bluetooth packet queue.
> > > >
> > > > Coverage is associated with the thread which created the packet skb.
> > > >
> > > > The collected extra coverage helps kernel fuzzing efforts in finding
> > > > vulnerabilities.
> > > >
> > > > Signed-off-by: Tamas Koczka
> > > > ---
> > > > Changelog since v1:
> > > > - add comment about why kcov_remote functions are called
> > > >
> > > > v1: https://lore.kernel.org/all/20220517094532.2729049-1-poprdi@google.com/
> > > >
> > > > net/bluetooth/hci_core.c | 10 +++++++++-
> > > > 1 file changed, 9 insertions(+), 1 deletion(-)
> > > >
> > > > diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
> > > > index 45c2dd2e1590..0af43844c55a 100644
> > > > --- a/net/bluetooth/hci_core.c
> > > > +++ b/net/bluetooth/hci_core.c
> > > > @@ -29,6 +29,7 @@
> > > > #include
> > > > #include
> > > > #include
> > > > +#include
> > > > #include
> > > > #include
> > > > #include
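Review bot: the header name on the `+#include` line did not survive in this copy of the hunk, so confirm the added include is the kcov header that declares `kcov_remote_start_common()` and `kcov_remote_stop()`, and that `skb_get_kcov_handle()` is already reachable through the existing skbuff include. No `CONFIG_KCOV` guard is needed around the include or the calls it enables, consistent with the note earlier in the thread that the kcov_remote functions only do work when the kernel is built with CONFIG_KCOV.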
> > > > @@ -3780,7 +3781,14 @@ static void hci_rx_work(struct work_struct *work)
> > > >
> > > > BT_DBG("%s", hdev->name);
> > > >
> > > > - while ((skb = skb_dequeue(&hdev->rx_q))) {
> > > > + /* The kcov_remote functions used for collecting packet parsing
> > > > + * coverage information from this background thread and associate
> > > > + * the coverage with the syscall's thread which originally injected
> > > > + * the packet. This helps fuzzing the kernel.
> > > > + */
> > > > + for (; (skb = skb_dequeue(&hdev->rx_q)); kcov_remote_stop()) {
> > > > + kcov_remote_start_common(skb_get_kcov_handle(skb));
> > > > +
> > > > /* Send copy to monitor */
> > > > hci_send_to_monitor(hdev, skb);

Looks good to me. Anything else needed to merge this patch?

Reviewed-by: Dmitry Vyukov
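Review bot: placing `kcov_remote_stop()` in the `for` increment clause guarantees the stop runs on normal fall-through and on every `continue` in the body, but not on a `break` out of the loop or an early `return` from hci_rx_work(); the rest of the loop body lies outside this hunk, so confirm it contains no such exit, otherwise the remote coverage section started by `kcov_remote_start_common(skb_get_kcov_handle(skb))` would be left open for that work item. The new comment also drops its verb: "The kcov_remote functions used for collecting" should read "The kcov_remote functions are used for collecting". Keeping the start at the top of the body and the stop in the loop header of the same statement is otherwise a tidy way to keep the pair balanced per skb.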