Received-SPF: pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Date:   Wed, 5 Jul 2023 17:36:36 +0800
From:   joeyli <jlee@suse.com>
To:     Weiteng Chen <wchen130@ucr.edu>, Yu Hao <yhao016@ucr.edu>
Cc:     linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: How to reproduce the BUG general protection fault in
 hci_uart_tty_ioctl?
Message-ID: <20230705093636.GL5866@linux-l9pv.suse>
References: <20230628150140.GU21539@linux-l9pv.suse>
 <CA+UBctDPEvHdkHMwD340=n02rh+jNRJNNQ5LBZNA+Wm4Keh2ow@mail.gmail.com>
 <20230704030131.GY5866@linux-l9pv.suse>
 <191B9131-6E47-49B6-8089-108E2B12B9DC@ucr.edu>
 <20230705084148.GK5866@linux-l9pv.suse>
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <20230705084148.GK5866@linux-l9pv.suse>
User-Agent: Mutt/1.11.4 (2019-03-13)
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?B?a2cyb1Nid21zMkpLZVEzMStONmxFa1dySnV3QkFSR1VVdGVXandZdEcrL1Ir?=
 =?utf-8?B?SDNHbVpEd2JKWUtJOXZYbWkycDN5c0wvckQzVUhSNi9oTTF2eUtTQkpOd0ZQ?=
 =?utf-8?B?ckR3cGlFL1JzZ2MxMjhWL05XdnVkREowRVFmSmF1dk1FeXhSbGZTU0E1YTNG?=
 =?utf-8?B?WDRyYnhGUWFkSW14aE1ER0RDRmxwOExoUUVmdHlMZDFkL1Q4aUZKQ2UreWVE?=
 =?utf-8?B?TVZBM1llaTg2UlUxVHhhTU5qQ3RETTYyak9lY0IwOHZYc09OTCttSGdFRXI4?=
 =?utf-8?B?WEpoWUVQTUhIQjRIc2V3NUJoMEFxeWhYS3U2UHNmcUxQWGNjT1RiUFR0MjNx?=
 =?utf-8?B?RHRGQ003NHVieEIxL29ldWE4bGcyb2FKdms4d1hmWUtnVTBhckRxcnBvcmJL?=
 =?utf-8?B?eGgxVkp1Q0YwL3hFQ3VLUTJBZ3hNWlRRc21OV2tBdnhESGlPMFVnaWFNd1JX?=
 =?utf-8?B?amcvU2hBM3NzbUlORG8wcGs5Sk9tcEVkcEZBSksvaDdVdzBaSEx6MGlMNktS?=
 =?utf-8?B?RG1sN0xrV3lwRGtzK1ZTbXkwcmxwU2dXSDErNEI2RUMzaUJlaWVBbUxQcTA2?=
 =?utf-8?B?aW9ManVQT29HQW5MQ2NDTU9FMWUvanM0VkNFYVFSV3pHR3QzYlpzeVNRTUpM?=
 =?utf-8?B?TWZqcUlybytVak9GaHZndVROOWIwTUNlNWhmZHlxeGZHV1AvMWcrcklpNU5B?=
 =?utf-8?B?R1hxLy9kcWdaOU5jaHpsNEI2ek15bHJTRkZiK2dRMlhHMnpLajUwQnV2b2Vw?=
 =?utf-8?B?SHZ0THdYVFNvbGNkMiswaHpla3JJbk5ZVVJWYWlQb21oL2I1bnV5SEtkLzZP?=
 =?utf-8?B?NVVOcE9sUlpMc1VqWWJIY1NEbHNiaW1OVHI5cTJhL0Z5RHBBaGZpNE1uL0ZG?=
 =?utf-8?B?SkpYUmZFRnBYTjRYRTYwTGRPRVZWalNmeTlCekNaWCs3NWNWVzF1SCtRdGdK?=
 =?utf-8?B?eTd4U21zaGZNb1pHamZGZmdqYVc4M3c5K25ZT0hvY1RXNXpibklKZlVTbTFO?=
 =?utf-8?B?MXJkMXM2UnVYV2xBQklRUkpXd21FbGZFVm8zZFhDQkx6NWRXL2NpdjhNSmMz?=
 =?utf-8?B?RDlQb2dLY0t0cWxBZDRlRlVGTzhoZWczcHFZaHMrakFGVnRVUFloSUtPQnZt?=
 =?utf-8?B?TWpwODVQSlJRcWVXVi80OUg1REh5eFJvM3VwbDd2L3NqdC8vZnBqUElBcy9I?=
 =?utf-8?B?ZSt0SnBRR3JLKy9DV3FpdHpDQmR1ZG5QNzVCQkNMTmtRR3FWZWxyUlB4K2M5?=
 =?utf-8?B?aXUyeWhlNW51bUgrWlA0TVp5WEhpNVBycGtUY244VklBbTBlcUN3MnNUQlBL?=
 =?utf-8?B?cXpNckZneWFERmxrYStCTG9ESVUzZFZkNVI1ZXVRTjRHdG5ULzRmbGMvL0Qw?=
 =?utf-8?B?NUgvdXBmR2thYVRnNUlqczhDNzVzRkdNbmp6d09HSnZ2NStDSFRhczBzaW1K?=
 =?utf-8?B?L0hhRGVnMDdpeC9vRXBkQnhLNzNUNllsTHphRWJ4T29zTnhjTkozamRETE1y?=
 =?utf-8?B?Q2txWFBCdDFXWlJnTFhkbk5XNHpsWVlZSUNSVGMyUnBPUUdPRHErUEI1b3Y4?=
 =?utf-8?B?SHEwMy9wWlh3cDdzRWs3TmF6YzhKaDV2UHRQeDcvak8zQnFtcVR3REJoTHJY?=
 =?utf-8?B?T0dQRlUzWGRRSUlkTkY0RkMvaFJNOUVjaWJpQkZ1RW9vZFV2eHduRE9LWkVl?=
 =?utf-8?B?Tm81NVplLzFtZUUrZC9HeE1pVDUxcVlCaEQ5RlNNbnRQVjg2Z2FUaEgyUURj?=
 =?utf-8?B?MGUxYi81eHRiSjNtem1aQ0xWWVBJSEMyZnZOMUZSWnZVY2kva0sxZDU2NURL?=
 =?utf-8?B?S2t6SGU1RUlmbm5IRDhpUG93ZGhmenJqVFdCeDFraWVKMjBQM0dKbU5hTUJH?=
 =?utf-8?B?RHRDaXNUcXFDVjBHc2dJME5aeDVKZStkRjRCTmdTQUxUN1ZTT0RDNDc2OXF3?=
 =?utf-8?B?SitrUTg4ZUNoS3ZsQTBBRW54bndhQS8xemdlbkpxMGNmUjgvU1pUUXFUcGxu?=
 =?utf-8?B?WGVnSUN0blJBZ3BXY0g5aG9FS0dLalo0TmJvZ2NiWWcvUWI0a3QxN2Z6eXJa?=
 =?utf-8?B?ckRkV1ZjT2RwY3V0TG01V3Vkb0RXTzl5aUtGRXFYZEdGTGlPVmk5V0xEODJJ?=
 =?utf-8?Q?HCpE=3D?=
X-OriginatorOrg: suse.com
X-MS-Exchange-CrossTenant-Network-Message-Id: fef5162d-8889-4156-8d05-08db7d3b5aff
X-MS-Exchange-CrossTenant-AuthSource: DB8PR04MB7164.eurprd04.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 05 Jul 2023 09:36:48.7433
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: f7a17af6-1c5c-4a36-aa8b-f5be247aa4ba
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: i0/BPSip4EGYdZeNH3IZQcJiIC+fQxVfpuFZHb3rFslIc/tCR0tStZdbz086NNSI
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AS4PR04MB9623
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE,
        RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_PASS,T_SCC_BODY_TEXT_LINE,
        URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-bluetooth.vger.kernel.org>
X-Mailing-List: linux-bluetooth@vger.kernel.org

On Wed, Jul 05, 2023 at 04:41:48PM +0800, joeyli wrote:
> Hi Weiteng Chen, Yu Hao, 
> 
> On Mon, Jul 03, 2023 at 09:07:38PM -0700, Weiteng Chen wrote:
> > Hi Joey,
> > 
> > Sorry for my late response.
> > 
> > https://elixir.bootlin.com/linux/v6.3-rc7/source/drivers/bluetooth/hci_ldisc.c#L764
> > 
> > switch (cmd) {
> >         case HCIUARTSETPROTO:
> >                 if (!test_and_set_bit(HCI_UART_PROTO_SET, &hu->flags)) {
> >                         printk(“test_and_set_bit…”) // insert a prink to make the race easy to trigger
> >                         err = hci_uart_set_proto(hu, arg);
> >                         if (err)
> >                                 clear_bit(HCI_UART_PROTO_SET, &hu->flags);
> >                 } else
> >                         err = -EBUSY;
> >                 break;
> > 
> >         case HCIUARTGETPROTO:
> >                 if (test_bit(HCI_UART_PROTO_SET, &hu->flags))
> >                         err = hu->proto->id;  ←- null pointer deference
> >                 else
> >                         err = -EUNATCH;
> >                 break;
> > 
> > This is a race condition between HCIUARTSETPROTO and HCIUARTGETPROTO. HCI_UART_PROTO_SET is set before hu->proto is set and thus it may dereference a null pointer.
> > 
> > To easily trigger this bug, I inserted a prink in the source code so that the C producer can easily trigger the bug. Please let me know if you have any questions.
> > 
> 
> Thanks! I can reproduce the issue now. 
> 
> Weiteng, Yu Hao, do you have plan for sending patch to fix this problem?
> 
> Joey Lee

Looks that check HCI_UART_PROTO_READY is enough to avoid problem:

--- linux.orig/drivers/bluetooth/hci_ldisc.c
+++ linux/drivers/bluetooth/hci_ldisc.c
@@ -771,7 +771,7 @@ static int hci_uart_tty_ioctl(struct tty
                break;
 
        case HCIUARTGETPROTO:
-               if (test_bit(HCI_UART_PROTO_SET, &hu->flags))
+               if (test_bit(HCI_UART_PROTO_READY, &hu->flags))
                        err = hu->proto->id;
                else
                        err = -EUNATCH;

If you do not have plan to send patch, then I will send the above change.

Thanks
Joey Lee

> 
> 
> > Best,
> > Weiteng Chen
> > 
> > > On Jul 3, 2023, at 8:01 PM, joeyli <jlee@suse.com> wrote:
> > > 
> > > Hi,
> > > 
> > > On Wed, Jun 28, 2023 at 06:57:47PM -0700, Yu Hao wrote:
> > >> Hi Weiteng,
> > >> 
> > >> Could you give more info about the bug, e.g., kernel configuration,
> > >> qemu arguments.
> > >> 
> > > 
> > > Base on kernel code, looks that the HCIUARTSETPROTO and HCIUARTGETPROTO
> > > blocks in hci_uart_tty_ioctl() should use hci_uart->proto_lock. 
> > > 
> > > I have run the C reproducer a couple of days in qemu, but it did not
> > > reproduce issue until now.
> > > 
> > > Does anyone know how to reproduce this issue easily?
> > > 
> > > Thanks
> > > Joey Lee
> > >> 
> > >> On Wed, Jun 28, 2023 at 8:02 AM joeyli <jlee@suse.com> wrote:
> > >>> 
> > >>> Hi Yu Hao,
> > >>> 
> > >>> I am looking at your "BUG: general protection fault in hci_uart_tty_ioctl":
> > >>> 
> > >>> https://lore.kernel.org/all/CA+UBctC3p49aTgzbVgkSZ2+TQcqq4fPDO7yZitFT5uBPDeCO2g@mail.gmail.com/
> > >>> 
> > >>> I am trying the C reproducer in your URL, but it is not success yet:
> > >>> https://gist.github.com/ZHYfeng/a3e3ff2bdfea5ed5de5475f0b54d55cb
> > >>> 
> > >>> I am using v6.2 mainline kernel to run the C reproducer.
> > >>> 
> > >>> Could you please provide suggestions for how to reproduce this issue?
> > >>> And what is your qemu environment for reproducing issue?
> > >>> 
> > >>> Thanks a lot!
> > >>> Joey Lee