All of lore.kernel.org
 help / color / mirror / Atom feed
From: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
To: Tedd Ho-Jeong An <tedd.an@linux.intel.com>
Cc: "linux-bluetooth@vger.kernel.org" <linux-bluetooth@vger.kernel.org>
Subject: Re: [RFC 5/5] Bluetooth: hci_sync: Make use of hci_cmd_sync_queue set 3
Date: Tue, 1 Jun 2021 14:20:46 -0700	[thread overview]
Message-ID: <CABBYNZKpRcvm4JL2+oa=f_Vx=so03Mg+WmuLz48YQNQWeEos9w@mail.gmail.com> (raw)
In-Reply-To: <b86289bb96ba971ef5a26b6a255b094cc2d7ffdc.camel@linux.intel.com>

Hi Tedd,

On Tue, Jun 1, 2021 at 1:24 PM Tedd Ho-Jeong An <tedd.an@linux.intel.com> wrote:
>
> Hi Luiz,
>
> On Thu, 2021-05-27 at 17:01 -0700, Luiz Augusto von Dentz wrote:
> > From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> >
> > This make use of hci_cmd_sync_queue for the following MGMT commands:
> >
> >     Add Device
> >     Remove Device
> >
> > Tested with:
> >
> > mgmt-tester -s "Add Device"
> >
> > Test Summary
> > ------------
> > Add Device - Invalid Params 1                        Passed       0.017 seconds
> > Add Device - Invalid Params 2                        Passed       0.013 seconds
> > Add Device - Invalid Params 3                        Passed       0.013 seconds
> > Add Device - Invalid Params 4                        Passed       0.013 seconds
> > Add Device - Success 1                               Passed       0.014 seconds
> > Add Device - Success 2                               Passed       0.014 seconds
> > Add Device - Success 3                               Passed       0.014 seconds
> > Add Device - Success 4                               Passed       0.017 seconds
> > Add Device - Success 5                               Passed       0.017 seconds
> > Total: 9, Passed: 9 (100.0%), Failed: 0, Not Run: 0
> > Overall execution time: 0.14 seconds
> >
> > mgmt-tester -s "Remove Device"
> >
> > Test Summary
> > ------------
> > Remove Device - Invalid Params 1                     Passed       0.153 seconds
> > Remove Device - Invalid Params 2                     Passed       0.014 seconds
> > Remove Device - Invalid Params 3                     Passed       0.013 seconds
> > Remove Device - Success 1                            Passed       0.016 seconds
> > Remove Device - Success 2                            Passed       0.017 seconds
> > Remove Device - Success 3                            Passed       1.022 seconds
> > Remove Device - Success 4                            Passed       1.021 seconds
> > Remove Device - Success 5                            Passed       1.022 seconds
> > Total: 8, Passed: 8 (100.0%), Failed: 0, Not Run: 0
> > Overall execution time: 3.29 seconds
> >
> > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> > ---
> >  net/bluetooth/hci_sync.c | 606 ++++++++++++++++++++++++++++++++++++++-
> >  net/bluetooth/hci_sync.h |   2 +
> >  net/bluetooth/mgmt.c     |  19 +-
> >  3 files changed, 622 insertions(+), 5 deletions(-)
> >
>
> While running new test cases for checking LL Privacy (submitted the series to mailing list),
> some test cases caused the kernel oops:
>
> general protection fault, probably for non-canonical address 0xdead000000000116: 0000 [#1] PTI
> CPU: 0 PID: 113 Comm: kworker/u3:2 Not tainted 5.12.0-g01861ba6bbe9-dirty #11
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-2.fc32 04/01/2014
> Workqueue: hci0 hci_cmd_sync_work
> RIP: 0010:hci_passive_scan_sync.part.0+0xed/0x820
> Code: 7c 24 13 00 75 12 48 8b 85 00 10 00 00 48 0f ba e0 29 0f 83 97 02 00 00 80 44 24 1e 01 4d 8b 3f 4c 39 3c 24 0f 84 25 01 00 00 <41> 0f b6 57 16 4d 8d 67 10 4c 89 ef 4c 89 e6 e8 2f 95 fb ff 41 0f
> RSP: 0018:ffffad9400187dc8 EFLAGS: 00010202
> RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
> RDX: ffff8d0a01850ca8 RSI: ffff8d0a0186a210 RDI: ffff8d0a01850000
> RBP: ffff8d0a01850000 R08: ffff8d0a01803ae6 R09: 0000000000004ffb
> R10: 0000000078563412 R11: 3fffffffffffffff R12: ffff8d0a0186a210
> R13: ffff8d0a01850cf8 R14: ffff8d0a01850d08 R15: dead000000000100
> FS:  0000000000000000(0000) GS:ffffffff87846000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000558641956130 CR3: 00000000018a2000 CR4: 00000000000006f0
> Call Trace:
>  ? unblock_device+0xe0/0xe0
>  hci_update_background_scan_sync+0x268/0x310
>  hci_cmd_sync_work+0x91/0xe0
>  process_one_work+0x19d/0x2f0
>  worker_thread+0x5a/0x3b0
>  ? rescuer_thread+0x330/0x330
>  kthread+0x108/0x120
>  ? __kthread_create_worker+0xf0/0xf0
>  ret_from_fork+0x22/0x30
> ---[ end trace efd7eab9e13c521e ]---
> RIP: 0010:hci_passive_scan_sync.part.0+0xed/0x820
> Code: 7c 24 13 00 75 12 48 8b 85 00 10 00 00 48 0f ba e0 29 0f 83 97 02 00 00 80 44 24 1e 01 4d 8b 3f 4c 39 3c 24 0f 84 25 01 00 00 <41> 0f b6 57 16 4d 8d 67 10 4c 89 ef 4c 89 e6 e8 2f 95 fb ff 41 0f
> RSP: 0018:ffffad9400187dc8 EFLAGS: 00010202
> RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
> RDX: ffff8d0a01850ca8 RSI: ffff8d0a0186a210 RDI: ffff8d0a01850000
> RBP: ffff8d0a01850000 R08: ffff8d0a01803ae6 R09: 0000000000004ffb
> R10: 0000000078563412 R11: 3fffffffffffffff R12: ffff8d0a0186a210
> R13: ffff8d0a01850cf8 R14: ffff8d0a01850d08 R15: dead000000000100
> FS:  0000000000000000(0000) GS:ffffffff87846000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000558641956130 CR3: 00000000018a2000 CR4: 00000000000006f0

Remove Device - Success 7 - Remove from whitelist - setup complete
Remove Device - Success 7 - Remove from whitelist - run
  Registering Device Removed notification
  Test condition added, total 1
  Registering HCI command callback
  Test condition added, total 2
  Sending Remove Device (0x0034)
  Test condition added, total 3
  Remove Device (0x0034): Success (0x00)
  Test condition complete, 2 left
  New Device Removed event received
  Test condition complete, 1 left
  HCI Command 0x2042 length 6
[   58.818744] ==================================================================
[   58.819253] BUG: KASAN: use-after-free in
hci_passive_scan_sync.part.0+0x52e/0xaf0
[   58.819833] Read of size 6 at addr ffff8880019bca10 by task kworker/u3:0/49
[   58.820305]
[   58.820584]
[   58.820708] Allocated by task 92:
[   58.820979]
[   58.821092] Freed by task 93:
[   58.821345]
[   58.821489] The buggy address belongs to the object at ffff8880019bca00
[   58.821489]  which belongs to the cache kmalloc-32 of size 32
[   58.822488] The buggy address is located 16 bytes inside of
[   58.822488]  32-byte region [ffff8880019bca00, ffff8880019bca20)
[   58.823363] The buggy address belongs to the page:
[   58.823773]
[   58.823881] Memory state around the buggy address:
[   58.824215]  ffff8880019bc900: fb fb fb fb fc fc fc fc fa fb fb fb
fc fc fc fc
[   58.824771]  ffff8880019bc980: 00 00 00 00 fc fc fc fc fb fb fb fb
fc fc fc fc
[   58.825275] >ffff8880019bca00: fa fb fb fb fc fc fc fc fa fb fb fb
fc fc fc fc
[   58.825884]                          ^
[   58.826169]  ffff8880019bca80: fb fb fb fb fc fc fc fc fb fb fb fb
fc fc fc fc
[   58.826790]  ffff8880019bcb00: fb fb fb fb fc fc fc fc fb fb fb fb
fc fc fc fc
[   58.827330] ==================================================================
  HCI Command 0x2012 length 7
  Test condition complete, 0 left

Btw, it is a good idea to enable KSAN when testing, Im afraid this
might be related to hdev_lock.

>
> However, it is not seen on the current bluetooth-next tree.
>
> Regards,
>
> Tedd
>


-- 
Luiz Augusto von Dentz

  reply	other threads:[~2021-06-01 21:20 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-05-28  0:01 [RFC 1/5] Bluetooth: Add helper for serialized HCI command execution Luiz Augusto von Dentz
2021-05-28  0:01 ` [RFC 2/5] Bluetooth: eir: Move EIR/Adv Data functions to its own file Luiz Augusto von Dentz
2021-05-28  0:01 ` [RFC 3/5] Bluetooth: hci_sync: Make use of hci_cmd_sync_queue set 1 Luiz Augusto von Dentz
2021-05-28  0:01 ` [RFC 4/5] Bluetooth: hci_sync: Make use of hci_cmd_sync_queue set 2 Luiz Augusto von Dentz
2021-05-28  0:01 ` [RFC 5/5] Bluetooth: hci_sync: Make use of hci_cmd_sync_queue set 3 Luiz Augusto von Dentz
2021-05-28  2:54   ` kernel test robot
2021-06-01 20:24   ` Tedd Ho-Jeong An
2021-06-01 21:20     ` Luiz Augusto von Dentz [this message]
2021-06-01 21:56       ` Luiz Augusto von Dentz

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CABBYNZKpRcvm4JL2+oa=f_Vx=so03Mg+WmuLz48YQNQWeEos9w@mail.gmail.com' \
    --to=luiz.dentz@gmail.com \
    --cc=linux-bluetooth@vger.kernel.org \
    --cc=tedd.an@linux.intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.