From: Tamás Koczka
Date: Tue, 7 Jun 2022 13:44:24 +0200
Subject: Re: [PATCH v2] Bluetooth: Collect kcov coverage from hci_rx_work
To: Marcel Holtmann
Cc: Johan Hedberg, Luiz Augusto von Dentz, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, linux-bluetooth@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Andy Nguyen, Aleksandr Nogikh
References: <20220607104015.2126118-1-poprdi@google.com>
In-Reply-To: <20220607104015.2126118-1-poprdi@google.com>
List-ID: linux-kernel@vger.kernel.org

Hello Marcel,

I added some comments into the code about what the kcov_remote calls do and why they were implemented, and I also added some reasoning to the commit message. I did not mention it in the commit, but these functions only run if the kernel is compiled with CONFIG_KCOV.

Thank you again for reviewing the patch!

--
Tamas

On Tue, Jun 7, 2022 at 12:40 PM Tamas Koczka wrote:
>
> Annotate hci_rx_work() with kcov_remote_start() and kcov_remote_stop()
> calls, so remote KCOV coverage is collected while processing the rx_q
> queue which is the main incoming Bluetooth packet queue.
>
> Coverage is associated with the thread which created the packet skb.
>
> The collected extra coverage helps kernel fuzzing efforts in finding
> vulnerabilities.
>
> Signed-off-by: Tamas Koczka
> ---
> Changelog since v1:
> - add comment about why kcov_remote functions are called
>
> v1: https://lore.kernel.org/all/20220517094532.2729049-1-poprdi@google.com/
>
> net/bluetooth/hci_core.c | 10 +++++++++-
> 1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c > index 45c2dd2e1590..0af43844c55a 100644 > --- a/net/bluetooth/hci_core.c > +++ b/net/bluetooth/hci_core.c > @@ -29,6 +29,7 @@ > #include > #include > #include > +#include > #include > #include > #include 
> @@ -3780,7 +3781,14 @@ static void hci_rx_work(struct work_struct *work) > > BT_DBG("%s", hdev->name); > > - while ((skb = skb_dequeue(&hdev->rx_q))) { > + /* The kcov_remote functions used for collecting packet parsing > + * coverage information from this background thread and associate > + * the coverage with the syscall's thread which originally injected > + * the packet. This helps fuzzing the kernel. > + */ > + for (; (skb = skb_dequeue(&hdev->rx_q)); kcov_remote_stop()) { > + kcov_remote_start_common(skb_get_kcov_handle(skb)); > + > /* Send copy to monitor */ > hci_send_to_monitor(hdev, skb); > > -- > 2.36.1.255.ge46751e96f-goog >
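Review bot: in the hci_rx_work() hunk, placing kcov_remote_stop() in the for-loop increment expression ties the stop call to the loop header rather than to the body that kcov_remote_start_common() opens, so any early "break" or "return" inside the loop body (the rest of the body is not visible in this hunk and should be checked) would leave the remote coverage section open for that skb, and the pairing is easy to miss for a reader skimming the loop. A plainer form with kcov_remote_start_common(skb_get_kcov_handle(skb)) at the top of the body and a matching kcov_remote_stop() at its end, or at least a comment on the for-header explaining the pairing, would make the intent explicit. The new comment is also missing its verb: "The kcov_remote functions used for collecting packet parsing coverage information" should read "The kcov_remote functions are used for collecting ...", and the reply's point that these calls are no-ops without CONFIG_KCOV would be worth stating in the commit message rather than only in this thread.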