netdev.vger.kernel.org archive mirror
From: "Tamás Koczka" <poprdi@google.com>
To: Marcel Holtmann <marcel@holtmann.org>
Cc: Johan Hedberg <johan.hedberg@gmail.com>,
	Luiz Augusto von Dentz <luiz.dentz@gmail.com>,
	"David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	linux-bluetooth@vger.kernel.org, netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org, Andy Nguyen <theflow@google.com>,
	Aleksandr Nogikh <nogikh@google.com>
Subject: Re: [PATCH v2] Bluetooth: Collect kcov coverage from hci_rx_work
Date: Tue, 14 Jun 2022 15:34:25 +0200	[thread overview]
Message-ID: <CAPUC6b+xMnk8VDGv_7p9j4GHD75FrxG3hWKpTSF2zHj508=x9A@mail.gmail.com> (raw)
In-Reply-To: <CAPUC6bJbVMPn1FMLYnXg2GUX4ikesMSRjj=oPOOrS5H2DOx_bA@mail.gmail.com>

Hello Marcel,

I hope this was the change you originally requested, and I did not
misunderstand anything, but if you need any additional modification to
the code or the commit, please feel free to let me know!

Thank you,
Tamas

On Tue, Jun 7, 2022 at 1:44 PM Tamás Koczka <poprdi@google.com> wrote:
>
> Hello Marcel,
>
> I added some comments into the code about what the kcov_remote calls do and
> why they were implemented and I also added some reasoning to the commit
> message.
>
> I did not mention it in the commit, but these functions only run if the kernel
> is compiled with CONFIG_KCOV.
>
> Thank you again for reviewing the patch!
>
> --
> Tamas
>
> On Tue, Jun 7, 2022 at 12:40 PM Tamas Koczka <poprdi@google.com> wrote:
> >
> > Annotate hci_rx_work() with kcov_remote_start() and kcov_remote_stop()
> > calls, so remote KCOV coverage is collected while processing the rx_q
> > queue which is the main incoming Bluetooth packet queue.
> >
> > Coverage is associated with the thread which created the packet skb.
> >
> > The collected extra coverage helps kernel fuzzing efforts in finding
> > vulnerabilities.
> >
> > Signed-off-by: Tamas Koczka <poprdi@google.com>
> > ---
> > Changelog since v1:
> >  - add comment about why kcov_remote functions are called
> >
> > v1: https://lore.kernel.org/all/20220517094532.2729049-1-poprdi@google.com/
> >
> >  net/bluetooth/hci_core.c | 10 +++++++++-
> >  1 file changed, 9 insertions(+), 1 deletion(-)
> >
> > diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
> > index 45c2dd2e1590..0af43844c55a 100644
> > --- a/net/bluetooth/hci_core.c
> > +++ b/net/bluetooth/hci_core.c
> > @@ -29,6 +29,7 @@
> >  #include <linux/rfkill.h>
> >  #include <linux/debugfs.h>
> >  #include <linux/crypto.h>
> > +#include <linux/kcov.h>
> >  #include <linux/property.h>
> >  #include <linux/suspend.h>
> >  #include <linux/wait.h>
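Review bot: no CONFIG_KCOV guard is needed around this include or the calls it enables, since linux/kcov.h carries inline no-op versions of kcov_remote_start_common() and kcov_remote_stop() for builds without CONFIG_KCOV, but the commit message should say so (the author's 7 June reply does, the patch text does not), so that a reader of a production config knows the loop gains no runtime work. The include lands in the alphabetical slot between crypto.h and property.h, so nothing to change in the placement.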
> > @@ -3780,7 +3781,14 @@ static void hci_rx_work(struct work_struct *work)
> >
> >         BT_DBG("%s", hdev->name);
> >
> > -       while ((skb = skb_dequeue(&hdev->rx_q))) {
> > +       /* The kcov_remote functions used for collecting packet parsing
> > +        * coverage information from this background thread and associate
> > +        * the coverage with the syscall's thread which originally injected
> > +        * the packet. This helps fuzzing the kernel.
> > +        */
> > +       for (; (skb = skb_dequeue(&hdev->rx_q)); kcov_remote_stop()) {
> > +               kcov_remote_start_common(skb_get_kcov_handle(skb));
> > +
> >                 /* Send copy to monitor */
> >                 hci_send_to_monitor(hdev, skb);
> >
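Review bot: the new comment has a grammar slip ("The kcov_remote functions used for collecting" is missing its verb) and omits the two facts a reader of this loop will ask about; suggest: "The kcov_remote functions collect packet-parsing coverage from this background worker and associate it with the task whose syscall injected the packet (the skb carries that task's kcov handle). They are no-ops without CONFIG_KCOV." On the loop shape, putting kcov_remote_stop() in the for increment is what keeps every kcov_remote_start_common() paired with a stop across the `continue` paths in the body, but a `break` or `return` added to the body later would leave a remote section open; one sentence in the comment stating that the pairing relies on the body never leaving the loop early would protect that invariant.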
> > --
> > 2.36.1.255.ge46751e96f-goog
> >
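
The commit message says the coverage is attributed to the thread that created the skb; the part a fuzzer author still needs is the user-space side that hands out that handle and reads the result back. What follows is an added example, not code from the patch, the kernel tree or syzkaller: a C harness that enables KCOV in remote mode with a common handle, creates a vhci adapter, injects one constructed HCI event from the KCOV-enabled task while the adapter is in its init window, and prints the PCs that hci_rx_work() attributed back to the task. The kcov and Bluetooth constants are copied from the kernel UAPI so the file builds without kernel headers; the instance id 0x42, the 200 ms waits and the device paths are assumptions made for the example.

```c
/* Added example (not code from the patch, the kernel tree or syzkaller):
 * user-space consumer of the remote coverage hci_rx_work() emits once it is
 * annotated as above. Kernel-facing constants mirror include/uapi/linux/kcov.h
 * and the Bluetooth UAPI; they are redefined so this builds without kernel
 * headers. Needs root on a CONFIG_KCOV=y kernel with the hci_vhci driver. */
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <unistd.h>

struct kcov_remote_arg {        /* layout of include/uapi/linux/kcov.h */
	uint32_t trace_mode;    /* KCOV_TRACE_PC */
	uint32_t area_size;     /* 64-bit words in the mmap'd area */
	uint32_t num_handles;   /* subsystem handles in handles[]; none here */
	uint64_t common_handle; /* what kcov_remote_start_common() looks up */
	uint64_t handles[];
};
#define KCOV_INIT_TRACE       _IOR('c', 1, unsigned long)
#define KCOV_DISABLE          _IO('c', 101)
#define KCOV_REMOTE_ENABLE    _IOW('c', 102, struct kcov_remote_arg)
#define KCOV_TRACE_PC         0
#define KCOV_SUBSYSTEM_COMMON (0x00ull << 56)
#define KCOV_SUBSYSTEM_MASK   (0xffull << 56)
#define KCOV_INSTANCE_MASK    0xffffffffull
#define COVER_WORDS           (64 << 10)
#define HCI_VENDOR_PKT        0xff   /* /dev/vhci packet-type bytes */
#define HCI_EVENT_PKT         0x04
#define HCI_PRIMARY           0x00   /* adapter type requested from vhci */

/* Same encoding as the UAPI kcov_remote_handle(): subsystem in the top byte,
 * instance in the low 32 bits; 0 means the combination is invalid. */
static uint64_t remote_handle(uint64_t subsys, uint64_t inst)
{
	if ((subsys & ~KCOV_SUBSYSTEM_MASK) || (inst & ~KCOV_INSTANCE_MASK))
		return 0;
	return subsys | inst;
}

/* Frame an HCI event for /dev/vhci: type byte, event code, parameter length,
 * parameters. Returns the frame length, 0 if it does not fit in out. */
static size_t frame_vhci_event(uint8_t *out, size_t cap, uint8_t evt,
			       const uint8_t *params, uint8_t plen)
{
	if (cap < 3u + plen)
		return 0;
	out[0] = HCI_EVENT_PKT;
	out[1] = evt;
	out[2] = plen;
	memcpy(out + 3, params, plen);
	return 3u + plen;
}

static void die(const char *what) { perror(what); exit(1); }

int main(void)
{
	/* 1. KCOV in remote mode. From here on every skb this task allocates
	 *    carries common_handle (skb_set_kcov_handle() in __alloc_skb()),
	 *    and that is the value hci_rx_work() passes to
	 *    kcov_remote_start_common(). Instance 0x42 is an arbitrary pick. */
	int kcov = open("/dev/kcov", O_RDWR);
	if (kcov < 0) die("open /dev/kcov");
	if (ioctl(kcov, KCOV_INIT_TRACE, COVER_WORDS)) die("KCOV_INIT_TRACE");
	uint64_t *cover = mmap(NULL, COVER_WORDS * sizeof(uint64_t),
			       PROT_READ | PROT_WRITE, MAP_SHARED, kcov, 0);
	if (cover == MAP_FAILED) die("mmap");
	struct kcov_remote_arg arg = {
		.trace_mode = KCOV_TRACE_PC, .area_size = COVER_WORDS,
		.common_handle = remote_handle(KCOV_SUBSYSTEM_COMMON, 0x42),
	};
	if (ioctl(kcov, KCOV_REMOTE_ENABLE, &arg)) die("KCOV_REMOTE_ENABLE");

	/* 2. Virtual adapter. The vendor packet registers it at once and the
	 *    driver answers {0xff, 0x00, id_lo, id_hi}. Registration queues the
	 *    adapter's power_on work, which sets HCI_INIT and starts the init
	 *    sequence; while HCI_INIT is set hci_recv_frame() queues our frames
	 *    and hci_rx_work() still parses event packets. Nobody answers the
	 *    init commands here, so that window closes at the init timeout. */
	int vhci = open("/dev/vhci", O_RDWR);
	if (vhci < 0) die("open /dev/vhci");
	uint8_t vendor[2] = { HCI_VENDOR_PKT, HCI_PRIMARY }, reply[4];
	if (write(vhci, vendor, 2) != 2 || read(vhci, reply, 4) != 4) die("vhci setup");
	fprintf(stderr, "hci%u registered\n", (unsigned)(reply[2] | reply[3] << 8));
	usleep(200000);

	/* 3. Inject one constructed event, Command Complete for HCI_Reset,
	 *    from the KCOV-enabled task, then let the workqueue run. */
	static const uint8_t params[] = { 0x01, 0x03, 0x0c, 0x00 };
	uint8_t pkt[16];
	size_t len = frame_vhci_event(pkt, sizeof(pkt), 0x0e, params, sizeof(params));
	__atomic_store_n(&cover[0], 0, __ATOMIC_RELAXED);
	if (write(vhci, pkt, len) != (ssize_t)len) die("write event");
	usleep(200000);

	/* 4. cover[0] counts PCs; kcov_remote_stop() in the worker copied its
	 *    section into this area. */
	uint64_t n = __atomic_load_n(&cover[0], __ATOMIC_RELAXED);
	if (n > COVER_WORDS - 1) n = COVER_WORDS - 1;
	for (uint64_t i = 0; i < n; i++)
		printf("0x%llx\n", (unsigned long long)cover[i + 1]);
	fprintf(stderr, "%llu PCs attributed from hci_rx_work\n", (unsigned long long)n);
	ioctl(kcov, KCOV_DISABLE, 0);
	return 0;
}
```

Build with `cc -o bt_kcov bt_kcov.c` and run as root on a kernel with CONFIG_KCOV=y and the hci_vhci driver. A run that reports 0 PCs usually means the frame was dropped before it reached rx_q (adapter neither HCI_UP nor HCI_INIT at write time) or the skb was allocated by a task other than the one that called KCOV_REMOTE_ENABLE. A real harness answers the adapter's init commands from the same vhci fd so it reaches HCI_UP and stays there; that handshake is outside the KCOV point and is left out here.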


Thread overview: 8+ messages
2022-06-07 10:40 [PATCH v2] Bluetooth: Collect kcov coverage from hci_rx_work Tamas Koczka
2022-06-07 11:44 ` Tamás Koczka
2022-06-14 13:34   ` Tamás Koczka [this message]
2022-06-22 10:20     ` Aleksandr Nogikh
2022-06-23  9:18       ` Dmitry Vyukov
2022-07-04 12:52         ` Tamás Koczka
2022-07-14 10:48 Tamas Koczka
2022-07-14 20:00 ` patchwork-bot+bluetooth
