Re: [PATCH] Bluetooth: add timeout sanity check to hci_inquiry

From: kernel test robot <lkp@intel.com>
To: Pavel Skripkin <paskripkin@gmail.com>,
	Marcel Holtmann <marcel@holtmann.org>
Cc: clang-built-linux@googlegroups.com, kbuild-all@lists.01.org,
	syzbot <syzbot+be2baed593ea56c6a84c@syzkaller.appspotmail.com>,
	Johan Hedberg <johan.hedberg@gmail.com>,
	kuba@kernel.org, linux-bluetooth@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	Luiz Augusto von Dentz <luiz.dentz@gmail.com>,
	netdev@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [PATCH] Bluetooth: add timeout sanity check to hci_inquiry
Date: Tue, 17 Aug 2021 07:28:15 +0800	[thread overview]
Message-ID: <202108170725.VbM2skmZ-lkp@intel.com> (raw)
In-Reply-To: <568c354b-6e4b-d15a-613e-3389c99a93a1@gmail.com>

[-- Attachment #1: Type: text/plain, Size: 4760 bytes --]

Hi Pavel,

Thank you for the patch! Yet something to improve:

[auto build test ERROR on bluetooth/master]
[also build test ERROR on bluetooth-next/master net-next/master net/master sparc-next/master v5.14-rc6 next-20210816]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/Pavel-Skripkin/Bluetooth-add-timeout-sanity-check-to-hci_inquiry/20210817-040113
base:   https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth.git master
config: hexagon-randconfig-r022-20210816 (attached as .config)
compiler: clang version 12.0.0
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/0day-ci/linux/commit/cb175bf2ea0de6152c66ce30cd1d3d665fda338b
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review Pavel-Skripkin/Bluetooth-add-timeout-sanity-check-to-hci_inquiry/20210817-040113
        git checkout cb175bf2ea0de6152c66ce30cd1d3d665fda338b
        # save the attached .config to linux build tree
        mkdir build_dir
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross O=build_dir ARCH=hexagon SHELL=/bin/bash net/bluetooth/

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>

All errors (new ones prefixed by >>):

>> net/bluetooth/hci_core.c:1346:18: error: use of undeclared identifier 'HCI_MAX_TIMEOUT'
           if (ir.length > HCI_MAX_TIMEOUT) {
                           ^
   1 error generated.

vim +/HCI_MAX_TIMEOUT +1346 net/bluetooth/hci_core.c

  1309	
  1310	int hci_inquiry(void __user *arg)
  1311	{
  1312		__u8 __user *ptr = arg;
  1313		struct hci_inquiry_req ir;
  1314		struct hci_dev *hdev;
  1315		int err = 0, do_inquiry = 0, max_rsp;
  1316		long timeo;
  1317		__u8 *buf;
  1318	
  1319		if (copy_from_user(&ir, ptr, sizeof(ir)))
  1320			return -EFAULT;
  1321	
  1322		hdev = hci_dev_get(ir.dev_id);
  1323		if (!hdev)
  1324			return -ENODEV;
  1325	
  1326		if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
  1327			err = -EBUSY;
  1328			goto done;
  1329		}
  1330	
  1331		if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
  1332			err = -EOPNOTSUPP;
  1333			goto done;
  1334		}
  1335	
  1336		if (hdev->dev_type != HCI_PRIMARY) {
  1337			err = -EOPNOTSUPP;
  1338			goto done;
  1339		}
  1340	
  1341		if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
  1342			err = -EOPNOTSUPP;
  1343			goto done;
  1344		}
  1345	
> 1346		if (ir.length > HCI_MAX_TIMEOUT) {
  1347			err = -EINVAL;
  1348			goto done;
  1349		}
  1350	
  1351		hci_dev_lock(hdev);
  1352		if (inquiry_cache_age(hdev) > INQUIRY_CACHE_AGE_MAX ||
  1353		    inquiry_cache_empty(hdev) || ir.flags & IREQ_CACHE_FLUSH) {
  1354			hci_inquiry_cache_flush(hdev);
  1355			do_inquiry = 1;
  1356		}
  1357		hci_dev_unlock(hdev);
  1358	
  1359		timeo = ir.length * msecs_to_jiffies(2000);
  1360	
  1361		if (do_inquiry) {
  1362			err = hci_req_sync(hdev, hci_inq_req, (unsigned long) &ir,
  1363					   timeo, NULL);
  1364			if (err < 0)
  1365				goto done;
  1366	
  1367			/* Wait until Inquiry procedure finishes (HCI_INQUIRY flag is
  1368			 * cleared). If it is interrupted by a signal, return -EINTR.
  1369			 */
  1370			if (wait_on_bit(&hdev->flags, HCI_INQUIRY,
  1371					TASK_INTERRUPTIBLE)) {
  1372				err = -EINTR;
  1373				goto done;
  1374			}
  1375		}
  1376	
  1377		/* for unlimited number of responses we will use buffer with
  1378		 * 255 entries
  1379		 */
  1380		max_rsp = (ir.num_rsp == 0) ? 255 : ir.num_rsp;
  1381	
  1382		/* cache_dump can't sleep. Therefore we allocate temp buffer and then
  1383		 * copy it to the user space.
  1384		 */
  1385		buf = kmalloc_array(max_rsp, sizeof(struct inquiry_info), GFP_KERNEL);
  1386		if (!buf) {
  1387			err = -ENOMEM;
  1388			goto done;
  1389		}
  1390	
  1391		hci_dev_lock(hdev);
  1392		ir.num_rsp = inquiry_cache_dump(hdev, max_rsp, buf);
  1393		hci_dev_unlock(hdev);
  1394	
  1395		BT_DBG("num_rsp %d", ir.num_rsp);
  1396	
  1397		if (!copy_to_user(ptr, &ir, sizeof(ir))) {
  1398			ptr += sizeof(ir);
  1399			if (copy_to_user(ptr, buf, sizeof(struct inquiry_info) *
  1400					 ir.num_rsp))
  1401				err = -EFAULT;
  1402		} else
  1403			err = -EFAULT;
  1404	
  1405		kfree(buf);
  1406	
  1407	done:
  1408		hci_dev_put(hdev);
  1409		return err;
  1410	}
  1411	

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org

[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 31583 bytes --]