* [syzbot] [bluetooth?] general protection fault in btintel_read_version
@ 2024-01-17 12:05 syzbot
2024-01-17 13:37 ` Edward Adam Davis
` (2 more replies)
0 siblings, 3 replies; 8+ messages in thread
From: syzbot @ 2024-01-17 12:05 UTC (permalink / raw)
To: johan.hedberg, linux-bluetooth, linux-kernel, luiz.dentz, marcel,
syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 943b9f0ab2cf Add linux-next specific files for 20240117
git tree: linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=17c60debe80000
kernel config: https://syzkaller.appspot.com/x/.config?x=12af1d067b6a6d19
dashboard link: https://syzkaller.appspot.com/bug?extid=830d9e3fa61968246abd
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1151c2a3e80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=110f7913e80000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/9c032ce79e0f/disk-943b9f0a.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/93163e287878/vmlinux-943b9f0a.xz
kernel image: https://storage.googleapis.com/syzbot-assets/512cc2e14a4b/bzImage-943b9f0a.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+830d9e3fa61968246abd@syzkaller.appspotmail.com
general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
CPU: 0 PID: 4455 Comm: kworker/u5:1 Not tainted 6.7.0-next-20240117-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Workqueue: hci0 hci_power_on
RIP: 0010:btintel_read_version+0x65/0x1e0 drivers/bluetooth/btintel.c:444
Code: 08 c5 f9 48 81 fb 00 f0 ff ff 0f 87 9e 00 00 00 e8 c0 0d c5 f9 48 8d 7b 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e de 00 00 00 8b 6b 70 bf 0a 00
RSP: 0018:ffffc9000e057958 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff87c7146e
RDX: 000000000000000e RSI: ffffffff87c71480 RDI: 0000000000000070
RBP: ffffc9000e057a10 R08: 0000000000000007 R09: fffffffffffff000
R10: 0000000000000000 R11: 0000000000000003 R12: ffff888030f74000
R13: ffffc9000e0579f0 R14: ffff888030f74000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f27722fa1d0 CR3: 000000007ff6a000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
ag6xx_setup+0x1b0/0xc10 drivers/bluetooth/hci_ag6xx.c:169
hci_uart_setup+0x224/0x4d0 drivers/bluetooth/hci_ldisc.c:423
hci_dev_setup_sync net/bluetooth/hci_sync.c:4631 [inline]
hci_dev_init_sync net/bluetooth/hci_sync.c:4699 [inline]
hci_dev_open_sync+0x35b/0x2650 net/bluetooth/hci_sync.c:4799
hci_dev_do_open+0x2a/0x90 net/bluetooth/hci_core.c:483
hci_power_on+0x132/0x670 net/bluetooth/hci_core.c:1015
process_one_work+0x8d5/0x16e0 kernel/workqueue.c:2633
process_scheduled_works kernel/workqueue.c:2707 [inline]
worker_thread+0x8b6/0x1290 kernel/workqueue.c:2788
kthread+0x2c1/0x3a0 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:242
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:btintel_read_version+0x65/0x1e0 drivers/bluetooth/btintel.c:444
Code: 08 c5 f9 48 81 fb 00 f0 ff ff 0f 87 9e 00 00 00 e8 c0 0d c5 f9 48 8d 7b 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e de 00 00 00 8b 6b 70 bf 0a 00
RSP: 0018:ffffc9000e057958 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff87c7146e
RDX: 000000000000000e RSI: ffffffff87c71480 RDI: 0000000000000070
RBP: ffffc9000e057a10 R08: 0000000000000007 R09: fffffffffffff000
R10: 0000000000000000 R11: 0000000000000003 R12: ffff888030f74000
R13: ffffc9000e0579f0 R14: ffff888030f74000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f27722fa1d0 CR3: 000000007ff6a000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 08 c5 or %al,%ch
2: f9 stc
3: 48 81 fb 00 f0 ff ff cmp $0xfffffffffffff000,%rbx
a: 0f 87 9e 00 00 00 ja 0xae
10: e8 c0 0d c5 f9 call 0xf9c50dd5
15: 48 8d 7b 70 lea 0x70(%rbx),%rdi
19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
20: fc ff df
23: 48 89 fa mov %rdi,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 0f b6 04 02 movzbl (%rdx,%rax,1),%eax <-- trapping instruction
2e: 84 c0 test %al,%al
30: 74 08 je 0x3a
32: 3c 03 cmp $0x3,%al
34: 0f 8e de 00 00 00 jle 0x118
3a: 8b 6b 70 mov 0x70(%rbx),%ebp
3d: bf .byte 0xbf
3e: 0a 00 or (%rax),%al
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [syzbot] [bluetooth?] general protection fault in btintel_read_version
2024-01-17 12:05 [syzbot] [bluetooth?] general protection fault in btintel_read_version syzbot
@ 2024-01-17 13:37 ` Edward Adam Davis
2024-01-17 15:45 ` syzbot
2024-01-17 22:53 ` Edward Adam Davis
2024-01-18 4:40 ` [PATCH next] bluetooth/btintel: fix null ptr deref " Edward Adam Davis
2 siblings, 1 reply; 8+ messages in thread
From: Edward Adam Davis @ 2024-01-17 13:37 UTC (permalink / raw)
To: syzbot+830d9e3fa61968246abd; +Cc: linux-kernel, syzkaller-bugs
please test null ptr deref in btintel_read_version
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 943b9f0ab2cf
diff --git a/drivers/bluetooth/btintel.c b/drivers/bluetooth/btintel.c
index cdc5c08824a0..e5b043d96207 100644
--- a/drivers/bluetooth/btintel.c
+++ b/drivers/bluetooth/btintel.c
@@ -435,7 +435,7 @@ int btintel_read_version(struct hci_dev *hdev, struct intel_version *ver)
struct sk_buff *skb;
skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_CMD_TIMEOUT);
- if (IS_ERR(skb)) {
+ if (IS_ERR_OR_NULL(skb)) {
bt_dev_err(hdev, "Reading Intel version information failed (%ld)",
PTR_ERR(skb));
return PTR_ERR(skb);
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [syzbot] [bluetooth?] general protection fault in btintel_read_version
2024-01-17 13:37 ` Edward Adam Davis
@ 2024-01-17 15:45 ` syzbot
0 siblings, 0 replies; 8+ messages in thread
From: syzbot @ 2024-01-17 15:45 UTC (permalink / raw)
To: eadavis, linux-kernel, syzkaller-bugs
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
failed to checkout kernel repo https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git on commit 943b9f0ab2cf: failed to run ["git" "fetch" "--force" "--tags" "fc608f7504e8b3e110eb6e7b798cef357818c5e1" "943b9f0ab2cf"]: exit status 128
fatal: couldn't find remote ref 943b9f0ab2cf
Tested on:
commit: [unknown
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 943b9f0ab2cf
kernel config: https://syzkaller.appspot.com/x/.config?x=12af1d067b6a6d19
dashboard link: https://syzkaller.appspot.com/bug?extid=830d9e3fa61968246abd
compiler:
patch: https://syzkaller.appspot.com/x/patch.diff?x=10f9e90be80000
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [syzbot] [bluetooth?] general protection fault in btintel_read_version
2024-01-17 12:05 [syzbot] [bluetooth?] general protection fault in btintel_read_version syzbot
2024-01-17 13:37 ` Edward Adam Davis
@ 2024-01-17 22:53 ` Edward Adam Davis
2024-01-18 1:56 ` syzbot
2024-01-18 4:40 ` [PATCH next] bluetooth/btintel: fix null ptr deref " Edward Adam Davis
2 siblings, 1 reply; 8+ messages in thread
From: Edward Adam Davis @ 2024-01-17 22:53 UTC (permalink / raw)
To: syzbot+830d9e3fa61968246abd; +Cc: linux-kernel, syzkaller-bugs
please test null ptr deref in btintel_read_version
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
diff --git a/drivers/bluetooth/btintel.c b/drivers/bluetooth/btintel.c
index cdc5c08824a0..e5b043d96207 100644
--- a/drivers/bluetooth/btintel.c
+++ b/drivers/bluetooth/btintel.c
@@ -435,7 +435,7 @@ int btintel_read_version(struct hci_dev *hdev, struct intel_version *ver)
struct sk_buff *skb;
skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_CMD_TIMEOUT);
- if (IS_ERR(skb)) {
+ if (IS_ERR_OR_NULL(skb)) {
bt_dev_err(hdev, "Reading Intel version information failed (%ld)",
PTR_ERR(skb));
return PTR_ERR(skb);
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [syzbot] [bluetooth?] general protection fault in btintel_read_version
2024-01-17 22:53 ` Edward Adam Davis
@ 2024-01-18 1:56 ` syzbot
0 siblings, 0 replies; 8+ messages in thread
From: syzbot @ 2024-01-18 1:56 UTC (permalink / raw)
To: eadavis, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+830d9e3fa61968246abd@syzkaller.appspotmail.com
Tested on:
commit: 943b9f0a Add linux-next specific files for 20240117
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=10fab583e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=12af1d067b6a6d19
dashboard link: https://syzkaller.appspot.com/bug?extid=830d9e3fa61968246abd
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=132f7913e80000
Note: testing is done by a robot and is best-effort only.
^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH next] bluetooth/btintel: fix null ptr deref in btintel_read_version
2024-01-17 12:05 [syzbot] [bluetooth?] general protection fault in btintel_read_version syzbot
2024-01-17 13:37 ` Edward Adam Davis
2024-01-17 22:53 ` Edward Adam Davis
@ 2024-01-18 4:40 ` Edward Adam Davis
2024-01-18 5:32 ` [next] " bluez.test.bot
2024-01-25 20:50 ` [PATCH next] " patchwork-bot+bluetooth
2 siblings, 2 replies; 8+ messages in thread
From: Edward Adam Davis @ 2024-01-18 4:40 UTC (permalink / raw)
To: syzbot+830d9e3fa61968246abd
Cc: johan.hedberg, linux-bluetooth, linux-kernel, luiz.dentz, marcel,
syzkaller-bugs
If hci_cmd_sync_complete() is triggered and skb is NULL, then hdev->req_skb is NULL,
which will cause this issue.
Reported-and-tested-by: syzbot+830d9e3fa61968246abd@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
drivers/bluetooth/btintel.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/bluetooth/btintel.c b/drivers/bluetooth/btintel.c
index cdc5c08824a0..e5b043d96207 100644
--- a/drivers/bluetooth/btintel.c
+++ b/drivers/bluetooth/btintel.c
@@ -435,7 +435,7 @@ int btintel_read_version(struct hci_dev *hdev, struct intel_version *ver)
struct sk_buff *skb;
skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_CMD_TIMEOUT);
- if (IS_ERR(skb)) {
+ if (IS_ERR_OR_NULL(skb)) {
bt_dev_err(hdev, "Reading Intel version information failed (%ld)",
PTR_ERR(skb));
return PTR_ERR(skb);
--
2.43.0
^ permalink raw reply related [flat|nested] 8+ messages in thread
* RE: [next] bluetooth/btintel: fix null ptr deref in btintel_read_version
2024-01-18 4:40 ` [PATCH next] bluetooth/btintel: fix null ptr deref " Edward Adam Davis
@ 2024-01-18 5:32 ` bluez.test.bot
2024-01-25 20:50 ` [PATCH next] " patchwork-bot+bluetooth
1 sibling, 0 replies; 8+ messages in thread
From: bluez.test.bot @ 2024-01-18 5:32 UTC (permalink / raw)
To: linux-bluetooth, eadavis
[-- Attachment #1: Type: text/plain, Size: 3236 bytes --]
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=817714
---Test result---
Test Summary:
CheckPatch FAIL 0.93 seconds
GitLint FAIL 0.92 seconds
SubjectPrefix FAIL 0.35 seconds
BuildKernel PASS 27.62 seconds
CheckAllWarning PASS 30.64 seconds
CheckSparse PASS 35.85 seconds
CheckSmatch PASS 98.80 seconds
BuildKernel32 PASS 27.17 seconds
TestRunnerSetup PASS 434.34 seconds
TestRunner_l2cap-tester PASS 22.86 seconds
TestRunner_iso-tester PASS 47.19 seconds
TestRunner_bnep-tester PASS 6.79 seconds
TestRunner_mgmt-tester PASS 155.13 seconds
TestRunner_rfcomm-tester PASS 10.67 seconds
TestRunner_sco-tester PASS 14.34 seconds
TestRunner_ioctl-tester PASS 12.04 seconds
TestRunner_mesh-tester PASS 8.75 seconds
TestRunner_smp-tester PASS 9.62 seconds
TestRunner_userchan-tester PASS 8.21 seconds
IncrementalBuild PASS 25.88 seconds
Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
[next] bluetooth/btintel: fix null ptr deref in btintel_read_version
WARNING: Prefer a maximum 75 chars per line (possible unwrapped commit description?)
#83:
If hci_cmd_sync_complete() is triggered and skb is NULL, then hdev->req_skb is NULL,
WARNING: Reported-by: should be immediately followed by Closes: with a URL to the report
#86:
Reported-and-tested-by: syzbot+830d9e3fa61968246abd@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
total: 0 errors, 2 warnings, 8 lines checked
NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.
/github/workspace/src/src/13522361.patch has style problems, please review.
NOTE: Ignored message types: UNKNOWN_COMMIT_ID
NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.
##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
[next] bluetooth/btintel: fix null ptr deref in btintel_read_version
WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
3: B1 Line exceeds max length (84>80): "If hci_cmd_sync_complete() is triggered and skb is NULL, then hdev->req_skb is NULL,"
##############################
Test: SubjectPrefix - FAIL
Desc: Check subject contains "Bluetooth" prefix
Output:
"Bluetooth: " prefix is not specified in the subject
---
Regards,
Linux Bluetooth
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH next] bluetooth/btintel: fix null ptr deref in btintel_read_version
2024-01-18 4:40 ` [PATCH next] bluetooth/btintel: fix null ptr deref " Edward Adam Davis
2024-01-18 5:32 ` [next] " bluez.test.bot
@ 2024-01-25 20:50 ` patchwork-bot+bluetooth
1 sibling, 0 replies; 8+ messages in thread
From: patchwork-bot+bluetooth @ 2024-01-25 20:50 UTC (permalink / raw)
To: Edward Adam Davis
Cc: syzbot+830d9e3fa61968246abd, johan.hedberg, linux-bluetooth,
linux-kernel, luiz.dentz, marcel, syzkaller-bugs
Hello:
This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Thu, 18 Jan 2024 12:40:34 +0800 you wrote:
> If hci_cmd_sync_complete() is triggered and skb is NULL, then hdev->req_skb is NULL,
> which will cause this issue.
>
> Reported-and-tested-by: syzbot+830d9e3fa61968246abd@syzkaller.appspotmail.com
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> ---
> drivers/bluetooth/btintel.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
Here is the summary with links:
- [next] bluetooth/btintel: fix null ptr deref in btintel_read_version
https://git.kernel.org/bluetooth/bluetooth-next/c/693a94db9e8c
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2024-01-25 20:50 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-01-17 12:05 [syzbot] [bluetooth?] general protection fault in btintel_read_version syzbot
2024-01-17 13:37 ` Edward Adam Davis
2024-01-17 15:45 ` syzbot
2024-01-17 22:53 ` Edward Adam Davis
2024-01-18 1:56 ` syzbot
2024-01-18 4:40 ` [PATCH next] bluetooth/btintel: fix null ptr deref " Edward Adam Davis
2024-01-18 5:32 ` [next] " bluez.test.bot
2024-01-25 20:50 ` [PATCH next] " patchwork-bot+bluetooth
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.