From: Dmitry Vyukov <dvyukov@google.com>
To: Gopal Tiwari <gtiwari@redhat.com>
Cc: Peilin Ye <yepeilin.cs@gmail.com>,
Marcel Holtmann <marcel@holtmann.org>,
Johan Hedberg <johan.hedberg@gmail.com>,
Andrei Emeltchenko <andrei.emeltchenko@intel.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
"David S. Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>,
linux-kernel-mentees@lists.linuxfoundation.org,
syzkaller-bugs <syzkaller-bugs@googlegroups.com>,
linux-bluetooth <linux-bluetooth@vger.kernel.org>,
netdev <netdev@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
syzbot+f4fb0eaafdb51c32a153@syzkaller.appspotmail.com
Subject: Re: [Linux-kernel-mentees] [PATCH net] Bluetooth: Fix NULL pointer dereference in amp_read_loc_assoc_final_data()
Date: Wed, 3 Mar 2021 11:27:41 +0100 [thread overview]
Message-ID: <CACT4Y+Y090LkpY=PcuG_VGhaah1uPduO+dHww3uERP_x1MEUMQ@mail.gmail.com> (raw)
In-Reply-To: <1576870386.32806253.1614766300531.JavaMail.zimbra@redhat.com>
On Wed, Mar 3, 2021 at 11:11 AM Gopal Tiwari <gtiwari@redhat.com> wrote:
>
> Hi,
>
> I tried to search the patch for one of the bugzilla reported (Internal) https://bugzilla.redhat.com/show_bug.cgi?id=1916057 with the traces
>
> [ 405.938525] Workqueue: hci0 hci_rx_work [bluetooth]
> [ 405.941360] RIP: 0010:amp_read_loc_assoc_final_data+0xfc/0x1c0 [bluetooth]
> [ 405.944740] Code: 89 44 24 29 48 b8 00 00 00 00 00 fc ff df 0f b6 04 02 84 c0 74 08 3c 01 0f 8e 9d 00 00 00 0f b7 85 c0 03 00 00 66 89 44 24 2b <f0> 41 80 4c 24 30 04 4c 8d 64 24 68 48 89 ee 4c 89 e7 e8 3d 48 fe
> [ 405.952396] RSP: 0018:ffff88802ea0f838 EFLAGS: 00010246
> [ 405.955368] RAX: 0000000000000000 RBX: 1ffff11005d41f08 RCX: dffffc0000000000
> [ 405.958669] RDX: 1ffff110254cc878 RSI: ffff88802eeee000 RDI: ffff88812a6643c0
> [ 405.961980] RBP: ffff88812a664000 R08: 0000000000000000 R09: 0000000000000000
> [ 405.965319] R10: ffff88802ea0fd00 R11: 0000000000000000 R12: 0000000000000000
> [ 405.968624] R13: 0000000000000041 R14: ffff88802b836800 R15: ffff8881250570c0
> [ 405.971989] FS: 0000000000000000(0000) GS:ffff888055a00000(0000) knlGS:0000000000000000
> [ 405.975645] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 405.978755] CR2: 0000000000000030 CR3: 000000002d200000 CR4: 0000000000340ee0
> [ 405.982150] Call Trace:
> [ 405.984768] ? amp_read_loc_assoc+0x170/0x170 [bluetooth]
> [ 405.987875] ? rcu_read_unlock+0x50/0x50
> [ 405.990663] ? deref_stack_reg+0xf0/0xf0
> [ 405.993403] ? __module_address+0x3f/0x370
> [ 405.996184] ? hci_cmd_work+0x180/0x330 [bluetooth]
> [ 405.999170] ? hci_conn_hash_lookup_handle+0x1a1/0x270 [bluetooth]
> [ 406.002354] hci_event_packet+0x1476/0x7e00 [bluetooth]
> [ 406.005407] ? arch_stack_walk+0x8f/0xf0
> [ 406.008206] ? ret_from_fork+0x27/0x50
> [ 406.010887] ? hci_cmd_complete_evt+0xbf70/0xbf70 [bluetooth]
> [ 406.013933] ? stack_trace_save+0x8a/0xb0
> [ 406.016618] ? do_profile_hits.isra.4.cold.9+0x2d/0x2d
> [ 406.019483] ? lock_acquire+0x1a3/0x970
> [ 406.022092] ? __wake_up_common_lock+0xaf/0x130
>
>
> I didn't found any solution upstream. After the vmcore analysis I found what is wrong. And took reference from the following patch, which seems to be on the similar line
>
> commit 6dfccd13db2ff2b709ef60a50163925d477549aa
> Author: Anmol Karn <anmol.karan123@gmail.com>
> Date: Wed Sep 30 19:48:13 2020 +0530
>
> Bluetooth: Fix null pointer dereference in hci_event_packet()
>
> AMP_MGR is getting derefernced in hci_phy_link_complete_evt(), when called
> from hci_event_packet() and there is a possibility, that hcon->amp_mgr may
> not be found when accessing after initialization of hcon.
>
> - net/bluetooth/hci_event.c:4945
>
> How we can avoid this scenario. So I made the chages and tested. It worked or avoided the kernel panic. But I really don't know that some one has already posted the patch. I would have love to backport the patch, I was more of looking for the fix. That's where I didn't applied the reported-by tag as I thought it reported internal only.
Hi Gopal,
I think it's somewhat inherent to the current kernel unstructured
processes with bugs being reported on mailing lists, bugzilla,
distro-specific trackers.
One useful thing, though, is searching Lore, e.g. searching for just
the crashing function:
https://lore.kernel.org/lkml/?q=amp_read_loc_assoc_final_data
gives the report and the patch (if we filter out all entries produced
by your patch, which obviously wasn't yet there before you wrote it
:)):
12. [Linux-kernel-mentees] [PATCH net] Bluetooth: Fix NULL pointer
dereference in amp_read_loc_assoc_final_data()
- by Peilin Ye @ 2020-08-08 4:04 UTC [21%]
13. KASAN: null-ptr-deref Write in amp_read_loc_assoc_final_data
- by syzbot @ 2020-07-31 17:04 UTC [13%]
> Thanks & regards,
> Gopal Tiwari
>
>
>
> ----- Original Message -----
> From: "Dmitry Vyukov" <dvyukov@google.com>
> To: "Peilin Ye" <yepeilin.cs@gmail.com>
> Cc: "Marcel Holtmann" <marcel@holtmann.org>, "Johan Hedberg" <johan.hedberg@gmail.com>, "Andrei Emeltchenko" <andrei.emeltchenko@intel.com>, "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>, "David S. Miller" <davem@davemloft.net>, "Jakub Kicinski" <kuba@kernel.org>, linux-kernel-mentees@lists.linuxfoundation.org, "syzkaller-bugs" <syzkaller-bugs@googlegroups.com>, "linux-bluetooth" <linux-bluetooth@vger.kernel.org>, "netdev" <netdev@vger.kernel.org>, "LKML" <linux-kernel@vger.kernel.org>, gtiwari@redhat.com, syzbot+f4fb0eaafdb51c32a153@syzkaller.appspotmail.com
> Sent: Wednesday, March 3, 2021 1:51:41 PM
> Subject: Re: [Linux-kernel-mentees] [PATCH net] Bluetooth: Fix NULL pointer dereference in amp_read_loc_assoc_final_data()
>
> On Sat, Aug 8, 2020 at 6:06 AM Peilin Ye <yepeilin.cs@gmail.com> wrote:
> >
> > Prevent amp_read_loc_assoc_final_data() from dereferencing `mgr` as NULL.
> >
> > Reported-and-tested-by: syzbot+f4fb0eaafdb51c32a153@syzkaller.appspotmail.com
> > Fixes: 9495b2ee757f ("Bluetooth: AMP: Process Chan Selected event")
> > Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
> > ---
> > net/bluetooth/amp.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/net/bluetooth/amp.c b/net/bluetooth/amp.c
> > index 9c711f0dfae3..be2d469d6369 100644
> > --- a/net/bluetooth/amp.c
> > +++ b/net/bluetooth/amp.c
> > @@ -297,6 +297,9 @@ void amp_read_loc_assoc_final_data(struct hci_dev *hdev,
> > struct hci_request req;
> > int err;
> >
> > + if (!mgr)
> > + return;
> > +
> > cp.phy_handle = hcon->handle;
> > cp.len_so_far = cpu_to_le16(0);
> > cp.max_len = cpu_to_le16(hdev->amp_assoc_size);
>
> Not sure what happened here, but the merged patch somehow has a
> different author and no Reported-by tag:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e8bd76ede155fd54d8c41d045dda43cd3174d506
> so let's tell syzbot what fixed it manually:
> #syz fix:
> Bluetooth: Fix null pointer dereference in amp_read_loc_assoc_final_data
>
WARNING: multiple messages have this Message-ID (diff)
From: Dmitry Vyukov via Linux-kernel-mentees <linux-kernel-mentees@lists.linuxfoundation.org>
To: Gopal Tiwari <gtiwari@redhat.com>
Cc: Johan Hedberg <johan.hedberg@gmail.com>,
Andrei Emeltchenko <andrei.emeltchenko@intel.com>,
Marcel Holtmann <marcel@holtmann.org>,
syzkaller-bugs <syzkaller-bugs@googlegroups.com>,
LKML <linux-kernel@vger.kernel.org>,
Peilin Ye <yepeilin.cs@gmail.com>,
linux-bluetooth <linux-bluetooth@vger.kernel.org>,
syzbot+f4fb0eaafdb51c32a153@syzkaller.appspotmail.com,
netdev <netdev@vger.kernel.org>, Jakub Kicinski <kuba@kernel.org>,
linux-kernel-mentees@lists.linuxfoundation.org,
"David S. Miller" <davem@davemloft.net>
Subject: Re: [Linux-kernel-mentees] [PATCH net] Bluetooth: Fix NULL pointer dereference in amp_read_loc_assoc_final_data()
Date: Wed, 3 Mar 2021 11:27:41 +0100 [thread overview]
Message-ID: <CACT4Y+Y090LkpY=PcuG_VGhaah1uPduO+dHww3uERP_x1MEUMQ@mail.gmail.com> (raw)
In-Reply-To: <1576870386.32806253.1614766300531.JavaMail.zimbra@redhat.com>
On Wed, Mar 3, 2021 at 11:11 AM Gopal Tiwari <gtiwari@redhat.com> wrote:
>
> Hi,
>
> I tried to search the patch for one of the bugzilla reported (Internal) https://bugzilla.redhat.com/show_bug.cgi?id=1916057 with the traces
>
> [ 405.938525] Workqueue: hci0 hci_rx_work [bluetooth]
> [ 405.941360] RIP: 0010:amp_read_loc_assoc_final_data+0xfc/0x1c0 [bluetooth]
> [ 405.944740] Code: 89 44 24 29 48 b8 00 00 00 00 00 fc ff df 0f b6 04 02 84 c0 74 08 3c 01 0f 8e 9d 00 00 00 0f b7 85 c0 03 00 00 66 89 44 24 2b <f0> 41 80 4c 24 30 04 4c 8d 64 24 68 48 89 ee 4c 89 e7 e8 3d 48 fe
> [ 405.952396] RSP: 0018:ffff88802ea0f838 EFLAGS: 00010246
> [ 405.955368] RAX: 0000000000000000 RBX: 1ffff11005d41f08 RCX: dffffc0000000000
> [ 405.958669] RDX: 1ffff110254cc878 RSI: ffff88802eeee000 RDI: ffff88812a6643c0
> [ 405.961980] RBP: ffff88812a664000 R08: 0000000000000000 R09: 0000000000000000
> [ 405.965319] R10: ffff88802ea0fd00 R11: 0000000000000000 R12: 0000000000000000
> [ 405.968624] R13: 0000000000000041 R14: ffff88802b836800 R15: ffff8881250570c0
> [ 405.971989] FS: 0000000000000000(0000) GS:ffff888055a00000(0000) knlGS:0000000000000000
> [ 405.975645] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 405.978755] CR2: 0000000000000030 CR3: 000000002d200000 CR4: 0000000000340ee0
> [ 405.982150] Call Trace:
> [ 405.984768] ? amp_read_loc_assoc+0x170/0x170 [bluetooth]
> [ 405.987875] ? rcu_read_unlock+0x50/0x50
> [ 405.990663] ? deref_stack_reg+0xf0/0xf0
> [ 405.993403] ? __module_address+0x3f/0x370
> [ 405.996184] ? hci_cmd_work+0x180/0x330 [bluetooth]
> [ 405.999170] ? hci_conn_hash_lookup_handle+0x1a1/0x270 [bluetooth]
> [ 406.002354] hci_event_packet+0x1476/0x7e00 [bluetooth]
> [ 406.005407] ? arch_stack_walk+0x8f/0xf0
> [ 406.008206] ? ret_from_fork+0x27/0x50
> [ 406.010887] ? hci_cmd_complete_evt+0xbf70/0xbf70 [bluetooth]
> [ 406.013933] ? stack_trace_save+0x8a/0xb0
> [ 406.016618] ? do_profile_hits.isra.4.cold.9+0x2d/0x2d
> [ 406.019483] ? lock_acquire+0x1a3/0x970
> [ 406.022092] ? __wake_up_common_lock+0xaf/0x130
>
>
> I didn't found any solution upstream. After the vmcore analysis I found what is wrong. And took reference from the following patch, which seems to be on the similar line
>
> commit 6dfccd13db2ff2b709ef60a50163925d477549aa
> Author: Anmol Karn <anmol.karan123@gmail.com>
> Date: Wed Sep 30 19:48:13 2020 +0530
>
> Bluetooth: Fix null pointer dereference in hci_event_packet()
>
> AMP_MGR is getting derefernced in hci_phy_link_complete_evt(), when called
> from hci_event_packet() and there is a possibility, that hcon->amp_mgr may
> not be found when accessing after initialization of hcon.
>
> - net/bluetooth/hci_event.c:4945
>
> How we can avoid this scenario. So I made the chages and tested. It worked or avoided the kernel panic. But I really don't know that some one has already posted the patch. I would have love to backport the patch, I was more of looking for the fix. That's where I didn't applied the reported-by tag as I thought it reported internal only.
Hi Gopal,
I think it's somewhat inherent to the current kernel unstructured
processes with bugs being reported on mailing lists, bugzilla,
distro-specific trackers.
One useful thing, though, is searching Lore, e.g. searching for just
the crashing function:
https://lore.kernel.org/lkml/?q=amp_read_loc_assoc_final_data
gives the report and the patch (if we filter out all entries produced
by your patch, which obviously wasn't yet there before you wrote it
:)):
12. [Linux-kernel-mentees] [PATCH net] Bluetooth: Fix NULL pointer
dereference in amp_read_loc_assoc_final_data()
- by Peilin Ye @ 2020-08-08 4:04 UTC [21%]
13. KASAN: null-ptr-deref Write in amp_read_loc_assoc_final_data
- by syzbot @ 2020-07-31 17:04 UTC [13%]
> Thanks & regards,
> Gopal Tiwari
>
>
>
> ----- Original Message -----
> From: "Dmitry Vyukov" <dvyukov@google.com>
> To: "Peilin Ye" <yepeilin.cs@gmail.com>
> Cc: "Marcel Holtmann" <marcel@holtmann.org>, "Johan Hedberg" <johan.hedberg@gmail.com>, "Andrei Emeltchenko" <andrei.emeltchenko@intel.com>, "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>, "David S. Miller" <davem@davemloft.net>, "Jakub Kicinski" <kuba@kernel.org>, linux-kernel-mentees@lists.linuxfoundation.org, "syzkaller-bugs" <syzkaller-bugs@googlegroups.com>, "linux-bluetooth" <linux-bluetooth@vger.kernel.org>, "netdev" <netdev@vger.kernel.org>, "LKML" <linux-kernel@vger.kernel.org>, gtiwari@redhat.com, syzbot+f4fb0eaafdb51c32a153@syzkaller.appspotmail.com
> Sent: Wednesday, March 3, 2021 1:51:41 PM
> Subject: Re: [Linux-kernel-mentees] [PATCH net] Bluetooth: Fix NULL pointer dereference in amp_read_loc_assoc_final_data()
>
> On Sat, Aug 8, 2020 at 6:06 AM Peilin Ye <yepeilin.cs@gmail.com> wrote:
> >
> > Prevent amp_read_loc_assoc_final_data() from dereferencing `mgr` as NULL.
> >
> > Reported-and-tested-by: syzbot+f4fb0eaafdb51c32a153@syzkaller.appspotmail.com
> > Fixes: 9495b2ee757f ("Bluetooth: AMP: Process Chan Selected event")
> > Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
> > ---
> > net/bluetooth/amp.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/net/bluetooth/amp.c b/net/bluetooth/amp.c
> > index 9c711f0dfae3..be2d469d6369 100644
> > --- a/net/bluetooth/amp.c
> > +++ b/net/bluetooth/amp.c
> > @@ -297,6 +297,9 @@ void amp_read_loc_assoc_final_data(struct hci_dev *hdev,
> > struct hci_request req;
> > int err;
> >
> > + if (!mgr)
> > + return;
> > +
> > cp.phy_handle = hcon->handle;
> > cp.len_so_far = cpu_to_le16(0);
> > cp.max_len = cpu_to_le16(hdev->amp_assoc_size);
>
> Not sure what happened here, but the merged patch somehow has a
> different author and no Reported-by tag:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e8bd76ede155fd54d8c41d045dda43cd3174d506
> so let's tell syzbot what fixed it manually:
> #syz fix:
> Bluetooth: Fix null pointer dereference in amp_read_loc_assoc_final_data
>
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees
next prev parent reply other threads:[~2021-03-03 15:19 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-08 4:04 [Linux-kernel-mentees] [PATCH net] Bluetooth: Fix NULL pointer dereference in amp_read_loc_assoc_final_data() Peilin Ye
2020-08-08 4:04 ` Peilin Ye
2021-03-03 8:21 ` Dmitry Vyukov
2021-03-03 8:21 ` Dmitry Vyukov via Linux-kernel-mentees
2021-03-03 10:11 ` Gopal Tiwari
2021-03-03 10:11 ` Gopal Tiwari
2021-03-03 10:27 ` Dmitry Vyukov [this message]
2021-03-03 10:27 ` Dmitry Vyukov via Linux-kernel-mentees
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CACT4Y+Y090LkpY=PcuG_VGhaah1uPduO+dHww3uERP_x1MEUMQ@mail.gmail.com' \
--to=dvyukov@google.com \
--cc=andrei.emeltchenko@intel.com \
--cc=davem@davemloft.net \
--cc=gregkh@linuxfoundation.org \
--cc=gtiwari@redhat.com \
--cc=johan.hedberg@gmail.com \
--cc=kuba@kernel.org \
--cc=linux-bluetooth@vger.kernel.org \
--cc=linux-kernel-mentees@lists.linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=marcel@holtmann.org \
--cc=netdev@vger.kernel.org \
--cc=syzbot+f4fb0eaafdb51c32a153@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=yepeilin.cs@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.