[syzbot] [bluetooth?] general protection fault in btintel_read_version

[syzbot] [bluetooth?] general protection fault in btintel_read_version

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    943b9f0ab2cf Add linux-next specific files for 20240117
git tree:       linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=17c60debe80000
kernel config:  https://syzkaller.appspot.com/x/.config?x=12af1d067b6a6d19
dashboard link: https://syzkaller.appspot.com/bug?extid=830d9e3fa61968246abd
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1151c2a3e80000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=110f7913e80000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/9c032ce79e0f/disk-943b9f0a.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/93163e287878/vmlinux-943b9f0a.xz
kernel image: https://storage.googleapis.com/syzbot-assets/512cc2e14a4b/bzImage-943b9f0a.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+830d9e3fa61968246abd@syzkaller.appspotmail.com

general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
CPU: 0 PID: 4455 Comm: kworker/u5:1 Not tainted 6.7.0-next-20240117-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Workqueue: hci0 hci_power_on
RIP: 0010:btintel_read_version+0x65/0x1e0 drivers/bluetooth/btintel.c:444
Code: 08 c5 f9 48 81 fb 00 f0 ff ff 0f 87 9e 00 00 00 e8 c0 0d c5 f9 48 8d 7b 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e de 00 00 00 8b 6b 70 bf 0a 00
RSP: 0018:ffffc9000e057958 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff87c7146e
RDX: 000000000000000e RSI: ffffffff87c71480 RDI: 0000000000000070
RBP: ffffc9000e057a10 R08: 0000000000000007 R09: fffffffffffff000
R10: 0000000000000000 R11: 0000000000000003 R12: ffff888030f74000
R13: ffffc9000e0579f0 R14: ffff888030f74000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f27722fa1d0 CR3: 000000007ff6a000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 ag6xx_setup+0x1b0/0xc10 drivers/bluetooth/hci_ag6xx.c:169
 hci_uart_setup+0x224/0x4d0 drivers/bluetooth/hci_ldisc.c:423
 hci_dev_setup_sync net/bluetooth/hci_sync.c:4631 [inline]
 hci_dev_init_sync net/bluetooth/hci_sync.c:4699 [inline]
 hci_dev_open_sync+0x35b/0x2650 net/bluetooth/hci_sync.c:4799
 hci_dev_do_open+0x2a/0x90 net/bluetooth/hci_core.c:483
 hci_power_on+0x132/0x670 net/bluetooth/hci_core.c:1015
 process_one_work+0x8d5/0x16e0 kernel/workqueue.c:2633
 process_scheduled_works kernel/workqueue.c:2707 [inline]
 worker_thread+0x8b6/0x1290 kernel/workqueue.c:2788
 kthread+0x2c1/0x3a0 kernel/kthread.c:388
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:242
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:btintel_read_version+0x65/0x1e0 drivers/bluetooth/btintel.c:444
Code: 08 c5 f9 48 81 fb 00 f0 ff ff 0f 87 9e 00 00 00 e8 c0 0d c5 f9 48 8d 7b 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e de 00 00 00 8b 6b 70 bf 0a 00
RSP: 0018:ffffc9000e057958 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff87c7146e
RDX: 000000000000000e RSI: ffffffff87c71480 RDI: 0000000000000070
RBP: ffffc9000e057a10 R08: 0000000000000007 R09: fffffffffffff000
R10: 0000000000000000 R11: 0000000000000003 R12: ffff888030f74000
R13: ffffc9000e0579f0 R14: ffff888030f74000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f27722fa1d0 CR3: 000000007ff6a000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	08 c5                	or     %al,%ch
   2:	f9                   	stc
   3:	48 81 fb 00 f0 ff ff 	cmp    $0xfffffffffffff000,%rbx
   a:	0f 87 9e 00 00 00    	ja     0xae
  10:	e8 c0 0d c5 f9       	call   0xf9c50dd5
  15:	48 8d 7b 70          	lea    0x70(%rbx),%rdi
  19:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  20:	fc ff df
  23:	48 89 fa             	mov    %rdi,%rdx
  26:	48 c1 ea 03          	shr    $0x3,%rdx
* 2a:	0f b6 04 02          	movzbl (%rdx,%rax,1),%eax <-- trapping instruction
  2e:	84 c0                	test   %al,%al
  30:	74 08                	je     0x3a
  32:	3c 03                	cmp    $0x3,%al
  34:	0f 8e de 00 00 00    	jle    0x118
  3a:	8b 6b 70             	mov    0x70(%rbx),%ebp
  3d:	bf                   	.byte 0xbf
  3e:	0a 00                	or     (%rax),%al


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] [bluetooth?] general protection fault in btintel_read_version

[Edward Adam Davis]

please test null ptr deref in btintel_read_version

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 943b9f0ab2cf

diff --git a/drivers/bluetooth/btintel.c b/drivers/bluetooth/btintel.c
index cdc5c08824a0..e5b043d96207 100644
--- a/drivers/bluetooth/btintel.c
+++ b/drivers/bluetooth/btintel.c
@@ -435,7 +435,7 @@ int btintel_read_version(struct hci_dev *hdev, struct intel_version *ver)
 	struct sk_buff *skb;
 
 	skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_CMD_TIMEOUT);
-	if (IS_ERR(skb)) {
+	if (IS_ERR_OR_NULL(skb)) {
 		bt_dev_err(hdev, "Reading Intel version information failed (%ld)",
 			   PTR_ERR(skb));
 		return PTR_ERR(skb);

Re: [syzbot] [bluetooth?] general protection fault in btintel_read_version

[syzbot]

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to checkout kernel repo https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git on commit 943b9f0ab2cf: failed to run ["git" "fetch" "--force" "--tags" "fc608f7504e8b3e110eb6e7b798cef357818c5e1" "943b9f0ab2cf"]: exit status 128
fatal: couldn't find remote ref 943b9f0ab2cf



Tested on:

commit:         [unknown 
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 943b9f0ab2cf
kernel config:  https://syzkaller.appspot.com/x/.config?x=12af1d067b6a6d19
dashboard link: https://syzkaller.appspot.com/bug?extid=830d9e3fa61968246abd
compiler:       
patch:          https://syzkaller.appspot.com/x/patch.diff?x=10f9e90be80000

Re: [syzbot] [bluetooth?] general protection fault in btintel_read_version

[Edward Adam Davis]

please test null ptr deref in btintel_read_version

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master

diff --git a/drivers/bluetooth/btintel.c b/drivers/bluetooth/btintel.c
index cdc5c08824a0..e5b043d96207 100644
--- a/drivers/bluetooth/btintel.c
+++ b/drivers/bluetooth/btintel.c
@@ -435,7 +435,7 @@ int btintel_read_version(struct hci_dev *hdev, struct intel_version *ver)
 	struct sk_buff *skb;
 
 	skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_CMD_TIMEOUT);
-	if (IS_ERR(skb)) {
+	if (IS_ERR_OR_NULL(skb)) {
 		bt_dev_err(hdev, "Reading Intel version information failed (%ld)",
 			   PTR_ERR(skb));
 		return PTR_ERR(skb);

Re: [syzbot] [bluetooth?] general protection fault in btintel_read_version

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+830d9e3fa61968246abd@syzkaller.appspotmail.com

Tested on:

commit:         943b9f0a Add linux-next specific files for 20240117
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=10fab583e80000
kernel config:  https://syzkaller.appspot.com/x/.config?x=12af1d067b6a6d19
dashboard link: https://syzkaller.appspot.com/bug?extid=830d9e3fa61968246abd
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=132f7913e80000

Note: testing is done by a robot and is best-effort only.

[PATCH next] bluetooth/btintel: fix null ptr deref in btintel_read_version

[Edward Adam Davis]

If hci_cmd_sync_complete() is triggered and skb is NULL, then hdev->req_skb is NULL,
which will cause this issue.

Reported-and-tested-by: syzbot+830d9e3fa61968246abd@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
 drivers/bluetooth/btintel.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/bluetooth/btintel.c b/drivers/bluetooth/btintel.c
index cdc5c08824a0..e5b043d96207 100644
--- a/drivers/bluetooth/btintel.c
+++ b/drivers/bluetooth/btintel.c
@@ -435,7 +435,7 @@ int btintel_read_version(struct hci_dev *hdev, struct intel_version *ver)
 	struct sk_buff *skb;
 
 	skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_CMD_TIMEOUT);
-	if (IS_ERR(skb)) {
+	if (IS_ERR_OR_NULL(skb)) {
 		bt_dev_err(hdev, "Reading Intel version information failed (%ld)",
 			   PTR_ERR(skb));
 		return PTR_ERR(skb);
-- 
2.43.0

RE: [next] bluetooth/btintel: fix null ptr deref in btintel_read_version

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 3236 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=817714

---Test result---

Test Summary:
CheckPatch                    FAIL      0.93 seconds
GitLint                       FAIL      0.92 seconds
SubjectPrefix                 FAIL      0.35 seconds
BuildKernel                   PASS      27.62 seconds
CheckAllWarning               PASS      30.64 seconds
CheckSparse                   PASS      35.85 seconds
CheckSmatch                   PASS      98.80 seconds
BuildKernel32                 PASS      27.17 seconds
TestRunnerSetup               PASS      434.34 seconds
TestRunner_l2cap-tester       PASS      22.86 seconds
TestRunner_iso-tester         PASS      47.19 seconds
TestRunner_bnep-tester        PASS      6.79 seconds
TestRunner_mgmt-tester        PASS      155.13 seconds
TestRunner_rfcomm-tester      PASS      10.67 seconds
TestRunner_sco-tester         PASS      14.34 seconds
TestRunner_ioctl-tester       PASS      12.04 seconds
TestRunner_mesh-tester        PASS      8.75 seconds
TestRunner_smp-tester         PASS      9.62 seconds
TestRunner_userchan-tester    PASS      8.21 seconds
IncrementalBuild              PASS      25.88 seconds

Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
[next] bluetooth/btintel: fix null ptr deref in btintel_read_version
WARNING: Prefer a maximum 75 chars per line (possible unwrapped commit description?)
#83: 
If hci_cmd_sync_complete() is triggered and skb is NULL, then hdev->req_skb is NULL,

WARNING: Reported-by: should be immediately followed by Closes: with a URL to the report
#86: 
Reported-and-tested-by: syzbot+830d9e3fa61968246abd@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>

total: 0 errors, 2 warnings, 8 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

/github/workspace/src/src/13522361.patch has style problems, please review.

NOTE: Ignored message types: UNKNOWN_COMMIT_ID

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.


##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
[next] bluetooth/btintel: fix null ptr deref in btintel_read_version

WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
3: B1 Line exceeds max length (84>80): "If hci_cmd_sync_complete() is triggered and skb is NULL, then hdev->req_skb is NULL,"
##############################
Test: SubjectPrefix - FAIL
Desc: Check subject contains "Bluetooth" prefix
Output:
"Bluetooth: " prefix is not specified in the subject


---
Regards,
Linux Bluetooth

Re: [PATCH next] bluetooth/btintel: fix null ptr deref in btintel_read_version

[patchwork-bot+bluetooth]

Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Thu, 18 Jan 2024 12:40:34 +0800 you wrote:
> If hci_cmd_sync_complete() is triggered and skb is NULL, then hdev->req_skb is NULL,
> which will cause this issue.
> 
> Reported-and-tested-by: syzbot+830d9e3fa61968246abd@syzkaller.appspotmail.com
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> ---
>  drivers/bluetooth/btintel.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Here is the summary with links:
  - [next] bluetooth/btintel: fix null ptr deref in btintel_read_version
    https://git.kernel.org/bluetooth/bluetooth-next/c/693a94db9e8c

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html