* [Linux-kernel-mentees] [PATCH] net: bluetooth: Fix null pointer dereference in hci_event_packet()
@ 2020-09-10 4:34 Anmol Karn
2020-09-10 5:06 ` Eric Biggers
2020-09-10 10:49 ` Dan Carpenter
0 siblings, 2 replies; 12+ messages in thread
From: Anmol Karn @ 2020-09-10 4:34 UTC (permalink / raw)
To: marcel, johan.hedberg
Cc: netdev, syzbot+0bef568258653cff272f, syzkaller-bugs,
linux-kernel, linux-bluetooth, kuba, linux-kernel-mentees, davem
Prevent hci_phy_link_complete_evt() from dereferencing 'hcon->amp_mgr'
as NULL. Fix it by adding a pointer check for it.
Reported-and-tested-by: syzbot+0bef568258653cff272f@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=0bef568258653cff272f
Signed-off-by: Anmol Karn <anmol.karan123@gmail.com>
---
net/bluetooth/hci_event.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 4b7fc430793c..871e16804433 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -4936,6 +4936,11 @@ static void hci_phy_link_complete_evt(struct hci_dev *hdev,
return;
}
+ if (IS_ERR_OR_NULL(hcon->amp_mgr)) {
+ hci_dev_unlock(hdev);
+ return;
+ }
+
if (ev->status) {
hci_conn_del(hcon);
hci_dev_unlock(hdev);
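Review bot: `IS_ERR_OR_NULL(hcon->amp_mgr)` also tests for an ERR_PTR value, which amp_mgr never holds (as the later review in this thread confirms); a plain `if (!hcon->amp_mgr)` states the real condition. The new early return also leaves `hcon` in place, whereas the `ev->status` path directly below calls `hci_conn_del(hcon)` before `hci_dev_unlock(hdev)`; the commit message should say why the connection is kept on this path, explain how amp_mgr can be NULL when a physical-link-complete event arrives, and carry a Fixes: tag naming the commit that introduced the dereference.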
--
2.28.0
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees
* Re: [Linux-kernel-mentees] [PATCH] net: bluetooth: Fix null pointer dereference in hci_event_packet()
2020-09-10 4:34 [Linux-kernel-mentees] [PATCH] net: bluetooth: Fix null pointer dereference in hci_event_packet() Anmol Karn
@ 2020-09-10 5:06 ` Eric Biggers
2020-09-10 6:02 ` Anmol Karn
2020-09-10 10:49 ` Dan Carpenter
1 sibling, 1 reply; 12+ messages in thread
From: Eric Biggers @ 2020-09-10 5:06 UTC (permalink / raw)
To: Anmol Karn
Cc: syzbot+0bef568258653cff272f, johan.hedberg, netdev, marcel,
syzkaller-bugs, linux-kernel, linux-bluetooth, kuba,
linux-kernel-mentees, davem
On Thu, Sep 10, 2020 at 10:04:24AM +0530, Anmol Karn wrote:
> Prevent hci_phy_link_complete_evt() from dereferencing 'hcon->amp_mgr'
> as NULL. Fix it by adding pointer check for it.
>
> Reported-and-tested-by: syzbot+0bef568258653cff272f@syzkaller.appspotmail.com
> Link: https://syzkaller.appspot.com/bug?extid=0bef568258653cff272f
> Signed-off-by: Anmol Karn <anmol.karan123@gmail.com>
> ---
> net/bluetooth/hci_event.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
> index 4b7fc430793c..871e16804433 100644
> --- a/net/bluetooth/hci_event.c
> +++ b/net/bluetooth/hci_event.c
> @@ -4936,6 +4936,11 @@ static void hci_phy_link_complete_evt(struct hci_dev *hdev,
> return;
> }
>
> + if (IS_ERR_OR_NULL(hcon->amp_mgr)) {
> + hci_dev_unlock(hdev);
> + return;
> + }
> +
In patches that fix a NULL pointer dereference, please include a brief
explanation of why the pointer can be NULL, including what it means
semantically; and why the proposed change is the best fix for the problem.
Also, why IS_ERR_OR_NULL()?
- Eric
* Re: [Linux-kernel-mentees] [PATCH] net: bluetooth: Fix null pointer dereference in hci_event_packet()
2020-09-10 5:06 ` Eric Biggers
@ 2020-09-10 6:02 ` Anmol Karn
0 siblings, 0 replies; 12+ messages in thread
From: Anmol Karn @ 2020-09-10 6:02 UTC (permalink / raw)
To: Eric Biggers
Cc: syzbot+0bef568258653cff272f, johan.hedberg, netdev, marcel,
syzkaller-bugs, linux-kernel, linux-bluetooth, kuba,
linux-kernel-mentees, davem
On Wed, Sep 09, 2020 at 10:06:59PM -0700, Eric Biggers wrote:
> On Thu, Sep 10, 2020 at 10:04:24AM +0530, Anmol Karn wrote:
> > Prevent hci_phy_link_complete_evt() from dereferencing 'hcon->amp_mgr'
> > as NULL. Fix it by adding pointer check for it.
> >
> > Reported-and-tested-by: syzbot+0bef568258653cff272f@syzkaller.appspotmail.com
> > Link: https://syzkaller.appspot.com/bug?extid=0bef568258653cff272f
> > Signed-off-by: Anmol Karn <anmol.karan123@gmail.com>
> > ---
> > net/bluetooth/hci_event.c | 5 +++++
> > 1 file changed, 5 insertions(+)
> >
> > diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
> > index 4b7fc430793c..871e16804433 100644
> > --- a/net/bluetooth/hci_event.c
> > +++ b/net/bluetooth/hci_event.c
> > @@ -4936,6 +4936,11 @@ static void hci_phy_link_complete_evt(struct hci_dev *hdev,
> > return;
> > }
> >
> > + if (IS_ERR_OR_NULL(hcon->amp_mgr)) {
> > + hci_dev_unlock(hdev);
> > + return;
> > + }
> > +
>
Hello Sir,
> In patches that fix a NULL pointer dereference, please include a brief
> explanation of why the pointer can be NULL, including what it means
> semantically; and why the proposed change is the best fix for the problem.
>
I will surely add more explanation in v2.
> Also, why IS_ERR_OR_NULL()?
>
I used IS_ERR_OR_NULL() to check whether 'hcon->amp_mgr' is a valid pointer or not,
and to unregister the 'hcon' and signal an error, but I will make changes in v2 with only
the NULL check included, if you think it's incorrect to use an IS_ERR check here along with
NULL.
Thanks,
Anmol Karn
* Re: [Linux-kernel-mentees] [PATCH] net: bluetooth: Fix null pointer dereference in hci_event_packet()
2020-09-10 4:34 [Linux-kernel-mentees] [PATCH] net: bluetooth: Fix null pointer dereference in hci_event_packet() Anmol Karn
2020-09-10 5:06 ` Eric Biggers
@ 2020-09-10 10:49 ` Dan Carpenter
2020-09-10 14:58 ` Anmol Karn
2020-09-12 9:10 ` Anmol Karn
1 sibling, 2 replies; 12+ messages in thread
From: Dan Carpenter @ 2020-09-10 10:49 UTC (permalink / raw)
To: Anmol Karn
Cc: syzbot+0bef568258653cff272f, johan.hedberg, netdev, marcel,
syzkaller-bugs, linux-kernel, linux-bluetooth, kuba,
linux-kernel-mentees, davem
On Thu, Sep 10, 2020 at 10:04:24AM +0530, Anmol Karn wrote:
> Prevent hci_phy_link_complete_evt() from dereferencing 'hcon->amp_mgr'
> as NULL. Fix it by adding pointer check for it.
>
> Reported-and-tested-by: syzbot+0bef568258653cff272f@syzkaller.appspotmail.com
> Link: https://syzkaller.appspot.com/bug?extid=0bef568258653cff272f
> Signed-off-by: Anmol Karn <anmol.karan123@gmail.com>
> ---
> net/bluetooth/hci_event.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
> index 4b7fc430793c..871e16804433 100644
> --- a/net/bluetooth/hci_event.c
> +++ b/net/bluetooth/hci_event.c
> @@ -4936,6 +4936,11 @@ static void hci_phy_link_complete_evt(struct hci_dev *hdev,
> return;
> }
>
> + if (IS_ERR_OR_NULL(hcon->amp_mgr)) {
It can't be an error pointer. Shouldn't we call hci_conn_del() on this
path? Try to find the Fixes tag to explain how this bug was introduced.
(Don't rush to send a v2. The patch requires quite a bit more digging
and detective work before it is ready).
> + hci_dev_unlock(hdev);
> + return;
> + }
> +
> if (ev->status) {
> hci_conn_del(hcon);
> hci_dev_unlock(hdev);
regards,
dan carpenter
* Re: [Linux-kernel-mentees] [PATCH] net: bluetooth: Fix null pointer dereference in hci_event_packet()
2020-09-10 10:49 ` Dan Carpenter
@ 2020-09-10 14:58 ` Anmol Karn
2020-09-12 9:10 ` Anmol Karn
1 sibling, 0 replies; 12+ messages in thread
From: Anmol Karn @ 2020-09-10 14:58 UTC (permalink / raw)
To: Dan Carpenter
Cc: syzbot+0bef568258653cff272f, johan.hedberg, netdev, marcel,
syzkaller-bugs, linux-kernel, linux-bluetooth, kuba,
linux-kernel-mentees, davem
On Thu, Sep 10, 2020 at 01:49:18PM +0300, Dan Carpenter wrote:
> On Thu, Sep 10, 2020 at 10:04:24AM +0530, Anmol Karn wrote:
> > Prevent hci_phy_link_complete_evt() from dereferencing 'hcon->amp_mgr'
> > as NULL. Fix it by adding pointer check for it.
> >
> > Reported-and-tested-by: syzbot+0bef568258653cff272f@syzkaller.appspotmail.com
> > Link: https://syzkaller.appspot.com/bug?extid=0bef568258653cff272f
> > Signed-off-by: Anmol Karn <anmol.karan123@gmail.com>
> > ---
> > net/bluetooth/hci_event.c | 5 +++++
> > 1 file changed, 5 insertions(+)
> >
> > diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
> > index 4b7fc430793c..871e16804433 100644
> > --- a/net/bluetooth/hci_event.c
> > +++ b/net/bluetooth/hci_event.c
> > @@ -4936,6 +4936,11 @@ static void hci_phy_link_complete_evt(struct hci_dev *hdev,
> > return;
> > }
> >
> > + if (IS_ERR_OR_NULL(hcon->amp_mgr)) {
>
> It can't be an error pointer. Shouldn't we call hci_conn_del() on this
> path? Try to find the Fixes tag to explain how this bug was introduced.
>
> (Don't rush to send a v2. The patch requires quite a bit more digging
> and detective work before it is ready).
>
> > + hci_dev_unlock(hdev);
> > + return;
> > + }
> > +
> > if (ev->status) {
> > hci_conn_del(hcon);
> > hci_dev_unlock(hdev);
>
> regards,
> dan carpenter
>
Sure sir, will work on it, thanks for your review.
Anmol Karn
* Re: [Linux-kernel-mentees] [PATCH] net: bluetooth: Fix null pointer dereference in hci_event_packet()
2020-09-10 10:49 ` Dan Carpenter
2020-09-10 14:58 ` Anmol Karn
@ 2020-09-12 9:10 ` Anmol Karn
2020-09-14 15:44 ` Dan Carpenter
1 sibling, 1 reply; 12+ messages in thread
From: Anmol Karn @ 2020-09-12 9:10 UTC (permalink / raw)
To: Dan Carpenter
Cc: syzbot+0bef568258653cff272f, johan.hedberg, netdev, marcel,
syzkaller-bugs, linux-kernel, linux-bluetooth, kuba,
linux-kernel-mentees, davem
On Thu, Sep 10, 2020 at 01:49:18PM +0300, Dan Carpenter wrote:
> On Thu, Sep 10, 2020 at 10:04:24AM +0530, Anmol Karn wrote:
> > Prevent hci_phy_link_complete_evt() from dereferencing 'hcon->amp_mgr'
> > as NULL. Fix it by adding pointer check for it.
> >
> > Reported-and-tested-by: syzbot+0bef568258653cff272f@syzkaller.appspotmail.com
> > Link: https://syzkaller.appspot.com/bug?extid=0bef568258653cff272f
> > Signed-off-by: Anmol Karn <anmol.karan123@gmail.com>
> > ---
> > net/bluetooth/hci_event.c | 5 +++++
> > 1 file changed, 5 insertions(+)
> >
> > diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
> > index 4b7fc430793c..871e16804433 100644
> > --- a/net/bluetooth/hci_event.c
> > +++ b/net/bluetooth/hci_event.c
> > @@ -4936,6 +4936,11 @@ static void hci_phy_link_complete_evt(struct hci_dev *hdev,
> > return;
> > }
> >
> > + if (IS_ERR_OR_NULL(hcon->amp_mgr)) {
>
> It can't be an error pointer. Shouldn't we call hci_conn_del() on this
> path? Try to find the Fixes tag to explain how this bug was introduced.
>
> (Don't rush to send a v2. The patch requires quite a bit more digging
> and detective work before it is ready).
>
> > + hci_dev_unlock(hdev);
> > + return;
> > + }
> > +
> > if (ev->status) {
> > hci_conn_del(hcon);
> > hci_dev_unlock(hdev);
>
> regards,
> dan carpenter
>
Sir,
I need a little advice in continuing with this patch.
I have looked into the bisected logs and the problem occurs from this commit:
941992d29447 ("ethernet: amd: use IS_ENABLED() instead of checking for built-in or module")
Here is a diff of the patch which I modified from the last patch:
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 4b7fc430793c..6ce435064e0b 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -4936,6 +4936,12 @@ static void hci_phy_link_complete_evt(struct hci_dev *hdev,
return;
}
+ if (!hcon->amp_mgr) {
+ hci_conn_del(hcon);
+ hci_dev_unlock(hdev);
+ return;
+ }
+
if (ev->status) {
hci_conn_del(hcon);
hci_dev_unlock(hdev);
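Review bot: `hci_conn_del(hcon)` on the new `!hcon->amp_mgr` path tears down a connection whose physical link the controller has just reported as complete, while the existing `ev->status` branch below deletes only on failure; the commit message needs to justify that choice, or the check should mirror the earlier `!hcon` path and only unlock and return. The bisect result quoted above this hunk (941992d29447, an ethernet Kconfig change) is the commit that made the path reachable for syzbot, not the one that added this dereference, so it should not be used as the Fixes: target.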
The value of 'hcon->amp_mgr' is NULL after the hci_conn_hash_lookup_handle call,
and there are no checks there for the members of hcon, which enables
hci_phy_link_complete_evt() to dereference 'hcon->amp_mgr' as NULL.
Please suggest improvements to this patch.
Regards,
Anmol
* Re: [Linux-kernel-mentees] [PATCH] net: bluetooth: Fix null pointer dereference in hci_event_packet()
2020-09-12 9:10 ` Anmol Karn
@ 2020-09-14 15:44 ` Dan Carpenter
2020-09-14 18:37 ` Anmol Karn
2020-09-29 17:32 ` Anmol Karn
0 siblings, 2 replies; 12+ messages in thread
From: Dan Carpenter @ 2020-09-14 15:44 UTC (permalink / raw)
To: Anmol Karn
Cc: syzbot+0bef568258653cff272f, johan.hedberg, netdev, marcel,
syzkaller-bugs, linux-kernel, linux-bluetooth, kuba,
linux-kernel-mentees, davem
On Sat, Sep 12, 2020 at 02:40:28PM +0530, Anmol Karn wrote:
> On Thu, Sep 10, 2020 at 01:49:18PM +0300, Dan Carpenter wrote:
> > On Thu, Sep 10, 2020 at 10:04:24AM +0530, Anmol Karn wrote:
> > > Prevent hci_phy_link_complete_evt() from dereferencing 'hcon->amp_mgr'
> > > as NULL. Fix it by adding pointer check for it.
> > >
> > > Reported-and-tested-by: syzbot+0bef568258653cff272f@syzkaller.appspotmail.com
> > > Link: https://syzkaller.appspot.com/bug?extid=0bef568258653cff272f
> > > Signed-off-by: Anmol Karn <anmol.karan123@gmail.com>
> > > ---
> > > net/bluetooth/hci_event.c | 5 +++++
> > > 1 file changed, 5 insertions(+)
> > >
> > > diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
> > > index 4b7fc430793c..871e16804433 100644
> > > --- a/net/bluetooth/hci_event.c
> > > +++ b/net/bluetooth/hci_event.c
> > > @@ -4936,6 +4936,11 @@ static void hci_phy_link_complete_evt(struct hci_dev *hdev,
> > > return;
> > > }
> > >
> > > + if (IS_ERR_OR_NULL(hcon->amp_mgr)) {
> >
> > It can't be an error pointer. Shouldn't we call hci_conn_del() on this
> > path? Try to find the Fixes tag to explain how this bug was introduced.
> >
> > (Don't rush to send a v2. The patch requires quite a bit more digging
> > and detective work before it is ready).
> >
> > > + hci_dev_unlock(hdev);
> > > + return;
> > > + }
> > > +
> > > if (ev->status) {
> > > hci_conn_del(hcon);
> > > hci_dev_unlock(hdev);
> >
> > regards,
> > dan carpenter
> >
>
> Sir,
>
> I need little advice in continuing with this Patch,
>
> I have looked into the Bisected logs and the problem occurs from this commit:
>
> 941992d29447 ("ethernet: amd: use IS_ENABLED() instead of checking for built-in or module")
>
That's just the patch which made the code testable by syzbot. It didn't
introduce the bug.
>
> Here is a diff of patch which i modified from last patch,
>
> diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
> index 4b7fc430793c..6ce435064e0b 100644
> --- a/net/bluetooth/hci_event.c
> +++ b/net/bluetooth/hci_event.c
> @@ -4936,6 +4936,12 @@ static void hci_phy_link_complete_evt(struct hci_dev *hdev,
> return;
> }
>
> + if (!hcon->amp_mgr) {
> + hci_conn_del(hcon);
> + hci_dev_unlock(hdev);
I have no idea if calling hci_conn_del() is really the correct thing.
I don't know the code at all. Anyway, do some research and figure out
for sure what the correct thing is.
Also look for similar bugs in other places where hcon->amp_mgr is
dereferenced. For example, amp_read_loc_assoc_final_data() seems to
have a similar bug.
regards,
dan carpenter
* Re: [Linux-kernel-mentees] [PATCH] net: bluetooth: Fix null pointer dereference in hci_event_packet()
2020-09-14 15:44 ` Dan Carpenter
@ 2020-09-14 18:37 ` Anmol Karn
2020-09-29 17:32 ` Anmol Karn
1 sibling, 0 replies; 12+ messages in thread
From: Anmol Karn @ 2020-09-14 18:37 UTC (permalink / raw)
To: Dan Carpenter
Cc: syzbot+0bef568258653cff272f, johan.hedberg, netdev, marcel,
syzkaller-bugs, linux-kernel, linux-bluetooth, kuba,
linux-kernel-mentees, davem
Hello Sir,
> > I have looked into the Bisected logs and the problem occurs from this commit:
> >
> > 941992d29447 ("ethernet: amd: use IS_ENABLED() instead of checking for built-in or module")
> >
>
> That's just the patch which made the code testable by syzbot. It didn't
> introduce the bug.
>
> >
> > Here is a diff of patch which i modified from last patch,
> >
> > diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
> > index 4b7fc430793c..6ce435064e0b 100644
> > --- a/net/bluetooth/hci_event.c
> > +++ b/net/bluetooth/hci_event.c
> > @@ -4936,6 +4936,12 @@ static void hci_phy_link_complete_evt(struct hci_dev *hdev,
> > return;
> > }
> >
> > + if (!hcon->amp_mgr) {
> > + hci_conn_del(hcon);
> > + hci_dev_unlock(hdev);
>
> I have no idea if calling hci_conn_del() is really the correct, thing.
> I don't know the code at all. Anyway, do some research and figure out
> for sure what the correct thing is.
I have created my patch on the basis of the condition handling already applied
in this function, i.e., whenever a NULL dereference occurs, connection cleanup is
required; hence hci_conn_del() is used here. Will see if anything else could be
done.
>
> Also look for similar bugs in other places where hcon->amp_mgr is
> dereferenced. For example, amp_read_loc_assoc_final_data() seems to
> have a similar bug.
>
Sure sir will look into it.
> regards,
> dan carpenter
>
Thanks,
Anmol
* [Linux-kernel-mentees] [PATCH] net: bluetooth: Fix null pointer dereference in hci_event_packet()
2020-09-14 15:44 ` Dan Carpenter
2020-09-14 18:37 ` Anmol Karn
@ 2020-09-29 17:32 ` Anmol Karn
2020-09-30 14:18 ` Anmol Karn
1 sibling, 1 reply; 12+ messages in thread
From: Anmol Karn @ 2020-09-29 17:32 UTC (permalink / raw)
To: marcel, johan.hedberg
Cc: netdev, syzbot+0bef568258653cff272f, syzkaller-bugs,
linux-kernel, linux-bluetooth, kuba, linux-kernel-mentees, davem
AMP_MGR is getting dereferenced in hci_phy_link_complete_evt(), when called from hci_event_packet(), and there is a possibility that hcon->amp_mgr may not be found when accessing it after initialization of hcon.
- net/bluetooth/hci_event.c:4945
The bug seems to get triggered in this line:
bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;
Fix it by adding a NULL check for the hcon->amp_mgr before checking the ev-status.
Fixes: d5e911928bd8 ("Bluetooth: AMP: Process Physical Link Complete evt")
Reported-and-tested-by: syzbot+0bef568258653cff272f@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=0bef568258653cff272f
Signed-off-by: Anmol Karn <anmol.karan123@gmail.com>
---
Change in v2:
- Replaced IS_ERR_OR_NULL check with NULL check only (Suggested by: Dan Carpenter <dan.carpenter@oracle.com>)
- Added "Fixes:" tag (Suggested by: Dan Carpenter <dan.carpenter@oracle.com>)
net/bluetooth/hci_event.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 4b7fc430793c..b084142c578e 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -4936,6 +4936,11 @@ static void hci_phy_link_complete_evt(struct hci_dev *hdev,
return;
}
+ if (!hcon->amp_mgr) {
+ hci_dev_unlock(hdev);
+ return 0;
+ }
+
if (ev->status) {
hci_conn_del(hcon);
hci_dev_unlock(hdev);
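Review bot: `return 0;` in the new `!hcon->amp_mgr` block returns a value from a function the hunk header shows as `static void hci_phy_link_complete_evt(...)`, which will not build cleanly; it should be a bare `return;` like the existing early-return path two lines above it.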
--
2.28.0
* [Linux-kernel-mentees] [PATCH] net: bluetooth: Fix null pointer dereference in hci_event_packet()
2020-09-29 17:32 ` Anmol Karn
@ 2020-09-30 14:18 ` Anmol Karn
2020-10-01 7:06 ` Marcel Holtmann
0 siblings, 1 reply; 12+ messages in thread
From: Anmol Karn @ 2020-09-30 14:18 UTC (permalink / raw)
To: marcel, johan.hedberg
Cc: netdev, syzbot+0bef568258653cff272f, syzkaller-bugs,
linux-kernel, linux-bluetooth, kuba, linux-kernel-mentees, davem
AMP_MGR is getting dereferenced in hci_phy_link_complete_evt(), when called from hci_event_packet(), and there is a possibility that hcon->amp_mgr may not be found when accessing it after initialization of hcon.
- net/bluetooth/hci_event.c:4945
The bug seems to get triggered in this line:
bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;
Fix it by adding a NULL check for the hcon->amp_mgr before checking the ev-status.
Fixes: d5e911928bd8 ("Bluetooth: AMP: Process Physical Link Complete evt")
Reported-and-tested-by: syzbot+0bef568258653cff272f@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=0bef568258653cff272f
Signed-off-by: Anmol Karn <anmol.karan123@gmail.com>
---
Change in v3:
- changed return 0; to return; (Reported-by: kernel test robot <lkp@intel.com>)
net/bluetooth/hci_event.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 4b7fc430793c..bbe0ca42cad2 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -4936,6 +4936,11 @@ static void hci_phy_link_complete_evt(struct hci_dev *hdev,
return;
}
+ if (!hcon->amp_mgr) {
+ hci_dev_unlock(hdev);
+ return;
+ }
+
if (ev->status) {
hci_conn_del(hcon);
hci_dev_unlock(hdev);
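Review bot: the guard now unlocks on every exit and precedes the first use of `hcon->amp_mgr`, but the `!hcon->amp_mgr` path keeps `hcon` in the connection hash while the `ev->status` path below calls `hci_conn_del(hcon)`; since an earlier revision in this thread deleted the connection on the same path, the commit message should state that keeping it is intentional and what happens to that connection afterwards.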
--
2.28.0
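To show the invariant the merged patch restores, here is a user-space model of the event handler as an added example; it is not code from the thread or from the kernel, and the structures, the `lock_depth` counter, the `plc_result` return codes and the `make_fixture()` data are all constructed for the example (the real `hci_phy_link_complete_evt()` is void and works on the kernel's own types). It checks `hcon->amp_mgr` before the `ev->status` test and before the `hcon->amp_mgr->l2cap_conn->hcon` dereference named in the commit message, pairs every early return with `hci_dev_unlock()`, and leaves the connection in place on the no-AMP-manager path exactly as v3 does.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel structures named in the thread; the
 * field names follow the patch, the layouts are this example's own. */
struct hci_conn;
struct l2cap_conn { struct hci_conn *hcon; };
struct amp_mgr { struct l2cap_conn *l2cap_conn; };
struct hci_conn {
	uint8_t handle;
	struct amp_mgr *amp_mgr;   /* stays NULL when no AMP manager was ever attached */
	int deleted;
};
struct hci_dev {
	struct hci_conn *conns[4]; /* stand-in for the connection hash */
	int lock_depth;            /* +1 per hci_dev_lock(), -1 per hci_dev_unlock() */
};
struct hci_ev_phy_link_complete { uint8_t status; uint8_t phy_handle; };

static void hci_dev_lock(struct hci_dev *hdev)   { hdev->lock_depth++; }
static void hci_dev_unlock(struct hci_dev *hdev) { hdev->lock_depth--; }
static void hci_conn_del(struct hci_conn *hcon)  { hcon->deleted = 1; }

static struct hci_conn *hci_conn_hash_lookup_handle(struct hci_dev *hdev, uint8_t handle)
{
	for (size_t i = 0; i < sizeof(hdev->conns) / sizeof(hdev->conns[0]); i++)
		if (hdev->conns[i] && hdev->conns[i]->handle == handle)
			return hdev->conns[i];
	return NULL;
}

/* Which path the handler took. The kernel function is void; the return value
 * exists only so the outcome can be checked from outside. */
enum plc_result { PLC_NO_CONN, PLC_NO_AMP_MGR, PLC_STATUS_ERROR, PLC_LINKED };

static enum plc_result hci_phy_link_complete_evt(struct hci_dev *hdev,
						 const struct hci_ev_phy_link_complete *ev,
						 struct hci_conn **bredr_out)
{
	struct hci_conn *hcon, *bredr_hcon;

	hci_dev_lock(hdev);

	hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
	if (!hcon) {
		hci_dev_unlock(hdev);
		return PLC_NO_CONN;
	}

	/* The merged fix: unlock and bail out before anything touches
	 * hcon->amp_mgr. The connection itself is left in place, as in v3. */
	if (!hcon->amp_mgr) {
		hci_dev_unlock(hdev);
		return PLC_NO_AMP_MGR;
	}

	if (ev->status) {
		hci_conn_del(hcon);
		hci_dev_unlock(hdev);
		return PLC_STATUS_ERROR;
	}

	/* The line the syzbot report pointed at; safe once amp_mgr is known non-NULL. */
	bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;
	if (bredr_out)
		*bredr_out = bredr_hcon;

	hci_dev_unlock(hdev);
	return PLC_LINKED;
}

/* Constructed fixture: handle 1 has no AMP manager (the syzbot case), handle 2
 * has one whose L2CAP link points back at a BR/EDR connection with handle 9. */
static struct hci_dev *make_fixture(void)
{
	static struct hci_conn bredr = { .handle = 9 };
	static struct l2cap_conn l2 = { .hcon = &bredr };
	static struct amp_mgr mgr = { .l2cap_conn = &l2 };
	static struct hci_conn no_mgr = { .handle = 1, .amp_mgr = NULL };
	static struct hci_conn with_mgr = { .handle = 2, .amp_mgr = &mgr };
	static struct hci_dev hdev;

	no_mgr.deleted = with_mgr.deleted = 0;
	hdev.conns[0] = &no_mgr;
	hdev.conns[1] = &with_mgr;
	hdev.conns[2] = hdev.conns[3] = NULL;
	hdev.lock_depth = 0;
	return &hdev;
}

int main(void)
{
	struct hci_dev *hdev = make_fixture();
	struct hci_ev_phy_link_complete ev = { .status = 0, .phy_handle = 1 };
	struct hci_conn *bredr = NULL;

	printf("handle 1 (no amp_mgr): result %d, lock depth %d\n",
	       hci_phy_link_complete_evt(hdev, &ev, &bredr), hdev->lock_depth);
	ev.phy_handle = 2;
	printf("handle 2 (amp_mgr set): result %d, bredr handle %u\n",
	       hci_phy_link_complete_evt(hdev, &ev, &bredr), bredr ? bredr->handle : 0u);
	return 0;
}
```

The `lock_depth` counter is the property worth checking in a handler like this: after any event, successful or not, it must be back at zero, which is why each early return carries its own `hci_dev_unlock()`. Ordering the NULL check ahead of the `ev->status` test matters too, because the status branch only decides whether the connection is torn down; it never validates the AMP manager the later dereference depends on.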
* Re: [Linux-kernel-mentees] [PATCH] net: bluetooth: Fix null pointer dereference in hci_event_packet()
2020-09-30 14:18 ` Anmol Karn
@ 2020-10-01 7:06 ` Marcel Holtmann
2020-10-01 7:45 ` Anmol Karn
0 siblings, 1 reply; 12+ messages in thread
From: Marcel Holtmann @ 2020-10-01 7:06 UTC (permalink / raw)
To: Anmol Karn
Cc: Johan Hedberg, open list:NETWORKING [GENERAL],
syzbot+0bef568258653cff272f, syzkaller-bugs, open list,
linux-bluetooth, Jakub Kicinski, linux-kernel-mentees,
David S. Miller
Hi Anmol,
> AMP_MGR is getting dereferenced in hci_phy_link_complete_evt(), when called from hci_event_packet(), and there is a possibility that hcon->amp_mgr may not be found when accessing it after initialization of hcon.
>
> - net/bluetooth/hci_event.c:4945
> The bug seems to get triggered in this line:
>
> bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;
>
> Fix it by adding a NULL check for the hcon->amp_mgr before checking the ev-status.
>
> Fixes: d5e911928bd8 ("Bluetooth: AMP: Process Physical Link Complete evt")
> Reported-and-tested-by: syzbot+0bef568258653cff272f@syzkaller.appspotmail.com
> Link: https://syzkaller.appspot.com/bug?extid=0bef568258653cff272f
> Signed-off-by: Anmol Karn <anmol.karan123@gmail.com>
> ---
> Change in v3:
> - changed return 0; to return; (Reported-by: kernel test robot <lkp@intel.com>)
>
> net/bluetooth/hci_event.c | 5 +++++
> 1 file changed, 5 insertions(+)
patch has been applied to bluetooth-next tree.
Regards
Marcel
* Re: [Linux-kernel-mentees] [PATCH] net: bluetooth: Fix null pointer dereference in hci_event_packet()
2020-10-01 7:06 ` Marcel Holtmann
@ 2020-10-01 7:45 ` Anmol Karn
0 siblings, 0 replies; 12+ messages in thread
From: Anmol Karn @ 2020-10-01 7:45 UTC (permalink / raw)
To: Marcel Holtmann
Cc: Johan Hedberg, open list:NETWORKING [GENERAL],
syzbot+0bef568258653cff272f, syzkaller-bugs, open list,
linux-bluetooth, Jakub Kicinski, linux-kernel-mentees,
David S. Miller
On Thu, Oct 01, 2020 at 09:06:42AM +0200, Marcel Holtmann wrote:
> Hi Anmol,
>
> > AMP_MGR is getting dereferenced in hci_phy_link_complete_evt(), when called from hci_event_packet(), and there is a possibility that hcon->amp_mgr may not be found when accessing it after initialization of hcon.
> >
> > - net/bluetooth/hci_event.c:4945
> > The bug seems to get triggered in this line:
> >
> > bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;
> >
> > Fix it by adding a NULL check for the hcon->amp_mgr before checking the ev-status.
> >
> > Fixes: d5e911928bd8 ("Bluetooth: AMP: Process Physical Link Complete evt")
> > Reported-and-tested-by: syzbot+0bef568258653cff272f@syzkaller.appspotmail.com
> > Link: https://syzkaller.appspot.com/bug?extid=0bef568258653cff272f
> > Signed-off-by: Anmol Karn <anmol.karan123@gmail.com>
> > ---
> > Change in v3:
> > - changed return 0; to return; (Reported-by: kernel test robot <lkp@intel.com>)
> >
> > net/bluetooth/hci_event.c | 5 +++++
> > 1 file changed, 5 insertions(+)
>
> patch has been applied to bluetooth-next tree.
>
> Regards
>
> Marcel
>
Thank you :)
Best,
Anmol
end of thread, other threads:[~2020-10-01 7:45 UTC | newest]
2020-09-10 4:34 [Linux-kernel-mentees] [PATCH] net: bluetooth: Fix null pointer dereference in hci_event_packet() Anmol Karn
2020-09-10 5:06 ` Eric Biggers
2020-09-10 6:02 ` Anmol Karn
2020-09-10 10:49 ` Dan Carpenter
2020-09-10 14:58 ` Anmol Karn
2020-09-12 9:10 ` Anmol Karn
2020-09-14 15:44 ` Dan Carpenter
2020-09-14 18:37 ` Anmol Karn
2020-09-29 17:32 ` Anmol Karn
2020-09-30 14:18 ` Anmol Karn
2020-10-01 7:06 ` Marcel Holtmann
2020-10-01 7:45 ` Anmol Karn