* [syzbot] [bluetooth?] general protection fault in btintel_read_version
@ 2024-01-17 12:05 syzbot
  2024-01-17 13:37 ` Edward Adam Davis
                   ` (2 more replies)
  0 siblings, 3 replies; 7+ messages in thread
From: syzbot @ 2024-01-17 12:05 UTC (permalink / raw)
  To: johan.hedberg, linux-bluetooth, linux-kernel, luiz.dentz, marcel,
	syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    943b9f0ab2cf Add linux-next specific files for 20240117
git tree:       linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=17c60debe80000
kernel config:  https://syzkaller.appspot.com/x/.config?x=12af1d067b6a6d19
dashboard link: https://syzkaller.appspot.com/bug?extid=830d9e3fa61968246abd
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1151c2a3e80000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=110f7913e80000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/9c032ce79e0f/disk-943b9f0a.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/93163e287878/vmlinux-943b9f0a.xz
kernel image: https://storage.googleapis.com/syzbot-assets/512cc2e14a4b/bzImage-943b9f0a.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+830d9e3fa61968246abd@syzkaller.appspotmail.com

general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
CPU: 0 PID: 4455 Comm: kworker/u5:1 Not tainted 6.7.0-next-20240117-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Workqueue: hci0 hci_power_on
RIP: 0010:btintel_read_version+0x65/0x1e0 drivers/bluetooth/btintel.c:444
Code: 08 c5 f9 48 81 fb 00 f0 ff ff 0f 87 9e 00 00 00 e8 c0 0d c5 f9 48 8d 7b 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e de 00 00 00 8b 6b 70 bf 0a 00
RSP: 0018:ffffc9000e057958 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff87c7146e
RDX: 000000000000000e RSI: ffffffff87c71480 RDI: 0000000000000070
RBP: ffffc9000e057a10 R08: 0000000000000007 R09: fffffffffffff000
R10: 0000000000000000 R11: 0000000000000003 R12: ffff888030f74000
R13: ffffc9000e0579f0 R14: ffff888030f74000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f27722fa1d0 CR3: 000000007ff6a000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 ag6xx_setup+0x1b0/0xc10 drivers/bluetooth/hci_ag6xx.c:169
 hci_uart_setup+0x224/0x4d0 drivers/bluetooth/hci_ldisc.c:423
 hci_dev_setup_sync net/bluetooth/hci_sync.c:4631 [inline]
 hci_dev_init_sync net/bluetooth/hci_sync.c:4699 [inline]
 hci_dev_open_sync+0x35b/0x2650 net/bluetooth/hci_sync.c:4799
 hci_dev_do_open+0x2a/0x90 net/bluetooth/hci_core.c:483
 hci_power_on+0x132/0x670 net/bluetooth/hci_core.c:1015
 process_one_work+0x8d5/0x16e0 kernel/workqueue.c:2633
 process_scheduled_works kernel/workqueue.c:2707 [inline]
 worker_thread+0x8b6/0x1290 kernel/workqueue.c:2788
 kthread+0x2c1/0x3a0 kernel/kthread.c:388
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:242
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:btintel_read_version+0x65/0x1e0 drivers/bluetooth/btintel.c:444
Code: 08 c5 f9 48 81 fb 00 f0 ff ff 0f 87 9e 00 00 00 e8 c0 0d c5 f9 48 8d 7b 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e de 00 00 00 8b 6b 70 bf 0a 00
RSP: 0018:ffffc9000e057958 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff87c7146e
RDX: 000000000000000e RSI: ffffffff87c71480 RDI: 0000000000000070
RBP: ffffc9000e057a10 R08: 0000000000000007 R09: fffffffffffff000
R10: 0000000000000000 R11: 0000000000000003 R12: ffff888030f74000
R13: ffffc9000e0579f0 R14: ffff888030f74000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f27722fa1d0 CR3: 000000007ff6a000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	08 c5                	or     %al,%ch
   2:	f9                   	stc
   3:	48 81 fb 00 f0 ff ff 	cmp    $0xfffffffffffff000,%rbx
   a:	0f 87 9e 00 00 00    	ja     0xae
  10:	e8 c0 0d c5 f9       	call   0xf9c50dd5
  15:	48 8d 7b 70          	lea    0x70(%rbx),%rdi
  19:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  20:	fc ff df
  23:	48 89 fa             	mov    %rdi,%rdx
  26:	48 c1 ea 03          	shr    $0x3,%rdx
* 2a:	0f b6 04 02          	movzbl (%rdx,%rax,1),%eax <-- trapping instruction
  2e:	84 c0                	test   %al,%al
  30:	74 08                	je     0x3a
  32:	3c 03                	cmp    $0x3,%al
  34:	0f 8e de 00 00 00    	jle    0x118
  3a:	8b 6b 70             	mov    0x70(%rbx),%ebp
  3d:	bf                   	.byte 0xbf
  3e:	0a 00                	or     (%rax),%al


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup
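
The first two lines of the oops above are worth decoding by hand once: the "non-canonical address" 0xdffffc000000000e is not the address the driver touched, it is the KASAN shadow byte for it, and the "null-ptr-deref in range [0x70-0x77]" line is the kernel translating that shadow address back. The program below is an added example (mine, not part of the syzbot report or the kernel tree) that performs the same translation over the banner line from this report. It assumes x86-64 generic KASAN with shadow = (addr >> 3) + 0xdffffc0000000000, which is exactly the shift and constant visible in the report's disassembly (movabs $0xdffffc0000000000,%rax; shr $0x3,%rdx; movzbl (%rdx,%rax,1)), and one shadow byte per 8-byte granule; the function and struct names are my own.

```c
/*
 * Added example, not code from the syzbot report or the kernel tree.
 * Decode the "non-canonical address" of an x86-64 KASAN general protection
 * fault back to the address the kernel actually tried to access.
 *
 * Assumptions: x86-64 generic KASAN, shadow = (addr >> 3) + 0xdffffc0000000000
 * (the shift and constant in the report's disassembly), 8-byte granules.
 * kasan_decode / decode_gpf_line / kasan_shadow_to_mem are hypothetical names.
 */
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL
#define KASAN_SHADOW_SCALE_SHIFT 3
#define KASAN_GRANULE_SIZE       (1ULL << KASAN_SHADOW_SCALE_SHIFT)
#define NULL_PAGE_SIZE           0x1000ULL   /* page 0 is never mapped */

struct kasan_decode {
    bool     valid;        /* false: not a KASAN-style GPF banner */
    uint64_t shadow;       /* shadow byte address the CPU faulted on */
    uint64_t range_start;  /* first address covered by that shadow byte */
    uint64_t range_end;    /* last address covered by that shadow byte */
    bool     null_page;    /* access was NULL + small offset */
};

/* Forward mapping, as the instrumented load computes it. */
static uint64_t kasan_mem_to_shadow(uint64_t addr)
{
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* Inverse mapping: one shadow byte covers one 8-byte granule. */
static uint64_t kasan_shadow_to_mem(uint64_t shadow)
{
    return (shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
}

/*
 * Parse "general protection fault, probably for non-canonical address 0x...".
 * Only addresses inside the shadow region are decoded; anything else is
 * reported as not valid instead of being guessed at.
 */
static struct kasan_decode decode_gpf_line(const char *line)
{
    static const char key[] = "non-canonical address ";
    struct kasan_decode d = { 0 };
    const char *p = strstr(line, key);
    const char *start;
    char *end;

    if (!p)
        return d;
    start = p + sizeof(key) - 1;
    d.shadow = strtoull(start, &end, 16);      /* base 16 accepts the 0x prefix */
    if (end == start || d.shadow < KASAN_SHADOW_OFFSET ||
        ((d.shadow - KASAN_SHADOW_OFFSET) >> 61) != 0)
        return d;                              /* outside the shadow region */

    d.range_start = kasan_shadow_to_mem(d.shadow);
    d.range_end   = d.range_start + KASAN_GRANULE_SIZE - 1;
    d.null_page   = d.range_end < NULL_PAGE_SIZE;
    d.valid       = true;
    return d;
}

int main(void)
{
    /* Constructed input: the banner line and RBX/RDI from the report above. */
    const char *banner = "general protection fault, probably for non-canonical "
                         "address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN PTI";
    struct kasan_decode d = decode_gpf_line(banner);
    uint64_t rbx = 0x0, rdi = 0x70;

    if (!d.valid) {
        puts("not a KASAN GPF banner");
        return 1;
    }
    printf("shadow 0x%" PRIx64 " -> access range [0x%" PRIx64 "-0x%" PRIx64 "]%s\n",
           d.shadow, d.range_start, d.range_end,
           d.null_page ? " (null-ptr-deref)" : "");
    /* lea 0x70(%rbx),%rdi: base pointer in RBX is NULL, 0x70 is the field offset */
    printf("rbx=0x%" PRIx64 " rdi=0x%" PRIx64 " shadow(rdi)=0x%" PRIx64 "\n",
           rbx, rdi, kasan_mem_to_shadow(rdi));
    return 0;
}
```

The decoded range [0x70-0x77] is the second line of the report, and the register dump closes the loop: RBX is 0, RDI is 0x70, so the instrumented `lea 0x70(%rbx),%rdi` formed NULL plus a field offset and the 4-byte load that follows the check (`mov 0x70(%rbx),%ebp`) would have dereferenced a NULL structure pointer. This is the same arithmetic the kernel's KASAN non-canonical-address hook applies to print that "null-ptr-deref in range" line.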


* Re: [syzbot] [bluetooth?] general protection fault in btintel_read_version
  2024-01-17 12:05 [syzbot] [bluetooth?] general protection fault in btintel_read_version syzbot
@ 2024-01-17 13:37 ` Edward Adam Davis
  2024-01-17 15:45   ` syzbot
  2024-01-17 22:53 ` Edward Adam Davis
  2024-01-18  4:40 ` [PATCH next] bluetooth/btintel: fix null ptr deref " Edward Adam Davis
  2 siblings, 1 reply; 7+ messages in thread
From: Edward Adam Davis @ 2024-01-17 13:37 UTC (permalink / raw)
  To: syzbot+830d9e3fa61968246abd; +Cc: linux-kernel, syzkaller-bugs

please test null ptr deref in btintel_read_version

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 943b9f0ab2cf

diff --git a/drivers/bluetooth/btintel.c b/drivers/bluetooth/btintel.c
index cdc5c08824a0..e5b043d96207 100644
--- a/drivers/bluetooth/btintel.c
+++ b/drivers/bluetooth/btintel.c
@@ -435,7 +435,7 @@ int btintel_read_version(struct hci_dev *hdev, struct intel_version *ver)
 	struct sk_buff *skb;
 
 	skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_CMD_TIMEOUT);
-	if (IS_ERR(skb)) {
+	if (IS_ERR_OR_NULL(skb)) {
 		bt_dev_err(hdev, "Reading Intel version information failed (%ld)",
 			   PTR_ERR(skb));
 		return PTR_ERR(skb);



* Re: [syzbot] [bluetooth?] general protection fault in btintel_read_version
  2024-01-17 13:37 ` Edward Adam Davis
@ 2024-01-17 15:45   ` syzbot
  0 siblings, 0 replies; 7+ messages in thread
From: syzbot @ 2024-01-17 15:45 UTC (permalink / raw)
  To: eadavis, linux-kernel, syzkaller-bugs

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to checkout kernel repo https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git on commit 943b9f0ab2cf: failed to run ["git" "fetch" "--force" "--tags" "fc608f7504e8b3e110eb6e7b798cef357818c5e1" "943b9f0ab2cf"]: exit status 128
fatal: couldn't find remote ref 943b9f0ab2cf



Tested on:

commit:         [unknown 
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 943b9f0ab2cf
kernel config:  https://syzkaller.appspot.com/x/.config?x=12af1d067b6a6d19
dashboard link: https://syzkaller.appspot.com/bug?extid=830d9e3fa61968246abd
compiler:       
patch:          https://syzkaller.appspot.com/x/patch.diff?x=10f9e90be80000



* Re: [syzbot] [bluetooth?] general protection fault in btintel_read_version
  2024-01-17 12:05 [syzbot] [bluetooth?] general protection fault in btintel_read_version syzbot
  2024-01-17 13:37 ` Edward Adam Davis
@ 2024-01-17 22:53 ` Edward Adam Davis
  2024-01-18  1:56   ` syzbot
  2024-01-18  4:40 ` [PATCH next] bluetooth/btintel: fix null ptr deref " Edward Adam Davis
  2 siblings, 1 reply; 7+ messages in thread
From: Edward Adam Davis @ 2024-01-17 22:53 UTC (permalink / raw)
  To: syzbot+830d9e3fa61968246abd; +Cc: linux-kernel, syzkaller-bugs

please test null ptr deref in btintel_read_version

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master

diff --git a/drivers/bluetooth/btintel.c b/drivers/bluetooth/btintel.c
index cdc5c08824a0..e5b043d96207 100644
--- a/drivers/bluetooth/btintel.c
+++ b/drivers/bluetooth/btintel.c
@@ -435,7 +435,7 @@ int btintel_read_version(struct hci_dev *hdev, struct intel_version *ver)
 	struct sk_buff *skb;
 
 	skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_CMD_TIMEOUT);
-	if (IS_ERR(skb)) {
+	if (IS_ERR_OR_NULL(skb)) {
 		bt_dev_err(hdev, "Reading Intel version information failed (%ld)",
 			   PTR_ERR(skb));
 		return PTR_ERR(skb);



* Re: [syzbot] [bluetooth?] general protection fault in btintel_read_version
  2024-01-17 22:53 ` Edward Adam Davis
@ 2024-01-18  1:56   ` syzbot
  0 siblings, 0 replies; 7+ messages in thread
From: syzbot @ 2024-01-18  1:56 UTC (permalink / raw)
  To: eadavis, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+830d9e3fa61968246abd@syzkaller.appspotmail.com

Tested on:

commit:         943b9f0a Add linux-next specific files for 20240117
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=10fab583e80000
kernel config:  https://syzkaller.appspot.com/x/.config?x=12af1d067b6a6d19
dashboard link: https://syzkaller.appspot.com/bug?extid=830d9e3fa61968246abd
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=132f7913e80000

Note: testing is done by a robot and is best-effort only.


* [PATCH next] bluetooth/btintel: fix null ptr deref in btintel_read_version
  2024-01-17 12:05 [syzbot] [bluetooth?] general protection fault in btintel_read_version syzbot
  2024-01-17 13:37 ` Edward Adam Davis
  2024-01-17 22:53 ` Edward Adam Davis
@ 2024-01-18  4:40 ` Edward Adam Davis
  2024-01-25 20:50   ` patchwork-bot+bluetooth
  2 siblings, 1 reply; 7+ messages in thread
From: Edward Adam Davis @ 2024-01-18  4:40 UTC (permalink / raw)
  To: syzbot+830d9e3fa61968246abd
  Cc: johan.hedberg, linux-bluetooth, linux-kernel, luiz.dentz, marcel,
	syzkaller-bugs

If hci_cmd_sync_complete() is triggered and skb is NULL, then hdev->req_skb is NULL,
which will cause this issue.

Reported-and-tested-by: syzbot+830d9e3fa61968246abd@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
 drivers/bluetooth/btintel.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/bluetooth/btintel.c b/drivers/bluetooth/btintel.c
index cdc5c08824a0..e5b043d96207 100644
--- a/drivers/bluetooth/btintel.c
+++ b/drivers/bluetooth/btintel.c
@@ -435,7 +435,7 @@ int btintel_read_version(struct hci_dev *hdev, struct intel_version *ver)
 	struct sk_buff *skb;
 
 	skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_CMD_TIMEOUT);
-	if (IS_ERR(skb)) {
+	if (IS_ERR_OR_NULL(skb)) {
 		bt_dev_err(hdev, "Reading Intel version information failed (%ld)",
 			   PTR_ERR(skb));
 		return PTR_ERR(skb);
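Review bot: with IS_ERR_OR_NULL() now catching a NULL skb, the `return PTR_ERR(skb);` on the last line of this hunk evaluates to 0 for that case, so btintel_read_version() reports success while *ver was never written, and the bt_dev_err() above it logs "failed (0)". The caller in the trace (ag6xx_setup()) then continues with an uninitialised struct intel_version. Give the NULL case its own errno, e.g. `if (!skb) return -EIO;` ahead of the existing IS_ERR() check, or `return skb ? PTR_ERR(skb) : -EIO;`. Since the commit message traces the NULL to hci_cmd_sync_complete() leaving hdev->req_skb NULL, it is also worth asking whether __hci_cmd_sync() should map that to an error pointer itself, so every caller of __hci_cmd_sync() is covered rather than this one.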
-- 
2.43.0
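
The patch hinges on a detail of the kernel's error-pointer encoding that is easy to miss in a one-line diff: IS_ERR() is false for NULL, IS_ERR_OR_NULL() is true for it, and PTR_ERR(NULL) is 0. The program below is an added example (mine, not code from the patch, the thread or the kernel tree). It re-implements those helpers in user space with the same encoding as include/linux/err.h (errnos live in the last 4095 addresses, NULL is address 0), mocks __hci_cmd_sync() so it can return a buffer, an error pointer or NULL, and runs the patched check next to a variant that gives the NULL case its own return code. Everything below the macros is hypothetical: mock_hci_cmd_sync(), read_version_patched(), read_version_hardened(), the trimmed sk_buff and intel_version structs, the constructed reply bytes and the choice of -EIO for "no reply at all".

```c
/*
 * Added example; not code from the patch, the thread or the kernel tree.
 * Error-pointer helpers with the kernel's encoding, a mock __hci_cmd_sync()
 * and two versions of the version read: the patched one (IS_ERR_OR_NULL +
 * return PTR_ERR) and a hardened one that returns a real errno for NULL.
 * All names below the macros are hypothetical.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ERRNO          4095
#define ERR_PTR(err)       ((void *)(intptr_t)(err))
#define IS_ERR(p)          ((uintptr_t)(p) >= (uintptr_t)-MAX_ERRNO)
#define IS_ERR_OR_NULL(p)  ((p) == NULL || IS_ERR(p))
#define PTR_ERR(p)         ((long)(intptr_t)(p))

/* Trimmed stand-ins for the kernel structs; only what the example touches. */
struct sk_buff { unsigned char data[16]; unsigned int len; };
struct intel_version { uint8_t status; uint8_t hw_platform; uint8_t hw_variant; };

enum cmd_outcome { CMD_OK, CMD_TIMEOUT, CMD_NULL };

/* Mock of __hci_cmd_sync(): the three result shapes a caller has to handle. */
static struct sk_buff *mock_hci_cmd_sync(enum cmd_outcome outcome)
{
    static struct sk_buff reply = {
        .data = { 0x00, 0x37, 0x0b },            /* constructed sample reply */
        .len  = sizeof(struct intel_version),
    };
    switch (outcome) {
    case CMD_OK:      return &reply;
    case CMD_TIMEOUT: return ERR_PTR(-ETIMEDOUT);
    default:          return NULL;               /* what the syzbot run hit */
    }
}

/*
 * Shape of the patch: NULL is caught, but PTR_ERR(NULL) is 0, so the function
 * reports success without writing *ver. (The pre-patch code used plain
 * IS_ERR() here and went on to read skb->len: the oops in the report.)
 */
static int read_version_patched(enum cmd_outcome outcome, struct intel_version *ver)
{
    struct sk_buff *skb = mock_hci_cmd_sync(outcome);

    if (IS_ERR_OR_NULL(skb)) {
        fprintf(stderr, "Reading Intel version information failed (%ld)\n", PTR_ERR(skb));
        return PTR_ERR(skb);             /* 0 when skb == NULL */
    }
    if (skb->len != sizeof(*ver))
        return -EILSEQ;
    memcpy(ver, skb->data, sizeof(*ver));
    return 0;
}

/* Hardened: NULL gets a real errno, so a caller testing "rc < 0" (or "rc") bails. */
static int read_version_hardened(enum cmd_outcome outcome, struct intel_version *ver)
{
    struct sk_buff *skb = mock_hci_cmd_sync(outcome);

    if (!skb) {
        fprintf(stderr, "Reading Intel version information: no reply\n");
        return -EIO;                     /* assumption: -EIO for "no reply" */
    }
    if (IS_ERR(skb)) {
        fprintf(stderr, "Reading Intel version information failed (%ld)\n", PTR_ERR(skb));
        return PTR_ERR(skb);
    }
    if (skb->len != sizeof(*ver))
        return -EILSEQ;
    memcpy(ver, skb->data, sizeof(*ver));
    return 0;
}

/* Harness: return code of one variant for one outcome. */
static int rc_for(enum cmd_outcome outcome, bool hardened)
{
    struct intel_version ver;
    return hardened ? read_version_hardened(outcome, &ver)
                    : read_version_patched(outcome, &ver);
}

/* Harness: hw_variant after the call; 0xaa sentinel means "never written". */
static unsigned hw_variant_for(enum cmd_outcome outcome, bool hardened)
{
    struct intel_version ver;
    memset(&ver, 0xaa, sizeof(ver));
    if (hardened)
        read_version_hardened(outcome, &ver);
    else
        read_version_patched(outcome, &ver);
    return ver.hw_variant;
}

int main(void)
{
    printf("IS_ERR(NULL)=%d IS_ERR_OR_NULL(NULL)=%d PTR_ERR(NULL)=%ld\n",
           IS_ERR(NULL), IS_ERR_OR_NULL(NULL), PTR_ERR(NULL));
    printf("patched,  NULL reply: rc=%d hw_variant=0x%02x\n",
           rc_for(CMD_NULL, false), hw_variant_for(CMD_NULL, false));
    printf("hardened, NULL reply: rc=%d hw_variant=0x%02x\n",
           rc_for(CMD_NULL, true), hw_variant_for(CMD_NULL, true));
    return 0;
}
```

With the patched check, a NULL reply returns 0 and leaves the sentinel 0xaa in hw_variant, which is the silent-success path a caller cannot distinguish from a real version read; the hardened variant returns -EIO for the same input and still passes -ETIMEDOUT through unchanged for a genuine error pointer.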



* Re: [PATCH next] bluetooth/btintel: fix null ptr deref in btintel_read_version
  2024-01-18  4:40 ` [PATCH next] bluetooth/btintel: fix null ptr deref " Edward Adam Davis
@ 2024-01-25 20:50   ` patchwork-bot+bluetooth
  0 siblings, 0 replies; 7+ messages in thread
From: patchwork-bot+bluetooth @ 2024-01-25 20:50 UTC (permalink / raw)
  To: Edward Adam Davis
  Cc: syzbot+830d9e3fa61968246abd, johan.hedberg, linux-bluetooth,
	linux-kernel, luiz.dentz, marcel, syzkaller-bugs

Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Thu, 18 Jan 2024 12:40:34 +0800 you wrote:
> If hci_cmd_sync_complete() is triggered and skb is NULL, then hdev->req_skb is NULL,
> which will cause this issue.
> 
> Reported-and-tested-by: syzbot+830d9e3fa61968246abd@syzkaller.appspotmail.com
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> ---
>  drivers/bluetooth/btintel.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Here is the summary with links:
  - [next] bluetooth/btintel: fix null ptr deref in btintel_read_version
    https://git.kernel.org/bluetooth/bluetooth-next/c/693a94db9e8c

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



