Hello,
syzbot found the following issue on:
HEAD commit: 943b9f0ab2cf Add linux-next specific files for 20240117
git tree: linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=17c60debe80000
kernel config: https://syzkaller.appspot.com/x/.config?x=12af1d067b6a6d19
dashboard link: https://syzkaller.appspot.com/bug?extid=830d9e3fa61968246abd
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1151c2a3e80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=110f7913e80000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/9c032ce79e0f/disk-943b9f0a.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/93163e287878/vmlinux-943b9f0a.xz
kernel image: https://storage.googleapis.com/syzbot-assets/512cc2e14a4b/bzImage-943b9f0a.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]
general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
CPU: 0 PID: 4455 Comm: kworker/u5:1 Not tainted 6.7.0-next-20240117-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Workqueue: hci0 hci_power_on
RIP: 0010:btintel_read_version+0x65/0x1e0 drivers/bluetooth/btintel.c:444
Code: 08 c5 f9 48 81 fb 00 f0 ff ff 0f 87 9e 00 00 00 e8 c0 0d c5 f9 48 8d 7b 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e de 00 00 00 8b 6b 70 bf 0a 00
RSP: 0018:ffffc9000e057958 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff87c7146e
RDX: 000000000000000e RSI: ffffffff87c71480 RDI: 0000000000000070
RBP: ffffc9000e057a10 R08: 0000000000000007 R09: fffffffffffff000
R10: 0000000000000000 R11: 0000000000000003 R12: ffff888030f74000
R13: ffffc9000e0579f0 R14: ffff888030f74000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f27722fa1d0 CR3: 000000007ff6a000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
ag6xx_setup+0x1b0/0xc10 drivers/bluetooth/hci_ag6xx.c:169
hci_uart_setup+0x224/0x4d0 drivers/bluetooth/hci_ldisc.c:423
hci_dev_setup_sync net/bluetooth/hci_sync.c:4631 [inline]
hci_dev_init_sync net/bluetooth/hci_sync.c:4699 [inline]
hci_dev_open_sync+0x35b/0x2650 net/bluetooth/hci_sync.c:4799
hci_dev_do_open+0x2a/0x90 net/bluetooth/hci_core.c:483
hci_power_on+0x132/0x670 net/bluetooth/hci_core.c:1015
process_one_work+0x8d5/0x16e0 kernel/workqueue.c:2633
process_scheduled_works kernel/workqueue.c:2707 [inline]
worker_thread+0x8b6/0x1290 kernel/workqueue.c:2788
kthread+0x2c1/0x3a0 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:242
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:btintel_read_version+0x65/0x1e0 drivers/bluetooth/btintel.c:444
Code: 08 c5 f9 48 81 fb 00 f0 ff ff 0f 87 9e 00 00 00 e8 c0 0d c5 f9 48 8d 7b 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e de 00 00 00 8b 6b 70 bf 0a 00
RSP: 0018:ffffc9000e057958 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff87c7146e
RDX: 000000000000000e RSI: ffffffff87c71480 RDI: 0000000000000070
RBP: ffffc9000e057a10 R08: 0000000000000007 R09: fffffffffffff000
R10: 0000000000000000 R11: 0000000000000003 R12: ffff888030f74000
R13: ffffc9000e0579f0 R14: ffff888030f74000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f27722fa1d0 CR3: 000000007ff6a000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 08 c5 or %al,%ch
2: f9 stc
3: 48 81 fb 00 f0 ff ff cmp $0xfffffffffffff000,%rbx
a: 0f 87 9e 00 00 00 ja 0xae
10: e8 c0 0d c5 f9 call 0xf9c50dd5
15: 48 8d 7b 70 lea 0x70(%rbx),%rdi
19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
20: fc ff df
23: 48 89 fa mov %rdi,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 0f b6 04 02 movzbl (%rdx,%rax,1),%eax <-- trapping instruction
2e: 84 c0 test %al,%al
30: 74 08 je 0x3a
32: 3c 03 cmp $0x3,%al
34: 0f 8e de 00 00 00 jle 0x118
3a: 8b 6b 70 mov 0x70(%rbx),%ebp
3d: bf .byte 0xbf
3e: 0a 00 or (%rax),%al
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
If hci_cmd_sync_complete() is triggered and skb is NULL, then hdev->req_skb is NULL,
which will cause this issue.
Reported-and-tested-by: [email protected]
Signed-off-by: Edward Adam Davis <[email protected]>
---
drivers/bluetooth/btintel.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/bluetooth/btintel.c b/drivers/bluetooth/btintel.c
index cdc5c08824a0..e5b043d96207 100644
--- a/drivers/bluetooth/btintel.c
+++ b/drivers/bluetooth/btintel.c
@@ -435,7 +435,7 @@ int btintel_read_version(struct hci_dev *hdev, struct intel_version *ver)
struct sk_buff *skb;
skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_CMD_TIMEOUT);
- if (IS_ERR(skb)) {
+ if (IS_ERR_OR_NULL(skb)) {
bt_dev_err(hdev, "Reading Intel version information failed (%ld)",
PTR_ERR(skb));
return PTR_ERR(skb);
--
2.43.0
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=817714
---Test result---
Test Summary:
CheckPatch FAIL 0.93 seconds
GitLint FAIL 0.92 seconds
SubjectPrefix FAIL 0.35 seconds
BuildKernel PASS 27.62 seconds
CheckAllWarning PASS 30.64 seconds
CheckSparse PASS 35.85 seconds
CheckSmatch PASS 98.80 seconds
BuildKernel32 PASS 27.17 seconds
TestRunnerSetup PASS 434.34 seconds
TestRunner_l2cap-tester PASS 22.86 seconds
TestRunner_iso-tester PASS 47.19 seconds
TestRunner_bnep-tester PASS 6.79 seconds
TestRunner_mgmt-tester PASS 155.13 seconds
TestRunner_rfcomm-tester PASS 10.67 seconds
TestRunner_sco-tester PASS 14.34 seconds
TestRunner_ioctl-tester PASS 12.04 seconds
TestRunner_mesh-tester PASS 8.75 seconds
TestRunner_smp-tester PASS 9.62 seconds
TestRunner_userchan-tester PASS 8.21 seconds
IncrementalBuild PASS 25.88 seconds
Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
[next] bluetooth/btintel: fix null ptr deref in btintel_read_version
WARNING: Prefer a maximum 75 chars per line (possible unwrapped commit description?)
#83:
If hci_cmd_sync_complete() is triggered and skb is NULL, then hdev->req_skb is NULL,
WARNING: Reported-by: should be immediately followed by Closes: with a URL to the report
#86:
Reported-and-tested-by: [email protected]
Signed-off-by: Edward Adam Davis <[email protected]>
total: 0 errors, 2 warnings, 8 lines checked
NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.
/github/workspace/src/src/13522361.patch has style problems, please review.
NOTE: Ignored message types: UNKNOWN_COMMIT_ID
NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.
##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
[next] bluetooth/btintel: fix null ptr deref in btintel_read_version
WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
3: B1 Line exceeds max length (84>80): "If hci_cmd_sync_complete() is triggered and skb is NULL, then hdev->req_skb is NULL,"
##############################
Test: SubjectPrefix - FAIL
Desc: Check subject contains "Bluetooth" prefix
Output:
"Bluetooth: " prefix is not specified in the subject
---
Regards,
Linux Bluetooth
Hello:
This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <[email protected]>:
On Thu, 18 Jan 2024 12:40:34 +0800 you wrote:
> If hci_cmd_sync_complete() is triggered and skb is NULL, then hdev->req_skb is NULL,
> which will cause this issue.
>
> Reported-and-tested-by: [email protected]
> Signed-off-by: Edward Adam Davis <[email protected]>
> ---
> drivers/bluetooth/btintel.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
Here is the summary with links:
- [next] bluetooth/btintel: fix null ptr deref in btintel_read_version
https://git.kernel.org/bluetooth/bluetooth-next/c/693a94db9e8c
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html