diff mbox series

[v2] Bluetooth: hci: fix null-ptr-deref in hci_read_supported_codecs

Message ID 20240706225124.1247944-1-iam@sung-woo.kim (mailing list archive)
State New, archived
Headers show
Series [v2] Bluetooth: hci: fix null-ptr-deref in hci_read_supported_codecs | expand

Checks

Context Check Description
tedd_an/pre-ci_am success Success
tedd_an/CheckPatch warning WARNING: Prefer a maximum 75 chars per line (possible unwrapped commit description?) #86: CPU: 1 PID: 2000 Comm: kworker/u9:5 Not tainted 6.9.0-ga6bcb805883c-dirty #10 total: 0 errors, 1 warnings, 0 checks, 36 lines checked NOTE: For some of the reported defects, checkpatch may be able to mechanically convert to the typical style using --fix or --fix-inplace. /github/workspace/src/src/13725924.patch has style problems, please review. NOTE: Ignored message types: UNKNOWN_COMMIT_ID NOTE: If any of the errors are false positives, please report them to the maintainer, see CHECKPATCH in MAINTAINERS.
tedd_an/GitLint fail WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search 12: B1 Line exceeds max length (199>80): "Code: 08 48 89 ef e8 b8 c1 8f fd 48 8b 75 00 e9 96 00 00 00 49 89 c6 48 ba 00 00 00 00 00 fc ff df 4c 8d 60 70 4c 89 e3 48 c1 eb 03 <0f> b6 04 13 84 c0 0f 85 82 06 00 00 41 83 3c 24 02 77 0a e8 bf 78"
tedd_an/SubjectPrefix success Gitlint PASS
tedd_an/BuildKernel success BuildKernel PASS
tedd_an/CheckAllWarning success CheckAllWarning PASS
tedd_an/CheckSparse success CheckSparse PASS
tedd_an/CheckSmatch success CheckSparse PASS
tedd_an/BuildKernel32 success BuildKernel32 PASS
tedd_an/TestRunnerSetup success TestRunnerSetup PASS
tedd_an/TestRunner_l2cap-tester success TestRunner PASS
tedd_an/TestRunner_iso-tester success TestRunner PASS
tedd_an/TestRunner_bnep-tester success TestRunner PASS
tedd_an/TestRunner_mgmt-tester success TestRunner PASS
tedd_an/TestRunner_rfcomm-tester success TestRunner PASS
tedd_an/TestRunner_sco-tester success TestRunner PASS
tedd_an/TestRunner_ioctl-tester success TestRunner PASS
tedd_an/TestRunner_mesh-tester success TestRunner PASS
tedd_an/TestRunner_smp-tester success TestRunner PASS
tedd_an/TestRunner_userchan-tester success TestRunner PASS
tedd_an/IncrementalBuild success Incremental Build PASS

Commit Message

Sungwoo Kim July 6, 2024, 10:51 p.m. UTC 
__hci_cmd_sync_sk() returns NULL if a command returns a status event
as there are no parameters.
Fix __hci_cmd_sync_sk() to not return NULL.

KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
CPU: 1 PID: 2000 Comm: kworker/u9:5 Not tainted 6.9.0-ga6bcb805883c-dirty #10
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: hci7 hci_power_on
RIP: 0010:hci_read_supported_codecs+0xb9/0x870 net/bluetooth/hci_codec.c:138
Code: 08 48 89 ef e8 b8 c1 8f fd 48 8b 75 00 e9 96 00 00 00 49 89 c6 48 ba 00 00 00 00 00 fc ff df 4c 8d 60 70 4c 89 e3 48 c1 eb 03 <0f> b6 04 13 84 c0 0f 85 82 06 00 00 41 83 3c 24 02 77 0a e8 bf 78
RSP: 0018:ffff888120bafac8 EFLAGS: 00010212
RAX: 0000000000000000 RBX: 000000000000000e RCX: ffff8881173f0040
RDX: dffffc0000000000 RSI: ffffffffa58496c0 RDI: ffff88810b9ad1e4
RBP: ffff88810b9ac000 R08: ffffffffa77882a7 R09: 1ffffffff4ef1054
R10: dffffc0000000000 R11: fffffbfff4ef1055 R12: 0000000000000070
R13: 0000000000000000 R14: 0000000000000000 R15: ffff88810b9ac000
FS:  0000000000000000(0000) GS:ffff8881f6c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6ddaa3439e CR3: 0000000139764003 CR4: 0000000000770ef0
PKRU: 55555554
Call Trace:
 <TASK>
 hci_read_local_codecs_sync net/bluetooth/hci_sync.c:4546 [inline]
 hci_init_stage_sync net/bluetooth/hci_sync.c:3441 [inline]
 hci_init4_sync net/bluetooth/hci_sync.c:4706 [inline]
 hci_init_sync net/bluetooth/hci_sync.c:4742 [inline]
 hci_dev_init_sync net/bluetooth/hci_sync.c:4912 [inline]
 hci_dev_open_sync+0x19a9/0x2d30 net/bluetooth/hci_sync.c:4994
 hci_dev_do_open net/bluetooth/hci_core.c:483 [inline]
 hci_power_on+0x11e/0x560 net/bluetooth/hci_core.c:1015
 process_one_work kernel/workqueue.c:3267 [inline]
 process_scheduled_works+0x8ef/0x14f0 kernel/workqueue.c:3348
 worker_thread+0x91f/0xe50 kernel/workqueue.c:3429
 kthread+0x2cb/0x360 kernel/kthread.c:388
 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Fixes: abfeea476c68 ("Bluetooth: hci_sync: Convert MGMT_OP_START_DISCOVERY")

Signed-off-by: Sungwoo Kim <iam@sung-woo.kim>
---
v1 -> v2: make __hci_cmd_sync_sk() not return NULL

 net/bluetooth/hci_sync.c | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

Comments

bluez.test.bot@gmail.com July 6, 2024, 11:33 p.m. UTC | #1 
This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=869029

---Test result---

Test Summary:
CheckPatch                    FAIL      0.85 seconds
GitLint                       FAIL      0.47 seconds
SubjectPrefix                 PASS      0.10 seconds
BuildKernel                   PASS      30.03 seconds
CheckAllWarning               PASS      32.33 seconds
CheckSparse                   PASS      37.80 seconds
CheckSmatch                   PASS      102.95 seconds
BuildKernel32                 PASS      28.77 seconds
TestRunnerSetup               PASS      524.00 seconds
TestRunner_l2cap-tester       PASS      20.16 seconds
TestRunner_iso-tester         PASS      32.93 seconds
TestRunner_bnep-tester        PASS      4.83 seconds
TestRunner_mgmt-tester        PASS      114.05 seconds
TestRunner_rfcomm-tester      PASS      7.37 seconds
TestRunner_sco-tester         PASS      15.05 seconds
TestRunner_ioctl-tester       PASS      7.93 seconds
TestRunner_mesh-tester        PASS      5.99 seconds
TestRunner_smp-tester         PASS      6.95 seconds
TestRunner_userchan-tester    PASS      5.03 seconds
IncrementalBuild              PASS      27.85 seconds

Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
[v2] Bluetooth: hci: fix null-ptr-deref in hci_read_supported_codecs
WARNING: Prefer a maximum 75 chars per line (possible unwrapped commit description?)
#86: 
CPU: 1 PID: 2000 Comm: kworker/u9:5 Not tainted 6.9.0-ga6bcb805883c-dirty #10

total: 0 errors, 1 warnings, 0 checks, 36 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

/github/workspace/src/src/13725924.patch has style problems, please review.

NOTE: Ignored message types: UNKNOWN_COMMIT_ID

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.


##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
[v2] Bluetooth: hci: fix null-ptr-deref in hci_read_supported_codecs

WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
12: B1 Line exceeds max length (199>80): "Code: 08 48 89 ef e8 b8 c1 8f fd 48 8b 75 00 e9 96 00 00 00 49 89 c6 48 ba 00 00 00 00 00 fc ff df 4c 8d 60 70 4c 89 e3 48 c1 eb 03 <0f> b6 04 13 84 c0 0f 85 82 06 00 00 41 83 3c 24 02 77 0a e8 bf 78"


---
Regards,
Linux Bluetooth
Markus Elfring July 7, 2024, 8:45 a.m. UTC | #2 
Please put email addresses for recipients not only into the message field “Cc”.


…
> Fix __hci_cmd_sync_sk() to not return NULL.
>
> KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
…

How do you think about to use a summary phrase like
“Prevent null pointer dereference in hci_read_supported_codecs()”?


…
> Fixes: abfeea476c68 ("Bluetooth: hci_sync: Convert MGMT_OP_START_DISCOVERY")
…

Would you like to add a “stable tag” accordingly?
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/stable-kernel-rules.rst?h=v6.10-rc6#n34

Regards,
Markus
Sungwoo Kim Oct. 29, 2024, 2:41 a.m. UTC | #3 
Dear Luiz, could you review this? This bug and fix are still valid but
have been forgotten for some reason.

On Sat, Jul 6, 2024 at 6:53 PM Sungwoo Kim <iam@sung-woo.kim> wrote:
>
> __hci_cmd_sync_sk() returns NULL if a command returns a status event
> as there are no parameters.
> Fix __hci_cmd_sync_sk() to not return NULL.
>
> KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
> CPU: 1 PID: 2000 Comm: kworker/u9:5 Not tainted 6.9.0-ga6bcb805883c-dirty #10
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> Workqueue: hci7 hci_power_on
> RIP: 0010:hci_read_supported_codecs+0xb9/0x870 net/bluetooth/hci_codec.c:138
> Code: 08 48 89 ef e8 b8 c1 8f fd 48 8b 75 00 e9 96 00 00 00 49 89 c6 48 ba 00 00 00 00 00 fc ff df 4c 8d 60 70 4c 89 e3 48 c1 eb 03 <0f> b6 04 13 84 c0 0f 85 82 06 00 00 41 83 3c 24 02 77 0a e8 bf 78
> RSP: 0018:ffff888120bafac8 EFLAGS: 00010212
> RAX: 0000000000000000 RBX: 000000000000000e RCX: ffff8881173f0040
> RDX: dffffc0000000000 RSI: ffffffffa58496c0 RDI: ffff88810b9ad1e4
> RBP: ffff88810b9ac000 R08: ffffffffa77882a7 R09: 1ffffffff4ef1054
> R10: dffffc0000000000 R11: fffffbfff4ef1055 R12: 0000000000000070
> R13: 0000000000000000 R14: 0000000000000000 R15: ffff88810b9ac000
> FS:  0000000000000000(0000) GS:ffff8881f6c00000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f6ddaa3439e CR3: 0000000139764003 CR4: 0000000000770ef0
> PKRU: 55555554
> Call Trace:
>  <TASK>
>  hci_read_local_codecs_sync net/bluetooth/hci_sync.c:4546 [inline]
>  hci_init_stage_sync net/bluetooth/hci_sync.c:3441 [inline]
>  hci_init4_sync net/bluetooth/hci_sync.c:4706 [inline]
>  hci_init_sync net/bluetooth/hci_sync.c:4742 [inline]
>  hci_dev_init_sync net/bluetooth/hci_sync.c:4912 [inline]
>  hci_dev_open_sync+0x19a9/0x2d30 net/bluetooth/hci_sync.c:4994
>  hci_dev_do_open net/bluetooth/hci_core.c:483 [inline]
>  hci_power_on+0x11e/0x560 net/bluetooth/hci_core.c:1015
>  process_one_work kernel/workqueue.c:3267 [inline]
>  process_scheduled_works+0x8ef/0x14f0 kernel/workqueue.c:3348
>  worker_thread+0x91f/0xe50 kernel/workqueue.c:3429
>  kthread+0x2cb/0x360 kernel/kthread.c:388
>  ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
>  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
>
> Fixes: abfeea476c68 ("Bluetooth: hci_sync: Convert MGMT_OP_START_DISCOVERY")
>
> Signed-off-by: Sungwoo Kim <iam@sung-woo.kim>
> ---
> v1 -> v2: make __hci_cmd_sync_sk() not return NULL
>
>  net/bluetooth/hci_sync.c | 18 +++++++++++-------
>  1 file changed, 11 insertions(+), 7 deletions(-)
>
> diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
> index 76b283b8e..c4e4abc6e 100644
> --- a/net/bluetooth/hci_sync.c
> +++ b/net/bluetooth/hci_sync.c
> @@ -201,6 +201,12 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
>                 return ERR_PTR(err);
>         }
>
> +       /* If command return a status event skb will be set to NULL as there are
> +        * no parameters.
> +        */
> +       if (!skb)
> +               return ERR_PTR(-ENODATA);
> +
>         return skb;
>  }
>  EXPORT_SYMBOL(__hci_cmd_sync_sk);
> @@ -250,6 +256,11 @@ int __hci_cmd_sync_status_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
>         u8 status;
>
>         skb = __hci_cmd_sync_sk(hdev, opcode, plen, param, event, timeout, sk);
> +
> +       /* If command return a status event, skb will be set to -ENODATA */
> +       if (skb == ERR_PTR(-ENODATA))
> +               return 0;
> +
>         if (IS_ERR(skb)) {
>                 if (!event)
>                         bt_dev_err(hdev, "Opcode 0x%4.4x failed: %ld", opcode,
> @@ -257,13 +268,6 @@ int __hci_cmd_sync_status_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
>                 return PTR_ERR(skb);
>         }
>
> -       /* If command return a status event skb will be set to NULL as there are
> -        * no parameters, in case of failure IS_ERR(skb) would have be set to
> -        * the actual error would be found with PTR_ERR(skb).
> -        */
> -       if (!skb)
> -               return 0;
> -
>         status = skb->data[0];
>
>         kfree_skb(skb);
> --
> 2.34.1
>
Luiz Augusto von Dentz Oct. 29, 2024, 2 p.m. UTC | #4 
Hi Sungwoo,

On Mon, Oct 28, 2024 at 10:41 PM Sungwoo Kim <iam@sung-woo.kim> wrote:
>
> Dear Luiz, could you review this? This bug and fix are still valid but
> have been forgotten for some reason.

Please resend.

> On Sat, Jul 6, 2024 at 6:53 PM Sungwoo Kim <iam@sung-woo.kim> wrote:
> >
> > __hci_cmd_sync_sk() returns NULL if a command returns a status event
> > as there are no parameters.
> > Fix __hci_cmd_sync_sk() to not return NULL.
> >
> > KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
> > CPU: 1 PID: 2000 Comm: kworker/u9:5 Not tainted 6.9.0-ga6bcb805883c-dirty #10
> > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> > Workqueue: hci7 hci_power_on
> > RIP: 0010:hci_read_supported_codecs+0xb9/0x870 net/bluetooth/hci_codec.c:138
> > Code: 08 48 89 ef e8 b8 c1 8f fd 48 8b 75 00 e9 96 00 00 00 49 89 c6 48 ba 00 00 00 00 00 fc ff df 4c 8d 60 70 4c 89 e3 48 c1 eb 03 <0f> b6 04 13 84 c0 0f 85 82 06 00 00 41 83 3c 24 02 77 0a e8 bf 78
> > RSP: 0018:ffff888120bafac8 EFLAGS: 00010212
> > RAX: 0000000000000000 RBX: 000000000000000e RCX: ffff8881173f0040
> > RDX: dffffc0000000000 RSI: ffffffffa58496c0 RDI: ffff88810b9ad1e4
> > RBP: ffff88810b9ac000 R08: ffffffffa77882a7 R09: 1ffffffff4ef1054
> > R10: dffffc0000000000 R11: fffffbfff4ef1055 R12: 0000000000000070
> > R13: 0000000000000000 R14: 0000000000000000 R15: ffff88810b9ac000
> > FS:  0000000000000000(0000) GS:ffff8881f6c00000(0000) knlGS:0000000000000000
> > CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 00007f6ddaa3439e CR3: 0000000139764003 CR4: 0000000000770ef0
> > PKRU: 55555554
> > Call Trace:
> >  <TASK>
> >  hci_read_local_codecs_sync net/bluetooth/hci_sync.c:4546 [inline]
> >  hci_init_stage_sync net/bluetooth/hci_sync.c:3441 [inline]
> >  hci_init4_sync net/bluetooth/hci_sync.c:4706 [inline]
> >  hci_init_sync net/bluetooth/hci_sync.c:4742 [inline]
> >  hci_dev_init_sync net/bluetooth/hci_sync.c:4912 [inline]
> >  hci_dev_open_sync+0x19a9/0x2d30 net/bluetooth/hci_sync.c:4994
> >  hci_dev_do_open net/bluetooth/hci_core.c:483 [inline]
> >  hci_power_on+0x11e/0x560 net/bluetooth/hci_core.c:1015
> >  process_one_work kernel/workqueue.c:3267 [inline]
> >  process_scheduled_works+0x8ef/0x14f0 kernel/workqueue.c:3348
> >  worker_thread+0x91f/0xe50 kernel/workqueue.c:3429
> >  kthread+0x2cb/0x360 kernel/kthread.c:388
> >  ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
> >  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
> >
> > Fixes: abfeea476c68 ("Bluetooth: hci_sync: Convert MGMT_OP_START_DISCOVERY")
> >
> > Signed-off-by: Sungwoo Kim <iam@sung-woo.kim>
> > ---
> > v1 -> v2: make __hci_cmd_sync_sk() not return NULL
> >
> >  net/bluetooth/hci_sync.c | 18 +++++++++++-------
> >  1 file changed, 11 insertions(+), 7 deletions(-)
> >
> > diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
> > index 76b283b8e..c4e4abc6e 100644
> > --- a/net/bluetooth/hci_sync.c
> > +++ b/net/bluetooth/hci_sync.c
> > @@ -201,6 +201,12 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
> >                 return ERR_PTR(err);
> >         }
> >
> > +       /* If command return a status event skb will be set to NULL as there are
> > +        * no parameters.
> > +        */
> > +       if (!skb)
> > +               return ERR_PTR(-ENODATA);
> > +
> >         return skb;
> >  }
> >  EXPORT_SYMBOL(__hci_cmd_sync_sk);
> > @@ -250,6 +256,11 @@ int __hci_cmd_sync_status_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
> >         u8 status;
> >
> >         skb = __hci_cmd_sync_sk(hdev, opcode, plen, param, event, timeout, sk);
> > +
> > +       /* If command return a status event, skb will be set to -ENODATA */
> > +       if (skb == ERR_PTR(-ENODATA))
> > +               return 0;
> > +
> >         if (IS_ERR(skb)) {
> >                 if (!event)
> >                         bt_dev_err(hdev, "Opcode 0x%4.4x failed: %ld", opcode,
> > @@ -257,13 +268,6 @@ int __hci_cmd_sync_status_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
> >                 return PTR_ERR(skb);
> >         }
> >
> > -       /* If command return a status event skb will be set to NULL as there are
> > -        * no parameters, in case of failure IS_ERR(skb) would have be set to
> > -        * the actual error would be found with PTR_ERR(skb).
> > -        */
> > -       if (!skb)
> > -               return 0;
> > -
> >         status = skb->data[0];
> >
> >         kfree_skb(skb);
> > --
> > 2.34.1
> >
diff mbox series

Patch

diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 76b283b8e..c4e4abc6e 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -201,6 +201,12 @@  struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 		return ERR_PTR(err);
 	}
 
+	/* If command return a status event skb will be set to NULL as there are
+	 * no parameters.
+	 */
+	if (!skb)
+		return ERR_PTR(-ENODATA);
+
 	return skb;
 }
 EXPORT_SYMBOL(__hci_cmd_sync_sk);
@@ -250,6 +256,11 @@  int __hci_cmd_sync_status_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 	u8 status;
 
 	skb = __hci_cmd_sync_sk(hdev, opcode, plen, param, event, timeout, sk);
+
+	/* If command return a status event, skb will be set to -ENODATA */
+	if (skb == ERR_PTR(-ENODATA))
+		return 0;
+
 	if (IS_ERR(skb)) {
 		if (!event)
 			bt_dev_err(hdev, "Opcode 0x%4.4x failed: %ld", opcode,
@@ -257,13 +268,6 @@  int __hci_cmd_sync_status_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 		return PTR_ERR(skb);
 	}
 
-	/* If command return a status event skb will be set to NULL as there are
-	 * no parameters, in case of failure IS_ERR(skb) would have be set to
-	 * the actual error would be found with PTR_ERR(skb).
-	 */
-	if (!skb)
-		return 0;
-
 	status = skb->data[0];
 
 	kfree_skb(skb);