On Fri, Jan 19, 2024 at 12:58:21PM +0100, Dmitry Vyukov wrote: > On Thu, 18 Jan 2024 at 15:02, Matthew Wilcox <willy@xxxxxxxxxxxxx> wrote: > > > > On Thu, Jan 18, 2024 at 11:21:34AM +0100, Dmitry Vyukov wrote: > > > On Sat, 25 Nov 2023 at 14:18, syzbot > > > <syzbot+51baee846ddab52d5230@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote: > > > > > > > > syzbot has found a reproducer for the following issue on: > > > > > > > > HEAD commit: 8c9660f65153 Add linux-next specific files for 20231124 > > > > git tree: linux-next > > > > console+strace: https://syzkaller.appspot.com/x/log.txt?x=1678a3cce80000 > > > > kernel config: https://syzkaller.appspot.com/x/.config?x=ca1e8655505e280 > > > > dashboard link: https://syzkaller.appspot.com/bug?extid=51baee846ddab52d5230 > > > > compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 > > > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10d54c08e80000 > > > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=160ef1a4e80000 > > > > > > > > Downloadable assets: > > > > disk image: https://storage.googleapis.com/syzbot-assets/345ed4af3a0d/disk-8c9660f6.raw.xz > > > > vmlinux: https://storage.googleapis.com/syzbot-assets/191053c69d57/vmlinux-8c9660f6.xz > > > > kernel image: https://storage.googleapis.com/syzbot-assets/aac7ee5e55e0/bzImage-8c9660f6.xz > > > > > > > > IMPORTANT: if you fix the issue, please add the following tag to the commit: > > > > Reported-by: syzbot+51baee846ddab52d5230@xxxxxxxxxxxxxxxxxxxxxxxxx > > > > > > > > Bluetooth: hci0: hardware error 0x00 > > > > ================================================================== > > > > BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:68 [inline] > > > > BUG: KASAN: null-ptr-deref in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline] > > > > BUG: KASAN: null-ptr-deref in ida_free+0x218/0x2e0 lib/idr.c:511 > > > > Read of size 8 at addr 0000000000000078 by task kworker/u5:1/4455 > > > > > > > > CPU: 1 PID: 4455 Comm: kworker/u5:1 Not tainted 6.7.0-rc2-next-20231124-syzkaller #0 > > > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023 > > > > Workqueue: hci0 hci_error_reset > > > > Call Trace: > > > > <TASK> > > > > __dump_stack lib/dump_stack.c:88 [inline] > > > > dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106 > > > > kasan_report+0xd9/0x110 mm/kasan/report.c:588 > > > > check_region_inline mm/kasan/generic.c:182 [inline] > > > > kasan_check_range+0xef/0x190 mm/kasan/generic.c:188 > > > > instrument_atomic_read include/linux/instrumented.h:68 [inline] > > > > _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline] > > > > > > Wonder if this is fixed with: > > > > > > ida: Fix crash in ida_free when the bitmap is empty > > > > > > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=af73483f4e8b6f5c68c9aa63257bdd929a9c194a > > > > > > ? > > > > Should be. The backtrace below looks like it's the same bug that got > > reported 3-4 weeks ago. > > On second thought, perhaps the bluetooth stack shouldn't free invalid > ids in the first place. > It may even take these bogus ids from the wire, which would be pretty bad. Oh, that was my first response. Unfortunately, the original reporter was all "I filed a CVE and this is S3CUR1+Y F!X" so none of that interaction is public. What my patch will do is convert this NULL pointer dereference into a warning (which will still be noticed by syzbot). The bluetooth stack still needs to be fixed to not free invalid IDs.
