syzbot


KASAN: null-ptr-deref Write in amp_read_loc_assoc_final_data

Status: fixed on 2021/04/09 19:46
Subsystems: bluetooth
Reported-by: syzbot+f4fb0eaafdb51c32a153@syzkaller.appspotmail.com
Fix commit: e8bd76ede155 Bluetooth: Fix null pointer dereference in amp_read_loc_assoc_final_data
First crash: 1530d, last: 1328d
Cause bisection: introduced by (bisect log):
commit a4585c31c5018578b4abf699ddfdff719dd1c313
Author: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Date: Tue Oct 18 19:44:09 2016 +0000

  [media] marvell-ccic: don't break long lines

Crash: WARNING in nf_unregister_net_hook (log)
Note: the bisected commit touches a media driver and the crash the bisection reproduced carries a different title from this bug, so this result does not identify the change that introduced the null-ptr-deref; the fix commit above is the reliable reference.
Repro: C syz .config
Discussions (2)
Title | Replies (including bot) | Last reply
[Linux-kernel-mentees] [PATCH net] Bluetooth: Fix NULL pointer dereference in amp_read_loc_assoc_final_data() | 4 (4) | 2021/03/03 10:27
KASAN: null-ptr-deref Write in amp_read_loc_assoc_final_data | 0 (1) | 2020/07/31 17:04
Similar bugs (2)
Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
linux-4.14 | BUG: unable to handle kernel NULL pointer dereference in amp_read_loc_assoc_final_data | C | done | - | 207 | 1312d | 1530d | 1/1 | fixed on 2021/04/07 11:21
linux-4.19 | BUG: unable to handle kernel NULL pointer dereference in amp_read_loc_assoc_final_data | C | done | - | 114 | 1314d | 1530d | 1/1 | fixed on 2021/04/07 11:11
Last patch testing requests (1)
Created | Duration | User | Patch | Repo | Result
2020/08/08 00:46 | 16m | yepeilin.cs@gmail.com | patch | upstream | OK

Sample crash report:
==================================================================
BUG: KASAN: null-ptr-deref in instrument_atomic_write include/linux/instrumented.h:86 [inline]
BUG: KASAN: null-ptr-deref in set_bit include/asm-generic/bitops/instrumented-atomic.h:28 [inline]
BUG: KASAN: null-ptr-deref in amp_read_loc_assoc_final_data+0x117/0x1f0 net/bluetooth/amp.c:304
Write of size 8 at addr 0000000000000030 by task kworker/u5:1/8474

CPU: 0 PID: 8474 Comm: kworker/u5:1 Not tainted 5.11.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: hci0 hci_rx_work
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:120
 __kasan_report mm/kasan/report.c:400 [inline]
 kasan_report.cold+0x5f/0xd5 mm/kasan/report.c:413
 check_memory_region_inline mm/kasan/generic.c:179 [inline]
 check_memory_region+0x13d/0x180 mm/kasan/generic.c:185
 instrument_atomic_write include/linux/instrumented.h:86 [inline]
 set_bit include/asm-generic/bitops/instrumented-atomic.h:28 [inline]
 amp_read_loc_assoc_final_data+0x117/0x1f0 net/bluetooth/amp.c:304
 hci_chan_selected_evt net/bluetooth/hci_event.c:4943 [inline]
 hci_event_packet+0xed9/0x7d60 net/bluetooth/hci_event.c:6296
 hci_rx_work+0x511/0xd30 net/bluetooth/hci_core.c:4971
 process_one_work+0x98d/0x15f0 kernel/workqueue.c:2275
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2421
 kthread+0x3b1/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
==================================================================
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 8474 Comm: kworker/u5:1 Tainted: G    B             5.11.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: hci0 hci_rx_work
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:120
 panic+0x306/0x73d kernel/panic.c:231
 end_report+0x58/0x5e mm/kasan/report.c:100
 __kasan_report mm/kasan/report.c:403 [inline]
 kasan_report.cold+0x67/0xd5 mm/kasan/report.c:413
 check_memory_region_inline mm/kasan/generic.c:179 [inline]
 check_memory_region+0x13d/0x180 mm/kasan/generic.c:185
 instrument_atomic_write include/linux/instrumented.h:86 [inline]
 set_bit include/asm-generic/bitops/instrumented-atomic.h:28 [inline]
 amp_read_loc_assoc_final_data+0x117/0x1f0 net/bluetooth/amp.c:304
 hci_chan_selected_evt net/bluetooth/hci_event.c:4943 [inline]
 hci_event_packet+0xed9/0x7d60 net/bluetooth/hci_event.c:6296
 hci_rx_work+0x511/0xd30 net/bluetooth/hci_core.c:4971
 process_one_work+0x98d/0x15f0 kernel/workqueue.c:2275
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2421
 kthread+0x3b1/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
Kernel Offset: disabled
Rebooting in 86400 seconds..
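Reading the report above: KASAN flags a write of size 8 at address 0x30 from set_bit() at net/bluetooth/amp.c:304, which is a NULL base pointer plus a field offset. The struct that set_bit() is writing into is the struct amp_mgr that hcon->amp_mgr should point to, and on this path that pointer is NULL, so the 8-byte store lands on the `state` word at offset 0x30 of address zero. The C program below is an added example for this page, not kernel code and not part of the syzbot report. Its struct amp_mgr is a reconstruction of the layout in net/bluetooth/amp.h of that era on an LP64 target such as the x86-64 reporter (treat the field list as an assumption); it shows that offsetof(state) is 0x30, maps a NULL-based KASAN address back to the field, and puts the unchecked write next to the early-return guard that, as I read it, the fix commit listed above adds (the page itself only names the commit). The READ_LOC_AMP_ASSOC_FINAL bit index and the trimmed struct hci_conn are stand-ins.

```c
/*
 * Added example, not kernel code: a user-space model of the NULL
 * dereference in the KASAN report and of the guard that fixes it.
 * struct amp_mgr below is a reconstruction (assumption) of the kernel
 * struct at the time of the report; offsets are for LP64 targets.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct list_head { struct list_head *next, *prev; };
struct kref { int refcount; };          /* kernel refcount_t is 4 bytes */

struct amp_mgr {                        /* reconstructed layout, LP64 offsets */
    struct list_head list;              /* 0x00 */
    void *l2cap_conn;                   /* 0x10 */
    void *a2mp_chan;                    /* 0x18 */
    void *bredr_chan;                   /* 0x20 */
    struct kref kref;                   /* 0x28 */
    uint8_t ident;                      /* 0x2c */
    uint8_t handle;                     /* 0x2d */
    unsigned long state;                /* 0x30: the 8-byte word set_bit() writes */
    unsigned long flags;                /* 0x38 */
};

struct hci_conn {                       /* only the members the model needs */
    uint16_t handle;
    struct amp_mgr *amp_mgr;            /* NULL when the connection has no AMP manager */
};

enum { READ_LOC_AMP_ASSOC_FINAL = 2 };  /* bit index; the value is an assumption */

/* Triage step: a NULL-based KASAN address is base 0 plus a field offset. */
static const char *amp_mgr_field_at(uintptr_t fault_addr)
{
    switch (fault_addr) {
    case offsetof(struct amp_mgr, kref):  return "kref";
    case offsetof(struct amp_mgr, state): return "state";
    case offsetof(struct amp_mgr, flags): return "flags";
    default:                              return "unknown";
    }
}

/* Address that set_bit(READ_LOC_AMP_ASSOC_FINAL, &mgr->state) targets when mgr == NULL. */
static uintptr_t null_mgr_state_addr(void)
{
    return offsetof(struct amp_mgr, state);   /* 0x30, matching the report */
}

/* Unchecked form: the store the report caught.  Only safe with a non-NULL mgr. */
static void read_loc_assoc_final_unchecked(struct hci_conn *hcon)
{
    struct amp_mgr *mgr = hcon->amp_mgr;
    mgr->state |= 1UL << READ_LOC_AMP_ASSOC_FINAL;  /* mgr == NULL: write to 0x30 */
}

/* Guarded form, modelled on the fix: return before touching mgr. */
static bool read_loc_assoc_final(struct hci_conn *hcon)
{
    struct amp_mgr *mgr = hcon->amp_mgr;
    if (!mgr)
        return false;                   /* no AMP manager, nothing to request */
    read_loc_assoc_final_unchecked(hcon);
    return true;
}

/* Self-checks for both paths, returned rather than printed. */
static bool guard_rejects_null_mgr(void)
{
    struct hci_conn hcon = { .handle = 1, .amp_mgr = NULL };
    return !read_loc_assoc_final(&hcon);
}

static bool guard_sets_bit_with_mgr(void)
{
    struct amp_mgr mgr = { 0 };
    struct hci_conn hcon = { .handle = 1, .amp_mgr = &mgr };
    return read_loc_assoc_final(&hcon) &&
           (mgr.state & (1UL << READ_LOC_AMP_ASSOC_FINAL)) != 0;
}

int main(void)
{
    uintptr_t addr = null_mgr_state_addr();
    printf("NULL mgr: set_bit on &mgr->state writes at 0x%lx (field: %s)\n",
           (unsigned long)addr, amp_mgr_field_at(addr));
    printf("guard rejects NULL mgr: %s\n", guard_rejects_null_mgr() ? "yes" : "no");
    printf("guard sets bit with mgr:  %s\n", guard_sets_bit_with_mgr() ? "yes" : "no");
    return 0;
}
```

The same offset arithmetic applies to any KASAN "null-ptr-deref" whose address is a small constant: take the faulting address as the field offset, and the field that offset names inside the struct the code dereferences tells you which pointer was NULL.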

Crashes (185):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2021/01/07 19:02 upstream 71c061d24438 c104d4a3 .config console log report syz C ci-upstream-kasan-gce
2020/08/24 16:48 upstream d012a7190fc1 67b599d1 .config console log report syz C ci-upstream-kasan-gce
2020/08/23 08:05 upstream c3d8f220d012 1da71ab0 .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/08/23 03:07 upstream c3d8f220d012 1da71ab0 .config console log report syz C ci-upstream-kasan-gce-root
2020/08/23 03:01 upstream c3d8f220d012 1da71ab0 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/08/02 19:18 upstream ac3a0c847296 63a73341 .config console log report syz C ci-upstream-kasan-gce-root
2020/08/02 16:58 upstream ac3a0c847296 63a73341 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/08/02 07:26 upstream d52daa8620c6 d895b3be .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/08/01 03:56 upstream d8b9faec54ae d895b3be .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/07/31 04:42 upstream 83bdc7275e62 8df85ed9 .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/08/24 20:02 upstream d012a7190fc1 67b599d1 .config console log report syz C ci-upstream-kasan-gce-386
2020/08/24 02:36 linux-next 494d311a82bb cef5ae68 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2021/02/17 16:38 upstream f40ddce88593 052f8d9f .config console log report info ci-upstream-kasan-gce KASAN: null-ptr-deref Write in amp_read_loc_assoc_final_data
2021/02/14 15:43 upstream 358feceebbf6 98682e5e .config console log report info ci-upstream-kasan-gce KASAN: null-ptr-deref Write in amp_read_loc_assoc_final_data
2021/02/10 23:52 upstream 291009f656e8 a52ee10a .config console log report info ci-upstream-kasan-gce-root KASAN: null-ptr-deref Write in amp_read_loc_assoc_final_data
2021/02/10 10:58 upstream e0756cfc7d7c 2bd9619f .config console log report info ci-upstream-kasan-gce-smack-root KASAN: null-ptr-deref Write in amp_read_loc_assoc_final_data
2021/02/07 07:15 upstream 964d069f93c4 0655e081 .config console log report info ci-upstream-kasan-gce-smack-root KASAN: null-ptr-deref Write in amp_read_loc_assoc_final_data
2021/02/03 08:57 upstream 3aaf0a27ffc2 624dad51 .config console log report info ci-upstream-kasan-gce-smack-root KASAN: null-ptr-deref Write in amp_read_loc_assoc_final_data
2021/01/31 09:58 upstream 8c947645151c fc9fd31e .config console log report info ci-upstream-kasan-gce-root KASAN: null-ptr-deref Write in amp_read_loc_assoc_final_data
2021/01/28 06:03 upstream 76c057c84d28 eefc07f2 .config console log report info ci-upstream-kasan-gce-selinux-root KASAN: null-ptr-deref Write in amp_read_loc_assoc_final_data
2021/01/27 18:51 upstream 2ab38c17aac1 a0ebf917 .config console log report info ci-upstream-kasan-gce-selinux-root KASAN: null-ptr-deref Write in amp_read_loc_assoc_final_data
2021/01/25 08:21 upstream e68061375f79 52e37319 .config console log report info ci-upstream-kasan-gce KASAN: null-ptr-deref Write in amp_read_loc_assoc_final_data
2021/01/24 17:17 upstream e1ae4b0be158 52e37319 .config console log report info ci-upstream-kasan-gce-root KASAN: null-ptr-deref Write in amp_read_loc_assoc_final_data
2021/01/21 09:26 upstream 75439bc439e0 d4f4eca5 .config console log report info ci-upstream-kasan-gce-root KASAN: null-ptr-deref Write in amp_read_loc_assoc_final_data
2021/01/19 03:08 upstream 19c329f68089 63631df1 .config console log report info ci-upstream-kasan-gce-smack-root KASAN: null-ptr-deref Write in amp_read_loc_assoc_final_data
2021/02/09 14:21 upstream e0756cfc7d7c 2bd9619f .config console log report info ci-qemu2-arm64-compat KASAN: null-ptr-deref Write in amp_read_loc_assoc_final_data
2021/02/01 17:13 upstream 1048ba83fb1c e6b95f32 .config console log report info ci-qemu2-arm64-compat KASAN: null-ptr-deref Write in amp_read_loc_assoc_final_data
2021/01/29 08:48 upstream bec4c2968fce 6593fd32 .config console log report info ci-qemu-upstream-386 KASAN: null-ptr-deref Write in amp_read_loc_assoc_final_data
2021/01/11 22:07 upstream 7c53f6b671f4 2c1f2513 .config console log report info ci-upstream-kasan-gce-root
2021/01/09 02:33 upstream 6279d812eab6 c104d4a3 .config console log report info ci-upstream-kasan-gce-root
2021/01/06 12:14 upstream 9f1abbe97c08 fff20c29 .config console log report info ci-qemu-upstream
2021/01/05 07:00 upstream 36bbbd0e234d 2a28ff1f .config console log report info ci-upstream-kasan-gce
2021/01/04 18:08 upstream e71ba9452f0b 79264ae3 .config console log report info ci-upstream-kasan-gce-selinux-root
2021/01/03 18:48 upstream 3516bd729358 79264ae3 .config console log report info ci-upstream-kasan-gce
2021/01/02 15:13 upstream eda809aef534 79264ae3 .config console log report info ci-upstream-kasan-gce
2021/01/01 17:19 upstream f6e1ea196492 79264ae3 .config console log report info ci-upstream-kasan-gce
2021/01/01 14:37 upstream f6e1ea196492 79264ae3 .config console log report info ci-upstream-kasan-gce
2020/12/27 23:55 upstream f838f8d2b694 2242f77f .config console log report info ci-upstream-kasan-gce-root
2020/12/27 01:05 upstream 40f78232f973 821e0b09 .config console log report info ci-upstream-kasan-gce
2020/12/26 18:39 upstream 40f78232f973 821e0b09 .config console log report info ci-upstream-kasan-gce
2020/12/26 06:28 upstream 5814bc2d4cc2 821e0b09 .config console log report info ci-upstream-kasan-gce
2020/12/13 17:42 upstream 6bff9bb8a292 bca53db9 .config console log report info ci-upstream-kasan-gce
2020/12/12 18:32 upstream 7f376f1917d7 bca53db9 .config console log report info ci-upstream-kasan-gce-root
2020/12/10 09:03 upstream a68a0262abda c090b4da .config console log report info ci-upstream-kasan-gce-smack-root
2020/12/07 19:19 upstream 0477e9288185 1190297f .config console log report info ci-upstream-kasan-gce-smack-root
2020/12/07 08:12 upstream 7059c2c00a21 c521566d .config console log report info ci-upstream-kasan-gce
2020/12/05 09:06 upstream e87297fa080a 20366b87 .config console log report info ci-upstream-kasan-gce
2020/12/05 07:11 upstream e87297fa080a 20366b87 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/12/02 14:55 upstream 509a15421674 c42a35e9 .config console log report info ci-upstream-kasan-gce-root
2020/11/29 10:23 upstream 45e885c439e8 a0092f9d .config console log report info ci-upstream-kasan-gce
2020/11/29 02:20 upstream 45e885c439e8 a0092f9d .config console log report info ci-qemu-upstream
2020/11/26 00:32 upstream fa02fcd94b0c 2f1cec62 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/11/25 04:24 upstream 80145ac2f739 e34b696c .config console log report info ci-upstream-kasan-gce
2020/11/24 09:02 upstream d5beb3140f91 1ab681a4 .config console log report info ci-upstream-kasan-gce
2020/11/23 05:25 upstream a349e4c65960 0d27f508 .config console log report info ci-upstream-kasan-gce-root
2020/11/19 12:15 upstream c2e7554e1b85 0767f13f .config console log report info ci-upstream-kasan-gce-smack-root
2021/01/15 11:42 upstream 146620506274 65a7a854 .config console log report info ci-upstream-kasan-gce-386
2021/01/11 03:39 upstream 0653161f0fac 2c1f2513 .config console log report info ci-upstream-kasan-gce-386
2020/12/26 19:56 upstream 40f78232f973 821e0b09 .config console log report info ci-upstream-kasan-gce-386
2020/12/16 10:30 upstream d635a69dd498 f213e07e .config console log report info ci-upstream-kasan-gce-386
2020/12/11 02:47 upstream a2f5ea9e314b f900b48c .config console log report info ci-upstream-kasan-gce-386
2020/12/08 14:11 upstream cd796ed33450 51a9082e .config console log report info ci-upstream-kasan-gce-386
2020/12/08 08:28 upstream cd796ed33450 9af51e31 .config console log report info ci-qemu-upstream-386
2020/12/03 04:43 upstream 3bb61aa61828 8c9190ef .config console log report info ci-upstream-kasan-gce-386
2020/11/27 05:22 upstream 85a2c56cb445 5018c946 .config console log report info ci-upstream-kasan-gce-386
2020/12/29 09:55 linux-next d7a03a44a5e9 8259d56c .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/11/25 02:04 linux-next 62918e6fd7b5 e34b696c .config console log report info ci-upstream-linux-next-kasan-gce-root