Gopal Tiwari
Mar 3, 2021, 5:11:47 AM
to Dmitry Vyukov, Peilin Ye, Marcel Holtmann, Johan Hedberg, Andrei Emeltchenko, Greg Kroah-Hartman, David S. Miller, Jakub Kicinski, linux-kern...@lists.linuxfoundation.org, syzkaller-bugs, linux-bluetooth, netdev, LKML, syzbot+f4fb0e...@syzkaller.appspotmail.com
Hi,
I tried to search for the patch for one of the Bugzilla reports (internal)
https://bugzilla.redhat.com/show_bug.cgi?id=1916057 with the traces
[ 405.938525] Workqueue: hci0 hci_rx_work [bluetooth]
[ 405.941360] RIP: 0010:amp_read_loc_assoc_final_data+0xfc/0x1c0 [bluetooth]
[ 405.944740] Code: 89 44 24 29 48 b8 00 00 00 00 00 fc ff df 0f b6 04 02 84 c0 74 08 3c 01 0f 8e 9d 00 00 00 0f b7 85 c0 03 00 00 66 89 44 24 2b <f0> 41 80 4c 24 30 04 4c 8d 64 24 68 48 89 ee 4c 89 e7 e8 3d 48 fe
[ 405.952396] RSP: 0018:ffff88802ea0f838 EFLAGS: 00010246
[ 405.955368] RAX: 0000000000000000 RBX: 1ffff11005d41f08 RCX: dffffc0000000000
[ 405.958669] RDX: 1ffff110254cc878 RSI: ffff88802eeee000 RDI: ffff88812a6643c0
[ 405.961980] RBP: ffff88812a664000 R08: 0000000000000000 R09: 0000000000000000
[ 405.965319] R10: ffff88802ea0fd00 R11: 0000000000000000 R12: 0000000000000000
[ 405.968624] R13: 0000000000000041 R14: ffff88802b836800 R15: ffff8881250570c0
[ 405.971989] FS: 0000000000000000(0000) GS:ffff888055a00000(0000) knlGS:0000000000000000
[ 405.975645] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 405.978755] CR2: 0000000000000030 CR3: 000000002d200000 CR4: 0000000000340ee0
[ 405.982150] Call Trace:
[ 405.984768] ? amp_read_loc_assoc+0x170/0x170 [bluetooth]
[ 405.987875] ? rcu_read_unlock+0x50/0x50
[ 405.990663] ? deref_stack_reg+0xf0/0xf0
[ 405.993403] ? __module_address+0x3f/0x370
[ 405.996184] ? hci_cmd_work+0x180/0x330 [bluetooth]
[ 405.999170] ? hci_conn_hash_lookup_handle+0x1a1/0x270 [bluetooth]
[ 406.002354] hci_event_packet+0x1476/0x7e00 [bluetooth]
[ 406.005407] ? arch_stack_walk+0x8f/0xf0
[ 406.008206] ? ret_from_fork+0x27/0x50
[ 406.010887] ? hci_cmd_complete_evt+0xbf70/0xbf70 [bluetooth]
[ 406.013933] ? stack_trace_save+0x8a/0xb0
[ 406.016618] ? do_profile_hits.isra.4.cold.9+0x2d/0x2d
[ 406.019483] ? lock_acquire+0x1a3/0x970
[ 406.022092] ? __wake_up_common_lock+0xaf/0x130
I didn't find any solution upstream. After the vmcore analysis I found what is wrong, and took reference from the following patch, which seems to be along similar lines:
commit 6dfccd13db2ff2b709ef60a50163925d477549aa
Author: Anmol Karn <anmol.k...@gmail.com>
Date: Wed Sep 30 19:48:13 2020 +0530
Bluetooth: Fix null pointer dereference in hci_event_packet()
AMP_MGR is getting dereferenced in hci_phy_link_complete_evt(), when called
from hci_event_packet() and there is a possibility, that hcon->amp_mgr may
not be found when accessing after initialization of hcon.
- net/bluetooth/hci_event.c:4945
How can we avoid this scenario? So I made the changes and tested. It worked, or avoided the kernel panic. But I really don't know whether someone has already posted the patch. I would have loved to backport the patch; I was more looking for the fix. That's why I didn't apply the Reported-by tag, as I thought it was reported internally only.
Thanks & regards,
Gopal Tiwari
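Reading the quoted oops, as an added example that is not part of this message or of the kernel tree: the instruction bytes after the `<f0>` marker in the Code: line, the register dump and CR2 together say whether the fault is a NULL dereference through a struct field, and at which offset. The program below parses those lines, decodes the faulting instruction's memory operand and checks whether CR2 equals a near-zero base register plus the displacement. The decoder is deliberately small and, by assumption, covers only "opcode + ModRM [+SIB] + disp8" forms, which is enough for the Code: line quoted above; the sample input is the register and Code: lines from the trace in this message.

```c
/* oops_triage.c (added example, not kernel code): pull the faulting instruction,
 * register dump and CR2 out of an x86-64 oops and test for a NULL-pointer
 * dereference through a struct field.  Assumption: the decoder covers only
 * "opcode + ModRM [+SIB] + disp8" forms, enough for the Code: line above. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
enum { NREGS = 16, MAX_FAULT = 15 };         /* 15 = longest x86 instruction */
/* x86-64 encoding order, so ModRM/SIB register fields index directly */
static const char *const reg_names[NREGS] = {"RAX", "RCX", "RDX", "RBX", "RSP", "RBP",
    "RSI", "RDI", "R08", "R09", "R10", "R11", "R12", "R13", "R14", "R15"};
enum fault_kind { FAULT_UNKNOWN = 0, FAULT_NULL_DEREF = 1 };
struct triage {
    uint64_t regs[NREGS], cr2;
    unsigned char fault[MAX_FAULT];          /* bytes from the <xx> marker on */
    int nfault, base_reg;                    /* base_reg is -1 if not decoded */
    int64_t disp;
};
/* Sample input: the Code: line and register dump quoted in the thread above. */
static const char SAMPLE_OOPS[] =
    "Code: 89 44 24 29 48 b8 00 00 00 00 00 fc ff df 0f b6 04 02 84 c0 74 08 3c 01 0f 8e 9d 00 00 00 0f b7 85 c0 03 00 00 66 89 44 24 2b <f0> 41 80 4c 24 30 04 4c 8d 64 24 68 48 89 ee 4c 89 e7 e8 3d 48 fe\n"
    "RSP: 0018:ffff88802ea0f838 EFLAGS: 00010246\n"
    "RAX: 0000000000000000 RBX: 1ffff11005d41f08 RCX: dffffc0000000000\n"
    "RDX: 1ffff110254cc878 RSI: ffff88802eeee000 RDI: ffff88812a6643c0\n"
    "RBP: ffff88812a664000 R08: 0000000000000000 R09: 0000000000000000\n"
    "R10: ffff88802ea0fd00 R11: 0000000000000000 R12: 0000000000000000\n"
    "R13: 0000000000000041 R14: ffff88802b836800 R15: ffff8881250570c0\n"
    "CR2: 0000000000000030 CR3: 000000002d200000 CR4: 0000000000340ee0\n";
/* "NAME: hex" pairs (every key is 5 chars; RSP carries a "sel:" prefix) and CR2. */
static void parse_regs(struct triage *t, const char *line)
{
    const char *p; char key[8], *end;
    for (int i = 0; i < NREGS; i++) {
        snprintf(key, sizeof key, "%s: ", reg_names[i]);
        if (!(p = strstr(line, key))) continue;
        t->regs[i] = strtoull(p + 5, &end, 16);
        if (*end == ':')                     /* RSP: 0018:ffff88802ea0f838 */
            t->regs[i] = strtoull(end + 1, NULL, 16);
    }
    if ((p = strstr(line, "CR2: "))) t->cr2 = strtoull(p + 5, NULL, 16);
}
/* Collect the instruction bytes starting at the "<xx>" marker. */
static void parse_code(struct triage *t, const char *line)
{
    const char *p = strstr(line, "Code: ");
    if (!p || !(p = strchr(p, '<')))
        return;
    for (p++, t->nfault = 0; t->nfault < MAX_FAULT; p += 2) {
        while (*p == ' ' || *p == '>') p++;
        if (!isxdigit((unsigned char)p[0]) || !isxdigit((unsigned char)p[1]))
            break;
        char hex[3] = {p[0], p[1], 0};
        t->fault[t->nfault++] = (unsigned char)strtoul(hex, NULL, 16);
    }
}
/* Base register and displacement of the faulting instruction's memory operand.
 * Returns 0 on success, -1 for encodings this small decoder does not cover. */
static int decode_mem_operand(const unsigned char *b, int n, int *base, int64_t *disp)
{
    static const unsigned char modrm_ops[] = {0x00, 0x01, 0x08, 0x09, 0x20, 0x21, 0x28,
        0x29, 0x30, 0x31, 0x38, 0x39, 0x80, 0x81, 0x83, 0x84, 0x85, 0x86, 0x87, 0x88,
        0x89, 0x8a, 0x8b, 0x8d, 0xc6, 0xc7, 0xf6, 0xf7, 0xff};
    int i = 0, rex_b = 0, rex_x = 0, mod, rm;
    while (i < n && (b[i] == 0xf0 || b[i] == 0x66 || b[i] == 0xf2 || b[i] == 0xf3))
        i++;                                 /* lock / operand-size / rep prefixes */
    if (i < n && (b[i] & 0xf0) == 0x40) {    /* REX: bit 0 = B, bit 1 = X */
        rex_b = b[i] & 1; rex_x = (b[i] >> 1) & 1; i++;
    }
    if (i + 1 >= n || !memchr(modrm_ops, b[i], sizeof modrm_ops))
        return -1;                           /* opcode not in the ModRM table */
    mod = b[i + 1] >> 6; rm = b[i + 1] & 7; i += 2;
    if (mod == 3 || (rm == 5 && mod == 0))
        return -1;                           /* register operand or RIP-relative */
    if (rm == 4) {                           /* SIB byte: base in its low 3 bits */
        if (i >= n || rex_x || ((b[i] >> 3) & 7) != 4 || ((b[i] & 7) == 5 && mod == 0))
            return -1;                       /* indexed and base-less forms skipped */
        rm = b[i++] & 7;
    }
    *disp = 0;
    if (mod == 1 && i < n) *disp = (int8_t)b[i];
    else if (mod != 0) return -1;            /* disp32 forms not handled (assumption) */
    *base = rm | (rex_b << 3);
    return 0;
}
/* Parse the oops text line by line and classify the fault. */
static enum fault_kind triage_oops(const char *text, struct triage *t)
{
    memset(t, 0, sizeof *t);
    t->base_reg = -1;
    char *copy = malloc(strlen(text) + 1); strcpy(copy, text);
    for (char *line = strtok(copy, "\n"); line; line = strtok(NULL, "\n")) {
        parse_regs(t, line);
        parse_code(t, line);
    }
    free(copy);
    if (decode_mem_operand(t->fault, t->nfault, &t->base_reg, &t->disp) != 0)
        return FAULT_UNKNOWN;
    /* near-zero base and CR2 == base + disp: a field at offset disp was touched
     * through a NULL struct pointer, so CR2 is that field's offset */
    uint64_t base = t->regs[t->base_reg];
    return base < 4096 && base + (uint64_t)t->disp == t->cr2 ? FAULT_NULL_DEREF : FAULT_UNKNOWN;
}
```

On the quoted trace it decodes the faulting bytes `f0 41 80 4c 24 30 04` as a locked byte OR into `[R12 + 0x30]`, finds R12 = 0 in the register dump, and sees that 0 + 0x30 matches CR2 = 0x30: a NULL base pointer with the instruction touching a field at offset 0x30, which is the same picture the message gives of amp_mgr not being found. The same check applied to an oops with a base register far from zero, or with CR2 not equal to base + displacement, returns FAULT_UNKNOWN and so does not mislabel a use-after-free or wild pointer as a NULL dereference.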