[v6.1] BUG: unable to handle kernel paging request in btintel_read_version


syzbot

Mar 26, 2024, 10:05:28 PM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: e5cd595e23c1 Linux 6.1.83
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=16a43ef1180000
kernel config: https://syzkaller.appspot.com/x/.config?x=638c7154137d2582
dashboard link: https://syzkaller.appspot.com/bug?extid=431cb687015204d8ad1a
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/a9b3de36bd43/disk-e5cd595e.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/2af9bc6e6ea4/vmlinux-e5cd595e.xz
kernel image: https://storage.googleapis.com/syzbot-assets/7f58381bafc0/Image-e5cd595e.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+431cb6...@syzkaller.appspotmail.com

Unable to handle kernel paging request at virtual address dfff80000000000e
KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
Mem abort info:
ESR = 0x0000000096000006
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x06: level 2 translation fault
Data abort info:
ISV = 0, ISS = 0x00000006
CM = 0, WnR = 0
[dfff80000000000e] address between user and kernel address ranges
Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 4259 Comm: kworker/u5:5 Not tainted 6.1.83-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
Workqueue: hci3 hci_power_on
pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : btintel_read_version+0x90/0x194 drivers/bluetooth/btintel.c:414
lr : btintel_read_version+0x3c/0x194 drivers/bluetooth/btintel.c:407
sp : ffff80001df47420
x29: ffff80001df47420 x28: ffff80001df474c0 x27: ffff80001df47640
x26: 0000000000000000 x25: ffff700003be8e98 x24: ffff0000dbc85fb8
x23: dfff800000000000 x22: ffff80001df47620 x21: ffff0000dbc84000
x20: ffff80001df47620 x19: 0000000000000000 x18: ffff80001def7480
x17: ffff8000188cc000 x16: ffff8000084f9258 x15: 0000000000000000
x14: 0000000000000002 x13: ffff0000c4e91bc0 x12: 0000000000ff0100
x11: 0000000000ff0100 x10: 0000000000000003 x9 : 000000000000000e
x8 : 0000000000000070 x7 : ffff8000082db800 x6 : 0000000000000000
x5 : 0000000000000080 x4 : 0000000000000001 x3 : 0000000000000000
x2 : 0000000000000006 x1 : 0000000000000031 x0 : 0000000000000000
Call trace:
btintel_read_version+0x90/0x194 drivers/bluetooth/btintel.c:414
ag6xx_setup+0x1a4/0xd0c drivers/bluetooth/hci_ag6xx.c:169
hci_uart_setup+0x330/0x7d8 drivers/bluetooth/hci_ldisc.c:423
hci_dev_setup_sync net/bluetooth/hci_sync.c:4678 [inline]
hci_dev_init_sync net/bluetooth/hci_sync.c:4748 [inline]
hci_dev_open_sync+0x35c/0x3078 net/bluetooth/hci_sync.c:4846
hci_dev_do_open net/bluetooth/hci_core.c:483 [inline]
hci_power_on+0x150/0x68c net/bluetooth/hci_core.c:984
process_one_work+0x7ac/0x1404 kernel/workqueue.c:2292
worker_thread+0x8e4/0xfec kernel/workqueue.c:2439
kthread+0x250/0x2d8 kernel/kthread.c:376
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:864
Code: f2fbfff7 d343fd09 1200090a 11000d4a (38f76929)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
0: f2fbfff7 movk x23, #0xdfff, lsl #48
4: d343fd09 lsr x9, x8, #3
8: 1200090a and w10, w8, #0x7
c: 11000d4a add w10, w10, #0x3
* 10: 38f76929 ldrsb w9, [x9, x23] <-- trapping instruction


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

Mar 27, 2024, 12:18:18 AM
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: e5cd595e23c1 Linux 6.1.83
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=13bd1291180000
kernel config: https://syzkaller.appspot.com/x/.config?x=638c7154137d2582
dashboard link: https://syzkaller.appspot.com/bug?extid=431cb687015204d8ad1a
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=112de6be180000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1520823a180000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/a9b3de36bd43/disk-e5cd595e.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/2af9bc6e6ea4/vmlinux-e5cd595e.xz
kernel image: https://storage.googleapis.com/syzbot-assets/7f58381bafc0/Image-e5cd595e.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+431cb6...@syzkaller.appspotmail.com

Unable to handle kernel paging request at virtual address dfff80000000000e
KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
Mem abort info:
ESR = 0x0000000096000006
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x06: level 2 translation fault
Data abort info:
ISV = 0, ISS = 0x00000006
CM = 0, WnR = 0
[dfff80000000000e] address between user and kernel address ranges
Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 4242 Comm: kworker/u5:7 Not tainted 6.1.83-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
Workqueue: hci3 hci_power_on
pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : btintel_read_version+0x90/0x194 drivers/bluetooth/btintel.c:414
lr : btintel_read_version+0x3c/0x194 drivers/bluetooth/btintel.c:407
sp : ffff80001dda7420
x29: ffff80001dda7420 x28: ffff80001dda74c0 x27: ffff80001dda7640
x26: 0000000000000000 x25: ffff700003bb4e98 x24: ffff0000d7cc9fb8
x23: dfff800000000000 x22: ffff80001dda7620 x21: ffff0000d7cc8000
x20: ffff80001dda7620 x19: 0000000000000000 x18: ffff80001dd87480
x17: ffff8000188cc000 x16: ffff8000084f9258 x15: 0000000000000000
x14: 0000000000000002 x13: ffff0000d7c3d340 x12: 0000000000ff0100
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.