From: Anmol Karn <anmol.karan123@gmail.com>
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: marcel@holtmann.org, johan.hedberg@gmail.com,
	linux-kernel-mentees@lists.linuxfoundation.org,
	linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com,
	netdev@vger.kernel.org, linux-bluetooth@vger.kernel.org,
	kuba@kernel.org, davem@davemloft.net,
	syzbot+0bef568258653cff272f@syzkaller.appspotmail.com
Subject: Re: [Linux-kernel-mentees] [PATCH] net: bluetooth: Fix null pointer dereference in hci_event_packet()
Date: Tue, 15 Sep 2020 00:07:34 +0530	[thread overview]
Message-ID: <20200914183734.GA213347@Thinkpad> (raw)
In-Reply-To: <20200914154405.GC18329@kadam>

Hello Sir,
 
> > I have looked into the Bisected logs and the problem occurs from this commit:
> > 
> > 941992d29447 ("ethernet: amd: use IS_ENABLED() instead of checking for built-in or module")
> > 
> 
> That's just the patch which made the code testable by syzbot.  It didn't
> introduce the bug.
> 
> > 
> > Here is a diff of patch which i modified from last patch,
> > 
> > diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
> > index 4b7fc430793c..6ce435064e0b 100644
> > --- a/net/bluetooth/hci_event.c
> > +++ b/net/bluetooth/hci_event.c
> > @@ -4936,6 +4936,12 @@ static void hci_phy_link_complete_evt(struct hci_dev *hdev,
> >                 return;
> >         }
> > 
> > +       if (!hcon->amp_mgr) {
> > +               hci_conn_del(hcon);
> > +               hci_dev_unlock(hdev);
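Review bot: the quoted hunk stops at `hci_dev_unlock(hdev);` with no `return;` and no closing brace visible, while the `@@ -4936,6 +4936,12 @@` header says six lines were added and only three are quoted, so the rest of the block was cut off in the reply; from this excerpt a reader cannot confirm that the function returns after unlocking instead of falling through to the `hcon->amp_mgr` dereference the check is meant to guard, so the full hunk should be quoted or re-sent. Separately, the existing early-return path in the context lines just above only unlocks and returns, whereas this new path also calls hci_conn_del(); the commit message should explain why an hcon with a NULL amp_mgr is torn down rather than left in place, since deleting a connection is a stronger action than skipping the event, and that justification is exactly what the reviewer asks for below.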
> 
> I have no idea if calling hci_conn_del() is really the correct thing.
> I don't know the code at all.  Anyway, do some research and figure out
> for sure what the correct thing is.

I have created my patch on the basis of the already-applied condition handling
in this function, i.e. whenever a NULL dereference occurs, connection cleanup is
required; hence hci_conn_del() is used here. Will see if anything else could be
done.

> 
> Also look for similar bugs in other places where hcon->amp_mgr is
> dereferenced.  For example, amp_read_loc_assoc_final_data() seems to
> have a similar bug.
> 

Sure sir, will look into it.

> regards,
> dan carpenter
> 

Thanks,
Anmol

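The control flow the thread is arguing about, as an added user-space model that is neither the kernel's code nor the patch author's: an event handler looks up a connection by handle and, unpatched, reads `hcon->amp_mgr` without checking it; the patched flow deletes the connection and releases the device lock before returning. The names hci_conn, hci_dev, hci_conn_hash_lookup_handle(), hci_dev_lock()/hci_dev_unlock() and hci_conn_del() are borrowed from the thread, but their bodies, hci_conn_del() taking an hdev argument, the `patched` flag, the result codes and the two constructed connections (handles 0x0100 and 0x0101) are assumptions of this example and not the kernel's definitions.

```c
/* Added example: user-space model (not kernel code) of the control flow the
 * thread discusses in hci_phy_link_complete_evt(). Structures, the connection
 * list and hci_conn_del() taking an hdev argument are simplified stand-ins. */
#include <stdint.h>
#include <stdlib.h>

struct amp_mgr { int id; };

struct hci_conn {
	uint16_t handle;
	struct amp_mgr *amp_mgr;	/* NULL when no AMP manager exists for the link */
	struct hci_conn *next;
};

struct hci_dev { struct hci_conn *conns; int lock_depth; /* lock/unlock balance */ };

enum evt_result {		/* which path the handler took */
	EVT_WOULD_CRASH = -1,	/* unpatched code dereferences a NULL amp_mgr here */
	EVT_NO_CONN = 1,	/* handle matched no connection */
	EVT_NO_AMP_MGR = 2,	/* patched: connection deleted, lock released */
	EVT_HANDLED = 3		/* normal path */
};

static void hci_dev_lock(struct hci_dev *hdev)   { hdev->lock_depth++; }
static void hci_dev_unlock(struct hci_dev *hdev) { hdev->lock_depth--; }

static struct hci_conn *hci_conn_hash_lookup_handle(struct hci_dev *hdev, uint16_t handle)
{
	for (struct hci_conn *c = hdev->conns; c; c = c->next)
		if (c->handle == handle)
			return c;
	return NULL;
}

static void hci_conn_add(struct hci_dev *hdev, uint16_t handle, struct amp_mgr *mgr)
{
	struct hci_conn *c = calloc(1, sizeof(*c));
	c->handle = handle;
	c->amp_mgr = mgr;
	c->next = hdev->conns;
	hdev->conns = c;
}

/* Unlink and free; the caller holds the device lock, as in the kernel. */
static void hci_conn_del(struct hci_dev *hdev, struct hci_conn *hcon)
{
	struct hci_conn **pp = &hdev->conns;
	while (*pp && *pp != hcon)
		pp = &(*pp)->next;
	if (*pp)
		*pp = hcon->next;
	free(hcon);
}

/* 'patched' selects the flow with the amp_mgr check proposed in the thread. */
static int phy_link_complete_evt(struct hci_dev *hdev, uint16_t handle, int patched)
{
	hci_dev_lock(hdev);

	struct hci_conn *hcon = hci_conn_hash_lookup_handle(hdev, handle);
	if (!hcon) {
		hci_dev_unlock(hdev);
		return EVT_NO_CONN;
	}

	if (!hcon->amp_mgr) {
		if (!patched) {		/* real code would fault; report instead */
			hci_dev_unlock(hdev);
			return EVT_WOULD_CRASH;
		}
		/* Patched flow: drop the connection and release the lock on this
		 * early-return path exactly as the !hcon path above does. */
		hci_conn_del(hdev, hcon);
		hci_dev_unlock(hdev);
		return EVT_NO_AMP_MGR;
	}

	(void)hcon->amp_mgr->id;	/* stands in for the real use of amp_mgr */
	hci_dev_unlock(hdev);
	return EVT_HANDLED;
}

/* Drives the cases; returns 0 on success or the number of the failing check. */
static int run_scenario(void)
{
	struct hci_dev hdev = { 0 };
	struct amp_mgr mgr = { 1 };

	hci_conn_add(&hdev, 0x0100, NULL);	/* constructed: link with no AMP manager */
	hci_conn_add(&hdev, 0x0101, &mgr);	/* constructed: link with an AMP manager */

	if (phy_link_complete_evt(&hdev, 0x0200, 1) != EVT_NO_CONN)
		return 1;
	if (phy_link_complete_evt(&hdev, 0x0100, 0) != EVT_WOULD_CRASH)
		return 2;
	if (phy_link_complete_evt(&hdev, 0x0100, 1) != EVT_NO_AMP_MGR)
		return 3;
	if (hci_conn_hash_lookup_handle(&hdev, 0x0100))	/* must be deleted now */
		return 4;
	if (phy_link_complete_evt(&hdev, 0x0101, 1) != EVT_HANDLED)
		return 5;
	if (hdev.lock_depth != 0)	/* every path must drop the device lock */
		return 6;
	hci_conn_del(&hdev, hci_conn_hash_lookup_handle(&hdev, 0x0101));
	return 0;
}

int main(void) { return run_scenario(); }
```

The lock counter is the part worth watching: any early return added to an event handler that runs under hci_dev_lock() must unlock on that path, which is why the model checks lock_depth after all three event cases and why the check for a deleted connection follows the EVT_NO_AMP_MGR case.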

Thread overview: 24+ messages
2020-09-10  4:34 [Linux-kernel-mentees] [PATCH] net: bluetooth: Fix null pointer dereference in hci_event_packet() Anmol Karn
2020-09-10  5:06 ` Eric Biggers
2020-09-10  6:02   ` Anmol Karn
2020-09-10 10:49 ` Dan Carpenter
2020-09-10 14:58   ` Anmol Karn
2020-09-12  9:10   ` Anmol Karn
2020-09-14 15:44     ` Dan Carpenter
2020-09-14 18:37       ` Anmol Karn [this message]
2020-09-29 17:32       ` Anmol Karn
2020-09-30 14:18         ` Anmol Karn
2020-10-01  7:06           ` Marcel Holtmann
2020-10-01  7:45             ` Anmol Karn
