From: kernel test robot <lkp@intel.com>
To: Pavel Skripkin <paskripkin@gmail.com>,
	Marcel Holtmann <marcel@holtmann.org>
Cc: kbuild-all@lists.01.org,
	syzbot <syzbot+be2baed593ea56c6a84c@syzkaller.appspotmail.com>,
	Johan Hedberg <johan.hedberg@gmail.com>,
	kuba@kernel.org, linux-bluetooth@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	Luiz Augusto von Dentz <luiz.dentz@gmail.com>,
	netdev@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [PATCH] Bluetooth: add timeout sanity check to hci_inquiry
Date: Tue, 17 Aug 2021 06:39:26 +0800
Message-ID: <202108170602.pGhhVg7u-lkp@intel.com>
In-Reply-To: <568c354b-6e4b-d15a-613e-3389c99a93a1@gmail.com>

Hi Pavel,

Thank you for the patch! Yet something to improve:

[auto build test ERROR on bluetooth/master]
[also build test ERROR on bluetooth-next/master net-next/master net/master sparc-next/master v5.14-rc6 next-20210816]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting a patch, we suggest using '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/Pavel-Skripkin/Bluetooth-add-timeout-sanity-check-to-hci_inquiry/20210817-040113
base:   https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth.git master
config: arc-randconfig-r043-20210816 (attached as .config)
compiler: arc-elf-gcc (GCC) 11.2.0
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/0day-ci/linux/commit/cb175bf2ea0de6152c66ce30cd1d3d665fda338b
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review Pavel-Skripkin/Bluetooth-add-timeout-sanity-check-to-hci_inquiry/20210817-040113
        git checkout cb175bf2ea0de6152c66ce30cd1d3d665fda338b
        # save the attached .config to linux build tree
        mkdir build_dir
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.2.0 make.cross O=build_dir ARCH=arc SHELL=/bin/bash net/bluetooth/

If you fix the issue, kindly add the following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>

All errors (new ones prefixed by >>):

   net/bluetooth/hci_core.c: In function 'hci_inquiry':
>> net/bluetooth/hci_core.c:1346:25: error: 'HCI_MAX_TIMEOUT' undeclared (first use in this function); did you mean 'HCI_CMD_TIMEOUT'?
    1346 |         if (ir.length > HCI_MAX_TIMEOUT) {
         |                         ^~~~~~~~~~~~~~~
         |                         HCI_CMD_TIMEOUT
   net/bluetooth/hci_core.c:1346:25: note: each undeclared identifier is reported only once for each function it appears in


vim +1346 net/bluetooth/hci_core.c

  1309	
  1310	int hci_inquiry(void __user *arg)
  1311	{
  1312		__u8 __user *ptr = arg;
  1313		struct hci_inquiry_req ir;
  1314		struct hci_dev *hdev;
  1315		int err = 0, do_inquiry = 0, max_rsp;
  1316		long timeo;
  1317		__u8 *buf;
  1318	
  1319		if (copy_from_user(&ir, ptr, sizeof(ir)))
  1320			return -EFAULT;
  1321	
  1322		hdev = hci_dev_get(ir.dev_id);
  1323		if (!hdev)
  1324			return -ENODEV;
  1325	
  1326		if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
  1327			err = -EBUSY;
  1328			goto done;
  1329		}
  1330	
  1331		if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
  1332			err = -EOPNOTSUPP;
  1333			goto done;
  1334		}
  1335	
  1336		if (hdev->dev_type != HCI_PRIMARY) {
  1337			err = -EOPNOTSUPP;
  1338			goto done;
  1339		}
  1340	
  1341		if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
  1342			err = -EOPNOTSUPP;
  1343			goto done;
  1344		}
  1345	
> 1346		if (ir.length > HCI_MAX_TIMEOUT) {
  1347			err = -EINVAL;
  1348			goto done;
  1349		}
  1350	
  1351		hci_dev_lock(hdev);
  1352		if (inquiry_cache_age(hdev) > INQUIRY_CACHE_AGE_MAX ||
  1353		    inquiry_cache_empty(hdev) || ir.flags & IREQ_CACHE_FLUSH) {
  1354			hci_inquiry_cache_flush(hdev);
  1355			do_inquiry = 1;
  1356		}
  1357		hci_dev_unlock(hdev);
  1358	
  1359		timeo = ir.length * msecs_to_jiffies(2000);
  1360	
  1361		if (do_inquiry) {
  1362			err = hci_req_sync(hdev, hci_inq_req, (unsigned long) &ir,
  1363					   timeo, NULL);
  1364			if (err < 0)
  1365				goto done;
  1366	
  1367			/* Wait until Inquiry procedure finishes (HCI_INQUIRY flag is
  1368			 * cleared). If it is interrupted by a signal, return -EINTR.
  1369			 */
  1370			if (wait_on_bit(&hdev->flags, HCI_INQUIRY,
  1371					TASK_INTERRUPTIBLE)) {
  1372				err = -EINTR;
  1373				goto done;
  1374			}
  1375		}
  1376	
  1377		/* for unlimited number of responses we will use buffer with
  1378		 * 255 entries
  1379		 */
  1380		max_rsp = (ir.num_rsp == 0) ? 255 : ir.num_rsp;
  1381	
  1382		/* cache_dump can't sleep. Therefore we allocate temp buffer and then
  1383		 * copy it to the user space.
  1384		 */
  1385		buf = kmalloc_array(max_rsp, sizeof(struct inquiry_info), GFP_KERNEL);
  1386		if (!buf) {
  1387			err = -ENOMEM;
  1388			goto done;
  1389		}
  1390	
  1391		hci_dev_lock(hdev);
  1392		ir.num_rsp = inquiry_cache_dump(hdev, max_rsp, buf);
  1393		hci_dev_unlock(hdev);
  1394	
  1395		BT_DBG("num_rsp %d", ir.num_rsp);
  1396	
  1397		if (!copy_to_user(ptr, &ir, sizeof(ir))) {
  1398			ptr += sizeof(ir);
  1399			if (copy_to_user(ptr, buf, sizeof(struct inquiry_info) *
  1400					 ir.num_rsp))
  1401				err = -EFAULT;
  1402		} else
  1403			err = -EFAULT;
  1404	
  1405		kfree(buf);
  1406	
  1407	done:
  1408		hci_dev_put(hdev);
  1409		return err;
  1410	}
  1411	

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org

[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 32665 bytes --]

Thread overview: 14+ messages
2021-08-12  6:13 [syzbot] INFO: task hung in hci_req_sync syzbot
2021-08-12  9:49 ` Pavel Skripkin
2021-08-16 15:56   ` Marcel Holtmann
2021-08-16 20:00     ` Pavel Skripkin
2021-08-16 21:01       ` syzbot
2021-08-16 21:04         ` Pavel Skripkin
2021-08-17  3:03           ` syzbot
2021-08-16 22:39       ` kernel test robot [this message]
2021-08-16 22:39         ` [PATCH] Bluetooth: add timeout sanity check to hci_inquiry kernel test robot
2021-08-16 23:28       ` kernel test robot
2021-08-16 23:28         ` kernel test robot
  -- strict thread matches above, loose matches on Subject: below --
2021-08-17 10:31 Pavel Skripkin
2021-08-19 15:05 ` Marcel Holtmann
2021-08-19 15:09   ` Pavel Skripkin
