Re: [syzbot] KASAN: null-ptr-deref Write in __pm_runtime_resume

From: Pavel Skripkin
Date: Thu Sep 02 2021 - 15:19:16 EST


On 9/2/21 01:57, syzbot wrote:
syzbot has found a reproducer for the following issue on:

HEAD commit: 835d31d319d9 Merge tag 'media/v5.15-1' of git://git.kernel..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1374b85d300000
kernel config: https://syzkaller.appspot.com/x/.config?x=9c32e23fada3a0e4
dashboard link: https://syzkaller.appspot.com/bug?extid=7d41312fe3f123a6f605
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.1
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16fde215300000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11aa9149300000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7d41312fe3f123a6f605@xxxxxxxxxxxxxxxxxxxxxxxxx

Bluetooth: : Invalid header checksum
Bluetooth: : Invalid header checksum
==================================================================
BUG: KASAN: null-ptr-deref in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: null-ptr-deref in atomic_inc include/linux/atomic/atomic-instrumented.h:181 [inline]
BUG: KASAN: null-ptr-deref in __pm_runtime_resume+0x154/0x180 drivers/base/power/runtime.c:1105
Write of size 4 at addr 0000000000000388 by task kworker/u4:4/244



Looks like missing if (hu->serdev)

#syz test
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


With regards,
Pavel Skripkin

From a30dfa93fc6f7e2ecc7759ac75c742e512b527f0 Mon Sep 17 00:00:00 2001
From: Pavel Skripkin <paskripkin@xxxxxxxxx>
Date: Thu, 2 Sep 2021 22:17:05 +0300
Subject: [PATCH] Bluetooth: hci: fix GPF in h5_recv

/* ... */

Signed-off-by: Pavel Skripkin <paskripkin@xxxxxxxxx>
---
drivers/bluetooth/hci_h5.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/drivers/bluetooth/hci_h5.c b/drivers/bluetooth/hci_h5.c
index 0c0dedece59c..eb0099a21288 100644
--- a/drivers/bluetooth/hci_h5.c
+++ b/drivers/bluetooth/hci_h5.c
@@ -587,9 +587,11 @@ static int h5_recv(struct hci_uart *hu, const void *data, int count)
count -= processed;
}

- pm_runtime_get(&hu->serdev->dev);
- pm_runtime_mark_last_busy(&hu->serdev->dev);
- pm_runtime_put_autosuspend(&hu->serdev->dev);
+ if (hu->serdev) {
+ pm_runtime_get(&hu->serdev->dev);
+ pm_runtime_mark_last_busy(&hu->serdev->dev);
+ pm_runtime_put_autosuspend(&hu->serdev->dev);
+ }

return 0;
}
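Review bot: the commit message body (shown above only as "/* ... */") does not say why hu->serdev can be NULL on the h5_recv path, and the trailers carry only a Signed-off-by even though the syzbot report asks for the "Reported-by: syzbot+7d41312fe3f123a6f605@..." tag; add a sentence explaining the NULL serdev case and the Reported-by tag (plus a Fixes: tag if the offending commit is known) before resending. The subject says "fix GPF" while the report is a KASAN null-ptr-deref write at address 0x388, which is consistent with dereferencing &hu->serdev->dev with a NULL serdev, so describing it as a NULL pointer dereference would match the report better. The guard itself is the right shape: all three pm_runtime calls take the same &hu->serdev->dev and are skipped together, so no runtime-PM get/put imbalance is introduced when serdev is absent.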
--
2.33.0