diff mbox series

Bluetooth: btusb: Add date->evt_skb is NULL check

Message ID 20231011051447.92581-1-wangyouwan@126.com (mailing list archive)
State Accepted
Commit 79fd960e01d75708ba61ec31996d724744accc59
Headers show
Series Bluetooth: btusb: Add date->evt_skb is NULL check | expand

Checks

Context Check Description
tedd_an/pre-ci_am success Success
tedd_an/CheckPatch success CheckPatch PASS
tedd_an/GitLint success Gitlint PASS
tedd_an/SubjectPrefix success Gitlint PASS
tedd_an/BuildKernel success BuildKernel PASS
tedd_an/CheckAllWarning success CheckAllWarning PASS
tedd_an/CheckSparse success CheckSparse PASS
tedd_an/CheckSmatch success CheckSparse PASS
tedd_an/BuildKernel32 success BuildKernel32 PASS
tedd_an/TestRunnerSetup success TestRunnerSetup PASS
tedd_an/TestRunner_l2cap-tester success TestRunner PASS
tedd_an/TestRunner_iso-tester success TestRunner PASS
tedd_an/TestRunner_bnep-tester success TestRunner PASS
tedd_an/TestRunner_mgmt-tester success TestRunner PASS
tedd_an/TestRunner_rfcomm-tester success TestRunner PASS
tedd_an/TestRunner_sco-tester success TestRunner PASS
tedd_an/TestRunner_ioctl-tester success TestRunner PASS
tedd_an/TestRunner_mesh-tester success TestRunner PASS
tedd_an/TestRunner_smp-tester success TestRunner PASS
tedd_an/TestRunner_userchan-tester success TestRunner PASS
tedd_an/IncrementalBuild success Incremental Build PASS

Commit Message

wangyouwan Oct. 11, 2023, 5:14 a.m. UTC
From: youwan Wang <wangyouwan@126.com>

fix crash because of null pointers

[ 6104.969662] BUG: kernel NULL pointer dereference, address: 00000000000000c8
[ 6104.969667] #PF: supervisor read access in kernel mode
[ 6104.969668] #PF: error_code(0x0000) - not-present page
[ 6104.969670] PGD 0 P4D 0
[ 6104.969673] Oops: 0000 [#1] SMP NOPTI
[ 6104.969684] RIP: 0010:btusb_mtk_hci_wmt_sync+0x144/0x220 [btusb]
[ 6104.969688] RSP: 0018:ffffb8d681533d48 EFLAGS: 00010246
[ 6104.969689] RAX: 0000000000000000 RBX: ffff8ad560bb2000 RCX: 0000000000000006
[ 6104.969691] RDX: 0000000000000000 RSI: ffffb8d681533d08 RDI: 0000000000000000
[ 6104.969692] RBP: ffffb8d681533d70 R08: 0000000000000001 R09: 0000000000000001
[ 6104.969694] R10: 0000000000000001 R11: 00000000fa83b2da R12: ffff8ad461d1d7c0
[ 6104.969695] R13: 0000000000000000 R14: ffff8ad459618c18 R15: ffffb8d681533d90
[ 6104.969697] FS:  00007f5a1cab9d40(0000) GS:ffff8ad578200000(0000) knlGS:00000
[ 6104.969699] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 6104.969700] CR2: 00000000000000c8 CR3: 000000018620c001 CR4: 0000000000760ef0
[ 6104.969701] PKRU: 55555554
[ 6104.969702] Call Trace:
[ 6104.969708]  btusb_mtk_shutdown+0x44/0x80 [btusb]
[ 6104.969732]  hci_dev_do_close+0x470/0x5c0 [bluetooth]
[ 6104.969748]  hci_rfkill_set_block+0x56/0xa0 [bluetooth]
[ 6104.969753]  rfkill_set_block+0x92/0x160
[ 6104.969755]  rfkill_fop_write+0x136/0x1e0
[ 6104.969759]  __vfs_write+0x18/0x40
[ 6104.969761]  vfs_write+0xdf/0x1c0
[ 6104.969763]  ksys_write+0xb1/0xe0
[ 6104.969765]  __x64_sys_write+0x1a/0x20
[ 6104.969769]  do_syscall_64+0x51/0x180
[ 6104.969771]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 6104.969773] RIP: 0033:0x7f5a21f18fef
[ 6104.9] RSP: 002b:00007ffeefe39010 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
[ 6104.969780] RAX: ffffffffffffffda RBX: 000055c10a7560a0 RCX: 00007f5a21f18fef
[ 6104.969781] RDX: 0000000000000008 RSI: 00007ffeefe39060 RDI: 0000000000000012
[ 6104.969782] RBP: 00007ffeefe39060 R08: 0000000000000000 R09: 0000000000000017
[ 6104.969784] R10: 00007ffeefe38d97 R11: 0000000000000293 R12: 0000000000000002
[ 6104.969785] R13: 00007ffeefe39220 R14: 00007ffeefe391a0 R15: 000055c10a72acf0

Signed-off-by: youwan Wang <wangyouwan@126.com>
---
 drivers/bluetooth/btusb.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

bluez.test.bot@gmail.com Oct. 11, 2023, 6:01 a.m. UTC | #1
This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=792044

---Test result---

Test Summary:
CheckPatch                    PASS      0.61 seconds
GitLint                       PASS      0.28 seconds
SubjectPrefix                 PASS      0.08 seconds
BuildKernel                   PASS      35.48 seconds
CheckAllWarning               PASS      38.26 seconds
CheckSparse                   PASS      44.26 seconds
CheckSmatch                   PASS      117.11 seconds
BuildKernel32                 PASS      34.25 seconds
TestRunnerSetup               PASS      525.24 seconds
TestRunner_l2cap-tester       PASS      31.43 seconds
TestRunner_iso-tester         PASS      55.62 seconds
TestRunner_bnep-tester        PASS      10.71 seconds
TestRunner_mgmt-tester        PASS      223.06 seconds
TestRunner_rfcomm-tester      PASS      16.46 seconds
TestRunner_sco-tester         PASS      19.86 seconds
TestRunner_ioctl-tester       PASS      18.50 seconds
TestRunner_mesh-tester        PASS      15.09 seconds
TestRunner_smp-tester         PASS      15.11 seconds
TestRunner_userchan-tester    PASS      11.38 seconds
IncrementalBuild              PASS      32.91 seconds



---
Regards,
Linux Bluetooth
patchwork-bot+bluetooth@kernel.org Oct. 12, 2023, 7:40 p.m. UTC | #2
Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Wed, 11 Oct 2023 13:14:47 +0800 you wrote:
> From: youwan Wang <wangyouwan@126.com>
> 
> fix crash because of null pointers
> 
> [ 6104.969662] BUG: kernel NULL pointer dereference, address: 00000000000000c8
> [ 6104.969667] #PF: supervisor read access in kernel mode
> [ 6104.969668] #PF: error_code(0x0000) - not-present page
> [ 6104.969670] PGD 0 P4D 0
> [ 6104.969673] Oops: 0000 [#1] SMP NOPTI
> [ 6104.969684] RIP: 0010:btusb_mtk_hci_wmt_sync+0x144/0x220 [btusb]
> [ 6104.969688] RSP: 0018:ffffb8d681533d48 EFLAGS: 00010246
> [ 6104.969689] RAX: 0000000000000000 RBX: ffff8ad560bb2000 RCX: 0000000000000006
> [ 6104.969691] RDX: 0000000000000000 RSI: ffffb8d681533d08 RDI: 0000000000000000
> [ 6104.969692] RBP: ffffb8d681533d70 R08: 0000000000000001 R09: 0000000000000001
> [ 6104.969694] R10: 0000000000000001 R11: 00000000fa83b2da R12: ffff8ad461d1d7c0
> [ 6104.969695] R13: 0000000000000000 R14: ffff8ad459618c18 R15: ffffb8d681533d90
> [ 6104.969697] FS:  00007f5a1cab9d40(0000) GS:ffff8ad578200000(0000) knlGS:00000
> [ 6104.969699] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 6104.969700] CR2: 00000000000000c8 CR3: 000000018620c001 CR4: 0000000000760ef0
> [ 6104.969701] PKRU: 55555554
> [ 6104.969702] Call Trace:
> [ 6104.969708]  btusb_mtk_shutdown+0x44/0x80 [btusb]
> [ 6104.969732]  hci_dev_do_close+0x470/0x5c0 [bluetooth]
> [ 6104.969748]  hci_rfkill_set_block+0x56/0xa0 [bluetooth]
> [ 6104.969753]  rfkill_set_block+0x92/0x160
> [ 6104.969755]  rfkill_fop_write+0x136/0x1e0
> [ 6104.969759]  __vfs_write+0x18/0x40
> [ 6104.969761]  vfs_write+0xdf/0x1c0
> [ 6104.969763]  ksys_write+0xb1/0xe0
> [ 6104.969765]  __x64_sys_write+0x1a/0x20
> [ 6104.969769]  do_syscall_64+0x51/0x180
> [ 6104.969771]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
> [ 6104.969773] RIP: 0033:0x7f5a21f18fef
> [ 6104.9] RSP: 002b:00007ffeefe39010 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
> [ 6104.969780] RAX: ffffffffffffffda RBX: 000055c10a7560a0 RCX: 00007f5a21f18fef
> [ 6104.969781] RDX: 0000000000000008 RSI: 00007ffeefe39060 RDI: 0000000000000012
> [ 6104.969782] RBP: 00007ffeefe39060 R08: 0000000000000000 R09: 0000000000000017
> [ 6104.969784] R10: 00007ffeefe38d97 R11: 0000000000000293 R12: 0000000000000002
> [ 6104.969785] R13: 00007ffeefe39220 R14: 00007ffeefe391a0 R15: 000055c10a72acf0
> 
> [...]

Here is the summary with links:
  - Bluetooth: btusb: Add date->evt_skb is NULL check
    https://git.kernel.org/bluetooth/bluetooth-next/c/79fd960e01d7

You are awesome, thank you!
diff mbox series

Patch

diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index 3fdad35e5e1d..d793dcd06687 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -2824,6 +2824,9 @@  static int btusb_mtk_hci_wmt_sync(struct hci_dev *hdev,
 		goto err_free_wc;
 	}
 
+	if (data->evt_skb == NULL)
+		goto err_free_wc;
+
 	/* Parse and handle the return WMT event */
 	wmt_evt = (struct btmtk_hci_wmt_evt *)data->evt_skb->data;
 	if (wmt_evt->whdr.op != hdr->op) {