From: syzbot <syzbot+1683f76f1b20b826de67@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, lizhi.xu@windriver.com,
	syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Write in hci_conn_drop (2)
Date: Fri, 03 Nov 2023 23:00:05 -0700	[thread overview]
Message-ID: <0000000000001fe42606094d5524@google.com> (raw)
In-Reply-To: <20231104054009.3030149-1-lizhi.xu@windriver.com>

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING: ODEBUG bug in bt_link_release

------------[ cut here ]------------
ODEBUG: free active (active state 0) object: 000000004ad6f07b object type: work_struct hint: hci_conn_timeout+0x0/0x1e8 net/bluetooth/hci_conn.c:928
WARNING: CPU: 1 PID: 6612 at lib/debugobjects.c:517 debug_print_object lib/debugobjects.c:514 [inline]
WARNING: CPU: 1 PID: 6612 at lib/debugobjects.c:517 __debug_check_no_obj_freed lib/debugobjects.c:1032 [inline]
WARNING: CPU: 1 PID: 6612 at lib/debugobjects.c:517 debug_check_no_obj_freed+0x41c/0x534 lib/debugobjects.c:1063
Modules linked in:
CPU: 1 PID: 6612 Comm: syz-executor.0 Not tainted 6.6.0-rc7-syzkaller-00089-g8de1e7afcc1c-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : debug_print_object lib/debugobjects.c:514 [inline]
pc : __debug_check_no_obj_freed lib/debugobjects.c:1032 [inline]
pc : debug_check_no_obj_freed+0x41c/0x534 lib/debugobjects.c:1063
lr : debug_print_object lib/debugobjects.c:514 [inline]
lr : __debug_check_no_obj_freed lib/debugobjects.c:1032 [inline]
lr : debug_check_no_obj_freed+0x41c/0x534 lib/debugobjects.c:1063
sp : ffff800097057960
x29: ffff8000970579b0 x28: ffff80008a8710a0 x27: dfff800000000000
x26: ffff0000c6644348 x25: 0000000000000000 x24: ffff800092a17c98
x23: ffff80008a8710a0 x22: ffff0000c6644348 x21: ffff800092a17c90
x20: ffff80008ad65078 x19: ffff0000c6644000 x18: ffff800097056e60
x17: 626f206237306636 x16: ffff80008a71b27c x15: 0000000000000001
x14: 1fffe00036833432 x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000000001 x10: 0000000000000000 x9 : e8b2fd3c26f6bd00
x8 : e8b2fd3c26f6bd00 x7 : 0000000000000001 x6 : 0000000000000001
x5 : ffff800097057258 x4 : ffff80008e4210a0 x3 : ffff8000805a359c
x2 : 0000000000000001 x1 : 0000000100000001 x0 : 0000000000000000
Call trace:
 debug_print_object lib/debugobjects.c:514 [inline]
 __debug_check_no_obj_freed lib/debugobjects.c:1032 [inline]
 debug_check_no_obj_freed+0x41c/0x534 lib/debugobjects.c:1063
 slab_free_hook mm/slub.c:1775 [inline]
 slab_free_freelist_hook mm/slub.c:1826 [inline]
 slab_free mm/slub.c:3809 [inline]
 __kmem_cache_free+0x250/0x480 mm/slub.c:3822
 kfree+0xb8/0x19c mm/slab_common.c:1075
 bt_link_release+0x20/0x30 net/bluetooth/hci_sysfs.c:16
 device_release+0x8c/0x1ac
 kobject_cleanup lib/kobject.c:682 [inline]
 kobject_release lib/kobject.c:716 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x1c4/0x3c4 lib/kobject.c:733
 put_device+0x28/0x40 drivers/base/core.c:3732
 hci_conn_put include/net/bluetooth/hci_core.h:1506 [inline]
 __sco_sock_close+0x3dc/0x7e4 net/bluetooth/sco.c:445
 sco_sock_close net/bluetooth/sco.c:470 [inline]
 sco_sock_release+0xb4/0x2c0 net/bluetooth/sco.c:1247
 __sock_release net/socket.c:659 [inline]
 sock_close+0xa4/0x1e8 net/socket.c:1419
 __fput+0x324/0x7f8 fs/file_table.c:384
 __fput_sync+0x60/0x9c fs/file_table.c:465
 __do_sys_close fs/open.c:1572 [inline]
 __se_sys_close fs/open.c:1557 [inline]
 __arm64_sys_close+0x150/0x1e0 fs/open.c:1557
 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155
 el0_svc+0x54/0x158 arch/arm64/kernel/entry-common.c:678
 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595
irq event stamp: 15314
hardirqs last  enabled at (15313): [<ffff800080355dd4>] __up_console_sem kernel/printk/printk.c:347 [inline]
hardirqs last  enabled at (15313): [<ffff800080355dd4>] __console_unlock kernel/printk/printk.c:2718 [inline]
hardirqs last  enabled at (15313): [<ffff800080355dd4>] console_unlock+0x17c/0x3d4 kernel/printk/printk.c:3037
hardirqs last disabled at (15314): [<ffff80008a716da0>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:436
softirqs last  enabled at (15298): [<ffff800080021894>] softirq_handle_end kernel/softirq.c:399 [inline]
softirqs last  enabled at (15298): [<ffff800080021894>] __do_softirq+0xac0/0xd54 kernel/softirq.c:582
softirqs last disabled at (15287): [<ffff80008002aadc>] ____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:80
---[ end trace 0000000000000000 ]---
BUG: sleeping function called from invalid context at kernel/workqueue.c:3344
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 6612, name: syz-executor.0
preempt_count: 1, expected: 0
RCU nest depth: 0, expected: 0
3 locks held by syz-executor.0/6612:
 #0: ffff0000df81c410 (&sb->s_type->i_mutex_key#10){+.+.}-{3:3}, at: inode_lock include/linux/fs.h:802 [inline]
 #0: ffff0000df81c410 (&sb->s_type->i_mutex_key#10){+.+.}-{3:3}, at: __sock_release net/socket.c:658 [inline]
 #0: ffff0000df81c410 (&sb->s_type->i_mutex_key#10){+.+.}-{3:3}, at: sock_close+0x80/0x1e8 net/socket.c:1419
 #1: ffff0000c8dca130 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1720 [inline]
 #1: ffff0000c8dca130 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_sock_close net/bluetooth/sco.c:468 [inline]
 #1: ffff0000c8dca130 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_sock_release+0x60/0x2c0 net/bluetooth/sco.c:1247
 #2: ffff0000c6413620 (&conn->lock#2){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
 #2: ffff0000c6413620 (&conn->lock#2){+.+.}-{2:2}, at: __sco_sock_close+0x378/0x7e4 net/bluetooth/sco.c:443
Preemption disabled at:
[<ffff800089996cf8>] spin_lock include/linux/spinlock.h:351 [inline]
[<ffff800089996cf8>] __sco_sock_close+0x378/0x7e4 net/bluetooth/sco.c:443
CPU: 1 PID: 6612 Comm: syz-executor.0 Tainted: G        W          6.6.0-rc7-syzkaller-00089-g8de1e7afcc1c-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
Call trace:
 dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:233
 show_stack+0x2c/0x44 arch/arm64/kernel/stacktrace.c:240
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106
 dump_stack+0x1c/0x28 lib/dump_stack.c:113
 __might_resched+0x374/0x4d0 kernel/sched/core.c:10187
 __might_sleep+0x90/0xe4 kernel/sched/core.c:10116
 start_flush_work+0x44/0x7bc kernel/workqueue.c:3344
 __flush_work+0x11c/0x1c0 kernel/workqueue.c:3406
 __cancel_work_timer+0x3e4/0x540 kernel/workqueue.c:3494
 cancel_work_sync kernel/workqueue.c:3530 [inline]
 work_fixup_free+0x40/0x70 kernel/workqueue.c:554
 debug_object_fixup lib/debugobjects.c:530 [inline]
 __debug_check_no_obj_freed lib/debugobjects.c:1033 [inline]
 debug_check_no_obj_freed+0x464/0x534 lib/debugobjects.c:1063
 slab_free_hook mm/slub.c:1775 [inline]
 slab_free_freelist_hook mm/slub.c:1826 [inline]
 slab_free mm/slub.c:3809 [inline]
 __kmem_cache_free+0x250/0x480 mm/slub.c:3822
 kfree+0xb8/0x19c mm/slab_common.c:1075
 bt_link_release+0x20/0x30 net/bluetooth/hci_sysfs.c:16
 device_release+0x8c/0x1ac
 kobject_cleanup lib/kobject.c:682 [inline]
 kobject_release lib/kobject.c:716 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x1c4/0x3c4 lib/kobject.c:733
 put_device+0x28/0x40 drivers/base/core.c:3732
 hci_conn_put include/net/bluetooth/hci_core.h:1506 [inline]
 __sco_sock_close+0x3dc/0x7e4 net/bluetooth/sco.c:445
 sco_sock_close net/bluetooth/sco.c:470 [inline]
 sco_sock_release+0xb4/0x2c0 net/bluetooth/sco.c:1247
 __sock_release net/socket.c:659 [inline]
 sock_close+0xa4/0x1e8 net/socket.c:1419
 __fput+0x324/0x7f8 fs/file_table.c:384
 __fput_sync+0x60/0x9c fs/file_table.c:465
 __do_sys_close fs/open.c:1572 [inline]
 __se_sys_close fs/open.c:1557 [inline]
 __arm64_sys_close+0x150/0x1e0 fs/open.c:1557
 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155
 el0_svc+0x54/0x158 arch/arm64/kernel/entry-common.c:678
 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595


Tested on:

commit:         8de1e7af Merge branch 'for-next/core' into for-kernelci
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=17259c7b680000
kernel config:  https://syzkaller.appspot.com/x/.config?x=3e6feaeda5dcbc27
dashboard link: https://syzkaller.appspot.com/bug?extid=1683f76f1b20b826de67
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
patch:          https://syzkaller.appspot.com/x/patch.diff?x=15bfc4df680000
