From: syzbot <syzbot+60bfed6b415fbd1fbb87@syzkaller.appspotmail.com>
To: eadavis@qq.com, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in __lock_sock
Date: Fri, 24 Nov 2023 17:58:03 -0800
Message-ID: <0000000000003aa603060af06631@google.com>
In-Reply-To: <tencent_10DE52D4065BC98B6EC92ECCCCB3E7C34606@qq.com>
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in __lock_sock
==================================================================
BUG: KASAN: slab-use-after-free in __lock_acquire+0x114/0x75e8 kernel/locking/lockdep.c:5004
Read of size 8 at addr ffff0000ce5ce0b0 by task kworker/u5:0/51
CPU: 1 PID: 51 Comm: kworker/u5:0 Not tainted 6.6.0-rc7-syzkaller-00089-g8de1e7afcc1c-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
Workqueue: hci1 hci_cmd_sync_work
Call trace:
dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:233
show_stack+0x2c/0x44 arch/arm64/kernel/stacktrace.c:240
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0x174/0x514 mm/kasan/report.c:475
kasan_report+0xd8/0x138 mm/kasan/report.c:588
__asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381
__lock_acquire+0x114/0x75e8 kernel/locking/lockdep.c:5004
lock_acquire+0x23c/0x71c kernel/locking/lockdep.c:5753
__raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
_raw_spin_lock_bh+0x48/0x60 kernel/locking/spinlock.c:178
spin_lock_bh include/linux/spinlock.h:356 [inline]
__lock_sock+0x170/0x2d4 net/core/sock.c:2960
lock_sock_nested+0xa4/0x11c net/core/sock.c:3510
lock_sock include/net/sock.h:1720 [inline]
sco_conn_ready net/bluetooth/sco.c:1272 [inline]
sco_connect_cfm+0x140/0x948 net/bluetooth/sco.c:1363
hci_connect_cfm include/net/bluetooth/hci_core.h:1935 [inline]
hci_conn_failed+0x17c/0x2c0 net/bluetooth/hci_conn.c:1251
hci_abort_conn_sync+0x688/0xe38 net/bluetooth/hci_sync.c:5428
abort_conn_sync+0x5c/0x8c net/bluetooth/hci_conn.c:2910
hci_cmd_sync_work+0x1cc/0x34c net/bluetooth/hci_sync.c:306
process_one_work+0x694/0x1204 kernel/workqueue.c:2630
process_scheduled_works kernel/workqueue.c:2703 [inline]
worker_thread+0x938/0xef4 kernel/workqueue.c:2784
kthread+0x288/0x310 kernel/kthread.c:388
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:857
Allocated by task 8236:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4c/0x7c mm/kasan/common.c:52
kasan_save_alloc_info+0x24/0x30 mm/kasan/generic.c:511
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:383
kasan_kmalloc include/linux/kasan.h:198 [inline]
__do_kmalloc_node mm/slab_common.c:1026 [inline]
__kmalloc+0xcc/0x1b8 mm/slab_common.c:1039
kmalloc include/linux/slab.h:603 [inline]
sk_prot_alloc+0xc4/0x1f0 net/core/sock.c:2090
sk_alloc+0x44/0x3f4 net/core/sock.c:2143
bt_sock_alloc+0x4c/0x32c net/bluetooth/af_bluetooth.c:148
sco_sock_alloc net/bluetooth/sco.c:499 [inline]
sco_sock_create+0xbc/0x31c net/bluetooth/sco.c:530
bt_sock_create+0x14c/0x248 net/bluetooth/af_bluetooth.c:132
__sock_create+0x43c/0x884 net/socket.c:1569
sock_create net/socket.c:1620 [inline]
__sys_socket_create net/socket.c:1657 [inline]
__sys_socket+0x134/0x340 net/socket.c:1708
__do_sys_socket net/socket.c:1722 [inline]
__se_sys_socket net/socket.c:1720 [inline]
__arm64_sys_socket+0x7c/0x94 net/socket.c:1720
__invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155
el0_svc+0x54/0x158 arch/arm64/kernel/entry-common.c:678
el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595
Freed by task 8236:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4c/0x7c mm/kasan/common.c:52
kasan_save_free_info+0x38/0x5c mm/kasan/generic.c:522
____kasan_slab_free+0x144/0x1c0 mm/kasan/common.c:236
__kasan_slab_free+0x18/0x28 mm/kasan/common.c:244
kasan_slab_free include/linux/kasan.h:164 [inline]
slab_free_hook mm/slub.c:1800 [inline]
slab_free_freelist_hook mm/slub.c:1826 [inline]
slab_free mm/slub.c:3809 [inline]
__kmem_cache_free+0x2ac/0x480 mm/slub.c:3822
kfree+0xb8/0x19c mm/slab_common.c:1075
sk_prot_free net/core/sock.c:2126 [inline]
__sk_destruct+0x4c0/0x770 net/core/sock.c:2218
sk_destruct net/core/sock.c:2233 [inline]
__sk_free+0x37c/0x4e8 net/core/sock.c:2244
sk_free+0x60/0xc8 net/core/sock.c:2255
sock_put include/net/sock.h:1989 [inline]
sco_sock_kill+0xfc/0x1b4 net/bluetooth/sco.c:429
sco_sock_release+0x1fc/0x2c0 net/bluetooth/sco.c:1260
__sock_release net/socket.c:659 [inline]
sock_close+0xa4/0x1e8 net/socket.c:1419
__fput+0x324/0x7f8 fs/file_table.c:384
____fput+0x20/0x30 fs/file_table.c:412
task_work_run+0x230/0x2e0 kernel/task_work.c:180
get_signal+0x13f4/0x15ec kernel/signal.c:2668
do_signal arch/arm64/kernel/signal.c:1249 [inline]
do_notify_resume+0x3bc/0x393c arch/arm64/kernel/signal.c:1302
exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:137 [inline]
exit_to_user_mode arch/arm64/kernel/entry-common.c:144 [inline]
el0_svc+0x9c/0x158 arch/arm64/kernel/entry-common.c:679
el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595
The buggy address belongs to the object at ffff0000ce5ce000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 176 bytes inside of
freed 2048-byte region [ffff0000ce5ce000, ffff0000ce5ce800)
The buggy address belongs to the physical page:
page:00000000b6dddcc6 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10e5c8
head:00000000b6dddcc6 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x5ffc00000000840(slab|head|node=0|zone=2|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 05ffc00000000840 ffff0000c0002000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000ce5cdf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff0000ce5ce000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff0000ce5ce080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff0000ce5ce100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff0000ce5ce180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Bluetooth: hci1: command 0x0409 tx timeout
Bluetooth: hci1: command 0x040f tx timeout
Tested on:
commit: 8de1e7af Merge branch 'for-next/core' into for-kernelci
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=113dcbcce80000
kernel config: https://syzkaller.appspot.com/x/.config?x=3e6feaeda5dcbc27
dashboard link: https://syzkaller.appspot.com/bug?extid=60bfed6b415fbd1fbb87
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
patch: https://syzkaller.appspot.com/x/patch.diff?x=1451e294e80000