From: syzbot <syzbot+c12e2f941af1feb5632c@syzkaller.appspotmail.com>
To: hdanton@sina.com, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_connect (2)
Date: Sun, 08 Sep 2024 06:10:03 -0700 [thread overview]
Message-ID: <000000000000c0339406219b5b0d@google.com> (raw)
In-Reply-To: <20240908125017.2529-1-hdanton@sina.com>
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in l2cap_recv_acldata
==================================================================
BUG: KASAN: slab-use-after-free in l2cap_recv_acldata+0xa0b/0xb70 net/bluetooth/l2cap_core.c:7480
Read of size 8 at addr ffff888031b08fe8 by task kworker/u9:8/7223
CPU: 0 UID: 0 PID: 7223 Comm: kworker/u9:8 Not tainted 6.11.0-rc6-syzkaller-00326-gd1f2d51b711a-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Workqueue: hci0 hci_rx_work
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:93 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:119
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
l2cap_recv_acldata+0xa0b/0xb70 net/bluetooth/l2cap_core.c:7480
hci_acldata_packet net/bluetooth/hci_core.c:3792 [inline]
hci_rx_work+0xac0/0x1630 net/bluetooth/hci_core.c:4030
process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Allocated by task 6015:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:387
kmalloc_noprof include/linux/slab.h:681 [inline]
kzalloc_noprof include/linux/slab.h:807 [inline]
__hci_conn_add+0x131/0x1a50 net/bluetooth/hci_conn.c:934
hci_conn_add_unset+0x6d/0x100 net/bluetooth/hci_conn.c:1043
hci_conn_request_evt+0x8c4/0xb40 net/bluetooth/hci_event.c:3288
hci_event_func net/bluetooth/hci_event.c:7446 [inline]
hci_event_packet+0x9eb/0x1180 net/bluetooth/hci_event.c:7498
hci_rx_work+0x2c6/0x1630 net/bluetooth/hci_core.c:4025
process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Freed by task 6017:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579
poison_slab_object+0xf7/0x160 mm/kasan/common.c:240
__kasan_slab_free+0x32/0x50 mm/kasan/common.c:256
kasan_slab_free include/linux/kasan.h:184 [inline]
slab_free_hook mm/slub.c:2256 [inline]
slab_free mm/slub.c:4477 [inline]
kfree+0x12a/0x3b0 mm/slub.c:4598
device_release+0xa1/0x240 drivers/base/core.c:2582
kobject_cleanup lib/kobject.c:689 [inline]
kobject_release lib/kobject.c:720 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x1e4/0x5a0 lib/kobject.c:737
put_device drivers/base/core.c:3790 [inline]
device_unregister+0x2f/0xc0 drivers/base/core.c:3913
hci_conn_del_sysfs+0xb4/0x180 net/bluetooth/hci_sysfs.c:86
hci_conn_cleanup net/bluetooth/hci_conn.c:175 [inline]
hci_conn_del+0x54e/0xdb0 net/bluetooth/hci_conn.c:1162
hci_abort_conn_sync+0x75a/0xb50 net/bluetooth/hci_sync.c:5583
abort_conn_sync+0x197/0x360 net/bluetooth/hci_conn.c:2917
hci_cmd_sync_work+0x1a4/0x410 net/bluetooth/hci_sync.c:328
process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
The buggy address belongs to the object at ffff888031b08000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 4072 bytes inside of
freed 8192-byte region [ffff888031b08000, ffff888031b0a000)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888031b0c000 pfn:0x31b08
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
ksm flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xfdffffff(slab)
raw: 00fff00000000040 ffff88801ac42280 ffffea0001f09000 0000000000000003
raw: ffff888031b0c000 0000000000020001 00000001fdffffff 0000000000000000
head: 00fff00000000040 ffff88801ac42280 ffffea0001f09000 0000000000000003
head: ffff888031b0c000 0000000000020001 00000001fdffffff 0000000000000000
head: 00fff00000000003 ffffea0000c6c201 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 6015, tgid 6015 (kworker/u9:6), ts 133220298161, free_ts 131544899649
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1500
prep_new_page mm/page_alloc.c:1508 [inline]
get_page_from_freelist+0x1351/0x2e50 mm/page_alloc.c:3446
__alloc_pages_noprof+0x22b/0x2460 mm/page_alloc.c:4702
__alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
alloc_slab_page+0x4e/0xf0 mm/slub.c:2325
allocate_slab mm/slub.c:2488 [inline]
new_slab+0x84/0x260 mm/slub.c:2541
___slab_alloc+0xdac/0x1870 mm/slub.c:3727
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3817
__slab_alloc_node mm/slub.c:3870 [inline]
slab_alloc_node mm/slub.c:4029 [inline]
__kmalloc_cache_noprof+0x2b4/0x300 mm/slub.c:4188
kmalloc_noprof include/linux/slab.h:681 [inline]
kzalloc_noprof include/linux/slab.h:807 [inline]
__hci_conn_add+0x131/0x1a50 net/bluetooth/hci_conn.c:934
hci_conn_add_unset+0x6d/0x100 net/bluetooth/hci_conn.c:1043
hci_conn_request_evt+0x8c4/0xb40 net/bluetooth/hci_event.c:3288
hci_event_func net/bluetooth/hci_event.c:7446 [inline]
hci_event_packet+0x9eb/0x1180 net/bluetooth/hci_event.c:7498
hci_rx_work+0x2c6/0x1630 net/bluetooth/hci_core.c:4025
process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
kthread+0x2c1/0x3a0 kernel/kthread.c:389
page last free pid 5957 tgid 5957 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1101 [inline]
free_unref_page+0x64a/0xe40 mm/page_alloc.c:2619
__put_partials+0x14c/0x170 mm/slub.c:3055
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x4e/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x192/0x1e0 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:322
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slub.c:3992 [inline]
slab_alloc_node mm/slub.c:4041 [inline]
kmem_cache_alloc_noprof+0x121/0x2f0 mm/slub.c:4048
ptlock_alloc mm/memory.c:6589 [inline]
ptlock_init include/linux/mm.h:2944 [inline]
pmd_ptlock_init include/linux/mm.h:3048 [inline]
pagetable_pmd_ctor include/linux/mm.h:3086 [inline]
pmd_alloc_one_noprof include/asm-generic/pgalloc.h:141 [inline]
__pmd_alloc+0xc3/0x820 mm/memory.c:6079
pmd_alloc include/linux/mm.h:2835 [inline]
alloc_new_pmd mm/mremap.c:96 [inline]
move_page_tables+0x2218/0x3780 mm/mremap.c:608
shift_arg_pages+0x1eb/0x410 fs/exec.c:758
setup_arg_pages+0x516/0xc70 fs/exec.c:880
load_elf_binary+0xa66/0x4d90 fs/binfmt_elf.c:1014
search_binary_handler fs/exec.c:1827 [inline]
exec_binprm fs/exec.c:1869 [inline]
bprm_execve fs/exec.c:1920 [inline]
bprm_execve+0x703/0x1960 fs/exec.c:1896
do_execveat_common.isra.0+0x4f1/0x630 fs/exec.c:2027
do_execve fs/exec.c:2101 [inline]
__do_sys_execve fs/exec.c:2177 [inline]
__se_sys_execve fs/exec.c:2172 [inline]
__x64_sys_execve+0x8c/0xb0 fs/exec.c:2172
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff888031b08e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888031b08f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888031b08f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888031b09000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888031b09080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: d1f2d51b Merge tag 'clk-fixes-for-linus' of git://git...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14151f29980000
kernel config: https://syzkaller.appspot.com/x/.config?x=57042fe37c7ee7c2
dashboard link: https://syzkaller.appspot.com/bug?extid=c12e2f941af1feb5632c
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=15449ffb980000
next prev parent reply other threads:[~2024-09-08 13:10 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-06-24 20:23 [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_connect (2) syzbot
2024-09-07 14:42 ` syzbot
2024-09-08 0:01 ` Hillf Danton
2024-09-08 0:24 ` syzbot
2024-09-08 1:28 ` Edward Adam Davis
2024-09-08 1:51 ` syzbot
2024-09-08 2:06 ` Edward Adam Davis
2024-09-08 2:29 ` syzbot
2024-09-08 2:41 ` Edward Adam Davis
2024-09-08 3:06 ` syzbot
2024-09-08 3:15 ` Edward Adam Davis
2024-09-08 3:58 ` syzbot
2024-09-08 3:25 ` Hillf Danton
2024-09-08 4:07 ` syzbot
2024-09-08 4:07 ` Edward Adam Davis
2024-09-08 4:37 ` syzbot
2024-09-08 7:22 ` [PATCH] Bluetooth/l2cap: Fix uaf in l2cap_connect Edward Adam Davis
2024-09-10 20:56 ` Luiz Augusto von Dentz
2024-09-20 15:07 ` Luiz Augusto von Dentz
2024-09-21 1:40 ` Edward Adam Davis
2024-09-21 10:56 ` Hillf Danton
2024-09-23 14:32 ` Luiz Augusto von Dentz
2024-09-23 14:37 ` Aleksandr Nogikh
2024-09-23 15:20 ` Luiz Augusto von Dentz
2024-09-23 15:28 ` [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_connect (2) syzbot
2024-09-23 15:38 ` [PATCH] Bluetooth/l2cap: Fix uaf in l2cap_connect Aleksandr Nogikh
2024-09-23 15:48 ` Luiz Augusto von Dentz
2024-09-23 16:21 ` [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_connect (2) syzbot
2024-09-08 8:32 ` Hillf Danton
2024-09-08 8:52 ` syzbot
2024-09-08 11:15 ` Hillf Danton
2024-09-08 11:33 ` syzbot
2024-09-08 12:50 ` Hillf Danton
2024-09-08 13:10 ` syzbot [this message]
2024-09-08 13:37 ` Hillf Danton
2024-09-08 13:58 ` syzbot
2024-09-09 11:06 ` Hillf Danton
2024-09-09 11:31 ` syzbot
2024-09-11 11:29 ` Hillf Danton
2024-09-11 11:59 ` syzbot
2024-09-12 11:49 ` Hillf Danton
2024-09-12 14:51 ` syzbot
2024-09-10 18:43 ` syzbot
2024-09-23 16:13 ` [syzbot] Re: [PATCH] Bluetooth/l2cap: Fix uaf in l2cap_connect syzbot
[not found] <CABBYNZ+Fj1bDqSG7PkF5OFEx_OWkgm2gEm8640odaQX5EBGxPg@mail.gmail.com>
2024-09-23 16:45 ` [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_connect (2) syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=000000000000c0339406219b5b0d@google.com \
--to=syzbot+c12e2f941af1feb5632c@syzkaller.appspotmail.com \
--cc=hdanton@sina.com \
--cc=linux-kernel@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.