From: syzbot <syzbot+60bfed6b415fbd1fbb87@syzkaller.appspotmail.com>
To: eadavis@qq.com, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in __lock_sock
Date: Wed, 22 Nov 2023 19:06:05 -0800
Message-ID: <000000000000d53b43060ac91d56@google.com>
In-Reply-To: <tencent_D3FF464CC98C2ED92ED18C9367E746E65206@qq.com>
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in __sco_sock_close
==================================================================
BUG: KASAN: slab-use-after-free in sco_chan_del net/bluetooth/sco.c:170 [inline]
BUG: KASAN: slab-use-after-free in __sco_sock_close+0x274/0x788 net/bluetooth/sco.c:456
Read of size 8 at addr ffff0000c7299400 by task syz-executor661/9434
CPU: 1 PID: 9434 Comm: syz-executor661 Not tainted 6.6.0-rc7-syzkaller-00089-g8de1e7afcc1c-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
Call trace:
dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:233
show_stack+0x2c/0x44 arch/arm64/kernel/stacktrace.c:240
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0x174/0x514 mm/kasan/report.c:475
kasan_report+0xd8/0x138 mm/kasan/report.c:588
__asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381
sco_chan_del net/bluetooth/sco.c:170 [inline]
__sco_sock_close+0x274/0x788 net/bluetooth/sco.c:456
sco_sock_close net/bluetooth/sco.c:471 [inline]
sco_sock_release+0xb4/0x2c0 net/bluetooth/sco.c:1248
__sock_release net/socket.c:659 [inline]
sock_close+0xa4/0x1e8 net/socket.c:1419
__fput+0x324/0x7f8 fs/file_table.c:384
____fput+0x20/0x30 fs/file_table.c:412
task_work_run+0x230/0x2e0 kernel/task_work.c:180
get_signal+0x13f4/0x15ec kernel/signal.c:2668
do_signal arch/arm64/kernel/signal.c:1249 [inline]
do_notify_resume+0x3bc/0x393c arch/arm64/kernel/signal.c:1302
exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:137 [inline]
exit_to_user_mode arch/arm64/kernel/entry-common.c:144 [inline]
el0_svc+0x9c/0x158 arch/arm64/kernel/entry-common.c:679
el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595
Allocated by task 9431:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4c/0x7c mm/kasan/common.c:52
kasan_save_alloc_info+0x24/0x30 mm/kasan/generic.c:511
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:383
kasan_kmalloc include/linux/kasan.h:198 [inline]
kmalloc_trace+0x70/0x88 mm/slab_common.c:1122
kmalloc include/linux/slab.h:599 [inline]
kzalloc include/linux/slab.h:720 [inline]
sco_conn_add+0xc4/0x2cc net/bluetooth/sco.c:134
sco_connect net/bluetooth/sco.c:274 [inline]
sco_sock_connect+0x2a0/0x848 net/bluetooth/sco.c:593
__sys_connect_file net/socket.c:2050 [inline]
__sys_connect+0x268/0x290 net/socket.c:2067
__do_sys_connect net/socket.c:2077 [inline]
__se_sys_connect net/socket.c:2074 [inline]
__arm64_sys_connect+0x7c/0x94 net/socket.c:2074
__invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155
el0_svc+0x54/0x158 arch/arm64/kernel/entry-common.c:678
el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595
Freed by task 6094:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4c/0x7c mm/kasan/common.c:52
kasan_save_free_info+0x38/0x5c mm/kasan/generic.c:522
____kasan_slab_free+0x144/0x1c0 mm/kasan/common.c:236
__kasan_slab_free+0x18/0x28 mm/kasan/common.c:244
kasan_slab_free include/linux/kasan.h:164 [inline]
slab_free_hook mm/slub.c:1800 [inline]
slab_free_freelist_hook mm/slub.c:1826 [inline]
slab_free mm/slub.c:3809 [inline]
__kmem_cache_free+0x2ac/0x480 mm/slub.c:3822
kfree+0xb8/0x19c mm/slab_common.c:1075
sco_conn_del+0x3b4/0x498 net/bluetooth/sco.c:210
sco_connect_cfm+0xf0/0x948 net/bluetooth/sco.c:1363
hci_connect_cfm include/net/bluetooth/hci_core.h:1935 [inline]
hci_conn_failed+0x17c/0x2c0 net/bluetooth/hci_conn.c:1251
hci_abort_conn_sync+0x688/0xe38 net/bluetooth/hci_sync.c:5428
abort_conn_sync+0x5c/0x8c net/bluetooth/hci_conn.c:2910
hci_cmd_sync_work+0x1cc/0x34c net/bluetooth/hci_sync.c:306
process_one_work+0x694/0x1204 kernel/workqueue.c:2630
process_scheduled_works kernel/workqueue.c:2703 [inline]
worker_thread+0x938/0xef4 kernel/workqueue.c:2784
kthread+0x288/0x310 kernel/kthread.c:388
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:857
Last potentially related work creation:
kasan_save_stack+0x40/0x6c mm/kasan/common.c:45
__kasan_record_aux_stack+0xcc/0xe8 mm/kasan/generic.c:492
kasan_record_aux_stack_noalloc+0x14/0x20 mm/kasan/generic.c:502
kvfree_call_rcu+0xac/0x674 kernel/rcu/tree.c:3372
drop_sysctl_table+0x2c8/0x410 fs/proc/proc_sysctl.c:1508
drop_sysctl_table+0x2d8/0x410 fs/proc/proc_sysctl.c:1511
unregister_sysctl_table+0x48/0x68 fs/proc/proc_sysctl.c:1529
unregister_net_sysctl_table+0x20/0x30 net/sysctl_net.c:185
mpls_dev_sysctl_unregister+0x88/0xc0 net/mpls/af_mpls.c:1447
mpls_dev_notify+0x448/0x654 net/mpls/af_mpls.c:1659
notifier_call_chain+0x1a4/0x510 kernel/notifier.c:93
raw_notifier_call_chain+0x3c/0x50 kernel/notifier.c:461
call_netdevice_notifiers_info net/core/dev.c:1995 [inline]
call_netdevice_notifiers_extack net/core/dev.c:2033 [inline]
call_netdevice_notifiers net/core/dev.c:2047 [inline]
unregister_netdevice_many_notify+0xd44/0x17a8 net/core/dev.c:10967
unregister_netdevice_many net/core/dev.c:11023 [inline]
default_device_exit_batch+0x6c8/0x744 net/core/dev.c:11492
ops_exit_list net/core/net_namespace.c:175 [inline]
cleanup_net+0x5dc/0x8d0 net/core/net_namespace.c:614
process_one_work+0x694/0x1204 kernel/workqueue.c:2630
process_scheduled_works kernel/workqueue.c:2703 [inline]
worker_thread+0x938/0xef4 kernel/workqueue.c:2784
kthread+0x288/0x310 kernel/kthread.c:388
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:857
The buggy address belongs to the object at ffff0000c7299400
which belongs to the cache kmalloc-256 of size 256
The buggy address is located 0 bytes inside of
freed 256-byte region [ffff0000c7299400, ffff0000c7299500)
The buggy address belongs to the physical page:
page:0000000073a3d90c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107298
head:0000000073a3d90c order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x5ffc00000000840(slab|head|node=0|zone=2|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 05ffc00000000840 ffff0000c0001b40 dead000000000100 dead000000000122
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000c7299300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff0000c7299380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff0000c7299400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff0000c7299480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff0000c7299500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Tested on:
commit: 8de1e7af Merge branch 'for-next/core' into for-kernelci
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=10e32aa4e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=3e6feaeda5dcbc27
dashboard link: https://syzkaller.appspot.com/bug?extid=60bfed6b415fbd1fbb87
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
patch: https://syzkaller.appspot.com/x/patch.diff?x=12d17aa4e80000