* [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in hci_send_acl
From: syzbot @ 2023-08-21 16:26 UTC
To: johan.hedberg, linux-bluetooth, linux-kernel, luiz.dentz, marcel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 7271b2a53042 Add linux-next specific files for 20230818
git tree: linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=13404b6ba80000
kernel config: https://syzkaller.appspot.com/x/.config?x=1936af09cdef7dd6
dashboard link: https://syzkaller.appspot.com/bug?extid=a0c80b06ae2cb8895bc4
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13506923a80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=147569efa80000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/d81109bc02c1/disk-7271b2a5.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/4b3bf8e2a4f7/vmlinux-7271b2a5.xz
kernel image: https://storage.googleapis.com/syzbot-assets/6404cd473c1e/bzImage-7271b2a5.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a0c80b06ae2cb8895bc4@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-use-after-free in hci_send_acl+0xdf4/0xf30 net/bluetooth/hci_core.c:3228
Read of size 8 at addr ffff888025635618 by task kworker/1:1/27
CPU: 1 PID: 27 Comm: kworker/1:1 Not tainted 6.5.0-rc6-next-20230818-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
Workqueue: events l2cap_info_timeout
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0xc4/0x620 mm/kasan/report.c:475
kasan_report+0xda/0x110 mm/kasan/report.c:588
hci_send_acl+0xdf4/0xf30 net/bluetooth/hci_core.c:3228
l2cap_send_cmd+0x6dd/0x920 net/bluetooth/l2cap_core.c:977
l2cap_send_conn_req+0x1e5/0x260 net/bluetooth/l2cap_core.c:1286
l2cap_start_connection+0x11e/0x420 net/bluetooth/l2cap_core.c:1514
l2cap_conn_start+0x7ae/0xa40 net/bluetooth/l2cap_core.c:1661
process_one_work+0x887/0x15d0 kernel/workqueue.c:2630
process_scheduled_works kernel/workqueue.c:2703 [inline]
worker_thread+0x8bb/0x1290 kernel/workqueue.c:2784
kthread+0x33a/0x430 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
</TASK>
Allocated by task 5046:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0xa2/0xb0 mm/kasan/common.c:383
kmalloc include/linux/slab.h:600 [inline]
kzalloc include/linux/slab.h:721 [inline]
hci_chan_create+0xa6/0x3a0 net/bluetooth/hci_conn.c:2691
l2cap_conn_add.part.0+0x1a/0xdf0 net/bluetooth/l2cap_core.c:7841
l2cap_conn_add include/net/bluetooth/l2cap.h:866 [inline]
l2cap_chan_connect+0x15b9/0x2140 net/bluetooth/l2cap_core.c:8053
bt_6lowpan_connect net/bluetooth/6lowpan.c:894 [inline]
lowpan_control_write+0x3d6/0x730 net/bluetooth/6lowpan.c:1129
full_proxy_write+0x124/0x190 fs/debugfs/file.c:236
vfs_write+0x2a4/0xe40 fs/read_write.c:582
ksys_write+0x12f/0x250 fs/read_write.c:637
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Freed by task 50:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522
____kasan_slab_free mm/kasan/common.c:236 [inline]
____kasan_slab_free+0x15b/0x1b0 mm/kasan/common.c:200
kasan_slab_free include/linux/kasan.h:164 [inline]
slab_free_hook mm/slub.c:1800 [inline]
slab_free_freelist_hook+0x114/0x1e0 mm/slub.c:1826
slab_free mm/slub.c:3809 [inline]
__kmem_cache_free+0xb8/0x2f0 mm/slub.c:3822
hci_chan_list_flush+0x81/0xf0 net/bluetooth/hci_conn.c:2731
hci_conn_cleanup net/bluetooth/hci_conn.c:152 [inline]
hci_conn_del+0x1fc/0xd10 net/bluetooth/hci_conn.c:1140
hci_abort_conn_sync+0xacb/0xe20 net/bluetooth/hci_sync.c:5432
abort_conn_sync+0x18e/0x3a0 net/bluetooth/hci_conn.c:2878
hci_cmd_sync_work+0x1a4/0x3c0 net/bluetooth/hci_sync.c:306
process_one_work+0x887/0x15d0 kernel/workqueue.c:2630
process_scheduled_works kernel/workqueue.c:2703 [inline]
worker_thread+0x8bb/0x1290 kernel/workqueue.c:2784
kthread+0x33a/0x430 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
Last potentially related work creation:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
__kasan_record_aux_stack+0xbc/0xd0 mm/kasan/generic.c:492
kvfree_call_rcu+0x70/0xbe0 kernel/rcu/tree.c:3373
kernfs_unlink_open_file+0x3b6/0x4b0 fs/kernfs/file.c:633
kernfs_fop_release+0xec/0x1e0 fs/kernfs/file.c:805
__fput+0x3f7/0xa70 fs/file_table.c:384
__fput_sync+0x47/0x50 fs/file_table.c:465
__do_sys_close fs/open.c:1572 [inline]
__se_sys_close fs/open.c:1557 [inline]
__x64_sys_close+0x87/0xf0 fs/open.c:1557
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Second to last potentially related work creation:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
__kasan_record_aux_stack+0xbc/0xd0 mm/kasan/generic.c:492
kvfree_call_rcu+0x70/0xbe0 kernel/rcu/tree.c:3373
kernfs_unlink_open_file+0x3b6/0x4b0 fs/kernfs/file.c:633
kernfs_fop_release+0xec/0x1e0 fs/kernfs/file.c:805
__fput+0x3f7/0xa70 fs/file_table.c:384
__fput_sync+0x47/0x50 fs/file_table.c:465
__do_sys_close fs/open.c:1572 [inline]
__se_sys_close fs/open.c:1557 [inline]
__x64_sys_close+0x87/0xf0 fs/open.c:1557
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The buggy address belongs to the object at ffff888025635600
which belongs to the cache kmalloc-128 of size 128
The buggy address is located 24 bytes inside of
freed 128-byte region [ffff888025635600, ffff888025635680)
The buggy address belongs to the physical page:
page:ffffea0000958d40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x25635
flags: 0xfff00000000800(slab|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000800 ffff888012c418c0 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 4500, tgid 4500 (udevd), ts 28013160887, free_ts 27864795775
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x2cf/0x340 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
get_page_from_freelist+0x10d7/0x31b0 mm/page_alloc.c:3219
__alloc_pages+0x1d0/0x4a0 mm/page_alloc.c:4475
alloc_pages+0x1a9/0x270 mm/mempolicy.c:2298
alloc_slab_page mm/slub.c:1870 [inline]
allocate_slab+0x251/0x380 mm/slub.c:2017
new_slab mm/slub.c:2070 [inline]
___slab_alloc+0x8be/0x1570 mm/slub.c:3223
__slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3322
__slab_alloc_node mm/slub.c:3375 [inline]
slab_alloc_node mm/slub.c:3468 [inline]
__kmem_cache_alloc_node+0x137/0x350 mm/slub.c:3517
kmalloc_trace+0x25/0xe0 mm/slab_common.c:1095
kmalloc include/linux/slab.h:600 [inline]
kzalloc include/linux/slab.h:721 [inline]
kernfs_get_open_node fs/kernfs/file.c:572 [inline]
kernfs_fop_open+0xad1/0xe00 fs/kernfs/file.c:740
do_dentry_open+0x88b/0x1730 fs/open.c:929
do_open fs/namei.c:3636 [inline]
path_openat+0x19af/0x29c0 fs/namei.c:3793
do_filp_open+0x1de/0x430 fs/namei.c:3820
do_sys_openat2+0x176/0x1e0 fs/open.c:1422
do_sys_open fs/open.c:1437 [inline]
__do_sys_openat fs/open.c:1453 [inline]
__se_sys_openat fs/open.c:1448 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1448
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x476/0xa40 mm/page_alloc.c:2348
free_unref_page+0x33/0x3b0 mm/page_alloc.c:2441
qlink_free mm/kasan/quarantine.c:166 [inline]
qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:185
kasan_quarantine_reduce+0x18b/0x1d0 mm/kasan/quarantine.c:292
__kasan_slab_alloc+0x65/0x90 mm/kasan/common.c:305
kasan_slab_alloc include/linux/kasan.h:188 [inline]
slab_post_alloc_hook mm/slab.h:762 [inline]
slab_alloc_node mm/slub.c:3478 [inline]
slab_alloc mm/slub.c:3486 [inline]
__kmem_cache_alloc_lru mm/slub.c:3493 [inline]
kmem_cache_alloc+0x172/0x3b0 mm/slub.c:3502
getname_flags.part.0+0x50/0x4d0 fs/namei.c:140
getname_flags include/linux/audit.h:319 [inline]
getname+0x90/0xe0 fs/namei.c:219
do_sys_openat2+0x100/0x1e0 fs/open.c:1416
do_sys_open fs/open.c:1437 [inline]
__do_sys_openat fs/open.c:1453 [inline]
__se_sys_openat fs/open.c:1448 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1448
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Memory state around the buggy address:
 ffff888025635500: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc
 ffff888025635580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888025635600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
 ffff888025635680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888025635700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in hci_send_acl
[not found] <20230822112701.2655-1-hdanton@sina.com>
From: syzbot @ 2023-08-22 12:15 UTC
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in hci_send_acl
==================================================================
BUG: KASAN: slab-use-after-free in hci_send_acl+0xdf4/0xf30 net/bluetooth/hci_core.c:3228
Read of size 8 at addr ffff888069713618 by task kworker/0:4/5435
CPU: 0 PID: 5435 Comm: kworker/0:4 Not tainted 6.5.0-rc6-next-20230818-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
Workqueue: events l2cap_info_timeout
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0xc4/0x620 mm/kasan/report.c:475
kasan_report+0xda/0x110 mm/kasan/report.c:588
hci_send_acl+0xdf4/0xf30 net/bluetooth/hci_core.c:3228
l2cap_send_cmd+0x6dd/0x920 net/bluetooth/l2cap_core.c:977
l2cap_send_conn_req+0x1e5/0x260 net/bluetooth/l2cap_core.c:1286
l2cap_start_connection+0x11e/0x420 net/bluetooth/l2cap_core.c:1514
l2cap_conn_start+0x7ae/0xa40 net/bluetooth/l2cap_core.c:1661
process_one_work+0x887/0x15d0 kernel/workqueue.c:2630
process_scheduled_works kernel/workqueue.c:2703 [inline]
worker_thread+0x8bb/0x1290 kernel/workqueue.c:2784
kthread+0x33a/0x430 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
</TASK>
Allocated by task 5466:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0xa2/0xb0 mm/kasan/common.c:383
kmalloc include/linux/slab.h:600 [inline]
kzalloc include/linux/slab.h:721 [inline]
hci_chan_create+0xa6/0x3a0 net/bluetooth/hci_conn.c:2691
l2cap_conn_add.part.0+0x1a/0xdf0 net/bluetooth/l2cap_core.c:7839
l2cap_conn_add include/net/bluetooth/l2cap.h:866 [inline]
l2cap_chan_connect+0x15b9/0x2140 net/bluetooth/l2cap_core.c:8051
bt_6lowpan_connect net/bluetooth/6lowpan.c:894 [inline]
lowpan_control_write+0x3d6/0x730 net/bluetooth/6lowpan.c:1129
full_proxy_write+0x124/0x190 fs/debugfs/file.c:236
vfs_write+0x2a4/0xe40 fs/read_write.c:582
ksys_write+0x12f/0x250 fs/read_write.c:637
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Freed by task 5045:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522
____kasan_slab_free mm/kasan/common.c:236 [inline]
____kasan_slab_free+0x15b/0x1b0 mm/kasan/common.c:200
kasan_slab_free include/linux/kasan.h:164 [inline]
slab_free_hook mm/slub.c:1800 [inline]
slab_free_freelist_hook+0x114/0x1e0 mm/slub.c:1826
slab_free mm/slub.c:3809 [inline]
__kmem_cache_free+0xb8/0x2f0 mm/slub.c:3822
hci_chan_list_flush+0x81/0xf0 net/bluetooth/hci_conn.c:2731
hci_conn_cleanup net/bluetooth/hci_conn.c:152 [inline]
hci_conn_del+0x1fc/0xd10 net/bluetooth/hci_conn.c:1140
hci_abort_conn_sync+0xacb/0xe20 net/bluetooth/hci_sync.c:5432
abort_conn_sync+0x18e/0x3a0 net/bluetooth/hci_conn.c:2878
hci_cmd_sync_work+0x1a4/0x3c0 net/bluetooth/hci_sync.c:306
process_one_work+0x887/0x15d0 kernel/workqueue.c:2630
process_scheduled_works kernel/workqueue.c:2703 [inline]
worker_thread+0x8bb/0x1290 kernel/workqueue.c:2784
kthread+0x33a/0x430 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
The buggy address belongs to the object at ffff888069713600
which belongs to the cache kmalloc-128 of size 128
The buggy address is located 24 bytes inside of
freed 128-byte region [ffff888069713600, ffff888069713680)
The buggy address belongs to the physical page:
page:ffffea0001a5c4c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x69713
flags: 0xfff00000000800(slab|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000800 ffff888012c418c0 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 5400, tgid 5400 (syz-executor.0), ts 92397723620, free_ts 92397302327
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x2cf/0x340 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
get_page_from_freelist+0x10d7/0x31b0 mm/page_alloc.c:3219
__alloc_pages+0x1d0/0x4a0 mm/page_alloc.c:4475
__alloc_pages_node include/linux/gfp.h:237 [inline]
alloc_slab_page mm/slub.c:1872 [inline]
allocate_slab+0xa1/0x380 mm/slub.c:2017
new_slab mm/slub.c:2070 [inline]
___slab_alloc+0x8be/0x1570 mm/slub.c:3223
__slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3322
__slab_alloc_node mm/slub.c:3375 [inline]
slab_alloc_node mm/slub.c:3468 [inline]
__kmem_cache_alloc_node+0x137/0x350 mm/slub.c:3517
__do_kmalloc_node mm/slab_common.c:1003 [inline]
__kmalloc_node+0x52/0x110 mm/slab_common.c:1011
kmalloc_array_node include/linux/slab.h:698 [inline]
kcalloc_node include/linux/slab.h:703 [inline]
memcg_alloc_slab_cgroups+0xa9/0x170 mm/memcontrol.c:2895
memcg_slab_post_alloc_hook+0xaa/0x390 mm/slab.h:530
slab_post_alloc_hook mm/slab.h:770 [inline]
slab_alloc_node mm/slub.c:3478 [inline]
slab_alloc mm/slub.c:3486 [inline]
__kmem_cache_alloc_lru mm/slub.c:3493 [inline]
kmem_cache_alloc+0x1a7/0x3b0 mm/slub.c:3502
prepare_creds+0x43/0x7b0 kernel/cred.c:263
copy_creds+0xa7/0xe50 kernel/cred.c:368
copy_process+0xeb6/0x7400 kernel/fork.c:2368
kernel_clone+0xfd/0x930 kernel/fork.c:2916
__do_sys_clone+0xba/0x100 kernel/fork.c:3059
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x476/0xa40 mm/page_alloc.c:2348
free_unref_page+0x33/0x3b0 mm/page_alloc.c:2441
vfree+0x181/0x7a0 mm/vmalloc.c:2842
__do_replace+0x7bf/0x9c0 net/ipv4/netfilter/arp_tables.c:937
do_replace net/ipv6/netfilter/ip6_tables.c:1154 [inline]
do_ip6t_set_ctl+0x93a/0xbd0 net/ipv6/netfilter/ip6_tables.c:1636
nf_setsockopt+0x87/0xe0 net/netfilter/nf_sockopt.c:101
ipv6_setsockopt+0x12b/0x190 net/ipv6/ipv6_sockglue.c:1017
tcp_setsockopt+0x9d/0x100 net/ipv4/tcp.c:3677
__sys_setsockopt+0x2cd/0x5b0 net/socket.c:2307
__do_sys_setsockopt net/socket.c:2318 [inline]
__se_sys_setsockopt net/socket.c:2315 [inline]
__x64_sys_setsockopt+0xbd/0x150 net/socket.c:2315
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Memory state around the buggy address:
 ffff888069713500: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc
 ffff888069713580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888069713600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
 ffff888069713680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888069713700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
Tested on:
commit: 7271b2a5 Add linux-next specific files for 20230818
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1555b1bba80000
kernel config: https://syzkaller.appspot.com/x/.config?x=1936af09cdef7dd6
dashboard link: https://syzkaller.appspot.com/bug?extid=a0c80b06ae2cb8895bc4
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1766e9bba80000
* Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in hci_send_acl
[not found] <20230823140836.2923-1-hdanton@sina.com>
From: syzbot @ 2023-08-23 14:32 UTC
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-out-of-bounds Read in l2cap_chan_del
==================================================================
BUG: KASAN: slab-out-of-bounds in hci_conn_drop include/net/bluetooth/hci_core.h:1549 [inline]
BUG: KASAN: slab-out-of-bounds in hci_conn_drop include/net/bluetooth/hci_core.h:1519 [inline]
BUG: KASAN: slab-out-of-bounds in l2cap_chan_del+0xa0b/0xa70 net/bluetooth/l2cap_core.c:668
Read of size 8 at addr ffff888068778718 by task kworker/0:0/8
CPU: 0 PID: 8 Comm: kworker/0:0 Not tainted 6.5.0-rc6-next-20230818-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
Workqueue: events l2cap_chan_timeout
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0xc4/0x620 mm/kasan/report.c:475
kasan_report+0xda/0x110 mm/kasan/report.c:588
hci_conn_drop include/net/bluetooth/hci_core.h:1549 [inline]
hci_conn_drop include/net/bluetooth/hci_core.h:1519 [inline]
l2cap_chan_del+0xa0b/0xa70 net/bluetooth/l2cap_core.c:668
l2cap_chan_close+0xff/0xa20 net/bluetooth/l2cap_core.c:851
l2cap_chan_timeout+0x17d/0x2f0 net/bluetooth/l2cap_core.c:452
process_one_work+0x887/0x15d0 kernel/workqueue.c:2630
process_scheduled_works kernel/workqueue.c:2703 [inline]
worker_thread+0x8bb/0x1290 kernel/workqueue.c:2784
kthread+0x33a/0x430 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
</TASK>
Allocated by task 4708:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0xa2/0xb0 mm/kasan/common.c:383
kasan_kmalloc include/linux/kasan.h:198 [inline]
__do_kmalloc_node mm/slab_common.c:1004 [inline]
__kmalloc_node_track_caller+0x61/0x100 mm/slab_common.c:1024
kmalloc_reserve+0xef/0x270 net/core/skbuff.c:575
__alloc_skb+0x12b/0x330 net/core/skbuff.c:644
alloc_skb include/linux/skbuff.h:1286 [inline]
alloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6274
sock_alloc_send_pskb+0x7c8/0x950 net/core/sock.c:2794
unix_dgram_sendmsg+0x455/0x1c30 net/unix/af_unix.c:1953
sock_sendmsg_nosec net/socket.c:730 [inline]
sock_sendmsg+0xd9/0x180 net/socket.c:753
sock_write_iter+0x29b/0x3d0 net/socket.c:1140
call_write_iter include/linux/fs.h:1983 [inline]
do_iter_readv_writev+0x21e/0x3c0 fs/read_write.c:735
do_iter_write+0x17f/0x830 fs/read_write.c:860
vfs_writev+0x221/0x700 fs/read_write.c:933
do_writev+0x285/0x370 fs/read_write.c:976
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Freed by task 4707:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522
____kasan_slab_free mm/kasan/common.c:236 [inline]
____kasan_slab_free+0x15b/0x1b0 mm/kasan/common.c:200
kasan_slab_free include/linux/kasan.h:164 [inline]
slab_free_hook mm/slub.c:1800 [inline]
slab_free_freelist_hook+0x114/0x1e0 mm/slub.c:1826
slab_free mm/slub.c:3809 [inline]
__kmem_cache_free+0xb8/0x2f0 mm/slub.c:3822
skb_kfree_head net/core/skbuff.c:939 [inline]
skb_free_head+0x110/0x1b0 net/core/skbuff.c:951
skb_release_data+0x5ba/0x870 net/core/skbuff.c:981
skb_release_all net/core/skbuff.c:1047 [inline]
__kfree_skb net/core/skbuff.c:1061 [inline]
consume_skb net/core/skbuff.c:1277 [inline]
consume_skb+0xd2/0x170 net/core/skbuff.c:1271
__unix_dgram_recvmsg+0x814/0xe50 net/unix/af_unix.c:2442
unix_dgram_recvmsg+0xc3/0xf0 net/unix/af_unix.c:2459
sock_recvmsg_nosec net/socket.c:1026 [inline]
sock_recvmsg+0xe2/0x170 net/socket.c:1048
sock_read_iter+0x2c3/0x3c0 net/socket.c:1118
call_read_iter include/linux/fs.h:1977 [inline]
do_iter_readv_writev+0x2f2/0x3c0 fs/read_write.c:733
do_iter_read+0x315/0x870 fs/read_write.c:795
vfs_readv+0x12d/0x1a0 fs/read_write.c:915
do_readv+0x285/0x370 fs/read_write.c:952
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The buggy address belongs to the object at ffff888068778400
which belongs to the cache kmalloc-cg-512 of size 512
The buggy address is located 280 bytes to the right of
allocated 512-byte region [ffff888068778400, ffff888068778600)
The buggy address belongs to the physical page:
page:ffffea0001a1de00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x68778
head:ffffea0001a1de00 order:2 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff88801937bc01
flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000840 ffff888012c4f140 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000100010 00000001ffffffff ffff88801937bc01
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 4708, tgid 4708 (dhcpcd), ts 448399025420, free_ts 448388778101
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x2cf/0x340 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
get_page_from_freelist+0x10d7/0x31b0 mm/page_alloc.c:3219
__alloc_pages+0x1d0/0x4a0 mm/page_alloc.c:4475
alloc_pages+0x1a9/0x270 mm/mempolicy.c:2298
alloc_slab_page mm/slub.c:1870 [inline]
allocate_slab+0x251/0x380 mm/slub.c:2017
new_slab mm/slub.c:2070 [inline]
___slab_alloc+0x8be/0x1570 mm/slub.c:3223
__slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3322
__slab_alloc_node mm/slub.c:3375 [inline]
slab_alloc_node mm/slub.c:3468 [inline]
__kmem_cache_alloc_node+0x137/0x350 mm/slub.c:3517
__do_kmalloc_node mm/slab_common.c:1003 [inline]
__kmalloc_node_track_caller+0x50/0x100 mm/slab_common.c:1024
kmalloc_reserve+0xef/0x270 net/core/skbuff.c:575
__alloc_skb+0x12b/0x330 net/core/skbuff.c:644
alloc_skb include/linux/skbuff.h:1286 [inline]
alloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6274
sock_alloc_send_pskb+0x7c8/0x950 net/core/sock.c:2794
unix_dgram_sendmsg+0x455/0x1c30 net/unix/af_unix.c:1953
sock_sendmsg_nosec net/socket.c:730 [inline]
sock_sendmsg+0xd9/0x180 net/socket.c:753
sock_write_iter+0x29b/0x3d0 net/socket.c:1140
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x476/0xa40 mm/page_alloc.c:2348
free_unref_page+0x33/0x3b0 mm/page_alloc.c:2441
skb_kfree_head net/core/skbuff.c:939 [inline]
skb_free_head+0x110/0x1b0 net/core/skbuff.c:951
skb_release_data+0x5ba/0x870 net/core/skbuff.c:981
skb_release_all net/core/skbuff.c:1047 [inline]
__kfree_skb net/core/skbuff.c:1061 [inline]
consume_skb net/core/skbuff.c:1277 [inline]
consume_skb+0xd2/0x170 net/core/skbuff.c:1271
__unix_dgram_recvmsg+0x814/0xe50 net/unix/af_unix.c:2442
unix_dgram_recvmsg+0xc3/0xf0 net/unix/af_unix.c:2459
sock_recvmsg_nosec net/socket.c:1026 [inline]
sock_recvmsg+0xe2/0x170 net/socket.c:1048
sock_read_iter+0x2c3/0x3c0 net/socket.c:1118
call_read_iter include/linux/fs.h:1977 [inline]
do_iter_readv_writev+0x2f2/0x3c0 fs/read_write.c:733
do_iter_read+0x315/0x870 fs/read_write.c:795
vfs_readv+0x12d/0x1a0 fs/read_write.c:915
do_readv+0x285/0x370 fs/read_write.c:952
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Memory state around the buggy address:
 ffff888068778600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888068778680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888068778700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                            ^
 ffff888068778780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888068778800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: 7271b2a5 Add linux-next specific files for 20230818
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=142e2cbda80000
kernel config: https://syzkaller.appspot.com/x/.config?x=1936af09cdef7dd6
dashboard link: https://syzkaller.appspot.com/bug?extid=a0c80b06ae2cb8895bc4
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=12838e5ba80000
* Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in hci_send_acl
[not found] <20230824225837.3040-1-hdanton@sina.com>
From: syzbot @ 2023-08-25 1:08 UTC
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in l2cap_chan_del
------------[ cut here ]------------
WARNING: CPU: 0 PID: 780 at kernel/workqueue.c:1725 __queue_work+0xb52/0x1060 kernel/workqueue.c:1724
Modules linked in:
CPU: 0 PID: 780 Comm: kworker/0:2 Not tainted 6.5.0-rc6-next-20230818-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
Workqueue: events l2cap_chan_timeout
RIP: 0010:__queue_work+0xb52/0x1060 kernel/workqueue.c:1724
Code: 03 38 d0 7c 09 84 d2 74 05 e8 ea 54 87 00 8b 5b 2c 31 ff 83 e3 20 89 de e8 5b cf 31 00 85 db 0f 85 7f 01 00 00 e8 de d3 31 00 <0f> 0b e9 ca fa ff ff e8 d2 d3 31 00 0f 0b e9 76 fa ff ff e8 c6 d3
RSP: 0018:ffffc900046d7ac8 EFLAGS: 00010093
RAX: 0000000000000000 RBX: ffff888013650000 RCX: 0000000000000000
RDX: ffff88801d4d1dc0 RSI: ffffffff8155ff92 RDI: ffff888013650008
RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000200000 R11: 0000000000000000 R12: ffff88806a634270
R13: ffffffff81dd2d93 R14: ffff88806a6342b8 R15: ffffffff81dd2d93
FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f98dec6b6c0 CR3: 000000000c976000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__queue_delayed_work+0x1bf/0x260 kernel/workqueue.c:1950
queue_delayed_work_on+0x106/0x130 kernel/workqueue.c:1986
queue_delayed_work include/linux/workqueue.h:569 [inline]
hci_conn_drop include/net/bluetooth/hci_core.h:1549 [inline]
hci_conn_drop include/net/bluetooth/hci_core.h:1519 [inline]
l2cap_chan_del+0x389/0x9b0 net/bluetooth/l2cap_core.c:659
l2cap_chan_close+0xff/0xa20 net/bluetooth/l2cap_core.c:842
l2cap_chan_timeout+0x17d/0x2f0 net/bluetooth/l2cap_core.c:452
process_one_work+0x887/0x15d0 kernel/workqueue.c:2630
process_scheduled_works kernel/workqueue.c:2703 [inline]
worker_thread+0x8bb/0x1290 kernel/workqueue.c:2784
kthread+0x33a/0x430 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
</TASK>
Tested on:
commit: 7271b2a5 Add linux-next specific files for 20230818
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1333e4dfa80000
kernel config: https://syzkaller.appspot.com/x/.config?x=1936af09cdef7dd6
dashboard link: https://syzkaller.appspot.com/bug?extid=a0c80b06ae2cb8895bc4
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1361735ba80000
* Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in hci_send_acl
[not found] <20230825111931.3182-1-hdanton@sina.com>
From: syzbot @ 2023-08-25 12:56 UTC
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in l2cap_chan_timeout
INFO: task kworker/0:0:8 blocked for more than 143 seconds.
Not tainted 6.5.0-rc6-next-20230818-syzkaller-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/0:0 state:D stack:26488 pid:8 ppid:2 flags:0x00004000
Workqueue: events l2cap_chan_timeout
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5382 [inline]
__schedule+0xee1/0x59f0 kernel/sched/core.c:6695
schedule+0xe7/0x1b0 kernel/sched/core.c:6771
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6830
__mutex_lock_common kernel/locking/mutex.c:679 [inline]
__mutex_lock+0x967/0x1340 kernel/locking/mutex.c:747
l2cap_chan_timeout+0x68/0x2f0 net/bluetooth/l2cap_core.c:438
process_one_work+0x887/0x15d0 kernel/workqueue.c:2630
process_scheduled_works kernel/workqueue.c:2703 [inline]
worker_thread+0x8bb/0x1290 kernel/workqueue.c:2784
kthread+0x33a/0x430 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
</TASK>
INFO: task kworker/0:1:9 blocked for more than 143 seconds.
Not tainted 6.5.0-rc6-next-20230818-syzkaller-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/0:1 state:D stack:28784 pid:9 ppid:2 flags:0x00004000
Workqueue: events l2cap_chan_timeout
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5382 [inline]
__schedule+0xee1/0x59f0 kernel/sched/core.c:6695
schedule+0xe7/0x1b0 kernel/sched/core.c:6771
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6830
__mutex_lock_common kernel/locking/mutex.c:679 [inline]
__mutex_lock+0x967/0x1340 kernel/locking/mutex.c:747
l2cap_chan_timeout+0x68/0x2f0 net/bluetooth/l2cap_core.c:438
process_one_work+0x887/0x15d0 kernel/workqueue.c:2630
process_scheduled_works kernel/workqueue.c:2703 [inline]
worker_thread+0x8bb/0x1290 kernel/workqueue.c:2784
kthread+0x33a/0x430 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
</TASK>
INFO: task kworker/1:0:23 blocked for more than 143 seconds.
Not tainted 6.5.0-rc6-next-20230818-syzkaller-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/1:0 state:D stack:25448 pid:23 ppid:2 flags:0x00004000
Workqueue: events l2cap_chan_timeout
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5382 [inline]
__schedule+0xee1/0x59f0 kernel/sched/core.c:6695
schedule+0xe7/0x1b0 kernel/sched/core.c:6771
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6830
__mutex_lock_common kernel/locking/mutex.c:679 [inline]
__mutex_lock+0x967/0x1340 kernel/locking/mutex.c:747
l2cap_chan_timeout+0x68/0x2f0 net/bluetooth/l2cap_core.c:438
process_one_work+0x887/0x15d0 kernel/workqueue.c:2630
process_scheduled_works kernel/workqueue.c:2703 [inline]
worker_thread+0x8bb/0x1290 kernel/workqueue.c:2784
kthread+0x33a/0x430 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
</TASK>
INFO: task kworker/1:1:27 blocked for more than 143 seconds.
Not tainted 6.5.0-rc6-next-20230818-syzkaller-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/1:1 state:D stack:25880 pid:27 ppid:2 flags:0x00004000
Workqueue: events l2cap_chan_timeout
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5382 [inline]
__schedule+0xee1/0x59f0 kernel/sched/core.c:6695
schedule+0xe7/0x1b0 kernel/sched/core.c:6771
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6830
__mutex_lock_common kernel/locking/mutex.c:679 [inline]
__mutex_lock+0x967/0x1340 kernel/locking/mutex.c:747
l2cap_chan_timeout+0x68/0x2f0 net/bluetooth/l2cap_core.c:438
process_one_work+0x887/0x15d0 kernel/workqueue.c:2630
process_scheduled_works kernel/workqueue.c:2703 [inline]
worker_thread+0x8bb/0x1290 kernel/workqueue.c:2784
kthread+0x33a/0x430 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
</TASK>
INFO: task kworker/u5:0:50 blocked for more than 144 seconds.
Not tainted 6.5.0-rc6-next-20230818-syzkaller-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/u5:0 state:D stack:27704 pid:50 ppid:2 flags:0x00004000
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5382 [inline]
__schedule+0xee1/0x59f0 kernel/sched/core.c:6695
schedule+0xe7/0x1b0 kernel/sched/core.c:6771
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6830
__mutex_lock_common kernel/locking/mutex.c:679 [inline]
__mutex_lock+0x967/0x1340 kernel/locking/mutex.c:747
l2cap_chan_del+0x2b3/0xaa0 net/bluetooth/l2cap_core.c:659
l2cap_conn_del+0x3ce/0x870 net/bluetooth/l2cap_core.c:1918
l2cap_connect_cfm+0xa10/0xf90 net/bluetooth/l2cap_core.c:8232
hci_connect_cfm include/net/bluetooth/hci_core.h:1933 [inline]
hci_conn_failed+0x196/0x320 net/bluetooth/hci_conn.c:1235
hci_abort_conn_sync+0xacb/0xe20 net/bluetooth/hci_sync.c:5432
abort_conn_sync+0x18e/0x3a0 net/bluetooth/hci_conn.c:2878
hci_cmd_sync_work+0x1a4/0x3c0 net/bluetooth/hci_sync.c:306
process_one_work+0x887/0x15d0 kernel/workqueue.c:2630
process_scheduled_works kernel/workqueue.c:2703 [inline]
worker_thread+0x8bb/0x1290 kernel/workqueue.c:2784
kthread+0x33a/0x430 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
</TASK>
INFO: task kworker/0:2:54 blocked for more than 144 seconds.
Not tainted 6.5.0-rc6-next-20230818-syzkaller-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/0:2 state:D stack:25568 pid:54 ppid:2 flags:0x00004000
Workqueue: events l2cap_chan_timeout
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5382 [inline]
__schedule+0xee1/0x59f0 kernel/sched/core.c:6695
schedule+0xe7/0x1b0 kernel/sched/core.c:6771
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6830
__mutex_lock_common kernel/locking/mutex.c:679 [inline]
__mutex_lock+0x967/0x1340 kernel/locking/mutex.c:747
l2cap_chan_del+0x2b3/0xaa0 net/bluetooth/l2cap_core.c:659
l2cap_chan_close+0xff/0xa20 net/bluetooth/l2cap_core.c:844
l2cap_chan_timeout+0x17d/0x2f0 net/bluetooth/l2cap_core.c:452
process_one_work+0x887/0x15d0 kernel/workqueue.c:2630
process_scheduled_works kernel/workqueue.c:2703 [inline]
worker_thread+0x8bb/0x1290 kernel/workqueue.c:2784
kthread+0x33a/0x430 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
</TASK>
INFO: task kworker/1:2:780 blocked for more than 144 seconds.
Not tainted 6.5.0-rc6-next-20230818-syzkaller-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/1:2 state:D stack:26504 pid:780 ppid:2 flags:0x00004000
Workqueue: events l2cap_chan_timeout
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5382 [inline]
__schedule+0xee1/0x59f0 kernel/sched/core.c:6695
schedule+0xe7/0x1b0 kernel/sched/core.c:6771
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6830
__mutex_lock_common kernel/locking/mutex.c:679 [inline]
__mutex_lock+0x967/0x1340 kernel/locking/mutex.c:747
l2cap_chan_timeout+0x68/0x2f0 net/bluetooth/l2cap_core.c:438
process_one_work+0x887/0x15d0 kernel/workqueue.c:2630
process_scheduled_works kernel/workqueue.c:2703 [inline]
worker_thread+0x8bb/0x1290 kernel/workqueue.c:2784
kthread+0x33a/0x430 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
</TASK>
INFO: task kworker/1:3:4456 blocked for more than 144 seconds.
Not tainted 6.5.0-rc6-next-20230818-syzkaller-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/1:3 state:D stack:28128 pid:4456 ppid:2 flags:0x00004000
Workqueue: events l2cap_chan_timeout
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5382 [inline]
__schedule+0xee1/0x59f0 kernel/sched/core.c:6695
schedule+0xe7/0x1b0 kernel/sched/core.c:6771
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6830
__mutex_lock_common kernel/locking/mutex.c:679 [inline]
__mutex_lock+0x967/0x1340 kernel/locking/mutex.c:747
l2cap_chan_timeout+0x68/0x2f0 net/bluetooth/l2cap_core.c:438
process_one_work+0x887/0x15d0 kernel/workqueue.c:2630
process_scheduled_works kernel/workqueue.c:2703 [inline]
worker_thread+0x8bb/0x1290 kernel/workqueue.c:2784
kthread+0x33a/0x430 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
</TASK>
INFO: task kworker/1:4:5053 blocked for more than 145 seconds.
Not tainted 6.5.0-rc6-next-20230818-syzkaller-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/1:4 state:D stack:25112 pid:5053 ppid:2 flags:0x00004000
Workqueue: events l2cap_chan_timeout
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5382 [inline]
__schedule+0xee1/0x59f0 kernel/sched/core.c:6695
schedule+0xe7/0x1b0 kernel/sched/core.c:6771
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6830
__mutex_lock_common kernel/locking/mutex.c:679 [inline]
__mutex_lock+0x967/0x1340 kernel/locking/mutex.c:747
l2cap_chan_timeout+0x68/0x2f0 net/bluetooth/l2cap_core.c:438
process_one_work+0x887/0x15d0 kernel/workqueue.c:2630
process_scheduled_works kernel/workqueue.c:2703 [inline]
worker_thread+0x8bb/0x1290 kernel/workqueue.c:2784
kthread+0x33a/0x430 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
</TASK>
INFO: task kworker/0:4:5059 blocked for more than 145 seconds.
Not tainted 6.5.0-rc6-next-20230818-syzkaller-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/0:4 state:D stack:27920 pid:5059 ppid:2 flags:0x00004000
Workqueue: events l2cap_chan_timeout
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5382 [inline]
__schedule+0xee1/0x59f0 kernel/sched/core.c:6695
schedule+0xe7/0x1b0 kernel/sched/core.c:6771
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6830
__mutex_lock_common kernel/locking/mutex.c:679 [inline]
__mutex_lock+0x967/0x1340 kernel/locking/mutex.c:747
l2cap_chan_timeout+0x68/0x2f0 net/bluetooth/l2cap_core.c:438
process_one_work+0x887/0x15d0 kernel/workqueue.c:2630
process_scheduled_works kernel/workqueue.c:2703 [inline]
worker_thread+0x8bb/0x1290 kernel/workqueue.c:2784
kthread+0x33a/0x430 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
</TASK>
Future hung task reports are suppressed, see sysctl kernel.hung_task_warnings
INFO: lockdep is turned off.
NMI backtrace for cpu 0
CPU: 0 PID: 29 Comm: khungtaskd Not tainted 6.5.0-rc6-next-20230818-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
nmi_cpu_backtrace+0x277/0x380 lib/nmi_backtrace.c:113
nmi_trigger_cpumask_backtrace+0x299/0x300 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:160 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:222 [inline]
watchdog+0xfac/0x1230 kernel/hung_task.c:379
kthread+0x33a/0x430 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
</TASK>
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1 skipped: idling at native_safe_halt arch/x86/include/asm/irqflags.h:48 [inline]
NMI backtrace for cpu 1 skipped: idling at arch_safe_halt arch/x86/include/asm/irqflags.h:86 [inline]
NMI backtrace for cpu 1 skipped: idling at acpi_safe_halt+0x1b/0x20 drivers/acpi/processor_idle.c:112
Tested on:
commit: 7271b2a5 Add linux-next specific files for 20230818
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=109b2797a80000
kernel config: https://syzkaller.appspot.com/x/.config?x=1936af09cdef7dd6
dashboard link: https://syzkaller.appspot.com/bug?extid=a0c80b06ae2cb8895bc4
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=146ec7cfa80000
* [PATCH] Bluetooth: hci_conn: verify connection is to be aborted before doing it
@ 2023-08-25 19:01 Pauli Virtanen
2023-08-25 19:34 ` [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in hci_send_acl syzbot
2023-08-25 19:34 ` Bluetooth: hci_conn: verify connection is to be aborted before doing it bluez.test.bot
0 siblings, 2 replies; 15+ messages in thread
From: Pauli Virtanen @ 2023-08-25 19:01 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Pauli Virtanen, syzbot, syzkaller-bugs
There is a race condition where a connection handle is reused, after
hci_abort_conn but before abort_conn_sync is processed in hci_sync. In
this case, hci_abort_conn_sync ends up calling hci_connect_cfm with
success status and then deletes the connection, which causes a
use-after-free.
Fix by checking abort_reason before calling hci_abort_conn_sync.
Also fix some theoretical UAF / races, where something frees the conn
while hci_abort_conn_sync is working on it.
Fixes: a13f316e90fd ("Bluetooth: hci_conn: Consolidate code for aborting connections")
Reported-by: syzbot+a0c80b06ae2cb8895bc4@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-bluetooth/0000000000005ab984060371583e@google.com/
Signed-off-by: Pauli Virtanen <pav@iki.fi>
---
Notes:
Not sure how you'd hit this condition in a real controller, but syzbot
does end up calling hci_abort_conn_sync with reason == 0, which then
causes havoc.
This can be verified: with a patch that changes abort_conn_sync to
2874 conn = hci_conn_hash_lookup_handle(hdev, handle);
2875 if (!conn || WARN_ON(!conn->abort_reason))
2876 return 0;
https://syzkaller.appspot.com/text?tag=Patch&x=16eff740680000
it hits that WARN_ON:
https://syzkaller.appspot.com/x/log.txt?x=10affb97a80000
#syz test git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git master
net/bluetooth/hci_conn.c | 17 ++++++++++++++++-
net/bluetooth/hci_sync.c | 2 ++
2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 9d5057cef30a..8622eddb946a 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -2886,12 +2886,25 @@ static int abort_conn_sync(struct hci_dev *hdev, void *data)
{
struct hci_conn *conn;
u16 handle = PTR_UINT(data);
+ u8 reason;
+ int err;
+
+ rcu_read_lock();
conn = hci_conn_hash_lookup_handle(hdev, handle);
+ if (conn) {
+ reason = READ_ONCE(conn->abort_reason);
+ conn = reason ? hci_conn_get(conn) : NULL;
+ }
+
+ rcu_read_unlock();
+
if (!conn)
return 0;
- return hci_abort_conn_sync(hdev, conn, conn->abort_reason);
+ err = hci_abort_conn_sync(hdev, conn, reason);
+ hci_conn_put(conn);
+ return err;
}
int hci_abort_conn(struct hci_conn *conn, u8 reason)
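Review bot: in the lookup block, hci_conn_get() is taken on an object found through the RCU-protected hash walk, which is only safe if a connection cannot still be reachable from the hash after its refcount has dropped to zero (i.e. the free path is RCU-deferred, or the last put unhashes first); the hunk does not show which holds, so either say so in the commit message or take the reference with a get-unless-zero style helper that fails cleanly. The READ_ONCE(conn->abort_reason) added here also pairs with a store in hci_abort_conn() that this patch leaves as a plain assignment; pair it with WRITE_ONCE() for consistency.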
@@ -2903,6 +2916,8 @@ int hci_abort_conn(struct hci_conn *conn, u8 reason)
*/
if (conn->abort_reason)
return 0;
+ if (WARN_ON(!reason))
+ reason = HCI_ERROR_UNSPECIFIED;
bt_dev_dbg(hdev, "handle 0x%2.2x reason 0x%2.2x", conn->handle, reason);
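Review bot: WARN_ON(!reason) fires on every call that passes 0, and under panic_on_warn a warning is a crash, so the HCI_ERROR_UNSPECIFIED fallback on the next line never gets to help on such systems; if a zero reason is a reachable caller mistake rather than an invariant, bt_dev_err() or WARN_ON_ONCE() is the safer choice. The check also sits below the `if (conn->abort_reason) return 0;` early return, so a repeated abort with reason 0 is accepted silently; move it above the early return if the intent is to validate every call.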
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 9b93653c6197..a93096c5cbfd 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -5375,6 +5375,8 @@ int hci_abort_conn_sync(struct hci_dev *hdev, struct hci_conn *conn, u8 reason)
u16 handle = conn->handle;
struct hci_conn *c;
+ WARN_ON(!reason);
+
switch (conn->state) {
case BT_CONNECTED:
case BT_CONFIG:
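Review bot: this WARN_ON(!reason) has no fallback, unlike the hci_conn.c hunk, which substitutes HCI_ERROR_UNSPECIFIED, so after the warning a zero reason still flows into the switch below and out to the controller; either return an error here or substitute the same default so the two paths behave consistently.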
--
2.41.0
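The handle-reuse race described in the patch above, modelled in plain userspace C as an added example (not code from the kernel, the patch, or anyone in the thread). It keeps only what the race needs: a connection table indexed by handle, an abort_reason field, a refcount, and a queued work item that carries nothing but the handle, as PTR_UINT(data) does. abort_conn_sync_buggy() follows the pre-patch shape (look up the handle and act on whatever it now names, using that object's own abort_reason); abort_conn_sync_fixed() follows the patched shape (treat a zero abort_reason as "not the connection that asked" and pin the object with a reference while it is used). The run_scenario() driver, the 0x13 value standing in for HCI_ERROR_REMOTE_USER_TERM, and all other names are assumptions made for the model; it shows the logic error, not the memory corruption, since the freed object is never touched.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for struct hci_conn with only the fields the race needs. */
struct conn {
	uint16_t handle;
	uint8_t abort_reason;	/* 0: nobody asked to abort this connection */
	int refcnt;
	int aborted_with;	/* reason the abort step used; -1: never aborted */
};

static struct conn *conn_table[8];	/* hdev connection hash, by handle */
static uint16_t pending_handle;		/* the queued work carries only this */

static struct conn *conn_add(uint16_t handle)
{
	struct conn *c = calloc(1, sizeof(*c));
	c->handle = handle;
	c->refcnt = 1;
	c->aborted_with = -1;
	conn_table[handle] = c;
	return c;
}

static void conn_put(struct conn *c)	/* hci_conn_put(): last put frees */
{
	if (--c->refcnt)
		return;
	if (conn_table[c->handle] == c)
		conn_table[c->handle] = NULL;
	free(c);
}

/* Model of hci_abort_conn(): record the reason, queue the work by handle. */
static void abort_conn(struct conn *c, uint8_t reason)
{
	if (c->abort_reason)
		return;
	c->abort_reason = reason;
	pending_handle = c->handle;
}

/* Pre-patch worker: whatever now owns the handle is aborted with its own
 * abort_reason, which is 0 for a connection that never asked for it. */
static int abort_conn_sync_buggy(void)
{
	struct conn *c = conn_table[pending_handle];
	if (!c)
		return 0;
	c->aborted_with = c->abort_reason;
	return 1;
}

/* Patched worker: a zero abort_reason means "not the connection that asked",
 * and a reference (hci_conn_get/put) pins the object while it is used. */
static int abort_conn_sync_fixed(void)
{
	struct conn *c = conn_table[pending_handle];
	uint8_t reason = 0;
	if (c) {
		reason = c->abort_reason;
		if (reason)
			c->refcnt++;
		else
			c = NULL;
	}
	if (!c)
		return 0;
	c->aborted_with = reason;
	conn_put(c);
	return 1;
}

/* Abort handle 1; optionally free that connection and let a new one take
 * handle 1 before the work runs. Returns what the connection holding handle 1
 * when the work ran was aborted with (-1: left untouched). */
static int run_scenario(bool fixed, bool reuse_handle)
{
	struct conn *target;
	int result;
	memset(conn_table, 0, sizeof(conn_table));
	target = conn_add(1);
	abort_conn(target, 0x13);	/* 0x13: HCI_ERROR_REMOTE_USER_TERM, assumed */
	if (reuse_handle) {
		conn_put(target);	/* old connection gone before the work runs */
		target = conn_add(1);	/* handle reused, abort_reason == 0 */
	}
	if (fixed)
		abort_conn_sync_fixed();
	else
		abort_conn_sync_buggy();
	result = target->aborted_with;
	conn_put(target);
	return result;
}
```

Without reuse both workers abort with 0x13. With the handle reused, the buggy worker aborts the new, unrelated connection with reason 0, which is the reason == 0 call the author mentions in the notes, while the fixed worker leaves it alone because the new connection never set abort_reason.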
* Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in hci_send_acl
2023-08-25 19:01 [PATCH] Bluetooth: hci_conn: verify connection is to be aborted before doing it Pauli Virtanen
@ 2023-08-25 19:34 ` syzbot
2023-08-25 19:34 ` Bluetooth: hci_conn: verify connection is to be aborted before doing it bluez.test.bot
1 sibling, 0 replies; 15+ messages in thread
From: syzbot @ 2023-08-25 19:34 UTC (permalink / raw)
To: linux-bluetooth, pav, syzkaller-bugs
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+a0c80b06ae2cb8895bc4@syzkaller.appspotmail.com
Tested on:
commit: 2a05334d Bluetooth: btusb: Do not call kfree_skb() und..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=1521e55ba80000
kernel config: https://syzkaller.appspot.com/x/.config?x=e532e371ba4b65ca
dashboard link: https://syzkaller.appspot.com/bug?extid=a0c80b06ae2cb8895bc4
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=11eaff5ba80000
Note: testing is done by a robot and is best-effort only.
* RE: Bluetooth: hci_conn: verify connection is to be aborted before doing it
2023-08-25 19:01 [PATCH] Bluetooth: hci_conn: verify connection is to be aborted before doing it Pauli Virtanen
2023-08-25 19:34 ` [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in hci_send_acl syzbot
@ 2023-08-25 19:34 ` bluez.test.bot
1 sibling, 0 replies; 15+ messages in thread
From: bluez.test.bot @ 2023-08-25 19:34 UTC (permalink / raw)
To: linux-bluetooth, pav
This is an automated email; please do not reply to it!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=779464
---Test result---
Test Summary:
CheckPatch PASS 0.89 seconds
GitLint FAIL 0.59 seconds
SubjectPrefix PASS 0.13 seconds
BuildKernel PASS 32.03 seconds
CheckAllWarning PASS 35.29 seconds
CheckSparse PASS 40.36 seconds
CheckSmatch PASS 113.12 seconds
BuildKernel32 PASS 31.07 seconds
TestRunnerSetup PASS 475.05 seconds
TestRunner_l2cap-tester PASS 27.01 seconds
TestRunner_iso-tester PASS 47.85 seconds
TestRunner_bnep-tester PASS 10.34 seconds
TestRunner_mgmt-tester PASS 217.79 seconds
TestRunner_rfcomm-tester PASS 15.84 seconds
TestRunner_sco-tester PASS 19.02 seconds
TestRunner_ioctl-tester PASS 17.82 seconds
TestRunner_mesh-tester PASS 12.97 seconds
TestRunner_smp-tester PASS 14.03 seconds
TestRunner_userchan-tester PASS 10.94 seconds
IncrementalBuild PASS 29.67 seconds
Details
##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
Bluetooth: hci_conn: verify connection is to be aborted before doing it
WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
15: B1 Line exceeds max length (88>80): "Closes: https://lore.kernel.org/linux-bluetooth/0000000000005ab984060371583e@google.com/"
26: B3 Line contains hard tab characters (\t): " 2874 conn = hci_conn_hash_lookup_handle(hdev, handle);"
27: B3 Line contains hard tab characters (\t): " 2875 if (!conn || WARN_ON(!conn->abort_reason))"
28: B3 Line contains hard tab characters (\t): " 2876 return 0;"
---
Regards,
Linux Bluetooth
* Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in hci_send_acl
[not found] <20230826011201.3252-1-hdanton@sina.com>
@ 2023-08-26 2:35 ` syzbot
0 siblings, 0 replies; 15+ messages in thread
From: syzbot @ 2023-08-26 2:35 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in hci_cmd_sync_queue
==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:68 [inline]
BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in hci_cmd_sync_queue+0x31/0xa0 net/bluetooth/hci_sync.c:736
Read of size 8 at addr ffff88806a2f00a8 by task kworker/u4:3/48
CPU: 0 PID: 48 Comm: kworker/u4:3 Not tainted 6.5.0-rc6-next-20230818-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
Workqueue: events_unbound hci_conn_timeout
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0xc4/0x620 mm/kasan/report.c:475
kasan_report+0xda/0x110 mm/kasan/report.c:588
check_region_inline mm/kasan/generic.c:181 [inline]
kasan_check_range+0xef/0x190 mm/kasan/generic.c:187
instrument_atomic_read include/linux/instrumented.h:68 [inline]
_test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
hci_cmd_sync_queue+0x31/0xa0 net/bluetooth/hci_sync.c:736
hci_abort_conn+0x15b/0x330 net/bluetooth/hci_conn.c:2912
hci_conn_timeout+0x1a9/0x210 net/bluetooth/hci_conn.c:631
process_one_work+0x887/0x15d0 kernel/workqueue.c:2630
process_scheduled_works kernel/workqueue.c:2703 [inline]
worker_thread+0x8bb/0x1290 kernel/workqueue.c:2784
kthread+0x33a/0x430 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
</TASK>
The buggy address belongs to the physical page:
page:ffffea0001a8bc00 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x6a2f0
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 ffffea0001957c08 ffffea0001a25708 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x5c2cc0(GFP_USER|__GFP_NOWARN|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_ACCOUNT), pid 4708, tgid 4708 (dhcpcd), ts 454062019777, free_ts 454066820991
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x2cf/0x340 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
get_page_from_freelist+0x10d7/0x31b0 mm/page_alloc.c:3219
__alloc_pages+0x1d0/0x4a0 mm/page_alloc.c:4475
__alloc_pages_node include/linux/gfp.h:237 [inline]
alloc_pages_node include/linux/gfp.h:260 [inline]
__kmalloc_large_node+0x87/0x1c0 mm/slab_common.c:1145
__do_kmalloc_node mm/slab_common.c:992 [inline]
__kmalloc_node_track_caller.cold+0x5/0xdd mm/slab_common.c:1024
kmalloc_reserve+0xef/0x270 net/core/skbuff.c:575
__alloc_skb+0x12b/0x330 net/core/skbuff.c:644
alloc_skb include/linux/skbuff.h:1286 [inline]
alloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6274
sock_alloc_send_pskb+0x7c8/0x950 net/core/sock.c:2794
unix_dgram_sendmsg+0x455/0x1c30 net/unix/af_unix.c:1953
sock_sendmsg_nosec net/socket.c:730 [inline]
sock_sendmsg+0xd9/0x180 net/socket.c:753
sock_write_iter+0x29b/0x3d0 net/socket.c:1140
call_write_iter include/linux/fs.h:1983 [inline]
do_iter_readv_writev+0x21e/0x3c0 fs/read_write.c:735
do_iter_write+0x17f/0x830 fs/read_write.c:860
vfs_writev+0x221/0x700 fs/read_write.c:933
do_writev+0x285/0x370 fs/read_write.c:976
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x476/0xa40 mm/page_alloc.c:2348
free_unref_page+0x33/0x3b0 mm/page_alloc.c:2441
skb_kfree_head net/core/skbuff.c:939 [inline]
skb_free_head+0x110/0x1b0 net/core/skbuff.c:951
skb_release_data+0x5ba/0x870 net/core/skbuff.c:981
skb_release_all net/core/skbuff.c:1047 [inline]
__kfree_skb net/core/skbuff.c:1061 [inline]
consume_skb net/core/skbuff.c:1277 [inline]
consume_skb+0xd2/0x170 net/core/skbuff.c:1271
__unix_dgram_recvmsg+0x814/0xe50 net/unix/af_unix.c:2442
unix_dgram_recvmsg+0xc3/0xf0 net/unix/af_unix.c:2459
sock_recvmsg_nosec net/socket.c:1026 [inline]
sock_recvmsg+0xe2/0x170 net/socket.c:1048
sock_read_iter+0x2c3/0x3c0 net/socket.c:1118
call_read_iter include/linux/fs.h:1977 [inline]
do_iter_readv_writev+0x2f2/0x3c0 fs/read_write.c:733
do_iter_read+0x315/0x870 fs/read_write.c:795
vfs_readv+0x12d/0x1a0 fs/read_write.c:915
do_readv+0x285/0x370 fs/read_write.c:952
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Memory state around the buggy address:
ffff88806a2eff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88806a2f0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88806a2f0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88806a2f0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88806a2f0180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
Tested on:
commit: 7271b2a5 Add linux-next specific files for 20230818
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1005e760680000
kernel config: https://syzkaller.appspot.com/x/.config?x=1936af09cdef7dd6
dashboard link: https://syzkaller.appspot.com/bug?extid=a0c80b06ae2cb8895bc4
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=145e5f5ba80000
* Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in hci_send_acl
[not found] <20230826035531.3320-1-hdanton@sina.com>
@ 2023-08-26 4:29 ` syzbot
0 siblings, 0 replies; 15+ messages in thread
From: syzbot @ 2023-08-26 4:29 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in hci_get_route
==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:68 [inline]
BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in hci_get_route+0x1cc/0x510 net/bluetooth/hci_conn.c:1156
Read of size 8 at addr ffff888068d1c0a8 by task syz-executor.0/5857
CPU: 0 PID: 5857 Comm: syz-executor.0 Not tainted 6.5.0-rc6-next-20230818-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0xc4/0x620 mm/kasan/report.c:475
kasan_report+0xda/0x110 mm/kasan/report.c:588
check_region_inline mm/kasan/generic.c:181 [inline]
kasan_check_range+0xef/0x190 mm/kasan/generic.c:187
instrument_atomic_read include/linux/instrumented.h:68 [inline]
_test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
hci_get_route+0x1cc/0x510 net/bluetooth/hci_conn.c:1156
get_l2cap_conn.constprop.0+0xe9/0x6b0 net/bluetooth/6lowpan.c:968
lowpan_control_write+0x1ba/0x730 net/bluetooth/6lowpan.c:1100
full_proxy_write+0x124/0x190 fs/debugfs/file.c:236
vfs_write+0x2a4/0xe40 fs/read_write.c:582
ksys_write+0x12f/0x250 fs/read_write.c:637
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f728f47cae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f72900ee0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f728f59bf80 RCX: 00007f728f47cae9
RDX: 000000000000001b RSI: 0000000020000280 RDI: 0000000000000003
RBP: 00007f728f4c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f728f59bf80 R15: 00007ffd19482978
</TASK>
The buggy address belongs to the physical page:
page:ffffea0001a34700 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x68d1c
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 ffffea00008a6e08 ffff8880b9842670 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x140dc0(GFP_USER|__GFP_COMP|__GFP_ZERO), pid 5393, tgid 5393 (syz-executor.0), ts 86181654329, free_ts 106465252737
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x2cf/0x340 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
get_page_from_freelist+0x10d7/0x31b0 mm/page_alloc.c:3219
__alloc_pages+0x1d0/0x4a0 mm/page_alloc.c:4475
__alloc_pages_node include/linux/gfp.h:237 [inline]
alloc_pages_node include/linux/gfp.h:260 [inline]
__kmalloc_large_node+0x87/0x1c0 mm/slab_common.c:1145
__do_kmalloc_node mm/slab_common.c:992 [inline]
__kmalloc.cold+0xb/0xe0 mm/slab_common.c:1017
kmalloc include/linux/slab.h:604 [inline]
kzalloc include/linux/slab.h:721 [inline]
hci_alloc_dev_priv+0x1d/0x2770 net/bluetooth/hci_core.c:2467
hci_alloc_dev include/net/bluetooth/hci_core.h:1598 [inline]
__vhci_create_device+0xf7/0x800 drivers/bluetooth/hci_vhci.c:402
vhci_create_device drivers/bluetooth/hci_vhci.c:475 [inline]
vhci_get_user drivers/bluetooth/hci_vhci.c:532 [inline]
vhci_write+0x2c7/0x470 drivers/bluetooth/hci_vhci.c:612
call_write_iter include/linux/fs.h:1983 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x650/0xe40 fs/read_write.c:584
ksys_write+0x12f/0x250 fs/read_write.c:637
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x476/0xa40 mm/page_alloc.c:2348
free_unref_page+0x33/0x3b0 mm/page_alloc.c:2441
bt_host_release+0x87/0xb0 net/bluetooth/hci_sysfs.c:95
device_release+0xa1/0x240 drivers/base/core.c:2484
kobject_cleanup lib/kobject.c:689 [inline]
kobject_release lib/kobject.c:720 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x1f7/0x5b0 lib/kobject.c:737
put_device+0x1f/0x30 drivers/base/core.c:3731
hci_dev_put include/net/bluetooth/hci_core.h:1558 [inline]
hci_conn_timeout+0x215/0x2d0 net/bluetooth/hci_conn.c:633
process_one_work+0x887/0x15d0 kernel/workqueue.c:2630
process_scheduled_works kernel/workqueue.c:2703 [inline]
worker_thread+0x8bb/0x1290 kernel/workqueue.c:2784
kthread+0x33a/0x430 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
Memory state around the buggy address:
ffff888068d1bf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888068d1c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888068d1c080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff888068d1c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888068d1c180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
Tested on:
commit: 7271b2a5 Add linux-next specific files for 20230818
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=11425db7a80000
kernel config: https://syzkaller.appspot.com/x/.config?x=1936af09cdef7dd6
dashboard link: https://syzkaller.appspot.com/bug?extid=a0c80b06ae2cb8895bc4
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=170c63a7a80000
* Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in hci_send_acl
[not found] <20230826080830.3403-1-hdanton@sina.com>
@ 2023-08-26 9:02 ` syzbot
0 siblings, 0 replies; 15+ messages in thread
From: syzbot @ 2023-08-26 9:02 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in l2cap_chan_del
==================================================================
BUG: KASAN: slab-use-after-free in hci_conn_drop include/net/bluetooth/hci_core.h:1549 [inline]
BUG: KASAN: slab-use-after-free in hci_conn_drop include/net/bluetooth/hci_core.h:1519 [inline]
BUG: KASAN: slab-use-after-free in l2cap_chan_del+0xa0b/0xa70 net/bluetooth/l2cap_core.c:668
Read of size 8 at addr ffff888073cb0718 by task kworker/1:0/23
CPU: 1 PID: 23 Comm: kworker/1:0 Not tainted 6.5.0-rc6-next-20230818-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
Workqueue: events l2cap_chan_timeout
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0xc4/0x620 mm/kasan/report.c:475
kasan_report+0xda/0x110 mm/kasan/report.c:588
hci_conn_drop include/net/bluetooth/hci_core.h:1549 [inline]
hci_conn_drop include/net/bluetooth/hci_core.h:1519 [inline]
l2cap_chan_del+0xa0b/0xa70 net/bluetooth/l2cap_core.c:668
l2cap_chan_close+0xff/0xa20 net/bluetooth/l2cap_core.c:851
l2cap_chan_timeout+0x17d/0x2f0 net/bluetooth/l2cap_core.c:452
process_one_work+0x887/0x15d0 kernel/workqueue.c:2630
process_scheduled_works kernel/workqueue.c:2703 [inline]
worker_thread+0x8bb/0x1290 kernel/workqueue.c:2784
kthread+0x33a/0x430 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
</TASK>
Allocated by task 78:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
__kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:328
kasan_slab_alloc include/linux/kasan.h:188 [inline]
slab_post_alloc_hook mm/slab.h:762 [inline]
slab_alloc_node mm/slub.c:3478 [inline]
kmem_cache_alloc_node+0x185/0x3f0 mm/slub.c:3523
kmalloc_reserve+0x167/0x270 net/core/skbuff.c:559
pskb_expand_head+0x236/0x1170 net/core/skbuff.c:2087
netlink_trim+0x1eb/0x240 net/netlink/af_netlink.c:1324
netlink_broadcast_filtered+0xc5/0xf00 net/netlink/af_netlink.c:1531
netlink_broadcast+0x39/0x50 net/netlink/af_netlink.c:1576
nlmsg_multicast include/net/netlink.h:1079 [inline]
genlmsg_multicast_netns include/net/genetlink.h:454 [inline]
devlink_trap_notify net/devlink/leftover.c:8813 [inline]
devlink_trap_notify+0x1a9/0x240 net/devlink/leftover.c:8791
devlink_trap_unregister+0x127/0x3a0 net/devlink/leftover.c:8871
devl_traps_unregister+0x233/0x2f0 net/devlink/leftover.c:8978
nsim_dev_traps_exit+0x53/0x170 drivers/net/netdevsim/dev.c:936
nsim_dev_reload_destroy+0x1e0/0x560 drivers/net/netdevsim/dev.c:1663
nsim_dev_reload_down+0x6e/0xd0 drivers/net/netdevsim/dev.c:965
devlink_reload+0x11c/0x450 net/devlink/dev.c:363
devlink_pernet_pre_exit+0x1ce/0x2a0 net/devlink/core.c:282
ops_pre_exit_list net/core/net_namespace.c:160 [inline]
cleanup_net+0x46c/0xb20 net/core/net_namespace.c:602
process_one_work+0x887/0x15d0 kernel/workqueue.c:2630
process_scheduled_works kernel/workqueue.c:2703 [inline]
worker_thread+0x8bb/0x1290 kernel/workqueue.c:2784
kthread+0x33a/0x430 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
Freed by task 78:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522
____kasan_slab_free mm/kasan/common.c:236 [inline]
____kasan_slab_free+0x15b/0x1b0 mm/kasan/common.c:200
kasan_slab_free include/linux/kasan.h:164 [inline]
slab_free_hook mm/slub.c:1800 [inline]
slab_free_freelist_hook+0x114/0x1e0 mm/slub.c:1826
slab_free mm/slub.c:3809 [inline]
kmem_cache_free+0xf0/0x480 mm/slub.c:3831
skb_kfree_head net/core/skbuff.c:937 [inline]
skb_kfree_head net/core/skbuff.c:934 [inline]
skb_free_head+0x17f/0x1b0 net/core/skbuff.c:951
skb_release_data+0x5ba/0x870 net/core/skbuff.c:981
skb_release_all net/core/skbuff.c:1047 [inline]
__kfree_skb net/core/skbuff.c:1061 [inline]
consume_skb net/core/skbuff.c:1277 [inline]
consume_skb+0xd2/0x170 net/core/skbuff.c:1271
netlink_broadcast_filtered+0x3d4/0xf00 net/netlink/af_netlink.c:1554
netlink_broadcast+0x39/0x50 net/netlink/af_netlink.c:1576
nlmsg_multicast include/net/netlink.h:1079 [inline]
genlmsg_multicast_netns include/net/genetlink.h:454 [inline]
devlink_trap_notify net/devlink/leftover.c:8813 [inline]
devlink_trap_notify+0x1a9/0x240 net/devlink/leftover.c:8791
devlink_trap_unregister+0x127/0x3a0 net/devlink/leftover.c:8871
devl_traps_unregister+0x233/0x2f0 net/devlink/leftover.c:8978
nsim_dev_traps_exit+0x53/0x170 drivers/net/netdevsim/dev.c:936
nsim_dev_reload_destroy+0x1e0/0x560 drivers/net/netdevsim/dev.c:1663
nsim_dev_reload_down+0x6e/0xd0 drivers/net/netdevsim/dev.c:965
devlink_reload+0x11c/0x450 net/devlink/dev.c:363
devlink_pernet_pre_exit+0x1ce/0x2a0 net/devlink/core.c:282
ops_pre_exit_list net/core/net_namespace.c:160 [inline]
cleanup_net+0x46c/0xb20 net/core/net_namespace.c:602
process_one_work+0x887/0x15d0 kernel/workqueue.c:2630
process_scheduled_works kernel/workqueue.c:2703 [inline]
worker_thread+0x8bb/0x1290 kernel/workqueue.c:2784
kthread+0x33a/0x430 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
The buggy address belongs to the object at ffff888073cb0600
which belongs to the cache skbuff_small_head of size 640
The buggy address is located 280 bytes inside of
freed 640-byte region [ffff888073cb0600, ffff888073cb0880)
The buggy address belongs to the physical page:
page:ffffea0001cf2c00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x73cb0
head:ffffea0001cf2c00 order:2 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000840 ffff888019a6a8c0 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000150015 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x1d28c0(GFP_NOWAIT|__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 78, tgid 78 (kworker/u4:5), ts 454224323940, free_ts 453753622092
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x2cf/0x340 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
get_page_from_freelist+0x10d7/0x31b0 mm/page_alloc.c:3219
__alloc_pages+0x1d0/0x4a0 mm/page_alloc.c:4475
alloc_pages+0x1a9/0x270 mm/mempolicy.c:2298
alloc_slab_page mm/slub.c:1870 [inline]
allocate_slab+0x251/0x380 mm/slub.c:2017
new_slab mm/slub.c:2070 [inline]
___slab_alloc+0x8be/0x1570 mm/slub.c:3223
__slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3322
__slab_alloc_node mm/slub.c:3375 [inline]
slab_alloc_node mm/slub.c:3468 [inline]
kmem_cache_alloc_node+0x137/0x3f0 mm/slub.c:3523
kmalloc_reserve+0x167/0x270 net/core/skbuff.c:559
pskb_expand_head+0x236/0x1170 net/core/skbuff.c:2087
netlink_trim+0x1eb/0x240 net/netlink/af_netlink.c:1324
netlink_broadcast_filtered+0xc5/0xf00 net/netlink/af_netlink.c:1531
netlink_broadcast+0x39/0x50 net/netlink/af_netlink.c:1576
nlmsg_multicast include/net/netlink.h:1079 [inline]
genlmsg_multicast_netns include/net/genetlink.h:454 [inline]
devlink_trap_notify net/devlink/leftover.c:8813 [inline]
devlink_trap_notify+0x1a9/0x240 net/devlink/leftover.c:8791
devlink_trap_unregister+0x127/0x3a0 net/devlink/leftover.c:8871
devl_traps_unregister+0x233/0x2f0 net/devlink/leftover.c:8978
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x476/0xa40 mm/page_alloc.c:2348
free_unref_page+0x33/0x3b0 mm/page_alloc.c:2441
__stack_depot_save+0x193/0x510 lib/stackdepot.c:443
kasan_save_stack+0x43/0x50 mm/kasan/common.c:46
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0xa2/0xb0 mm/kasan/common.c:383
kmalloc include/linux/slab.h:600 [inline]
kzalloc include/linux/slab.h:721 [inline]
nf_nat_masq_schedule.part.0+0x290/0x610 net/netfilter/nf_nat_masquerade.c:118
nf_nat_masq_schedule net/netfilter/nf_nat_masquerade.c:108 [inline]
masq_device_event+0xee/0x120 net/netfilter/nf_nat_masquerade.c:162
notifier_call_chain+0xb6/0x3b0 kernel/notifier.c:93
call_netdevice_notifiers_info+0xb9/0x130 net/core/dev.c:1970
call_netdevice_notifiers_extack net/core/dev.c:2008 [inline]
call_netdevice_notifiers net/core/dev.c:2022 [inline]
dev_close_many+0x305/0x640 net/core/dev.c:1563
unregister_netdevice_many_notify+0x41b/0x1a20 net/core/dev.c:10908
unregister_netdevice_many net/core/dev.c:10991 [inline]
unregister_netdevice_queue+0x2e5/0x3c0 net/core/dev.c:10871
unregister_netdevice include/linux/netdevice.h:3106 [inline]
__tun_detach+0x116f/0x1470 drivers/net/tun.c:684
tun_detach drivers/net/tun.c:700 [inline]
tun_chr_close+0xc8/0x240 drivers/net/tun.c:3496
__fput+0x3f7/0xa70 fs/file_table.c:384
Memory state around the buggy address:
ffff888073cb0600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888073cb0680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888073cb0700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888073cb0780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888073cb0800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: 7271b2a5 Add linux-next specific files for 20230818
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1372b89fa80000
kernel config: https://syzkaller.appspot.com/x/.config?x=1936af09cdef7dd6
dashboard link: https://syzkaller.appspot.com/bug?extid=a0c80b06ae2cb8895bc4
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=11e1e55ba80000
* Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in hci_send_acl
[not found] <20230827014138.3473-1-hdanton@sina.com>
@ 2023-08-27 2:44 ` syzbot
0 siblings, 0 replies; 15+ messages in thread
From: syzbot @ 2023-08-27 2:44 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+a0c80b06ae2cb8895bc4@syzkaller.appspotmail.com
Tested on:
commit: 7271b2a5 Add linux-next specific files for 20230818
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1032fd40680000
kernel config: https://syzkaller.appspot.com/x/.config?x=1936af09cdef7dd6
dashboard link: https://syzkaller.appspot.com/bug?extid=a0c80b06ae2cb8895bc4
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1496adb7a80000
Note: testing is done by a robot and is best-effort only.
* Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in hci_send_acl
2023-08-21 16:26 syzbot
@ 2023-08-31 18:07 ` syzbot
2024-01-14 14:37 ` syzbot
1 sibling, 0 replies; 15+ messages in thread
From: syzbot @ 2023-08-31 18:07 UTC (permalink / raw)
To: hdanton, johan.hedberg, linux-bluetooth, linux-kernel, luiz.dentz,
luiz.von.dentz, marcel, pav, syzkaller-bugs
syzbot has bisected this issue to:
commit 45c37c4e9c9aab5bb1cf5778d8e5ebd9f9ad820a
Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: Wed Aug 9 23:49:33 2023 +0000
Bluetooth: hci_sync: Fix UAF in hci_disconnect_all_sync
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1042c5ffa80000
start commit: 7271b2a53042 Add linux-next specific files for 20230818
git tree: linux-next
final oops: https://syzkaller.appspot.com/x/report.txt?x=1242c5ffa80000
console output: https://syzkaller.appspot.com/x/log.txt?x=1442c5ffa80000
kernel config: https://syzkaller.appspot.com/x/.config?x=1936af09cdef7dd6
dashboard link: https://syzkaller.appspot.com/bug?extid=a0c80b06ae2cb8895bc4
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13506923a80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=147569efa80000
Reported-by: syzbot+a0c80b06ae2cb8895bc4@syzkaller.appspotmail.com
Fixes: 45c37c4e9c9a ("Bluetooth: hci_sync: Fix UAF in hci_disconnect_all_sync")
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
* Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in hci_send_acl
2023-09-30 12:53 [PATCH v2 2/2] " Pauli Virtanen
@ 2023-09-30 13:28 ` syzbot
0 siblings, 0 replies; 15+ messages in thread
From: syzbot @ 2023-09-30 13:28 UTC (permalink / raw)
To: linux-bluetooth, pav, syzkaller-bugs
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+a0c80b06ae2cb8895bc4@syzkaller.appspotmail.com
Tested on:
commit: 62dc2425 Bluetooth: ISO: Fix invalid context error
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=12897062680000
kernel config: https://syzkaller.appspot.com/x/.config?x=3d83e69abefedb6e
dashboard link: https://syzkaller.appspot.com/bug?extid=a0c80b06ae2cb8895bc4
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
patch: https://syzkaller.appspot.com/x/patch.diff?x=14a7711a680000
Note: testing is done by a robot and is best-effort only.
* Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in hci_send_acl
2023-08-21 16:26 syzbot
2023-08-31 18:07 ` syzbot
@ 2024-01-14 14:37 ` syzbot
1 sibling, 0 replies; 15+ messages in thread
From: syzbot @ 2024-01-14 14:37 UTC (permalink / raw)
To: davem, edumazet, hdanton, johan.hedberg, kuba, linux-bluetooth,
linux-kernel, luiz.dentz, luiz.von.dentz, marcel, netdev, pabeni,
pav, syzkaller-bugs, william.xuanziyang
syzbot suspects this issue was fixed by commit:
commit 181a42edddf51d5d9697ecdf365d72ebeab5afb0
Author: Ziyang Xuan <william.xuanziyang@huawei.com>
Date: Wed Oct 11 09:57:31 2023 +0000
Bluetooth: Make handle of hci_conn be unique
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=127944c1e80000
start commit: 4b2b606075e5 ipv4/fib: send notify when delete source addr..
git tree: net
kernel config: https://syzkaller.appspot.com/x/.config?x=d594086f139d167
dashboard link: https://syzkaller.appspot.com/bug?extid=a0c80b06ae2cb8895bc4
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=138aad9e680000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=125e0b92680000
If the result looks correct, please mark the issue as fixed by replying with:
#syz fix: Bluetooth: Make handle of hci_conn be unique
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
Thread overview: 15+ messages
2023-08-25 19:01 [PATCH] Bluetooth: hci_conn: verify connection is to be aborted before doing it Pauli Virtanen
2023-08-25 19:34 ` [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in hci_send_acl syzbot
2023-08-25 19:34 ` Bluetooth: hci_conn: verify connection is to be aborted before doing it bluez.test.bot
-- strict thread matches above, loose matches on Subject: below --
2023-09-30 12:53 [PATCH v2 2/2] " Pauli Virtanen
2023-09-30 13:28 ` [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in hci_send_acl syzbot
[not found] <20230827014138.3473-1-hdanton@sina.com>
2023-08-27 2:44 ` syzbot
[not found] <20230826080830.3403-1-hdanton@sina.com>
2023-08-26 9:02 ` syzbot
[not found] <20230826035531.3320-1-hdanton@sina.com>
2023-08-26 4:29 ` syzbot
[not found] <20230826011201.3252-1-hdanton@sina.com>
2023-08-26 2:35 ` syzbot
[not found] <20230825111931.3182-1-hdanton@sina.com>
2023-08-25 12:56 ` syzbot
[not found] <20230824225837.3040-1-hdanton@sina.com>
2023-08-25 1:08 ` syzbot
[not found] <20230823140836.2923-1-hdanton@sina.com>
2023-08-23 14:32 ` syzbot
[not found] <20230822112701.2655-1-hdanton@sina.com>
2023-08-22 12:15 ` syzbot
2023-08-21 16:26 syzbot
2023-08-31 18:07 ` syzbot
2024-01-14 14:37 ` syzbot