From: syzbot <syzbot+a0c80b06ae2cb8895bc4@syzkaller.appspotmail.com>
To: hdanton@sina.com, linux-kernel@vger.kernel.org,
	syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in hci_send_acl
Date: Thu, 24 Aug 2023 18:08:34 -0700	[thread overview]
Message-ID: <000000000000dfaa110603b4fbda@google.com> (raw)
In-Reply-To: <20230824225837.3040-1-hdanton@sina.com>

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in l2cap_chan_del

------------[ cut here ]------------
WARNING: CPU: 0 PID: 780 at kernel/workqueue.c:1725 __queue_work+0xb52/0x1060 kernel/workqueue.c:1724
Modules linked in:
CPU: 0 PID: 780 Comm: kworker/0:2 Not tainted 6.5.0-rc6-next-20230818-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
Workqueue: events l2cap_chan_timeout
RIP: 0010:__queue_work+0xb52/0x1060 kernel/workqueue.c:1724
Code: 03 38 d0 7c 09 84 d2 74 05 e8 ea 54 87 00 8b 5b 2c 31 ff 83 e3 20 89 de e8 5b cf 31 00 85 db 0f 85 7f 01 00 00 e8 de d3 31 00 <0f> 0b e9 ca fa ff ff e8 d2 d3 31 00 0f 0b e9 76 fa ff ff e8 c6 d3
RSP: 0018:ffffc900046d7ac8 EFLAGS: 00010093
RAX: 0000000000000000 RBX: ffff888013650000 RCX: 0000000000000000
RDX: ffff88801d4d1dc0 RSI: ffffffff8155ff92 RDI: ffff888013650008
RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000200000 R11: 0000000000000000 R12: ffff88806a634270
R13: ffffffff81dd2d93 R14: ffff88806a6342b8 R15: ffffffff81dd2d93
FS:  0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f98dec6b6c0 CR3: 000000000c976000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __queue_delayed_work+0x1bf/0x260 kernel/workqueue.c:1950
 queue_delayed_work_on+0x106/0x130 kernel/workqueue.c:1986
 queue_delayed_work include/linux/workqueue.h:569 [inline]
 hci_conn_drop include/net/bluetooth/hci_core.h:1549 [inline]
 hci_conn_drop include/net/bluetooth/hci_core.h:1519 [inline]
 l2cap_chan_del+0x389/0x9b0 net/bluetooth/l2cap_core.c:659
 l2cap_chan_close+0xff/0xa20 net/bluetooth/l2cap_core.c:842
 l2cap_chan_timeout+0x17d/0x2f0 net/bluetooth/l2cap_core.c:452
 process_one_work+0x887/0x15d0 kernel/workqueue.c:2630
 process_scheduled_works kernel/workqueue.c:2703 [inline]
 worker_thread+0x8bb/0x1290 kernel/workqueue.c:2784
 kthread+0x33a/0x430 kernel/kthread.c:388
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
 </TASK>


Tested on:

commit:         7271b2a5 Add linux-next specific files for 20230818
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1333e4dfa80000
kernel config:  https://syzkaller.appspot.com/x/.config?x=1936af09cdef7dd6
dashboard link: https://syzkaller.appspot.com/bug?extid=a0c80b06ae2cb8895bc4
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1361735ba80000


Thread overview: 13+ messages
     [not found] <20230824225837.3040-1-hdanton@sina.com>
2023-08-25  1:08 ` syzbot [this message]
2023-09-30 12:53 [PATCH v2 2/2] Bluetooth: hci_conn: verify connection is to be aborted before doing it Pauli Virtanen
2023-09-30 13:28 ` [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in hci_send_acl syzbot
     [not found] <20230827014138.3473-1-hdanton@sina.com>
2023-08-27  2:44 ` syzbot
     [not found] <20230826080830.3403-1-hdanton@sina.com>
2023-08-26  9:02 ` syzbot
     [not found] <20230826035531.3320-1-hdanton@sina.com>
2023-08-26  4:29 ` syzbot
     [not found] <20230826011201.3252-1-hdanton@sina.com>
2023-08-26  2:35 ` syzbot
  -- strict thread matches above, loose matches on Subject: below --
2023-08-25 19:01 [PATCH] Bluetooth: hci_conn: verify connection is to be aborted before doing it Pauli Virtanen
2023-08-25 19:34 ` [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in hci_send_acl syzbot
     [not found] <20230825111931.3182-1-hdanton@sina.com>
2023-08-25 12:56 ` syzbot
     [not found] <20230823140836.2923-1-hdanton@sina.com>
2023-08-23 14:32 ` syzbot
     [not found] <20230822112701.2655-1-hdanton@sina.com>
2023-08-22 12:15 ` syzbot
2023-08-21 16:26 syzbot
2023-08-31 18:07 ` syzbot
2024-01-14 14:37 ` syzbot
