From: syzbot <syzbot+c12e2f941af1feb5632c@syzkaller.appspotmail.com>
To: hdanton@sina.com, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_connect (2)
Date: Sun, 08 Sep 2024 01:52:01 -0700
Message-ID: <000000000000fac115062197c099@google.com>
In-Reply-To: <20240908083246.2329-1-hdanton@sina.com>
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in hci_send_acl
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
CPU: 1 UID: 0 PID: 7269 Comm: kworker/u9:8 Not tainted 6.11.0-rc6-syzkaller-00326-gd1f2d51b711a-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Workqueue: hci2 hci_rx_work
RIP: 0010:hci_send_acl+0x35/0xd30 net/bluetooth/hci_core.c:3230
Code: 41 55 41 54 55 49 8d 6f 18 53 48 89 f3 48 83 ec 70 89 14 24 e8 1c 18 83 f7 48 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 bc 0b 00 00 49 8b 47 18 48 8d b8 e0 0f 00 00 48
RSP: 0018:ffffc9000ae676e0 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff888030adc500 RCX: ffffffff8a1303d4
RDX: 0000000000000003 RSI: ffffffff8a08b834 RDI: 0000000000000000
RBP: 0000000000000018 R08: 0000000000000001 R09: 0000000000000080
R10: 0000000000000001 R11: 0000000000000000 R12: ffff888011da0000
R13: 0000000000000002 R14: ffffc9000ae67880 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8880b8900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000080 CR3: 00000000781ba000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
l2cap_send_cmd+0x6e5/0x920 net/bluetooth/l2cap_core.c:973
l2cap_connect.constprop.0+0x6f7/0x1270 net/bluetooth/l2cap_core.c:4038
l2cap_connect_req net/bluetooth/l2cap_core.c:4084 [inline]
l2cap_bredr_sig_cmd net/bluetooth/l2cap_core.c:4776 [inline]
l2cap_sig_channel net/bluetooth/l2cap_core.c:5547 [inline]
l2cap_recv_frame+0xf0b/0x8eb0 net/bluetooth/l2cap_core.c:6829
l2cap_recv_acldata+0xd58/0xfd0 net/bluetooth/l2cap_core.c:7528
hci_acldata_packet net/bluetooth/hci_core.c:3791 [inline]
hci_rx_work+0xaab/0x1610 net/bluetooth/hci_core.c:4028
process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:hci_send_acl+0x35/0xd30 net/bluetooth/hci_core.c:3230
Code: 41 55 41 54 55 49 8d 6f 18 53 48 89 f3 48 83 ec 70 89 14 24 e8 1c 18 83 f7 48 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 bc 0b 00 00 49 8b 47 18 48 8d b8 e0 0f 00 00 48
RSP: 0018:ffffc9000ae676e0 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff888030adc500 RCX: ffffffff8a1303d4
RDX: 0000000000000003 RSI: ffffffff8a08b834 RDI: 0000000000000000
RBP: 0000000000000018 R08: 0000000000000001 R09: 0000000000000080
R10: 0000000000000001 R11: 0000000000000000 R12: ffff888011da0000
R13: 0000000000000002 R14: ffffc9000ae67880 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8880b8800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000080 CR3: 00000000781ba000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 41 55 push %r13
2: 41 54 push %r12
4: 55 push %rbp
5: 49 8d 6f 18 lea 0x18(%r15),%rbp
9: 53 push %rbx
a: 48 89 f3 mov %rsi,%rbx
d: 48 83 ec 70 sub $0x70,%rsp
11: 89 14 24 mov %edx,(%rsp)
14: e8 1c 18 83 f7 call 0xf7831835
19: 48 89 ea mov %rbp,%rdx
1c: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
23: fc ff df
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction
2e: 0f 85 bc 0b 00 00 jne 0xbf0
34: 49 8b 47 18 mov 0x18(%r15),%rax
38: 48 8d b8 e0 0f 00 00 lea 0xfe0(%rax),%rdi
3f: 48 rex.W
Tested on:
commit: d1f2d51b Merge tag 'clk-fixes-for-linus' of git://git...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13f51ffb980000
kernel config: https://syzkaller.appspot.com/x/.config?x=57042fe37c7ee7c2
dashboard link: https://syzkaller.appspot.com/bug?extid=c12e2f941af1feb5632c
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=11651ffb980000