From: syzbot <syzbot+ea704362ec2bbf4ddcca@syzkaller.appspotmail.com>
To: johan.hedberg@gmail.com, linux-bluetooth@vger.kernel.org,
	linux-kernel@vger.kernel.org, luiz.dentz@gmail.com,
	marcel@holtmann.org, syzkaller-bugs@googlegroups.com
Subject: [syzbot] [bluetooth?] KASAN: slab-use-after-free Write in mgmt_device_connected
Date: Fri, 27 Sep 2024 08:10:26 -0700
Message-ID: <66f6cae2.050a0220.46d20.001f.GAE@google.com>

Hello,

syzbot found the following issue on:

HEAD commit:    df54f4a16f82 Merge branch 'for-next/core' into for-kernelci
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=1201531f980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=dde5a5ba8d41ee9e
dashboard link: https://syzkaller.appspot.com/bug?extid=ea704362ec2bbf4ddcca
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/aa2eb06e0aea/disk-df54f4a1.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/14728733d385/vmlinux-df54f4a1.xz
kernel image: https://storage.googleapis.com/syzbot-assets/99816271407d/Image-df54f4a1.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ea704362ec2bbf4ddcca@syzkaller.appspotmail.com

Bluetooth: Wrong link type (-22)
Bluetooth: Unknown BR/EDR signaling command 0x0f
Bluetooth: Wrong link type (-22)
==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: slab-use-after-free in test_and_set_bit include/asm-generic/bitops/instrumented-atomic.h:71 [inline]
BUG: KASAN: slab-use-after-free in mgmt_device_connected+0x48/0x524 net/bluetooth/mgmt.c:9650
Write of size 8 at addr ffff0000fa89c838 by task kworker/u9:2/6409

CPU: 0 UID: 0 PID: 6409 Comm: kworker/u9:2 Not tainted 6.11.0-rc5-syzkaller-gdf54f4a16f82 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Workqueue: hci3 hci_rx_work
Call trace:
 dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:317
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:324
 __dump_stack lib/dump_stack.c:93 [inline]
 dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:119
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x198/0x538 mm/kasan/report.c:488
 kasan_report+0xd8/0x138 mm/kasan/report.c:601
 kasan_check_range+0x268/0x2a8 mm/kasan/generic.c:189
 __kasan_check_write+0x20/0x30 mm/kasan/shadow.c:37
 instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
 test_and_set_bit include/asm-generic/bitops/instrumented-atomic.h:71 [inline]
 mgmt_device_connected+0x48/0x524 net/bluetooth/mgmt.c:9650
 l2cap_connect_req net/bluetooth/l2cap_core.c:4077 [inline]
 l2cap_bredr_sig_cmd net/bluetooth/l2cap_core.c:4772 [inline]
 l2cap_sig_channel net/bluetooth/l2cap_core.c:5543 [inline]
 l2cap_recv_frame+0x1324/0xc914 net/bluetooth/l2cap_core.c:6825
 l2cap_recv_acldata+0x4ac/0x15f0 net/bluetooth/l2cap_core.c:7514
 hci_acldata_packet net/bluetooth/hci_core.c:3785 [inline]
 hci_rx_work+0x2b8/0xa80 net/bluetooth/hci_core.c:4022
 process_one_work+0x79c/0x15b8 kernel/workqueue.c:3231
 process_scheduled_works kernel/workqueue.c:3312 [inline]
 worker_thread+0x978/0xec4 kernel/workqueue.c:3389
 kthread+0x288/0x310 kernel/kthread.c:389
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860

Allocated by task 6409:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:68
 kasan_save_alloc_info+0x40/0x50 mm/kasan/generic.c:565
 poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
 __kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:387
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __kmalloc_cache_noprof+0x244/0x374 mm/slub.c:4189
 kmalloc_noprof include/linux/slab.h:681 [inline]
 kzalloc_noprof include/linux/slab.h:807 [inline]
 __hci_conn_add+0x25c/0x13cc net/bluetooth/hci_conn.c:934
 hci_conn_add_unset+0x78/0xf8 net/bluetooth/hci_conn.c:1043
 hci_conn_request_evt+0x4fc/0xb08 net/bluetooth/hci_event.c:3288
 hci_event_func net/bluetooth/hci_event.c:7446 [inline]
 hci_event_packet+0x8dc/0x106c net/bluetooth/hci_event.c:7498
 hci_rx_work+0x318/0xa80 net/bluetooth/hci_core.c:4017
 process_one_work+0x79c/0x15b8 kernel/workqueue.c:3231
 process_scheduled_works kernel/workqueue.c:3312 [inline]
 worker_thread+0x978/0xec4 kernel/workqueue.c:3389
 kthread+0x288/0x310 kernel/kthread.c:389
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860

Freed by task 6412:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:68
 kasan_save_free_info+0x54/0x6c mm/kasan/generic.c:579
 poison_slab_object+0x128/0x180 mm/kasan/common.c:240
 __kasan_slab_free+0x3c/0x70 mm/kasan/common.c:256
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2252 [inline]
 slab_free mm/slub.c:4473 [inline]
 kfree+0x154/0x3e0 mm/slub.c:4594
 bt_link_release+0x20/0x30 net/bluetooth/hci_sysfs.c:16
 device_release+0x8c/0x1ac
 kobject_cleanup lib/kobject.c:689 [inline]
 kobject_release lib/kobject.c:720 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x2a8/0x41c lib/kobject.c:737
 put_device drivers/base/core.c:3790 [inline]
 device_unregister+0x3c/0xcc drivers/base/core.c:3913
 hci_conn_del_sysfs+0xf0/0x170 net/bluetooth/hci_sysfs.c:86
 hci_conn_cleanup net/bluetooth/hci_conn.c:175 [inline]
 hci_conn_del+0x72c/0xaa0 net/bluetooth/hci_conn.c:1162
 hci_conn_failed+0x244/0x350 net/bluetooth/hci_conn.c:1266
 hci_abort_conn_sync+0x500/0xbb0 net/bluetooth/hci_sync.c:5545
 abort_conn_sync+0x224/0x25c net/bluetooth/hci_conn.c:2917
 hci_cmd_sync_work+0x1cc/0x34c net/bluetooth/hci_sync.c:328
 process_one_work+0x79c/0x15b8 kernel/workqueue.c:3231
 process_scheduled_works kernel/workqueue.c:3312 [inline]
 worker_thread+0x978/0xec4 kernel/workqueue.c:3389
 kthread+0x288/0x310 kernel/kthread.c:389
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860

Last potentially related work creation:
 kasan_save_stack+0x40/0x6c mm/kasan/common.c:47
 __kasan_record_aux_stack+0xd0/0xec mm/kasan/generic.c:541
 kasan_record_aux_stack_noalloc+0x14/0x20 mm/kasan/generic.c:551
 insert_work+0x54/0x2d4 kernel/workqueue.c:2185
 __queue_work+0xe20/0x1308 kernel/workqueue.c:2341
 delayed_work_timer_fn+0x74/0x90 kernel/workqueue.c:2487
 call_timer_fn+0x1b4/0x8e8 kernel/time/timer.c:1792
 expire_timers kernel/time/timer.c:1838 [inline]
 __run_timers kernel/time/timer.c:2417 [inline]
 __run_timer_base+0x59c/0x7b4 kernel/time/timer.c:2428
 run_timer_base kernel/time/timer.c:2437 [inline]
 run_timer_softirq+0xcc/0x194 kernel/time/timer.c:2447
 handle_softirqs+0x2e4/0xbfc kernel/softirq.c:554
 __do_softirq+0x14/0x20 kernel/softirq.c:588

The buggy address belongs to the object at ffff0000fa89c000
 which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 2104 bytes inside of
 freed 8192-byte region [ffff0000fa89c000, ffff0000fa89e000)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x13a898
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x5ffc00000000040(head|node=0|zone=2|lastcpupid=0x7ff)
page_type: 0xfdffffff(slab)
raw: 05ffc00000000040 ffff0000c0002280 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000020002 00000001fdffffff 0000000000000000
head: 05ffc00000000040 ffff0000c0002280 dead000000000122 0000000000000000
head: 0000000000000000 0000000000020002 00000001fdffffff 0000000000000000
head: 05ffc00000000003 fffffdffc3ea2601 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000fa89c700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff0000fa89c780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff0000fa89c800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                        ^
 ffff0000fa89c880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff0000fa89c900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Unable to handle kernel paging request at virtual address dfff800000000064
KASAN: null-ptr-deref in range [0x0000000000000320-0x0000000000000327]
Mem abort info:
  ESR = 0x0000000096000005
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x05: level 1 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
  CM = 0, WnR = 0, TnD = 0, TagAccess = 0
  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[dfff800000000064] address between user and kernel address ranges
Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 UID: 0 PID: 6409 Comm: kworker/u9:2 Tainted: G    B              6.11.0-rc5-syzkaller-gdf54f4a16f82 #0
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Workqueue: hci3 hci_rx_work
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : l2cap_send_cmd+0x484/0x770 net/bluetooth/l2cap_core.c:964
lr : l2cap_send_cmd+0x478/0x770 net/bluetooth/l2cap_core.c:964
sp : ffff8000ab0c71a0
x29: ffff8000ab0c71c0 x28: dfff800000000000 x27: ffff0000ccc2c90e
x26: ffff0000ccc2c90c x25: 0000000000000010 x24: 0000000000000000
x23: ffff0000ce726010 x22: ffff0000c8eec000 x21: 0000000000000322
x20: ffff0000c5fd7640 x19: ffff0000ce726000 x18: 1fffe00036799fe6
x17: ffff80008a4ba0fc x16: ffff800080a863f4 x15: 0000000000000001
x14: 1fffe00019985922 x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000100000 x10: 0000000000032ad3 x9 : ffff800093f02100
x8 : 0000000000000064 x7 : 0000000200090000 x6 : 0000000200090000
x5 : ffff0000ccc2c918 x4 : ffff8000ab0c7888 x3 : ffff80008a4ab374
x2 : 0000000000000000 x1 : 0000000000000008 x0 : 0000000000000000
Call trace:
 l2cap_send_cmd+0x484/0x770 net/bluetooth/l2cap_core.c:964
 l2cap_connect net/bluetooth/l2cap_core.c:4034 [inline]
 l2cap_connect_req net/bluetooth/l2cap_core.c:4080 [inline]
 l2cap_bredr_sig_cmd net/bluetooth/l2cap_core.c:4772 [inline]
 l2cap_sig_channel net/bluetooth/l2cap_core.c:5543 [inline]
 l2cap_recv_frame+0x25c8/0xc914 net/bluetooth/l2cap_core.c:6825
 l2cap_recv_acldata+0x4ac/0x15f0 net/bluetooth/l2cap_core.c:7514
 hci_acldata_packet net/bluetooth/hci_core.c:3785 [inline]
 hci_rx_work+0x2b8/0xa80 net/bluetooth/hci_core.c:4022
 process_one_work+0x79c/0x15b8 kernel/workqueue.c:3231
 process_scheduled_works kernel/workqueue.c:3312 [inline]
 worker_thread+0x978/0xec4 kernel/workqueue.c:3389
 kthread+0x288/0x310 kernel/kthread.c:389
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
Code: 9769fc8a f94002a8 910c8915 d343fea8 (38fc6908) 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	9769fc8a 	bl	0xfffffffffda7f228
   4:	f94002a8 	ldr	x8, [x21]
   8:	910c8915 	add	x21, x8, #0x322
   c:	d343fea8 	lsr	x8, x21, #3
* 10:	38fc6908 	ldrsb	w8, [x8, x28] <-- trapping instruction


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup
