[syzbot] [bluetooth?] KASAN: slab-use-after-free Read in sco_sock_connect

[syzbot] [bluetooth?] KASAN: slab-use-after-free Read in sco_sock_connect

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    228a1157fb9f Merge tag '6.13-rc-part1-SMB3-client-fixes' o..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=173469c0580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=2406be795e8a5f4
dashboard link: https://syzkaller.appspot.com/bug?extid=489f78df4709ac2bfdd3
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=179db6e8580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/02a2c8cad502/disk-228a1157.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ad0cba81ae3f/vmlinux-228a1157.xz
kernel image: https://storage.googleapis.com/syzbot-assets/325bd791039e/bzImage-228a1157.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+489f78df4709ac2bfdd3@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-use-after-free in __lock_acquire+0x2d90/0x3c40 kernel/locking/lockdep.c:5089
Read of size 8 at addr ffff88802e36fc20 by task syz.4.5353/17208

CPU: 0 UID: 0 PID: 17208 Comm: syz.4.5353 Not tainted 6.12.0-syzkaller-08446-g228a1157fb9f #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:488
 kasan_report+0xd9/0x110 mm/kasan/report.c:601
 __lock_acquire+0x2d90/0x3c40 kernel/locking/lockdep.c:5089
 lock_acquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5849
 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
 _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
 spin_lock include/linux/spinlock.h:351 [inline]
 sco_chan_add net/bluetooth/sco.c:292 [inline]
 sco_connect net/bluetooth/sco.c:345 [inline]
 sco_sock_connect+0x351/0xbd0 net/bluetooth/sco.c:645
 __sys_connect_file+0x13e/0x1a0 net/socket.c:2055
 __sys_connect+0x14f/0x170 net/socket.c:2074
 __do_sys_connect net/socket.c:2080 [inline]
 __se_sys_connect net/socket.c:2077 [inline]
 __x64_sys_connect+0x72/0xb0 net/socket.c:2077
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0ec497e819
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f0ec5705038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 00007f0ec4b35fa0 RCX: 00007f0ec497e819
RDX: 0000000000000008 RSI: 0000000020000040 RDI: 0000000000000004
RBP: 00007f0ec49f175e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f0ec4b35fa0 R15: 00007fffedcfae08
 </TASK>

Allocated by task 17048:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
 kmalloc_noprof include/linux/slab.h:879 [inline]
 kzalloc_noprof include/linux/slab.h:1015 [inline]
 sco_conn_add net/bluetooth/sco.c:199 [inline]
 sco_conn_add+0xc8/0x410 net/bluetooth/sco.c:184
 sco_connect net/bluetooth/sco.c:336 [inline]
 sco_sock_connect+0x325/0xbd0 net/bluetooth/sco.c:645
 __sys_connect_file+0x13e/0x1a0 net/socket.c:2055
 __sys_connect+0x14f/0x170 net/socket.c:2074
 __do_sys_connect net/socket.c:2080 [inline]
 __se_sys_connect net/socket.c:2077 [inline]
 __x64_sys_connect+0x72/0xb0 net/socket.c:2077
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 17208:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:2342 [inline]
 slab_free mm/slub.c:4579 [inline]
 kfree+0x14f/0x4b0 mm/slub.c:4727
 sco_conn_free net/bluetooth/sco.c:97 [inline]
 kref_put include/linux/kref.h:65 [inline]
 sco_conn_put+0x2cd/0x4c0 net/bluetooth/sco.c:107
 sco_conn_add+0x7b/0x410 net/bluetooth/sco.c:195
 sco_connect net/bluetooth/sco.c:336 [inline]
 sco_sock_connect+0x325/0xbd0 net/bluetooth/sco.c:645
 __sys_connect_file+0x13e/0x1a0 net/socket.c:2055
 __sys_connect+0x14f/0x170 net/socket.c:2074
 __do_sys_connect net/socket.c:2080 [inline]
 __se_sys_connect net/socket.c:2077 [inline]
 __x64_sys_connect+0x72/0xb0 net/socket.c:2077
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88802e36fc00
 which belongs to the cache kmalloc-256 of size 256
The buggy address is located 32 bytes inside of
 freed 256-byte region [ffff88802e36fc00, ffff88802e36fd00)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2e36e
head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
ksm flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801b041b40 ffffea0001f05700 dead000000000003
raw: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000
head: 00fff00000000040 ffff88801b041b40 ffffea0001f05700 dead000000000003
head: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000
head: 00fff00000000001 ffffea0000b8db81 ffffffffffffffff 0000000000000000
head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 8168075657, free_ts 0
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1556
 prep_new_page mm/page_alloc.c:1564 [inline]
 get_page_from_freelist+0xfce/0x2f80 mm/page_alloc.c:3474
 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4751
 alloc_pages_mpol_noprof+0x2c9/0x610 mm/mempolicy.c:2265
 alloc_slab_page mm/slub.c:2412 [inline]
 allocate_slab mm/slub.c:2578 [inline]
 new_slab+0x2c9/0x410 mm/slub.c:2631
 ___slab_alloc+0xdac/0x1880 mm/slub.c:3818
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3908
 __slab_alloc_node mm/slub.c:3961 [inline]
 slab_alloc_node mm/slub.c:4122 [inline]
 __do_kmalloc_node mm/slub.c:4263 [inline]
 __kmalloc_node_noprof+0x357/0x430 mm/slub.c:4270
 __kvmalloc_node_noprof+0xad/0x1a0 mm/util.c:658
 v4l2_ctrl_new+0x99a/0x2090 drivers/media/v4l2-core/v4l2-ctrls-core.c:1931
 v4l2_ctrl_new_std+0x1b3/0x280 drivers/media/v4l2-core/v4l2-ctrls-core.c:2068
 handler_new_ref+0x828/0xc60 drivers/media/v4l2-core/v4l2-ctrls-core.c:1689
 v4l2_ctrl_add_handler drivers/media/v4l2-core/v4l2-ctrls-core.c:2212 [inline]
 v4l2_ctrl_add_handler+0x22a/0x310 drivers/media/v4l2-core/v4l2-ctrls-core.c:2186
 vivid_create_controls+0x2eaf/0x3e00 drivers/media/test-drivers/vivid/vivid-ctrls.c:1993
 vivid_create_instance drivers/media/test-drivers/vivid/vivid-core.c:1931 [inline]
 vivid_probe drivers/media/test-drivers/vivid/vivid-core.c:2093 [inline]
 vivid_probe+0x47df/0xae90 drivers/media/test-drivers/vivid/vivid-core.c:2078
 platform_probe+0xff/0x1f0 drivers/base/platform.c:1404
page_owner free stack trace missing

Memory state around the buggy address:
 ffff88802e36fb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88802e36fb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88802e36fc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                               ^
 ffff88802e36fc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88802e36fd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in sco_sock_connect

[Edward Adam Davis]

add conn should not put. timeout handler miss a put when !hcon.

#syz test

diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index 1b8e468d24cf..78f7bca24487 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -143,6 +143,7 @@ static void sco_sock_timeout(struct work_struct *work)
 	sco_conn_lock(conn);
 	if (!conn->hcon) {
 		sco_conn_unlock(conn);
+		sco_conn_put(conn);
 		return;
 	}
 	sk = sco_sock_hold(conn);
@@ -192,7 +193,6 @@ static struct sco_conn *sco_conn_add(struct hci_conn *hcon)
 			conn->hcon = hcon;
 			sco_conn_unlock(conn);
 		}
-		sco_conn_put(conn);
 		return conn;
 	}
 

Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in sco_sock_connect

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+489f78df4709ac2bfdd3@syzkaller.appspotmail.com
Tested-by: syzbot+489f78df4709ac2bfdd3@syzkaller.appspotmail.com

Tested on:

commit:         9f16d5e6 Merge tag 'for-linus' of git://git.kernel.org..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=101b775f980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=7393f07275e8e571
dashboard link: https://syzkaller.appspot.com/bug?extid=489f78df4709ac2bfdd3
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=119edee8580000

Note: testing is done by a robot and is best-effort only.

[PATCH] Bluetooth: SCO: remove the redundant sco_conn_put

[Edward Adam Davis]

When adding conn, it is necessary to increase and retain the conn reference
count at the same time.

Another problem was fixed along the way, conn_put is missing when hcon is NULL
in the timeout routine.

Fixes: e6720779ae61 ("Bluetooth: SCO: Use kref to track lifetime of sco_conn")
Reported-and-tested-by: syzbot+489f78df4709ac2bfdd3@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=489f78df4709ac2bfdd3
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
 net/bluetooth/sco.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index 1b8e468d24cf..78f7bca24487 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -143,6 +143,7 @@ static void sco_sock_timeout(struct work_struct *work)
 	sco_conn_lock(conn);
 	if (!conn->hcon) {
 		sco_conn_unlock(conn);
+		sco_conn_put(conn);
 		return;
 	}
 	sk = sco_sock_hold(conn);
@@ -192,7 +193,6 @@ static struct sco_conn *sco_conn_add(struct hci_conn *hcon)
 			conn->hcon = hcon;
 			sco_conn_unlock(conn);
 		}
-		sco_conn_put(conn);
 		return conn;
 	}
 
-- 
2.43.0

RE: Bluetooth: SCO: remove the redundant sco_conn_put

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 2402 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=912374

---Test result---

Test Summary:
CheckPatch                    PENDING   0.31 seconds
GitLint                       PENDING   0.16 seconds
SubjectPrefix                 PASS      0.11 seconds
BuildKernel                   PASS      24.63 seconds
CheckAllWarning               PASS      27.21 seconds
CheckSparse                   WARNING   30.61 seconds
BuildKernel32                 PASS      24.95 seconds
TestRunnerSetup               PASS      437.91 seconds
TestRunner_l2cap-tester       PASS      20.52 seconds
TestRunner_iso-tester         FAIL      26.26 seconds
TestRunner_bnep-tester        PASS      4.87 seconds
TestRunner_mgmt-tester        FAIL      120.55 seconds
TestRunner_rfcomm-tester      PASS      7.66 seconds
TestRunner_sco-tester         PASS      9.54 seconds
TestRunner_ioctl-tester       PASS      8.25 seconds
TestRunner_mesh-tester        PASS      6.12 seconds
TestRunner_smp-tester         PASS      7.15 seconds
TestRunner_userchan-tester    PASS      5.14 seconds
IncrementalBuild              PENDING   0.58 seconds

Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:

##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:

##############################
Test: CheckSparse - WARNING
Desc: Run sparse tool with linux kernel
Output:
net/bluetooth/sco.c: note: in included file:./include/net/bluetooth/hci_core.h:147:35: warning: array of flexible structures
##############################
Test: TestRunner_iso-tester - FAIL
Desc: Run iso-tester with test-runner
Output:
WARNING: possible circular locking dependency detected
Total: 124, Passed: 120 (96.8%), Failed: 0, Not Run: 4
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 492, Passed: 487 (99.0%), Failed: 1, Not Run: 4

Failed Test Cases
LL Privacy - Start Discovery 2 (Disable RL)          Failed       0.174 seconds
##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:



---
Regards,
Linux Bluetooth

Re: [PATCH] Bluetooth: SCO: remove the redundant sco_conn_put

[patchwork-bot+bluetooth]

Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Tue, 26 Nov 2024 07:58:43 +0800 you wrote:
> When adding conn, it is necessary to increase and retain the conn reference
> count at the same time.
> 
> Another problem was fixed along the way, conn_put is missing when hcon is NULL
> in the timeout routine.
> 
> Fixes: e6720779ae61 ("Bluetooth: SCO: Use kref to track lifetime of sco_conn")
> Reported-and-tested-by: syzbot+489f78df4709ac2bfdd3@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=489f78df4709ac2bfdd3
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> 
> [...]

Here is the summary with links:
  - Bluetooth: SCO: remove the redundant sco_conn_put
    https://git.kernel.org/bluetooth/bluetooth-next/c/ad0d88dc33bb

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html