From: syzbot <syzbot+31c2f641b850a348a734@syzkaller.appspotmail.com>
To: hdanton@sina.com, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_send_cmd
Date: Tue, 14 Jan 2025 21:53:05 -0800 [thread overview]
Message-ID: <67874d41.050a0220.20d369.0006.GAE@google.com> (raw)
In-Reply-To: <20250115052851.1857-1-hdanton@sina.com>
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in hci_send_acl
Bluetooth: Wrong link type (-22)
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
CPU: 1 UID: 0 PID: 8192 Comm: kworker/u9:7 Not tainted 6.13.0-rc7-syzkaller-g619f0b6fad52-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Workqueue: hci5 hci_rx_work
RIP: 0010:hci_send_acl+0x3e/0xd00 net/bluetooth/hci_core.c:3232
Code: 00 89 54 24 04 49 89 f5 48 89 fb 49 bf 00 00 00 00 00 fc ff df e8 a2 93 e6 f6 48 89 5c 24 18 4c 8d 73 18 4c 89 f3 48 c1 eb 03 <42> 80 3c 3b 00 74 08 4c 89 f7 e8 c3 fd 4c f7 bd f8 0f 00 00 49 03
RSP: 0018:ffffc900057e72b8 EFLAGS: 00010206
RAX: ffffffff8ab8eece RBX: 0000000000000003 RCX: ffff8880304dbc00
RDX: 0000000000000000 RSI: ffff8880578f5c80 RDI: 0000000000000000
RBP: ffffc900057e7a98 R08: ffffffff8ac38d24 R09: 0000000000000000
R10: dffffc0000000000 R11: ffffed100dbd7003 R12: ffff88802d5c0f4b
R13: ffff8880578f5c80 R14: 0000000000000018 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000c005688000 CR3: 0000000032a00000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
l2cap_sig_send_rej net/bluetooth/l2cap_core.c:5508 [inline]
l2cap_sig_channel net/bluetooth/l2cap_core.c:5544 [inline]
l2cap_recv_frame+0x221f/0x10db0 net/bluetooth/l2cap_core.c:6823
l2cap_recv_acldata+0x51f/0x1530 net/bluetooth/l2cap_core.c:7518
hci_acldata_packet net/bluetooth/hci_core.c:3797 [inline]
hci_rx_work+0x508/0xdb0 net/bluetooth/hci_core.c:4040
process_one_work kernel/workqueue.c:3236 [inline]
process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3317
worker_thread+0x870/0xd30 kernel/workqueue.c:3398
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:hci_send_acl+0x3e/0xd00 net/bluetooth/hci_core.c:3232
Code: 00 89 54 24 04 49 89 f5 48 89 fb 49 bf 00 00 00 00 00 fc ff df e8 a2 93 e6 f6 48 89 5c 24 18 4c 8d 73 18 4c 89 f3 48 c1 eb 03 <42> 80 3c 3b 00 74 08 4c 89 f7 e8 c3 fd 4c f7 bd f8 0f 00 00 49 03
RSP: 0018:ffffc900057e72b8 EFLAGS: 00010206
RAX: ffffffff8ab8eece RBX: 0000000000000003 RCX: ffff8880304dbc00
RDX: 0000000000000000 RSI: ffff8880578f5c80 RDI: 0000000000000000
RBP: ffffc900057e7a98 R08: ffffffff8ac38d24 R09: 0000000000000000
R10: dffffc0000000000 R11: ffffed100dbd7003 R12: ffff88802d5c0f4b
R13: ffff8880578f5c80 R14: 0000000000000018 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000c005688000 CR3: 000000000e736000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 00 89 54 24 04 49 add %cl,0x49042454(%rcx)
6: 89 f5 mov %esi,%ebp
8: 48 89 fb mov %rdi,%rbx
b: 49 bf 00 00 00 00 00 movabs $0xdffffc0000000000,%r15
12: fc ff df
15: e8 a2 93 e6 f6 call 0xf6e693bc
1a: 48 89 5c 24 18 mov %rbx,0x18(%rsp)
1f: 4c 8d 73 18 lea 0x18(%rbx),%r14
23: 4c 89 f3 mov %r14,%rbx
26: 48 c1 eb 03 shr $0x3,%rbx
* 2a: 42 80 3c 3b 00 cmpb $0x0,(%rbx,%r15,1) <-- trapping instruction
2f: 74 08 je 0x39
31: 4c 89 f7 mov %r14,%rdi
34: e8 c3 fd 4c f7 call 0xf74cfdfc
39: bd f8 0f 00 00 mov $0xff8,%ebp
3e: 49 rex.WB
3f: 03 .byte 0x3
Tested on:
commit: 619f0b6f Merge tag 'seccomp-v6.13-rc8' of git://git.ke..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=145ebcb0580000
kernel config: https://syzkaller.appspot.com/x/.config?x=aadf89e2f6db86cc
dashboard link: https://syzkaller.appspot.com/bug?extid=31c2f641b850a348a734
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1276bcb0580000
next prev parent reply other threads:[~2025-01-15 5:53 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-26 9:32 [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_send_cmd syzbot
2025-01-06 9:04 ` syzbot
2025-01-14 10:54 ` Hillf Danton
2025-01-14 15:16 ` syzbot
2025-01-15 5:28 ` Hillf Danton
2025-01-15 5:53 ` syzbot [this message]
2025-01-15 8:12 ` Edward Adam Davis
2025-01-15 9:11 ` syzbot
2025-01-15 9:46 ` [PATCH] Bluetooth: hci_core: sync hci rx and cmd sync work Edward Adam Davis
2025-01-15 10:31 ` bluez.test.bot
2025-01-15 16:13 ` [PATCH] " Luiz Augusto von Dentz
2025-01-16 10:42 ` Hillf Danton
2025-01-16 15:31 ` Luiz Augusto von Dentz
2025-01-16 22:44 ` Hillf Danton
2025-01-15 10:25 ` [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_send_cmd Hillf Danton
2025-01-15 11:29 ` syzbot
2025-01-14 14:09 ` syzbot
2025-01-16 16:55 ` [syzbot] Re: [PATCH v1] Bluetooth: L2CAP: Fix " syzbot
2025-01-17 15:59 ` [syzbot] Re: [PATCH v2] " syzbot
2025-01-17 17:16 ` [syzbot] Re: [PATCH v3] " syzbot
2025-01-17 20:48 ` [syzbot] Re: [PATCH v4] " syzbot
2025-01-21 18:08 ` syzbot
2025-01-22 17:04 ` syzbot
-- strict thread matches above, loose matches on Subject: below --
2025-01-16 16:54 [PATCH v1] " Luiz Augusto von Dentz
2025-01-17 1:24 ` [syzbot] [bluetooth?] KASAN: " syzbot
2025-01-17 15:59 [PATCH v2] Bluetooth: L2CAP: Fix " Luiz Augusto von Dentz
2025-01-17 16:54 ` [syzbot] [bluetooth?] KASAN: " syzbot
2025-01-17 17:16 [PATCH v3] Bluetooth: L2CAP: Fix " Luiz Augusto von Dentz
2025-01-17 17:56 ` [syzbot] [bluetooth?] KASAN: " syzbot
2025-01-17 20:48 [PATCH v4] Bluetooth: L2CAP: Fix " Luiz Augusto von Dentz
2025-01-17 21:15 ` [syzbot] [bluetooth?] KASAN: " syzbot
2025-01-21 18:08 [PATCH v4] Bluetooth: L2CAP: Fix " Luiz Augusto von Dentz
2025-01-22 3:17 ` [syzbot] [bluetooth?] KASAN: " syzbot
2025-01-22 17:04 [PATCH v4] Bluetooth: L2CAP: Fix " Luiz Augusto von Dentz
2025-01-22 17:52 ` [syzbot] [bluetooth?] KASAN: " syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=67874d41.050a0220.20d369.0006.GAE@google.com \
--to=syzbot+31c2f641b850a348a734@syzkaller.appspotmail.com \
--cc=hdanton@sina.com \
--cc=linux-kernel@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.