From: syzbot <syzbot+683f8cb11b94b1824c77@syzkaller.appspotmail.com>
To: linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org,
luiz.dentz@gmail.com, marcel@holtmann.org,
netdev@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in skb_queue_purge_reason (2)
Date: Tue, 04 Feb 2025 06:48:26 -0800 [thread overview]
Message-ID: <67a228ba.050a0220.d7c5a.00b9.GAE@google.com> (raw)
In-Reply-To: <000000000000cbc8670618a25b24@google.com>
syzbot has found a reproducer for the following issue on:
HEAD commit: 40b8e93e17bf Add linux-next specific files for 20250204
git tree: linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=113d5d18580000
kernel config: https://syzkaller.appspot.com/x/.config?x=ec880188a87c6aad
dashboard link: https://syzkaller.appspot.com/bug?extid=683f8cb11b94b1824c77
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10b7eeb0580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12f74f64580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ccdfef06f59f/disk-40b8e93e.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b339eaf8dcfd/vmlinux-40b8e93e.xz
kernel image: https://storage.googleapis.com/syzbot-assets/ae1a0f1c3c80/bzImage-40b8e93e.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+683f8cb11b94b1824c77@syzkaller.appspotmail.com
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 0 UID: 0 PID: 5833 Comm: syz-executor346 Not tainted 6.14.0-rc1-next-20250204-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
RIP: 0010:skb_queue_empty_lockless include/linux/skbuff.h:1887 [inline]
RIP: 0010:skb_queue_purge_reason+0xaa/0x500 net/core/skbuff.c:3936
Code: 89 44 24 78 42 c6 44 30 13 f3 e8 81 76 05 f8 48 8d bc 24 b0 00 00 00 ba 48 00 00 00 31 f6 e8 0d f2 6b f8 4d 89 ef 49 c1 ef 03 <43> 80 3c 37 00 74 08 4c 89 ef e8 27 ef 6b f8 49 8b 45 00 4c 39 e8
RSP: 0018:ffffc90003d17880 EFLAGS: 00010202
RAX: ffffc90003d17930 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffc90003d17978
RBP: ffffc90003d179f0 R08: ffffc90003d17977 R09: 0000000000000000
R10: ffffc90003d17930 R11: fffff520007a2f2f R12: dffffc0000000000
R13: 0000000000000008 R14: dffffc0000000000 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055867393d608 CR3: 000000000e738000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
skb_queue_purge include/linux/skbuff.h:3364 [inline]
mrvl_close+0x8e/0x120 drivers/bluetooth/hci_mrvl.c:100
hci_uart_tty_close+0x205/0x290 drivers/bluetooth/hci_ldisc.c:557
tty_ldisc_kill+0xa3/0x1a0 drivers/tty/tty_ldisc.c:613
tty_ldisc_release+0x1a1/0x200 drivers/tty/tty_ldisc.c:781
tty_release_struct+0x2b/0xe0 drivers/tty/tty_io.c:1690
tty_release+0xd06/0x12c0 drivers/tty/tty_io.c:1861
__fput+0x3e9/0x9f0 fs/file_table.c:448
task_work_run+0x24f/0x310 kernel/task_work.c:227
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0xa2a/0x28e0 kernel/exit.c:938
do_group_exit+0x207/0x2c0 kernel/exit.c:1087
__do_sys_exit_group kernel/exit.c:1098 [inline]
__se_sys_exit_group kernel/exit.c:1096 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1096
x64_sys_call+0x26a8/0x26b0 arch/x86/include/generated/asm/syscalls_64.h:232
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f794f6cfc79
Code: Unable to access opcode bytes at 0x7f794f6cfc4f.
RSP: 002b:00007fff04322488 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f794f6cfc79
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
RBP: 00007f794f74a270 R08: ffffffffffffffb8 R09: 00007fff043226a8
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f794f74a270
R13: 0000000000000000 R14: 00007f794f74acc0 R15: 00007f794f6a1a60
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:skb_queue_empty_lockless include/linux/skbuff.h:1887 [inline]
RIP: 0010:skb_queue_purge_reason+0xaa/0x500 net/core/skbuff.c:3936
Code: 89 44 24 78 42 c6 44 30 13 f3 e8 81 76 05 f8 48 8d bc 24 b0 00 00 00 ba 48 00 00 00 31 f6 e8 0d f2 6b f8 4d 89 ef 49 c1 ef 03 <43> 80 3c 37 00 74 08 4c 89 ef e8 27 ef 6b f8 49 8b 45 00 4c 39 e8
RSP: 0018:ffffc90003d17880 EFLAGS: 00010202
RAX: ffffc90003d17930 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffc90003d17978
RBP: ffffc90003d179f0 R08: ffffc90003d17977 R09: 0000000000000000
R10: ffffc90003d17930 R11: fffff520007a2f2f R12: dffffc0000000000
R13: 0000000000000008 R14: dffffc0000000000 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055867393d608 CR3: 000000000e738000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 89 44 24 78 mov %eax,0x78(%rsp)
4: 42 c6 44 30 13 f3 movb $0xf3,0x13(%rax,%r14,1)
a: e8 81 76 05 f8 call 0xf8057690
f: 48 8d bc 24 b0 00 00 lea 0xb0(%rsp),%rdi
16: 00
17: ba 48 00 00 00 mov $0x48,%edx
1c: 31 f6 xor %esi,%esi
1e: e8 0d f2 6b f8 call 0xf86bf230
23: 4d 89 ef mov %r13,%r15
26: 49 c1 ef 03 shr $0x3,%r15
* 2a: 43 80 3c 37 00 cmpb $0x0,(%r15,%r14,1) <-- trapping instruction
2f: 74 08 je 0x39
31: 4c 89 ef mov %r13,%rdi
34: e8 27 ef 6b f8 call 0xf86bef60
39: 49 8b 45 00 mov 0x0(%r13),%rax
3d: 4c 39 e8 cmp %r13,%rax
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
next prev parent reply other threads:[~2025-02-04 14:48 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-17 8:44 [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in skb_queue_purge_reason (2) syzbot
2025-02-04 14:48 ` syzbot [this message]
2025-02-05 11:05 ` Hillf Danton
2025-02-05 11:31 ` syzbot
2025-02-10 11:26 ` syzbot
2025-02-11 14:16 ` [DMARC error] " Arseniy Krasnov
2025-02-11 16:22 ` Arseniy Krasnov
2025-02-11 16:51 ` Luiz Augusto von Dentz
2025-02-12 6:05 ` Arseniy Krasnov
2025-02-12 6:49 ` [syzbot] " syzbot
[not found] <0cc53c2e-a7cc-74ea-a5f0-928af997ecf7@salutedevices.com>
2025-02-12 7:14 ` syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=67a228ba.050a0220.d7c5a.00b9.GAE@google.com \
--to=syzbot+683f8cb11b94b1824c77@syzkaller.appspotmail.com \
--cc=linux-bluetooth@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luiz.dentz@gmail.com \
--cc=marcel@holtmann.org \
--cc=netdev@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.