From: syzbot <syzbot+14b6d57fb728e27ce23c@syzkaller.appspotmail.com>
To: davem@davemloft.net, hdanton@sina.com, johan.hedberg@gmail.com,
kuba@kernel.org, linux-bluetooth@vger.kernel.org,
linux-kernel@vger.kernel.org, luiz.dentz@gmail.com,
luiz.von.dentz@intel.com, marcel@holtmann.org,
netdev@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_unregister_user
Date: Tue, 12 Aug 2025 09:31:35 -0700
Message-ID: <689b6c67.050a0220.7f033.0134.GAE@google.com>
In-Reply-To: <67251e01.050a0220.529b6.0162.GAE@google.com>
syzbot has found a reproducer for the following issue on:
HEAD commit: 8f5ae30d69d7 Linux 6.17-rc1
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=15494c34580000
kernel config: https://syzkaller.appspot.com/x/.config?x=8c5ac3d8b8abfcb
dashboard link: https://syzkaller.appspot.com/bug?extid=14b6d57fb728e27ce23c
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1428caf0580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11da19a2580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/18a2e4bd0c4a/disk-8f5ae30d.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/3b5395881b25/vmlinux-8f5ae30d.xz
kernel image: https://storage.googleapis.com/syzbot-assets/e875f4e3b7ff/Image-8f5ae30d.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/cdc3889e34d0/mount_4.gz
fsck result: OK (log: https://syzkaller.appspot.com/x/fsck.log?x=1412a842580000)
The issue was bisected to:
commit c8992cffbe7411c6da4c4416d5eecfc6b78e0fec
Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: Wed Dec 1 18:55:05 2021 +0000
Bluetooth: hci_event: Use of a function table to handle Command Complete
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=14d538c4580000
final oops: https://syzkaller.appspot.com/x/report.txt?x=16d538c4580000
console output: https://syzkaller.appspot.com/x/log.txt?x=12d538c4580000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+14b6d57fb728e27ce23c@syzkaller.appspotmail.com
Fixes: c8992cffbe74 ("Bluetooth: hci_event: Use of a function table to handle Command Complete")
==================================================================
BUG: KASAN: slab-use-after-free in __mutex_waiter_is_first kernel/locking/mutex.c:183 [inline]
BUG: KASAN: slab-use-after-free in __mutex_lock_common+0xcb4/0x24ac kernel/locking/mutex.c:678
Read of size 8 at addr ffff0000c99f80a0 by task khidpd_05c25886/6940
CPU: 0 UID: 0 PID: 6940 Comm: khidpd_05c25886 Not tainted 6.17.0-rc1-syzkaller-g8f5ae30d69d7 #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/18/2025
Call trace:
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C)
__dump_stack+0x30/0x40 lib/dump_stack.c:94
dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
print_address_description+0xa8/0x238 mm/kasan/report.c:378
print_report+0x68/0x84 mm/kasan/report.c:482
kasan_report+0xb0/0x110 mm/kasan/report.c:595
__asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381
__mutex_waiter_is_first kernel/locking/mutex.c:183 [inline]
__mutex_lock_common+0xcb4/0x24ac kernel/locking/mutex.c:678
__mutex_lock kernel/locking/mutex.c:760 [inline]
mutex_lock_nested+0x2c/0x38 kernel/locking/mutex.c:812
l2cap_unregister_user+0x74/0x190 net/bluetooth/l2cap_core.c:1728
hidp_session_thread+0x3d0/0x46c net/bluetooth/hidp/core.c:1304
kthread+0x5fc/0x75c kernel/kthread.c:463
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:844
Allocated by task 6767:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x40/0x78 mm/kasan/common.c:68
kasan_save_alloc_info+0x44/0x54 mm/kasan/generic.c:562
poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
__kasan_kmalloc+0x9c/0xb4 mm/kasan/common.c:405
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4365 [inline]
__kmalloc_noprof+0x2fc/0x4c8 mm/slub.c:4377
kmalloc_noprof include/linux/slab.h:909 [inline]
kzalloc_noprof include/linux/slab.h:1039 [inline]
hci_alloc_dev_priv+0x2c/0x1b84 net/bluetooth/hci_core.c:2448
hci_alloc_dev include/net/bluetooth/hci_core.h:1706 [inline]
__vhci_create_device drivers/bluetooth/hci_vhci.c:399 [inline]
vhci_create_device+0x108/0x6d4 drivers/bluetooth/hci_vhci.c:471
vhci_get_user drivers/bluetooth/hci_vhci.c:528 [inline]
vhci_write+0x314/0x3d4 drivers/bluetooth/hci_vhci.c:608
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x540/0xa3c fs/read_write.c:686
ksys_write+0x120/0x210 fs/read_write.c:738
__do_sys_write fs/read_write.c:749 [inline]
__se_sys_write fs/read_write.c:746 [inline]
__arm64_sys_write+0x7c/0x90 fs/read_write.c:746
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x58/0x180 arch/arm64/kernel/entry-common.c:879
el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:898
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596
Freed by task 6984:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x40/0x78 mm/kasan/common.c:68
kasan_save_free_info+0x58/0x70 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:243 [inline]
__kasan_slab_free+0x74/0x98 mm/kasan/common.c:275
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2417 [inline]
slab_free mm/slub.c:4680 [inline]
kfree+0x17c/0x474 mm/slub.c:4879
hci_release_dev+0xf48/0x1060 net/bluetooth/hci_core.c:2776
bt_host_release+0x70/0x8c net/bluetooth/hci_sysfs.c:87
device_release+0x8c/0x1ac drivers/base/core.c:-1
kobject_cleanup lib/kobject.c:689 [inline]
kobject_release lib/kobject.c:720 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x2b0/0x438 lib/kobject.c:737
put_device+0x28/0x40 drivers/base/core.c:3797
hci_free_dev+0x24/0x34 net/bluetooth/hci_core.c:2579
vhci_release+0x84/0xd0 drivers/bluetooth/hci_vhci.c:666
__fput+0x340/0x75c fs/file_table.c:468
____fput+0x20/0x58 fs/file_table.c:496
task_work_run+0x1dc/0x260 kernel/task_work.c:227
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0x524/0x1a14 kernel/exit.c:961
do_group_exit+0x194/0x22c kernel/exit.c:1102
get_signal+0x11dc/0x12f8 kernel/signal.c:3034
do_signal+0x274/0x4434 arch/arm64/kernel/signal.c:1618
do_notify_resume+0xb0/0x1f4 arch/arm64/kernel/entry-common.c:152
exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:173 [inline]
exit_to_user_mode arch/arm64/kernel/entry-common.c:182 [inline]
el0_svc+0xb8/0x180 arch/arm64/kernel/entry-common.c:880
el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:898
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596
Last potentially related work creation:
kasan_save_stack+0x40/0x6c mm/kasan/common.c:47
kasan_record_aux_stack+0xb0/0xc8 mm/kasan/generic.c:548
insert_work+0x54/0x2cc kernel/workqueue.c:2184
__queue_work+0xc88/0x1210 kernel/workqueue.c:2343
queue_work_on+0xdc/0x18c kernel/workqueue.c:2390
queue_work include/linux/workqueue.h:669 [inline]
hci_cmd_timeout+0x178/0x1c8 net/bluetooth/hci_core.c:1480
process_one_work+0x7e8/0x155c kernel/workqueue.c:3236
process_scheduled_works kernel/workqueue.c:3319 [inline]
worker_thread+0x958/0xed8 kernel/workqueue.c:3400
kthread+0x5fc/0x75c kernel/kthread.c:463
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:844
Second to last potentially related work creation:
kasan_save_stack+0x40/0x6c mm/kasan/common.c:47
kasan_record_aux_stack+0xb0/0xc8 mm/kasan/generic.c:548
insert_work+0x54/0x2cc kernel/workqueue.c:2184
__queue_work+0xdb0/0x1210 kernel/workqueue.c:2339
delayed_work_timer_fn+0x74/0x90 kernel/workqueue.c:2485
call_timer_fn+0x1b4/0x818 kernel/time/timer.c:1747
expire_timers kernel/time/timer.c:1793 [inline]
__run_timers kernel/time/timer.c:2372 [inline]
__run_timer_base+0x54c/0x76c kernel/time/timer.c:2384
run_timer_base kernel/time/timer.c:2393 [inline]
run_timer_softirq+0xcc/0x194 kernel/time/timer.c:2403
handle_softirqs+0x328/0xc88 kernel/softirq.c:579
__do_softirq+0x14/0x20 kernel/softirq.c:613
The buggy address belongs to the object at ffff0000c99f8000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 160 bytes inside of
freed 8192-byte region [ffff0000c99f8000, ffff0000c99fa000)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1099f8
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0x5ffc00000000040(head|node=0|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 05ffc00000000040 ffff0000c0002280 fffffdffc374ca00 0000000000000005
raw: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
head: 05ffc00000000040 ffff0000c0002280 fffffdffc374ca00 0000000000000005
head: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
head: 05ffc00000000003 fffffdffc3267e01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000c99f7f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff0000c99f8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff0000c99f8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff0000c99f8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff0000c99f8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.