Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_sock_new_connection_cb

All of lore.kernel.org
 help / color / mirror / Atom feed

From: syzbot <syzbot+cdae834448ec8c3602fe@syzkaller.appspotmail.com>
To: eadavis@qq.com, linux-kernel@vger.kernel.org,
	 syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_sock_new_connection_cb
Date: Tue, 25 Nov 2025 06:54:01 -0800	[thread overview]
Message-ID: <6925c309.a70a0220.d98e3.00ac.GAE@google.com> (raw)
In-Reply-To: <tencent_9C4CA9A7E806CD12C3867FC9AFEEC86EDE06@qq.com>

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in lock_sock_nested

 </TASK>
kobject: kobject_add_internal failed for hci3:201 with -EEXIST, don't try to register things with the same name in the same directory.
Bluetooth: hci3: failed to register connection device
Oops: general protection fault, probably for non-canonical address 0xdffffc000000006b: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000358-0x000000000000035f]
CPU: 1 UID: 0 PID: 5116 Comm: kworker/u9:1 Not tainted syzkaller #0 PREEMPT_{RT,(full)} 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: hci3 hci_rx_work
RIP: 0010:kasan_byte_accessible+0x12/0x30 mm/kasan/generic.c:210
Code: 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 40 d6 48 c1 ef 03 48 b8 00 00 00 00 00 fc ff df <0f> b6 04 07 3c 08 0f 92 c0 c3 cc cc cc cc cc 66 66 66 66 66 66 2e
RSP: 0018:ffffc900106072e8 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffffffff889d1fbe RCX: 562ba08c8e500400
RDX: 0000000000000000 RSI: ffffffff889d1fbe RDI: 000000000000006b
RBP: ffffffff89ca6065 R08: 0000000000000001 R09: 0000000000000000
R10: dffffc0000000000 R11: ffffffff89ca6020 R12: 0000000000000000
R13: 0000000000000358 R14: 0000000000000358 R15: 0000000000000001
FS:  0000000000000000(0000) GS:ffff888126ef4000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555572fa15c8 CR3: 000000000d3a6000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 __kasan_check_byte+0x12/0x40 mm/kasan/common.c:579
 kasan_check_byte include/linux/kasan.h:401 [inline]
 lock_acquire+0x8d/0x360 kernel/locking/lockdep.c:5842
 lock_sock_nested+0x3e/0x130 net/core/sock.c:3720
 lock_sock include/net/sock.h:1679 [inline]
 l2cap_sock_ready_cb+0x45/0x140 net/bluetooth/l2cap_sock.c:1680
 l2cap_chan_ready net/bluetooth/l2cap_core.c:1264 [inline]
 l2cap_le_start+0xb0d/0x13b0 net/bluetooth/l2cap_core.c:1376
 l2cap_conn_ready net/bluetooth/l2cap_core.c:1629 [inline]
 l2cap_connect_cfm+0x6be/0x1040 net/bluetooth/l2cap_core.c:7305
 hci_connect_cfm+0x95/0x140 include/net/bluetooth/hci_core.h:2107
 le_conn_complete_evt+0xfb8/0x1500 net/bluetooth/hci_event.c:5799
 hci_le_conn_complete_evt+0x187/0x450 net/bluetooth/hci_event.c:5825
 hci_event_func net/bluetooth/hci_event.c:7586 [inline]
 hci_event_packet+0x78f/0x1200 net/bluetooth/hci_event.c:7643
 hci_rx_work+0x46a/0xe80 net/bluetooth/hci_core.c:4099
 process_one_work kernel/workqueue.c:3263 [inline]
 process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:kasan_byte_accessible+0x12/0x30 mm/kasan/generic.c:210
Code: 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 40 d6 48 c1 ef 03 48 b8 00 00 00 00 00 fc ff df <0f> b6 04 07 3c 08 0f 92 c0 c3 cc cc cc cc cc 66 66 66 66 66 66 2e
RSP: 0018:ffffc900106072e8 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffffffff889d1fbe RCX: 562ba08c8e500400
RDX: 0000000000000000 RSI: ffffffff889d1fbe RDI: 000000000000006b
RBP: ffffffff89ca6065 R08: 0000000000000001 R09: 0000000000000000
R10: dffffc0000000000 R11: ffffffff89ca6020 R12: 0000000000000000
R13: 0000000000000358 R14: 0000000000000358 R15: 0000000000000001
FS:  0000000000000000(0000) GS:ffff888126ef4000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555572fa15c8 CR3: 000000000d3a6000 CR4: 00000000003526f0
----------------
Code disassembly (best guess):
   0:	0f 1f 84 00 00 00 00 	nopl   0x0(%rax,%rax,1)
   7:	00
   8:	90                   	nop
   9:	90                   	nop
   a:	90                   	nop
   b:	90                   	nop
   c:	90                   	nop
   d:	90                   	nop
   e:	90                   	nop
   f:	90                   	nop
  10:	90                   	nop
  11:	90                   	nop
  12:	90                   	nop
  13:	90                   	nop
  14:	90                   	nop
  15:	90                   	nop
  16:	90                   	nop
  17:	90                   	nop
  18:	0f 1f 40 d6          	nopl   -0x2a(%rax)
  1c:	48 c1 ef 03          	shr    $0x3,%rdi
  20:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  27:	fc ff df
* 2a:	0f b6 04 07          	movzbl (%rdi,%rax,1),%eax <-- trapping instruction
  2e:	3c 08                	cmp    $0x8,%al
  30:	0f 92 c0             	setb   %al
  33:	c3                   	ret
  34:	cc                   	int3
  35:	cc                   	int3
  36:	cc                   	int3
  37:	cc                   	int3
  38:	cc                   	int3
  39:	66                   	data16
  3a:	66                   	data16
  3b:	66                   	data16
  3c:	66                   	data16
  3d:	66                   	data16
  3e:	66                   	data16
  3f:	2e                   	cs


Tested on:

commit:         ac3fd01e Linux 6.18-rc7
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10f578b4580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=38a0c4cddc846161
dashboard link: https://syzkaller.appspot.com/bug?extid=cdae834448ec8c3602fe
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=11e46e92580000

     prev parent reply	other threads:[~2025-11-25 14:54 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-10-21  8:46 [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_sock_new_connection_cb syzbot
2025-11-24  4:01 ` syzbot
2025-11-25 12:13   ` Edward Adam Davis
2025-11-25 12:50     ` syzbot
2025-11-25 13:07   ` Edward Adam Davis
2025-11-25 13:46     ` syzbot
2025-11-25 13:55   ` Edward Adam Davis
2025-11-25 14:54     ` syzbot [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=6925c309.a70a0220.d98e3.00ac.GAE@google.com \
    --to=syzbot+cdae834448ec8c3602fe@syzkaller.appspotmail.com \
    --cc=eadavis@qq.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.