Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_sock_ready_cb (2)

All of lore.kernel.org
 help / color / mirror / Atom feed

From: syzbot <syzbot+9265e754091c2d27ea29@syzkaller.appspotmail.com>
To: hdanton@sina.com, linux-kernel@vger.kernel.org,
	 syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_sock_ready_cb (2)
Date: Fri, 23 Jan 2026 03:02:01 -0800	[thread overview]
Message-ID: <69735529.050a0220.1ad174.0339.GAE@google.com> (raw)
In-Reply-To: <20260123102623.2318-1-hdanton@sina.com>

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in lock_sock_nested

Oops: general protection fault, probably for non-canonical address 0xdffffc000000004c: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000260-0x0000000000000267]
CPU: 1 UID: 0 PID: 6843 Comm: kworker/1:8 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/13/2026
Workqueue: events l2cap_info_timeout
RIP: 0010:kasan_byte_accessible+0x15/0x30 mm/kasan/generic.c:210
Code: 00 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 40 d6 48 b8 00 00 00 00 00 fc ff df 48 c1 ef 03 48 01 c7 <0f> b6 07 3c 07 0f 96 c0 e9 ce 86 08 09 66 66 2e 0f 1f 84 00 00 00
RSP: 0018:ffffc90004717978 EFLAGS: 00010282
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff89422bb1 RDI: dffffc000000004c
RBP: 0000000000000260 R08: 0000000000000001 R09: 0000000000000000
R10: 00000000ffffff80 R11: 0000000000000000 R12: ffffffff89422bb1
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8881246dc000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f80dadab940 CR3: 000000007cc38000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 __kasan_check_byte+0x13/0x50 mm/kasan/common.c:573
 kasan_check_byte include/linux/kasan.h:402 [inline]
 lock_acquire kernel/locking/lockdep.c:5842 [inline]
 lock_acquire+0xf5/0x330 kernel/locking/lockdep.c:5825
 lock_sock_nested+0x41/0xf0 net/core/sock.c:3780
 lock_sock include/net/sock.h:1700 [inline]
 l2cap_sock_ready_cb+0x43/0x1a0 net/bluetooth/l2cap_sock.c:1679
 l2cap_chan_ready net/bluetooth/l2cap_core.c:1247 [inline]
 l2cap_conn_start+0x123/0xb20 net/bluetooth/l2cap_core.c:1513
 l2cap_info_timeout+0x81/0xa0 net/bluetooth/l2cap_core.c:1670
 process_one_work+0x9c2/0x1840 kernel/workqueue.c:3257
 process_scheduled_works kernel/workqueue.c:3340 [inline]
 worker_thread+0x5da/0xe40 kernel/workqueue.c:3421
 kthread+0x3b3/0x730 kernel/kthread.c:463
 ret_from_fork+0x754/0xaf0 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:kasan_byte_accessible+0x15/0x30 mm/kasan/generic.c:210
Code: 00 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 40 d6 48 b8 00 00 00 00 00 fc ff df 48 c1 ef 03 48 01 c7 <0f> b6 07 3c 07 0f 96 c0 e9 ce 86 08 09 66 66 2e 0f 1f 84 00 00 00
RSP: 0018:ffffc90004717978 EFLAGS: 00010282

RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff89422bb1 RDI: dffffc000000004c
RBP: 0000000000000260 R08: 0000000000000001 R09: 0000000000000000
R10: 00000000ffffff80 R11: 0000000000000000 R12: ffffffff89422bb1
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8881246dc000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f005ec17dac CR3: 0000000026311000 CR4: 00000000003526f0
----------------
Code disassembly (best guess):
   0:	00 00                	add    %al,(%rax)
   2:	0f 1f 00             	nopl   (%rax)
   5:	90                   	nop
   6:	90                   	nop
   7:	90                   	nop
   8:	90                   	nop
   9:	90                   	nop
   a:	90                   	nop
   b:	90                   	nop
   c:	90                   	nop
   d:	90                   	nop
   e:	90                   	nop
   f:	90                   	nop
  10:	90                   	nop
  11:	90                   	nop
  12:	90                   	nop
  13:	90                   	nop
  14:	90                   	nop
  15:	0f 1f 40 d6          	nopl   -0x2a(%rax)
  19:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  20:	fc ff df
  23:	48 c1 ef 03          	shr    $0x3,%rdi
  27:	48 01 c7             	add    %rax,%rdi
* 2a:	0f b6 07             	movzbl (%rdi),%eax <-- trapping instruction
  2d:	3c 07                	cmp    $0x7,%al
  2f:	0f 96 c0             	setbe  %al
  32:	e9 ce 86 08 09       	jmp    0x9088705
  37:	66                   	data16
  38:	66                   	data16
  39:	2e                   	cs
  3a:	0f                   	.byte 0xf
  3b:	1f                   	(bad)
  3c:	84 00                	test   %al,(%rax)


Tested on:

commit:         c072629f Merge tag 'v6.19-p4' of git://git.kernel.org/..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15b35f9a580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f1fac0919970b671
dashboard link: https://syzkaller.appspot.com/bug?extid=9265e754091c2d27ea29
compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch:          https://syzkaller.appspot.com/x/patch.diff?x=10a38452580000

next prev parent reply	other threads:[~2026-01-23 11:02 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-10-01 10:15 [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_sock_ready_cb (2) syzbot
2026-01-22 21:45 ` syzbot
2026-01-23  6:38   ` Hillf Danton
2026-01-23  6:57     ` syzbot
2026-01-23 10:26   ` Hillf Danton
2026-01-23 11:02     ` syzbot [this message]
2026-01-23 22:21   ` Hillf Danton
2026-01-23 23:44     ` syzbot
     [not found] <CAHiZj8jFpERHN8xUkMibnpjjAbROC8KN=TBfD4veJCPdWTk8jg@mail.gmail.com>
2024-10-01 13:17 ` syzbot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=69735529.050a0220.1ad174.0339.GAE@google.com \
    --to=syzbot+9265e754091c2d27ea29@syzkaller.appspotmail.com \
    --cc=hdanton@sina.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.