From: bugzilla-daemon@bugzilla.kernel.org
To: linux-bluetooth@vger.kernel.org
Subject: [Bug 215245] New: KASAN: slab-out-of-bounds in hci_event_packet+0x2d8c/0x4e90 [bluetooth]
Date: Tue, 07 Dec 2021 01:27:35 +0000
Message-ID: <bug-215245-62941@https.bugzilla.kernel.org/>

https://bugzilla.kernel.org/show_bug.cgi?id=215245

            Bug ID: 215245
           Summary: KASAN: slab-out-of-bounds in
                    hci_event_packet+0x2d8c/0x4e90 [bluetooth]
           Product: Drivers
           Version: 2.5
    Kernel Version: 4.19
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: high
          Priority: P1
         Component: Bluetooth
          Assignee: linux-bluetooth@vger.kernel.org
          Reporter: gouhao@uniontech.com
        Regression: No

Unknown ioctl -1072131215
Unknown ioctl -1073191904
Unknown ioctl 35123
Bluetooth: hci0: hardware error 0xff
==================================================================
BUG: KASAN: slab-out-of-bounds in hci_event_packet+0x2d8c/0x4e90 [bluetooth]
Read of size 3 at addr ffff88817262a77f by task kworker/u17:1/222831
CPU: 1 PID: 222831 Comm: kworker/u17:1 Not tainted 4.19.90-2108.8.0.0106.up5.uel20.x86_64 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
Workqueue: hci0 hci_rx_work [bluetooth]
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xab/0xee lib/dump_stack.c:118
 print_address_description+0x65/0x270 mm/kasan/report.c:253
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report+0x146/0x290 mm/kasan/report.c:409
 hci_event_packet+0x2d8c/0x4e90 [bluetooth]
 hci_rx_work+0x288/0x510 [bluetooth]
 process_one_work+0x4ca/0x870 kernel/workqueue.c:2148
 worker_thread+0x6e/0x790 kernel/workqueue.c:2303
 kthread+0x1dd/0x200 kernel/kthread.c:275
 ret_from_fork+0x1f/0x40 arch/x86/entry/entry_64.S:415
Allocated by task 222894:
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xa0/0xd0 mm/kasan/kasan.c:553
 slab_post_alloc_hook mm/slab.h:441 [inline]
 slab_alloc_node mm/slub.c:2740 [inline]
 __kmalloc_node_track_caller+0xcb/0x1a0 mm/slub.c:4364
 __kmalloc_reserve.isra.50+0x37/0xa0 net/core/skbuff.c:137
 __alloc_skb+0xd1/0x320 net/core/skbuff.c:205
 vhci_write+0x70/0x265 [hci_vhci]
 call_write_iter include/linux/fs.h:1886 [inline]
 new_sync_write fs/read_write.c:474 [inline]
 __vfs_write+0x2f4/0x430 fs/read_write.c:487
 vfs_write+0x10a/0x290 fs/read_write.c:549
 ksys_write+0xb4/0x190 fs/read_write.c:599
 do_syscall_64+0x96/0x410 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
Freed by task 221695:
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x130/0x180 mm/kasan/kasan.c:521
 slab_free_hook mm/slub.c:1389 [inline]
 slab_free_freelist_hook mm/slub.c:1416 [inline]
 slab_free mm/slub.c:2989 [inline]
 kfree+0x7d/0x140 mm/slub.c:3950
 drm_release+0xf3/0x140 [drm]
 __fput+0x198/0x3f0 fs/file_table.c:278
 task_work_run+0xc0/0x100 kernel/task_work.c:135
 tracehook_notify_resume include/linux/tracehook.h:193 [inline]
 exit_to_usermode_loop+0x121/0x130 arch/x86/entry/common.c:167
 prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
 do_syscall_64+0x359/0x410 arch/x86/entry/common.c:303
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
The buggy address belongs to the object at ffff88817262a580
The buggy address is located 511 bytes inside of
The buggy address belongs to the page:
page:ffffea0005c98a00 count:1 mapcount:0 mapping:ffff888107c0ec00 index:0x0
compound_mapcount: 0
flags: 0x17ffffc0008100(slab|head)
raw: 0017ffffc0008100 ffffea000494cc00 0000000800000008 ffff888107c0ec00
raw: 0000000000000000 0000000080190019 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
 ffff88817262a680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88817262a700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88817262a780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
 ffff88817262a800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88817262a880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
Unknown ioctl -1072667619
Bluetooth: hci0: wrong event for mode 0
Unknown ioctl 19314
Unknown ioctl -1070571007
Unknown ioctl 1074304026
Unknown ioctl 19314

-- 
You may reply to this email to add a comment.

You are receiving this mail because:
You are the assignee for the bug.
