From: bugzilla-daemon@kernel.org
To: linux-bluetooth@vger.kernel.org
Subject: [Bug 217581] Bluetooth L2CAP use-after-free
Date: Thu, 29 Jun 2023 08:40:00 +0000
Message-ID: <bug-217581-62941-jpvEHC45Bf@https.bugzilla.kernel.org/>
In-Reply-To: <bug-217581-62941@https.bugzilla.kernel.org/>
https://bugzilla.kernel.org/show_bug.cgi?id=217581
--- Comment #8 from Mohamed Yassine JEBABLI (mohamed-yassine.jebabli@witbe.net) ---
(In reply to Bagas Sanjaya from comment #6)
> On 6/27/23 20:23, bugzilla-daemon@kernel.org wrote:
> > https://bugzilla.kernel.org/show_bug.cgi?id=217581
> >
> > --- Comment #5 from Mohamed Yassine JEBABLI
> > (mohamed-yassine.jebabli@witbe.net) ---
> > (In reply to Bagas Sanjaya from comment #4)
> >> (In reply to Mohamed Yassine JEBABLI from comment #0)
> >>> In reconnect slave mode, I start direct advertising. After establishing the
> >>> connection with the central device, we begin ATT exchanges over the L2CAP
> >>> socket, and then I receive a disconnect with L2CAP traces. This issue is
> >>> observed across different kernel versions such as 5.17, 6.2, 6.3, 6.3.7,
> >>> etc.
> >>>
> >>
> >> Do you have this issue on v5.15?
> >
> > Not tested on v5.15. I started with 5.17 version.
> >
>
> Again: Do you have this issue on v5.15?
Tested on kernel v5.15 with l2cap_core traces enabled.
==> The same scenario from reconnect to disconnect and I think the same bug
related to refcount which goes to NULL in the other versions > v5.15.
Jun 28 14:41:36 buildroot kernel: chan 7942e3b3 orig refcnt 1
Jun 28 14:41:36 buildroot kernel: hcon 5a56584a bdaddr 48:b0:2d:02:81:0a status 0
Jun 28 14:41:36 buildroot kernel: hcon 5a56584a conn d7202d29 hchan 981967be
Jun 28 14:41:36 buildroot kernel: chan 7942e3b3 orig refcnt 2
Jun 28 14:41:36 buildroot kernel: chan e8221202
Jun 28 14:41:36 buildroot kernel: chan e8221202 orig refcnt 1
Jun 28 14:41:36 buildroot kernel: conn d7202d29, psm 0x00, dcid 0x0004
Jun 28 14:41:36 buildroot kernel: chan e8221202 orig refcnt 2
Jun 28 14:41:36 buildroot kernel: chan e5e549e1 orig refcnt 1
Jun 28 14:41:36 buildroot kernel: chan 7942e3b3 orig refcnt 3
Jun 28 14:41:36 buildroot kernel: chan 05ee00c1
Jun 28 14:41:36 buildroot kernel: conn d7202d29, psm 0x00, dcid 0x0006
Jun 28 14:41:36 buildroot kernel: chan 05ee00c1 orig refcnt 1
Jun 28 14:41:36 buildroot kernel: chan e5e549e1 orig refcnt 2
Jun 28 14:41:36 buildroot kernel: conn d7202d29
Jun 28 14:41:36 buildroot kernel: chan 05ee00c1 len 2
Jun 28 14:41:36 buildroot kernel: chan 05ee00c1, skb 62f90460 len 6 priority 7
Jun 28 14:41:36 buildroot kernel: hci1 conn d7202d29
Jun 28 14:41:36 buildroot kernel:
Jun 28 14:41:37 buildroot kernel: hcon 5a56584a reason 19
Jun 28 14:41:37 buildroot kernel: hcon 5a56584a conn d7202d29, err 104
Jun 28 14:41:37 buildroot kernel: chan 05ee00c1 orig refcnt 2
Jun 28 14:41:37 buildroot kernel: chan 05ee00c1, conn d7202d29, err 104, state BT_CONNECTED
Jun 28 14:41:37 buildroot kernel: chan 05ee00c1 orig refcnt 3
Jun 28 14:41:37 buildroot kernel: chan 05ee00c1 orig refcnt 2
Jun 28 14:41:37 buildroot kernel: chan 05ee00c1 orig refcnt 1
Jun 28 14:41:37 buildroot kernel: chan 05ee00c1
Jun 28 14:41:37 buildroot kernel: chan e8221202 orig refcnt 3
Jun 28 14:41:37 buildroot kernel: chan e8221202, conn d7202d29, err 104, state BT_OPEN
Jun 28 14:41:37 buildroot kernel: chan e8221202 orig refcnt 4
Jun 28 14:41:37 buildroot kernel: chan e8221202 orig refcnt 3
Jun 28 14:41:37 buildroot kernel: chan e8221202 orig refcnt 2
Jun 28 14:41:37 buildroot kernel: chan 7942e3b3 orig refcnt 2
Jun 28 14:41:37 buildroot kernel: chan 7942e3b3 state BT_LISTEN
Jun 28 14:41:37 buildroot kernel: chan e8221202 orig refcnt 1
Jun 28 14:41:37 buildroot kernel: chan e8221202
Jun 28 14:41:37 buildroot kernel: chan e8221202 orig refcnt 0
Jun 28 14:41:37 buildroot kernel: ------------[ cut here ]------------
Jun 28 14:41:37 buildroot kernel: WARNING: CPU: 1 PID: 476 at lib/refcount.c:25 l2cap_sock_teardown_cb+0x13c/0x23c
Jun 28 14:41:37 buildroot kernel: refcount_t: addition on 0; use-after-free.
Jun 28 14:41:37 buildroot kernel: Modules linked in: algif_hash algif_skcipher
af_alg stm32_adc stm32_timer_trigger stm32_lptimer_trigger galcore(O)
stm32_crc32 stm32_cryp stm32_hash libdes crypto_engine stm32_adc_core stm32_cec
Jun 28 14:41:37 buildroot kernel: CPU: 1 PID: 476 Comm: HCIManager Tainted: G O 5.15.67 #2
Jun 28 14:41:37 buildroot kernel: Hardware name: STM32 (Device Tree Support)
Jun 28 14:41:37 buildroot kernel: [<c0110c54>] (unwind_backtrace) from
[<c010c61c>] (show_stack+0x10/0x14)
Jun 28 14:41:37 buildroot kernel: [<c010c61c>] (show_stack) from [<c0ca2f50>]
(dump_stack_lvl+0x40/0x4c)
Jun 28 14:41:37 buildroot kernel: [<c0ca2f50>] (dump_stack_lvl) from
[<c0120fc0>] (__warn+0xec/0x104)
Jun 28 14:41:37 buildroot kernel: [<c0120fc0>] (__warn) from [<c0c9e214>]
(warn_slowpath_fmt+0x98/0xc4)
Jun 28 14:41:37 buildroot kernel: [<c0c9e214>] (warn_slowpath_fmt) from
[<c0b67748>] (l2cap_sock_teardown_cb+0x13c/0x23c)
Jun 28 14:41:37 buildroot kernel: [<c0b67748>] (l2cap_sock_teardown_cb) from
[<c0b5f584>] (l2cap_chan_close+0x138/0x2f4)
Jun 28 14:41:37 buildroot kernel: [<c0b5f584>] (l2cap_chan_close) from
[<c0b67a60>] (l2cap_sock_shutdown+0x218/0x5ac)
Jun 28 14:41:37 buildroot kernel: [<c0b67a60>] (l2cap_sock_shutdown) from
[<c0b67e44>] (l2cap_sock_release+0x50/0xe8)
Jun 28 14:41:37 buildroot kernel: [<c0b67e44>] (l2cap_sock_release) from
[<c09b7f10>] (__sock_release+0x40/0xb8)
Jun 28 14:41:37 buildroot kernel: [<c09b7f10>] (__sock_release) from
[<c09b7f98>] (sock_close+0x10/0x18)
Jun 28 14:41:37 buildroot kernel: [<c09b7f98>] (sock_close) from [<c02a6e84>]
(__fput+0x74/0x240)
Jun 28 14:41:37 buildroot kernel: [<c02a6e84>] (__fput) from [<c0141ac0>]
(task_work_run+0x90/0xbc)
Jun 28 14:41:37 buildroot kernel: [<c0141ac0>] (task_work_run) from
[<c010c048>] (do_work_pending+0x498/0x594)
Jun 28 14:41:37 buildroot kernel: [<c010c048>] (do_work_pending) from
[<c01000c0>] (slow_work_pending+0xc/0x20)
Jun 28 14:41:37 buildroot kernel: Exception stack(0xc3fe1fb0 to 0xc3fe1ff8)
Jun 28 14:41:37 buildroot kernel: 1fa0: 00000000 00000002 00000000 00000000
Jun 28 14:41:37 buildroot kernel: 1fc0: 00000006 b4dfd8c0 00000005 00000006 b4dfd400 b4dfd470 00000000 b4dfcb7c
Jun 28 14:41:37 buildroot kernel: 1fe0: 00000006 b4dfcb58 b6b96bf9 b6b98b26 80030030 00000006
Jun 28 14:41:37 buildroot kernel: ---[ end trace b1ffe2b440acbd97 ]---
Jun 28 14:41:37 buildroot kernel: chan e8221202 state BT_OPEN
Jun 28 14:41:37 buildroot kernel: chan e8221202 orig refcnt 3221225472
Jun 28 14:41:37 buildroot kernel: ------------[ cut here ]------------
Jun 28 14:41:37 buildroot kernel: WARNING: CPU: 1 PID: 476 at lib/refcount.c:28 l2cap_sock_kill.part.0+0x28/0xc0
Jun 28 14:41:37 buildroot kernel: refcount_t: underflow; use-after-free.
Jun 28 14:41:37 buildroot kernel: Modules linked in: algif_hash algif_skcipher
af_alg stm32_adc stm32_timer_trigger stm32_lptimer_trigger galcore(O)
stm32_crc32 stm32_cryp stm32_hash libdes crypto_engine stm32_adc_core stm32_cec
Jun 28 14:41:37 buildroot kernel: CPU: 1 PID: 476 Comm: HCIManager Tainted: G W O 5.15.67 #2
Jun 28 14:41:37 buildroot kernel: Hardware name: STM32 (Device Tree Support)
Jun 28 14:41:37 buildroot kernel: [<c0110c54>] (unwind_backtrace) from
[<c010c61c>] (show_stack+0x10/0x14)
Jun 28 14:41:37 buildroot kernel: [<c010c61c>] (show_stack) from [<c0ca2f50>]
(dump_stack_lvl+0x40/0x4c)
Jun 28 14:41:37 buildroot kernel: [<c0ca2f50>] (dump_stack_lvl) from
[<c0120fc0>] (__warn+0xec/0x104)
Jun 28 14:41:37 buildroot kernel: [<c0120fc0>] (__warn) from [<c0c9e214>]
(warn_slowpath_fmt+0x98/0xc4)
Jun 28 14:41:37 buildroot kernel: [<c0c9e214>] (warn_slowpath_fmt) from
[<c0b6754c>] (l2cap_sock_kill.part.0+0x28/0xc0)
Jun 28 14:41:37 buildroot kernel: [<c0b6754c>] (l2cap_sock_kill.part.0) from
[<c0b67708>] (l2cap_sock_teardown_cb+0xfc/0x23c)
Jun 28 14:41:37 buildroot kernel: [<c0b67708>] (l2cap_sock_teardown_cb) from
[<c0b5f584>] (l2cap_chan_close+0x138/0x2f4)
Jun 28 14:41:37 buildroot kernel: [<c0b5f584>] (l2cap_chan_close) from
[<c0b67a60>] (l2cap_sock_shutdown+0x218/0x5ac)
Jun 28 14:41:37 buildroot kernel: [<c0b67a60>] (l2cap_sock_shutdown) from
[<c0b67e44>] (l2cap_sock_release+0x50/0xe8)
Jun 28 14:41:37 buildroot kernel: [<c0b67e44>] (l2cap_sock_release) from
[<c09b7f10>] (__sock_release+0x40/0xb8)
Jun 28 14:41:37 buildroot kernel: [<c09b7f10>] (__sock_release) from
[<c09b7f98>] (sock_close+0x10/0x18)
Jun 28 14:41:37 buildroot kernel: [<c09b7f98>] (sock_close) from [<c02a6e84>]
(__fput+0x74/0x240)
Jun 28 14:41:37 buildroot kernel: [<c02a6e84>] (__fput) from [<c0141ac0>]
(task_work_run+0x90/0xbc)
Jun 28 14:41:37 buildroot kernel: [<c0141ac0>] (task_work_run) from
[<c010c048>] (do_work_pending+0x498/0x594)
Jun 28 14:41:37 buildroot kernel: [<c010c048>] (do_work_pending) from
[<c01000c0>] (slow_work_pending+0xc/0x20)
Jun 28 14:41:37 buildroot kernel: Exception stack(0xc3fe1fb0 to 0xc3fe1ff8)
Jun 28 14:41:37 buildroot kernel: 1fa0: 00000000 00000002 00000000 00000000
Jun 28 14:41:37 buildroot kernel: 1fc0: 00000006 b4dfd8c0 00000005 00000006 b4dfd400 b4dfd470 00000000 b4dfcb7c
Jun 28 14:41:37 buildroot kernel: 1fe0: 00000006 b4dfcb58 b6b96bf9 b6b98b26 80030030 00000006
Jun 28 14:41:37 buildroot kernel: ---[ end trace b1ffe2b440acbd98 ]---
Jun 28 14:41:37 buildroot kernel: chan e8221202 orig refcnt 3221225472
Jun 28 14:41:37 buildroot kernel: chan 7942e3b3 orig refcnt 3
Jun 28 14:41:37 buildroot kernel: chan 7942e3b3 orig refcnt 2
Jun 28 14:41:37 buildroot kernel: chan 7942e3b3 orig refcnt 3
Jun 28 14:41:37 buildroot kernel: chan 7942e3b3 orig refcnt 2
Jun 28 14:41:37 buildroot kernel: chan 7942e3b3 orig refcnt 1
Jun 28 14:41:37 buildroot kernel: chan 7942e3b3
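As an added example (not part of the bug report or of the kernel tree), a small Python scanner for l2cap_core debug output of the kind pasted above: it flags a channel whose printed "orig refcnt" is already 0 when it is held or put again, the refcount_t warning text, and the 0xC0000000 sentinel refcount_t leaves behind, which is the 3221225472 shown for chan e8221202 after the first warning. The sample trace is constructed to mirror the report, and the finding names are assumptions of this example.

```python
import re

# Constructed sample (not copied from a live system), modelled on the l2cap_core debug
# lines in the report: "orig refcnt" is the channel's count before the hold/put that
# logged it, so a channel printed at 0 was already freed when it was touched again.
SAMPLE_TRACE = """\
chan e8221202 orig refcnt 2
chan e8221202 orig refcnt 1
chan e8221202
chan e8221202 orig refcnt 0
WARNING: CPU: 1 PID: 476 at lib/refcount.c:25 l2cap_sock_teardown_cb+0x13c/0x23c
refcount_t: addition on 0; use-after-free.
chan e8221202 state BT_OPEN
chan e8221202 orig refcnt 3221225472
chan 7942e3b3 orig refcnt 3
chan 7942e3b3 orig refcnt 2
"""

REFCNT_RE = re.compile(r"chan (?P<chan>[0-9a-f]+) orig refcnt (?P<cnt>\d+)")
WARN_RE = re.compile(r"refcount_t: (?P<what>[^;]+); use-after-free")
# REFCOUNT_SATURATED (INT_MIN / 2) as an unsigned 32-bit value: the sentinel refcount_t
# stores once it has detected a use-after-free or underflow on that counter.
REFCOUNT_SATURATED = 0xC0000000


def find_refcnt_anomalies(trace):
    """Return (chan, finding) tuples in trace order.

    'held-at-zero': hold/put on a channel whose count was already 0 (object freed);
    'saturated': the count is the REFCOUNT_SATURATED sentinel, misuse already caught;
    'warning:<msg>': refcount_t WARN text, attributed to the last channel seen."""
    findings = []
    last_chan = None
    for line in trace.splitlines():
        m = REFCNT_RE.search(line)
        if m:
            last_chan, cnt = m.group("chan"), int(m.group("cnt"))
            if cnt == 0:
                findings.append((last_chan, "held-at-zero"))
            elif cnt >= REFCOUNT_SATURATED:
                findings.append((last_chan, "saturated"))
            continue
        w = WARN_RE.search(line)
        if w:
            findings.append((last_chan, "warning:" + w.group("what")))
    return findings


if __name__ == "__main__":
    for chan, finding in find_refcnt_anomalies(SAMPLE_TRACE):
        print(f"chan {chan}: {finding}")
```

The regexes use search, so the syslog prefix ("Jun 28 14:41:37 buildroot kernel:") on real lines does not need to be stripped first.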