* [syzbot] [bluetooth?] KASAN: slab-use-after-free Write in sco_sock_timeout
@ 2023-11-16 11:20 syzbot
0 siblings, 0 replies; 17+ messages in thread
From: syzbot @ 2023-11-16 11:20 UTC (permalink / raw)
To: johan.hedberg, linux-bluetooth, linux-kernel, luiz.dentz, marcel,
syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 8de1e7afcc1c Merge branch 'for-next/core' into for-kernelci
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=1126f190e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=3e6feaeda5dcbc27
dashboard link: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=122a2560e80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=136e08df680000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/0f00907f9764/disk-8de1e7af.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/0502fe78c60d/vmlinux-8de1e7af.xz
kernel image: https://storage.googleapis.com/syzbot-assets/192135168cc0/Image-8de1e7af.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+4c0d0c4cde787116d465@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: slab-use-after-free in atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
BUG: KASAN: slab-use-after-free in __refcount_add include/linux/refcount.h:193 [inline]
BUG: KASAN: slab-use-after-free in __refcount_inc include/linux/refcount.h:250 [inline]
BUG: KASAN: slab-use-after-free in refcount_inc include/linux/refcount.h:267 [inline]
BUG: KASAN: slab-use-after-free in sock_hold include/net/sock.h:777 [inline]
BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x64/0x25c net/bluetooth/sco.c:88
Write of size 4 at addr ffff0000dba59080 by task kworker/0:1/10
CPU: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.6.0-rc7-syzkaller-g8de1e7afcc1c #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
Workqueue: events sco_sock_timeout
Call trace:
dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:233
show_stack+0x2c/0x44 arch/arm64/kernel/stacktrace.c:240
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0x174/0x514 mm/kasan/report.c:475
kasan_report+0xd8/0x138 mm/kasan/report.c:588
kasan_check_range+0x254/0x294 mm/kasan/generic.c:187
__kasan_check_write+0x20/0x30 mm/kasan/shadow.c:37
instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
__refcount_add include/linux/refcount.h:193 [inline]
__refcount_inc include/linux/refcount.h:250 [inline]
refcount_inc include/linux/refcount.h:267 [inline]
sock_hold include/net/sock.h:777 [inline]
sco_sock_timeout+0x64/0x25c net/bluetooth/sco.c:88
process_one_work+0x694/0x1204 kernel/workqueue.c:2630
process_scheduled_works kernel/workqueue.c:2703 [inline]
worker_thread+0x938/0xef4 kernel/workqueue.c:2784
kthread+0x288/0x310 kernel/kthread.c:388
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:857
Allocated by task 6180:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4c/0x7c mm/kasan/common.c:52
kasan_save_alloc_info+0x24/0x30 mm/kasan/generic.c:511
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:383
kasan_kmalloc include/linux/kasan.h:198 [inline]
__do_kmalloc_node mm/slab_common.c:1026 [inline]
__kmalloc+0xcc/0x1b8 mm/slab_common.c:1039
kmalloc include/linux/slab.h:603 [inline]
sk_prot_alloc+0xc4/0x1f0 net/core/sock.c:2090
sk_alloc+0x44/0x3f4 net/core/sock.c:2143
bt_sock_alloc+0x4c/0x32c net/bluetooth/af_bluetooth.c:148
sco_sock_alloc net/bluetooth/sco.c:495 [inline]
sco_sock_create+0xbc/0x31c net/bluetooth/sco.c:526
bt_sock_create+0x14c/0x248 net/bluetooth/af_bluetooth.c:132
__sock_create+0x43c/0x884 net/socket.c:1569
sock_create net/socket.c:1620 [inline]
__sys_socket_create net/socket.c:1657 [inline]
__sys_socket+0x134/0x340 net/socket.c:1708
__do_sys_socket net/socket.c:1722 [inline]
__se_sys_socket net/socket.c:1720 [inline]
__arm64_sys_socket+0x7c/0x94 net/socket.c:1720
__invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155
el0_svc+0x54/0x158 arch/arm64/kernel/entry-common.c:678
el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595
Freed by task 6179:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4c/0x7c mm/kasan/common.c:52
kasan_save_free_info+0x38/0x5c mm/kasan/generic.c:522
____kasan_slab_free+0x144/0x1c0 mm/kasan/common.c:236
__kasan_slab_free+0x18/0x28 mm/kasan/common.c:244
kasan_slab_free include/linux/kasan.h:164 [inline]
slab_free_hook mm/slub.c:1800 [inline]
slab_free_freelist_hook mm/slub.c:1826 [inline]
slab_free mm/slub.c:3809 [inline]
__kmem_cache_free+0x2ac/0x480 mm/slub.c:3822
kfree+0xb8/0x19c mm/slab_common.c:1075
sk_prot_free net/core/sock.c:2126 [inline]
__sk_destruct+0x4c0/0x770 net/core/sock.c:2218
sk_destruct net/core/sock.c:2233 [inline]
__sk_free+0x37c/0x4e8 net/core/sock.c:2244
sk_free+0x60/0xc8 net/core/sock.c:2255
sock_put include/net/sock.h:1989 [inline]
sco_sock_kill+0xfc/0x1b4 net/bluetooth/sco.c:426
sco_sock_release+0x1fc/0x2c0 net/bluetooth/sco.c:1256
__sock_release net/socket.c:659 [inline]
sock_close+0xa4/0x1e8 net/socket.c:1419
__fput+0x324/0x7f8 fs/file_table.c:384
__fput_sync+0x60/0x9c fs/file_table.c:465
__do_sys_close fs/open.c:1572 [inline]
__se_sys_close fs/open.c:1557 [inline]
__arm64_sys_close+0x150/0x1e0 fs/open.c:1557
__invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155
el0_svc+0x54/0x158 arch/arm64/kernel/entry-common.c:678
el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595
The buggy address belongs to the object at ffff0000dba59000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 128 bytes inside of
freed 2048-byte region [ffff0000dba59000, ffff0000dba59800)
The buggy address belongs to the physical page:
page:00000000f24a79df refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11ba58
head:00000000f24a79df order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x5ffc00000000840(slab|head|node=0|zone=2|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 05ffc00000000840 ffff0000c0002000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000dba58f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff0000dba59000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff0000dba59080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff0000dba59100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff0000dba59180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 0 PID: 10 at lib/refcount.c:25 refcount_warn_saturate+0x1a8/0x20c lib/refcount.c:25
Modules linked in:
CPU: 0 PID: 10 Comm: kworker/0:1 Tainted: G B 6.6.0-rc7-syzkaller-g8de1e7afcc1c #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
Workqueue: events sco_sock_timeout
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : refcount_warn_saturate+0x1a8/0x20c lib/refcount.c:25
lr : refcount_warn_saturate+0x1a8/0x20c lib/refcount.c:25
sp : ffff800092d57af0
x29: ffff800092d57af0 x28: 1fffe0001a9b5a4a x27: dfff800000000000
x26: ffff0000c1084008 x25: ffff0000d4dad250 x24: ffff0001b418b500
x23: dfff800000000000 x22: 0000000000000000 x21: 0000000000000002
x20: ffff0000dba59080 x19: ffff8000910a2000 x18: ffff800092d57800
x17: 0000000000000000 x16: ffff80008a71b23c x15: 0000000000000001
x14: 1ffff000125aaeb0 x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000000001 x10: 0000000000000000 x9 : c0b0806111008b00
x8 : c0b0806111008b00 x7 : 0000000000000001 x6 : 0000000000000001
x5 : ffff800092d573d8 x4 : ffff80008e4210a0 x3 : ffff800082b180c4
x2 : 0000000000000001 x1 : 0000000000000001 x0 : 0000000000000000
Call trace:
refcount_warn_saturate+0x1a8/0x20c lib/refcount.c:25
__refcount_inc include/linux/refcount.h:250 [inline]
refcount_inc include/linux/refcount.h:267 [inline]
sock_hold include/net/sock.h:777 [inline]
sco_sock_timeout+0x19c/0x25c net/bluetooth/sco.c:88
process_one_work+0x694/0x1204 kernel/workqueue.c:2630
process_scheduled_works kernel/workqueue.c:2703 [inline]
worker_thread+0x938/0xef4 kernel/workqueue.c:2784
kthread+0x288/0x310 kernel/kthread.c:388
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:857
irq event stamp: 29659
hardirqs last enabled at (29659): [<ffff80008a719090>] __exit_to_kernel_mode arch/arm64/kernel/entry-common.c:84 [inline]
hardirqs last enabled at (29659): [<ffff80008a719090>] exit_to_kernel_mode+0xdc/0x10c arch/arm64/kernel/entry-common.c:94
hardirqs last disabled at (29658): [<ffff800080021724>] __do_softirq+0x950/0xd54 kernel/softirq.c:569
softirqs last enabled at (19646): [<ffff800080021894>] softirq_handle_end kernel/softirq.c:399 [inline]
softirqs last enabled at (19646): [<ffff800080021894>] __do_softirq+0xac0/0xd54 kernel/softirq.c:582
softirqs last disabled at (19597): [<ffff80008002aadc>] ____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:80
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 0 PID: 10 at lib/refcount.c:28 refcount_warn_saturate+0x1c8/0x20c lib/refcount.c:28
Modules linked in:
CPU: 0 PID: 10 Comm: kworker/0:1 Tainted: G B W 6.6.0-rc7-syzkaller-g8de1e7afcc1c #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
Workqueue: events sco_sock_timeout
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : refcount_warn_saturate+0x1c8/0x20c lib/refcount.c:28
lr : refcount_warn_saturate+0x1c8/0x20c lib/refcount.c:28
sp : ffff800092d57af0
x29: ffff800092d57af0 x28: 1fffe0001a9b5a4a x27: dfff800000000000
x26: ffff0000c1084008 x25: ffff0000d4dad250 x24: ffff0001b418b500
x23: dfff800000000000 x22: 0000000000000000 x21: 0000000000000003
x20: ffff0000dba59080 x19: ffff8000910a2000 x18: ffff800092d57800
x17: 0000000000000000 x16: ffff80008a71b23c x15: 0000000000000001
x14: 1fffe0003682f032 x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000000000 x10: 0000000000000000 x9 : c0b0806111008b00
x8 : c0b0806111008b00 x7 : 0000000000000001 x6 : 0000000000000001
x5 : ffff800092d573d8 x4 : ffff80008e4210a0 x3 : ffff8000805a359c
x2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000000
Call trace:
refcount_warn_saturate+0x1c8/0x20c lib/refcount.c:28
__refcount_sub_and_test include/linux/refcount.h:283 [inline]
__refcount_dec_and_test include/linux/refcount.h:315 [inline]
refcount_dec_and_test include/linux/refcount.h:333 [inline]
sock_put include/net/sock.h:1988 [inline]
sco_sock_timeout+0x1b0/0x25c net/bluetooth/sco.c:100
process_one_work+0x694/0x1204 kernel/workqueue.c:2630
process_scheduled_works kernel/workqueue.c:2703 [inline]
worker_thread+0x938/0xef4 kernel/workqueue.c:2784
kthread+0x288/0x310 kernel/kthread.c:388
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:857
irq event stamp: 29659
hardirqs last enabled at (29659): [<ffff80008a719090>] __exit_to_kernel_mode arch/arm64/kernel/entry-common.c:84 [inline]
hardirqs last enabled at (29659): [<ffff80008a719090>] exit_to_kernel_mode+0xdc/0x10c arch/arm64/kernel/entry-common.c:94
hardirqs last disabled at (29658): [<ffff800080021724>] __do_softirq+0x950/0xd54 kernel/softirq.c:569
softirqs last enabled at (19646): [<ffff800080021894>] softirq_handle_end kernel/softirq.c:399 [inline]
softirqs last enabled at (19646): [<ffff800080021894>] __do_softirq+0xac0/0xd54 kernel/softirq.c:582
softirqs last disabled at (19597): [<ffff80008002aadc>] ____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:80
---[ end trace 0000000000000000 ]---
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
^ permalink raw reply [flat|nested] 17+ messages in thread[parent not found: <000000000000797bd1060a457c08@google.com>]
* Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Write in sco_sock_timeout
[not found] <000000000000797bd1060a457c08@google.com>
@ 2023-12-06 3:58 ` syzbot
0 siblings, 0 replies; 17+ messages in thread
From: syzbot @ 2023-12-06 3:58 UTC (permalink / raw)
To: davem, eadavis, edumazet, hdanton, johan.hedberg, kuba,
linux-bluetooth, linux-kernel, lizhi.xu, luiz.dentz,
luiz.von.dentz, marcel, netdev, pabeni, syzkaller-bugs,
yuran.pereira
syzbot has bisected this issue to:
commit 9a8ec9e8ebb5a7c0cfbce2d6b4a6b67b2b78e8f3
Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: Thu Mar 30 21:15:50 2023 +0000
Bluetooth: SCO: Fix possible circular locking dependency on sco_connect_cfm
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=179a65d2e80000
start commit: bee0e7762ad2 Merge tag 'for-linus-iommufd' of git://git.ke..
git tree: upstream
final oops: https://syzkaller.appspot.com/x/report.txt?x=145a65d2e80000
console output: https://syzkaller.appspot.com/x/log.txt?x=105a65d2e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=b50bd31249191be8
dashboard link: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1504504ae80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14685f54e80000
Reported-by: syzbot+4c0d0c4cde787116d465@syzkaller.appspotmail.com
Fixes: 9a8ec9e8ebb5 ("Bluetooth: SCO: Fix possible circular locking dependency on sco_connect_cfm")
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH v1] Bluetooth: SCO: Use disable_delayed_work_sync
@ 2024-10-01 19:49 Luiz Augusto von Dentz
2024-10-01 20:13 ` [syzbot] [bluetooth?] KASAN: slab-use-after-free Write in sco_sock_timeout syzbot
0 siblings, 1 reply; 17+ messages in thread
From: Luiz Augusto von Dentz @ 2024-10-01 19:49 UTC (permalink / raw)
To: linux-bluetooth; +Cc: syzbot+4c0d0c4cde787116d465
[-- Attachment #1: Type: text/plain, Size: 1260 bytes --]
#syz test
On Tue, Oct 1, 2024 at 3:48 PM Luiz Augusto von Dentz
<luiz.dentz@gmail.com> wrote:
>
> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
>
> This makes use of disable_delayed_work_sync instead
> cancel_delayed_work_sync as it not only cancel the ongoing work but also
> disables new submit which is disarable since the object holding the work
> is about to be freed.
>
> Reported-by: syzbot+4c0d0c4cde787116d465@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> ---
> net/bluetooth/sco.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
> index a5ac160c592e..f0604d7834df 100644
> --- a/net/bluetooth/sco.c
> +++ b/net/bluetooth/sco.c
> @@ -208,7 +208,7 @@ static void sco_conn_del(struct hci_conn *hcon, int err)
> }
>
> /* Ensure no more work items will run before freeing conn. */
> - cancel_delayed_work_sync(&conn->timeout_work);
> + disable_delayed_work_sync(&conn->timeout_work);
>
> hcon->sco_data = NULL;
> kfree(conn);
> --
> 2.46.1
>
--
Luiz Augusto von Dentz
[-- Attachment #2: v1-0001-Bluetooth-SCO-Use-disable_delayed_work_sync.patch --]
[-- Type: text/x-patch, Size: 1180 bytes --]
From a41875885eb7fee3d65479a71e85676699afb820 Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: Tue, 1 Oct 2024 15:46:10 -0400
Subject: [PATCH v1] Bluetooth: SCO: Use disable_delayed_work_sync
This makes use of disable_delayed_work_sync instead
cancel_delayed_work_sync as it not only cancel the ongoing work but also
disables new submit which is disarable since the object holding the work
is about to be freed.
Reported-by: syzbot+4c0d0c4cde787116d465@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
net/bluetooth/sco.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index a5ac160c592e..f0604d7834df 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -208,7 +208,7 @@ static void sco_conn_del(struct hci_conn *hcon, int err)
}
/* Ensure no more work items will run before freeing conn. */
- cancel_delayed_work_sync(&conn->timeout_work);
+ disable_delayed_work_sync(&conn->timeout_work);
hcon->sco_data = NULL;
kfree(conn);
--
2.46.1
^ permalink raw reply related [flat|nested] 17+ messages in thread
* Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Write in sco_sock_timeout
2024-10-01 19:49 [PATCH v1] Bluetooth: SCO: Use disable_delayed_work_sync Luiz Augusto von Dentz
@ 2024-10-01 20:13 ` syzbot
0 siblings, 0 replies; 17+ messages in thread
From: syzbot @ 2024-10-01 20:13 UTC (permalink / raw)
To: linux-bluetooth, linux-kernel, luiz.dentz, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Write in sco_sock_timeout
==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: slab-use-after-free in atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
BUG: KASAN: slab-use-after-free in __refcount_add include/linux/refcount.h:184 [inline]
BUG: KASAN: slab-use-after-free in __refcount_inc include/linux/refcount.h:241 [inline]
BUG: KASAN: slab-use-after-free in refcount_inc include/linux/refcount.h:258 [inline]
BUG: KASAN: slab-use-after-free in sock_hold include/net/sock.h:781 [inline]
BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x8b/0x270 net/bluetooth/sco.c:92
Write of size 4 at addr ffff888022136080 by task kworker/1:0/25
CPU: 1 UID: 0 PID: 25 Comm: kworker/1:0 Not tainted 6.12.0-rc1-syzkaller-ge32cde8d2bd7-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: events sco_sock_timeout
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
__refcount_add include/linux/refcount.h:184 [inline]
__refcount_inc include/linux/refcount.h:241 [inline]
refcount_inc include/linux/refcount.h:258 [inline]
sock_hold include/net/sock.h:781 [inline]
sco_sock_timeout+0x8b/0x270 net/bluetooth/sco.c:92
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f2/0x390 kernel/kthread.c:389
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Allocated by task 4550:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:257 [inline]
__do_kmalloc_node mm/slub.c:4265 [inline]
__kmalloc_noprof+0x1fc/0x400 mm/slub.c:4277
kmalloc_noprof include/linux/slab.h:882 [inline]
tomoyo_realpath_from_path+0xcf/0x5e0 security/tomoyo/realpath.c:251
tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
tomoyo_check_open_permission+0x255/0x500 security/tomoyo/file.c:771
security_file_open+0x777/0x990 security/security.c:3107
do_dentry_open+0x369/0x1460 fs/open.c:945
vfs_open+0x3e/0x330 fs/open.c:1088
do_open fs/namei.c:3774 [inline]
path_openat+0x2c84/0x3590 fs/namei.c:3933
do_filp_open+0x235/0x490 fs/namei.c:3960
do_sys_openat2+0x13e/0x1d0 fs/open.c:1415
do_sys_open fs/open.c:1430 [inline]
__do_sys_openat fs/open.c:1446 [inline]
__se_sys_openat fs/open.c:1441 [inline]
__x64_sys_openat+0x247/0x2a0 fs/open.c:1441
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 4550:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:2343 [inline]
slab_free mm/slub.c:4580 [inline]
kfree+0x1a0/0x440 mm/slub.c:4728
tomoyo_realpath_from_path+0x5a9/0x5e0 security/tomoyo/realpath.c:286
tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
tomoyo_check_open_permission+0x255/0x500 security/tomoyo/file.c:771
security_file_open+0x777/0x990 security/security.c:3107
do_dentry_open+0x369/0x1460 fs/open.c:945
vfs_open+0x3e/0x330 fs/open.c:1088
do_open fs/namei.c:3774 [inline]
path_openat+0x2c84/0x3590 fs/namei.c:3933
do_filp_open+0x235/0x490 fs/namei.c:3960
do_sys_openat2+0x13e/0x1d0 fs/open.c:1415
do_sys_open fs/open.c:1430 [inline]
__do_sys_openat fs/open.c:1446 [inline]
__se_sys_openat fs/open.c:1441 [inline]
__x64_sys_openat+0x247/0x2a0 fs/open.c:1441
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff888022136000
which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 128 bytes inside of
freed 4096-byte region [ffff888022136000, ffff888022137000)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x22130
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff888015442140 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000040004 00000001f5000000 0000000000000000
head: 00fff00000000040 ffff888015442140 dead000000000122 0000000000000000
head: 0000000000000000 0000000000040004 00000001f5000000 0000000000000000
head: 00fff00000000003 ffffea0000884c01 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4550, tgid 4550 (udevd), ts 121918980453, free_ts 121043303487
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0x3045/0x3190 mm/page_alloc.c:3457
__alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4733
alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
alloc_slab_page+0x6a/0x120 mm/slub.c:2413
allocate_slab+0x5a/0x2f0 mm/slub.c:2579
new_slab mm/slub.c:2632 [inline]
___slab_alloc+0xcd1/0x14b0 mm/slub.c:3819
__slab_alloc+0x58/0xa0 mm/slub.c:3909
__slab_alloc_node mm/slub.c:3962 [inline]
slab_alloc_node mm/slub.c:4123 [inline]
__kmalloc_cache_noprof+0x1d5/0x2c0 mm/slub.c:4291
kmalloc_noprof include/linux/slab.h:878 [inline]
kzalloc_noprof include/linux/slab.h:1014 [inline]
kernfs_iop_get_link+0x67/0x5a0 fs/kernfs/symlink.c:135
vfs_readlink+0x170/0x3b0 fs/namei.c:5267
do_readlinkat+0x249/0x3a0 fs/stat.c:551
__do_sys_readlink fs/stat.c:574 [inline]
__se_sys_readlink fs/stat.c:571 [inline]
__x64_sys_readlink+0x7f/0x90 fs/stat.c:571
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 54 tgid 54 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0xcfb/0xf20 mm/page_alloc.c:2638
__slab_free+0x31b/0x3d0 mm/slub.c:4491
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x9a/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:247 [inline]
slab_post_alloc_hook mm/slub.c:4086 [inline]
slab_alloc_node mm/slub.c:4135 [inline]
__kmalloc_cache_noprof+0x132/0x2c0 mm/slub.c:4291
kmalloc_noprof include/linux/slab.h:878 [inline]
hci_cmd_sync_submit+0xcb/0x2f0 net/bluetooth/hci_sync.c:710
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f2/0x390 kernel/kthread.c:389
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Memory state around the buggy address:
ffff888022135f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888022136000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888022136080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888022136100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888022136180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: e32cde8d Merge tag 'sched_ext-for-6.12-rc1-fixes-1' of..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14e62580580000
kernel config: https://syzkaller.appspot.com/x/.config?x=5997f8b13c390e73
dashboard link: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=12698927980000
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH v2] Bluetooth: SCO: Use disable_delayed_work_sync
@ 2024-10-02 18:26 Luiz Augusto von Dentz
2024-10-02 18:46 ` [syzbot] [bluetooth?] KASAN: slab-use-after-free Write in sco_sock_timeout syzbot
0 siblings, 1 reply; 17+ messages in thread
From: Luiz Augusto von Dentz @ 2024-10-02 18:26 UTC (permalink / raw)
To: linux-bluetooth; +Cc: syzbot+4c0d0c4cde787116d465
[-- Attachment #1: Type: text/plain, Size: 2002 bytes --]
#syz test
On Wed, Oct 2, 2024 at 11:40 AM Luiz Augusto von Dentz
<luiz.dentz@gmail.com> wrote:
>
> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
>
> This makes use of disable_delayed_work_sync instead
> cancel_delayed_work_sync as it not only cancel the ongoing work but also
> disables new submit which is disarable since the object holding the work
> is about to be freed.
>
> In addition to it remove call to sco_sock_set_timer on __sco_sock_close
> since at that point it is useless to set a timer as the sk will be freed
> there is nothing to be done in sco_sock_timeout.
>
> Reported-by: syzbot+4c0d0c4cde787116d465@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
> Fixes: ba316be1b6a0 ("Bluetooth: schedule SCO timeouts with delayed_work")
> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> ---
> net/bluetooth/sco.c | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
> index a5ac160c592e..8dfb53dabbd7 100644
> --- a/net/bluetooth/sco.c
> +++ b/net/bluetooth/sco.c
> @@ -208,7 +208,7 @@ static void sco_conn_del(struct hci_conn *hcon, int err)
> }
>
> /* Ensure no more work items will run before freeing conn. */
> - cancel_delayed_work_sync(&conn->timeout_work);
> + disable_delayed_work_sync(&conn->timeout_work);
>
> hcon->sco_data = NULL;
> kfree(conn);
> @@ -444,7 +444,6 @@ static void __sco_sock_close(struct sock *sk)
> case BT_CONFIG:
> if (sco_pi(sk)->conn->hcon) {
> sk->sk_state = BT_DISCONN;
> - sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT);
> sco_conn_lock(sco_pi(sk)->conn);
> hci_conn_drop(sco_pi(sk)->conn->hcon);
> sco_pi(sk)->conn->hcon = NULL;
> --
> 2.46.1
>
--
Luiz Augusto von Dentz
[-- Attachment #2: v2-0001-Bluetooth-SCO-Use-disable_delayed_work_sync.patch --]
[-- Type: text/x-patch, Size: 1764 bytes --]
From a2dbe18d66307323851d19acdae0ed10c6edb72a Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: Tue, 1 Oct 2024 15:46:10 -0400
Subject: [PATCH v2] Bluetooth: SCO: Use disable_delayed_work_sync
This makes use of disable_delayed_work_sync instead
cancel_delayed_work_sync as it not only cancel the ongoing work but also
disables new submit which is disarable since the object holding the work
is about to be freed.
In addition to it remove call to sco_sock_set_timer on __sco_sock_close
since at that point it is useless to set a timer as the sk will be freed
there is nothing to be done in sco_sock_timeout.
Reported-by: syzbot+4c0d0c4cde787116d465@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
Fixes: ba316be1b6a0 ("Bluetooth: schedule SCO timeouts with delayed_work")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
net/bluetooth/sco.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index a5ac160c592e..8dfb53dabbd7 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -208,7 +208,7 @@ static void sco_conn_del(struct hci_conn *hcon, int err)
}
/* Ensure no more work items will run before freeing conn. */
- cancel_delayed_work_sync(&conn->timeout_work);
+ disable_delayed_work_sync(&conn->timeout_work);
hcon->sco_data = NULL;
kfree(conn);
@@ -444,7 +444,6 @@ static void __sco_sock_close(struct sock *sk)
case BT_CONFIG:
if (sco_pi(sk)->conn->hcon) {
sk->sk_state = BT_DISCONN;
- sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT);
sco_conn_lock(sco_pi(sk)->conn);
hci_conn_drop(sco_pi(sk)->conn->hcon);
sco_pi(sk)->conn->hcon = NULL;
--
2.46.1
^ permalink raw reply related [flat|nested] 17+ messages in thread* Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Write in sco_sock_timeout
2024-10-02 18:26 [PATCH v2] Bluetooth: SCO: Use disable_delayed_work_sync Luiz Augusto von Dentz
@ 2024-10-02 18:46 ` syzbot
0 siblings, 0 replies; 17+ messages in thread
From: syzbot @ 2024-10-02 18:46 UTC (permalink / raw)
To: linux-bluetooth, linux-kernel, luiz.dentz, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Write in sco_conn_del
==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: slab-use-after-free in atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
BUG: KASAN: slab-use-after-free in __refcount_add include/linux/refcount.h:184 [inline]
BUG: KASAN: slab-use-after-free in __refcount_inc include/linux/refcount.h:241 [inline]
BUG: KASAN: slab-use-after-free in refcount_inc include/linux/refcount.h:258 [inline]
BUG: KASAN: slab-use-after-free in sock_hold include/net/sock.h:781 [inline]
BUG: KASAN: slab-use-after-free in sco_conn_del+0xa5/0x310 net/bluetooth/sco.c:199
Write of size 4 at addr ffff88802ad8c080 by task kworker/u9:2/5106
CPU: 0 UID: 0 PID: 5106 Comm: kworker/u9:2 Not tainted 6.12.0-rc1-syzkaller-ge32cde8d2bd7-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
__refcount_add include/linux/refcount.h:184 [inline]
__refcount_inc include/linux/refcount.h:241 [inline]
refcount_inc include/linux/refcount.h:258 [inline]
sock_hold include/net/sock.h:781 [inline]
sco_conn_del+0xa5/0x310 net/bluetooth/sco.c:199
sco_connect_cfm+0xe6/0xb40 net/bluetooth/sco.c:1363
hci_connect_cfm include/net/bluetooth/hci_core.h:1960 [inline]
hci_conn_failed+0x1d0/0x300 net/bluetooth/hci_conn.c:1262
hci_abort_conn_sync+0x583/0xde0 net/bluetooth/hci_sync.c:5586
hci_cmd_sync_work+0x22d/0x400 net/bluetooth/hci_sync.c:328
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f2/0x390 kernel/kthread.c:389
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Allocated by task 5633:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:257 [inline]
__do_kmalloc_node mm/slub.c:4265 [inline]
__kmalloc_noprof+0x1fc/0x400 mm/slub.c:4277
kmalloc_noprof include/linux/slab.h:882 [inline]
sk_prot_alloc+0xe0/0x210 net/core/sock.c:2164
sk_alloc+0x38/0x370 net/core/sock.c:2217
bt_sock_alloc+0x3c/0x340 net/bluetooth/af_bluetooth.c:148
sco_sock_alloc net/bluetooth/sco.c:499 [inline]
sco_sock_create+0xbb/0x390 net/bluetooth/sco.c:530
bt_sock_create+0x163/0x230 net/bluetooth/af_bluetooth.c:132
__sock_create+0x492/0x920 net/socket.c:1576
sock_create net/socket.c:1627 [inline]
__sys_socket_create net/socket.c:1664 [inline]
__sys_socket+0x150/0x3c0 net/socket.c:1711
__do_sys_socket net/socket.c:1725 [inline]
__se_sys_socket net/socket.c:1723 [inline]
__x64_sys_socket+0x7a/0x90 net/socket.c:1723
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 5634:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:2343 [inline]
slab_free mm/slub.c:4580 [inline]
kfree+0x1a0/0x440 mm/slub.c:4728
sk_prot_free net/core/sock.c:2200 [inline]
__sk_destruct+0x479/0x5f0 net/core/sock.c:2292
sco_sock_release+0x25e/0x320 net/bluetooth/sco.c:1258
__sock_release net/socket.c:658 [inline]
sock_close+0xbe/0x240 net/socket.c:1426
__fput+0x241/0x880 fs/file_table.c:431
task_work_run+0x251/0x310 kernel/task_work.c:228
get_signal+0x15e8/0x1740 kernel/signal.c:2690
arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0xc9/0x370 kernel/entry/common.c:218
do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff88802ad8c000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 128 bytes inside of
freed 2048-byte region [ffff88802ad8c000, ffff88802ad8c800)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2ad88
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff888015442000 0000000000000000 0000000000000001
raw: 0000000000000000 0000000080080008 00000001f5000000 0000000000000000
head: 00fff00000000040 ffff888015442000 0000000000000000 0000000000000001
head: 0000000000000000 0000000080080008 00000001f5000000 0000000000000000
head: 00fff00000000003 ffffea0000ab6201 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4761, tgid 4761 (dhcpcd), ts 68514784369, free_ts 68293337708
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0x3045/0x3190 mm/page_alloc.c:3457
__alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4733
alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
alloc_slab_page+0x6a/0x120 mm/slub.c:2413
allocate_slab+0x5a/0x2f0 mm/slub.c:2579
new_slab mm/slub.c:2632 [inline]
___slab_alloc+0xcd1/0x14b0 mm/slub.c:3819
__slab_alloc+0x58/0xa0 mm/slub.c:3909
__slab_alloc_node mm/slub.c:3962 [inline]
slab_alloc_node mm/slub.c:4123 [inline]
__kmalloc_cache_noprof+0x1d5/0x2c0 mm/slub.c:4291
kmalloc_noprof include/linux/slab.h:878 [inline]
rtnl_newlink+0xf2/0x20a0 net/core/rtnetlink.c:3739
rtnetlink_rcv_msg+0x741/0xcf0 net/core/rtnetlink.c:6646
netlink_rcv_skb+0x1e5/0x430 net/netlink/af_netlink.c:2550
netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
netlink_unicast+0x7f8/0x990 net/netlink/af_netlink.c:1357
netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901
sock_sendmsg_nosec net/socket.c:729 [inline]
__sock_sendmsg+0x223/0x270 net/socket.c:744
____sys_sendmsg+0x52a/0x7e0 net/socket.c:2602
page last free pid 5174 tgid 5174 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0xcfb/0xf20 mm/page_alloc.c:2638
discard_slab mm/slub.c:2678 [inline]
__put_partials+0xeb/0x130 mm/slub.c:3146
put_cpu_partial+0x17c/0x250 mm/slub.c:3221
__slab_free+0x2ea/0x3d0 mm/slub.c:4450
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x9a/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:247 [inline]
slab_post_alloc_hook mm/slub.c:4086 [inline]
slab_alloc_node mm/slub.c:4135 [inline]
kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4142
vm_area_alloc+0x24/0x1d0 kernel/fork.c:472
mmap_region+0x1132/0x2990 mm/mmap.c:1424
do_mmap+0x8f0/0x1000 mm/mmap.c:496
vm_mmap_pgoff+0x1dd/0x3d0 mm/util.c:588
ksys_mmap_pgoff+0x4eb/0x720 mm/mmap.c:542
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff88802ad8bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88802ad8c000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88802ad8c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88802ad8c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88802ad8c180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: e32cde8d Merge tag 'sched_ext-for-6.12-rc1-fixes-1' of..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13bb23d0580000
kernel config: https://syzkaller.appspot.com/x/.config?x=5997f8b13c390e73
dashboard link: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=14ebd39f980000
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH v3] Bluetooth: SCO: Use disable_delayed_work_sync
@ 2024-10-02 19:19 Luiz Augusto von Dentz
2024-10-02 19:37 ` [syzbot] [bluetooth?] KASAN: slab-use-after-free Write in sco_sock_timeout syzbot
0 siblings, 1 reply; 17+ messages in thread
From: Luiz Augusto von Dentz @ 2024-10-02 19:19 UTC (permalink / raw)
To: linux-bluetooth; +Cc: syzbot+4c0d0c4cde787116d465
#syz test
On Wed, Oct 2, 2024 at 3:04 PM Luiz Augusto von Dentz
<luiz.dentz@gmail.com> wrote:
>
> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
>
> This makes use of disable_delayed_work_sync instead
> cancel_delayed_work_sync as it not only cancel the ongoing work but also
> disables new submit which is disarable since the object holding the work
> is about to be freed.
>
> In addition to it remove call to sco_sock_set_timer on __sco_sock_close
> since at that point it is useless to set a timer as the sk will be freed
> there is nothing to be done in sco_sock_timeout.
>
> Reported-by: syzbot+4c0d0c4cde787116d465@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
> Fixes: ba316be1b6a0 ("Bluetooth: schedule SCO timeouts with delayed_work")
> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> ---
> net/bluetooth/sco.c | 13 +------------
> 1 file changed, 1 insertion(+), 12 deletions(-)
>
> diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
> index a5ac160c592e..2b1e66976068 100644
> --- a/net/bluetooth/sco.c
> +++ b/net/bluetooth/sco.c
> @@ -208,7 +208,7 @@ static void sco_conn_del(struct hci_conn *hcon, int err)
> }
>
> /* Ensure no more work items will run before freeing conn. */
> - cancel_delayed_work_sync(&conn->timeout_work);
> + disable_delayed_work_sync(&conn->timeout_work);
>
> hcon->sco_data = NULL;
> kfree(conn);
> @@ -442,17 +442,6 @@ static void __sco_sock_close(struct sock *sk)
>
> case BT_CONNECTED:
> case BT_CONFIG:
> - if (sco_pi(sk)->conn->hcon) {
> - sk->sk_state = BT_DISCONN;
> - sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT);
> - sco_conn_lock(sco_pi(sk)->conn);
> - hci_conn_drop(sco_pi(sk)->conn->hcon);
> - sco_pi(sk)->conn->hcon = NULL;
> - sco_conn_unlock(sco_pi(sk)->conn);
> - } else
> - sco_chan_del(sk, ECONNRESET);
> - break;
> -
> case BT_CONNECT2:
> case BT_CONNECT:
> case BT_DISCONN:
> --
> 2.46.1
>
--
Luiz Augusto von Dentz
^ permalink raw reply [flat|nested] 17+ messages in thread* Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Write in sco_sock_timeout
2024-10-02 19:19 [PATCH v3] Bluetooth: SCO: Use disable_delayed_work_sync Luiz Augusto von Dentz
@ 2024-10-02 19:37 ` syzbot
0 siblings, 0 replies; 17+ messages in thread
From: syzbot @ 2024-10-02 19:37 UTC (permalink / raw)
To: linux-bluetooth, linux-kernel, luiz.dentz, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Write in sco_sock_timeout
==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: slab-use-after-free in atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
BUG: KASAN: slab-use-after-free in __refcount_add include/linux/refcount.h:184 [inline]
BUG: KASAN: slab-use-after-free in __refcount_inc include/linux/refcount.h:241 [inline]
BUG: KASAN: slab-use-after-free in refcount_inc include/linux/refcount.h:258 [inline]
BUG: KASAN: slab-use-after-free in sock_hold include/net/sock.h:781 [inline]
BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x8b/0x270 net/bluetooth/sco.c:92
Write of size 4 at addr ffff88807e2d5080 by task kworker/1:1/47
CPU: 1 UID: 0 PID: 47 Comm: kworker/1:1 Not tainted 6.12.0-rc1-syzkaller-ge32cde8d2bd7 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: events sco_sock_timeout
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
__refcount_add include/linux/refcount.h:184 [inline]
__refcount_inc include/linux/refcount.h:241 [inline]
refcount_inc include/linux/refcount.h:258 [inline]
sock_hold include/net/sock.h:781 [inline]
sco_sock_timeout+0x8b/0x270 net/bluetooth/sco.c:92
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f2/0x390 kernel/kthread.c:389
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Allocated by task 5759:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:257 [inline]
__do_kmalloc_node mm/slub.c:4265 [inline]
__kmalloc_noprof+0x1fc/0x400 mm/slub.c:4277
kmalloc_noprof include/linux/slab.h:882 [inline]
sk_prot_alloc+0xe0/0x210 net/core/sock.c:2164
sk_alloc+0x38/0x370 net/core/sock.c:2217
bt_sock_alloc+0x3c/0x340 net/bluetooth/af_bluetooth.c:148
sco_sock_alloc net/bluetooth/sco.c:500 [inline]
sco_sock_create+0xbb/0x390 net/bluetooth/sco.c:531
bt_sock_create+0x163/0x230 net/bluetooth/af_bluetooth.c:132
__sock_create+0x492/0x920 net/socket.c:1576
sock_create net/socket.c:1627 [inline]
__sys_socket_create net/socket.c:1664 [inline]
__sys_socket+0x150/0x3c0 net/socket.c:1711
__do_sys_socket net/socket.c:1725 [inline]
__se_sys_socket net/socket.c:1723 [inline]
__x64_sys_socket+0x7a/0x90 net/socket.c:1723
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 5760:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:2343 [inline]
slab_free mm/slub.c:4580 [inline]
kfree+0x1a0/0x440 mm/slub.c:4728
sk_prot_free net/core/sock.c:2200 [inline]
__sk_destruct+0x479/0x5f0 net/core/sock.c:2292
sco_sock_release+0x25e/0x320 net/bluetooth/sco.c:1259
__sock_release net/socket.c:658 [inline]
sock_close+0xbe/0x240 net/socket.c:1426
__fput+0x241/0x880 fs/file_table.c:431
task_work_run+0x251/0x310 kernel/task_work.c:228
get_signal+0x15e8/0x1740 kernel/signal.c:2690
arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0xc9/0x370 kernel/entry/common.c:218
do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff88807e2d5000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 128 bytes inside of
freed 2048-byte region [ffff88807e2d5000, ffff88807e2d5800)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7e2d0
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff888015442000 ffffea0000a07800 dead000000000002
raw: 0000000000000000 0000000000080008 00000001f5000000 0000000000000000
head: 00fff00000000040 ffff888015442000 ffffea0000a07800 dead000000000002
head: 0000000000000000 0000000000080008 00000001f5000000 0000000000000000
head: 00fff00000000003 ffffea0001f8b401 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4533, tgid 4533 (acpid), ts 19751533769, free_ts 17515017965
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0x3045/0x3190 mm/page_alloc.c:3457
__alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4733
alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
alloc_slab_page+0x6a/0x120 mm/slub.c:2413
allocate_slab+0x5a/0x2f0 mm/slub.c:2579
new_slab mm/slub.c:2632 [inline]
___slab_alloc+0xcd1/0x14b0 mm/slub.c:3819
__slab_alloc+0x58/0xa0 mm/slub.c:3909
__slab_alloc_node mm/slub.c:3962 [inline]
slab_alloc_node mm/slub.c:4123 [inline]
__do_kmalloc_node mm/slub.c:4264 [inline]
__kmalloc_noprof+0x25a/0x400 mm/slub.c:4277
kmalloc_noprof include/linux/slab.h:882 [inline]
sk_prot_alloc+0xe0/0x210 net/core/sock.c:2164
sk_alloc+0x38/0x370 net/core/sock.c:2217
__netlink_create+0x65/0x260 net/netlink/af_netlink.c:646
netlink_create+0x3ab/0x560 net/netlink/af_netlink.c:704
__sock_create+0x492/0x920 net/socket.c:1576
sock_create net/socket.c:1627 [inline]
__sys_socket_create net/socket.c:1664 [inline]
__sys_socket+0x150/0x3c0 net/socket.c:1711
__do_sys_socket net/socket.c:1725 [inline]
__se_sys_socket net/socket.c:1723 [inline]
__x64_sys_socket+0x7a/0x90 net/socket.c:1723
page last free pid 1 tgid 1 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0xcfb/0xf20 mm/page_alloc.c:2638
free_contig_range+0x152/0x550 mm/page_alloc.c:6748
destroy_args+0x8a/0x840 mm/debug_vm_pgtable.c:1017
debug_vm_pgtable+0x4be/0x550 mm/debug_vm_pgtable.c:1397
do_one_initcall+0x24a/0x880 init/main.c:1269
do_initcall_level+0x157/0x210 init/main.c:1331
do_initcalls+0x3f/0x80 init/main.c:1347
kernel_init_freeable+0x435/0x5d0 init/main.c:1580
kernel_init+0x1d/0x2b0 init/main.c:1469
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Memory state around the buggy address:
ffff88807e2d4f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88807e2d5000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88807e2d5080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88807e2d5100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807e2d5180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: e32cde8d Merge tag 'sched_ext-for-6.12-rc1-fixes-1' of..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=174f23d0580000
kernel config: https://syzkaller.appspot.com/x/.config?x=5997f8b13c390e73
dashboard link: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Note: no patches were applied.
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH v3] Bluetooth: SCO: Use disable_delayed_work_sync
2024-10-02 19:19 [PATCH v3] Bluetooth: SCO: Use disable_delayed_work_sync Luiz Augusto von Dentz
@ 2024-10-02 19:46 Luiz Augusto von Dentz
2024-10-02 20:05 ` [syzbot] [bluetooth?] KASAN: slab-use-after-free Write in sco_sock_timeout syzbot
0 siblings, 1 reply; 17+ messages in thread
From: Luiz Augusto von Dentz @ 2024-10-02 19:46 UTC (permalink / raw)
To: linux-bluetooth; +Cc: syzbot+4c0d0c4cde787116d465
[-- Attachment #1: Type: text/plain, Size: 2567 bytes --]
#syz test
On Wed, Oct 2, 2024 at 3:19 PM Luiz Augusto von Dentz
<luiz.dentz@gmail.com> wrote:
>
> #syz test
>
> On Wed, Oct 2, 2024 at 3:04 PM Luiz Augusto von Dentz
> <luiz.dentz@gmail.com> wrote:
> >
> > From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> >
> > This makes use of disable_delayed_work_sync instead
> > cancel_delayed_work_sync as it not only cancel the ongoing work but also
> > disables new submit which is disarable since the object holding the work
> > is about to be freed.
> >
> > In addition to it remove call to sco_sock_set_timer on __sco_sock_close
> > since at that point it is useless to set a timer as the sk will be freed
> > there is nothing to be done in sco_sock_timeout.
> >
> > Reported-by: syzbot+4c0d0c4cde787116d465@syzkaller.appspotmail.com
> > Closes: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
> > Fixes: ba316be1b6a0 ("Bluetooth: schedule SCO timeouts with delayed_work")
> > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> > ---
> > net/bluetooth/sco.c | 13 +------------
> > 1 file changed, 1 insertion(+), 12 deletions(-)
> >
> > diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
> > index a5ac160c592e..2b1e66976068 100644
> > --- a/net/bluetooth/sco.c
> > +++ b/net/bluetooth/sco.c
> > @@ -208,7 +208,7 @@ static void sco_conn_del(struct hci_conn *hcon, int err)
> > }
> >
> > /* Ensure no more work items will run before freeing conn. */
> > - cancel_delayed_work_sync(&conn->timeout_work);
> > + disable_delayed_work_sync(&conn->timeout_work);
> >
> > hcon->sco_data = NULL;
> > kfree(conn);
> > @@ -442,17 +442,6 @@ static void __sco_sock_close(struct sock *sk)
> >
> > case BT_CONNECTED:
> > case BT_CONFIG:
> > - if (sco_pi(sk)->conn->hcon) {
> > - sk->sk_state = BT_DISCONN;
> > - sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT);
> > - sco_conn_lock(sco_pi(sk)->conn);
> > - hci_conn_drop(sco_pi(sk)->conn->hcon);
> > - sco_pi(sk)->conn->hcon = NULL;
> > - sco_conn_unlock(sco_pi(sk)->conn);
> > - } else
> > - sco_chan_del(sk, ECONNRESET);
> > - break;
> > -
> > case BT_CONNECT2:
> > case BT_CONNECT:
> > case BT_DISCONN:
> > --
> > 2.46.1
> >
>
>
> --
> Luiz Augusto von Dentz
--
Luiz Augusto von Dentz
[-- Attachment #2: v3-0001-Bluetooth-SCO-Use-disable_delayed_work_sync.patch --]
[-- Type: text/x-patch, Size: 1953 bytes --]
From 0d8909030c2d82967efc93a008b92610a3d77b0d Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: Tue, 1 Oct 2024 15:46:10 -0400
Subject: [PATCH v3] Bluetooth: SCO: Use disable_delayed_work_sync
This makes use of disable_delayed_work_sync instead
cancel_delayed_work_sync as it not only cancel the ongoing work but also
disables new submit which is disarable since the object holding the work
is about to be freed.
In addition to it remove call to sco_sock_set_timer on __sco_sock_close
since at that point it is useless to set a timer as the sk will be freed
there is nothing to be done in sco_sock_timeout.
Reported-by: syzbot+4c0d0c4cde787116d465@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
Fixes: ba316be1b6a0 ("Bluetooth: schedule SCO timeouts with delayed_work")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
net/bluetooth/sco.c | 13 +------------
1 file changed, 1 insertion(+), 12 deletions(-)
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index a5ac160c592e..2b1e66976068 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -208,7 +208,7 @@ static void sco_conn_del(struct hci_conn *hcon, int err)
}
/* Ensure no more work items will run before freeing conn. */
- cancel_delayed_work_sync(&conn->timeout_work);
+ disable_delayed_work_sync(&conn->timeout_work);
hcon->sco_data = NULL;
kfree(conn);
@@ -442,17 +442,6 @@ static void __sco_sock_close(struct sock *sk)
case BT_CONNECTED:
case BT_CONFIG:
- if (sco_pi(sk)->conn->hcon) {
- sk->sk_state = BT_DISCONN;
- sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT);
- sco_conn_lock(sco_pi(sk)->conn);
- hci_conn_drop(sco_pi(sk)->conn->hcon);
- sco_pi(sk)->conn->hcon = NULL;
- sco_conn_unlock(sco_pi(sk)->conn);
- } else
- sco_chan_del(sk, ECONNRESET);
- break;
-
case BT_CONNECT2:
case BT_CONNECT:
case BT_DISCONN:
--
2.46.1
^ permalink raw reply related [flat|nested] 17+ messages in thread* Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Write in sco_sock_timeout
2024-10-02 19:46 [PATCH v3] Bluetooth: SCO: Use disable_delayed_work_sync Luiz Augusto von Dentz
@ 2024-10-02 20:05 ` syzbot
0 siblings, 0 replies; 17+ messages in thread
From: syzbot @ 2024-10-02 20:05 UTC (permalink / raw)
To: linux-bluetooth, linux-kernel, luiz.dentz, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Write in sco_sock_timeout
==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: slab-use-after-free in atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
BUG: KASAN: slab-use-after-free in __refcount_add include/linux/refcount.h:184 [inline]
BUG: KASAN: slab-use-after-free in __refcount_inc include/linux/refcount.h:241 [inline]
BUG: KASAN: slab-use-after-free in refcount_inc include/linux/refcount.h:258 [inline]
BUG: KASAN: slab-use-after-free in sock_hold include/net/sock.h:781 [inline]
BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x8b/0x270 net/bluetooth/sco.c:92
Write of size 4 at addr ffff8881436fb080 by task kworker/0:3/1150
CPU: 0 UID: 0 PID: 1150 Comm: kworker/0:3 Not tainted 6.12.0-rc1-syzkaller-ge32cde8d2bd7-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: events sco_sock_timeout
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
__refcount_add include/linux/refcount.h:184 [inline]
__refcount_inc include/linux/refcount.h:241 [inline]
refcount_inc include/linux/refcount.h:258 [inline]
sock_hold include/net/sock.h:781 [inline]
sco_sock_timeout+0x8b/0x270 net/bluetooth/sco.c:92
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f2/0x390 kernel/kthread.c:389
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Allocated by task 5769:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:257 [inline]
__do_kmalloc_node mm/slub.c:4265 [inline]
__kmalloc_noprof+0x1fc/0x400 mm/slub.c:4277
kmalloc_noprof include/linux/slab.h:882 [inline]
sk_prot_alloc+0xe0/0x210 net/core/sock.c:2164
sk_alloc+0x38/0x370 net/core/sock.c:2217
bt_sock_alloc+0x3c/0x340 net/bluetooth/af_bluetooth.c:148
sco_sock_alloc net/bluetooth/sco.c:489 [inline]
sco_sock_create+0xbb/0x390 net/bluetooth/sco.c:520
bt_sock_create+0x163/0x230 net/bluetooth/af_bluetooth.c:132
__sock_create+0x492/0x920 net/socket.c:1576
sock_create net/socket.c:1627 [inline]
__sys_socket_create net/socket.c:1664 [inline]
__sys_socket+0x150/0x3c0 net/socket.c:1711
__do_sys_socket net/socket.c:1725 [inline]
__se_sys_socket net/socket.c:1723 [inline]
__x64_sys_socket+0x7a/0x90 net/socket.c:1723
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 5770:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:2343 [inline]
slab_free mm/slub.c:4580 [inline]
kfree+0x1a0/0x440 mm/slub.c:4728
sk_prot_free net/core/sock.c:2200 [inline]
__sk_destruct+0x479/0x5f0 net/core/sock.c:2292
sco_sock_release+0x25e/0x320 net/bluetooth/sco.c:1248
__sock_release net/socket.c:658 [inline]
sock_close+0xbe/0x240 net/socket.c:1426
__fput+0x241/0x880 fs/file_table.c:431
task_work_run+0x251/0x310 kernel/task_work.c:228
get_signal+0x15e8/0x1740 kernel/signal.c:2690
arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0xc9/0x370 kernel/entry/common.c:218
do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff8881436fb000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 128 bytes inside of
freed 2048-byte region [ffff8881436fb000, ffff8881436fb800)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1436f8
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0x57ff00000000040(head|node=1|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 057ff00000000040 ffff888015442000 0000000000000000 dead000000000001
raw: 0000000000000000 0000000000080008 00000001f5000000 0000000000000000
head: 057ff00000000040 ffff888015442000 0000000000000000 dead000000000001
head: 0000000000000000 0000000000080008 00000001f5000000 0000000000000000
head: 057ff00000000003 ffffea00050dbe01 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 2322085089, free_ts 0
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0x3045/0x3190 mm/page_alloc.c:3457
__alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4733
alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
alloc_slab_page+0x6a/0x120 mm/slub.c:2413
allocate_slab+0x5a/0x2f0 mm/slub.c:2579
new_slab mm/slub.c:2632 [inline]
___slab_alloc+0xcd1/0x14b0 mm/slub.c:3819
__slab_alloc+0x58/0xa0 mm/slub.c:3909
__slab_alloc_node mm/slub.c:3962 [inline]
slab_alloc_node mm/slub.c:4123 [inline]
__kmalloc_cache_noprof+0x1d5/0x2c0 mm/slub.c:4291
kmalloc_noprof include/linux/slab.h:878 [inline]
kzalloc_noprof include/linux/slab.h:1014 [inline]
acpi_add_single_object+0xe5/0x1e00 drivers/acpi/scan.c:1876
acpi_bus_check_add+0x32b/0x980 drivers/acpi/scan.c:2181
acpi_ns_walk_namespace+0x296/0x4f0
acpi_walk_namespace+0xeb/0x130 drivers/acpi/acpica/nsxfeval.c:606
acpi_bus_scan+0x4c1/0x560 drivers/acpi/scan.c:2595
acpi_scan_init+0x267/0x730 drivers/acpi/scan.c:2747
acpi_init+0x159/0x240 drivers/acpi/bus.c:1466
page_owner free stack trace missing
Memory state around the buggy address:
ffff8881436faf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8881436fb000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881436fb080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881436fb100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881436fb180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: e32cde8d Merge tag 'sched_ext-for-6.12-rc1-fixes-1' of..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13299927980000
kernel config: https://syzkaller.appspot.com/x/.config?x=5997f8b13c390e73
dashboard link: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=121f23d0580000
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH v3] Bluetooth: SCO: Use disable_delayed_work_sync
2024-10-02 19:46 [PATCH v3] Bluetooth: SCO: Use disable_delayed_work_sync Luiz Augusto von Dentz
@ 2024-10-02 20:46 Luiz Augusto von Dentz
2024-10-02 23:16 ` [syzbot] [bluetooth?] KASAN: slab-use-after-free Write in sco_sock_timeout syzbot
0 siblings, 1 reply; 17+ messages in thread
From: Luiz Augusto von Dentz @ 2024-10-02 20:46 UTC (permalink / raw)
To: linux-bluetooth; +Cc: syzbot+4c0d0c4cde787116d465
[-- Attachment #1: Type: text/plain, Size: 2845 bytes --]
#syz test
On Wed, Oct 2, 2024 at 3:46 PM Luiz Augusto von Dentz
<luiz.dentz@gmail.com> wrote:
>
> #syz test
>
> On Wed, Oct 2, 2024 at 3:19 PM Luiz Augusto von Dentz
> <luiz.dentz@gmail.com> wrote:
> >
> > #syz test
> >
> > On Wed, Oct 2, 2024 at 3:04 PM Luiz Augusto von Dentz
> > <luiz.dentz@gmail.com> wrote:
> > >
> > > From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> > >
> > > This makes use of disable_delayed_work_sync instead
> > > cancel_delayed_work_sync as it not only cancel the ongoing work but also
> > > disables new submit which is disarable since the object holding the work
> > > is about to be freed.
> > >
> > > In addition to it remove call to sco_sock_set_timer on __sco_sock_close
> > > since at that point it is useless to set a timer as the sk will be freed
> > > there is nothing to be done in sco_sock_timeout.
> > >
> > > Reported-by: syzbot+4c0d0c4cde787116d465@syzkaller.appspotmail.com
> > > Closes: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
> > > Fixes: ba316be1b6a0 ("Bluetooth: schedule SCO timeouts with delayed_work")
> > > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> > > ---
> > > net/bluetooth/sco.c | 13 +------------
> > > 1 file changed, 1 insertion(+), 12 deletions(-)
> > >
> > > diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
> > > index a5ac160c592e..2b1e66976068 100644
> > > --- a/net/bluetooth/sco.c
> > > +++ b/net/bluetooth/sco.c
> > > @@ -208,7 +208,7 @@ static void sco_conn_del(struct hci_conn *hcon, int err)
> > > }
> > >
> > > /* Ensure no more work items will run before freeing conn. */
> > > - cancel_delayed_work_sync(&conn->timeout_work);
> > > + disable_delayed_work_sync(&conn->timeout_work);
> > >
> > > hcon->sco_data = NULL;
> > > kfree(conn);
> > > @@ -442,17 +442,6 @@ static void __sco_sock_close(struct sock *sk)
> > >
> > > case BT_CONNECTED:
> > > case BT_CONFIG:
> > > - if (sco_pi(sk)->conn->hcon) {
> > > - sk->sk_state = BT_DISCONN;
> > > - sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT);
> > > - sco_conn_lock(sco_pi(sk)->conn);
> > > - hci_conn_drop(sco_pi(sk)->conn->hcon);
> > > - sco_pi(sk)->conn->hcon = NULL;
> > > - sco_conn_unlock(sco_pi(sk)->conn);
> > > - } else
> > > - sco_chan_del(sk, ECONNRESET);
> > > - break;
> > > -
> > > case BT_CONNECT2:
> > > case BT_CONNECT:
> > > case BT_DISCONN:
> > > --
> > > 2.46.1
> > >
> >
> >
> > --
> > Luiz Augusto von Dentz
>
>
>
> --
> Luiz Augusto von Dentz
--
Luiz Augusto von Dentz
[-- Attachment #2: v4-0001-Bluetooth-SCO-Use-disable_delayed_work_sync.patch --]
[-- Type: text/x-patch, Size: 2293 bytes --]
From 85b438673dd4f1bb68676294d5674d20a0d47c09 Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: Tue, 1 Oct 2024 15:46:10 -0400
Subject: [PATCH v4] Bluetooth: SCO: Use disable_delayed_work_sync
This makes use of disable_delayed_work_sync instead
cancel_delayed_work_sync as it not only cancel the ongoing work but also
disables new submit which is disarable since the object holding the work
is about to be freed.
In addition to it remove call to sco_sock_set_timer on __sco_sock_close
since at that point it is useless to set a timer as the sk will be freed
there is nothing to be done in sco_sock_timeout.
Reported-by: syzbot+4c0d0c4cde787116d465@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
Fixes: ba316be1b6a0 ("Bluetooth: schedule SCO timeouts with delayed_work")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
net/bluetooth/sco.c | 20 +++++---------------
1 file changed, 5 insertions(+), 15 deletions(-)
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index a5ac160c592e..cee87c6c9194 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -169,10 +169,11 @@ static void sco_chan_del(struct sock *sk, int err)
sco_conn_lock(conn);
conn->sk = NULL;
sco_pi(sk)->conn = NULL;
- sco_conn_unlock(conn);
-
- if (conn->hcon)
+ if (conn->hcon) {
hci_conn_drop(conn->hcon);
+ conn->hcon = NULL;
+ }
+ sco_conn_unlock(conn);
}
sk->sk_state = BT_CLOSED;
@@ -208,7 +209,7 @@ static void sco_conn_del(struct hci_conn *hcon, int err)
}
/* Ensure no more work items will run before freeing conn. */
- cancel_delayed_work_sync(&conn->timeout_work);
+ disable_delayed_work_sync(&conn->timeout_work);
hcon->sco_data = NULL;
kfree(conn);
@@ -442,17 +443,6 @@ static void __sco_sock_close(struct sock *sk)
case BT_CONNECTED:
case BT_CONFIG:
- if (sco_pi(sk)->conn->hcon) {
- sk->sk_state = BT_DISCONN;
- sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT);
- sco_conn_lock(sco_pi(sk)->conn);
- hci_conn_drop(sco_pi(sk)->conn->hcon);
- sco_pi(sk)->conn->hcon = NULL;
- sco_conn_unlock(sco_pi(sk)->conn);
- } else
- sco_chan_del(sk, ECONNRESET);
- break;
-
case BT_CONNECT2:
case BT_CONNECT:
case BT_DISCONN:
--
2.46.1
^ permalink raw reply related [flat|nested] 17+ messages in thread* Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Write in sco_sock_timeout
2024-10-02 20:46 [PATCH v3] Bluetooth: SCO: Use disable_delayed_work_sync Luiz Augusto von Dentz
@ 2024-10-02 23:16 ` syzbot
0 siblings, 0 replies; 17+ messages in thread
From: syzbot @ 2024-10-02 23:16 UTC (permalink / raw)
To: linux-bluetooth, linux-kernel, luiz.dentz, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Write in sco_sock_timeout
==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: slab-use-after-free in atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
BUG: KASAN: slab-use-after-free in __refcount_add include/linux/refcount.h:184 [inline]
BUG: KASAN: slab-use-after-free in __refcount_inc include/linux/refcount.h:241 [inline]
BUG: KASAN: slab-use-after-free in refcount_inc include/linux/refcount.h:258 [inline]
BUG: KASAN: slab-use-after-free in sock_hold include/net/sock.h:781 [inline]
BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x8b/0x270 net/bluetooth/sco.c:92
Write of size 4 at addr ffff8881442d6080 by task kworker/1:3/5112
CPU: 1 UID: 0 PID: 5112 Comm: kworker/1:3 Not tainted 6.12.0-rc1-syzkaller-gf23aa4c0761a-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: events sco_sock_timeout
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
__refcount_add include/linux/refcount.h:184 [inline]
__refcount_inc include/linux/refcount.h:241 [inline]
refcount_inc include/linux/refcount.h:258 [inline]
sock_hold include/net/sock.h:781 [inline]
sco_sock_timeout+0x8b/0x270 net/bluetooth/sco.c:92
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f2/0x390 kernel/kthread.c:389
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Allocated by task 5785:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:257 [inline]
__do_kmalloc_node mm/slub.c:4265 [inline]
__kmalloc_noprof+0x1fc/0x400 mm/slub.c:4277
kmalloc_noprof include/linux/slab.h:882 [inline]
sk_prot_alloc+0xe0/0x210 net/core/sock.c:2164
sk_alloc+0x38/0x370 net/core/sock.c:2217
bt_sock_alloc+0x3c/0x340 net/bluetooth/af_bluetooth.c:148
sco_sock_alloc net/bluetooth/sco.c:490 [inline]
sco_sock_create+0xbb/0x390 net/bluetooth/sco.c:521
bt_sock_create+0x163/0x230 net/bluetooth/af_bluetooth.c:132
__sock_create+0x492/0x920 net/socket.c:1576
sock_create net/socket.c:1627 [inline]
__sys_socket_create net/socket.c:1664 [inline]
__sys_socket+0x150/0x3c0 net/socket.c:1711
__do_sys_socket net/socket.c:1725 [inline]
__se_sys_socket net/socket.c:1723 [inline]
__x64_sys_socket+0x7a/0x90 net/socket.c:1723
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 5786:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:2343 [inline]
slab_free mm/slub.c:4580 [inline]
kfree+0x1a0/0x440 mm/slub.c:4728
sk_prot_free net/core/sock.c:2200 [inline]
__sk_destruct+0x479/0x5f0 net/core/sock.c:2292
sco_sock_release+0x25e/0x320 net/bluetooth/sco.c:1249
__sock_release net/socket.c:658 [inline]
sock_close+0xbe/0x240 net/socket.c:1426
__fput+0x241/0x880 fs/file_table.c:431
task_work_run+0x251/0x310 kernel/task_work.c:228
get_signal+0x15e8/0x1740 kernel/signal.c:2690
arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0xc9/0x370 kernel/entry/common.c:218
do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff8881442d6000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 128 bytes inside of
freed 2048-byte region [ffff8881442d6000, ffff8881442d6800)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1442d0
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0x57ff00000000040(head|node=1|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 057ff00000000040 ffff888015442000 0000000000000000 dead000000000001
raw: 0000000000000000 0000000000080008 00000001f5000000 0000000000000000
head: 057ff00000000040 ffff888015442000 0000000000000000 dead000000000001
head: 0000000000000000 0000000000080008 00000001f5000000 0000000000000000
head: 057ff00000000003 ffffea000510b401 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 2464151042, free_ts 0
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0x3045/0x3190 mm/page_alloc.c:3457
__alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4733
alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
alloc_slab_page+0x6a/0x120 mm/slub.c:2413
allocate_slab+0x5a/0x2f0 mm/slub.c:2579
new_slab mm/slub.c:2632 [inline]
___slab_alloc+0xcd1/0x14b0 mm/slub.c:3819
__slab_alloc+0x58/0xa0 mm/slub.c:3909
__slab_alloc_node mm/slub.c:3962 [inline]
slab_alloc_node mm/slub.c:4123 [inline]
__kmalloc_cache_noprof+0x1d5/0x2c0 mm/slub.c:4291
kmalloc_noprof include/linux/slab.h:878 [inline]
kzalloc_noprof include/linux/slab.h:1014 [inline]
acpi_ds_create_walk_state+0x103/0x2a0 drivers/acpi/acpica/dswstate.c:518
acpi_ps_execute_method+0x245/0x880 drivers/acpi/acpica/psxface.c:134
acpi_ns_evaluate+0x5df/0xa40 drivers/acpi/acpica/nseval.c:205
acpi_evaluate_object+0x59b/0xaf0 drivers/acpi/acpica/nsxfeval.c:354
map_mat_entry drivers/acpi/processor_core.c:241 [inline]
acpi_get_phys_id+0xa5/0xd00 drivers/acpi/processor_core.c:274
acpi_get_cpuid+0x28/0x1f0 drivers/acpi/processor_core.c:332
processor_physically_present+0x29a/0x380 drivers/acpi/acpi_processor.c:565
page_owner free stack trace missing
Memory state around the buggy address:
ffff8881442d5f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8881442d6000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881442d6080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881442d6100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881442d6180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: f23aa4c0 Merge tag 'hid-for-linus-2024090201' of git:/..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12d02307980000
kernel config: https://syzkaller.appspot.com/x/.config?x=d0ca089c3fc6b54e
dashboard link: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=14559927980000
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH v3] Bluetooth: SCO: Use disable_delayed_work_sync
2024-10-02 20:46 [PATCH v3] Bluetooth: SCO: Use disable_delayed_work_sync Luiz Augusto von Dentz
@ 2024-10-03 15:38 Luiz Augusto von Dentz
2024-10-03 15:55 ` [syzbot] [bluetooth?] KASAN: slab-use-after-free Write in sco_sock_timeout syzbot
0 siblings, 1 reply; 17+ messages in thread
From: Luiz Augusto von Dentz @ 2024-10-03 15:38 UTC (permalink / raw)
To: linux-bluetooth; +Cc: syzbot+4c0d0c4cde787116d465
[-- Attachment #1: Type: text/plain, Size: 3143 bytes --]
#syz test
On Wed, Oct 2, 2024 at 4:46 PM Luiz Augusto von Dentz
<luiz.dentz@gmail.com> wrote:
>
> #syz test
>
> On Wed, Oct 2, 2024 at 3:46 PM Luiz Augusto von Dentz
> <luiz.dentz@gmail.com> wrote:
> >
> > #syz test
> >
> > On Wed, Oct 2, 2024 at 3:19 PM Luiz Augusto von Dentz
> > <luiz.dentz@gmail.com> wrote:
> > >
> > > #syz test
> > >
> > > On Wed, Oct 2, 2024 at 3:04 PM Luiz Augusto von Dentz
> > > <luiz.dentz@gmail.com> wrote:
> > > >
> > > > From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> > > >
> > > > This makes use of disable_delayed_work_sync instead
> > > > cancel_delayed_work_sync as it not only cancel the ongoing work but also
> > > > disables new submit which is disarable since the object holding the work
> > > > is about to be freed.
> > > >
> > > > In addition to it remove call to sco_sock_set_timer on __sco_sock_close
> > > > since at that point it is useless to set a timer as the sk will be freed
> > > > there is nothing to be done in sco_sock_timeout.
> > > >
> > > > Reported-by: syzbot+4c0d0c4cde787116d465@syzkaller.appspotmail.com
> > > > Closes: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
> > > > Fixes: ba316be1b6a0 ("Bluetooth: schedule SCO timeouts with delayed_work")
> > > > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> > > > ---
> > > > net/bluetooth/sco.c | 13 +------------
> > > > 1 file changed, 1 insertion(+), 12 deletions(-)
> > > >
> > > > diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
> > > > index a5ac160c592e..2b1e66976068 100644
> > > > --- a/net/bluetooth/sco.c
> > > > +++ b/net/bluetooth/sco.c
> > > > @@ -208,7 +208,7 @@ static void sco_conn_del(struct hci_conn *hcon, int err)
> > > > }
> > > >
> > > > /* Ensure no more work items will run before freeing conn. */
> > > > - cancel_delayed_work_sync(&conn->timeout_work);
> > > > + disable_delayed_work_sync(&conn->timeout_work);
> > > >
> > > > hcon->sco_data = NULL;
> > > > kfree(conn);
> > > > @@ -442,17 +442,6 @@ static void __sco_sock_close(struct sock *sk)
> > > >
> > > > case BT_CONNECTED:
> > > > case BT_CONFIG:
> > > > - if (sco_pi(sk)->conn->hcon) {
> > > > - sk->sk_state = BT_DISCONN;
> > > > - sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT);
> > > > - sco_conn_lock(sco_pi(sk)->conn);
> > > > - hci_conn_drop(sco_pi(sk)->conn->hcon);
> > > > - sco_pi(sk)->conn->hcon = NULL;
> > > > - sco_conn_unlock(sco_pi(sk)->conn);
> > > > - } else
> > > > - sco_chan_del(sk, ECONNRESET);
> > > > - break;
> > > > -
> > > > case BT_CONNECT2:
> > > > case BT_CONNECT:
> > > > case BT_DISCONN:
> > > > --
> > > > 2.46.1
> > > >
> > >
> > >
> > > --
> > > Luiz Augusto von Dentz
> >
> >
> >
> > --
> > Luiz Augusto von Dentz
>
>
>
> --
> Luiz Augusto von Dentz
--
Luiz Augusto von Dentz
[-- Attachment #2: v4-0001-Bluetooth-SCO-Use-disable_delayed_work_sync.patch --]
[-- Type: text/x-patch, Size: 3708 bytes --]
From 600534815b145102456b0f2eada005bd3e89ea6b Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: Tue, 1 Oct 2024 15:46:10 -0400
Subject: [PATCH v4] Bluetooth: SCO: Use disable_delayed_work_sync
This makes use of disable_delayed_work_sync instead
cancel_delayed_work_sync as it not only cancel the ongoing work but also
disables new submit which is disarable since the object holding the work
is about to be freed.
In addition to it remove call to sco_sock_set_timer on __sco_sock_close
since at that point it is useless to set a timer as the sk will be freed
there is nothing to be done in sco_sock_timeout.
Reported-by: syzbot+4c0d0c4cde787116d465@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
Fixes: ba316be1b6a0 ("Bluetooth: schedule SCO timeouts with delayed_work")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
net/bluetooth/sco.c | 66 ++++++++++++++++++++++-----------------------
1 file changed, 33 insertions(+), 33 deletions(-)
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index a5ac160c592e..6aa08e709391 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -155,6 +155,28 @@ static struct sco_conn *sco_conn_add(struct hci_conn *hcon)
return conn;
}
+static void sco_conn_destruct(struct sco_conn *conn)
+{
+ if (!conn)
+ return;
+
+ BT_DBG("conn %p", conn);
+
+ if (conn->hcon) {
+ hci_conn_drop(conn->hcon);
+
+ sco_conn_lock(conn);
+ conn->hcon->sco_data = NULL;
+ conn->hcon = NULL;
+ sco_conn_unlock(conn);
+ }
+
+ /* Ensure no more work items will run before freeing conn. */
+ disable_delayed_work_sync(&conn->timeout_work);
+
+ kfree(conn);
+}
+
/* Delete channel.
* Must be called on the locked socket. */
static void sco_chan_del(struct sock *sk, int err)
@@ -165,16 +187,6 @@ static void sco_chan_del(struct sock *sk, int err)
BT_DBG("sk %p, conn %p, err %d", sk, conn, err);
- if (conn) {
- sco_conn_lock(conn);
- conn->sk = NULL;
- sco_pi(sk)->conn = NULL;
- sco_conn_unlock(conn);
-
- if (conn->hcon)
- hci_conn_drop(conn->hcon);
- }
-
sk->sk_state = BT_CLOSED;
sk->sk_err = err;
sk->sk_state_change(sk);
@@ -192,26 +204,23 @@ static void sco_conn_del(struct hci_conn *hcon, int err)
BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
- /* Kill socket */
sco_conn_lock(conn);
sk = conn->sk;
if (sk)
sock_hold(sk);
sco_conn_unlock(conn);
- if (sk) {
- lock_sock(sk);
- sco_sock_clear_timer(sk);
- sco_chan_del(sk, err);
- release_sock(sk);
- sock_put(sk);
+ if (!sk) {
+ sco_conn_destruct(conn);
+ return;
}
- /* Ensure no more work items will run before freeing conn. */
- cancel_delayed_work_sync(&conn->timeout_work);
-
- hcon->sco_data = NULL;
- kfree(conn);
+ /* Kill socket */
+ lock_sock(sk);
+ sco_sock_clear_timer(sk);
+ sco_chan_del(sk, err);
+ release_sock(sk);
+ sock_put(sk);
}
static void __sco_chan_add(struct sco_conn *conn, struct sock *sk,
@@ -395,6 +404,8 @@ static void sco_sock_destruct(struct sock *sk)
{
BT_DBG("sk %p", sk);
+ sco_conn_destruct(sco_pi(sk)->conn);
+
skb_queue_purge(&sk->sk_receive_queue);
skb_queue_purge(&sk->sk_write_queue);
}
@@ -442,17 +453,6 @@ static void __sco_sock_close(struct sock *sk)
case BT_CONNECTED:
case BT_CONFIG:
- if (sco_pi(sk)->conn->hcon) {
- sk->sk_state = BT_DISCONN;
- sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT);
- sco_conn_lock(sco_pi(sk)->conn);
- hci_conn_drop(sco_pi(sk)->conn->hcon);
- sco_pi(sk)->conn->hcon = NULL;
- sco_conn_unlock(sco_pi(sk)->conn);
- } else
- sco_chan_del(sk, ECONNRESET);
- break;
-
case BT_CONNECT2:
case BT_CONNECT:
case BT_DISCONN:
--
2.46.1
^ permalink raw reply related [flat|nested] 17+ messages in thread* Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Write in sco_sock_timeout
2024-10-03 15:38 [PATCH v3] Bluetooth: SCO: Use disable_delayed_work_sync Luiz Augusto von Dentz
@ 2024-10-03 15:55 ` syzbot
0 siblings, 0 replies; 17+ messages in thread
From: syzbot @ 2024-10-03 15:55 UTC (permalink / raw)
To: linux-bluetooth, linux-kernel, luiz.dentz, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Write in hci_conn_drop
==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: slab-use-after-free in atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1383 [inline]
BUG: KASAN: slab-use-after-free in hci_conn_drop+0x34/0x280 include/net/bluetooth/hci_core.h:1548
Write of size 4 at addr ffff88801ea58010 by task syz-executor.0/5537
CPU: 0 UID: 0 PID: 5537 Comm: syz-executor.0 Not tainted 6.12.0-rc1-syzkaller-g7ec462100ef9-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1383 [inline]
hci_conn_drop+0x34/0x280 include/net/bluetooth/hci_core.h:1548
sco_conn_destruct+0x57/0x100 net/bluetooth/sco.c:166
sco_sock_destruct+0x43/0x90 net/bluetooth/sco.c:407
__sk_destruct+0x5a/0x5f0 net/core/sock.c:2259
sco_sock_release+0x25e/0x320 net/bluetooth/sco.c:1259
__sock_release net/socket.c:658 [inline]
sock_close+0xbe/0x240 net/socket.c:1426
__fput+0x241/0x880 fs/file_table.c:431
__do_sys_close fs/open.c:1565 [inline]
__se_sys_close fs/open.c:1550 [inline]
__x64_sys_close+0x7f/0x110 fs/open.c:1550
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa71cc7cd5a
Code: 48 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c 24 0c e8 03 7f 02 00 8b 7c 24 0c 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 36 89 d7 89 44 24 0c e8 63 7f 02 00 8b 44 24
RSP: 002b:00007ffc91af2860 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 00007fa71cc7cd5a
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005
RBP: 00007fa71cdad980 R08: 0000001b2d160000 R09: 7fffffffffffffff
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000016f8e
R13: ffffffffffffffff R14: 00007fa71c800000 R15: 0000000000016c4d
</TASK>
Allocated by task 5455:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:257 [inline]
__kmalloc_cache_noprof+0x19c/0x2c0 mm/slub.c:4296
kmalloc_noprof include/linux/slab.h:878 [inline]
kzalloc_noprof include/linux/slab.h:1014 [inline]
__hci_conn_add+0x2f9/0x1850 net/bluetooth/hci_conn.c:932
hci_conn_add_unset net/bluetooth/hci_conn.c:1041 [inline]
hci_connect_sco+0xd0/0x370 net/bluetooth/hci_conn.c:1689
sco_connect net/bluetooth/sco.c:279 [inline]
sco_sock_connect+0x2fc/0x990 net/bluetooth/sco.c:596
__sys_connect_file net/socket.c:2066 [inline]
__sys_connect+0x2d3/0x300 net/socket.c:2083
__do_sys_connect net/socket.c:2093 [inline]
__se_sys_connect net/socket.c:2090 [inline]
__x64_sys_connect+0x7a/0x90 net/socket.c:2090
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 4494:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:2343 [inline]
slab_free mm/slub.c:4580 [inline]
kfree+0x1a0/0x440 mm/slub.c:4728
device_release+0x9b/0x1c0
kobject_cleanup lib/kobject.c:689 [inline]
kobject_release lib/kobject.c:720 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x231/0x480 lib/kobject.c:737
hci_conn_cleanup net/bluetooth/hci_conn.c:174 [inline]
hci_conn_del+0x8c4/0xc40 net/bluetooth/hci_conn.c:1160
hci_abort_conn_sync+0x583/0xde0 net/bluetooth/hci_sync.c:5586
hci_cmd_sync_work+0x22d/0x400 net/bluetooth/hci_sync.c:328
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f2/0x390 kernel/kthread.c:389
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Last potentially related work creation:
kasan_save_stack+0x3f/0x60 mm/kasan/common.c:47
__kasan_record_aux_stack+0xac/0xc0 mm/kasan/generic.c:541
insert_work+0x3e/0x330 kernel/workqueue.c:2183
__queue_work+0xc8b/0xf50 kernel/workqueue.c:2339
queue_delayed_work_on+0x1ca/0x390 kernel/workqueue.c:2552
sco_conn_destruct+0x57/0x100 net/bluetooth/sco.c:166
sco_sock_destruct+0x43/0x90 net/bluetooth/sco.c:407
__sk_destruct+0x5a/0x5f0 net/core/sock.c:2259
sco_sock_release+0x25e/0x320 net/bluetooth/sco.c:1259
__sock_release net/socket.c:658 [inline]
sock_close+0xbe/0x240 net/socket.c:1426
__fput+0x241/0x880 fs/file_table.c:431
task_work_run+0x251/0x310 kernel/task_work.c:228
get_signal+0x15e8/0x1740 kernel/signal.c:2690
arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0xc9/0x370 kernel/entry/common.c:218
do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff88801ea58000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 16 bytes inside of
freed 8192-byte region [ffff88801ea58000, ffff88801ea5a000)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1ea58
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff888015442280 0000000000000000 dead000000000001
raw: 0000000000000000 0000000080020002 00000001f5000000 0000000000000000
head: 00fff00000000040 ffff888015442280 0000000000000000 dead000000000001
head: 0000000000000000 0000000080020002 00000001f5000000 0000000000000000
head: 00fff00000000003 ffffea00007a9601 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4772, tgid 4772 (dhcpcd-run-hook), ts 33884825404, free_ts 32631813811
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0x3045/0x3190 mm/page_alloc.c:3457
__alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4733
alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
alloc_slab_page+0x6a/0x120 mm/slub.c:2413
allocate_slab+0x5a/0x2f0 mm/slub.c:2579
new_slab mm/slub.c:2632 [inline]
___slab_alloc+0xcd1/0x14b0 mm/slub.c:3819
__slab_alloc+0x58/0xa0 mm/slub.c:3909
__slab_alloc_node mm/slub.c:3962 [inline]
slab_alloc_node mm/slub.c:4123 [inline]
__kmalloc_cache_noprof+0x1d5/0x2c0 mm/slub.c:4291
kmalloc_noprof include/linux/slab.h:878 [inline]
kzalloc_noprof include/linux/slab.h:1014 [inline]
tomoyo_print_bprm security/tomoyo/audit.c:26 [inline]
tomoyo_init_log+0x11cd/0x2050 security/tomoyo/audit.c:264
tomoyo_supervisor+0x38a/0x11f0 security/tomoyo/common.c:2099
tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
tomoyo_env_perm+0x178/0x210 security/tomoyo/environ.c:63
tomoyo_environ security/tomoyo/domain.c:672 [inline]
tomoyo_find_next_domain+0x146e/0x1d40 security/tomoyo/domain.c:881
tomoyo_bprm_check_security+0x114/0x180 security/tomoyo/hooks.h:76
security_bprm_check+0x86/0x250 security/security.c:1296
search_binary_handler fs/exec.c:1740 [inline]
exec_binprm fs/exec.c:1794 [inline]
bprm_execve+0xa56/0x1770 fs/exec.c:1845
page last free pid 4743 tgid 4743 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0xcfb/0xf20 mm/page_alloc.c:2638
discard_slab mm/slub.c:2678 [inline]
__put_partials+0xeb/0x130 mm/slub.c:3146
put_cpu_partial+0x17c/0x250 mm/slub.c:3221
__slab_free+0x2ea/0x3d0 mm/slub.c:4450
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x9a/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:247 [inline]
slab_post_alloc_hook mm/slub.c:4086 [inline]
slab_alloc_node mm/slub.c:4135 [inline]
__kmalloc_cache_noprof+0x132/0x2c0 mm/slub.c:4291
kmalloc_noprof include/linux/slab.h:878 [inline]
tomoyo_print_header security/tomoyo/audit.c:156 [inline]
tomoyo_init_log+0x1ca/0x2050 security/tomoyo/audit.c:255
tomoyo_supervisor+0x38a/0x11f0 security/tomoyo/common.c:2099
tomoyo_audit_path_log security/tomoyo/file.c:168 [inline]
tomoyo_path_permission+0x243/0x360 security/tomoyo/file.c:587
tomoyo_path_perm+0x480/0x740 security/tomoyo/file.c:838
security_inode_getattr+0x130/0x330 security/security.c:2371
vfs_getattr+0x45/0x430 fs/stat.c:204
vfs_fstat fs/stat.c:229 [inline]
vfs_fstatat+0xe4/0x190 fs/stat.c:338
__do_sys_newfstatat fs/stat.c:505 [inline]
__se_sys_newfstatat fs/stat.c:499 [inline]
__x64_sys_newfstatat+0x11d/0x1a0 fs/stat.c:499
Memory state around the buggy address:
ffff88801ea57f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88801ea57f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88801ea58000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88801ea58080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88801ea58100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: 7ec46210 Merge tag 'pull-work.unaligned' of git://git...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=114d5527980000
kernel config: https://syzkaller.appspot.com/x/.config?x=d0ca089c3fc6b54e
dashboard link: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=15355527980000
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH v3] Bluetooth: SCO: Use disable_delayed_work_sync
2024-10-03 15:38 [PATCH v3] Bluetooth: SCO: Use disable_delayed_work_sync Luiz Augusto von Dentz
@ 2024-10-03 16:32 Luiz Augusto von Dentz
2024-10-03 16:53 ` [syzbot] [bluetooth?] KASAN: slab-use-after-free Write in sco_sock_timeout syzbot
0 siblings, 1 reply; 17+ messages in thread
From: Luiz Augusto von Dentz @ 2024-10-03 16:32 UTC (permalink / raw)
To: linux-bluetooth; +Cc: syzbot+4c0d0c4cde787116d465
[-- Attachment #1: Type: text/plain, Size: 3462 bytes --]
#syz test
On Thu, Oct 3, 2024 at 11:38 AM Luiz Augusto von Dentz
<luiz.dentz@gmail.com> wrote:
>
> #syz test
>
> On Wed, Oct 2, 2024 at 4:46 PM Luiz Augusto von Dentz
> <luiz.dentz@gmail.com> wrote:
> >
> > #syz test
> >
> > On Wed, Oct 2, 2024 at 3:46 PM Luiz Augusto von Dentz
> > <luiz.dentz@gmail.com> wrote:
> > >
> > > #syz test
> > >
> > > On Wed, Oct 2, 2024 at 3:19 PM Luiz Augusto von Dentz
> > > <luiz.dentz@gmail.com> wrote:
> > > >
> > > > #syz test
> > > >
> > > > On Wed, Oct 2, 2024 at 3:04 PM Luiz Augusto von Dentz
> > > > <luiz.dentz@gmail.com> wrote:
> > > > >
> > > > > From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> > > > >
> > > > > This makes use of disable_delayed_work_sync instead
> > > > > cancel_delayed_work_sync as it not only cancel the ongoing work but also
> > > > > disables new submit which is disarable since the object holding the work
> > > > > is about to be freed.
> > > > >
> > > > > In addition to it remove call to sco_sock_set_timer on __sco_sock_close
> > > > > since at that point it is useless to set a timer as the sk will be freed
> > > > > there is nothing to be done in sco_sock_timeout.
> > > > >
> > > > > Reported-by: syzbot+4c0d0c4cde787116d465@syzkaller.appspotmail.com
> > > > > Closes: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
> > > > > Fixes: ba316be1b6a0 ("Bluetooth: schedule SCO timeouts with delayed_work")
> > > > > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> > > > > ---
> > > > > net/bluetooth/sco.c | 13 +------------
> > > > > 1 file changed, 1 insertion(+), 12 deletions(-)
> > > > >
> > > > > diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
> > > > > index a5ac160c592e..2b1e66976068 100644
> > > > > --- a/net/bluetooth/sco.c
> > > > > +++ b/net/bluetooth/sco.c
> > > > > @@ -208,7 +208,7 @@ static void sco_conn_del(struct hci_conn *hcon, int err)
> > > > > }
> > > > >
> > > > > /* Ensure no more work items will run before freeing conn. */
> > > > > - cancel_delayed_work_sync(&conn->timeout_work);
> > > > > + disable_delayed_work_sync(&conn->timeout_work);
> > > > >
> > > > > hcon->sco_data = NULL;
> > > > > kfree(conn);
> > > > > @@ -442,17 +442,6 @@ static void __sco_sock_close(struct sock *sk)
> > > > >
> > > > > case BT_CONNECTED:
> > > > > case BT_CONFIG:
> > > > > - if (sco_pi(sk)->conn->hcon) {
> > > > > - sk->sk_state = BT_DISCONN;
> > > > > - sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT);
> > > > > - sco_conn_lock(sco_pi(sk)->conn);
> > > > > - hci_conn_drop(sco_pi(sk)->conn->hcon);
> > > > > - sco_pi(sk)->conn->hcon = NULL;
> > > > > - sco_conn_unlock(sco_pi(sk)->conn);
> > > > > - } else
> > > > > - sco_chan_del(sk, ECONNRESET);
> > > > > - break;
> > > > > -
> > > > > case BT_CONNECT2:
> > > > > case BT_CONNECT:
> > > > > case BT_DISCONN:
> > > > > --
> > > > > 2.46.1
> > > > >
> > > >
> > > >
> > > > --
> > > > Luiz Augusto von Dentz
> > >
> > >
> > >
> > > --
> > > Luiz Augusto von Dentz
> >
> >
> >
> > --
> > Luiz Augusto von Dentz
>
>
>
> --
> Luiz Augusto von Dentz
--
Luiz Augusto von Dentz
[-- Attachment #2: v4-0001-Bluetooth-SCO-Use-disable_delayed_work_sync.patch --]
[-- Type: text/x-patch, Size: 3733 bytes --]
From 369c62c6d6f243177ce0b1261c6eeda6ff81d097 Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: Tue, 1 Oct 2024 15:46:10 -0400
Subject: [PATCH v4] Bluetooth: SCO: Use disable_delayed_work_sync
This makes use of disable_delayed_work_sync instead
cancel_delayed_work_sync as it not only cancel the ongoing work but also
disables new submit which is disarable since the object holding the work
is about to be freed.
In addition to it remove call to sco_sock_set_timer on __sco_sock_close
since at that point it is useless to set a timer as the sk will be freed
there is nothing to be done in sco_sock_timeout.
Reported-by: syzbot+4c0d0c4cde787116d465@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
Fixes: ba316be1b6a0 ("Bluetooth: schedule SCO timeouts with delayed_work")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
net/bluetooth/sco.c | 66 +++++++++++++++++++++++----------------------
1 file changed, 34 insertions(+), 32 deletions(-)
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index a5ac160c592e..52f7382b1fcc 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -155,6 +155,26 @@ static struct sco_conn *sco_conn_add(struct hci_conn *hcon)
return conn;
}
+static void sco_conn_destruct(struct sco_conn *conn)
+{
+ if (!conn)
+ return;
+
+ BT_DBG("conn %p", conn);
+
+ if (conn->hcon) {
+ sco_conn_lock(conn);
+ conn->hcon->sco_data = NULL;
+ conn->hcon = NULL;
+ sco_conn_unlock(conn);
+ }
+
+ /* Ensure no more work items will run before freeing conn. */
+ disable_delayed_work_sync(&conn->timeout_work);
+
+ kfree(conn);
+}
+
/* Delete channel.
* Must be called on the locked socket. */
static void sco_chan_del(struct sock *sk, int err)
@@ -165,15 +185,9 @@ static void sco_chan_del(struct sock *sk, int err)
BT_DBG("sk %p, conn %p, err %d", sk, conn, err);
- if (conn) {
- sco_conn_lock(conn);
- conn->sk = NULL;
- sco_pi(sk)->conn = NULL;
- sco_conn_unlock(conn);
-
- if (conn->hcon)
- hci_conn_drop(conn->hcon);
- }
+ /* Drop HCI connection */
+ if (conn && conn->hcon)
+ hci_conn_drop(conn->hcon);
sk->sk_state = BT_CLOSED;
sk->sk_err = err;
@@ -192,26 +206,23 @@ static void sco_conn_del(struct hci_conn *hcon, int err)
BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
- /* Kill socket */
sco_conn_lock(conn);
sk = conn->sk;
if (sk)
sock_hold(sk);
sco_conn_unlock(conn);
- if (sk) {
- lock_sock(sk);
- sco_sock_clear_timer(sk);
- sco_chan_del(sk, err);
- release_sock(sk);
- sock_put(sk);
+ if (!sk) {
+ sco_conn_destruct(conn);
+ return;
}
- /* Ensure no more work items will run before freeing conn. */
- cancel_delayed_work_sync(&conn->timeout_work);
-
- hcon->sco_data = NULL;
- kfree(conn);
+ /* Kill socket */
+ lock_sock(sk);
+ sco_sock_clear_timer(sk);
+ sco_chan_del(sk, err);
+ release_sock(sk);
+ sock_put(sk);
}
static void __sco_chan_add(struct sco_conn *conn, struct sock *sk,
@@ -395,6 +406,8 @@ static void sco_sock_destruct(struct sock *sk)
{
BT_DBG("sk %p", sk);
+ sco_conn_destruct(sco_pi(sk)->conn);
+
skb_queue_purge(&sk->sk_receive_queue);
skb_queue_purge(&sk->sk_write_queue);
}
@@ -442,17 +455,6 @@ static void __sco_sock_close(struct sock *sk)
case BT_CONNECTED:
case BT_CONFIG:
- if (sco_pi(sk)->conn->hcon) {
- sk->sk_state = BT_DISCONN;
- sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT);
- sco_conn_lock(sco_pi(sk)->conn);
- hci_conn_drop(sco_pi(sk)->conn->hcon);
- sco_pi(sk)->conn->hcon = NULL;
- sco_conn_unlock(sco_pi(sk)->conn);
- } else
- sco_chan_del(sk, ECONNRESET);
- break;
-
case BT_CONNECT2:
case BT_CONNECT:
case BT_DISCONN:
--
2.46.1
^ permalink raw reply related [flat|nested] 17+ messages in thread* Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Write in sco_sock_timeout
2024-10-03 16:32 [PATCH v3] Bluetooth: SCO: Use disable_delayed_work_sync Luiz Augusto von Dentz
@ 2024-10-03 16:53 ` syzbot
0 siblings, 0 replies; 17+ messages in thread
From: syzbot @ 2024-10-03 16:53 UTC (permalink / raw)
To: linux-bluetooth, linux-kernel, luiz.dentz, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Write in sco_sock_destruct
==================================================================
BUG: KASAN: slab-use-after-free in sco_conn_destruct net/bluetooth/sco.c:167 [inline]
BUG: KASAN: slab-use-after-free in sco_sock_destruct+0xb9/0x170 net/bluetooth/sco.c:409
Write of size 8 at addr ffff88807926cfe8 by task syz-executor.0/5580
CPU: 0 UID: 0 PID: 5580 Comm: syz-executor.0 Not tainted 6.12.0-rc1-syzkaller-g7ec462100ef9-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
sco_conn_destruct net/bluetooth/sco.c:167 [inline]
sco_sock_destruct+0xb9/0x170 net/bluetooth/sco.c:409
__sk_destruct+0x5a/0x5f0 net/core/sock.c:2259
sco_sock_release+0x25e/0x320 net/bluetooth/sco.c:1261
__sock_release net/socket.c:658 [inline]
sock_close+0xbe/0x240 net/socket.c:1426
__fput+0x241/0x880 fs/file_table.c:431
task_work_run+0x251/0x310 kernel/task_work.c:228
get_signal+0x15e8/0x1740 kernel/signal.c:2690
arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0xc9/0x370 kernel/entry/common.c:218
do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f16c9a7de69
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f16ca8910c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: fffffffffffffffc RBX: 00007f16c9babf80 RCX: 00007f16c9a7de69
RDX: 0000000000000008 RSI: 0000000020000000 RDI: 0000000000000005
RBP: 00007f16c9aca47a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f16c9babf80 R15: 00007ffceef62378
</TASK>
Allocated by task 5580:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:257 [inline]
__kmalloc_cache_noprof+0x19c/0x2c0 mm/slub.c:4296
kmalloc_noprof include/linux/slab.h:878 [inline]
kzalloc_noprof include/linux/slab.h:1014 [inline]
__hci_conn_add+0x2f9/0x1850 net/bluetooth/hci_conn.c:932
hci_conn_add_unset net/bluetooth/hci_conn.c:1041 [inline]
hci_connect_sco+0xd0/0x370 net/bluetooth/hci_conn.c:1689
sco_connect net/bluetooth/sco.c:281 [inline]
sco_sock_connect+0x2fc/0x990 net/bluetooth/sco.c:598
__sys_connect_file net/socket.c:2066 [inline]
__sys_connect+0x2d3/0x300 net/socket.c:2083
__do_sys_connect net/socket.c:2093 [inline]
__se_sys_connect net/socket.c:2090 [inline]
__x64_sys_connect+0x7a/0x90 net/socket.c:2090
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 54:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:2343 [inline]
slab_free mm/slub.c:4580 [inline]
kfree+0x1a0/0x440 mm/slub.c:4728
device_release+0x9b/0x1c0
kobject_cleanup lib/kobject.c:689 [inline]
kobject_release lib/kobject.c:720 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x231/0x480 lib/kobject.c:737
hci_conn_cleanup net/bluetooth/hci_conn.c:174 [inline]
hci_conn_del+0x8c4/0xc40 net/bluetooth/hci_conn.c:1160
hci_abort_conn_sync+0x583/0xde0 net/bluetooth/hci_sync.c:5586
hci_cmd_sync_work+0x22d/0x400 net/bluetooth/hci_sync.c:328
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f2/0x390 kernel/kthread.c:389
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Last potentially related work creation:
kasan_save_stack+0x3f/0x60 mm/kasan/common.c:47
__kasan_record_aux_stack+0xac/0xc0 mm/kasan/generic.c:541
insert_work+0x3e/0x330 kernel/workqueue.c:2183
__queue_work+0xc8b/0xf50 kernel/workqueue.c:2339
queue_delayed_work_on+0x1ca/0x390 kernel/workqueue.c:2552
sco_chan_del net/bluetooth/sco.c:190 [inline]
__sco_sock_close+0x22b/0x430 net/bluetooth/sco.c:461
sco_sock_close net/bluetooth/sco.c:476 [inline]
sco_sock_release+0xb3/0x320 net/bluetooth/sco.c:1251
__sock_release net/socket.c:658 [inline]
sock_close+0xbe/0x240 net/socket.c:1426
__fput+0x241/0x880 fs/file_table.c:431
task_work_run+0x251/0x310 kernel/task_work.c:228
get_signal+0x15e8/0x1740 kernel/signal.c:2690
arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0xc9/0x370 kernel/entry/common.c:218
do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff88807926c000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 4072 bytes inside of
freed 8192-byte region [ffff88807926c000, ffff88807926e000)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x79268
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff888015442280 0000000000000000 0000000000000001
raw: 0000000000000000 0000000080020002 00000001f5000000 0000000000000000
head: 00fff00000000040 ffff888015442280 0000000000000000 0000000000000001
head: 0000000000000000 0000000080020002 00000001f5000000 0000000000000000
head: 00fff00000000003 ffffea0001e49a01 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4757, tgid 4757 (start-stop-daem), ts 32264510159, free_ts 32243341192
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0x3045/0x3190 mm/page_alloc.c:3457
__alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4733
alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
alloc_slab_page+0x6a/0x120 mm/slub.c:2413
allocate_slab+0x5a/0x2f0 mm/slub.c:2579
new_slab mm/slub.c:2632 [inline]
___slab_alloc+0xcd1/0x14b0 mm/slub.c:3819
__slab_alloc+0x58/0xa0 mm/slub.c:3909
__slab_alloc_node mm/slub.c:3962 [inline]
slab_alloc_node mm/slub.c:4123 [inline]
__kmalloc_cache_noprof+0x1d5/0x2c0 mm/slub.c:4291
kmalloc_noprof include/linux/slab.h:878 [inline]
kzalloc_noprof include/linux/slab.h:1014 [inline]
tomoyo_print_bprm security/tomoyo/audit.c:26 [inline]
tomoyo_init_log+0x11cd/0x2050 security/tomoyo/audit.c:264
tomoyo_supervisor+0x38a/0x11f0 security/tomoyo/common.c:2099
tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
tomoyo_env_perm+0x178/0x210 security/tomoyo/environ.c:63
tomoyo_environ security/tomoyo/domain.c:672 [inline]
tomoyo_find_next_domain+0x146e/0x1d40 security/tomoyo/domain.c:881
tomoyo_bprm_check_security+0x114/0x180 security/tomoyo/hooks.h:76
security_bprm_check+0x86/0x250 security/security.c:1296
search_binary_handler fs/exec.c:1740 [inline]
exec_binprm fs/exec.c:1794 [inline]
bprm_execve+0xa56/0x1770 fs/exec.c:1845
page last free pid 4757 tgid 4757 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0xcfb/0xf20 mm/page_alloc.c:2638
discard_slab mm/slub.c:2678 [inline]
__put_partials+0xeb/0x130 mm/slub.c:3146
put_cpu_partial+0x17c/0x250 mm/slub.c:3221
__slab_free+0x2ea/0x3d0 mm/slub.c:4450
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x9a/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:247 [inline]
slab_post_alloc_hook mm/slub.c:4086 [inline]
slab_alloc_node mm/slub.c:4135 [inline]
__do_kmalloc_node mm/slub.c:4264 [inline]
__kmalloc_noprof+0x1a6/0x400 mm/slub.c:4277
kmalloc_noprof include/linux/slab.h:882 [inline]
load_elf_phdrs fs/binfmt_elf.c:526 [inline]
load_elf_binary+0x2eb/0x2710 fs/binfmt_elf.c:855
search_binary_handler fs/exec.c:1752 [inline]
exec_binprm fs/exec.c:1794 [inline]
bprm_execve+0xafa/0x1770 fs/exec.c:1845
do_execveat_common+0x55f/0x6f0 fs/exec.c:1952
do_execve fs/exec.c:2026 [inline]
__do_sys_execve fs/exec.c:2102 [inline]
__se_sys_execve fs/exec.c:2097 [inline]
__x64_sys_execve+0x92/0xb0 fs/exec.c:2097
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff88807926ce80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807926cf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88807926cf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88807926d000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807926d080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: 7ec46210 Merge tag 'pull-work.unaligned' of git://git...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13e97580580000
kernel config: https://syzkaller.appspot.com/x/.config?x=d0ca089c3fc6b54e
dashboard link: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=11f17580580000
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH v3] Bluetooth: SCO: Use disable_delayed_work_sync
2024-10-03 16:32 [PATCH v3] Bluetooth: SCO: Use disable_delayed_work_sync Luiz Augusto von Dentz
@ 2024-10-03 19:21 Luiz Augusto von Dentz
2024-10-03 19:44 ` [syzbot] [bluetooth?] KASAN: slab-use-after-free Write in sco_sock_timeout syzbot
0 siblings, 1 reply; 17+ messages in thread
From: Luiz Augusto von Dentz @ 2024-10-03 19:21 UTC (permalink / raw)
To: linux-bluetooth; +Cc: syzbot+4c0d0c4cde787116d465
[-- Attachment #1: Type: text/plain, Size: 3801 bytes --]
#syz test
On Thu, Oct 3, 2024 at 12:32 PM Luiz Augusto von Dentz
<luiz.dentz@gmail.com> wrote:
>
> #syz test
>
> On Thu, Oct 3, 2024 at 11:38 AM Luiz Augusto von Dentz
> <luiz.dentz@gmail.com> wrote:
> >
> > #syz test
> >
> > On Wed, Oct 2, 2024 at 4:46 PM Luiz Augusto von Dentz
> > <luiz.dentz@gmail.com> wrote:
> > >
> > > #syz test
> > >
> > > On Wed, Oct 2, 2024 at 3:46 PM Luiz Augusto von Dentz
> > > <luiz.dentz@gmail.com> wrote:
> > > >
> > > > #syz test
> > > >
> > > > On Wed, Oct 2, 2024 at 3:19 PM Luiz Augusto von Dentz
> > > > <luiz.dentz@gmail.com> wrote:
> > > > >
> > > > > #syz test
> > > > >
> > > > > On Wed, Oct 2, 2024 at 3:04 PM Luiz Augusto von Dentz
> > > > > <luiz.dentz@gmail.com> wrote:
> > > > > >
> > > > > > From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> > > > > >
> > > > > > This makes use of disable_delayed_work_sync instead
> > > > > > cancel_delayed_work_sync as it not only cancel the ongoing work but also
> > > > > > disables new submit which is disarable since the object holding the work
> > > > > > is about to be freed.
> > > > > >
> > > > > > In addition to it remove call to sco_sock_set_timer on __sco_sock_close
> > > > > > since at that point it is useless to set a timer as the sk will be freed
> > > > > > there is nothing to be done in sco_sock_timeout.
> > > > > >
> > > > > > Reported-by: syzbot+4c0d0c4cde787116d465@syzkaller.appspotmail.com
> > > > > > Closes: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
> > > > > > Fixes: ba316be1b6a0 ("Bluetooth: schedule SCO timeouts with delayed_work")
> > > > > > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> > > > > > ---
> > > > > > net/bluetooth/sco.c | 13 +------------
> > > > > > 1 file changed, 1 insertion(+), 12 deletions(-)
> > > > > >
> > > > > > diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
> > > > > > index a5ac160c592e..2b1e66976068 100644
> > > > > > --- a/net/bluetooth/sco.c
> > > > > > +++ b/net/bluetooth/sco.c
> > > > > > @@ -208,7 +208,7 @@ static void sco_conn_del(struct hci_conn *hcon, int err)
> > > > > > }
> > > > > >
> > > > > > /* Ensure no more work items will run before freeing conn. */
> > > > > > - cancel_delayed_work_sync(&conn->timeout_work);
> > > > > > + disable_delayed_work_sync(&conn->timeout_work);
> > > > > >
> > > > > > hcon->sco_data = NULL;
> > > > > > kfree(conn);
> > > > > > @@ -442,17 +442,6 @@ static void __sco_sock_close(struct sock *sk)
> > > > > >
> > > > > > case BT_CONNECTED:
> > > > > > case BT_CONFIG:
> > > > > > - if (sco_pi(sk)->conn->hcon) {
> > > > > > - sk->sk_state = BT_DISCONN;
> > > > > > - sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT);
> > > > > > - sco_conn_lock(sco_pi(sk)->conn);
> > > > > > - hci_conn_drop(sco_pi(sk)->conn->hcon);
> > > > > > - sco_pi(sk)->conn->hcon = NULL;
> > > > > > - sco_conn_unlock(sco_pi(sk)->conn);
> > > > > > - } else
> > > > > > - sco_chan_del(sk, ECONNRESET);
> > > > > > - break;
> > > > > > -
> > > > > > case BT_CONNECT2:
> > > > > > case BT_CONNECT:
> > > > > > case BT_DISCONN:
> > > > > > --
> > > > > > 2.46.1
> > > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Luiz Augusto von Dentz
> > > >
> > > >
> > > >
> > > > --
> > > > Luiz Augusto von Dentz
> > >
> > >
> > >
> > > --
> > > Luiz Augusto von Dentz
> >
> >
> >
> > --
> > Luiz Augusto von Dentz
>
>
>
> --
> Luiz Augusto von Dentz
--
Luiz Augusto von Dentz
[-- Attachment #2: v4-0002-Bluetooth-ISO-Use-disable_delayed_work_sync.patch --]
[-- Type: text/x-patch, Size: 3405 bytes --]
From 87b1ba6a0644ada293d1687eb382d94ae8269f3b Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: Tue, 1 Oct 2024 16:15:51 -0400
Subject: [PATCH v4 2/2] Bluetooth: ISO: Use disable_delayed_work_sync
This makes use of disable_delayed_work_sync instead
cancel_delayed_work_sync as it not only cancels the ongoing work but also
disables new submissions which is disarable since the object holding the
work is about to be freed.
In addition to it remove call to iso_sock_set_timer on iso_sock_disconn
since at that point it is useless to set a timer as the sk will be freed
there is nothing to be done in iso_sock_timeout.
Fixes: ccf74f2390d6 ("Bluetooth: Add BTPROTO_ISO socket type")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
net/bluetooth/iso.c | 55 +++++++++++++++++++++++++++++++++------------
1 file changed, 41 insertions(+), 14 deletions(-)
diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
index d5e00d0dd1a0..cff04efc59f7 100644
--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -163,6 +163,21 @@ static struct iso_conn *iso_conn_add(struct hci_conn *hcon)
return conn;
}
+static void iso_conn_drop(struct iso_conn *conn)
+{
+ if (!conn || !conn->hcon)
+ return;
+
+ BT_DBG("conn %p hcon %p", conn, conn->hcon);
+
+ hci_conn_drop(conn->hcon);
+
+ iso_conn_lock(conn);
+ conn->hcon->iso_data = NULL;
+ conn->hcon = NULL;
+ iso_conn_unlock(conn);
+}
+
/* Delete channel. Must be called on the locked socket. */
static void iso_chan_del(struct sock *sk, int err)
{
@@ -179,8 +194,7 @@ static void iso_chan_del(struct sock *sk, int err)
iso_pi(sk)->conn = NULL;
iso_conn_unlock(conn);
- if (conn->hcon)
- hci_conn_drop(conn->hcon);
+ iso_conn_drop(conn);
}
sk->sk_state = BT_CLOSED;
@@ -197,6 +211,21 @@ static void iso_chan_del(struct sock *sk, int err)
sock_set_flag(sk, SOCK_ZAPPED);
}
+static void iso_conn_destruct(struct iso_conn *conn)
+{
+ if (!conn)
+ return;
+
+ BT_DBG("conn %p", conn);
+
+ iso_conn_drop(conn);
+
+ /* Ensure no more work items will run before freeing conn. */
+ disable_delayed_work_sync(&conn->timeout_work);
+
+ kfree(conn);
+}
+
static void iso_conn_del(struct hci_conn *hcon, int err)
{
struct iso_conn *conn = hcon->iso_data;
@@ -214,19 +243,16 @@ static void iso_conn_del(struct hci_conn *hcon, int err)
sock_hold(sk);
iso_conn_unlock(conn);
- if (sk) {
- lock_sock(sk);
- iso_sock_clear_timer(sk);
- iso_chan_del(sk, err);
- release_sock(sk);
- sock_put(sk);
+ if (!sk) {
+ iso_conn_destruct(conn);
+ return;
}
- /* Ensure no more work items will run before freeing conn. */
- cancel_delayed_work_sync(&conn->timeout_work);
-
- hcon->iso_data = NULL;
- kfree(conn);
+ lock_sock(sk);
+ iso_sock_clear_timer(sk);
+ iso_chan_del(sk, err);
+ release_sock(sk);
+ sock_put(sk);
}
static int __iso_chan_add(struct iso_conn *conn, struct sock *sk,
@@ -646,6 +672,8 @@ static void iso_sock_destruct(struct sock *sk)
{
BT_DBG("sk %p", sk);
+ iso_conn_destruct(iso_pi(sk)->conn);
+
skb_queue_purge(&sk->sk_receive_queue);
skb_queue_purge(&sk->sk_write_queue);
}
@@ -714,7 +742,6 @@ static void iso_sock_disconn(struct sock *sk)
}
sk->sk_state = BT_DISCONN;
- iso_sock_set_timer(sk, ISO_DISCONN_TIMEOUT);
iso_conn_lock(iso_pi(sk)->conn);
hci_conn_drop(iso_pi(sk)->conn->hcon);
iso_pi(sk)->conn->hcon = NULL;
--
2.46.1
^ permalink raw reply related [flat|nested] 17+ messages in thread* Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Write in sco_sock_timeout
2024-10-03 19:21 [PATCH v3] Bluetooth: SCO: Use disable_delayed_work_sync Luiz Augusto von Dentz
@ 2024-10-03 19:44 ` syzbot
2024-10-03 20:06 ` Luiz Augusto von Dentz
0 siblings, 1 reply; 17+ messages in thread
From: syzbot @ 2024-10-03 19:44 UTC (permalink / raw)
To: linux-bluetooth, linux-kernel, luiz.dentz, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Write in sco_sock_timeout
==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: slab-use-after-free in atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
BUG: KASAN: slab-use-after-free in __refcount_add include/linux/refcount.h:184 [inline]
BUG: KASAN: slab-use-after-free in __refcount_inc include/linux/refcount.h:241 [inline]
BUG: KASAN: slab-use-after-free in refcount_inc include/linux/refcount.h:258 [inline]
BUG: KASAN: slab-use-after-free in sock_hold include/net/sock.h:781 [inline]
BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x8b/0x270 net/bluetooth/sco.c:92
Write of size 4 at addr ffff88802639a080 by task kworker/1:2/1808
CPU: 1 UID: 0 PID: 1808 Comm: kworker/1:2 Not tainted 6.12.0-rc1-syzkaller-00113-g8c245fe7dde3-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: events sco_sock_timeout
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
__refcount_add include/linux/refcount.h:184 [inline]
__refcount_inc include/linux/refcount.h:241 [inline]
refcount_inc include/linux/refcount.h:258 [inline]
sock_hold include/net/sock.h:781 [inline]
sco_sock_timeout+0x8b/0x270 net/bluetooth/sco.c:92
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f2/0x390 kernel/kthread.c:389
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Allocated by task 25:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:257 [inline]
__do_kmalloc_node mm/slub.c:4265 [inline]
__kmalloc_node_track_caller_noprof+0x225/0x440 mm/slub.c:4284
kmalloc_reserve+0x111/0x2a0 net/core/skbuff.c:609
__alloc_skb+0x1f3/0x440 net/core/skbuff.c:678
alloc_skb include/linux/skbuff.h:1322 [inline]
nsim_dev_trap_skb_build drivers/net/netdevsim/dev.c:748 [inline]
nsim_dev_trap_report drivers/net/netdevsim/dev.c:805 [inline]
nsim_dev_trap_report_work+0x254/0xaa0 drivers/net/netdevsim/dev.c:850
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f2/0x390 kernel/kthread.c:389
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Freed by task 25:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:2343 [inline]
slab_free mm/slub.c:4580 [inline]
kfree+0x1a0/0x440 mm/slub.c:4728
skb_kfree_head net/core/skbuff.c:1086 [inline]
skb_free_head net/core/skbuff.c:1098 [inline]
skb_release_data+0x6a0/0x8a0 net/core/skbuff.c:1125
skb_release_all net/core/skbuff.c:1190 [inline]
__kfree_skb net/core/skbuff.c:1204 [inline]
consume_skb+0x9f/0xf0 net/core/skbuff.c:1436
nsim_dev_trap_report drivers/net/netdevsim/dev.c:821 [inline]
nsim_dev_trap_report_work+0x765/0xaa0 drivers/net/netdevsim/dev.c:850
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f2/0x390 kernel/kthread.c:389
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
The buggy address belongs to the object at ffff88802639a000
which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 128 bytes inside of
freed 4096-byte region [ffff88802639a000, ffff88802639b000)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x26398
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff888015442140 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000040004 00000001f5000000 0000000000000000
head: 00fff00000000040 ffff888015442140 dead000000000122 0000000000000000
head: 0000000000000000 0000000000040004 00000001f5000000 0000000000000000
head: 00fff00000000003 ffffea000098e601 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5398, tgid 5398 (udevd), ts 123333990998, free_ts 123322335448
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0x3045/0x3190 mm/page_alloc.c:3457
__alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4733
alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
alloc_slab_page+0x6a/0x120 mm/slub.c:2413
allocate_slab+0x5a/0x2f0 mm/slub.c:2579
new_slab mm/slub.c:2632 [inline]
___slab_alloc+0xcd1/0x14b0 mm/slub.c:3819
__slab_alloc+0x58/0xa0 mm/slub.c:3909
__slab_alloc_node mm/slub.c:3962 [inline]
slab_alloc_node mm/slub.c:4123 [inline]
__do_kmalloc_node mm/slub.c:4264 [inline]
__kmalloc_noprof+0x25a/0x400 mm/slub.c:4277
kmalloc_noprof include/linux/slab.h:882 [inline]
tomoyo_realpath_from_path+0xcf/0x5e0 security/tomoyo/realpath.c:251
tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
tomoyo_path2_perm+0x3eb/0xbb0 security/tomoyo/file.c:923
tomoyo_path_rename+0x198/0x1e0 security/tomoyo/hooks.h:274
security_path_rename+0x266/0x4e0 security/security.c:2020
do_renameat2+0x94a/0x13f0 fs/namei.c:5157
__do_sys_rename fs/namei.c:5217 [inline]
__se_sys_rename fs/namei.c:5215 [inline]
__x64_sys_rename+0x82/0x90 fs/namei.c:5215
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
page last free pid 4548 tgid 4548 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0xcfb/0xf20 mm/page_alloc.c:2638
__slab_free+0x31b/0x3d0 mm/slub.c:4491
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x9a/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:247 [inline]
slab_post_alloc_hook mm/slub.c:4086 [inline]
slab_alloc_node mm/slub.c:4135 [inline]
__do_kmalloc_node mm/slub.c:4264 [inline]
__kmalloc_noprof+0x1a6/0x400 mm/slub.c:4277
kmalloc_noprof include/linux/slab.h:882 [inline]
tomoyo_realpath_from_path+0xcf/0x5e0 security/tomoyo/realpath.c:251
tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
tomoyo_path_perm+0x2b7/0x740 security/tomoyo/file.c:822
security_inode_getattr+0x130/0x330 security/security.c:2371
vfs_getattr+0x45/0x430 fs/stat.c:204
vfs_fstat fs/stat.c:229 [inline]
vfs_fstatat+0xe4/0x190 fs/stat.c:338
__do_sys_newfstatat fs/stat.c:505 [inline]
__se_sys_newfstatat fs/stat.c:499 [inline]
__x64_sys_newfstatat+0x11d/0x1a0 fs/stat.c:499
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff888026399f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88802639a000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88802639a080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88802639a100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88802639a180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: 8c245fe7 Merge tag 'net-6.12-rc2' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13156307980000
kernel config: https://syzkaller.appspot.com/x/.config?x=d0ca089c3fc6b54e
dashboard link: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=17377580580000
^ permalink raw reply [flat|nested] 17+ messages in thread* Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Write in sco_sock_timeout
2024-10-03 19:44 ` [syzbot] [bluetooth?] KASAN: slab-use-after-free Write in sco_sock_timeout syzbot
@ 2024-10-03 20:06 ` Luiz Augusto von Dentz
0 siblings, 0 replies; 17+ messages in thread
From: Luiz Augusto von Dentz @ 2024-10-03 20:06 UTC (permalink / raw)
To: syzbot; +Cc: linux-bluetooth, linux-kernel, syzkaller-bugs
On Thu, Oct 3, 2024 at 3:44 PM syzbot
<syzbot+4c0d0c4cde787116d465@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> KASAN: slab-use-after-free Write in sco_sock_timeout
>
> ==================================================================
> BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
> BUG: KASAN: slab-use-after-free in atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
> BUG: KASAN: slab-use-after-free in __refcount_add include/linux/refcount.h:184 [inline]
> BUG: KASAN: slab-use-after-free in __refcount_inc include/linux/refcount.h:241 [inline]
> BUG: KASAN: slab-use-after-free in refcount_inc include/linux/refcount.h:258 [inline]
> BUG: KASAN: slab-use-after-free in sock_hold include/net/sock.h:781 [inline]
> BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x8b/0x270 net/bluetooth/sco.c:92
> Write of size 4 at addr ffff88802639a080 by task kworker/1:2/1808
This really doesn't make much sense, it seems this is catching a UAF
on sock_hold but the backtrace shows it was freed with skb_free, even
if the memory was reclaimed and then reallocated that would just it
more difficult to find out why this is happening.
> CPU: 1 UID: 0 PID: 1808 Comm: kworker/1:2 Not tainted 6.12.0-rc1-syzkaller-00113-g8c245fe7dde3-dirty #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
> Workqueue: events sco_sock_timeout
> Call Trace:
> <TASK>
> __dump_stack lib/dump_stack.c:94 [inline]
> dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
> print_address_description mm/kasan/report.c:377 [inline]
> print_report+0x169/0x550 mm/kasan/report.c:488
> kasan_report+0x143/0x180 mm/kasan/report.c:601
> kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
> instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
> atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
> __refcount_add include/linux/refcount.h:184 [inline]
> __refcount_inc include/linux/refcount.h:241 [inline]
> refcount_inc include/linux/refcount.h:258 [inline]
> sock_hold include/net/sock.h:781 [inline]
> sco_sock_timeout+0x8b/0x270 net/bluetooth/sco.c:92
> process_one_work kernel/workqueue.c:3229 [inline]
> process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
> worker_thread+0x870/0xd30 kernel/workqueue.c:3391
> kthread+0x2f2/0x390 kernel/kthread.c:389
> ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
> </TASK>
>
> Allocated by task 25:
> kasan_save_stack mm/kasan/common.c:47 [inline]
> kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
> poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
> __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
> kasan_kmalloc include/linux/kasan.h:257 [inline]
> __do_kmalloc_node mm/slub.c:4265 [inline]
> __kmalloc_node_track_caller_noprof+0x225/0x440 mm/slub.c:4284
> kmalloc_reserve+0x111/0x2a0 net/core/skbuff.c:609
> __alloc_skb+0x1f3/0x440 net/core/skbuff.c:678
> alloc_skb include/linux/skbuff.h:1322 [inline]
> nsim_dev_trap_skb_build drivers/net/netdevsim/dev.c:748 [inline]
> nsim_dev_trap_report drivers/net/netdevsim/dev.c:805 [inline]
> nsim_dev_trap_report_work+0x254/0xaa0 drivers/net/netdevsim/dev.c:850
> process_one_work kernel/workqueue.c:3229 [inline]
> process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
> worker_thread+0x870/0xd30 kernel/workqueue.c:3391
> kthread+0x2f2/0x390 kernel/kthread.c:389
> ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
>
> Freed by task 25:
> kasan_save_stack mm/kasan/common.c:47 [inline]
> kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
> kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
> poison_slab_object mm/kasan/common.c:247 [inline]
> __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
> kasan_slab_free include/linux/kasan.h:230 [inline]
> slab_free_hook mm/slub.c:2343 [inline]
> slab_free mm/slub.c:4580 [inline]
> kfree+0x1a0/0x440 mm/slub.c:4728
> skb_kfree_head net/core/skbuff.c:1086 [inline]
> skb_free_head net/core/skbuff.c:1098 [inline]
> skb_release_data+0x6a0/0x8a0 net/core/skbuff.c:1125
> skb_release_all net/core/skbuff.c:1190 [inline]
> __kfree_skb net/core/skbuff.c:1204 [inline]
> consume_skb+0x9f/0xf0 net/core/skbuff.c:1436
> nsim_dev_trap_report drivers/net/netdevsim/dev.c:821 [inline]
> nsim_dev_trap_report_work+0x765/0xaa0 drivers/net/netdevsim/dev.c:850
> process_one_work kernel/workqueue.c:3229 [inline]
> process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
> worker_thread+0x870/0xd30 kernel/workqueue.c:3391
> kthread+0x2f2/0x390 kernel/kthread.c:389
> ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
>
> The buggy address belongs to the object at ffff88802639a000
> which belongs to the cache kmalloc-4k of size 4096
> The buggy address is located 128 bytes inside of
> freed 4096-byte region [ffff88802639a000, ffff88802639b000)
>
> The buggy address belongs to the physical page:
> page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x26398
> head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
> flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
> page_type: f5(slab)
> raw: 00fff00000000040 ffff888015442140 dead000000000122 0000000000000000
> raw: 0000000000000000 0000000000040004 00000001f5000000 0000000000000000
> head: 00fff00000000040 ffff888015442140 dead000000000122 0000000000000000
> head: 0000000000000000 0000000000040004 00000001f5000000 0000000000000000
> head: 00fff00000000003 ffffea000098e601 ffffffffffffffff 0000000000000000
> head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
> page dumped because: kasan: bad access detected
> page_owner tracks the page as allocated
> page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5398, tgid 5398 (udevd), ts 123333990998, free_ts 123322335448
> set_page_owner include/linux/page_owner.h:32 [inline]
> post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
> prep_new_page mm/page_alloc.c:1545 [inline]
> get_page_from_freelist+0x3045/0x3190 mm/page_alloc.c:3457
> __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4733
> alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
> alloc_slab_page+0x6a/0x120 mm/slub.c:2413
> allocate_slab+0x5a/0x2f0 mm/slub.c:2579
> new_slab mm/slub.c:2632 [inline]
> ___slab_alloc+0xcd1/0x14b0 mm/slub.c:3819
> __slab_alloc+0x58/0xa0 mm/slub.c:3909
> __slab_alloc_node mm/slub.c:3962 [inline]
> slab_alloc_node mm/slub.c:4123 [inline]
> __do_kmalloc_node mm/slub.c:4264 [inline]
> __kmalloc_noprof+0x25a/0x400 mm/slub.c:4277
> kmalloc_noprof include/linux/slab.h:882 [inline]
> tomoyo_realpath_from_path+0xcf/0x5e0 security/tomoyo/realpath.c:251
> tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
> tomoyo_path2_perm+0x3eb/0xbb0 security/tomoyo/file.c:923
> tomoyo_path_rename+0x198/0x1e0 security/tomoyo/hooks.h:274
> security_path_rename+0x266/0x4e0 security/security.c:2020
> do_renameat2+0x94a/0x13f0 fs/namei.c:5157
> __do_sys_rename fs/namei.c:5217 [inline]
> __se_sys_rename fs/namei.c:5215 [inline]
> __x64_sys_rename+0x82/0x90 fs/namei.c:5215
> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
> page last free pid 4548 tgid 4548 stack trace:
> reset_page_owner include/linux/page_owner.h:25 [inline]
> free_pages_prepare mm/page_alloc.c:1108 [inline]
> free_unref_page+0xcfb/0xf20 mm/page_alloc.c:2638
> __slab_free+0x31b/0x3d0 mm/slub.c:4491
> qlink_free mm/kasan/quarantine.c:163 [inline]
> qlist_free_all+0x9a/0x140 mm/kasan/quarantine.c:179
> kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
> __kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:329
> kasan_slab_alloc include/linux/kasan.h:247 [inline]
> slab_post_alloc_hook mm/slub.c:4086 [inline]
> slab_alloc_node mm/slub.c:4135 [inline]
> __do_kmalloc_node mm/slub.c:4264 [inline]
> __kmalloc_noprof+0x1a6/0x400 mm/slub.c:4277
> kmalloc_noprof include/linux/slab.h:882 [inline]
> tomoyo_realpath_from_path+0xcf/0x5e0 security/tomoyo/realpath.c:251
> tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
> tomoyo_path_perm+0x2b7/0x740 security/tomoyo/file.c:822
> security_inode_getattr+0x130/0x330 security/security.c:2371
> vfs_getattr+0x45/0x430 fs/stat.c:204
> vfs_fstat fs/stat.c:229 [inline]
> vfs_fstatat+0xe4/0x190 fs/stat.c:338
> __do_sys_newfstatat fs/stat.c:505 [inline]
> __se_sys_newfstatat fs/stat.c:499 [inline]
> __x64_sys_newfstatat+0x11d/0x1a0 fs/stat.c:499
> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> Memory state around the buggy address:
> ffff888026399f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff88802639a000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> >ffff88802639a080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ^
> ffff88802639a100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff88802639a180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ==================================================================
>
>
> Tested on:
>
> commit: 8c245fe7 Merge tag 'net-6.12-rc2' of git://git.kernel...
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=13156307980000
> kernel config: https://syzkaller.appspot.com/x/.config?x=d0ca089c3fc6b54e
> dashboard link: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
> compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> patch: https://syzkaller.appspot.com/x/patch.diff?x=17377580580000
>
--
Luiz Augusto von Dentz
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH v3] Bluetooth: SCO: Use disable_delayed_work_sync
2024-10-03 19:21 [PATCH v3] Bluetooth: SCO: Use disable_delayed_work_sync Luiz Augusto von Dentz
@ 2024-10-04 16:06 Luiz Augusto von Dentz
2024-10-04 16:34 ` [syzbot] [bluetooth?] KASAN: slab-use-after-free Write in sco_sock_timeout syzbot
0 siblings, 1 reply; 17+ messages in thread
From: Luiz Augusto von Dentz @ 2024-10-04 16:06 UTC (permalink / raw)
To: linux-bluetooth; +Cc: syzbot+4c0d0c4cde787116d465
[-- Attachment #1: Type: text/plain, Size: 4159 bytes --]
#syz test
On Thu, Oct 3, 2024 at 3:21 PM Luiz Augusto von Dentz
<luiz.dentz@gmail.com> wrote:
>
> #syz test
>
> On Thu, Oct 3, 2024 at 12:32 PM Luiz Augusto von Dentz
> <luiz.dentz@gmail.com> wrote:
> >
> > #syz test
> >
> > On Thu, Oct 3, 2024 at 11:38 AM Luiz Augusto von Dentz
> > <luiz.dentz@gmail.com> wrote:
> > >
> > > #syz test
> > >
> > > On Wed, Oct 2, 2024 at 4:46 PM Luiz Augusto von Dentz
> > > <luiz.dentz@gmail.com> wrote:
> > > >
> > > > #syz test
> > > >
> > > > On Wed, Oct 2, 2024 at 3:46 PM Luiz Augusto von Dentz
> > > > <luiz.dentz@gmail.com> wrote:
> > > > >
> > > > > #syz test
> > > > >
> > > > > On Wed, Oct 2, 2024 at 3:19 PM Luiz Augusto von Dentz
> > > > > <luiz.dentz@gmail.com> wrote:
> > > > > >
> > > > > > #syz test
> > > > > >
> > > > > > On Wed, Oct 2, 2024 at 3:04 PM Luiz Augusto von Dentz
> > > > > > <luiz.dentz@gmail.com> wrote:
> > > > > > >
> > > > > > > From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> > > > > > >
> > > > > > > This makes use of disable_delayed_work_sync instead
> > > > > > > cancel_delayed_work_sync as it not only cancel the ongoing work but also
> > > > > > > disables new submit which is disarable since the object holding the work
> > > > > > > is about to be freed.
> > > > > > >
> > > > > > > In addition to it remove call to sco_sock_set_timer on __sco_sock_close
> > > > > > > since at that point it is useless to set a timer as the sk will be freed
> > > > > > > there is nothing to be done in sco_sock_timeout.
> > > > > > >
> > > > > > > Reported-by: syzbot+4c0d0c4cde787116d465@syzkaller.appspotmail.com
> > > > > > > Closes: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
> > > > > > > Fixes: ba316be1b6a0 ("Bluetooth: schedule SCO timeouts with delayed_work")
> > > > > > > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> > > > > > > ---
> > > > > > > net/bluetooth/sco.c | 13 +------------
> > > > > > > 1 file changed, 1 insertion(+), 12 deletions(-)
> > > > > > >
> > > > > > > diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
> > > > > > > index a5ac160c592e..2b1e66976068 100644
> > > > > > > --- a/net/bluetooth/sco.c
> > > > > > > +++ b/net/bluetooth/sco.c
> > > > > > > @@ -208,7 +208,7 @@ static void sco_conn_del(struct hci_conn *hcon, int err)
> > > > > > > }
> > > > > > >
> > > > > > > /* Ensure no more work items will run before freeing conn. */
> > > > > > > - cancel_delayed_work_sync(&conn->timeout_work);
> > > > > > > + disable_delayed_work_sync(&conn->timeout_work);
> > > > > > >
> > > > > > > hcon->sco_data = NULL;
> > > > > > > kfree(conn);
> > > > > > > @@ -442,17 +442,6 @@ static void __sco_sock_close(struct sock *sk)
> > > > > > >
> > > > > > > case BT_CONNECTED:
> > > > > > > case BT_CONFIG:
> > > > > > > - if (sco_pi(sk)->conn->hcon) {
> > > > > > > - sk->sk_state = BT_DISCONN;
> > > > > > > - sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT);
> > > > > > > - sco_conn_lock(sco_pi(sk)->conn);
> > > > > > > - hci_conn_drop(sco_pi(sk)->conn->hcon);
> > > > > > > - sco_pi(sk)->conn->hcon = NULL;
> > > > > > > - sco_conn_unlock(sco_pi(sk)->conn);
> > > > > > > - } else
> > > > > > > - sco_chan_del(sk, ECONNRESET);
> > > > > > > - break;
> > > > > > > -
> > > > > > > case BT_CONNECT2:
> > > > > > > case BT_CONNECT:
> > > > > > > case BT_DISCONN:
> > > > > > > --
> > > > > > > 2.46.1
> > > > > > >
> > > > > >
> > > > > >
> > > > > > --
> > > > > > Luiz Augusto von Dentz
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Luiz Augusto von Dentz
> > > >
> > > >
> > > >
> > > > --
> > > > Luiz Augusto von Dentz
> > >
> > >
> > >
> > > --
> > > Luiz Augusto von Dentz
> >
> >
> >
> > --
> > Luiz Augusto von Dentz
>
>
>
> --
> Luiz Augusto von Dentz
--
Luiz Augusto von Dentz
[-- Attachment #2: v4-0001-Bluetooth-SCO-Use-disable_delayed_work_sync.patch --]
[-- Type: text/x-patch, Size: 3726 bytes --]
From 4122dbcb847ebbc4ae72620230bbc8b926cd44f5 Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: Tue, 1 Oct 2024 15:46:10 -0400
Subject: [PATCH v4 1/2] Bluetooth: SCO: Use disable_delayed_work_sync
This makes use of disable_delayed_work_sync instead
cancel_delayed_work_sync as it not only cancel the ongoing work but also
disables new submit which is disarable since the object holding the work
is about to be freed.
In addition to it remove call to sco_sock_set_timer on __sco_sock_close
since at that point it is useless to set a timer as the sk will be freed
there is nothing to be done in sco_sock_timeout.
Reported-by: syzbot+4c0d0c4cde787116d465@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
Fixes: ba316be1b6a0 ("Bluetooth: schedule SCO timeouts with delayed_work")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
net/bluetooth/sco.c | 67 ++++++++++++++++++++++++++++-----------------
1 file changed, 42 insertions(+), 25 deletions(-)
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index a5ac160c592e..19af148bbaf8 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -155,6 +155,36 @@ static struct sco_conn *sco_conn_add(struct hci_conn *hcon)
return conn;
}
+static void sco_conn_drop(struct sco_conn *conn)
+{
+ if (!conn || !conn->hcon)
+ return;
+
+ BT_DBG("conn %p hcon %p", conn, conn->hcon);
+
+ hci_conn_drop(conn->hcon);
+
+ sco_conn_lock(conn);
+ conn->hcon->sco_data = NULL;
+ conn->hcon = NULL;
+ sco_conn_unlock(conn);
+
+ /* Ensure no more work items will run since hci_conn has been dropped */
+ disable_delayed_work_sync(&conn->timeout_work);
+}
+
+static void sco_conn_destruct(struct sco_conn *conn)
+{
+ if (!conn)
+ return;
+
+ BT_DBG("conn %p", conn);
+
+ sco_conn_drop(conn);
+
+ kfree(conn);
+}
+
/* Delete channel.
* Must be called on the locked socket. */
static void sco_chan_del(struct sock *sk, int err)
@@ -171,8 +201,7 @@ static void sco_chan_del(struct sock *sk, int err)
sco_pi(sk)->conn = NULL;
sco_conn_unlock(conn);
- if (conn->hcon)
- hci_conn_drop(conn->hcon);
+ sco_conn_drop(conn);
}
sk->sk_state = BT_CLOSED;
@@ -192,26 +221,23 @@ static void sco_conn_del(struct hci_conn *hcon, int err)
BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
- /* Kill socket */
sco_conn_lock(conn);
sk = conn->sk;
if (sk)
sock_hold(sk);
sco_conn_unlock(conn);
- if (sk) {
- lock_sock(sk);
- sco_sock_clear_timer(sk);
- sco_chan_del(sk, err);
- release_sock(sk);
- sock_put(sk);
+ if (!sk) {
+ sco_conn_destruct(conn);
+ return;
}
- /* Ensure no more work items will run before freeing conn. */
- cancel_delayed_work_sync(&conn->timeout_work);
-
- hcon->sco_data = NULL;
- kfree(conn);
+ /* Kill socket */
+ lock_sock(sk);
+ sco_sock_clear_timer(sk);
+ sco_chan_del(sk, err);
+ release_sock(sk);
+ sock_put(sk);
}
static void __sco_chan_add(struct sco_conn *conn, struct sock *sk,
@@ -395,6 +421,8 @@ static void sco_sock_destruct(struct sock *sk)
{
BT_DBG("sk %p", sk);
+ sco_conn_destruct(sco_pi(sk)->conn);
+
skb_queue_purge(&sk->sk_receive_queue);
skb_queue_purge(&sk->sk_write_queue);
}
@@ -442,17 +470,6 @@ static void __sco_sock_close(struct sock *sk)
case BT_CONNECTED:
case BT_CONFIG:
- if (sco_pi(sk)->conn->hcon) {
- sk->sk_state = BT_DISCONN;
- sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT);
- sco_conn_lock(sco_pi(sk)->conn);
- hci_conn_drop(sco_pi(sk)->conn->hcon);
- sco_pi(sk)->conn->hcon = NULL;
- sco_conn_unlock(sco_pi(sk)->conn);
- } else
- sco_chan_del(sk, ECONNRESET);
- break;
-
case BT_CONNECT2:
case BT_CONNECT:
case BT_DISCONN:
--
2.46.1
^ permalink raw reply related [flat|nested] 17+ messages in thread* Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Write in sco_sock_timeout
2024-10-04 16:06 [PATCH v3] Bluetooth: SCO: Use disable_delayed_work_sync Luiz Augusto von Dentz
@ 2024-10-04 16:34 ` syzbot
0 siblings, 0 replies; 17+ messages in thread
From: syzbot @ 2024-10-04 16:34 UTC (permalink / raw)
To: linux-bluetooth, linux-kernel, luiz.dentz, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Write in sco_conn_del
==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: slab-use-after-free in atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
BUG: KASAN: slab-use-after-free in __refcount_add include/linux/refcount.h:184 [inline]
BUG: KASAN: slab-use-after-free in __refcount_inc include/linux/refcount.h:241 [inline]
BUG: KASAN: slab-use-after-free in refcount_inc include/linux/refcount.h:258 [inline]
BUG: KASAN: slab-use-after-free in sock_hold include/net/sock.h:781 [inline]
BUG: KASAN: slab-use-after-free in sco_conn_del+0x9a/0x2c0 net/bluetooth/sco.c:227
Write of size 4 at addr ffff88801f485080 by task kworker/u9:1/4491
CPU: 0 UID: 0 PID: 4491 Comm: kworker/u9:1 Not tainted 6.12.0-rc1-syzkaller-00125-g0c559323bbaa-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
__refcount_add include/linux/refcount.h:184 [inline]
__refcount_inc include/linux/refcount.h:241 [inline]
refcount_inc include/linux/refcount.h:258 [inline]
sock_hold include/net/sock.h:781 [inline]
sco_conn_del+0x9a/0x2c0 net/bluetooth/sco.c:227
sco_connect_cfm+0xe6/0xb40 net/bluetooth/sco.c:1381
hci_connect_cfm include/net/bluetooth/hci_core.h:1960 [inline]
hci_conn_failed+0x1d0/0x300 net/bluetooth/hci_conn.c:1262
hci_abort_conn_sync+0x583/0xde0 net/bluetooth/hci_sync.c:5586
hci_cmd_sync_work+0x22d/0x400 net/bluetooth/hci_sync.c:328
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f2/0x390 kernel/kthread.c:389
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Allocated by task 5576:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:257 [inline]
__do_kmalloc_node mm/slub.c:4265 [inline]
__kmalloc_noprof+0x1fc/0x400 mm/slub.c:4277
kmalloc_noprof include/linux/slab.h:882 [inline]
sk_prot_alloc+0xe0/0x210 net/core/sock.c:2164
sk_alloc+0x38/0x370 net/core/sock.c:2217
bt_sock_alloc+0x3c/0x340 net/bluetooth/af_bluetooth.c:148
sco_sock_alloc net/bluetooth/sco.c:517 [inline]
sco_sock_create+0xbb/0x390 net/bluetooth/sco.c:548
bt_sock_create+0x163/0x230 net/bluetooth/af_bluetooth.c:132
__sock_create+0x492/0x920 net/socket.c:1576
sock_create net/socket.c:1627 [inline]
__sys_socket_create net/socket.c:1664 [inline]
__sys_socket+0x150/0x3c0 net/socket.c:1711
__do_sys_socket net/socket.c:1725 [inline]
__se_sys_socket net/socket.c:1723 [inline]
__x64_sys_socket+0x7a/0x90 net/socket.c:1723
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 5577:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:2343 [inline]
slab_free mm/slub.c:4580 [inline]
kfree+0x1a0/0x440 mm/slub.c:4728
sk_prot_free net/core/sock.c:2200 [inline]
__sk_destruct+0x479/0x5f0 net/core/sock.c:2292
sco_sock_release+0x25e/0x320 net/bluetooth/sco.c:1276
__sock_release net/socket.c:658 [inline]
sock_close+0xbe/0x240 net/socket.c:1426
__fput+0x241/0x880 fs/file_table.c:431
task_work_run+0x251/0x310 kernel/task_work.c:228
get_signal+0x15e8/0x1740 kernel/signal.c:2690
arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0xc9/0x370 kernel/entry/common.c:218
do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff88801f485000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 128 bytes inside of
freed 2048-byte region [ffff88801f485000, ffff88801f485800)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1f480
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff888015442000 ffffea00007d4800 0000000000000002
raw: 0000000000000000 0000000000080008 00000001f5000000 0000000000000000
head: 00fff00000000040 ffff888015442000 ffffea00007d4800 0000000000000002
head: 0000000000000000 0000000000080008 00000001f5000000 0000000000000000
head: 00fff00000000003 ffffea00007d2001 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5098, tgid 5098 (syz-executor.0), ts 63096504293, free_ts 61414295203
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0x3045/0x3190 mm/page_alloc.c:3457
__alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4733
alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
alloc_slab_page+0x6a/0x120 mm/slub.c:2413
allocate_slab+0x5a/0x2f0 mm/slub.c:2579
new_slab mm/slub.c:2632 [inline]
___slab_alloc+0xcd1/0x14b0 mm/slub.c:3819
__slab_alloc+0x58/0xa0 mm/slub.c:3909
__slab_alloc_node mm/slub.c:3962 [inline]
slab_alloc_node mm/slub.c:4123 [inline]
__do_kmalloc_node mm/slub.c:4264 [inline]
__kmalloc_noprof+0x25a/0x400 mm/slub.c:4277
kmalloc_noprof include/linux/slab.h:882 [inline]
kmalloc_array_noprof include/linux/slab.h:923 [inline]
cache_create_net+0x83/0x270 net/sunrpc/cache.c:1743
nfsd_idmap_init+0xe8/0x1e0 fs/nfsd/nfs4idmap.c:476
nfsd_net_init+0x4b/0x450 fs/nfsd/nfsctl.c:2242
ops_init+0x320/0x590 net/core/net_namespace.c:139
setup_net+0x287/0x9e0 net/core/net_namespace.c:356
copy_net_ns+0x33f/0x570 net/core/net_namespace.c:494
create_new_namespaces+0x425/0x7b0 kernel/nsproxy.c:110
page last free pid 5088 tgid 5085 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0xcfb/0xf20 mm/page_alloc.c:2638
discard_slab mm/slub.c:2678 [inline]
__put_partials+0xeb/0x130 mm/slub.c:3146
put_cpu_partial+0x17c/0x250 mm/slub.c:3221
__slab_free+0x2ea/0x3d0 mm/slub.c:4450
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x9a/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:247 [inline]
slab_post_alloc_hook mm/slub.c:4086 [inline]
slab_alloc_node mm/slub.c:4135 [inline]
__do_kmalloc_node mm/slub.c:4264 [inline]
__kmalloc_noprof+0x1a6/0x400 mm/slub.c:4277
kmalloc_noprof include/linux/slab.h:882 [inline]
tomoyo_add_entry security/tomoyo/common.c:2033 [inline]
tomoyo_supervisor+0xe0d/0x11f0 security/tomoyo/common.c:2105
tomoyo_audit_path_log security/tomoyo/file.c:168 [inline]
tomoyo_path_permission+0x243/0x360 security/tomoyo/file.c:587
tomoyo_path_perm+0x480/0x740 security/tomoyo/file.c:838
security_inode_getattr+0x130/0x330 security/security.c:2371
vfs_getattr+0x45/0x430 fs/stat.c:204
vfs_statx_path fs/stat.c:251 [inline]
vfs_statx+0x199/0x490 fs/stat.c:315
vfs_fstatat+0x145/0x190 fs/stat.c:341
__do_sys_newfstatat fs/stat.c:505 [inline]
__se_sys_newfstatat fs/stat.c:499 [inline]
__x64_sys_newfstatat+0x11d/0x1a0 fs/stat.c:499
Memory state around the buggy address:
ffff88801f484f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88801f485000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88801f485080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88801f485100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88801f485180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: 0c559323 Merge tag 'rust-fixes-6.12' of https://github..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13fdb3d0580000
kernel config: https://syzkaller.appspot.com/x/.config?x=d0ca089c3fc6b54e
dashboard link: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=160db3d0580000
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH v3] Bluetooth: SCO: Use disable_delayed_work_sync
2024-10-04 16:06 [PATCH v3] Bluetooth: SCO: Use disable_delayed_work_sync Luiz Augusto von Dentz
@ 2024-10-04 17:24 Luiz Augusto von Dentz
2024-10-04 17:40 ` [syzbot] [bluetooth?] KASAN: slab-use-after-free Write in sco_sock_timeout syzbot
0 siblings, 1 reply; 17+ messages in thread
From: Luiz Augusto von Dentz @ 2024-10-04 17:24 UTC (permalink / raw)
To: linux-bluetooth; +Cc: syzbot+4c0d0c4cde787116d465
[-- Attachment #1: Type: text/plain, Size: 4538 bytes --]
#syz test
On Fri, Oct 4, 2024 at 12:06 PM Luiz Augusto von Dentz
<luiz.dentz@gmail.com> wrote:
>
> #syz test
>
> On Thu, Oct 3, 2024 at 3:21 PM Luiz Augusto von Dentz
> <luiz.dentz@gmail.com> wrote:
> >
> > #syz test
> >
> > On Thu, Oct 3, 2024 at 12:32 PM Luiz Augusto von Dentz
> > <luiz.dentz@gmail.com> wrote:
> > >
> > > #syz test
> > >
> > > On Thu, Oct 3, 2024 at 11:38 AM Luiz Augusto von Dentz
> > > <luiz.dentz@gmail.com> wrote:
> > > >
> > > > #syz test
> > > >
> > > > On Wed, Oct 2, 2024 at 4:46 PM Luiz Augusto von Dentz
> > > > <luiz.dentz@gmail.com> wrote:
> > > > >
> > > > > #syz test
> > > > >
> > > > > On Wed, Oct 2, 2024 at 3:46 PM Luiz Augusto von Dentz
> > > > > <luiz.dentz@gmail.com> wrote:
> > > > > >
> > > > > > #syz test
> > > > > >
> > > > > > On Wed, Oct 2, 2024 at 3:19 PM Luiz Augusto von Dentz
> > > > > > <luiz.dentz@gmail.com> wrote:
> > > > > > >
> > > > > > > #syz test
> > > > > > >
> > > > > > > On Wed, Oct 2, 2024 at 3:04 PM Luiz Augusto von Dentz
> > > > > > > <luiz.dentz@gmail.com> wrote:
> > > > > > > >
> > > > > > > > From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> > > > > > > >
> > > > > > > > This makes use of disable_delayed_work_sync instead
> > > > > > > > cancel_delayed_work_sync as it not only cancel the ongoing work but also
> > > > > > > > disables new submit which is disarable since the object holding the work
> > > > > > > > is about to be freed.
> > > > > > > >
> > > > > > > > In addition to it remove call to sco_sock_set_timer on __sco_sock_close
> > > > > > > > since at that point it is useless to set a timer as the sk will be freed
> > > > > > > > there is nothing to be done in sco_sock_timeout.
> > > > > > > >
> > > > > > > > Reported-by: syzbot+4c0d0c4cde787116d465@syzkaller.appspotmail.com
> > > > > > > > Closes: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
> > > > > > > > Fixes: ba316be1b6a0 ("Bluetooth: schedule SCO timeouts with delayed_work")
> > > > > > > > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> > > > > > > > ---
> > > > > > > > net/bluetooth/sco.c | 13 +------------
> > > > > > > > 1 file changed, 1 insertion(+), 12 deletions(-)
> > > > > > > >
> > > > > > > > diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
> > > > > > > > index a5ac160c592e..2b1e66976068 100644
> > > > > > > > --- a/net/bluetooth/sco.c
> > > > > > > > +++ b/net/bluetooth/sco.c
> > > > > > > > @@ -208,7 +208,7 @@ static void sco_conn_del(struct hci_conn *hcon, int err)
> > > > > > > > }
> > > > > > > >
> > > > > > > > /* Ensure no more work items will run before freeing conn. */
> > > > > > > > - cancel_delayed_work_sync(&conn->timeout_work);
> > > > > > > > + disable_delayed_work_sync(&conn->timeout_work);
> > > > > > > >
> > > > > > > > hcon->sco_data = NULL;
> > > > > > > > kfree(conn);
> > > > > > > > @@ -442,17 +442,6 @@ static void __sco_sock_close(struct sock *sk)
> > > > > > > >
> > > > > > > > case BT_CONNECTED:
> > > > > > > > case BT_CONFIG:
> > > > > > > > - if (sco_pi(sk)->conn->hcon) {
> > > > > > > > - sk->sk_state = BT_DISCONN;
> > > > > > > > - sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT);
> > > > > > > > - sco_conn_lock(sco_pi(sk)->conn);
> > > > > > > > - hci_conn_drop(sco_pi(sk)->conn->hcon);
> > > > > > > > - sco_pi(sk)->conn->hcon = NULL;
> > > > > > > > - sco_conn_unlock(sco_pi(sk)->conn);
> > > > > > > > - } else
> > > > > > > > - sco_chan_del(sk, ECONNRESET);
> > > > > > > > - break;
> > > > > > > > -
> > > > > > > > case BT_CONNECT2:
> > > > > > > > case BT_CONNECT:
> > > > > > > > case BT_DISCONN:
> > > > > > > > --
> > > > > > > > 2.46.1
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > > Luiz Augusto von Dentz
> > > > > >
> > > > > >
> > > > > >
> > > > > > --
> > > > > > Luiz Augusto von Dentz
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Luiz Augusto von Dentz
> > > >
> > > >
> > > >
> > > > --
> > > > Luiz Augusto von Dentz
> > >
> > >
> > >
> > > --
> > > Luiz Augusto von Dentz
> >
> >
> >
> > --
> > Luiz Augusto von Dentz
>
>
>
> --
> Luiz Augusto von Dentz
--
Luiz Augusto von Dentz
[-- Attachment #2: v4-0002-Bluetooth-ISO-Use-disable_delayed_work_sync.patch --]
[-- Type: text/x-patch, Size: 3468 bytes --]
From 0534aba3c6e0f8bebb003516e433dcbddd3e2014 Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: Tue, 1 Oct 2024 16:15:51 -0400
Subject: [PATCH v4 2/2] Bluetooth: ISO: Use disable_delayed_work_sync
This makes use of disable_delayed_work_sync instead
cancel_delayed_work_sync as it not only cancels the ongoing work but also
disables new submissions which is disarable since the object holding the
work is about to be freed.
In addition to it remove call to iso_sock_set_timer on iso_sock_disconn
since at that point it is useless to set a timer as the sk will be freed
there is nothing to be done in iso_sock_timeout.
Fixes: ccf74f2390d6 ("Bluetooth: Add BTPROTO_ISO socket type")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
net/bluetooth/iso.c | 58 ++++++++++++++++++++++++++++++++++-----------
1 file changed, 44 insertions(+), 14 deletions(-)
diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
index d5e00d0dd1a0..030d402cc9bd 100644
--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -163,6 +163,24 @@ static struct iso_conn *iso_conn_add(struct hci_conn *hcon)
return conn;
}
+static void iso_conn_drop(struct iso_conn *conn)
+{
+ if (!conn || !conn->hcon)
+ return;
+
+ BT_DBG("conn %p hcon %p", conn, conn->hcon);
+
+ hci_conn_drop(conn->hcon);
+
+ iso_conn_lock(conn);
+ conn->hcon->iso_data = NULL;
+ conn->hcon = NULL;
+ iso_conn_unlock(conn);
+
+ /* Ensure no more work items will run since hci_conn has been dropped */
+ disable_delayed_work_sync(&conn->timeout_work);
+}
+
/* Delete channel. Must be called on the locked socket. */
static void iso_chan_del(struct sock *sk, int err)
{
@@ -179,8 +197,7 @@ static void iso_chan_del(struct sock *sk, int err)
iso_pi(sk)->conn = NULL;
iso_conn_unlock(conn);
- if (conn->hcon)
- hci_conn_drop(conn->hcon);
+ iso_conn_drop(conn);
}
sk->sk_state = BT_CLOSED;
@@ -197,6 +214,21 @@ static void iso_chan_del(struct sock *sk, int err)
sock_set_flag(sk, SOCK_ZAPPED);
}
+static void iso_conn_destruct(struct iso_conn *conn)
+{
+ if (!conn)
+ return;
+
+ BT_DBG("conn %p", conn);
+
+ if (conn->sk)
+ iso_pi(conn->sk)->conn = NULL;
+
+ iso_conn_drop(conn);
+
+ kfree(conn);
+}
+
static void iso_conn_del(struct hci_conn *hcon, int err)
{
struct iso_conn *conn = hcon->iso_data;
@@ -214,19 +246,16 @@ static void iso_conn_del(struct hci_conn *hcon, int err)
sock_hold(sk);
iso_conn_unlock(conn);
- if (sk) {
- lock_sock(sk);
- iso_sock_clear_timer(sk);
- iso_chan_del(sk, err);
- release_sock(sk);
- sock_put(sk);
+ if (!sk) {
+ iso_conn_destruct(conn);
+ return;
}
- /* Ensure no more work items will run before freeing conn. */
- cancel_delayed_work_sync(&conn->timeout_work);
-
- hcon->iso_data = NULL;
- kfree(conn);
+ lock_sock(sk);
+ iso_sock_clear_timer(sk);
+ iso_chan_del(sk, err);
+ release_sock(sk);
+ sock_put(sk);
}
static int __iso_chan_add(struct iso_conn *conn, struct sock *sk,
@@ -646,6 +675,8 @@ static void iso_sock_destruct(struct sock *sk)
{
BT_DBG("sk %p", sk);
+ iso_conn_destruct(iso_pi(sk)->conn);
+
skb_queue_purge(&sk->sk_receive_queue);
skb_queue_purge(&sk->sk_write_queue);
}
@@ -714,7 +745,6 @@ static void iso_sock_disconn(struct sock *sk)
}
sk->sk_state = BT_DISCONN;
- iso_sock_set_timer(sk, ISO_DISCONN_TIMEOUT);
iso_conn_lock(iso_pi(sk)->conn);
hci_conn_drop(iso_pi(sk)->conn->hcon);
iso_pi(sk)->conn->hcon = NULL;
--
2.46.1
^ permalink raw reply related [flat|nested] 17+ messages in thread* Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Write in sco_sock_timeout
2024-10-04 17:24 [PATCH v3] Bluetooth: SCO: Use disable_delayed_work_sync Luiz Augusto von Dentz
@ 2024-10-04 17:40 ` syzbot
0 siblings, 0 replies; 17+ messages in thread
From: syzbot @ 2024-10-04 17:40 UTC (permalink / raw)
To: linux-bluetooth, linux-kernel, luiz.dentz, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Write in sco_sock_timeout
==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: slab-use-after-free in atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
BUG: KASAN: slab-use-after-free in __refcount_add include/linux/refcount.h:184 [inline]
BUG: KASAN: slab-use-after-free in __refcount_inc include/linux/refcount.h:241 [inline]
BUG: KASAN: slab-use-after-free in refcount_inc include/linux/refcount.h:258 [inline]
BUG: KASAN: slab-use-after-free in sock_hold include/net/sock.h:781 [inline]
BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x8b/0x270 net/bluetooth/sco.c:92
Write of size 4 at addr ffff88802719a080 by task kworker/1:3/5509
CPU: 1 UID: 0 PID: 5509 Comm: kworker/1:3 Not tainted 6.12.0-rc1-syzkaller-00125-g0c559323bbaa-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: events sco_sock_timeout
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
__refcount_add include/linux/refcount.h:184 [inline]
__refcount_inc include/linux/refcount.h:241 [inline]
refcount_inc include/linux/refcount.h:258 [inline]
sock_hold include/net/sock.h:781 [inline]
sco_sock_timeout+0x8b/0x270 net/bluetooth/sco.c:92
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f2/0x390 kernel/kthread.c:389
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Allocated by task 5115:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:257 [inline]
__do_kmalloc_node mm/slub.c:4265 [inline]
__kmalloc_node_track_caller_noprof+0x225/0x440 mm/slub.c:4284
kmalloc_reserve+0x111/0x2a0 net/core/skbuff.c:609
__alloc_skb+0x1f3/0x440 net/core/skbuff.c:678
alloc_skb include/linux/skbuff.h:1322 [inline]
nsim_dev_trap_skb_build drivers/net/netdevsim/dev.c:748 [inline]
nsim_dev_trap_report drivers/net/netdevsim/dev.c:805 [inline]
nsim_dev_trap_report_work+0x254/0xaa0 drivers/net/netdevsim/dev.c:850
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f2/0x390 kernel/kthread.c:389
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Freed by task 5115:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:2343 [inline]
slab_free mm/slub.c:4580 [inline]
kfree+0x1a0/0x440 mm/slub.c:4728
skb_kfree_head net/core/skbuff.c:1086 [inline]
skb_free_head net/core/skbuff.c:1098 [inline]
skb_release_data+0x6a0/0x8a0 net/core/skbuff.c:1125
skb_release_all net/core/skbuff.c:1190 [inline]
__kfree_skb net/core/skbuff.c:1204 [inline]
consume_skb+0x9f/0xf0 net/core/skbuff.c:1436
nsim_dev_trap_report drivers/net/netdevsim/dev.c:821 [inline]
nsim_dev_trap_report_work+0x765/0xaa0 drivers/net/netdevsim/dev.c:850
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f2/0x390 kernel/kthread.c:389
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
The buggy address belongs to the object at ffff88802719a000
which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 128 bytes inside of
freed 4096-byte region [ffff88802719a000, ffff88802719b000)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x27198
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff888015442140 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000040004 00000001f5000000 0000000000000000
head: 00fff00000000040 ffff888015442140 dead000000000122 0000000000000000
head: 0000000000000000 0000000000040004 00000001f5000000 0000000000000000
head: 00fff00000000003 ffffea00009c6601 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5115, tgid 5115 (kworker/0:4), ts 122322399972, free_ts 122095257880
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0x3045/0x3190 mm/page_alloc.c:3457
__alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4733
alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
alloc_slab_page+0x6a/0x120 mm/slub.c:2413
allocate_slab+0x5a/0x2f0 mm/slub.c:2579
new_slab mm/slub.c:2632 [inline]
___slab_alloc+0xcd1/0x14b0 mm/slub.c:3819
__slab_alloc+0x58/0xa0 mm/slub.c:3909
__slab_alloc_node mm/slub.c:3962 [inline]
slab_alloc_node mm/slub.c:4123 [inline]
__do_kmalloc_node mm/slub.c:4264 [inline]
__kmalloc_node_track_caller_noprof+0x281/0x440 mm/slub.c:4284
kmalloc_reserve+0x111/0x2a0 net/core/skbuff.c:609
__alloc_skb+0x1f3/0x440 net/core/skbuff.c:678
alloc_skb include/linux/skbuff.h:1322 [inline]
nsim_dev_trap_skb_build drivers/net/netdevsim/dev.c:748 [inline]
nsim_dev_trap_report drivers/net/netdevsim/dev.c:805 [inline]
nsim_dev_trap_report_work+0x254/0xaa0 drivers/net/netdevsim/dev.c:850
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f2/0x390 kernel/kthread.c:389
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
page last free pid 5425 tgid 5425 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0xcfb/0xf20 mm/page_alloc.c:2638
__slab_free+0x31b/0x3d0 mm/slub.c:4491
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x9a/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:247 [inline]
slab_post_alloc_hook mm/slub.c:4086 [inline]
slab_alloc_node mm/slub.c:4135 [inline]
kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4142
getname_flags+0xb7/0x540 fs/namei.c:139
do_sys_openat2+0xd2/0x1d0 fs/open.c:1409
do_sys_open fs/open.c:1430 [inline]
__do_sys_openat fs/open.c:1446 [inline]
__se_sys_openat fs/open.c:1441 [inline]
__x64_sys_openat+0x247/0x2a0 fs/open.c:1441
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff888027199f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88802719a000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88802719a080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88802719a100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88802719a180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: 0c559323 Merge tag 'rust-fixes-6.12' of https://github..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=152e9307980000
kernel config: https://syzkaller.appspot.com/x/.config?x=d0ca089c3fc6b54e
dashboard link: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=12d69307980000
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH v3] Bluetooth: SCO: Use disable_delayed_work_sync
2024-10-04 17:24 [PATCH v3] Bluetooth: SCO: Use disable_delayed_work_sync Luiz Augusto von Dentz
@ 2024-10-07 17:16 Luiz Augusto von Dentz
2024-10-07 17:33 ` [syzbot] [bluetooth?] KASAN: slab-use-after-free Write in sco_sock_timeout syzbot
0 siblings, 1 reply; 17+ messages in thread
From: Luiz Augusto von Dentz @ 2024-10-07 17:16 UTC (permalink / raw)
To: linux-bluetooth; +Cc: syzbot+4c0d0c4cde787116d465
[-- Attachment #1: Type: text/plain, Size: 4936 bytes --]
#syz test
On Fri, Oct 4, 2024 at 1:24 PM Luiz Augusto von Dentz
<luiz.dentz@gmail.com> wrote:
>
> #syz test
>
> On Fri, Oct 4, 2024 at 12:06 PM Luiz Augusto von Dentz
> <luiz.dentz@gmail.com> wrote:
> >
> > #syz test
> >
> > On Thu, Oct 3, 2024 at 3:21 PM Luiz Augusto von Dentz
> > <luiz.dentz@gmail.com> wrote:
> > >
> > > #syz test
> > >
> > > On Thu, Oct 3, 2024 at 12:32 PM Luiz Augusto von Dentz
> > > <luiz.dentz@gmail.com> wrote:
> > > >
> > > > #syz test
> > > >
> > > > On Thu, Oct 3, 2024 at 11:38 AM Luiz Augusto von Dentz
> > > > <luiz.dentz@gmail.com> wrote:
> > > > >
> > > > > #syz test
> > > > >
> > > > > On Wed, Oct 2, 2024 at 4:46 PM Luiz Augusto von Dentz
> > > > > <luiz.dentz@gmail.com> wrote:
> > > > > >
> > > > > > #syz test
> > > > > >
> > > > > > On Wed, Oct 2, 2024 at 3:46 PM Luiz Augusto von Dentz
> > > > > > <luiz.dentz@gmail.com> wrote:
> > > > > > >
> > > > > > > #syz test
> > > > > > >
> > > > > > > On Wed, Oct 2, 2024 at 3:19 PM Luiz Augusto von Dentz
> > > > > > > <luiz.dentz@gmail.com> wrote:
> > > > > > > >
> > > > > > > > #syz test
> > > > > > > >
> > > > > > > > On Wed, Oct 2, 2024 at 3:04 PM Luiz Augusto von Dentz
> > > > > > > > <luiz.dentz@gmail.com> wrote:
> > > > > > > > >
> > > > > > > > > From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> > > > > > > > >
> > > > > > > > > This makes use of disable_delayed_work_sync instead
> > > > > > > > > cancel_delayed_work_sync as it not only cancel the ongoing work but also
> > > > > > > > > disables new submit which is disarable since the object holding the work
> > > > > > > > > is about to be freed.
> > > > > > > > >
> > > > > > > > > In addition to it remove call to sco_sock_set_timer on __sco_sock_close
> > > > > > > > > since at that point it is useless to set a timer as the sk will be freed
> > > > > > > > > there is nothing to be done in sco_sock_timeout.
> > > > > > > > >
> > > > > > > > > Reported-by: syzbot+4c0d0c4cde787116d465@syzkaller.appspotmail.com
> > > > > > > > > Closes: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
> > > > > > > > > Fixes: ba316be1b6a0 ("Bluetooth: schedule SCO timeouts with delayed_work")
> > > > > > > > > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> > > > > > > > > ---
> > > > > > > > > net/bluetooth/sco.c | 13 +------------
> > > > > > > > > 1 file changed, 1 insertion(+), 12 deletions(-)
> > > > > > > > >
> > > > > > > > > diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
> > > > > > > > > index a5ac160c592e..2b1e66976068 100644
> > > > > > > > > --- a/net/bluetooth/sco.c
> > > > > > > > > +++ b/net/bluetooth/sco.c
> > > > > > > > > @@ -208,7 +208,7 @@ static void sco_conn_del(struct hci_conn *hcon, int err)
> > > > > > > > > }
> > > > > > > > >
> > > > > > > > > /* Ensure no more work items will run before freeing conn. */
> > > > > > > > > - cancel_delayed_work_sync(&conn->timeout_work);
> > > > > > > > > + disable_delayed_work_sync(&conn->timeout_work);
> > > > > > > > >
> > > > > > > > > hcon->sco_data = NULL;
> > > > > > > > > kfree(conn);
> > > > > > > > > @@ -442,17 +442,6 @@ static void __sco_sock_close(struct sock *sk)
> > > > > > > > >
> > > > > > > > > case BT_CONNECTED:
> > > > > > > > > case BT_CONFIG:
> > > > > > > > > - if (sco_pi(sk)->conn->hcon) {
> > > > > > > > > - sk->sk_state = BT_DISCONN;
> > > > > > > > > - sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT);
> > > > > > > > > - sco_conn_lock(sco_pi(sk)->conn);
> > > > > > > > > - hci_conn_drop(sco_pi(sk)->conn->hcon);
> > > > > > > > > - sco_pi(sk)->conn->hcon = NULL;
> > > > > > > > > - sco_conn_unlock(sco_pi(sk)->conn);
> > > > > > > > > - } else
> > > > > > > > > - sco_chan_del(sk, ECONNRESET);
> > > > > > > > > - break;
> > > > > > > > > -
> > > > > > > > > case BT_CONNECT2:
> > > > > > > > > case BT_CONNECT:
> > > > > > > > > case BT_DISCONN:
> > > > > > > > > --
> > > > > > > > > 2.46.1
> > > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > --
> > > > > > > > Luiz Augusto von Dentz
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > > Luiz Augusto von Dentz
> > > > > >
> > > > > >
> > > > > >
> > > > > > --
> > > > > > Luiz Augusto von Dentz
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Luiz Augusto von Dentz
> > > >
> > > >
> > > >
> > > > --
> > > > Luiz Augusto von Dentz
> > >
> > >
> > >
> > > --
> > > Luiz Augusto von Dentz
> >
> >
> >
> > --
> > Luiz Augusto von Dentz
>
>
>
> --
> Luiz Augusto von Dentz
--
Luiz Augusto von Dentz
[-- Attachment #2: v4-0001-Bluetooth-SCO-Use-disable_delayed_work_sync.patch --]
[-- Type: text/x-patch, Size: 4031 bytes --]
From af236b58a3bcb25aa15d1fcc977fdbe9ad265cdf Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: Tue, 1 Oct 2024 15:46:10 -0400
Subject: [PATCH v4 1/2] Bluetooth: SCO: Use disable_delayed_work_sync
This makes use of disable_delayed_work_sync instead
cancel_delayed_work_sync as it not only cancel the ongoing work but also
disables new submit which is disarable since the object holding the work
is about to be freed.
In addition to it remove call to sco_sock_set_timer on __sco_sock_close
since at that point it is useless to set a timer as the sk will be freed
there is nothing to be done in sco_sock_timeout.
Reported-by: syzbot+4c0d0c4cde787116d465@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
Fixes: ba316be1b6a0 ("Bluetooth: schedule SCO timeouts with delayed_work")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
net/bluetooth/sco.c | 85 ++++++++++++++++++++++++++++-----------------
1 file changed, 53 insertions(+), 32 deletions(-)
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index a5ac160c592e..fab68cb60371 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -155,6 +155,46 @@ static struct sco_conn *sco_conn_add(struct hci_conn *hcon)
return conn;
}
+static void sco_conn_drop(struct sco_conn *conn)
+{
+ if (!conn || (!conn->hcon && !conn->sk))
+ return;
+
+ BT_DBG("conn %p hcon %p", conn, conn->hcon);
+
+ sco_conn_lock(conn);
+
+ if (conn->sk) {
+ sco_pi(conn->sk)->conn = NULL;
+ conn->sk = NULL;
+ }
+
+ if (conn->hcon) {
+ struct hci_conn *hcon = conn->hcon;
+
+ conn->hcon->sco_data = NULL;
+ conn->hcon = NULL;
+ hci_conn_drop(hcon);
+ }
+
+ sco_conn_unlock(conn);
+
+ /* Ensure no more work items will run since hci_conn has been dropped */
+ disable_delayed_work_sync(&conn->timeout_work);
+}
+
+static void sco_conn_destruct(struct sco_conn *conn)
+{
+ if (!conn)
+ return;
+
+ BT_DBG("conn %p", conn);
+
+ sco_conn_drop(conn);
+
+ kfree(conn);
+}
+
/* Delete channel.
* Must be called on the locked socket. */
static void sco_chan_del(struct sock *sk, int err)
@@ -165,15 +205,8 @@ static void sco_chan_del(struct sock *sk, int err)
BT_DBG("sk %p, conn %p, err %d", sk, conn, err);
- if (conn) {
- sco_conn_lock(conn);
- conn->sk = NULL;
- sco_pi(sk)->conn = NULL;
- sco_conn_unlock(conn);
-
- if (conn->hcon)
- hci_conn_drop(conn->hcon);
- }
+ if (conn)
+ sco_conn_drop(conn);
sk->sk_state = BT_CLOSED;
sk->sk_err = err;
@@ -192,26 +225,23 @@ static void sco_conn_del(struct hci_conn *hcon, int err)
BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
- /* Kill socket */
sco_conn_lock(conn);
sk = conn->sk;
if (sk)
sock_hold(sk);
sco_conn_unlock(conn);
- if (sk) {
- lock_sock(sk);
- sco_sock_clear_timer(sk);
- sco_chan_del(sk, err);
- release_sock(sk);
- sock_put(sk);
+ if (!sk) {
+ sco_conn_destruct(conn);
+ return;
}
- /* Ensure no more work items will run before freeing conn. */
- cancel_delayed_work_sync(&conn->timeout_work);
-
- hcon->sco_data = NULL;
- kfree(conn);
+ /* Kill socket */
+ lock_sock(sk);
+ sco_sock_clear_timer(sk);
+ sco_chan_del(sk, err);
+ release_sock(sk);
+ sock_put(sk);
}
static void __sco_chan_add(struct sco_conn *conn, struct sock *sk,
@@ -395,6 +425,8 @@ static void sco_sock_destruct(struct sock *sk)
{
BT_DBG("sk %p", sk);
+ sco_conn_destruct(sco_pi(sk)->conn);
+
skb_queue_purge(&sk->sk_receive_queue);
skb_queue_purge(&sk->sk_write_queue);
}
@@ -442,17 +474,6 @@ static void __sco_sock_close(struct sock *sk)
case BT_CONNECTED:
case BT_CONFIG:
- if (sco_pi(sk)->conn->hcon) {
- sk->sk_state = BT_DISCONN;
- sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT);
- sco_conn_lock(sco_pi(sk)->conn);
- hci_conn_drop(sco_pi(sk)->conn->hcon);
- sco_pi(sk)->conn->hcon = NULL;
- sco_conn_unlock(sco_pi(sk)->conn);
- } else
- sco_chan_del(sk, ECONNRESET);
- break;
-
case BT_CONNECT2:
case BT_CONNECT:
case BT_DISCONN:
--
2.46.1
^ permalink raw reply related [flat|nested] 17+ messages in thread* Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Write in sco_sock_timeout
2024-10-07 17:16 [PATCH v3] Bluetooth: SCO: Use disable_delayed_work_sync Luiz Augusto von Dentz
@ 2024-10-07 17:33 ` syzbot
0 siblings, 0 replies; 17+ messages in thread
From: syzbot @ 2024-10-07 17:33 UTC (permalink / raw)
To: linux-bluetooth, linux-kernel, luiz.dentz, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Write in sco_sock_timeout
==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: slab-use-after-free in atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
BUG: KASAN: slab-use-after-free in __refcount_add include/linux/refcount.h:184 [inline]
BUG: KASAN: slab-use-after-free in __refcount_inc include/linux/refcount.h:241 [inline]
BUG: KASAN: slab-use-after-free in refcount_inc include/linux/refcount.h:258 [inline]
BUG: KASAN: slab-use-after-free in sock_hold include/net/sock.h:781 [inline]
BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x8b/0x270 net/bluetooth/sco.c:92
Write of size 4 at addr ffff8880237b3080 by task kworker/0:1/9
CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.12.0-rc2-syzkaller-g8cf0b93919e1-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: events sco_sock_timeout
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
__refcount_add include/linux/refcount.h:184 [inline]
__refcount_inc include/linux/refcount.h:241 [inline]
refcount_inc include/linux/refcount.h:258 [inline]
sock_hold include/net/sock.h:781 [inline]
sco_sock_timeout+0x8b/0x270 net/bluetooth/sco.c:92
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f2/0x390 kernel/kthread.c:389
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Allocated by task 5742:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:257 [inline]
__do_kmalloc_node mm/slub.c:4264 [inline]
__kmalloc_noprof+0x1fc/0x400 mm/slub.c:4276
kmalloc_noprof include/linux/slab.h:882 [inline]
sk_prot_alloc+0xe0/0x210 net/core/sock.c:2164
sk_alloc+0x38/0x370 net/core/sock.c:2217
bt_sock_alloc+0x3c/0x340 net/bluetooth/af_bluetooth.c:148
sco_sock_alloc net/bluetooth/sco.c:521 [inline]
sco_sock_create+0xbb/0x390 net/bluetooth/sco.c:552
bt_sock_create+0x163/0x230 net/bluetooth/af_bluetooth.c:132
__sock_create+0x492/0x920 net/socket.c:1576
sock_create net/socket.c:1627 [inline]
__sys_socket_create net/socket.c:1664 [inline]
__sys_socket+0x150/0x3c0 net/socket.c:1711
__do_sys_socket net/socket.c:1725 [inline]
__se_sys_socket net/socket.c:1723 [inline]
__x64_sys_socket+0x7a/0x90 net/socket.c:1723
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 5743:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:2342 [inline]
slab_free mm/slub.c:4579 [inline]
kfree+0x1a0/0x440 mm/slub.c:4727
sk_prot_free net/core/sock.c:2200 [inline]
__sk_destruct+0x479/0x5f0 net/core/sock.c:2292
sco_sock_release+0x25e/0x320 net/bluetooth/sco.c:1280
__sock_release net/socket.c:658 [inline]
sock_close+0xbe/0x240 net/socket.c:1426
__fput+0x241/0x880 fs/file_table.c:431
task_work_run+0x251/0x310 kernel/task_work.c:228
get_signal+0x15e8/0x1740 kernel/signal.c:2690
arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0xc9/0x370 kernel/entry/common.c:218
do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff8880237b3000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 128 bytes inside of
freed 2048-byte region [ffff8880237b3000, ffff8880237b3800)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880237b5000 pfn:0x237b0
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000240(workingset|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000240 ffff888015442000 ffffea00008c6a10 ffffea0001f13610
raw: ffff8880237b5000 0000000000080005 00000001f5000000 0000000000000000
head: 00fff00000000240 ffff888015442000 ffffea00008c6a10 ffffea0001f13610
head: ffff8880237b5000 0000000000080005 00000001f5000000 0000000000000000
head: 00fff00000000003 ffffea00008dec01 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4550, tgid 4550 (udevd), ts 62011136939, free_ts 61932137647
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0x3045/0x3190 mm/page_alloc.c:3457
__alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4733
alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
alloc_slab_page+0x6a/0x120 mm/slub.c:2412
allocate_slab+0x5a/0x2f0 mm/slub.c:2578
new_slab mm/slub.c:2631 [inline]
___slab_alloc+0xcd1/0x14b0 mm/slub.c:3818
__slab_alloc+0x58/0xa0 mm/slub.c:3908
__slab_alloc_node mm/slub.c:3961 [inline]
slab_alloc_node mm/slub.c:4122 [inline]
__do_kmalloc_node mm/slub.c:4263 [inline]
__kmalloc_noprof+0x25a/0x400 mm/slub.c:4276
kmalloc_noprof include/linux/slab.h:882 [inline]
sk_prot_alloc+0xe0/0x210 net/core/sock.c:2164
sk_alloc+0x38/0x370 net/core/sock.c:2217
__netlink_create+0x65/0x260 net/netlink/af_netlink.c:646
netlink_create+0x3ab/0x560 net/netlink/af_netlink.c:704
__sock_create+0x492/0x920 net/socket.c:1576
sock_create net/socket.c:1627 [inline]
__sys_socket_create net/socket.c:1664 [inline]
__sys_socket+0x150/0x3c0 net/socket.c:1711
__do_sys_socket net/socket.c:1725 [inline]
__se_sys_socket net/socket.c:1723 [inline]
__x64_sys_socket+0x7a/0x90 net/socket.c:1723
page last free pid 4539 tgid 4539 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0xcfb/0xf20 mm/page_alloc.c:2638
discard_slab mm/slub.c:2677 [inline]
__put_partials+0xeb/0x130 mm/slub.c:3145
put_cpu_partial+0x17c/0x250 mm/slub.c:3220
__slab_free+0x2ea/0x3d0 mm/slub.c:4449
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x9a/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:247 [inline]
slab_post_alloc_hook mm/slub.c:4085 [inline]
slab_alloc_node mm/slub.c:4134 [inline]
kmem_cache_alloc_node_noprof+0x16b/0x320 mm/slub.c:4186
__alloc_skb+0x1c3/0x440 net/core/skbuff.c:668
alloc_skb include/linux/skbuff.h:1322 [inline]
alloc_skb_with_frags+0xc3/0x820 net/core/skbuff.c:6612
sock_alloc_send_pskb+0x91a/0xa60 net/core/sock.c:2883
unix_dgram_sendmsg+0x6d3/0x1f80 net/unix/af_unix.c:2027
sock_sendmsg_nosec net/socket.c:729 [inline]
__sock_sendmsg+0x223/0x270 net/socket.c:744
__sys_sendto+0x39b/0x4f0 net/socket.c:2209
__do_sys_sendto net/socket.c:2221 [inline]
__se_sys_sendto net/socket.c:2217 [inline]
__x64_sys_sendto+0xde/0x100 net/socket.c:2217
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
Memory state around the buggy address:
ffff8880237b2f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880237b3000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880237b3080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880237b3100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880237b3180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: 8cf0b939 Linux 6.12-rc2
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11e7db80580000
kernel config: https://syzkaller.appspot.com/x/.config?x=a5119ec8290b5433
dashboard link: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=150b2707980000
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH v3] Bluetooth: SCO: Use disable_delayed_work_sync
2024-10-07 17:16 [PATCH v3] Bluetooth: SCO: Use disable_delayed_work_sync Luiz Augusto von Dentz
@ 2024-10-07 20:54 Luiz Augusto von Dentz
2024-10-07 21:15 ` [syzbot] [bluetooth?] KASAN: slab-use-after-free Write in sco_sock_timeout syzbot
0 siblings, 1 reply; 17+ messages in thread
From: Luiz Augusto von Dentz @ 2024-10-07 20:54 UTC (permalink / raw)
To: linux-bluetooth; +Cc: syzbot+4c0d0c4cde787116d465
[-- Attachment #1: Type: text/plain, Size: 5354 bytes --]
#syz test
On Mon, Oct 7, 2024 at 1:16 PM Luiz Augusto von Dentz
<luiz.dentz@gmail.com> wrote:
>
> #syz test
>
> On Fri, Oct 4, 2024 at 1:24 PM Luiz Augusto von Dentz
> <luiz.dentz@gmail.com> wrote:
> >
> > #syz test
> >
> > On Fri, Oct 4, 2024 at 12:06 PM Luiz Augusto von Dentz
> > <luiz.dentz@gmail.com> wrote:
> > >
> > > #syz test
> > >
> > > On Thu, Oct 3, 2024 at 3:21 PM Luiz Augusto von Dentz
> > > <luiz.dentz@gmail.com> wrote:
> > > >
> > > > #syz test
> > > >
> > > > On Thu, Oct 3, 2024 at 12:32 PM Luiz Augusto von Dentz
> > > > <luiz.dentz@gmail.com> wrote:
> > > > >
> > > > > #syz test
> > > > >
> > > > > On Thu, Oct 3, 2024 at 11:38 AM Luiz Augusto von Dentz
> > > > > <luiz.dentz@gmail.com> wrote:
> > > > > >
> > > > > > #syz test
> > > > > >
> > > > > > On Wed, Oct 2, 2024 at 4:46 PM Luiz Augusto von Dentz
> > > > > > <luiz.dentz@gmail.com> wrote:
> > > > > > >
> > > > > > > #syz test
> > > > > > >
> > > > > > > On Wed, Oct 2, 2024 at 3:46 PM Luiz Augusto von Dentz
> > > > > > > <luiz.dentz@gmail.com> wrote:
> > > > > > > >
> > > > > > > > #syz test
> > > > > > > >
> > > > > > > > On Wed, Oct 2, 2024 at 3:19 PM Luiz Augusto von Dentz
> > > > > > > > <luiz.dentz@gmail.com> wrote:
> > > > > > > > >
> > > > > > > > > #syz test
> > > > > > > > >
> > > > > > > > > On Wed, Oct 2, 2024 at 3:04 PM Luiz Augusto von Dentz
> > > > > > > > > <luiz.dentz@gmail.com> wrote:
> > > > > > > > > >
> > > > > > > > > > From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> > > > > > > > > >
> > > > > > > > > > This makes use of disable_delayed_work_sync instead
> > > > > > > > > > cancel_delayed_work_sync as it not only cancel the ongoing work but also
> > > > > > > > > > disables new submit which is disarable since the object holding the work
> > > > > > > > > > is about to be freed.
> > > > > > > > > >
> > > > > > > > > > In addition to it remove call to sco_sock_set_timer on __sco_sock_close
> > > > > > > > > > since at that point it is useless to set a timer as the sk will be freed
> > > > > > > > > > there is nothing to be done in sco_sock_timeout.
> > > > > > > > > >
> > > > > > > > > > Reported-by: syzbot+4c0d0c4cde787116d465@syzkaller.appspotmail.com
> > > > > > > > > > Closes: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
> > > > > > > > > > Fixes: ba316be1b6a0 ("Bluetooth: schedule SCO timeouts with delayed_work")
> > > > > > > > > > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> > > > > > > > > > ---
> > > > > > > > > > net/bluetooth/sco.c | 13 +------------
> > > > > > > > > > 1 file changed, 1 insertion(+), 12 deletions(-)
> > > > > > > > > >
> > > > > > > > > > diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
> > > > > > > > > > index a5ac160c592e..2b1e66976068 100644
> > > > > > > > > > --- a/net/bluetooth/sco.c
> > > > > > > > > > +++ b/net/bluetooth/sco.c
> > > > > > > > > > @@ -208,7 +208,7 @@ static void sco_conn_del(struct hci_conn *hcon, int err)
> > > > > > > > > > }
> > > > > > > > > >
> > > > > > > > > > /* Ensure no more work items will run before freeing conn. */
> > > > > > > > > > - cancel_delayed_work_sync(&conn->timeout_work);
> > > > > > > > > > + disable_delayed_work_sync(&conn->timeout_work);
> > > > > > > > > >
> > > > > > > > > > hcon->sco_data = NULL;
> > > > > > > > > > kfree(conn);
> > > > > > > > > > @@ -442,17 +442,6 @@ static void __sco_sock_close(struct sock *sk)
> > > > > > > > > >
> > > > > > > > > > case BT_CONNECTED:
> > > > > > > > > > case BT_CONFIG:
> > > > > > > > > > - if (sco_pi(sk)->conn->hcon) {
> > > > > > > > > > - sk->sk_state = BT_DISCONN;
> > > > > > > > > > - sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT);
> > > > > > > > > > - sco_conn_lock(sco_pi(sk)->conn);
> > > > > > > > > > - hci_conn_drop(sco_pi(sk)->conn->hcon);
> > > > > > > > > > - sco_pi(sk)->conn->hcon = NULL;
> > > > > > > > > > - sco_conn_unlock(sco_pi(sk)->conn);
> > > > > > > > > > - } else
> > > > > > > > > > - sco_chan_del(sk, ECONNRESET);
> > > > > > > > > > - break;
> > > > > > > > > > -
> > > > > > > > > > case BT_CONNECT2:
> > > > > > > > > > case BT_CONNECT:
> > > > > > > > > > case BT_DISCONN:
> > > > > > > > > > --
> > > > > > > > > > 2.46.1
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > Luiz Augusto von Dentz
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > --
> > > > > > > > Luiz Augusto von Dentz
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > > Luiz Augusto von Dentz
> > > > > >
> > > > > >
> > > > > >
> > > > > > --
> > > > > > Luiz Augusto von Dentz
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Luiz Augusto von Dentz
> > > >
> > > >
> > > >
> > > > --
> > > > Luiz Augusto von Dentz
> > >
> > >
> > >
> > > --
> > > Luiz Augusto von Dentz
> >
> >
> >
> > --
> > Luiz Augusto von Dentz
>
>
>
> --
> Luiz Augusto von Dentz
--
Luiz Augusto von Dentz
[-- Attachment #2: v4-0001-Bluetooth-SCO-Use-disable_delayed_work_sync.patch --]
[-- Type: text/x-patch, Size: 5495 bytes --]
From 1202ae4e16c042a149725e30b3e8857120f0f2a7 Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: Tue, 1 Oct 2024 15:46:10 -0400
Subject: [PATCH v4 1/2] Bluetooth: SCO: Use disable_delayed_work_sync
This makes use of disable_delayed_work_sync instead
cancel_delayed_work_sync as it not only cancel the ongoing work but also
disables new submit which is disarable since the object holding the work
is about to be freed.
In addition to it remove call to sco_sock_set_timer on __sco_sock_close
since at that point it is useless to set a timer as the sk will be freed
there is nothing to be done in sco_sock_timeout.
Reported-by: syzbot+4c0d0c4cde787116d465@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
Fixes: ba316be1b6a0 ("Bluetooth: schedule SCO timeouts with delayed_work")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
net/bluetooth/sco.c | 99 ++++++++++++++++++++++++++++++++-------------
1 file changed, 71 insertions(+), 28 deletions(-)
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index a5ac160c592e..a937c3b9d639 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -51,6 +51,7 @@ struct sco_conn {
struct delayed_work timeout_work;
unsigned int mtu;
+ struct kref ref;
};
#define sco_conn_lock(c) spin_lock(&c->lock)
@@ -76,12 +77,59 @@ struct sco_pinfo {
#define SCO_CONN_TIMEOUT (HZ * 40)
#define SCO_DISCONN_TIMEOUT (HZ * 2)
+static void sco_conn_free(struct kref *ref)
+{
+ struct sco_conn *conn = container_of(ref, struct sco_conn, ref);
+
+ BT_DBG("conn %p", conn);
+
+ if (conn->sk)
+ sco_pi(conn->sk)->conn = NULL;
+
+ if (conn->hcon) {
+ conn->hcon->sco_data = NULL;
+ hci_conn_drop(conn->hcon);
+ }
+
+ /* Ensure no more work items will run since hci_conn has been dropped */
+ disable_delayed_work_sync(&conn->timeout_work);
+
+ kfree(conn);
+}
+
+static void sco_conn_put(struct sco_conn *conn)
+{
+ if (!conn)
+ return;
+
+ BT_DBG("conn %p refcnt %d", conn, kref_read(&conn->ref));
+
+ kref_put(&conn->ref, sco_conn_free);
+}
+
+static struct sco_conn *sco_conn_hold_unless_zero(struct sco_conn *conn)
+{
+ if (!conn)
+ return NULL;
+
+ BT_DBG("conn %p refcnt %u", conn, kref_read(&conn->ref));
+
+ if (!kref_get_unless_zero(&conn->ref))
+ return NULL;
+
+ return conn;
+}
+
static void sco_sock_timeout(struct work_struct *work)
{
struct sco_conn *conn = container_of(work, struct sco_conn,
timeout_work.work);
struct sock *sk;
+ conn = sco_conn_hold_unless_zero(conn);
+ if (!conn)
+ return;
+
sco_conn_lock(conn);
if (!conn->hcon) {
sco_conn_unlock(conn);
@@ -91,6 +139,7 @@ static void sco_sock_timeout(struct work_struct *work)
if (sk)
sock_hold(sk);
sco_conn_unlock(conn);
+ sco_conn_put(conn);
if (!sk)
return;
@@ -128,9 +177,14 @@ static struct sco_conn *sco_conn_add(struct hci_conn *hcon)
{
struct sco_conn *conn = hcon->sco_data;
+ conn = sco_conn_hold_unless_zero(conn);
if (conn) {
- if (!conn->hcon)
+ if (!conn->hcon) {
+ sco_conn_lock(conn);
conn->hcon = hcon;
+ sco_conn_unlock(conn);
+ }
+ sco_conn_put(conn);
return conn;
}
@@ -138,6 +192,7 @@ static struct sco_conn *sco_conn_add(struct hci_conn *hcon)
if (!conn)
return NULL;
+ kref_init(&conn->ref);
spin_lock_init(&conn->lock);
INIT_DELAYED_WORK(&conn->timeout_work, sco_sock_timeout);
@@ -162,17 +217,15 @@ static void sco_chan_del(struct sock *sk, int err)
struct sco_conn *conn;
conn = sco_pi(sk)->conn;
+ sco_pi(sk)->conn = NULL;
BT_DBG("sk %p, conn %p, err %d", sk, conn, err);
if (conn) {
sco_conn_lock(conn);
conn->sk = NULL;
- sco_pi(sk)->conn = NULL;
sco_conn_unlock(conn);
-
- if (conn->hcon)
- hci_conn_drop(conn->hcon);
+ sco_conn_put(conn);
}
sk->sk_state = BT_CLOSED;
@@ -187,31 +240,30 @@ static void sco_conn_del(struct hci_conn *hcon, int err)
struct sco_conn *conn = hcon->sco_data;
struct sock *sk;
+ conn = sco_conn_hold_unless_zero(conn);
if (!conn)
return;
BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
- /* Kill socket */
sco_conn_lock(conn);
sk = conn->sk;
if (sk)
sock_hold(sk);
sco_conn_unlock(conn);
+ sco_conn_put(conn);
- if (sk) {
- lock_sock(sk);
- sco_sock_clear_timer(sk);
- sco_chan_del(sk, err);
- release_sock(sk);
- sock_put(sk);
+ if (!sk) {
+ sco_conn_put(conn);
+ return;
}
- /* Ensure no more work items will run before freeing conn. */
- cancel_delayed_work_sync(&conn->timeout_work);
-
- hcon->sco_data = NULL;
- kfree(conn);
+ /* Kill socket */
+ lock_sock(sk);
+ sco_sock_clear_timer(sk);
+ sco_chan_del(sk, err);
+ release_sock(sk);
+ sock_put(sk);
}
static void __sco_chan_add(struct sco_conn *conn, struct sock *sk,
@@ -395,6 +447,8 @@ static void sco_sock_destruct(struct sock *sk)
{
BT_DBG("sk %p", sk);
+ sco_conn_put(sco_pi(sk)->conn);
+
skb_queue_purge(&sk->sk_receive_queue);
skb_queue_purge(&sk->sk_write_queue);
}
@@ -442,17 +496,6 @@ static void __sco_sock_close(struct sock *sk)
case BT_CONNECTED:
case BT_CONFIG:
- if (sco_pi(sk)->conn->hcon) {
- sk->sk_state = BT_DISCONN;
- sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT);
- sco_conn_lock(sco_pi(sk)->conn);
- hci_conn_drop(sco_pi(sk)->conn->hcon);
- sco_pi(sk)->conn->hcon = NULL;
- sco_conn_unlock(sco_pi(sk)->conn);
- } else
- sco_chan_del(sk, ECONNRESET);
- break;
-
case BT_CONNECT2:
case BT_CONNECT:
case BT_DISCONN:
--
2.46.1
^ permalink raw reply related [flat|nested] 17+ messages in thread* Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Write in sco_sock_timeout
2024-10-07 20:54 [PATCH v3] Bluetooth: SCO: Use disable_delayed_work_sync Luiz Augusto von Dentz
@ 2024-10-07 21:15 ` syzbot
0 siblings, 0 replies; 17+ messages in thread
From: syzbot @ 2024-10-07 21:15 UTC (permalink / raw)
To: linux-bluetooth, linux-kernel, luiz.dentz, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Write in sco_sock_timeout
==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: slab-use-after-free in atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
BUG: KASAN: slab-use-after-free in __refcount_add include/linux/refcount.h:184 [inline]
BUG: KASAN: slab-use-after-free in __refcount_inc include/linux/refcount.h:241 [inline]
BUG: KASAN: slab-use-after-free in refcount_inc include/linux/refcount.h:258 [inline]
BUG: KASAN: slab-use-after-free in sock_hold include/net/sock.h:781 [inline]
BUG: KASAN: slab-use-after-free in sco_sock_timeout+0xa2/0x2d0 net/bluetooth/sco.c:140
Write of size 4 at addr ffff888140eac080 by task kworker/0:2/921
CPU: 0 UID: 0 PID: 921 Comm: kworker/0:2 Not tainted 6.12.0-rc2-syzkaller-g87d6aab2389e-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: events sco_sock_timeout
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
__refcount_add include/linux/refcount.h:184 [inline]
__refcount_inc include/linux/refcount.h:241 [inline]
refcount_inc include/linux/refcount.h:258 [inline]
sock_hold include/net/sock.h:781 [inline]
sco_sock_timeout+0xa2/0x2d0 net/bluetooth/sco.c:140
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f2/0x390 kernel/kthread.c:389
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Allocated by task 5764:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:257 [inline]
__do_kmalloc_node mm/slub.c:4264 [inline]
__kmalloc_noprof+0x1fc/0x400 mm/slub.c:4276
kmalloc_noprof include/linux/slab.h:882 [inline]
sk_prot_alloc+0xe0/0x210 net/core/sock.c:2164
sk_alloc+0x38/0x370 net/core/sock.c:2217
bt_sock_alloc+0x3c/0x340 net/bluetooth/af_bluetooth.c:148
sco_sock_alloc net/bluetooth/sco.c:543 [inline]
sco_sock_create+0xbb/0x390 net/bluetooth/sco.c:574
bt_sock_create+0x163/0x230 net/bluetooth/af_bluetooth.c:132
__sock_create+0x492/0x920 net/socket.c:1576
sock_create net/socket.c:1627 [inline]
__sys_socket_create net/socket.c:1664 [inline]
__sys_socket+0x150/0x3c0 net/socket.c:1711
__do_sys_socket net/socket.c:1725 [inline]
__se_sys_socket net/socket.c:1723 [inline]
__x64_sys_socket+0x7a/0x90 net/socket.c:1723
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 5765:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:2342 [inline]
slab_free mm/slub.c:4579 [inline]
kfree+0x1a0/0x440 mm/slub.c:4727
sk_prot_free net/core/sock.c:2200 [inline]
__sk_destruct+0x479/0x5f0 net/core/sock.c:2292
sco_sock_release+0x25e/0x320 net/bluetooth/sco.c:1302
__sock_release net/socket.c:658 [inline]
sock_close+0xbe/0x240 net/socket.c:1426
__fput+0x241/0x880 fs/file_table.c:431
task_work_run+0x251/0x310 kernel/task_work.c:228
get_signal+0x15e8/0x1740 kernel/signal.c:2690
arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0xc9/0x370 kernel/entry/common.c:218
do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff888140eac000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 128 bytes inside of
freed 2048-byte region [ffff888140eac000, ffff888140eac800)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888140eab000 pfn:0x140ea8
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x57ff00000000240(workingset|head|node=1|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 057ff00000000240 ffff888015442000 ffffea000515b410 ffffea000510e610
raw: ffff888140eab000 0000000000080006 00000001f5000000 0000000000000000
head: 057ff00000000240 ffff888015442000 ffffea000515b410 ffffea000510e610
head: ffff888140eab000 0000000000080006 00000001f5000000 0000000000000000
head: 057ff00000000003 ffffea000503aa01 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 2263006817, free_ts 0
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0x3045/0x3190 mm/page_alloc.c:3457
__alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4733
alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
alloc_slab_page+0x6a/0x120 mm/slub.c:2412
allocate_slab+0x5a/0x2f0 mm/slub.c:2578
new_slab mm/slub.c:2631 [inline]
___slab_alloc+0xcd1/0x14b0 mm/slub.c:3818
__slab_alloc+0x58/0xa0 mm/slub.c:3908
__slab_alloc_node mm/slub.c:3961 [inline]
slab_alloc_node mm/slub.c:4122 [inline]
__kmalloc_cache_noprof+0x1d5/0x2c0 mm/slub.c:4290
kmalloc_noprof include/linux/slab.h:878 [inline]
kzalloc_noprof include/linux/slab.h:1014 [inline]
acpi_ds_create_walk_state+0x103/0x2a0 drivers/acpi/acpica/dswstate.c:518
acpi_ds_auto_serialize_method+0xe7/0x240 drivers/acpi/acpica/dsmethod.c:81
acpi_ds_init_one_object+0x1bb/0x370 drivers/acpi/acpica/dsinit.c:110
acpi_ns_walk_namespace+0x296/0x4f0
acpi_ds_initialize_objects+0x199/0x2b0 drivers/acpi/acpica/dsinit.c:189
acpi_ns_load_table+0xfd/0x120 drivers/acpi/acpica/nsload.c:106
acpi_tb_load_namespace+0x291/0x6d0 drivers/acpi/acpica/tbxfload.c:158
page_owner free stack trace missing
Memory state around the buggy address:
ffff888140eabf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888140eac000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888140eac080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888140eac100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888140eac180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: 87d6aab2 Merge tag 'for_linus' of git://git.kernel.org..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=101aa707980000
kernel config: https://syzkaller.appspot.com/x/.config?x=a5119ec8290b5433
dashboard link: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=124a3b80580000
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH v3] Bluetooth: SCO: Use disable_delayed_work_sync
2024-10-07 20:54 [PATCH v3] Bluetooth: SCO: Use disable_delayed_work_sync Luiz Augusto von Dentz
@ 2024-10-22 16:44 Luiz Augusto von Dentz
2024-10-22 17:15 ` [syzbot] [bluetooth?] KASAN: slab-use-after-free Write in sco_sock_timeout syzbot
0 siblings, 1 reply; 17+ messages in thread
From: Luiz Augusto von Dentz @ 2024-10-22 16:44 UTC (permalink / raw)
To: linux-bluetooth; +Cc: syzbot+4c0d0c4cde787116d465
[-- Attachment #1: Type: text/plain, Size: 5792 bytes --]
#syz test
On Mon, Oct 7, 2024 at 4:54 PM Luiz Augusto von Dentz
<luiz.dentz@gmail.com> wrote:
>
> #syz test
>
> On Mon, Oct 7, 2024 at 1:16 PM Luiz Augusto von Dentz
> <luiz.dentz@gmail.com> wrote:
> >
> > #syz test
> >
> > On Fri, Oct 4, 2024 at 1:24 PM Luiz Augusto von Dentz
> > <luiz.dentz@gmail.com> wrote:
> > >
> > > #syz test
> > >
> > > On Fri, Oct 4, 2024 at 12:06 PM Luiz Augusto von Dentz
> > > <luiz.dentz@gmail.com> wrote:
> > > >
> > > > #syz test
> > > >
> > > > On Thu, Oct 3, 2024 at 3:21 PM Luiz Augusto von Dentz
> > > > <luiz.dentz@gmail.com> wrote:
> > > > >
> > > > > #syz test
> > > > >
> > > > > On Thu, Oct 3, 2024 at 12:32 PM Luiz Augusto von Dentz
> > > > > <luiz.dentz@gmail.com> wrote:
> > > > > >
> > > > > > #syz test
> > > > > >
> > > > > > On Thu, Oct 3, 2024 at 11:38 AM Luiz Augusto von Dentz
> > > > > > <luiz.dentz@gmail.com> wrote:
> > > > > > >
> > > > > > > #syz test
> > > > > > >
> > > > > > > On Wed, Oct 2, 2024 at 4:46 PM Luiz Augusto von Dentz
> > > > > > > <luiz.dentz@gmail.com> wrote:
> > > > > > > >
> > > > > > > > #syz test
> > > > > > > >
> > > > > > > > On Wed, Oct 2, 2024 at 3:46 PM Luiz Augusto von Dentz
> > > > > > > > <luiz.dentz@gmail.com> wrote:
> > > > > > > > >
> > > > > > > > > #syz test
> > > > > > > > >
> > > > > > > > > On Wed, Oct 2, 2024 at 3:19 PM Luiz Augusto von Dentz
> > > > > > > > > <luiz.dentz@gmail.com> wrote:
> > > > > > > > > >
> > > > > > > > > > #syz test
> > > > > > > > > >
> > > > > > > > > > On Wed, Oct 2, 2024 at 3:04 PM Luiz Augusto von Dentz
> > > > > > > > > > <luiz.dentz@gmail.com> wrote:
> > > > > > > > > > >
> > > > > > > > > > > From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> > > > > > > > > > >
> > > > > > > > > > > This makes use of disable_delayed_work_sync instead
> > > > > > > > > > > cancel_delayed_work_sync as it not only cancel the ongoing work but also
> > > > > > > > > > > disables new submit which is disarable since the object holding the work
> > > > > > > > > > > is about to be freed.
> > > > > > > > > > >
> > > > > > > > > > > In addition to it remove call to sco_sock_set_timer on __sco_sock_close
> > > > > > > > > > > since at that point it is useless to set a timer as the sk will be freed
> > > > > > > > > > > there is nothing to be done in sco_sock_timeout.
> > > > > > > > > > >
> > > > > > > > > > > Reported-by: syzbot+4c0d0c4cde787116d465@syzkaller.appspotmail.com
> > > > > > > > > > > Closes: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
> > > > > > > > > > > Fixes: ba316be1b6a0 ("Bluetooth: schedule SCO timeouts with delayed_work")
> > > > > > > > > > > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> > > > > > > > > > > ---
> > > > > > > > > > > net/bluetooth/sco.c | 13 +------------
> > > > > > > > > > > 1 file changed, 1 insertion(+), 12 deletions(-)
> > > > > > > > > > >
> > > > > > > > > > > diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
> > > > > > > > > > > index a5ac160c592e..2b1e66976068 100644
> > > > > > > > > > > --- a/net/bluetooth/sco.c
> > > > > > > > > > > +++ b/net/bluetooth/sco.c
> > > > > > > > > > > @@ -208,7 +208,7 @@ static void sco_conn_del(struct hci_conn *hcon, int err)
> > > > > > > > > > > }
> > > > > > > > > > >
> > > > > > > > > > > /* Ensure no more work items will run before freeing conn. */
> > > > > > > > > > > - cancel_delayed_work_sync(&conn->timeout_work);
> > > > > > > > > > > + disable_delayed_work_sync(&conn->timeout_work);
> > > > > > > > > > >
> > > > > > > > > > > hcon->sco_data = NULL;
> > > > > > > > > > > kfree(conn);
> > > > > > > > > > > @@ -442,17 +442,6 @@ static void __sco_sock_close(struct sock *sk)
> > > > > > > > > > >
> > > > > > > > > > > case BT_CONNECTED:
> > > > > > > > > > > case BT_CONFIG:
> > > > > > > > > > > - if (sco_pi(sk)->conn->hcon) {
> > > > > > > > > > > - sk->sk_state = BT_DISCONN;
> > > > > > > > > > > - sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT);
> > > > > > > > > > > - sco_conn_lock(sco_pi(sk)->conn);
> > > > > > > > > > > - hci_conn_drop(sco_pi(sk)->conn->hcon);
> > > > > > > > > > > - sco_pi(sk)->conn->hcon = NULL;
> > > > > > > > > > > - sco_conn_unlock(sco_pi(sk)->conn);
> > > > > > > > > > > - } else
> > > > > > > > > > > - sco_chan_del(sk, ECONNRESET);
> > > > > > > > > > > - break;
> > > > > > > > > > > -
> > > > > > > > > > > case BT_CONNECT2:
> > > > > > > > > > > case BT_CONNECT:
> > > > > > > > > > > case BT_DISCONN:
> > > > > > > > > > > --
> > > > > > > > > > > 2.46.1
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > --
> > > > > > > > > > Luiz Augusto von Dentz
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > Luiz Augusto von Dentz
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > --
> > > > > > > > Luiz Augusto von Dentz
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > > Luiz Augusto von Dentz
> > > > > >
> > > > > >
> > > > > >
> > > > > > --
> > > > > > Luiz Augusto von Dentz
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Luiz Augusto von Dentz
> > > >
> > > >
> > > >
> > > > --
> > > > Luiz Augusto von Dentz
> > >
> > >
> > >
> > > --
> > > Luiz Augusto von Dentz
> >
> >
> >
> > --
> > Luiz Augusto von Dentz
>
>
>
> --
> Luiz Augusto von Dentz
--
Luiz Augusto von Dentz
[-- Attachment #2: v1-0001-Bluetooth-SCO-Fix-UAF-on-sco_sock_timeout.patch --]
[-- Type: text/x-patch, Size: 1735 bytes --]
From 4a960d62b95deab698c4e13af036a3f0589add70 Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: Tue, 22 Oct 2024 12:31:08 -0400
Subject: [PATCH v1] Bluetooth: SCO: Fix UAF on sco_sock_timeout
conn->sk maybe have been unlinked/freed while waiting for sco_conn_lock
so this checks if the conn->sk is still valid by checking if it part of
sco_sk_list.
Reported-by: syzbot+4c0d0c4cde787116d465@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
Fixes: ba316be1b6a0 ("Bluetooth: schedule SCO timeouts with delayed_work")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
net/bluetooth/sco.c | 23 ++++++++++++++++++++++-
1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index a5ac160c592e..9a28b2f83e7c 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -76,6 +76,27 @@ struct sco_pinfo {
#define SCO_CONN_TIMEOUT (HZ * 40)
#define SCO_DISCONN_TIMEOUT (HZ * 2)
+static bool sco_conn_linked(struct sco_conn *conn)
+{
+ struct sock *sk;
+
+ if (!conn || !conn->sk)
+ return false;
+
+ read_lock(&sco_sk_list.lock);
+
+ sk_for_each(sk, &sco_sk_list.head) {
+ if (sk == conn->sk) {
+ read_unlock(&sco_sk_list.lock);
+ return true;
+ }
+ }
+
+ read_unlock(&sco_sk_list.lock);
+
+ return false;
+}
+
static void sco_sock_timeout(struct work_struct *work)
{
struct sco_conn *conn = container_of(work, struct sco_conn,
@@ -87,7 +108,7 @@ static void sco_sock_timeout(struct work_struct *work)
sco_conn_unlock(conn);
return;
}
- sk = conn->sk;
+ sk = sco_conn_linked(conn) ? conn->sk : NULL;
if (sk)
sock_hold(sk);
sco_conn_unlock(conn);
--
2.47.0
^ permalink raw reply related [flat|nested] 17+ messages in thread* Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Write in sco_sock_timeout
2024-10-22 16:44 [PATCH v3] Bluetooth: SCO: Use disable_delayed_work_sync Luiz Augusto von Dentz
@ 2024-10-22 17:15 ` syzbot
0 siblings, 0 replies; 17+ messages in thread
From: syzbot @ 2024-10-22 17:15 UTC (permalink / raw)
To: linux-bluetooth, linux-kernel, luiz.dentz, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Write in sco_conn_del
==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: slab-use-after-free in atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
BUG: KASAN: slab-use-after-free in __refcount_add include/linux/refcount.h:184 [inline]
BUG: KASAN: slab-use-after-free in __refcount_inc include/linux/refcount.h:241 [inline]
BUG: KASAN: slab-use-after-free in refcount_inc include/linux/refcount.h:258 [inline]
BUG: KASAN: slab-use-after-free in sock_hold include/net/sock.h:781 [inline]
BUG: KASAN: slab-use-after-free in sco_conn_del+0xa5/0x310 net/bluetooth/sco.c:220
Write of size 4 at addr ffff88807bd72080 by task syz-executor.0/5406
CPU: 0 UID: 0 PID: 5406 Comm: syz-executor.0 Not tainted 6.12.0-rc4-syzkaller-gc2ee9f594da8-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
__refcount_add include/linux/refcount.h:184 [inline]
__refcount_inc include/linux/refcount.h:241 [inline]
refcount_inc include/linux/refcount.h:258 [inline]
sock_hold include/net/sock.h:781 [inline]
sco_conn_del+0xa5/0x310 net/bluetooth/sco.c:220
hci_disconn_cfm include/net/bluetooth/hci_core.h:1975 [inline]
hci_conn_hash_flush+0x101/0x240 net/bluetooth/hci_conn.c:2592
hci_dev_close_sync+0x9ef/0x11a0 net/bluetooth/hci_sync.c:5195
hci_dev_do_close net/bluetooth/hci_core.c:483 [inline]
hci_unregister_dev+0x20b/0x510 net/bluetooth/hci_core.c:2698
vhci_release+0x80/0xd0 drivers/bluetooth/hci_vhci.c:664
__fput+0x241/0x880 fs/file_table.c:431
task_work_run+0x251/0x310 kernel/task_work.c:239
exit_task_work include/linux/task_work.h:43 [inline]
do_exit+0xa2f/0x28e0 kernel/exit.c:939
do_group_exit+0x207/0x2c0 kernel/exit.c:1088
__do_sys_exit_group kernel/exit.c:1099 [inline]
__se_sys_exit_group kernel/exit.c:1097 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097
x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f018087de69
Code: Unable to access opcode bytes at 0x7f018087de3f.
RSP: 002b:00007fffa31fb468 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f018087de69
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000043
RBP: 00007f01808ca45b R08: 00007fffa31f9207 R09: 000000000006d03d
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000006
R13: 000000000006d03d R14: 000000000006ccf5 R15: 0000000000000004
</TASK>
Allocated by task 5400:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
unpoison_slab_object mm/kasan/common.c:319 [inline]
__kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:345
kasan_slab_alloc include/linux/kasan.h:247 [inline]
slab_post_alloc_hook mm/slub.c:4085 [inline]
slab_alloc_node mm/slub.c:4134 [inline]
kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4141
getname_flags+0xb7/0x540 fs/namei.c:139
getname fs/namei.c:225 [inline]
__do_sys_unlink fs/namei.c:4581 [inline]
__se_sys_unlink fs/namei.c:4579 [inline]
__x64_sys_unlink+0x3a/0x50 fs/namei.c:4579
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 5400:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:2342 [inline]
slab_free mm/slub.c:4579 [inline]
kmem_cache_free+0x1a2/0x420 mm/slub.c:4681
do_unlinkat+0x7b0/0x830 fs/namei.c:4556
__do_sys_unlink fs/namei.c:4581 [inline]
__se_sys_unlink fs/namei.c:4579 [inline]
__x64_sys_unlink+0x47/0x50 fs/namei.c:4579
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff88807bd71100
which belongs to the cache names_cache of size 4096
The buggy address is located 3968 bytes inside of
freed 4096-byte region [ffff88807bd71100, ffff88807bd72100)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7bd70
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff8880162f4780 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000070007 00000001f5000000 0000000000000000
head: 00fff00000000040 ffff8880162f4780 dead000000000122 0000000000000000
head: 0000000000000000 0000000000070007 00000001f5000000 0000000000000000
head: 00fff00000000003 ffffea0001ef5c01 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5400, tgid 5400 (udevd), ts 432009536360, free_ts 431999575653
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0x3045/0x3190 mm/page_alloc.c:3457
__alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4733
alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
alloc_slab_page+0x6a/0x120 mm/slub.c:2412
allocate_slab+0x5a/0x2f0 mm/slub.c:2578
new_slab mm/slub.c:2631 [inline]
___slab_alloc+0xcd1/0x14b0 mm/slub.c:3818
__slab_alloc+0x58/0xa0 mm/slub.c:3908
__slab_alloc_node mm/slub.c:3961 [inline]
slab_alloc_node mm/slub.c:4122 [inline]
kmem_cache_alloc_noprof+0x1c1/0x2a0 mm/slub.c:4141
getname_flags+0xb7/0x540 fs/namei.c:139
vfs_fstatat+0x12c/0x190 fs/stat.c:340
__do_sys_newfstatat fs/stat.c:505 [inline]
__se_sys_newfstatat fs/stat.c:499 [inline]
__x64_sys_newfstatat+0x11d/0x1a0 fs/stat.c:499
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 4552 tgid 4552 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0xcfb/0xf20 mm/page_alloc.c:2638
discard_slab mm/slub.c:2677 [inline]
__put_partials+0xeb/0x130 mm/slub.c:3145
put_cpu_partial+0x17c/0x250 mm/slub.c:3220
__slab_free+0x2ea/0x3d0 mm/slub.c:4449
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x9a/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:247 [inline]
slab_post_alloc_hook mm/slub.c:4085 [inline]
slab_alloc_node mm/slub.c:4134 [inline]
__do_kmalloc_node mm/slub.c:4263 [inline]
__kmalloc_noprof+0x1a6/0x400 mm/slub.c:4276
kmalloc_noprof include/linux/slab.h:882 [inline]
tomoyo_realpath_from_path+0xcf/0x5e0 security/tomoyo/realpath.c:251
tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
tomoyo_path_perm+0x2b7/0x740 security/tomoyo/file.c:822
security_inode_getattr+0x130/0x330 security/security.c:2373
vfs_getattr+0x45/0x430 fs/stat.c:204
vfs_fstat fs/stat.c:229 [inline]
vfs_fstatat+0xe4/0x190 fs/stat.c:338
__do_sys_newfstatat fs/stat.c:505 [inline]
__se_sys_newfstatat fs/stat.c:499 [inline]
__x64_sys_newfstatat+0x11d/0x1a0 fs/stat.c:499
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff88807bd71f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807bd72000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88807bd72080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88807bd72100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88807bd72180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Tested on:
commit: c2ee9f59 KVM: selftests: Fix build on on non-x86 archi..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=103ff430580000
kernel config: https://syzkaller.appspot.com/x/.config?x=346c6d758171538d
dashboard link: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=13264a5f980000
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH v3] Bluetooth: SCO: Use disable_delayed_work_sync
2024-10-22 16:44 [PATCH v3] Bluetooth: SCO: Use disable_delayed_work_sync Luiz Augusto von Dentz
@ 2024-10-22 19:19 Luiz Augusto von Dentz
2024-10-22 19:51 ` [syzbot] [bluetooth?] KASAN: slab-use-after-free Write in sco_sock_timeout syzbot
0 siblings, 1 reply; 17+ messages in thread
From: Luiz Augusto von Dentz @ 2024-10-22 19:19 UTC (permalink / raw)
To: linux-bluetooth; +Cc: syzbot+4c0d0c4cde787116d465
[-- Attachment #1: Type: text/plain, Size: 6252 bytes --]
#syz test
On Tue, Oct 22, 2024 at 12:44 PM Luiz Augusto von Dentz
<luiz.dentz@gmail.com> wrote:
>
> #syz test
>
> On Mon, Oct 7, 2024 at 4:54 PM Luiz Augusto von Dentz
> <luiz.dentz@gmail.com> wrote:
> >
> > #syz test
> >
> > On Mon, Oct 7, 2024 at 1:16 PM Luiz Augusto von Dentz
> > <luiz.dentz@gmail.com> wrote:
> > >
> > > #syz test
> > >
> > > On Fri, Oct 4, 2024 at 1:24 PM Luiz Augusto von Dentz
> > > <luiz.dentz@gmail.com> wrote:
> > > >
> > > > #syz test
> > > >
> > > > On Fri, Oct 4, 2024 at 12:06 PM Luiz Augusto von Dentz
> > > > <luiz.dentz@gmail.com> wrote:
> > > > >
> > > > > #syz test
> > > > >
> > > > > On Thu, Oct 3, 2024 at 3:21 PM Luiz Augusto von Dentz
> > > > > <luiz.dentz@gmail.com> wrote:
> > > > > >
> > > > > > #syz test
> > > > > >
> > > > > > On Thu, Oct 3, 2024 at 12:32 PM Luiz Augusto von Dentz
> > > > > > <luiz.dentz@gmail.com> wrote:
> > > > > > >
> > > > > > > #syz test
> > > > > > >
> > > > > > > On Thu, Oct 3, 2024 at 11:38 AM Luiz Augusto von Dentz
> > > > > > > <luiz.dentz@gmail.com> wrote:
> > > > > > > >
> > > > > > > > #syz test
> > > > > > > >
> > > > > > > > On Wed, Oct 2, 2024 at 4:46 PM Luiz Augusto von Dentz
> > > > > > > > <luiz.dentz@gmail.com> wrote:
> > > > > > > > >
> > > > > > > > > #syz test
> > > > > > > > >
> > > > > > > > > On Wed, Oct 2, 2024 at 3:46 PM Luiz Augusto von Dentz
> > > > > > > > > <luiz.dentz@gmail.com> wrote:
> > > > > > > > > >
> > > > > > > > > > #syz test
> > > > > > > > > >
> > > > > > > > > > On Wed, Oct 2, 2024 at 3:19 PM Luiz Augusto von Dentz
> > > > > > > > > > <luiz.dentz@gmail.com> wrote:
> > > > > > > > > > >
> > > > > > > > > > > #syz test
> > > > > > > > > > >
> > > > > > > > > > > On Wed, Oct 2, 2024 at 3:04 PM Luiz Augusto von Dentz
> > > > > > > > > > > <luiz.dentz@gmail.com> wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> > > > > > > > > > > >
> > > > > > > > > > > > This makes use of disable_delayed_work_sync instead
> > > > > > > > > > > > cancel_delayed_work_sync as it not only cancel the ongoing work but also
> > > > > > > > > > > > disables new submit which is disarable since the object holding the work
> > > > > > > > > > > > is about to be freed.
> > > > > > > > > > > >
> > > > > > > > > > > > In addition to it remove call to sco_sock_set_timer on __sco_sock_close
> > > > > > > > > > > > since at that point it is useless to set a timer as the sk will be freed
> > > > > > > > > > > > there is nothing to be done in sco_sock_timeout.
> > > > > > > > > > > >
> > > > > > > > > > > > Reported-by: syzbot+4c0d0c4cde787116d465@syzkaller.appspotmail.com
> > > > > > > > > > > > Closes: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
> > > > > > > > > > > > Fixes: ba316be1b6a0 ("Bluetooth: schedule SCO timeouts with delayed_work")
> > > > > > > > > > > > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> > > > > > > > > > > > ---
> > > > > > > > > > > > net/bluetooth/sco.c | 13 +------------
> > > > > > > > > > > > 1 file changed, 1 insertion(+), 12 deletions(-)
> > > > > > > > > > > >
> > > > > > > > > > > > diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
> > > > > > > > > > > > index a5ac160c592e..2b1e66976068 100644
> > > > > > > > > > > > --- a/net/bluetooth/sco.c
> > > > > > > > > > > > +++ b/net/bluetooth/sco.c
> > > > > > > > > > > > @@ -208,7 +208,7 @@ static void sco_conn_del(struct hci_conn *hcon, int err)
> > > > > > > > > > > > }
> > > > > > > > > > > >
> > > > > > > > > > > > /* Ensure no more work items will run before freeing conn. */
> > > > > > > > > > > > - cancel_delayed_work_sync(&conn->timeout_work);
> > > > > > > > > > > > + disable_delayed_work_sync(&conn->timeout_work);
> > > > > > > > > > > >
> > > > > > > > > > > > hcon->sco_data = NULL;
> > > > > > > > > > > > kfree(conn);
> > > > > > > > > > > > @@ -442,17 +442,6 @@ static void __sco_sock_close(struct sock *sk)
> > > > > > > > > > > >
> > > > > > > > > > > > case BT_CONNECTED:
> > > > > > > > > > > > case BT_CONFIG:
> > > > > > > > > > > > - if (sco_pi(sk)->conn->hcon) {
> > > > > > > > > > > > - sk->sk_state = BT_DISCONN;
> > > > > > > > > > > > - sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT);
> > > > > > > > > > > > - sco_conn_lock(sco_pi(sk)->conn);
> > > > > > > > > > > > - hci_conn_drop(sco_pi(sk)->conn->hcon);
> > > > > > > > > > > > - sco_pi(sk)->conn->hcon = NULL;
> > > > > > > > > > > > - sco_conn_unlock(sco_pi(sk)->conn);
> > > > > > > > > > > > - } else
> > > > > > > > > > > > - sco_chan_del(sk, ECONNRESET);
> > > > > > > > > > > > - break;
> > > > > > > > > > > > -
> > > > > > > > > > > > case BT_CONNECT2:
> > > > > > > > > > > > case BT_CONNECT:
> > > > > > > > > > > > case BT_DISCONN:
> > > > > > > > > > > > --
> > > > > > > > > > > > 2.46.1
> > > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > --
> > > > > > > > > > > Luiz Augusto von Dentz
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > --
> > > > > > > > > > Luiz Augusto von Dentz
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > Luiz Augusto von Dentz
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > --
> > > > > > > > Luiz Augusto von Dentz
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > > Luiz Augusto von Dentz
> > > > > >
> > > > > >
> > > > > >
> > > > > > --
> > > > > > Luiz Augusto von Dentz
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Luiz Augusto von Dentz
> > > >
> > > >
> > > >
> > > > --
> > > > Luiz Augusto von Dentz
> > >
> > >
> > >
> > > --
> > > Luiz Augusto von Dentz
> >
> >
> >
> > --
> > Luiz Augusto von Dentz
>
>
>
> --
> Luiz Augusto von Dentz
--
Luiz Augusto von Dentz
[-- Attachment #2: v1-0001-Bluetooth-SCO-Fix-UAF-on-sco_sock_timeout.patch --]
[-- Type: text/x-patch, Size: 3372 bytes --]
From 018604f4be8f1e769a358b1e7bf93e1c2cc83e28 Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: Tue, 22 Oct 2024 12:31:08 -0400
Subject: [PATCH v1] Bluetooth: SCO: Fix UAF on sco_sock_timeout
conn->sk maybe have been unlinked/freed while waiting for sco_conn_lock
so this checks if the conn->sk is still valid by checking if it part of
sco_sk_list.
Reported-by: syzbot+4c0d0c4cde787116d465@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
Fixes: ba316be1b6a0 ("Bluetooth: schedule SCO timeouts with delayed_work")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
include/net/bluetooth/bluetooth.h | 1 +
net/bluetooth/af_bluetooth.c | 22 ++++++++++++++++++++++
net/bluetooth/sco.c | 18 ++++++++++++------
3 files changed, 35 insertions(+), 6 deletions(-)
diff --git a/include/net/bluetooth/bluetooth.h b/include/net/bluetooth/bluetooth.h
index 5d655e109b2c..f66bc85c6411 100644
--- a/include/net/bluetooth/bluetooth.h
+++ b/include/net/bluetooth/bluetooth.h
@@ -403,6 +403,7 @@ int bt_sock_register(int proto, const struct net_proto_family *ops);
void bt_sock_unregister(int proto);
void bt_sock_link(struct bt_sock_list *l, struct sock *s);
void bt_sock_unlink(struct bt_sock_list *l, struct sock *s);
+bool bt_sock_linked(struct bt_sock_list *l, struct sock *s);
struct sock *bt_sock_alloc(struct net *net, struct socket *sock,
struct proto *prot, int proto, gfp_t prio, int kern);
int bt_sock_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
index e39fba5565c5..0b4d0a8bd361 100644
--- a/net/bluetooth/af_bluetooth.c
+++ b/net/bluetooth/af_bluetooth.c
@@ -185,6 +185,28 @@ void bt_sock_unlink(struct bt_sock_list *l, struct sock *sk)
}
EXPORT_SYMBOL(bt_sock_unlink);
+bool bt_sock_linked(struct bt_sock_list *l, struct sock *s)
+{
+ struct sock *sk;
+
+ if (!l || !s)
+ return false;
+
+ read_lock(&l->lock);
+
+ sk_for_each(sk, &l->head) {
+ if (s == sk) {
+ read_unlock(&l->lock);
+ return true;
+ }
+ }
+
+ read_unlock(&l->lock);
+
+ return false;
+}
+EXPORT_SYMBOL(bt_sock_linked);
+
void bt_accept_enqueue(struct sock *parent, struct sock *sk, bool bh)
{
const struct cred *old_cred;
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index a5ac160c592e..1c7252a36866 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -76,6 +76,16 @@ struct sco_pinfo {
#define SCO_CONN_TIMEOUT (HZ * 40)
#define SCO_DISCONN_TIMEOUT (HZ * 2)
+static struct sock *sco_sock_hold(struct sco_conn *conn)
+{
+ if (!conn || !bt_sock_linked(&sco_sk_list, conn->sk))
+ return NULL;
+
+ sock_hold(conn->sk);
+
+ return conn->sk;
+}
+
static void sco_sock_timeout(struct work_struct *work)
{
struct sco_conn *conn = container_of(work, struct sco_conn,
@@ -87,9 +97,7 @@ static void sco_sock_timeout(struct work_struct *work)
sco_conn_unlock(conn);
return;
}
- sk = conn->sk;
- if (sk)
- sock_hold(sk);
+ sk = sco_sock_hold(conn);
sco_conn_unlock(conn);
if (!sk)
@@ -194,9 +202,7 @@ static void sco_conn_del(struct hci_conn *hcon, int err)
/* Kill socket */
sco_conn_lock(conn);
- sk = conn->sk;
- if (sk)
- sock_hold(sk);
+ sk = sco_sock_hold(conn);
sco_conn_unlock(conn);
if (sk) {
--
2.47.0
^ permalink raw reply related [flat|nested] 17+ messages in thread
end of thread, other threads:[~2024-10-22 19:51 UTC | newest]
Thread overview: 17+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-11-16 11:20 [syzbot] [bluetooth?] KASAN: slab-use-after-free Write in sco_sock_timeout syzbot
[not found] <000000000000797bd1060a457c08@google.com>
2023-12-06 3:58 ` syzbot
-- strict thread matches above, loose matches on Subject: below --
2024-10-01 19:49 [PATCH v1] Bluetooth: SCO: Use disable_delayed_work_sync Luiz Augusto von Dentz
2024-10-01 20:13 ` [syzbot] [bluetooth?] KASAN: slab-use-after-free Write in sco_sock_timeout syzbot
2024-10-02 18:26 [PATCH v2] Bluetooth: SCO: Use disable_delayed_work_sync Luiz Augusto von Dentz
2024-10-02 18:46 ` [syzbot] [bluetooth?] KASAN: slab-use-after-free Write in sco_sock_timeout syzbot
2024-10-02 19:19 [PATCH v3] Bluetooth: SCO: Use disable_delayed_work_sync Luiz Augusto von Dentz
2024-10-02 19:37 ` [syzbot] [bluetooth?] KASAN: slab-use-after-free Write in sco_sock_timeout syzbot
2024-10-02 19:46 [PATCH v3] Bluetooth: SCO: Use disable_delayed_work_sync Luiz Augusto von Dentz
2024-10-02 20:05 ` [syzbot] [bluetooth?] KASAN: slab-use-after-free Write in sco_sock_timeout syzbot
2024-10-02 20:46 [PATCH v3] Bluetooth: SCO: Use disable_delayed_work_sync Luiz Augusto von Dentz
2024-10-02 23:16 ` [syzbot] [bluetooth?] KASAN: slab-use-after-free Write in sco_sock_timeout syzbot
2024-10-03 15:38 [PATCH v3] Bluetooth: SCO: Use disable_delayed_work_sync Luiz Augusto von Dentz
2024-10-03 15:55 ` [syzbot] [bluetooth?] KASAN: slab-use-after-free Write in sco_sock_timeout syzbot
2024-10-03 16:32 [PATCH v3] Bluetooth: SCO: Use disable_delayed_work_sync Luiz Augusto von Dentz
2024-10-03 16:53 ` [syzbot] [bluetooth?] KASAN: slab-use-after-free Write in sco_sock_timeout syzbot
2024-10-03 19:21 [PATCH v3] Bluetooth: SCO: Use disable_delayed_work_sync Luiz Augusto von Dentz
2024-10-03 19:44 ` [syzbot] [bluetooth?] KASAN: slab-use-after-free Write in sco_sock_timeout syzbot
2024-10-03 20:06 ` Luiz Augusto von Dentz
2024-10-04 16:06 [PATCH v3] Bluetooth: SCO: Use disable_delayed_work_sync Luiz Augusto von Dentz
2024-10-04 16:34 ` [syzbot] [bluetooth?] KASAN: slab-use-after-free Write in sco_sock_timeout syzbot
2024-10-04 17:24 [PATCH v3] Bluetooth: SCO: Use disable_delayed_work_sync Luiz Augusto von Dentz
2024-10-04 17:40 ` [syzbot] [bluetooth?] KASAN: slab-use-after-free Write in sco_sock_timeout syzbot
2024-10-07 17:16 [PATCH v3] Bluetooth: SCO: Use disable_delayed_work_sync Luiz Augusto von Dentz
2024-10-07 17:33 ` [syzbot] [bluetooth?] KASAN: slab-use-after-free Write in sco_sock_timeout syzbot
2024-10-07 20:54 [PATCH v3] Bluetooth: SCO: Use disable_delayed_work_sync Luiz Augusto von Dentz
2024-10-07 21:15 ` [syzbot] [bluetooth?] KASAN: slab-use-after-free Write in sco_sock_timeout syzbot
2024-10-22 16:44 [PATCH v3] Bluetooth: SCO: Use disable_delayed_work_sync Luiz Augusto von Dentz
2024-10-22 17:15 ` [syzbot] [bluetooth?] KASAN: slab-use-after-free Write in sco_sock_timeout syzbot
2024-10-22 19:19 [PATCH v3] Bluetooth: SCO: Use disable_delayed_work_sync Luiz Augusto von Dentz
2024-10-22 19:51 ` [syzbot] [bluetooth?] KASAN: slab-use-after-free Write in sco_sock_timeout syzbot
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).