linux-bluetooth.vger.kernel.org archive mirror
* bluetooth: use-after-free in vhci_send_frame
@ 2016-01-29  8:50 Dmitry Vyukov
  2016-03-04  9:15 ` Dmitry Vyukov
  0 siblings, 1 reply; 9+ messages in thread
From: Dmitry Vyukov @ 2016-01-29  8:50 UTC (permalink / raw)
  To: Marcel Holtmann, Gustavo Padovan, Johan Hedberg, linux-bluetooth,
	LKML
  Cc: syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin

Hello,

I've got the following use-after-free reports while running the syzkaller
fuzzer. Unfortunately there is no reproducer, but this happened when the system
was busy reacting to sysrq-t, so probably some unexpected delay happened.

On commit 92e963f50fc74041b5e9e744c330dca48e04f08d.

==================================================================
BUG: KASAN: use-after-free in do_raw_spin_unlock+0x228/0x240 at addr
ffff88003a8a9ed8
Write of size 8 by task kworker/u12:2/10322
=============================================================================
BUG kmalloc-512 (Tainted: G    B          ): kasan: bad access detected
-----------------------------------------------------------------------------

INFO: Allocated in vhci_open+0x50/0x350 age=6743 cpu=0 pid=10397
[<      none      >] ___slab_alloc+0x564/0x5b0 mm/slub.c:2470
[<      none      >] __slab_alloc+0x66/0xc0 mm/slub.c:2499
[<     inline     >] slab_alloc_node mm/slub.c:2562
[<     inline     >] slab_alloc mm/slub.c:2604
[<      none      >] kmem_cache_alloc_trace+0x25c/0x300 mm/slub.c:2621
[<     inline     >] kmalloc include/linux/slab.h:463
[<     inline     >] kzalloc include/linux/slab.h:607
[<      none      >] vhci_open+0x50/0x350 drivers/bluetooth/hci_vhci.c:316
[<      none      >] misc_open+0x388/0x520 drivers/char/misc.c:153
[<      none      >] chrdev_open+0x22a/0x4c0 fs/char_dev.c:388
[<      none      >] do_dentry_open+0x6a2/0xcb0 fs/open.c:736
[<      none      >] vfs_open+0x17b/0x1f0 fs/open.c:853
[<     inline     >] do_last fs/namei.c:3254
[<      none      >] path_openat+0xde9/0x5e30 fs/namei.c:3386
[<      none      >] do_filp_open+0x18e/0x250 fs/namei.c:3421
[<      none      >] do_sys_open+0x1fc/0x420 fs/open.c:1022
[<     inline     >] SYSC_open fs/open.c:1040
[<      none      >] SyS_open+0x2d/0x40 fs/open.c:1035
[<      none      >] entry_SYSCALL_64_fastpath+0x16/0x7a
arch/x86/entry/entry_64.S:185

INFO: Freed in vhci_release+0xae/0xe0 age=2072 cpu=2 pid=10397
[<      none      >] __slab_free+0x1fc/0x320 mm/slub.c:2680
[<     inline     >] slab_free mm/slub.c:2835
[<      none      >] kfree+0x2ac/0x2c0 mm/slub.c:3664
[<      none      >] vhci_release+0xae/0xe0 drivers/bluetooth/hci_vhci.c:346
[<      none      >] __fput+0x236/0x780 fs/file_table.c:208
[<      none      >] ____fput+0x15/0x20 fs/file_table.c:244
[<      none      >] task_work_run+0x170/0x210 kernel/task_work.c:115
[<     inline     >] exit_task_work include/linux/task_work.h:21
[<      none      >] do_exit+0x8b5/0x2cb0 kernel/exit.c:748
[<      none      >] do_group_exit+0x108/0x330 kernel/exit.c:878
[<      none      >] get_signal+0x5e4/0x14f0 kernel/signal.c:2307
[<      none      >] do_signal+0x83/0x1c90 arch/x86/kernel/signal.c:712
[<      none      >] exit_to_usermode_loop+0x1a5/0x210
arch/x86/entry/common.c:247
[<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:282
[<      none      >] syscall_return_slowpath+0x2ba/0x340
arch/x86/entry/common.c:344
[<      none      >] int_ret_from_sys_call+0x25/0x9f
arch/x86/entry/entry_64.S:281

INFO: Slab 0xffffea0000ea2a00 objects=16 used=14 fp=0xffff88003a8a9ec0
flags=0x1fffc0000004080
INFO: Object 0xffff88003a8a9ec0 @offset=7872 fp=0xffff88003a8a9ae8
CPU: 1 PID: 10322 Comm: kworker/u12:2 Tainted: G    B           4.5.0-rc1+ #300
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: hci0 hci_cmd_work
 00000000ffffffff ffff88003634f9f8 ffffffff82be118d ffff88003e804f00
 ffff88003a8a9ec0 ffff88003a8a8000 ffff88003634fa28 ffffffff8175b434
 ffff88003e804f00 ffffea0000ea2a00 ffff88003a8a9ec0 0000000000000001

Call Trace:
 [<     inline     >] kasan_report mm/kasan/report.c:274
 [<ffffffff81764f9e>] __asan_report_store8_noabort+0x3e/0x40
mm/kasan/report.c:300
 [<     inline     >] debug_spin_unlock kernel/locking/spinlock_debug.c:102
 [<ffffffff81466608>] do_raw_spin_unlock+0x228/0x240
kernel/locking/spinlock_debug.c:158
 [<     inline     >] __raw_spin_unlock_irqrestore
include/linux/spinlock_api_smp.h:161
 [<ffffffff86652cf7>] _raw_spin_unlock_irqrestore+0x27/0xc0
kernel/locking/spinlock.c:191
 [<     inline     >] spin_unlock_irqrestore include/linux/spinlock.h:362
 [<ffffffff8143975f>] __wake_up+0x3f/0x50 kernel/sched/wait.c:96
 [<ffffffff8484b983>] vhci_send_frame+0xc3/0x100 drivers/bluetooth/hci_vhci.c:86
 [<ffffffff85d38315>] hci_send_frame+0x1f5/0x310 net/bluetooth/hci_core.c:3316
 [<ffffffff85d385bf>] hci_cmd_work+0x18f/0x2e0 net/bluetooth/hci_core.c:4196
 [<ffffffff813a2386>] process_one_work+0x796/0x1440 kernel/workqueue.c:2037
 [<ffffffff813a310b>] worker_thread+0xdb/0xfc0 kernel/workqueue.c:2171
 [<ffffffff813b637f>] kthread+0x23f/0x2d0 drivers/block/aoe/aoecmd.c:1303
 [<ffffffff866535ef>] ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468
==================================================================

==================================================================
BUG: KASAN: use-after-free in do_raw_spin_lock+0x281/0x2b0 at addr
ffff88003a8a9f2c
Read of size 4 by task kworker/u12:0/3554
=============================================================================
BUG kmalloc-512 (Tainted: G    B          ): kasan: bad access detected
-----------------------------------------------------------------------------

INFO: Allocated in vhci_open+0x50/0x350 age=16305 cpu=0 pid=10397
[<      none      >] ___slab_alloc+0x564/0x5b0 mm/slub.c:2470
[<      none      >] __slab_alloc+0x66/0xc0 mm/slub.c:2499
[<     inline     >] slab_alloc_node mm/slub.c:2562
[<     inline     >] slab_alloc mm/slub.c:2604
[<      none      >] kmem_cache_alloc_trace+0x25c/0x300 mm/slub.c:2621
[<     inline     >] kmalloc include/linux/slab.h:463
[<     inline     >] kzalloc include/linux/slab.h:607
[<      none      >] vhci_open+0x50/0x350 drivers/bluetooth/hci_vhci.c:316
[<      none      >] misc_open+0x388/0x520 drivers/char/misc.c:153
[<      none      >] chrdev_open+0x22a/0x4c0 fs/char_dev.c:388
[<      none      >] do_dentry_open+0x6a2/0xcb0 fs/open.c:736
[<      none      >] vfs_open+0x17b/0x1f0 fs/open.c:853
[<     inline     >] do_last fs/namei.c:3254
[<      none      >] path_openat+0xde9/0x5e30 fs/namei.c:3386
[<      none      >] do_filp_open+0x18e/0x250 fs/namei.c:3421
[<      none      >] do_sys_open+0x1fc/0x420 fs/open.c:1022
[<     inline     >] SYSC_open fs/open.c:1040
[<      none      >] SyS_open+0x2d/0x40 fs/open.c:1035
[<      none      >] entry_SYSCALL_64_fastpath+0x16/0x7a
arch/x86/entry/entry_64.S:185

INFO: Freed in vhci_release+0xae/0xe0 age=11634 cpu=2 pid=10397
[<      none      >] __slab_free+0x1fc/0x320 mm/slub.c:2680
[<     inline     >] slab_free mm/slub.c:2835
[<      none      >] kfree+0x2ac/0x2c0 mm/slub.c:3664
[<      none      >] vhci_release+0xae/0xe0 drivers/bluetooth/hci_vhci.c:346
[<      none      >] __fput+0x236/0x780 fs/file_table.c:208
[<      none      >] ____fput+0x15/0x20 fs/file_table.c:244
[<      none      >] task_work_run+0x170/0x210 kernel/task_work.c:115
[<     inline     >] exit_task_work include/linux/task_work.h:21
[<      none      >] do_exit+0x8b5/0x2cb0 kernel/exit.c:748
[<      none      >] do_group_exit+0x108/0x330 kernel/exit.c:878
[<      none      >] get_signal+0x5e4/0x14f0 kernel/signal.c:2307
[<      none      >] do_signal+0x83/0x1c90 arch/x86/kernel/signal.c:712
[<      none      >] exit_to_usermode_loop+0x1a5/0x210
arch/x86/entry/common.c:247
[<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:282
[<      none      >] syscall_return_slowpath+0x2ba/0x340
arch/x86/entry/common.c:344
[<      none      >] int_ret_from_sys_call+0x25/0x9f
arch/x86/entry/entry_64.S:281

INFO: Slab 0xffffea0000ea2a00 objects=16 used=12 fp=0xffff88003a8aaa48
flags=0x1fffc0000004080
INFO: Object 0xffff88003a8a9ec0 @offset=7872 fp=0xffff88003a8a9338
CPU: 0 PID: 3554 Comm: kworker/u12:0 Tainted: G    B           4.5.0-rc1+ #300
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: hci0 hci_power_on
 00000000ffffffff ffff880036abf838 ffffffff82be118d ffff88003e804f00
 ffff88003a8a9ec0 ffff88003a8a8000 ffff880036abf868 ffffffff8175b434
 ffff88003e804f00 ffffea0000ea2a00 ffff88003a8a9ec0 ffff880036abfb30

Call Trace:
 [<     inline     >] kasan_report mm/kasan/report.c:274
 [<ffffffff81764e1e>] __asan_report_load4_noabort+0x3e/0x40
mm/kasan/report.c:294
 [<     inline     >] debug_spin_lock_before kernel/locking/spinlock_debug.c:83
 [<ffffffff814662e1>] do_raw_spin_lock+0x281/0x2b0
kernel/locking/spinlock_debug.c:135
 [<     inline     >] __raw_spin_lock_irqsave
include/linux/spinlock_api_smp.h:119
 [<ffffffff86652bd7>] _raw_spin_lock_irqsave+0xa7/0xd0
kernel/locking/spinlock.c:159
 [<ffffffff854da1b2>] skb_dequeue+0x22/0x180 net/core/skbuff.c:2333
 [<ffffffff854de656>] skb_queue_purge+0x26/0x40 net/core/skbuff.c:2371
 [<ffffffff8484b9fb>] vhci_flush+0x3b/0x50 drivers/bluetooth/hci_vhci.c:74
 [<ffffffff85d3a02f>] hci_dev_do_open+0x62f/0xf60 net/bluetooth/hci_core.c:1417
 [<ffffffff85d42b98>] hci_power_on+0x108/0x4b0 net/bluetooth/hci_core.c:2027
 [<ffffffff813a2386>] process_one_work+0x796/0x1440 kernel/workqueue.c:2037
 [<ffffffff813a310b>] worker_thread+0xdb/0xfc0 kernel/workqueue.c:2171
 [<ffffffff813b637f>] kthread+0x23f/0x2d0 drivers/block/aoe/aoecmd.c:1303
 [<ffffffff866535ef>] ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468
==================================================================
==================================================================
BUG: KASAN: use-after-free in skb_dequeue+0x153/0x180 at addr ffff88003a8a9f10
Read of size 8 by task kworker/u12:0/3554
=============================================================================
BUG kmalloc-512 (Tainted: G    B          ): kasan: bad access detected
-----------------------------------------------------------------------------

INFO: Allocated in vhci_open+0x50/0x350 age=16913 cpu=0 pid=10397
[<     inline     >] slab_alloc_node mm/slub.c:2562
[<     inline     >] slab_alloc mm/slub.c:2604
[<      none      >] kmem_cache_alloc_trace+0x25c/0x300 mm/slub.c:2621
[<     inline     >] kmalloc include/linux/slab.h:463
[<     inline     >] kzalloc include/linux/slab.h:607
[<      none      >] vhci_open+0x50/0x350 drivers/bluetooth/hci_vhci.c:316
[<      none      >] misc_open+0x388/0x520 drivers/char/misc.c:153
[<      none      >] chrdev_open+0x22a/0x4c0 fs/char_dev.c:388
[<      none      >] do_dentry_open+0x6a2/0xcb0 fs/open.c:736
[<      none      >] vfs_open+0x17b/0x1f0 fs/open.c:853
[<     inline     >] do_last fs/namei.c:3254
[<      none      >] path_openat+0xde9/0x5e30 fs/namei.c:3386
[<      none      >] do_filp_open+0x18e/0x250 fs/namei.c:3421
[<      none      >] do_sys_open+0x1fc/0x420 fs/open.c:1022
[<     inline     >] SYSC_open fs/open.c:1040
[<      none      >] SyS_open+0x2d/0x40 fs/open.c:1035
[<      none      >] entry_SYSCALL_64_fastpath+0x16/0x7a
arch/x86/entry/entry_64.S:185

INFO: Freed in vhci_release+0xae/0xe0 age=12241 cpu=2 pid=10397
[<     inline     >] slab_free mm/slub.c:2835
[<      none      >] kfree+0x2ac/0x2c0 mm/slub.c:3664
[<      none      >] vhci_release+0xae/0xe0 drivers/bluetooth/hci_vhci.c:346
[<      none      >] __fput+0x236/0x780 fs/file_table.c:208
[<      none      >] ____fput+0x15/0x20 fs/file_table.c:244
[<      none      >] task_work_run+0x170/0x210 kernel/task_work.c:115
[<     inline     >] exit_task_work include/linux/task_work.h:21
[<      none      >] do_exit+0x8b5/0x2cb0 kernel/exit.c:748
[<      none      >] do_group_exit+0x108/0x330 kernel/exit.c:878
[<      none      >] get_signal+0x5e4/0x14f0 kernel/signal.c:2307
[<      none      >] do_signal+0x83/0x1c90 arch/x86/kernel/signal.c:712
[<      none      >] exit_to_usermode_loop+0x1a5/0x210
arch/x86/entry/common.c:247
[<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:282
[<      none      >] syscall_return_slowpath+0x2ba/0x340
arch/x86/entry/common.c:344
[<      none      >] int_ret_from_sys_call+0x25/0x9f
arch/x86/entry/entry_64.S:281

INFO: Slab 0xffffea0000ea2a00 objects=16 used=12 fp=0xffff88003a8aaa48
flags=0x1fffc0000004080
INFO: Object 0xffff88003a8a9ec0 @offset=7872 fp=0xffff88003a8a9338
CPU: 0 PID: 3554 Comm: kworker/u12:0 Tainted: G    B           4.5.0-rc1+ #300
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: hci0 hci_power_on
 00000000ffffffff ffff880036abf898 ffffffff82be118d ffff88003e804f00
 ffff88003a8a9ec0 ffff88003a8a8000 ffff880036abf8c8 ffffffff8175b434
 ffff88003e804f00 ffffea0000ea2a00 ffff88003a8a9ec0 0000000000000282

Call Trace:
 [<     inline     >] kasan_report mm/kasan/report.c:274
 [<ffffffff81764e5e>] __asan_report_load8_noabort+0x3e/0x40
mm/kasan/report.c:295
 [<     inline     >] skb_peek include/linux/skbuff.h:1453
 [<     inline     >] __skb_dequeue include/linux/skbuff.h:1735
 [<ffffffff854da2e3>] skb_dequeue+0x153/0x180 net/core/skbuff.c:2334
 [<ffffffff854de656>] skb_queue_purge+0x26/0x40 net/core/skbuff.c:2371
 [<ffffffff8484b9fb>] vhci_flush+0x3b/0x50 drivers/bluetooth/hci_vhci.c:74
 [<ffffffff85d3a02f>] hci_dev_do_open+0x62f/0xf60 net/bluetooth/hci_core.c:1417
 [<ffffffff85d42b98>] hci_power_on+0x108/0x4b0 net/bluetooth/hci_core.c:2027
 [<ffffffff813a2386>] process_one_work+0x796/0x1440 kernel/workqueue.c:2037
 [<ffffffff813a310b>] worker_thread+0xdb/0xfc0 kernel/workqueue.c:2171
 [<ffffffff813b637f>] kthread+0x23f/0x2d0 drivers/block/aoe/aoecmd.c:1303
 [<ffffffff866535ef>] ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468
==================================================================


* Re: bluetooth: use-after-free in vhci_send_frame
  2016-01-29  8:50 bluetooth: use-after-free in vhci_send_frame Dmitry Vyukov
@ 2016-03-04  9:15 ` Dmitry Vyukov
  2016-03-07 16:27   ` Jiri Slaby
  0 siblings, 1 reply; 9+ messages in thread
From: Dmitry Vyukov @ 2016-03-04  9:15 UTC (permalink / raw)
  To: Marcel Holtmann, Gustavo Padovan, Johan Hedberg, linux-bluetooth,
	LKML
  Cc: syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin

On Fri, Jan 29, 2016 at 9:50 AM, Dmitry Vyukov <dvyukov@google.com> wrote:
> Hello,
>
> I've got the following use-after-free reports while running the syzkaller
> fuzzer. Unfortunately there is no reproducer, but this happened when the system
> was busy reacting to sysrq-t, so probably some unexpected delay happened.
>
> On commit 92e963f50fc74041b5e9e744c330dca48e04f08d.
>
> [...]

Ping.
Just got another one on 4.5-rc6

==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x4864/0x49c0 at addr
ffff8800353b8c08
Read of size 8 by task kworker/u12:2/1443
=============================================================================
BUG kmalloc-512 (Not tainted): kasan: bad access detected
-----------------------------------------------------------------------------

INFO: Allocated in vhci_open+0x50/0x350 age=1048 cpu=0 pid=1394
[<      none      >] ___slab_alloc+0x574/0x5c0 mm/slub.c:2464
[<      none      >] __slab_alloc+0x66/0xc0 mm/slub.c:2493
[<     inline     >] slab_alloc_node mm/slub.c:2556
[<     inline     >] slab_alloc mm/slub.c:2598
[<      none      >] kmem_cache_alloc_trace+0x27c/0x350 mm/slub.c:2615
[<     inline     >] kmalloc include/linux/slab.h:463
[<     inline     >] kzalloc include/linux/slab.h:607
[<      none      >] vhci_open+0x50/0x350 drivers/bluetooth/hci_vhci.c:316
[<      none      >] misc_open+0x388/0x520 drivers/char/misc.c:153
[<      none      >] chrdev_open+0x22a/0x4c0 fs/char_dev.c:388
[<      none      >] do_dentry_open+0x6a2/0xcb0 fs/open.c:736
[<      none      >] vfs_open+0x17b/0x1f0 fs/open.c:853
[<     inline     >] do_last fs/namei.c:3258
[<      none      >] path_openat+0x4849/0x5840 fs/namei.c:3394
[<      none      >] do_filp_open+0x18e/0x250 fs/namei.c:3429
[<      none      >] do_sys_open+0x1fc/0x420 fs/open.c:1022
[<     inline     >] SYSC_open fs/open.c:1040
[<      none      >] SyS_open+0x2d/0x40 fs/open.c:1035
[<      none      >] entry_SYSCALL_64_fastpath+0x16/0x7a
arch/x86/entry/entry_64.S:185

INFO: Freed in vhci_release+0xae/0xe0 age=23 cpu=2 pid=1394
[<      none      >] __slab_free+0x1fc/0x320 mm/slub.c:2674
[<     inline     >] slab_free mm/slub.c:2829
[<      none      >] kfree+0x303/0x320 mm/slub.c:3660
[<      none      >] vhci_release+0xae/0xe0 drivers/bluetooth/hci_vhci.c:346
[<      none      >] __fput+0x236/0x780 fs/file_table.c:208
[<      none      >] ____fput+0x15/0x20 fs/file_table.c:244
[<      none      >] task_work_run+0x170/0x210 kernel/task_work.c:115
[<     inline     >] exit_task_work include/linux/task_work.h:21
[<      none      >] do_exit+0xaf0/0x2d20 kernel/exit.c:748
[<      none      >] do_group_exit+0x108/0x330 kernel/exit.c:878
[<      none      >] get_signal+0x628/0x1560 kernel/signal.c:2307
[<      none      >] do_signal+0x83/0x1c90 arch/x86/kernel/signal.c:712
[<      none      >] exit_to_usermode_loop+0x1a5/0x210
arch/x86/entry/common.c:247
[<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:282
[<      none      >] syscall_return_slowpath+0x2ba/0x340
arch/x86/entry/common.c:344
[<      none      >] int_ret_from_sys_call+0x25/0x9f
arch/x86/entry/entry_64.S:281

INFO: Slab 0xffffea0000d4ee00 objects=16 used=15 fp=0xffff8800353b8b88
flags=0x1fffc0000004080
INFO: Object 0xffff8800353b8b88 @offset=2952 fp=0x          (null)
CPU: 0 PID: 1443 Comm: kworker/u12:2 Tainted: G    B           4.5.0-rc6+ #335
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: hci0 hci_cmd_work
 ffffffff87b4d480 ffff880031427800 ffffffff82c0664f ffffffff00d4ee00
 fffffbfff0f69a90 ffff88003e804f00 ffff8800353b8b88 ffff8800353b8000
 ffffea0000d4ee00 0000000000000000 ffff880031427830 ffffffff81767194

Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff82c0664f>] dump_stack+0x12e/0x18f lib/dump_stack.c:51
 [<ffffffff81767194>] print_trailer+0xf4/0x150 mm/slub.c:661
 [<ffffffff8176e46f>] object_err+0x2f/0x40 mm/slub.c:691
 [<     inline     >] print_address_description mm/kasan/report.c:138
 [<ffffffff81770d96>] kasan_report_error+0x256/0x550 mm/kasan/report.c:251
 [<     inline     >] kasan_report mm/kasan/report.c:274
 [<ffffffff8177118e>] __asan_report_load8_noabort+0x3e/0x40
mm/kasan/report.c:295
 [<ffffffff81460c04>] __lock_acquire+0x4864/0x49c0 kernel/locking/lockdep.c:3096
 [<ffffffff81463269>] lock_acquire+0x1f9/0x460 kernel/locking/lockdep.c:3589
 [<     inline     >] __raw_spin_lock_irqsave
include/linux/spinlock_api_smp.h:112
 [<ffffffff866a1eaf>] _raw_spin_lock_irqsave+0x9f/0xd0
kernel/locking/spinlock.c:159
 [<ffffffff85516c76>] skb_queue_tail+0x26/0x150 net/core/skbuff.c:2414
 [<ffffffff84881fee>] vhci_send_frame+0xae/0x100 drivers/bluetooth/hci_vhci.c:84
 [<ffffffff85d769b5>] hci_send_frame+0x1f5/0x310 net/bluetooth/hci_core.c:3316
 [<ffffffff85d76c5f>] hci_cmd_work+0x18f/0x2e0 net/bluetooth/hci_core.c:4198
 [<ffffffff813abf3b>] process_one_work+0x79b/0x1510 kernel/workqueue.c:2096
 [<ffffffff813acd8b>] worker_thread+0xdb/0xfc0 kernel/workqueue.c:2230
 [<ffffffff813bdd3f>] kthread+0x23f/0x2d0 drivers/block/aoe/aoecmd.c:1303
 [<ffffffff866a28af>] ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468
==================================================================


* Re: bluetooth: use-after-free in vhci_send_frame
  2016-03-04  9:15 ` Dmitry Vyukov
@ 2016-03-07 16:27   ` Jiri Slaby
  2016-03-07 20:10     ` Marcel Holtmann
  2016-03-18 16:13     ` Jiri Slaby
  0 siblings, 2 replies; 9+ messages in thread
From: Jiri Slaby @ 2016-03-07 16:27 UTC (permalink / raw)
  To: Dmitry Vyukov, Marcel Holtmann, Gustavo Padovan, Johan Hedberg,
	linux-bluetooth, LKML
  Cc: syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin

On 03/04/2016, 10:15 AM, Dmitry Vyukov wrote:
> On Fri, Jan 29, 2016 at 9:50 AM, Dmitry Vyukov <dvyukov@google.com> wrote:
>> Hello,
>>
>> I've got the following use-after-free reports while running syzkaller
>> fuzzer. Unfortunately no reproducer. But this happened when system was
>> busy reacting to sysrq t, so probably some unexpected delay happened.
>>
>> On commit 92e963f50fc74041b5e9e744c330dca48e04f08d.
>>
>> ==================================================================
>> BUG: KASAN: use-after-free in do_raw_spin_unlock+0x228/0x240 at addr
>> ffff88003a8a9ed8
>> Write of size 8 by task kworker/u12:2/10322
>> =============================================================================
>> BUG kmalloc-512 (Tainted: G    B          ): kasan: bad access detected
>> -----------------------------------------------------------------------------
>>
>> INFO: Allocated in vhci_open+0x50/0x350 age=6743 cpu=0 pid=10397
>> [<      none      >] ___slab_alloc+0x564/0x5b0 mm/slub.c:2470
>> [<      none      >] __slab_alloc+0x66/0xc0 mm/slub.c:2499
>> [<     inline     >] slab_alloc_node mm/slub.c:2562
>> [<     inline     >] slab_alloc mm/slub.c:2604
>> [<      none      >] kmem_cache_alloc_trace+0x25c/0x300 mm/slub.c:2621
>> [<     inline     >] kmalloc include/linux/slab.h:463
>> [<     inline     >] kzalloc include/linux/slab.h:607
>> [<      none      >] vhci_open+0x50/0x350 drivers/bluetooth/hci_vhci.c:316
>> [<      none      >] misc_open+0x388/0x520 drivers/char/misc.c:153
>> [<      none      >] chrdev_open+0x22a/0x4c0 fs/char_dev.c:388
>> [<      none      >] do_dentry_open+0x6a2/0xcb0 fs/open.c:736
>> [<      none      >] vfs_open+0x17b/0x1f0 fs/open.c:853
>> [<     inline     >] do_last fs/namei.c:3254
>> [<      none      >] path_openat+0xde9/0x5e30 fs/namei.c:3386
>> [<      none      >] do_filp_open+0x18e/0x250 fs/namei.c:3421
>> [<      none      >] do_sys_open+0x1fc/0x420 fs/open.c:1022
>> [<     inline     >] SYSC_open fs/open.c:1040
>> [<      none      >] SyS_open+0x2d/0x40 fs/open.c:1035
>> [<      none      >] entry_SYSCALL_64_fastpath+0x16/0x7a
>> arch/x86/entry/entry_64.S:185
>>
>> INFO: Freed in vhci_release+0xae/0xe0 age=2072 cpu=2 pid=10397
>> [<      none      >] __slab_free+0x1fc/0x320 mm/slub.c:2680
>> [<     inline     >] slab_free mm/slub.c:2835
>> [<      none      >] kfree+0x2ac/0x2c0 mm/slub.c:3664
>> [<      none      >] vhci_release+0xae/0xe0 drivers/bluetooth/hci_vhci.c:346
>> [<      none      >] __fput+0x236/0x780 fs/file_table.c:208
>> [<      none      >] ____fput+0x15/0x20 fs/file_table.c:244
>> [<      none      >] task_work_run+0x170/0x210 kernel/task_work.c:115
>> [<     inline     >] exit_task_work include/linux/task_work.h:21
>> [<      none      >] do_exit+0x8b5/0x2cb0 kernel/exit.c:748
>> [<      none      >] do_group_exit+0x108/0x330 kernel/exit.c:878
>> [<      none      >] get_signal+0x5e4/0x14f0 kernel/signal.c:2307
>> [<      none      >] do_signal+0x83/0x1c90 arch/x86/kernel/signal.c:712
>> [<      none      >] exit_to_usermode_loop+0x1a5/0x210
>> arch/x86/entry/common.c:247
>> [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:282
>> [<      none      >] syscall_return_slowpath+0x2ba/0x340
>> arch/x86/entry/common.c:344
>> [<      none      >] int_ret_from_sys_call+0x25/0x9f
>> arch/x86/entry/entry_64.S:281
>>
>> INFO: Slab 0xffffea0000ea2a00 objects=16 used=14 fp=0xffff88003a8a9ec0
>> flags=0x1fffc0000004080
>> INFO: Object 0xffff88003a8a9ec0 @offset=7872 fp=0xffff88003a8a9ae8
>> CPU: 1 PID: 10322 Comm: kworker/u12:2 Tainted: G    B           4.5.0-rc1+ #300
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>> Workqueue: hci0 hci_cmd_work
>>  00000000ffffffff ffff88003634f9f8 ffffffff82be118d ffff88003e804f00
>>  ffff88003a8a9ec0 ffff88003a8a8000 ffff88003634fa28 ffffffff8175b434
>>  ffff88003e804f00 ffffea0000ea2a00 ffff88003a8a9ec0 0000000000000001
>>
>> Call Trace:
>>  [<     inline     >] kasan_report mm/kasan/report.c:274
>>  [<ffffffff81764f9e>] __asan_report_store8_noabort+0x3e/0x40
>> mm/kasan/report.c:300
>>  [<     inline     >] debug_spin_unlock kernel/locking/spinlock_debug.c:102
>>  [<ffffffff81466608>] do_raw_spin_unlock+0x228/0x240
>> kernel/locking/spinlock_debug.c:158
>>  [<     inline     >] __raw_spin_unlock_irqrestore
>> include/linux/spinlock_api_smp.h:161
>>  [<ffffffff86652cf7>] _raw_spin_unlock_irqrestore+0x27/0xc0
>> kernel/locking/spinlock.c:191
>>  [<     inline     >] spin_unlock_irqrestore include/linux/spinlock.h:362
>>  [<ffffffff8143975f>] __wake_up+0x3f/0x50 kernel/sched/wait.c:96
>>  [<ffffffff8484b983>] vhci_send_frame+0xc3/0x100 drivers/bluetooth/hci_vhci.c:86
>>  [<ffffffff85d38315>] hci_send_frame+0x1f5/0x310 net/bluetooth/hci_core.c:3316
>>  [<ffffffff85d385bf>] hci_cmd_work+0x18f/0x2e0 net/bluetooth/hci_core.c:4196
>>  [<ffffffff813a2386>] process_one_work+0x796/0x1440 kernel/workqueue.c:2037
>>  [<ffffffff813a310b>] worker_thread+0xdb/0xfc0 kernel/workqueue.c:2171
>>  [<ffffffff813b637f>] kthread+0x23f/0x2d0 drivers/block/aoe/aoecmd.c:1303
>>  [<ffffffff866535ef>] ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468
>> ==================================================================
>>
>> ==================================================================
>> BUG: KASAN: use-after-free in do_raw_spin_lock+0x281/0x2b0 at addr
>> ffff88003a8a9f2c
>> Read of size 4 by task kworker/u12:0/3554
>> =============================================================================
>> BUG kmalloc-512 (Tainted: G    B          ): kasan: bad access detected
>> -----------------------------------------------------------------------------
>>
>> INFO: Allocated in vhci_open+0x50/0x350 age=16305 cpu=0 pid=10397
>> [<      none      >] ___slab_alloc+0x564/0x5b0 mm/slub.c:2470
>> [<      none      >] __slab_alloc+0x66/0xc0 mm/slub.c:2499
>> [<     inline     >] slab_alloc_node mm/slub.c:2562
>> [<     inline     >] slab_alloc mm/slub.c:2604
>> [<      none      >] kmem_cache_alloc_trace+0x25c/0x300 mm/slub.c:2621
>> [<     inline     >] kmalloc include/linux/slab.h:463
>> [<     inline     >] kzalloc include/linux/slab.h:607
>> [<      none      >] vhci_open+0x50/0x350 drivers/bluetooth/hci_vhci.c:316
>> [<      none      >] misc_open+0x388/0x520 drivers/char/misc.c:153
>> [<      none      >] chrdev_open+0x22a/0x4c0 fs/char_dev.c:388
>> [<      none      >] do_dentry_open+0x6a2/0xcb0 fs/open.c:736
>> [<      none      >] vfs_open+0x17b/0x1f0 fs/open.c:853
>> [<     inline     >] do_last fs/namei.c:3254
>> [<      none      >] path_openat+0xde9/0x5e30 fs/namei.c:3386
>> [<      none      >] do_filp_open+0x18e/0x250 fs/namei.c:3421
>> [<      none      >] do_sys_open+0x1fc/0x420 fs/open.c:1022
>> [<     inline     >] SYSC_open fs/open.c:1040
>> [<      none      >] SyS_open+0x2d/0x40 fs/open.c:1035
>> [<      none      >] entry_SYSCALL_64_fastpath+0x16/0x7a
>> arch/x86/entry/entry_64.S:185
>>
>> INFO: Freed in vhci_release+0xae/0xe0 age=11634 cpu=2 pid=10397
>> [<      none      >] __slab_free+0x1fc/0x320 mm/slub.c:2680
>> [<     inline     >] slab_free mm/slub.c:2835
>> [<      none      >] kfree+0x2ac/0x2c0 mm/slub.c:3664
>> [<      none      >] vhci_release+0xae/0xe0 drivers/bluetooth/hci_vhci.c:346
>> [<      none      >] __fput+0x236/0x780 fs/file_table.c:208
>> [<      none      >] ____fput+0x15/0x20 fs/file_table.c:244
>> [<      none      >] task_work_run+0x170/0x210 kernel/task_work.c:115
>> [<     inline     >] exit_task_work include/linux/task_work.h:21
>> [<      none      >] do_exit+0x8b5/0x2cb0 kernel/exit.c:748
>> [<      none      >] do_group_exit+0x108/0x330 kernel/exit.c:878
>> [<      none      >] get_signal+0x5e4/0x14f0 kernel/signal.c:2307
>> [<      none      >] do_signal+0x83/0x1c90 arch/x86/kernel/signal.c:712
>> [<      none      >] exit_to_usermode_loop+0x1a5/0x210
>> arch/x86/entry/common.c:247
>> [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:282
>> [<      none      >] syscall_return_slowpath+0x2ba/0x340
>> arch/x86/entry/common.c:344
>> [<      none      >] int_ret_from_sys_call+0x25/0x9f
>> arch/x86/entry/entry_64.S:281
>>
>> INFO: Slab 0xffffea0000ea2a00 objects=16 used=12 fp=0xffff88003a8aaa48
>> flags=0x1fffc0000004080
>> INFO: Object 0xffff88003a8a9ec0 @offset=7872 fp=0xffff88003a8a9338
>> CPU: 0 PID: 3554 Comm: kworker/u12:0 Tainted: G    B           4.5.0-rc1+ #300
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>> Workqueue: hci0 hci_power_on
>>  00000000ffffffff ffff880036abf838 ffffffff82be118d ffff88003e804f00
>>  ffff88003a8a9ec0 ffff88003a8a8000 ffff880036abf868 ffffffff8175b434
>>  ffff88003e804f00 ffffea0000ea2a00 ffff88003a8a9ec0 ffff880036abfb30
>>
>> Call Trace:
>>  [<     inline     >] kasan_report mm/kasan/report.c:274
>>  [<ffffffff81764e1e>] __asan_report_load4_noabort+0x3e/0x40
>> mm/kasan/report.c:294
>>  [<     inline     >] debug_spin_lock_before kernel/locking/spinlock_debug.c:83
>>  [<ffffffff814662e1>] do_raw_spin_lock+0x281/0x2b0
>> kernel/locking/spinlock_debug.c:135
>>  [<     inline     >] __raw_spin_lock_irqsave
>> include/linux/spinlock_api_smp.h:119
>>  [<ffffffff86652bd7>] _raw_spin_lock_irqsave+0xa7/0xd0
>> kernel/locking/spinlock.c:159
>>  [<ffffffff854da1b2>] skb_dequeue+0x22/0x180 net/core/skbuff.c:2333
>>  [<ffffffff854de656>] skb_queue_purge+0x26/0x40 net/core/skbuff.c:2371
>>  [<ffffffff8484b9fb>] vhci_flush+0x3b/0x50 drivers/bluetooth/hci_vhci.c:74
>>  [<ffffffff85d3a02f>] hci_dev_do_open+0x62f/0xf60 net/bluetooth/hci_core.c:1417
>>  [<ffffffff85d42b98>] hci_power_on+0x108/0x4b0 net/bluetooth/hci_core.c:2027
>>  [<ffffffff813a2386>] process_one_work+0x796/0x1440 kernel/workqueue.c:2037
>>  [<ffffffff813a310b>] worker_thread+0xdb/0xfc0 kernel/workqueue.c:2171
>>  [<ffffffff813b637f>] kthread+0x23f/0x2d0 drivers/block/aoe/aoecmd.c:1303
>>  [<ffffffff866535ef>] ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468
>> ==================================================================
>> ==================================================================
>> BUG: KASAN: use-after-free in skb_dequeue+0x153/0x180 at addr ffff88003a8a9f10
>> Read of size 8 by task kworker/u12:0/3554
>> =============================================================================
>> BUG kmalloc-512 (Tainted: G    B          ): kasan: bad access detected
>> -----------------------------------------------------------------------------
>>
>> INFO: Allocated in vhci_open+0x50/0x350 age=16913 cpu=0 pid=10397
>> [<     inline     >] slab_alloc_node mm/slub.c:2562
>> [<     inline     >] slab_alloc mm/slub.c:2604
>> [<      none      >] kmem_cache_alloc_trace+0x25c/0x300 mm/slub.c:2621
>> [<     inline     >] kmalloc include/linux/slab.h:463
>> [<     inline     >] kzalloc include/linux/slab.h:607
>> [<      none      >] vhci_open+0x50/0x350 drivers/bluetooth/hci_vhci.c:316
>> [<      none      >] misc_open+0x388/0x520 drivers/char/misc.c:153
>> [<      none      >] chrdev_open+0x22a/0x4c0 fs/char_dev.c:388
>> [<      none      >] do_dentry_open+0x6a2/0xcb0 fs/open.c:736
>> [<      none      >] vfs_open+0x17b/0x1f0 fs/open.c:853
>> [<     inline     >] do_last fs/namei.c:3254
>> [<      none      >] path_openat+0xde9/0x5e30 fs/namei.c:3386
>> [<      none      >] do_filp_open+0x18e/0x250 fs/namei.c:3421
>> [<      none      >] do_sys_open+0x1fc/0x420 fs/open.c:1022
>> [<     inline     >] SYSC_open fs/open.c:1040
>> [<      none      >] SyS_open+0x2d/0x40 fs/open.c:1035
>> [<      none      >] entry_SYSCALL_64_fastpath+0x16/0x7a
>> arch/x86/entry/entry_64.S:185
>>
>> INFO: Freed in vhci_release+0xae/0xe0 age=12241 cpu=2 pid=10397
>> [<     inline     >] slab_free mm/slub.c:2835
>> [<      none      >] kfree+0x2ac/0x2c0 mm/slub.c:3664
>> [<      none      >] vhci_release+0xae/0xe0 drivers/bluetooth/hci_vhci.c:346
>> [<      none      >] __fput+0x236/0x780 fs/file_table.c:208
>> [<      none      >] ____fput+0x15/0x20 fs/file_table.c:244
>> [<      none      >] task_work_run+0x170/0x210 kernel/task_work.c:115
>> [<     inline     >] exit_task_work include/linux/task_work.h:21
>> [<      none      >] do_exit+0x8b5/0x2cb0 kernel/exit.c:748
>> [<      none      >] do_group_exit+0x108/0x330 kernel/exit.c:878
>> [<      none      >] get_signal+0x5e4/0x14f0 kernel/signal.c:2307
>> [<      none      >] do_signal+0x83/0x1c90 arch/x86/kernel/signal.c:712
>> [<      none      >] exit_to_usermode_loop+0x1a5/0x210
>> arch/x86/entry/common.c:247
>> [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:282
>> [<      none      >] syscall_return_slowpath+0x2ba/0x340
>> arch/x86/entry/common.c:344
>> [<      none      >] int_ret_from_sys_call+0x25/0x9f
>> arch/x86/entry/entry_64.S:281
>>
>> INFO: Slab 0xffffea0000ea2a00 objects=16 used=12 fp=0xffff88003a8aaa48
>> flags=0x1fffc0000004080
>> INFO: Object 0xffff88003a8a9ec0 @offset=7872 fp=0xffff88003a8a9338
>> CPU: 0 PID: 3554 Comm: kworker/u12:0 Tainted: G    B           4.5.0-rc1+ #300
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>> Workqueue: hci0 hci_power_on
>>  00000000ffffffff ffff880036abf898 ffffffff82be118d ffff88003e804f00
>>  ffff88003a8a9ec0 ffff88003a8a8000 ffff880036abf8c8 ffffffff8175b434
>>  ffff88003e804f00 ffffea0000ea2a00 ffff88003a8a9ec0 0000000000000282
>>
>> Call Trace:
>>  [<     inline     >] kasan_report mm/kasan/report.c:274
>>  [<ffffffff81764e5e>] __asan_report_load8_noabort+0x3e/0x40
>> mm/kasan/report.c:295
>>  [<     inline     >] skb_peek include/linux/skbuff.h:1453
>>  [<     inline     >] __skb_dequeue include/linux/skbuff.h:1735
>>  [<ffffffff854da2e3>] skb_dequeue+0x153/0x180 net/core/skbuff.c:2334
>>  [<ffffffff854de656>] skb_queue_purge+0x26/0x40 net/core/skbuff.c:2371
>>  [<ffffffff8484b9fb>] vhci_flush+0x3b/0x50 drivers/bluetooth/hci_vhci.c:74
>>  [<ffffffff85d3a02f>] hci_dev_do_open+0x62f/0xf60 net/bluetooth/hci_core.c:1417
>>  [<ffffffff85d42b98>] hci_power_on+0x108/0x4b0 net/bluetooth/hci_core.c:2027
>>  [<ffffffff813a2386>] process_one_work+0x796/0x1440 kernel/workqueue.c:2037
>>  [<ffffffff813a310b>] worker_thread+0xdb/0xfc0 kernel/workqueue.c:2171
>>  [<ffffffff813b637f>] kthread+0x23f/0x2d0 drivers/block/aoe/aoecmd.c:1303
>>  [<ffffffff866535ef>] ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468
>> ==================================================================
> 
> 
> 
> Ping.
> Just got another one on 4.5-rc6

FWIW I've just hit that too right now.

But I haven't hit it with 4.4, which I have been fuzzing for orders of
magnitude longer. But take it with a grain of salt -- it could be a
coincidence, of course.

thanks,
-- 
js
suse labs


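The reports quoted above all have the same shape: the object is allocated by kzalloc() in vhci_open(), freed by kfree() in vhci_release() when the owning task exits and its file is dropped through __fput(), and then touched again from a kworker running hci_cmd_work or hci_power_on for hci0, which ends in vhci_send_frame() or vhci_flush(). The script below is an added example, not code from the thread or from the kernel tree: it pulls exactly those facts out of a KASAN report so that a fuzzing run's crash logs can be triaged mechanically. SAMPLE_REPORT is a trimmed copy of the first report quoted above (the frame selection is ours, the values are the page's); the frame sets RELEASE_FRAMES and WORKER_FRAMES and the pattern names are our own conventions, and the parser also accepts `>>`-quoted copies as they appear in mail replies.

```python
# Added example, not code from the thread or the kernel tree: a triage parser
# for KASAN use-after-free reports.  It extracts the alloc/free/access sites
# and the tasks involved, then names the lifetime pattern the vhci reports
# show: an object freed from a file release path (__fput on task exit) while
# a workqueue item still dereferences it.  SAMPLE_REPORT is a trimmed copy of
# the first report quoted in this thread (our frame selection, the page's values).
import re
from typing import Dict, List, Tuple

SAMPLE_REPORT = """\
BUG: KASAN: use-after-free in do_raw_spin_unlock+0x228/0x240 at addr
ffff88003a8a9ed8
Write of size 8 by task kworker/u12:2/10322

INFO: Allocated in vhci_open+0x50/0x350 age=6743 cpu=0 pid=10397
[<      none      >] kmem_cache_alloc_trace+0x25c/0x300 mm/slub.c:2621
[<      none      >] vhci_open+0x50/0x350 drivers/bluetooth/hci_vhci.c:316
[<      none      >] misc_open+0x388/0x520 drivers/char/misc.c:153

INFO: Freed in vhci_release+0xae/0xe0 age=2072 cpu=2 pid=10397
[<      none      >] kfree+0x2ac/0x2c0 mm/slub.c:3664
[<      none      >] vhci_release+0xae/0xe0 drivers/bluetooth/hci_vhci.c:346
[<      none      >] __fput+0x236/0x780 fs/file_table.c:208
[<      none      >] task_work_run+0x170/0x210 kernel/task_work.c:115

CPU: 1 PID: 10322 Comm: kworker/u12:2 Tainted: G    B           4.5.0-rc1+ #300
Workqueue: hci0 hci_cmd_work

Call Trace:
 [<ffffffff81764f9e>] __asan_report_store8_noabort+0x3e/0x40
 [<ffffffff81466608>] do_raw_spin_unlock+0x228/0x240
 [<ffffffff8484b983>] vhci_send_frame+0xc3/0x100 drivers/bluetooth/hci_vhci.c:86
 [<ffffffff85d385bf>] hci_cmd_work+0x18f/0x2e0 net/bluetooth/hci_core.c:4196
 [<ffffffff813a2386>] process_one_work+0x796/0x1440 kernel/workqueue.c:2037
==================================================================
"""

Frame = Tuple[str, str]  # (function, "file:line" or "" where the mail wrapped the path)
HEADER_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\S+) at addr\s*(?P<addr>[0-9a-f]{16})")
ACCESS_RE = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) by task (?P<task>\S+)/(?P<pid>\d+)")
SITE_RE = re.compile(r"INFO: (?P<what>Allocated|Freed) in (?P<func>\S+) age=(?P<age>\d+) cpu=\d+ pid=(?P<pid>\d+)")
FRAME_RE = re.compile(r"\[<\s*(?:none|inline|[0-9a-f]+)\s*>\]\s+(\S+)(?:\s+(\S+))?")
WQ_RE = re.compile(r"^Workqueue: (\S+ \S+)", re.M)
RELEASE_FRAMES = {"__fput", "____fput", "task_work_run"}  # the free ran from a file release
WORKER_FRAMES = {"process_one_work", "worker_thread"}     # the use ran from a kworker


def symbol(sym: str) -> str:
    """'vhci_open+0x50/0x350' -> 'vhci_open'."""
    return sym.split("+", 1)[0]


def _frames(lines: List[str], i: int) -> Tuple[List[Frame], int]:
    """Collect frames from lines[i:] until the block ends; wrapped path lines are skipped."""
    frames: List[Frame] = []
    while i < len(lines) and lines[i] and not lines[i].startswith(("=", "INFO:", "CPU:")):
        m = FRAME_RE.search(lines[i])
        if m:
            frames.append((symbol(m.group(1)), m.group(2) or ""))
        i += 1
    return frames, i


def parse_kasan_report(text: str) -> Dict:
    # Strip mail quoting ('>> ') and indentation so quoted copies parse like the original.
    lines = [re.sub(r"^[>\s]+", "", ln) for ln in text.splitlines()]
    joined = "\n".join(lines)
    h, a = HEADER_RE.search(joined), ACCESS_RE.search(joined)
    if not h or not a:
        raise ValueError("not a KASAN report")
    wq = WQ_RE.search(joined)
    rep = {"kind": h["kind"], "access_func": symbol(h["func"]), "addr": h["addr"],
           "access": a["rw"], "size": int(a["size"]), "task": a["task"], "pid": int(a["pid"]),
           "workqueue": wq.group(1) if wq else "", "alloc": None, "free": None, "call_trace": []}
    i = 0
    while i < len(lines):
        m = SITE_RE.match(lines[i])
        if m:  # SLUB track: age is in jiffies since the alloc/free happened
            site = {"func": symbol(m["func"]), "age": int(m["age"]), "pid": int(m["pid"])}
            site["frames"], i = _frames(lines, i + 1)
            rep["alloc" if m["what"] == "Allocated" else "free"] = site
        elif lines[i].startswith("Call Trace:"):
            rep["call_trace"], i = _frames(lines, i + 1)
        else:
            i += 1
    return rep


def first_driver_frame(frames: List[Frame]) -> str:
    """Innermost frame under drivers/: the driver code that touched the freed object."""
    return next((f for f, path in frames if path.startswith("drivers/")), "")


def classify(rep: Dict) -> Dict:
    """Name the lifetime race: who freed the object and who was still using it."""
    free_syms = {f for f, _ in (rep["free"] or {"frames": []})["frames"]}
    use_syms = {f for f, _ in rep["call_trace"]}
    if free_syms & RELEASE_FRAMES and use_syms & WORKER_FRAMES:
        pattern = "release-vs-workqueue"  # close()/exit freed it, a worker still ran on it
    elif use_syms & WORKER_FRAMES:
        pattern = "workqueue-use"
    else:
        pattern = "unclassified"
    same_task = bool(rep["alloc"] and rep["free"] and rep["alloc"]["pid"] == rep["free"]["pid"])
    return {"pattern": pattern, "same_task_alloc_free": same_task,
            "driver_frame": first_driver_frame(rep["call_trace"]), "workqueue": rep["workqueue"]}


if __name__ == "__main__":
    r = parse_kasan_report(SAMPLE_REPORT)
    print(f"{r['kind']} in {r['access_func']}: freed by {r['free']['func']} (pid {r['free']['pid']}, "
          f"{r['free']['age']} jiffies before the access), used from {r['task']}")
    print(classify(r))
```

Fed the full text of any of the three rc1 reports quoted above, including the `>>`-quoted copies, the classification comes out as release-vs-workqueue with the driver frame vhci_send_frame or vhci_flush; the free pid equalling the alloc pid is the tell that the close happened on the opener's exit path while hci0's work was still queued.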
* Re: bluetooth: use-after-free in vhci_send_frame
  2016-03-07 16:27   ` Jiri Slaby
@ 2016-03-07 20:10     ` Marcel Holtmann
  2016-03-07 20:16       ` Dmitry Vyukov
  2016-03-18 16:13     ` Jiri Slaby
  1 sibling, 1 reply; 9+ messages in thread
From: Marcel Holtmann @ 2016-03-07 20:10 UTC (permalink / raw)
  To: Jiri Slaby
  Cc: Dmitry Vyukov, Gustavo F. Padovan, Johan Hedberg, linux-bluetooth,
	LKML, syzkaller, Kostya Serebryany, Alexander Potapenko,
	Sasha Levin

Hi Jiri,

>>> I've got the following use-after-free reports while running syzkaller
>>> fuzzer. Unfortunately no reproducer. But this happened when system was
>>> busy reacting to sysrq t, so probably some unexpected delay happened.
>>> 
>>> On commit 92e963f50fc74041b5e9e744c330dca48e04f08d.
>>> 
[... three KASAN reports snipped: identical to those quoted in the previous message ...]
>> 
>> 
>> 
>> Ping.
>> Just got another one on 4.5-rc6
> 
> FWIW I've just hit that too right now.
> 
> But I haven't hit it with 4.4, which I have been fuzzing for orders of
> magnitude longer. But take it with a grain of salt -- it could be a
> coincidence, of course.

Do you know what the fuzzer was doing at this point? Is the fuzzer opening the /dev/vhci device node? That would be the only way to actually get into that driver.

Regards

Marcel



* Re: bluetooth: use-after-free in vhci_send_frame
  2016-03-07 20:10     ` Marcel Holtmann
@ 2016-03-07 20:16       ` Dmitry Vyukov
  2016-03-08 18:32         ` Marcel Holtmann
  0 siblings, 1 reply; 9+ messages in thread
From: Dmitry Vyukov @ 2016-03-07 20:16 UTC (permalink / raw)
  To: Marcel Holtmann
  Cc: Jiri Slaby, Gustavo F. Padovan, Johan Hedberg, linux-bluetooth,
	LKML, syzkaller, Kostya Serebryany, Alexander Potapenko,
	Sasha Levin

On Mon, Mar 7, 2016 at 9:10 PM, Marcel Holtmann <marcel@holtmann.org> wrote:
> Hi Jiri,
>
>>>> I've got the following use-after-free reports while running the syzkaller
>>>> fuzzer. Unfortunately no reproducer. But this happened when the system was
>>>> busy reacting to sysrq-t, so probably some unexpected delay happened.
>>>>
>>>> On commit 92e963f50fc74041b5e9e744c330dca48e04f08d.
>>>>
>>>> ==================================================================
>>>> BUG: KASAN: use-after-free in do_raw_spin_unlock+0x228/0x240 at addr
>>>> ffff88003a8a9ed8
>>>> Write of size 8 by task kworker/u12:2/10322
>>>> =============================================================================
>>>> BUG kmalloc-512 (Tainted: G    B          ): kasan: bad access detected
>>>> -----------------------------------------------------------------------------
>>>>
>>>> INFO: Allocated in vhci_open+0x50/0x350 age=6743 cpu=0 pid=10397
>>>> [<      none      >] ___slab_alloc+0x564/0x5b0 mm/slub.c:2470
>>>> [<      none      >] __slab_alloc+0x66/0xc0 mm/slub.c:2499
>>>> [<     inline     >] slab_alloc_node mm/slub.c:2562
>>>> [<     inline     >] slab_alloc mm/slub.c:2604
>>>> [<      none      >] kmem_cache_alloc_trace+0x25c/0x300 mm/slub.c:2621
>>>> [<     inline     >] kmalloc include/linux/slab.h:463
>>>> [<     inline     >] kzalloc include/linux/slab.h:607
>>>> [<      none      >] vhci_open+0x50/0x350 drivers/bluetooth/hci_vhci.c:316
>>>> [<      none      >] misc_open+0x388/0x520 drivers/char/misc.c:153
>>>> [<      none      >] chrdev_open+0x22a/0x4c0 fs/char_dev.c:388
>>>> [<      none      >] do_dentry_open+0x6a2/0xcb0 fs/open.c:736
>>>> [<      none      >] vfs_open+0x17b/0x1f0 fs/open.c:853
>>>> [<     inline     >] do_last fs/namei.c:3254
>>>> [<      none      >] path_openat+0xde9/0x5e30 fs/namei.c:3386
>>>> [<      none      >] do_filp_open+0x18e/0x250 fs/namei.c:3421
>>>> [<      none      >] do_sys_open+0x1fc/0x420 fs/open.c:1022
>>>> [<     inline     >] SYSC_open fs/open.c:1040
>>>> [<      none      >] SyS_open+0x2d/0x40 fs/open.c:1035
>>>> [<      none      >] entry_SYSCALL_64_fastpath+0x16/0x7a
>>>> arch/x86/entry/entry_64.S:185
>>>>
>>>> INFO: Freed in vhci_release+0xae/0xe0 age=2072 cpu=2 pid=10397
>>>> [<      none      >] __slab_free+0x1fc/0x320 mm/slub.c:2680
>>>> [<     inline     >] slab_free mm/slub.c:2835
>>>> [<      none      >] kfree+0x2ac/0x2c0 mm/slub.c:3664
>>>> [<      none      >] vhci_release+0xae/0xe0 drivers/bluetooth/hci_vhci.c:346
>>>> [<      none      >] __fput+0x236/0x780 fs/file_table.c:208
>>>> [<      none      >] ____fput+0x15/0x20 fs/file_table.c:244
>>>> [<      none      >] task_work_run+0x170/0x210 kernel/task_work.c:115
>>>> [<     inline     >] exit_task_work include/linux/task_work.h:21
>>>> [<      none      >] do_exit+0x8b5/0x2cb0 kernel/exit.c:748
>>>> [<      none      >] do_group_exit+0x108/0x330 kernel/exit.c:878
>>>> [<      none      >] get_signal+0x5e4/0x14f0 kernel/signal.c:2307
>>>> [<      none      >] do_signal+0x83/0x1c90 arch/x86/kernel/signal.c:712
>>>> [<      none      >] exit_to_usermode_loop+0x1a5/0x210
>>>> arch/x86/entry/common.c:247
>>>> [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:282
>>>> [<      none      >] syscall_return_slowpath+0x2ba/0x340
>>>> arch/x86/entry/common.c:344
>>>> [<      none      >] int_ret_from_sys_call+0x25/0x9f
>>>> arch/x86/entry/entry_64.S:281
>>>>
>>>> INFO: Slab 0xffffea0000ea2a00 objects=16 used=14 fp=0xffff88003a8a9ec0
>>>> flags=0x1fffc0000004080
>>>> INFO: Object 0xffff88003a8a9ec0 @offset=7872 fp=0xffff88003a8a9ae8
>>>> CPU: 1 PID: 10322 Comm: kworker/u12:2 Tainted: G    B           4.5.0-rc1+ #300
>>>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>>>> Workqueue: hci0 hci_cmd_work
>>>> 00000000ffffffff ffff88003634f9f8 ffffffff82be118d ffff88003e804f00
>>>> ffff88003a8a9ec0 ffff88003a8a8000 ffff88003634fa28 ffffffff8175b434
>>>> ffff88003e804f00 ffffea0000ea2a00 ffff88003a8a9ec0 0000000000000001
>>>>
>>>> Call Trace:
>>>> [<     inline     >] kasan_report mm/kasan/report.c:274
>>>> [<ffffffff81764f9e>] __asan_report_store8_noabort+0x3e/0x40
>>>> mm/kasan/report.c:300
>>>> [<     inline     >] debug_spin_unlock kernel/locking/spinlock_debug.c:102
>>>> [<ffffffff81466608>] do_raw_spin_unlock+0x228/0x240
>>>> kernel/locking/spinlock_debug.c:158
>>>> [<     inline     >] __raw_spin_unlock_irqrestore
>>>> include/linux/spinlock_api_smp.h:161
>>>> [<ffffffff86652cf7>] _raw_spin_unlock_irqrestore+0x27/0xc0
>>>> kernel/locking/spinlock.c:191
>>>> [<     inline     >] spin_unlock_irqrestore include/linux/spinlock.h:362
>>>> [<ffffffff8143975f>] __wake_up+0x3f/0x50 kernel/sched/wait.c:96
>>>> [<ffffffff8484b983>] vhci_send_frame+0xc3/0x100 drivers/bluetooth/hci_vhci.c:86
>>>> [<ffffffff85d38315>] hci_send_frame+0x1f5/0x310 net/bluetooth/hci_core.c:3316
>>>> [<ffffffff85d385bf>] hci_cmd_work+0x18f/0x2e0 net/bluetooth/hci_core.c:4196
>>>> [<ffffffff813a2386>] process_one_work+0x796/0x1440 kernel/workqueue.c:2037
>>>> [<ffffffff813a310b>] worker_thread+0xdb/0xfc0 kernel/workqueue.c:2171
>>>> [<ffffffff813b637f>] kthread+0x23f/0x2d0 drivers/block/aoe/aoecmd.c:1303
>>>> [<ffffffff866535ef>] ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468
>>>> ==================================================================
>>>>
>>>> ==================================================================
>>>> BUG: KASAN: use-after-free in do_raw_spin_lock+0x281/0x2b0 at addr
>>>> ffff88003a8a9f2c
>>>> Read of size 4 by task kworker/u12:0/3554
>>>> =============================================================================
>>>> BUG kmalloc-512 (Tainted: G    B          ): kasan: bad access detected
>>>> -----------------------------------------------------------------------------
>>>>
>>>> INFO: Allocated in vhci_open+0x50/0x350 age=16305 cpu=0 pid=10397
>>>> [<      none      >] ___slab_alloc+0x564/0x5b0 mm/slub.c:2470
>>>> [<      none      >] __slab_alloc+0x66/0xc0 mm/slub.c:2499
>>>> [<     inline     >] slab_alloc_node mm/slub.c:2562
>>>> [<     inline     >] slab_alloc mm/slub.c:2604
>>>> [<      none      >] kmem_cache_alloc_trace+0x25c/0x300 mm/slub.c:2621
>>>> [<     inline     >] kmalloc include/linux/slab.h:463
>>>> [<     inline     >] kzalloc include/linux/slab.h:607
>>>> [<      none      >] vhci_open+0x50/0x350 drivers/bluetooth/hci_vhci.c:316
>>>> [<      none      >] misc_open+0x388/0x520 drivers/char/misc.c:153
>>>> [<      none      >] chrdev_open+0x22a/0x4c0 fs/char_dev.c:388
>>>> [<      none      >] do_dentry_open+0x6a2/0xcb0 fs/open.c:736
>>>> [<      none      >] vfs_open+0x17b/0x1f0 fs/open.c:853
>>>> [<     inline     >] do_last fs/namei.c:3254
>>>> [<      none      >] path_openat+0xde9/0x5e30 fs/namei.c:3386
>>>> [<      none      >] do_filp_open+0x18e/0x250 fs/namei.c:3421
>>>> [<      none      >] do_sys_open+0x1fc/0x420 fs/open.c:1022
>>>> [<     inline     >] SYSC_open fs/open.c:1040
>>>> [<      none      >] SyS_open+0x2d/0x40 fs/open.c:1035
>>>> [<      none      >] entry_SYSCALL_64_fastpath+0x16/0x7a
>>>> arch/x86/entry/entry_64.S:185
>>>>
>>>> INFO: Freed in vhci_release+0xae/0xe0 age=11634 cpu=2 pid=10397
>>>> [<      none      >] __slab_free+0x1fc/0x320 mm/slub.c:2680
>>>> [<     inline     >] slab_free mm/slub.c:2835
>>>> [<      none      >] kfree+0x2ac/0x2c0 mm/slub.c:3664
>>>> [<      none      >] vhci_release+0xae/0xe0 drivers/bluetooth/hci_vhci.c:346
>>>> [<      none      >] __fput+0x236/0x780 fs/file_table.c:208
>>>> [<      none      >] ____fput+0x15/0x20 fs/file_table.c:244
>>>> [<      none      >] task_work_run+0x170/0x210 kernel/task_work.c:115
>>>> [<     inline     >] exit_task_work include/linux/task_work.h:21
>>>> [<      none      >] do_exit+0x8b5/0x2cb0 kernel/exit.c:748
>>>> [<      none      >] do_group_exit+0x108/0x330 kernel/exit.c:878
>>>> [<      none      >] get_signal+0x5e4/0x14f0 kernel/signal.c:2307
>>>> [<      none      >] do_signal+0x83/0x1c90 arch/x86/kernel/signal.c:712
>>>> [<      none      >] exit_to_usermode_loop+0x1a5/0x210
>>>> arch/x86/entry/common.c:247
>>>> [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:282
>>>> [<      none      >] syscall_return_slowpath+0x2ba/0x340
>>>> arch/x86/entry/common.c:344
>>>> [<      none      >] int_ret_from_sys_call+0x25/0x9f
>>>> arch/x86/entry/entry_64.S:281
>>>>
>>>> INFO: Slab 0xffffea0000ea2a00 objects=16 used=12 fp=0xffff88003a8aaa48
>>>> flags=0x1fffc0000004080
>>>> INFO: Object 0xffff88003a8a9ec0 @offset=7872 fp=0xffff88003a8a9338
>>>> CPU: 0 PID: 3554 Comm: kworker/u12:0 Tainted: G    B           4.5.0-rc1+ #300
>>>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>>>> Workqueue: hci0 hci_power_on
>>>> 00000000ffffffff ffff880036abf838 ffffffff82be118d ffff88003e804f00
>>>> ffff88003a8a9ec0 ffff88003a8a8000 ffff880036abf868 ffffffff8175b434
>>>> ffff88003e804f00 ffffea0000ea2a00 ffff88003a8a9ec0 ffff880036abfb30
>>>>
>>>> Call Trace:
>>>> [<     inline     >] kasan_report mm/kasan/report.c:274
>>>> [<ffffffff81764e1e>] __asan_report_load4_noabort+0x3e/0x40
>>>> mm/kasan/report.c:294
>>>> [<     inline     >] debug_spin_lock_before kernel/locking/spinlock_debug.c:83
>>>> [<ffffffff814662e1>] do_raw_spin_lock+0x281/0x2b0
>>>> kernel/locking/spinlock_debug.c:135
>>>> [<     inline     >] __raw_spin_lock_irqsave
>>>> include/linux/spinlock_api_smp.h:119
>>>> [<ffffffff86652bd7>] _raw_spin_lock_irqsave+0xa7/0xd0
>>>> kernel/locking/spinlock.c:159
>>>> [<ffffffff854da1b2>] skb_dequeue+0x22/0x180 net/core/skbuff.c:2333
>>>> [<ffffffff854de656>] skb_queue_purge+0x26/0x40 net/core/skbuff.c:2371
>>>> [<ffffffff8484b9fb>] vhci_flush+0x3b/0x50 drivers/bluetooth/hci_vhci.c:74
>>>> [<ffffffff85d3a02f>] hci_dev_do_open+0x62f/0xf60 net/bluetooth/hci_core.c:1417
>>>> [<ffffffff85d42b98>] hci_power_on+0x108/0x4b0 net/bluetooth/hci_core.c:2027
>>>> [<ffffffff813a2386>] process_one_work+0x796/0x1440 kernel/workqueue.c:2037
>>>> [<ffffffff813a310b>] worker_thread+0xdb/0xfc0 kernel/workqueue.c:2171
>>>> [<ffffffff813b637f>] kthread+0x23f/0x2d0 drivers/block/aoe/aoecmd.c:1303
>>>> [<ffffffff866535ef>] ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468
>>>> ==================================================================
>>>> ==================================================================
>>>> BUG: KASAN: use-after-free in skb_dequeue+0x153/0x180 at addr ffff88003a8a9f10
>>>> Read of size 8 by task kworker/u12:0/3554
>>>> =============================================================================
>>>> BUG kmalloc-512 (Tainted: G    B          ): kasan: bad access detected
>>>> -----------------------------------------------------------------------------
>>>>
>>>> INFO: Allocated in vhci_open+0x50/0x350 age=16913 cpu=0 pid=10397
>>>> [<     inline     >] slab_alloc_node mm/slub.c:2562
>>>> [<     inline     >] slab_alloc mm/slub.c:2604
>>>> [<      none      >] kmem_cache_alloc_trace+0x25c/0x300 mm/slub.c:2621
>>>> [<     inline     >] kmalloc include/linux/slab.h:463
>>>> [<     inline     >] kzalloc include/linux/slab.h:607
>>>> [<      none      >] vhci_open+0x50/0x350 drivers/bluetooth/hci_vhci.c:316
>>>> [<      none      >] misc_open+0x388/0x520 drivers/char/misc.c:153
>>>> [<      none      >] chrdev_open+0x22a/0x4c0 fs/char_dev.c:388
>>>> [<      none      >] do_dentry_open+0x6a2/0xcb0 fs/open.c:736
>>>> [<      none      >] vfs_open+0x17b/0x1f0 fs/open.c:853
>>>> [<     inline     >] do_last fs/namei.c:3254
>>>> [<      none      >] path_openat+0xde9/0x5e30 fs/namei.c:3386
>>>> [<      none      >] do_filp_open+0x18e/0x250 fs/namei.c:3421
>>>> [<      none      >] do_sys_open+0x1fc/0x420 fs/open.c:1022
>>>> [<     inline     >] SYSC_open fs/open.c:1040
>>>> [<      none      >] SyS_open+0x2d/0x40 fs/open.c:1035
>>>> [<      none      >] entry_SYSCALL_64_fastpath+0x16/0x7a
>>>> arch/x86/entry/entry_64.S:185
>>>>
>>>> INFO: Freed in vhci_release+0xae/0xe0 age=12241 cpu=2 pid=10397
>>>> [<     inline     >] slab_free mm/slub.c:2835
>>>> [<      none      >] kfree+0x2ac/0x2c0 mm/slub.c:3664
>>>> [<      none      >] vhci_release+0xae/0xe0 drivers/bluetooth/hci_vhci.c:346
>>>> [<      none      >] __fput+0x236/0x780 fs/file_table.c:208
>>>> [<      none      >] ____fput+0x15/0x20 fs/file_table.c:244
>>>> [<      none      >] task_work_run+0x170/0x210 kernel/task_work.c:115
>>>> [<     inline     >] exit_task_work include/linux/task_work.h:21
>>>> [<      none      >] do_exit+0x8b5/0x2cb0 kernel/exit.c:748
>>>> [<      none      >] do_group_exit+0x108/0x330 kernel/exit.c:878
>>>> [<      none      >] get_signal+0x5e4/0x14f0 kernel/signal.c:2307
>>>> [<      none      >] do_signal+0x83/0x1c90 arch/x86/kernel/signal.c:712
>>>> [<      none      >] exit_to_usermode_loop+0x1a5/0x210
>>>> arch/x86/entry/common.c:247
>>>> [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:282
>>>> [<      none      >] syscall_return_slowpath+0x2ba/0x340
>>>> arch/x86/entry/common.c:344
>>>> [<      none      >] int_ret_from_sys_call+0x25/0x9f
>>>> arch/x86/entry/entry_64.S:281
>>>>
>>>> INFO: Slab 0xffffea0000ea2a00 objects=16 used=12 fp=0xffff88003a8aaa48
>>>> flags=0x1fffc0000004080
>>>> INFO: Object 0xffff88003a8a9ec0 @offset=7872 fp=0xffff88003a8a9338
>>>> CPU: 0 PID: 3554 Comm: kworker/u12:0 Tainted: G    B           4.5.0-rc1+ #300
>>>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>>>> Workqueue: hci0 hci_power_on
>>>> 00000000ffffffff ffff880036abf898 ffffffff82be118d ffff88003e804f00
>>>> ffff88003a8a9ec0 ffff88003a8a8000 ffff880036abf8c8 ffffffff8175b434
>>>> ffff88003e804f00 ffffea0000ea2a00 ffff88003a8a9ec0 0000000000000282
>>>>
>>>> Call Trace:
>>>> [<     inline     >] kasan_report mm/kasan/report.c:274
>>>> [<ffffffff81764e5e>] __asan_report_load8_noabort+0x3e/0x40
>>>> mm/kasan/report.c:295
>>>> [<     inline     >] skb_peek include/linux/skbuff.h:1453
>>>> [<     inline     >] __skb_dequeue include/linux/skbuff.h:1735
>>>> [<ffffffff854da2e3>] skb_dequeue+0x153/0x180 net/core/skbuff.c:2334
>>>> [<ffffffff854de656>] skb_queue_purge+0x26/0x40 net/core/skbuff.c:2371
>>>> [<ffffffff8484b9fb>] vhci_flush+0x3b/0x50 drivers/bluetooth/hci_vhci.c:74
>>>> [<ffffffff85d3a02f>] hci_dev_do_open+0x62f/0xf60 net/bluetooth/hci_core.c:1417
>>>> [<ffffffff85d42b98>] hci_power_on+0x108/0x4b0 net/bluetooth/hci_core.c:2027
>>>> [<ffffffff813a2386>] process_one_work+0x796/0x1440 kernel/workqueue.c:2037
>>>> [<ffffffff813a310b>] worker_thread+0xdb/0xfc0 kernel/workqueue.c:2171
>>>> [<ffffffff813b637f>] kthread+0x23f/0x2d0 drivers/block/aoe/aoecmd.c:1303
>>>> [<ffffffff866535ef>] ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468
>>>> ==================================================================
>>>
>>>
>>>
>>> Ping.
>>> Just got another one on 4.5-rc6
>>
>> FWIW I've just hit that too right now.
>>
>> But I haven't hit it with 4.4, which I am fuzzing for orders of
>> magnitude longer. But take it with a grain of salt -- it could be a
>> coincidence, of course.
>
> Do you know what the fuzzer was doing at this point? Is the fuzzer opening the /dev/vhci device node? Since that would be the only way to actually get into that driver.

Check out the KASAN reports. They should answer your question.

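A triage script added for the two questions in this thread (is the fuzzer opening /dev/vhci, and is the issue real or theoretical); this is example code written for this page, not code from the thread, syzkaller or the kernel tree. It splits a KASAN report of the kind quoted above into its allocation, free and access stacks and reads the answer off them: the allocation stack runs vhci_open <- misc_open <- SyS_open, so the object is the per-file data allocated when userspace opens the vhci misc device; it is freed from vhci_release via __fput when the last reference to that file is dropped (in the reports, at task exit); and the access comes from the hci0 workqueue (hci_cmd_work) still dereferencing it. The embedded report is a constructed, trimmed excerpt in the format of the 4.5-rc1 reports above, with two lines wrapped the way the mail client wrapped them; the regular expressions and the syscall-entry and workqueue frame-name prefixes are this example's own assumptions about the report format.

```python
# Added example (not from the thread, syzkaller or the kernel tree): split a
# KASAN use-after-free report into its alloc, free and access stacks and check
# from which contexts each happened. SAMPLE_REPORT is a constructed, trimmed
# excerpt in the format of the reports above; regexes are assumptions.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAMPLE_REPORT = """\
BUG: KASAN: use-after-free in do_raw_spin_unlock+0x228/0x240 at addr
ffff88003a8a9ed8
Write of size 8 by task kworker/u12:2/10322
INFO: Allocated in vhci_open+0x50/0x350 age=6743 cpu=0 pid=10397
[<      none      >] vhci_open+0x50/0x350 drivers/bluetooth/hci_vhci.c:316
[<      none      >] misc_open+0x388/0x520 drivers/char/misc.c:153
[<      none      >] SyS_open+0x2d/0x40 fs/open.c:1035

INFO: Freed in vhci_release+0xae/0xe0 age=2072 cpu=2 pid=10397
[<      none      >] vhci_release+0xae/0xe0 drivers/bluetooth/hci_vhci.c:346
[<      none      >] __fput+0x236/0x780 fs/file_table.c:208

Workqueue: hci0 hci_cmd_work
Call Trace:
[<ffffffff81764f9e>] __asan_report_store8_noabort+0x3e/0x40
mm/kasan/report.c:300
[<ffffffff81466608>] do_raw_spin_unlock+0x228/0x240 kernel/locking/spinlock_debug.c:158
[<ffffffff8484b983>] vhci_send_frame+0xc3/0x100 drivers/bluetooth/hci_vhci.c:86
[<ffffffff85d385bf>] hci_cmd_work+0x18f/0x2e0 net/bluetooth/hci_core.c:4196
[<ffffffff813a2386>] process_one_work+0x796/0x1440 kernel/workqueue.c:2037
==================================================================
"""

OFF = r"(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"  # optional +offset/length after a symbol
FRAME_RE = re.compile(r"^\[<\s*(?:[0-9a-f]+|none|inline)\s*>\]\s+([\w.]+?)" + OFF + r"(?:\s+(\S+:\d+))?\s*$")
BUG_RE = re.compile(r"^BUG: KASAN: (\S+) in (\S+?)" + OFF + r" at addr ([0-9a-f]+)")
ACCESS_RE = re.compile(r"^((?:Read|Write) of size \d+ by task \S+)")
SITE_RE = re.compile(r"^INFO: (Allocated|Freed) in (\S+?)" + OFF + r" age=")
WQ_RE = re.compile(r"^Workqueue: \S+ (\S+)")
# A line that is only a file:line or a 16-digit address is the tail of a wrapped line.
WRAPPED_TAIL_RE = re.compile(r"^(?:[\w./-]+:\d+|[0-9a-f]{16})$")
SYSCALL_FRAMES = ("SyS_", "SYSC_", "__x64_sys_", "do_syscall_64", "entry_SYSCALL_64", "int_ret_from_sys_call")
ASYNC_FRAMES = ("process_one_work", "worker_thread", "kthread")
Frame = Tuple[str, str]  # (function, "file:line" or "")


@dataclass
class KasanReport:
    kind: str = ""
    access_func: str = ""
    addr: str = ""
    access: str = ""
    workqueue: Optional[str] = None
    alloc_site: str = ""
    free_site: str = ""
    alloc_stack: List[Frame] = field(default_factory=list)
    free_stack: List[Frame] = field(default_factory=list)
    access_stack: List[Frame] = field(default_factory=list)


def unwrap(text: str) -> List[str]:
    """Rejoin header and frame lines that the mail client wrapped onto a second line."""
    lines: List[str] = []
    for line in (raw.strip() for raw in text.splitlines()):
        if lines and WRAPPED_TAIL_RE.match(line):
            lines[-1] += " " + line
        else:
            lines.append(line)
    return lines


def parse_report(text: str) -> KasanReport:
    rep, target = KasanReport(), None  # target: the stack currently being collected
    for line in unwrap(text):
        if m := BUG_RE.match(line):
            rep.kind, rep.access_func, rep.addr = m.groups()
        elif m := ACCESS_RE.match(line):
            rep.access = m.group(1)
        elif m := SITE_RE.match(line):
            allocated = m.group(1) == "Allocated"
            setattr(rep, "alloc_site" if allocated else "free_site", m.group(2))
            target = rep.alloc_stack if allocated else rep.free_stack
        elif m := WQ_RE.match(line):
            rep.workqueue = m.group(1)
        elif line == "Call Trace:":
            target = rep.access_stack
        elif (m := FRAME_RE.match(line)) and target is not None:
            target.append((m.group(1), m.group(2) or ""))
        else:
            target = None  # a blank line, slab info or the footer ends the stack
    return rep


def syscall_entry(stack: List[Frame]) -> Optional[str]:
    """First frame showing the stack was entered from userspace via a syscall."""
    return next((f for f, _ in stack if f.startswith(SYSCALL_FRAMES)), None)


def triage(rep: KasanReport) -> Dict[str, object]:
    """Who allocated, freed and then touched the object, and from which context."""
    return {
        "access": f"{rep.access} in {rep.access_func}",
        "alloc_syscall": syscall_entry(rep.alloc_stack),
        "freed_on_close": any(f in ("__fput", "____fput") for f, _ in rep.free_stack),
        "used_by_async_work": rep.workqueue is not None
        or any(f.startswith(ASYNC_FRAMES) for f, _ in rep.access_stack),
        "driver_frames": [f for f, loc in rep.access_stack if loc.startswith("drivers/")],
    }
```

Run `triage(parse_report(SAMPLE_REPORT))` on the excerpt and it reports alloc_syscall SyS_open, freed_on_close True, used_by_async_work True and driver_frames ['vhci_send_frame']: a userspace-reachable allocation, freed on the file's release, still referenced from a kernel workqueue. The same three checks work on the other two reports in the thread (hci_power_on -> vhci_flush), where the access stack is a workqueue and the free stack is again __fput from task exit.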

* Re: bluetooth: use-after-free in vhci_send_frame
  2016-03-07 20:16       ` Dmitry Vyukov
@ 2016-03-08 18:32         ` Marcel Holtmann
  2016-03-10 16:25           ` Dmitry Vyukov
  2016-03-18 16:59           ` Jiri Slaby
  0 siblings, 2 replies; 9+ messages in thread
From: Marcel Holtmann @ 2016-03-08 18:32 UTC (permalink / raw)
  To: Dmitry Vyukov
  Cc: Jiri Slaby, Gustavo F. Padovan, Johan Hedberg, linux-bluetooth,
	LKML, syzkaller, Kostya Serebryany, Alexander Potapenko,
	Sasha Levin

Hi Dmitry,

>>>>> I've got the following use-after-free reports while running the syzkaller
>>>>> fuzzer. Unfortunately no reproducer. But this happened when the system was
>>>>> busy reacting to sysrq-t, so probably some unexpected delay happened.
>>>>> 
>>>>> On commit 92e963f50fc74041b5e9e744c330dca48e04f08d.
>>>>> 
>>>>> ==================================================================
>>>>> BUG: KASAN: use-after-free in do_raw_spin_unlock+0x228/0x240 at addr
>>>>> ffff88003a8a9ed8
>>>>> Write of size 8 by task kworker/u12:2/10322
>>>>> =============================================================================
>>>>> BUG kmalloc-512 (Tainted: G    B          ): kasan: bad access detected
>>>>> -----------------------------------------------------------------------------
>>>>> 
>>>>> INFO: Allocated in vhci_open+0x50/0x350 age=6743 cpu=0 pid=10397
>>>>> [<      none      >] ___slab_alloc+0x564/0x5b0 mm/slub.c:2470
>>>>> [<      none      >] __slab_alloc+0x66/0xc0 mm/slub.c:2499
>>>>> [<     inline     >] slab_alloc_node mm/slub.c:2562
>>>>> [<     inline     >] slab_alloc mm/slub.c:2604
>>>>> [<      none      >] kmem_cache_alloc_trace+0x25c/0x300 mm/slub.c:2621
>>>>> [<     inline     >] kmalloc include/linux/slab.h:463
>>>>> [<     inline     >] kzalloc include/linux/slab.h:607
>>>>> [<      none      >] vhci_open+0x50/0x350 drivers/bluetooth/hci_vhci.c:316
>>>>> [<      none      >] misc_open+0x388/0x520 drivers/char/misc.c:153
>>>>> [<      none      >] chrdev_open+0x22a/0x4c0 fs/char_dev.c:388
>>>>> [<      none      >] do_dentry_open+0x6a2/0xcb0 fs/open.c:736
>>>>> [<      none      >] vfs_open+0x17b/0x1f0 fs/open.c:853
>>>>> [<     inline     >] do_last fs/namei.c:3254
>>>>> [<      none      >] path_openat+0xde9/0x5e30 fs/namei.c:3386
>>>>> [<      none      >] do_filp_open+0x18e/0x250 fs/namei.c:3421
>>>>> [<      none      >] do_sys_open+0x1fc/0x420 fs/open.c:1022
>>>>> [<     inline     >] SYSC_open fs/open.c:1040
>>>>> [<      none      >] SyS_open+0x2d/0x40 fs/open.c:1035
>>>>> [<      none      >] entry_SYSCALL_64_fastpath+0x16/0x7a
>>>>> arch/x86/entry/entry_64.S:185
>>>>> 
>>>>> INFO: Freed in vhci_release+0xae/0xe0 age=2072 cpu=2 pid=10397
>>>>> [<      none      >] __slab_free+0x1fc/0x320 mm/slub.c:2680
>>>>> [<     inline     >] slab_free mm/slub.c:2835
>>>>> [<      none      >] kfree+0x2ac/0x2c0 mm/slub.c:3664
>>>>> [<      none      >] vhci_release+0xae/0xe0 drivers/bluetooth/hci_vhci.c:346
>>>>> [<      none      >] __fput+0x236/0x780 fs/file_table.c:208
>>>>> [<      none      >] ____fput+0x15/0x20 fs/file_table.c:244
>>>>> [<      none      >] task_work_run+0x170/0x210 kernel/task_work.c:115
>>>>> [<     inline     >] exit_task_work include/linux/task_work.h:21
>>>>> [<      none      >] do_exit+0x8b5/0x2cb0 kernel/exit.c:748
>>>>> [<      none      >] do_group_exit+0x108/0x330 kernel/exit.c:878
>>>>> [<      none      >] get_signal+0x5e4/0x14f0 kernel/signal.c:2307
>>>>> [<      none      >] do_signal+0x83/0x1c90 arch/x86/kernel/signal.c:712
>>>>> [<      none      >] exit_to_usermode_loop+0x1a5/0x210
>>>>> arch/x86/entry/common.c:247
>>>>> [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:282
>>>>> [<      none      >] syscall_return_slowpath+0x2ba/0x340
>>>>> arch/x86/entry/common.c:344
>>>>> [<      none      >] int_ret_from_sys_call+0x25/0x9f
>>>>> arch/x86/entry/entry_64.S:281
>>>>> 
>>>>> INFO: Slab 0xffffea0000ea2a00 objects=16 used=14 fp=0xffff88003a8a9ec0
>>>>> flags=0x1fffc0000004080
>>>>> INFO: Object 0xffff88003a8a9ec0 @offset=7872 fp=0xffff88003a8a9ae8
>>>>> CPU: 1 PID: 10322 Comm: kworker/u12:2 Tainted: G    B           4.5.0-rc1+ #300
>>>>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>>>>> Workqueue: hci0 hci_cmd_work
>>>>> 00000000ffffffff ffff88003634f9f8 ffffffff82be118d ffff88003e804f00
>>>>> ffff88003a8a9ec0 ffff88003a8a8000 ffff88003634fa28 ffffffff8175b434
>>>>> ffff88003e804f00 ffffea0000ea2a00 ffff88003a8a9ec0 0000000000000001
>>>>> 
>>>>> Call Trace:
>>>>> [<     inline     >] kasan_report mm/kasan/report.c:274
>>>>> [<ffffffff81764f9e>] __asan_report_store8_noabort+0x3e/0x40
>>>>> mm/kasan/report.c:300
>>>>> [<     inline     >] debug_spin_unlock kernel/locking/spinlock_debug.c:102
>>>>> [<ffffffff81466608>] do_raw_spin_unlock+0x228/0x240
>>>>> kernel/locking/spinlock_debug.c:158
>>>>> [<     inline     >] __raw_spin_unlock_irqrestore
>>>>> include/linux/spinlock_api_smp.h:161
>>>>> [<ffffffff86652cf7>] _raw_spin_unlock_irqrestore+0x27/0xc0
>>>>> kernel/locking/spinlock.c:191
>>>>> [<     inline     >] spin_unlock_irqrestore include/linux/spinlock.h:362
>>>>> [<ffffffff8143975f>] __wake_up+0x3f/0x50 kernel/sched/wait.c:96
>>>>> [<ffffffff8484b983>] vhci_send_frame+0xc3/0x100 drivers/bluetooth/hci_vhci.c:86
>>>>> [<ffffffff85d38315>] hci_send_frame+0x1f5/0x310 net/bluetooth/hci_core.c:3316
>>>>> [<ffffffff85d385bf>] hci_cmd_work+0x18f/0x2e0 net/bluetooth/hci_core.c:4196
>>>>> [<ffffffff813a2386>] process_one_work+0x796/0x1440 kernel/workqueue.c:2037
>>>>> [<ffffffff813a310b>] worker_thread+0xdb/0xfc0 kernel/workqueue.c:2171
>>>>> [<ffffffff813b637f>] kthread+0x23f/0x2d0 drivers/block/aoe/aoecmd.c:1303
>>>>> [<ffffffff866535ef>] ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468
>>>>> ==================================================================
>>>>> 
>>>>> ==================================================================
>>>>> BUG: KASAN: use-after-free in do_raw_spin_lock+0x281/0x2b0 at addr
>>>>> ffff88003a8a9f2c
>>>>> Read of size 4 by task kworker/u12:0/3554
>>>>> =============================================================================
>>>>> BUG kmalloc-512 (Tainted: G    B          ): kasan: bad access detected
>>>>> -----------------------------------------------------------------------------
>>>>> 
>>>>> INFO: Allocated in vhci_open+0x50/0x350 age=16305 cpu=0 pid=10397
>>>>> [<      none      >] ___slab_alloc+0x564/0x5b0 mm/slub.c:2470
>>>>> [<      none      >] __slab_alloc+0x66/0xc0 mm/slub.c:2499
>>>>> [<     inline     >] slab_alloc_node mm/slub.c:2562
>>>>> [<     inline     >] slab_alloc mm/slub.c:2604
>>>>> [<      none      >] kmem_cache_alloc_trace+0x25c/0x300 mm/slub.c:2621
>>>>> [<     inline     >] kmalloc include/linux/slab.h:463
>>>>> [<     inline     >] kzalloc include/linux/slab.h:607
>>>>> [<      none      >] vhci_open+0x50/0x350 drivers/bluetooth/hci_vhci.c:316
>>>>> [<      none      >] misc_open+0x388/0x520 drivers/char/misc.c:153
>>>>> [<      none      >] chrdev_open+0x22a/0x4c0 fs/char_dev.c:388
>>>>> [<      none      >] do_dentry_open+0x6a2/0xcb0 fs/open.c:736
>>>>> [<      none      >] vfs_open+0x17b/0x1f0 fs/open.c:853
>>>>> [<     inline     >] do_last fs/namei.c:3254
>>>>> [<      none      >] path_openat+0xde9/0x5e30 fs/namei.c:3386
>>>>> [<      none      >] do_filp_open+0x18e/0x250 fs/namei.c:3421
>>>>> [<      none      >] do_sys_open+0x1fc/0x420 fs/open.c:1022
>>>>> [<     inline     >] SYSC_open fs/open.c:1040
>>>>> [<      none      >] SyS_open+0x2d/0x40 fs/open.c:1035
>>>>> [<      none      >] entry_SYSCALL_64_fastpath+0x16/0x7a
>>>>> arch/x86/entry/entry_64.S:185
>>>>> 
>>>>> INFO: Freed in vhci_release+0xae/0xe0 age=11634 cpu=2 pid=10397
>>>>> [<      none      >] __slab_free+0x1fc/0x320 mm/slub.c:2680
>>>>> [<     inline     >] slab_free mm/slub.c:2835
>>>>> [<      none      >] kfree+0x2ac/0x2c0 mm/slub.c:3664
>>>>> [<      none      >] vhci_release+0xae/0xe0 drivers/bluetooth/hci_vhci.c:346
>>>>> [<      none      >] __fput+0x236/0x780 fs/file_table.c:208
>>>>> [<      none      >] ____fput+0x15/0x20 fs/file_table.c:244
>>>>> [<      none      >] task_work_run+0x170/0x210 kernel/task_work.c:115
>>>>> [<     inline     >] exit_task_work include/linux/task_work.h:21
>>>>> [<      none      >] do_exit+0x8b5/0x2cb0 kernel/exit.c:748
>>>>> [<      none      >] do_group_exit+0x108/0x330 kernel/exit.c:878
>>>>> [<      none      >] get_signal+0x5e4/0x14f0 kernel/signal.c:2307
>>>>> [<      none      >] do_signal+0x83/0x1c90 arch/x86/kernel/signal.c:712
>>>>> [<      none      >] exit_to_usermode_loop+0x1a5/0x210
>>>>> arch/x86/entry/common.c:247
>>>>> [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:282
>>>>> [<      none      >] syscall_return_slowpath+0x2ba/0x340
>>>>> arch/x86/entry/common.c:344
>>>>> [<      none      >] int_ret_from_sys_call+0x25/0x9f
>>>>> arch/x86/entry/entry_64.S:281
>>>>> 
>>>>> INFO: Slab 0xffffea0000ea2a00 objects=16 used=12 fp=0xffff88003a8aaa48
>>>>> flags=0x1fffc0000004080
>>>>> INFO: Object 0xffff88003a8a9ec0 @offset=7872 fp=0xffff88003a8a9338
>>>>> CPU: 0 PID: 3554 Comm: kworker/u12:0 Tainted: G    B           4.5.0-rc1+ #300
>>>>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>>>>> Workqueue: hci0 hci_power_on
>>>>> 00000000ffffffff ffff880036abf838 ffffffff82be118d ffff88003e804f00
>>>>> ffff88003a8a9ec0 ffff88003a8a8000 ffff880036abf868 ffffffff8175b434
>>>>> ffff88003e804f00 ffffea0000ea2a00 ffff88003a8a9ec0 ffff880036abfb30
>>>>> 
>>>>> Call Trace:
>>>>> [<     inline     >] kasan_report mm/kasan/report.c:274
>>>>> [<ffffffff81764e1e>] __asan_report_load4_noabort+0x3e/0x40
>>>>> mm/kasan/report.c:294
>>>>> [<     inline     >] debug_spin_lock_before kernel/locking/spinlock_debug.c:83
>>>>> [<ffffffff814662e1>] do_raw_spin_lock+0x281/0x2b0
>>>>> kernel/locking/spinlock_debug.c:135
>>>>> [<     inline     >] __raw_spin_lock_irqsave
>>>>> include/linux/spinlock_api_smp.h:119
>>>>> [<ffffffff86652bd7>] _raw_spin_lock_irqsave+0xa7/0xd0
>>>>> kernel/locking/spinlock.c:159
>>>>> [<ffffffff854da1b2>] skb_dequeue+0x22/0x180 net/core/skbuff.c:2333
>>>>> [<ffffffff854de656>] skb_queue_purge+0x26/0x40 net/core/skbuff.c:2371
>>>>> [<ffffffff8484b9fb>] vhci_flush+0x3b/0x50 drivers/bluetooth/hci_vhci.c:74
>>>>> [<ffffffff85d3a02f>] hci_dev_do_open+0x62f/0xf60 net/bluetooth/hci_core.c:1417
>>>>> [<ffffffff85d42b98>] hci_power_on+0x108/0x4b0 net/bluetooth/hci_core.c:2027
>>>>> [<ffffffff813a2386>] process_one_work+0x796/0x1440 kernel/workqueue.c:2037
>>>>> [<ffffffff813a310b>] worker_thread+0xdb/0xfc0 kernel/workqueue.c:2171
>>>>> [<ffffffff813b637f>] kthread+0x23f/0x2d0 drivers/block/aoe/aoecmd.c:1303
>>>>> [<ffffffff866535ef>] ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468
>>>>> ==================================================================
>>>>> ==================================================================
>>>>> BUG: KASAN: use-after-free in skb_dequeue+0x153/0x180 at addr ffff88003a8a9f10
>>>>> Read of size 8 by task kworker/u12:0/3554
>>>>> =============================================================================
>>>>> BUG kmalloc-512 (Tainted: G    B          ): kasan: bad access detected
>>>>> -----------------------------------------------------------------------------
>>>>> 
>>>>> INFO: Allocated in vhci_open+0x50/0x350 age=16913 cpu=0 pid=10397
>>>>> [<     inline     >] slab_alloc_node mm/slub.c:2562
>>>>> [<     inline     >] slab_alloc mm/slub.c:2604
>>>>> [<      none      >] kmem_cache_alloc_trace+0x25c/0x300 mm/slub.c:2621
>>>>> [<     inline     >] kmalloc include/linux/slab.h:463
>>>>> [<     inline     >] kzalloc include/linux/slab.h:607
>>>>> [<      none      >] vhci_open+0x50/0x350 drivers/bluetooth/hci_vhci.c:316
>>>>> [<      none      >] misc_open+0x388/0x520 drivers/char/misc.c:153
>>>>> [<      none      >] chrdev_open+0x22a/0x4c0 fs/char_dev.c:388
>>>>> [<      none      >] do_dentry_open+0x6a2/0xcb0 fs/open.c:736
>>>>> [<      none      >] vfs_open+0x17b/0x1f0 fs/open.c:853
>>>>> [<     inline     >] do_last fs/namei.c:3254
>>>>> [<      none      >] path_openat+0xde9/0x5e30 fs/namei.c:3386
>>>>> [<      none      >] do_filp_open+0x18e/0x250 fs/namei.c:3421
>>>>> [<      none      >] do_sys_open+0x1fc/0x420 fs/open.c:1022
>>>>> [<     inline     >] SYSC_open fs/open.c:1040
>>>>> [<      none      >] SyS_open+0x2d/0x40 fs/open.c:1035
>>>>> [<      none      >] entry_SYSCALL_64_fastpath+0x16/0x7a
>>>>> arch/x86/entry/entry_64.S:185
>>>>> 
>>>>> INFO: Freed in vhci_release+0xae/0xe0 age=12241 cpu=2 pid=10397
>>>>> [<     inline     >] slab_free mm/slub.c:2835
>>>>> [<      none      >] kfree+0x2ac/0x2c0 mm/slub.c:3664
>>>>> [<      none      >] vhci_release+0xae/0xe0 drivers/bluetooth/hci_vhci.c:346
>>>>> [<      none      >] __fput+0x236/0x780 fs/file_table.c:208
>>>>> [<      none      >] ____fput+0x15/0x20 fs/file_table.c:244
>>>>> [<      none      >] task_work_run+0x170/0x210 kernel/task_work.c:115
>>>>> [<     inline     >] exit_task_work include/linux/task_work.h:21
>>>>> [<      none      >] do_exit+0x8b5/0x2cb0 kernel/exit.c:748
>>>>> [<      none      >] do_group_exit+0x108/0x330 kernel/exit.c:878
>>>>> [<      none      >] get_signal+0x5e4/0x14f0 kernel/signal.c:2307
>>>>> [<      none      >] do_signal+0x83/0x1c90 arch/x86/kernel/signal.c:712
>>>>> [<      none      >] exit_to_usermode_loop+0x1a5/0x210
>>>>> arch/x86/entry/common.c:247
>>>>> [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:282
>>>>> [<      none      >] syscall_return_slowpath+0x2ba/0x340
>>>>> arch/x86/entry/common.c:344
>>>>> [<      none      >] int_ret_from_sys_call+0x25/0x9f
>>>>> arch/x86/entry/entry_64.S:281
>>>>> 
>>>>> INFO: Slab 0xffffea0000ea2a00 objects=16 used=12 fp=0xffff88003a8aaa48
>>>>> flags=0x1fffc0000004080
>>>>> INFO: Object 0xffff88003a8a9ec0 @offset=7872 fp=0xffff88003a8a9338
>>>>> CPU: 0 PID: 3554 Comm: kworker/u12:0 Tainted: G    B           4.5.0-rc1+ #300
>>>>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>>>>> Workqueue: hci0 hci_power_on
>>>>> 00000000ffffffff ffff880036abf898 ffffffff82be118d ffff88003e804f00
>>>>> ffff88003a8a9ec0 ffff88003a8a8000 ffff880036abf8c8 ffffffff8175b434
>>>>> ffff88003e804f00 ffffea0000ea2a00 ffff88003a8a9ec0 0000000000000282
>>>>> 
>>>>> Call Trace:
>>>>> [<     inline     >] kasan_report mm/kasan/report.c:274
>>>>> [<ffffffff81764e5e>] __asan_report_load8_noabort+0x3e/0x40
>>>>> mm/kasan/report.c:295
>>>>> [<     inline     >] skb_peek include/linux/skbuff.h:1453
>>>>> [<     inline     >] __skb_dequeue include/linux/skbuff.h:1735
>>>>> [<ffffffff854da2e3>] skb_dequeue+0x153/0x180 net/core/skbuff.c:2334
>>>>> [<ffffffff854de656>] skb_queue_purge+0x26/0x40 net/core/skbuff.c:2371
>>>>> [<ffffffff8484b9fb>] vhci_flush+0x3b/0x50 drivers/bluetooth/hci_vhci.c:74
>>>>> [<ffffffff85d3a02f>] hci_dev_do_open+0x62f/0xf60 net/bluetooth/hci_core.c:1417
>>>>> [<ffffffff85d42b98>] hci_power_on+0x108/0x4b0 net/bluetooth/hci_core.c:2027
>>>>> [<ffffffff813a2386>] process_one_work+0x796/0x1440 kernel/workqueue.c:2037
>>>>> [<ffffffff813a310b>] worker_thread+0xdb/0xfc0 kernel/workqueue.c:2171
>>>>> [<ffffffff813b637f>] kthread+0x23f/0x2d0 drivers/block/aoe/aoecmd.c:1303
>>>>> [<ffffffff866535ef>] ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468
>>>>> ==================================================================
>>>> 
>>>> 
>>>> 
>>>> Ping.
>>>> Just got another one on 4.5-rc6
>>> 
>>> FWIW I've just hit that too right now.
>>> 
>>> But I haven't hit it with 4.4, which I am fuzzing for orders of
>>> magnitude longer. But take it with a grain of salt -- it could be a
>>> coincidence, of course.
>> 
>> Do you know what the fuzzer was doing at this point? Is the fuzzer opening the /dev/vhci device node? Since that would be the only way to actually get into that driver.
> 
> Check out the KASAN reports. They should answer your question.

That means very little to me, actually. So is the real issue caused by opening /dev/vhci, or is it a theoretical one via some internal kernel compile-time feature?

Regards

Marcel



* Re: bluetooth: use-after-free in vhci_send_frame
  2016-03-08 18:32         ` Marcel Holtmann
@ 2016-03-10 16:25           ` Dmitry Vyukov
  2016-03-18 16:59           ` Jiri Slaby
  1 sibling, 0 replies; 9+ messages in thread
From: Dmitry Vyukov @ 2016-03-10 16:25 UTC (permalink / raw)
  To: Marcel Holtmann
  Cc: Jiri Slaby, Gustavo F. Padovan, Johan Hedberg, linux-bluetooth,
	LKML, syzkaller, Kostya Serebryany, Alexander Potapenko,
	Sasha Levin

On Tue, Mar 8, 2016 at 7:32 PM, Marcel Holtmann <marcel@holtmann.org> wrote:
> Hi Dmitry,
>
>>>>>> I've got the following use-after-free reports while running syzkaller
>>>>>> fuzzer. Unfortunately no reproducer. But this happened when system was
>>>>>> busy reacting on sysrq t, so probably some unexpected delay happened.
>>>>>>
>>>>>> On commit 92e963f50fc74041b5e9e744c330dca48e04f08d.
>>>>>>
>>>>>> ==================================================================
>>>>>> BUG: KASAN: use-after-free in do_raw_spin_unlock+0x228/0x240 at addr
>>>>>> ffff88003a8a9ed8
>>>>>> Write of size 8 by task kworker/u12:2/10322
>>>>>> =============================================================================
>>>>>> BUG kmalloc-512 (Tainted: G    B          ): kasan: bad access detected
>>>>>> -----------------------------------------------------------------------------
>>>>>>
>>>>>> INFO: Allocated in vhci_open+0x50/0x350 age=6743 cpu=0 pid=10397
>>>>>> [<      none      >] ___slab_alloc+0x564/0x5b0 mm/slub.c:2470
>>>>>> [<      none      >] __slab_alloc+0x66/0xc0 mm/slub.c:2499
>>>>>> [<     inline     >] slab_alloc_node mm/slub.c:2562
>>>>>> [<     inline     >] slab_alloc mm/slub.c:2604
>>>>>> [<      none      >] kmem_cache_alloc_trace+0x25c/0x300 mm/slub.c:2621
>>>>>> [<     inline     >] kmalloc include/linux/slab.h:463
>>>>>> [<     inline     >] kzalloc include/linux/slab.h:607
>>>>>> [<      none      >] vhci_open+0x50/0x350 drivers/bluetooth/hci_vhci.c:316
>>>>>> [<      none      >] misc_open+0x388/0x520 drivers/char/misc.c:153
>>>>>> [<      none      >] chrdev_open+0x22a/0x4c0 fs/char_dev.c:388
>>>>>> [<      none      >] do_dentry_open+0x6a2/0xcb0 fs/open.c:736
>>>>>> [<      none      >] vfs_open+0x17b/0x1f0 fs/open.c:853
>>>>>> [<     inline     >] do_last fs/namei.c:3254
>>>>>> [<      none      >] path_openat+0xde9/0x5e30 fs/namei.c:3386
>>>>>> [<      none      >] do_filp_open+0x18e/0x250 fs/namei.c:3421
>>>>>> [<      none      >] do_sys_open+0x1fc/0x420 fs/open.c:1022
>>>>>> [<     inline     >] SYSC_open fs/open.c:1040
>>>>>> [<      none      >] SyS_open+0x2d/0x40 fs/open.c:1035
>>>>>> [<      none      >] entry_SYSCALL_64_fastpath+0x16/0x7a
>>>>>> arch/x86/entry/entry_64.S:185
>>>>>>
>>>>>> INFO: Freed in vhci_release+0xae/0xe0 age=2072 cpu=2 pid=10397
>>>>>> [<      none      >] __slab_free+0x1fc/0x320 mm/slub.c:2680
>>>>>> [<     inline     >] slab_free mm/slub.c:2835
>>>>>> [<      none      >] kfree+0x2ac/0x2c0 mm/slub.c:3664
>>>>>> [<      none      >] vhci_release+0xae/0xe0 drivers/bluetooth/hci_vhci.c:346
>>>>>> [<      none      >] __fput+0x236/0x780 fs/file_table.c:208
>>>>>> [<      none      >] ____fput+0x15/0x20 fs/file_table.c:244
>>>>>> [<      none      >] task_work_run+0x170/0x210 kernel/task_work.c:115
>>>>>> [<     inline     >] exit_task_work include/linux/task_work.h:21
>>>>>> [<      none      >] do_exit+0x8b5/0x2cb0 kernel/exit.c:748
>>>>>> [<      none      >] do_group_exit+0x108/0x330 kernel/exit.c:878
>>>>>> [<      none      >] get_signal+0x5e4/0x14f0 kernel/signal.c:2307
>>>>>> [<      none      >] do_signal+0x83/0x1c90 arch/x86/kernel/signal.c:712
>>>>>> [<      none      >] exit_to_usermode_loop+0x1a5/0x210
>>>>>> arch/x86/entry/common.c:247
>>>>>> [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:282
>>>>>> [<      none      >] syscall_return_slowpath+0x2ba/0x340
>>>>>> arch/x86/entry/common.c:344
>>>>>> [<      none      >] int_ret_from_sys_call+0x25/0x9f
>>>>>> arch/x86/entry/entry_64.S:281
>>>>>>
>>>>>> INFO: Slab 0xffffea0000ea2a00 objects=16 used=14 fp=0xffff88003a8a9ec0
>>>>>> flags=0x1fffc0000004080
>>>>>> INFO: Object 0xffff88003a8a9ec0 @offset=7872 fp=0xffff88003a8a9ae8
>>>>>> CPU: 1 PID: 10322 Comm: kworker/u12:2 Tainted: G    B           4.5.0-rc1+ #300
>>>>>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>>>>>> Workqueue: hci0 hci_cmd_work
>>>>>> 00000000ffffffff ffff88003634f9f8 ffffffff82be118d ffff88003e804f00
>>>>>> ffff88003a8a9ec0 ffff88003a8a8000 ffff88003634fa28 ffffffff8175b434
>>>>>> ffff88003e804f00 ffffea0000ea2a00 ffff88003a8a9ec0 0000000000000001
>>>>>>
>>>>>> Call Trace:
>>>>>> [<     inline     >] kasan_report mm/kasan/report.c:274
>>>>>> [<ffffffff81764f9e>] __asan_report_store8_noabort+0x3e/0x40
>>>>>> mm/kasan/report.c:300
>>>>>> [<     inline     >] debug_spin_unlock kernel/locking/spinlock_debug.c:102
>>>>>> [<ffffffff81466608>] do_raw_spin_unlock+0x228/0x240
>>>>>> kernel/locking/spinlock_debug.c:158
>>>>>> [<     inline     >] __raw_spin_unlock_irqrestore
>>>>>> include/linux/spinlock_api_smp.h:161
>>>>>> [<ffffffff86652cf7>] _raw_spin_unlock_irqrestore+0x27/0xc0
>>>>>> kernel/locking/spinlock.c:191
>>>>>> [<     inline     >] spin_unlock_irqrestore include/linux/spinlock.h:362
>>>>>> [<ffffffff8143975f>] __wake_up+0x3f/0x50 kernel/sched/wait.c:96
>>>>>> [<ffffffff8484b983>] vhci_send_frame+0xc3/0x100 drivers/bluetooth/hci_vhci.c:86
>>>>>> [<ffffffff85d38315>] hci_send_frame+0x1f5/0x310 net/bluetooth/hci_core.c:3316
>>>>>> [<ffffffff85d385bf>] hci_cmd_work+0x18f/0x2e0 net/bluetooth/hci_core.c:4196
>>>>>> [<ffffffff813a2386>] process_one_work+0x796/0x1440 kernel/workqueue.c:2037
>>>>>> [<ffffffff813a310b>] worker_thread+0xdb/0xfc0 kernel/workqueue.c:2171
>>>>>> [<ffffffff813b637f>] kthread+0x23f/0x2d0 drivers/block/aoe/aoecmd.c:1303
>>>>>> [<ffffffff866535ef>] ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468
>>>>>> ==================================================================
>>>>>>
>>>>>> ==================================================================
>>>>>> BUG: KASAN: use-after-free in do_raw_spin_lock+0x281/0x2b0 at addr
>>>>>> ffff88003a8a9f2c
>>>>>> Read of size 4 by task kworker/u12:0/3554
>>>>>> =============================================================================
>>>>>> BUG kmalloc-512 (Tainted: G    B          ): kasan: bad access detected
>>>>>> -----------------------------------------------------------------------------
>>>>>>
>>>>>> INFO: Allocated in vhci_open+0x50/0x350 age=16305 cpu=0 pid=10397
>>>>>> [<      none      >] ___slab_alloc+0x564/0x5b0 mm/slub.c:2470
>>>>>> [<      none      >] __slab_alloc+0x66/0xc0 mm/slub.c:2499
>>>>>> [<     inline     >] slab_alloc_node mm/slub.c:2562
>>>>>> [<     inline     >] slab_alloc mm/slub.c:2604
>>>>>> [<      none      >] kmem_cache_alloc_trace+0x25c/0x300 mm/slub.c:2621
>>>>>> [<     inline     >] kmalloc include/linux/slab.h:463
>>>>>> [<     inline     >] kzalloc include/linux/slab.h:607
>>>>>> [<      none      >] vhci_open+0x50/0x350 drivers/bluetooth/hci_vhci.c:316
>>>>>> [<      none      >] misc_open+0x388/0x520 drivers/char/misc.c:153
>>>>>> [<      none      >] chrdev_open+0x22a/0x4c0 fs/char_dev.c:388
>>>>>> [<      none      >] do_dentry_open+0x6a2/0xcb0 fs/open.c:736
>>>>>> [<      none      >] vfs_open+0x17b/0x1f0 fs/open.c:853
>>>>>> [<     inline     >] do_last fs/namei.c:3254
>>>>>> [<      none      >] path_openat+0xde9/0x5e30 fs/namei.c:3386
>>>>>> [<      none      >] do_filp_open+0x18e/0x250 fs/namei.c:3421
>>>>>> [<      none      >] do_sys_open+0x1fc/0x420 fs/open.c:1022
>>>>>> [<     inline     >] SYSC_open fs/open.c:1040
>>>>>> [<      none      >] SyS_open+0x2d/0x40 fs/open.c:1035
>>>>>> [<      none      >] entry_SYSCALL_64_fastpath+0x16/0x7a
>>>>>> arch/x86/entry/entry_64.S:185
>>>>>>
>>>>>> INFO: Freed in vhci_release+0xae/0xe0 age=11634 cpu=2 pid=10397
>>>>>> [<      none      >] __slab_free+0x1fc/0x320 mm/slub.c:2680
>>>>>> [<     inline     >] slab_free mm/slub.c:2835
>>>>>> [<      none      >] kfree+0x2ac/0x2c0 mm/slub.c:3664
>>>>>> [<      none      >] vhci_release+0xae/0xe0 drivers/bluetooth/hci_vhci.c:346
>>>>>> [<      none      >] __fput+0x236/0x780 fs/file_table.c:208
>>>>>> [<      none      >] ____fput+0x15/0x20 fs/file_table.c:244
>>>>>> [<      none      >] task_work_run+0x170/0x210 kernel/task_work.c:115
>>>>>> [<     inline     >] exit_task_work include/linux/task_work.h:21
>>>>>> [<      none      >] do_exit+0x8b5/0x2cb0 kernel/exit.c:748
>>>>>> [<      none      >] do_group_exit+0x108/0x330 kernel/exit.c:878
>>>>>> [<      none      >] get_signal+0x5e4/0x14f0 kernel/signal.c:2307
>>>>>> [<      none      >] do_signal+0x83/0x1c90 arch/x86/kernel/signal.c:712
>>>>>> [<      none      >] exit_to_usermode_loop+0x1a5/0x210
>>>>>> arch/x86/entry/common.c:247
>>>>>> [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:282
>>>>>> [<      none      >] syscall_return_slowpath+0x2ba/0x340
>>>>>> arch/x86/entry/common.c:344
>>>>>> [<      none      >] int_ret_from_sys_call+0x25/0x9f
>>>>>> arch/x86/entry/entry_64.S:281
>>>>>>
>>>>>> INFO: Slab 0xffffea0000ea2a00 objects=16 used=12 fp=0xffff88003a8aaa48
>>>>>> flags=0x1fffc0000004080
>>>>>> INFO: Object 0xffff88003a8a9ec0 @offset=7872 fp=0xffff88003a8a9338
>>>>>> CPU: 0 PID: 3554 Comm: kworker/u12:0 Tainted: G    B           4.5.0-rc1+ #300
>>>>>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>>>>>> Workqueue: hci0 hci_power_on
>>>>>> 00000000ffffffff ffff880036abf838 ffffffff82be118d ffff88003e804f00
>>>>>> ffff88003a8a9ec0 ffff88003a8a8000 ffff880036abf868 ffffffff8175b434
>>>>>> ffff88003e804f00 ffffea0000ea2a00 ffff88003a8a9ec0 ffff880036abfb30
>>>>>>
>>>>>> Call Trace:
>>>>>> [<     inline     >] kasan_report mm/kasan/report.c:274
>>>>>> [<ffffffff81764e1e>] __asan_report_load4_noabort+0x3e/0x40
>>>>>> mm/kasan/report.c:294
>>>>>> [<     inline     >] debug_spin_lock_before kernel/locking/spinlock_debug.c:83
>>>>>> [<ffffffff814662e1>] do_raw_spin_lock+0x281/0x2b0
>>>>>> kernel/locking/spinlock_debug.c:135
>>>>>> [<     inline     >] __raw_spin_lock_irqsave
>>>>>> include/linux/spinlock_api_smp.h:119
>>>>>> [<ffffffff86652bd7>] _raw_spin_lock_irqsave+0xa7/0xd0
>>>>>> kernel/locking/spinlock.c:159
>>>>>> [<ffffffff854da1b2>] skb_dequeue+0x22/0x180 net/core/skbuff.c:2333
>>>>>> [<ffffffff854de656>] skb_queue_purge+0x26/0x40 net/core/skbuff.c:2371
>>>>>> [<ffffffff8484b9fb>] vhci_flush+0x3b/0x50 drivers/bluetooth/hci_vhci.c:74
>>>>>> [<ffffffff85d3a02f>] hci_dev_do_open+0x62f/0xf60 net/bluetooth/hci_core.c:1417
>>>>>> [<ffffffff85d42b98>] hci_power_on+0x108/0x4b0 net/bluetooth/hci_core.c:2027
>>>>>> [<ffffffff813a2386>] process_one_work+0x796/0x1440 kernel/workqueue.c:2037
>>>>>> [<ffffffff813a310b>] worker_thread+0xdb/0xfc0 kernel/workqueue.c:2171
>>>>>> [<ffffffff813b637f>] kthread+0x23f/0x2d0 drivers/block/aoe/aoecmd.c:1303
>>>>>> [<ffffffff866535ef>] ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468
>>>>>> ==================================================================
>>>>>> ==================================================================
>>>>>> BUG: KASAN: use-after-free in skb_dequeue+0x153/0x180 at addr ffff88003a8a9f10
>>>>>> Read of size 8 by task kworker/u12:0/3554
>>>>>> =============================================================================
>>>>>> BUG kmalloc-512 (Tainted: G    B          ): kasan: bad access detected
>>>>>> -----------------------------------------------------------------------------
>>>>>>
>>>>>> INFO: Allocated in vhci_open+0x50/0x350 age=16913 cpu=0 pid=10397
>>>>>> [<     inline     >] slab_alloc_node mm/slub.c:2562
>>>>>> [<     inline     >] slab_alloc mm/slub.c:2604
>>>>>> [<      none      >] kmem_cache_alloc_trace+0x25c/0x300 mm/slub.c:2621
>>>>>> [<     inline     >] kmalloc include/linux/slab.h:463
>>>>>> [<     inline     >] kzalloc include/linux/slab.h:607
>>>>>> [<      none      >] vhci_open+0x50/0x350 drivers/bluetooth/hci_vhci.c:316
>>>>>> [<      none      >] misc_open+0x388/0x520 drivers/char/misc.c:153
>>>>>> [<      none      >] chrdev_open+0x22a/0x4c0 fs/char_dev.c:388
>>>>>> [<      none      >] do_dentry_open+0x6a2/0xcb0 fs/open.c:736
>>>>>> [<      none      >] vfs_open+0x17b/0x1f0 fs/open.c:853
>>>>>> [<     inline     >] do_last fs/namei.c:3254
>>>>>> [<      none      >] path_openat+0xde9/0x5e30 fs/namei.c:3386
>>>>>> [<      none      >] do_filp_open+0x18e/0x250 fs/namei.c:3421
>>>>>> [<      none      >] do_sys_open+0x1fc/0x420 fs/open.c:1022
>>>>>> [<     inline     >] SYSC_open fs/open.c:1040
>>>>>> [<      none      >] SyS_open+0x2d/0x40 fs/open.c:1035
>>>>>> [<      none      >] entry_SYSCALL_64_fastpath+0x16/0x7a
>>>>>> arch/x86/entry/entry_64.S:185
>>>>>>
>>>>>> INFO: Freed in vhci_release+0xae/0xe0 age=12241 cpu=2 pid=10397
>>>>>> [<     inline     >] slab_free mm/slub.c:2835
>>>>>> [<      none      >] kfree+0x2ac/0x2c0 mm/slub.c:3664
>>>>>> [<      none      >] vhci_release+0xae/0xe0 drivers/bluetooth/hci_vhci.c:346
>>>>>> [<      none      >] __fput+0x236/0x780 fs/file_table.c:208
>>>>>> [<      none      >] ____fput+0x15/0x20 fs/file_table.c:244
>>>>>> [<      none      >] task_work_run+0x170/0x210 kernel/task_work.c:115
>>>>>> [<     inline     >] exit_task_work include/linux/task_work.h:21
>>>>>> [<      none      >] do_exit+0x8b5/0x2cb0 kernel/exit.c:748
>>>>>> [<      none      >] do_group_exit+0x108/0x330 kernel/exit.c:878
>>>>>> [<      none      >] get_signal+0x5e4/0x14f0 kernel/signal.c:2307
>>>>>> [<      none      >] do_signal+0x83/0x1c90 arch/x86/kernel/signal.c:712
>>>>>> [<      none      >] exit_to_usermode_loop+0x1a5/0x210
>>>>>> arch/x86/entry/common.c:247
>>>>>> [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:282
>>>>>> [<      none      >] syscall_return_slowpath+0x2ba/0x340
>>>>>> arch/x86/entry/common.c:344
>>>>>> [<      none      >] int_ret_from_sys_call+0x25/0x9f
>>>>>> arch/x86/entry/entry_64.S:281
>>>>>>
>>>>>> INFO: Slab 0xffffea0000ea2a00 objects=16 used=12 fp=0xffff88003a8aaa48
>>>>>> flags=0x1fffc0000004080
>>>>>> INFO: Object 0xffff88003a8a9ec0 @offset=7872 fp=0xffff88003a8a9338
>>>>>> CPU: 0 PID: 3554 Comm: kworker/u12:0 Tainted: G    B           4.5.0-rc1+ #300
>>>>>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>>>>>> Workqueue: hci0 hci_power_on
>>>>>> 00000000ffffffff ffff880036abf898 ffffffff82be118d ffff88003e804f00
>>>>>> ffff88003a8a9ec0 ffff88003a8a8000 ffff880036abf8c8 ffffffff8175b434
>>>>>> ffff88003e804f00 ffffea0000ea2a00 ffff88003a8a9ec0 0000000000000282
>>>>>>
>>>>>> Call Trace:
>>>>>> [<     inline     >] kasan_report mm/kasan/report.c:274
>>>>>> [<ffffffff81764e5e>] __asan_report_load8_noabort+0x3e/0x40
>>>>>> mm/kasan/report.c:295
>>>>>> [<     inline     >] skb_peek include/linux/skbuff.h:1453
>>>>>> [<     inline     >] __skb_dequeue include/linux/skbuff.h:1735
>>>>>> [<ffffffff854da2e3>] skb_dequeue+0x153/0x180 net/core/skbuff.c:2334
>>>>>> [<ffffffff854de656>] skb_queue_purge+0x26/0x40 net/core/skbuff.c:2371
>>>>>> [<ffffffff8484b9fb>] vhci_flush+0x3b/0x50 drivers/bluetooth/hci_vhci.c:74
>>>>>> [<ffffffff85d3a02f>] hci_dev_do_open+0x62f/0xf60 net/bluetooth/hci_core.c:1417
>>>>>> [<ffffffff85d42b98>] hci_power_on+0x108/0x4b0 net/bluetooth/hci_core.c:2027
>>>>>> [<ffffffff813a2386>] process_one_work+0x796/0x1440 kernel/workqueue.c:2037
>>>>>> [<ffffffff813a310b>] worker_thread+0xdb/0xfc0 kernel/workqueue.c:2171
>>>>>> [<ffffffff813b637f>] kthread+0x23f/0x2d0 drivers/block/aoe/aoecmd.c:1303
>>>>>> [<ffffffff866535ef>] ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468
>>>>>> ==================================================================
>>>>>
>>>>>
>>>>>
>>>>> Ping.
>>>>> Just got another one on 4.5-rc6
>>>>
>>>> FWIW I've just hit that too right now.
>>>>
>>>> But I haven't hit it with 4.4 which I am fuzzing by the orders of
>>>> magnitude longer. But take it with grain of salt -- it could be a
>>>> coincidence, of course.
>>>
>>> do you know what the fuzzer was doing at this point. Is the fuzzer opening /dev/vhci device node? Since that would be the only way to actually get into that driver.
>>
>> Check out the KASAN reports. They should answer your question.
>
> that means very little to me actually. So is the real issue caused by opening /dev/vhci or is that theoretical one via some internal kernel compile time feature.

This is a real use-after-free bug that actually happened on my machine.

The memory was allocated inside of SyS_open syscall which called
vhci_open. So, yes, actual opening of /dev/vhci was definitely
involved:

INFO: Allocated in vhci_open+0x50/0x350 age=6743 cpu=0 pid=10397
[<      none      >] ___slab_alloc+0x564/0x5b0 mm/slub.c:2470
[<      none      >] __slab_alloc+0x66/0xc0 mm/slub.c:2499
[<     inline     >] slab_alloc_node mm/slub.c:2562
[<     inline     >] slab_alloc mm/slub.c:2604
[<      none      >] kmem_cache_alloc_trace+0x25c/0x300 mm/slub.c:2621
[<     inline     >] kmalloc include/linux/slab.h:463
[<     inline     >] kzalloc include/linux/slab.h:607
[<      none      >] vhci_open+0x50/0x350 drivers/bluetooth/hci_vhci.c:316
[<      none      >] misc_open+0x388/0x520 drivers/char/misc.c:153
[<      none      >] chrdev_open+0x22a/0x4c0 fs/char_dev.c:388
[<      none      >] do_dentry_open+0x6a2/0xcb0 fs/open.c:736
[<      none      >] vfs_open+0x17b/0x1f0 fs/open.c:853
[<     inline     >] do_last fs/namei.c:3254
[<      none      >] path_openat+0xde9/0x5e30 fs/namei.c:3386
[<      none      >] do_filp_open+0x18e/0x250 fs/namei.c:3421
[<      none      >] do_sys_open+0x1fc/0x420 fs/open.c:1022
[<     inline     >] SYSC_open fs/open.c:1040
[<      none      >] SyS_open+0x2d/0x40 fs/open.c:1035
[<      none      >] entry_SYSCALL_64_fastpath+0x16/0x7a


Then memory was freed here (by the same task):

INFO: Freed in vhci_release+0xae/0xe0 age=11634 cpu=2 pid=10397
[<      none      >] __slab_free+0x1fc/0x320 mm/slub.c:2680
[<     inline     >] slab_free mm/slub.c:2835
[<      none      >] kfree+0x2ac/0x2c0 mm/slub.c:3664
[<      none      >] vhci_release+0xae/0xe0 drivers/bluetooth/hci_vhci.c:346
[<      none      >] __fput+0x236/0x780 fs/file_table.c:208
[<      none      >] ____fput+0x15/0x20 fs/file_table.c:244
[<      none      >] task_work_run+0x170/0x210 kernel/task_work.c:115
[<     inline     >] exit_task_work include/linux/task_work.h:21
[<      none      >] do_exit+0x8b5/0x2cb0 kernel/exit.c:748
[<      none      >] do_group_exit+0x108/0x330 kernel/exit.c:878
[<      none      >] get_signal+0x5e4/0x14f0 kernel/signal.c:2307
[<      none      >] do_signal+0x83/0x1c90 arch/x86/kernel/signal.c:712
[<      none      >] exit_to_usermode_loop+0x1a5/0x210
arch/x86/entry/common.c:247
[<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:282
[<      none      >] syscall_return_slowpath+0x2ba/0x340
arch/x86/entry/common.c:344
[<      none      >] int_ret_from_sys_call+0x25/0x9f
arch/x86/entry/entry_64.S:281

And then a worker thread accessed it here:

Call Trace:
 [<     inline     >] kasan_report mm/kasan/report.c:274
 [<ffffffff81764f9e>] __asan_report_store8_noabort+0x3e/0x40
mm/kasan/report.c:300
 [<     inline     >] debug_spin_unlock kernel/locking/spinlock_debug.c:102
 [<ffffffff81466608>] do_raw_spin_unlock+0x228/0x240
kernel/locking/spinlock_debug.c:158
 [<     inline     >] __raw_spin_unlock_irqrestore
include/linux/spinlock_api_smp.h:161
 [<ffffffff86652cf7>] _raw_spin_unlock_irqrestore+0x27/0xc0
kernel/locking/spinlock.c:191
 [<     inline     >] spin_unlock_irqrestore include/linux/spinlock.h:362
 [<ffffffff8143975f>] __wake_up+0x3f/0x50 kernel/sched/wait.c:96
 [<ffffffff8484b983>] vhci_send_frame+0xc3/0x100 drivers/bluetooth/hci_vhci.c:86
 [<ffffffff85d38315>] hci_send_frame+0x1f5/0x310 net/bluetooth/hci_core.c:3316
 [<ffffffff85d385bf>] hci_cmd_work+0x18f/0x2e0 net/bluetooth/hci_core.c:4196
 [<ffffffff813a2386>] process_one_work+0x796/0x1440 kernel/workqueue.c:2037
 [<ffffffff813a310b>] worker_thread+0xdb/0xfc0 kernel/workqueue.c:2171
 [<ffffffff813b637f>] kthread+0x23f/0x2d0 drivers/block/aoe/aoecmd.c:1303
 [<ffffffff866535ef>] ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468


So either freeing of the memory must be delayed, or the access must not happen.


* Re: bluetooth: use-after-free in vhci_send_frame
  2016-03-07 16:27   ` Jiri Slaby
  2016-03-07 20:10     ` Marcel Holtmann
@ 2016-03-18 16:13     ` Jiri Slaby
  1 sibling, 0 replies; 9+ messages in thread
From: Jiri Slaby @ 2016-03-18 16:13 UTC (permalink / raw)
  To: Dmitry Vyukov, Marcel Holtmann, Gustavo Padovan, Johan Hedberg,
	linux-bluetooth, LKML
  Cc: syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin

On 03/07/2016, 05:27 PM, Jiri Slaby wrote:
> On 03/04/2016, 10:15 AM, Dmitry Vyukov wrote:
>> Ping.
>> Just got another one on 4.5-rc6
> 
> FWIW I've just hit that too right now.
> 
> But I haven't hit it with 4.4 which I am fuzzing by the orders of
> magnitude longer.

Scratch that, it happened on 4.4.6 today.

thanks,
-- 
js
suse labs


* Re: bluetooth: use-after-free in vhci_send_frame
  2016-03-08 18:32         ` Marcel Holtmann
  2016-03-10 16:25           ` Dmitry Vyukov
@ 2016-03-18 16:59           ` Jiri Slaby
  1 sibling, 0 replies; 9+ messages in thread
From: Jiri Slaby @ 2016-03-18 16:59 UTC (permalink / raw)
  To: Marcel Holtmann, Dmitry Vyukov
  Cc: Gustavo F. Padovan, Johan Hedberg, linux-bluetooth, LKML,
	syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin

On 03/08/2016, 07:32 PM, Marcel Holtmann wrote:
> that means very little to me actually. So is the real issue caused by opening /dev/vhci or is that theoretical one via some internal kernel compile time feature.

Hi, what do you think about this one?

--- a/drivers/bluetooth/hci_vhci.c
+++ b/drivers/bluetooth/hci_vhci.c
@@ -196,6 +196,11 @@ static inline ssize_t vhci_get_user(stru

                cancel_delayed_work_sync(&data->open_timeout);

+               if (data->hdev) {
+                       kfree_skb(skb);
+                       return -EBADFD;
+               }
+
                opcode = *((__u8 *) skb->data);
                skb_pull(skb, 1);
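Review bot: the new `if (data->hdev)` test is race-free only because it sits after `cancel_delayed_work_sync(&data->open_timeout);` in the context line above, which guarantees the open_timeout worker has either finished or never run before data->hdev is read; a one-line comment stating that dependency belongs on the check, otherwise a later reorder, or a new early return placed before the cancel, quietly brings back the second vhci_create_device() call this hunk is closing. The cleanup itself looks right (`kfree_skb(skb); return -EBADFD;` on a skb this function owns, so nothing leaks), but the commit message should spell out the user-visible effect: a writer that loses the race with the timeout now gets -EBADFD and keeps the device the timeout created, rather than one built from its own vendor packet.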


open_timeout could be in progress (raced with us) and _sync cancel
waited for vhci_create_device to actually finish and create the device
the second time.

thanks,
-- 
js
suse labs

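The lifecycle Dmitry lays out above (allocated in vhci_open, freed in vhci_release, then touched from the hci0 workqueue) and the open_timeout race behind Jiri's hunk can be played through in user space. The model below is an added example written for this page, not code from the thread or from drivers/bluetooth/hci_vhci.c, and it rests on assumptions the page does not state: that the unpatched vendor-packet path tested data->hdev before calling cancel_delayed_work_sync() (my reading of the driver of that era; the hunk only shows the check added after the cancel), that the delayed work can be driven by an explicit worker_running flag instead of a real workqueue, and that the hci core is a small table of registered devices. The names run_scenario, dangling_devices, write_vendor_unpatched, write_vendor_patched and cancel_open_timeout_sync are the model's own. Nothing is really kfree()d, so the state a real kernel would have corrupted can be inspected instead of faulting:

```c
/* Added example: user-space model of the /dev/vhci lifecycle race.
 * Not driver code; see the assumptions in the text above. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#ifndef EBADFD
#define EBADFD 77		/* Linux value, only needed off-Linux */
#endif
#define MAX_HDEV 4

struct vhci_data;

struct hci_dev {
	struct vhci_data *drvdata;	/* what hci_set_drvdata() stores and
					   vhci_flush()/vhci_send_frame() read */
	bool registered;
};

struct vhci_data {
	struct hci_dev *hdev;		/* only the most recently created device */
	bool open_timeout_pending;	/* delayed work armed, not yet run */
	bool freed;			/* set by the model's vhci_release() */
};

static struct hci_dev devs[MAX_HDEV];	/* the "core": every registered hdev */
static int ndevs;

static int vhci_create_device(struct vhci_data *data)
{
	if (ndevs >= MAX_HDEV)
		return -ENOMEM;
	struct hci_dev *hdev = &devs[ndevs++];
	hdev->drvdata = data;
	hdev->registered = true;
	data->hdev = hdev;		/* silently overwrites an earlier hdev */
	return 0;
}

/* vhci_open_timeout work: create a device if the user never asked for one. */
static void open_timeout_work(struct vhci_data *data)
{
	if (!data->open_timeout_pending)
		return;
	data->open_timeout_pending = false;
	vhci_create_device(data);
}

/* cancel_delayed_work_sync(): an in-flight worker runs to completion
 * before this returns; a merely armed one is dropped. */
static void cancel_open_timeout_sync(struct vhci_data *data, bool worker_running)
{
	if (worker_running)
		open_timeout_work(data);
	data->open_timeout_pending = false;
}

/* Vendor-packet write, unpatched (assumed): the check precedes the cancel. */
static int write_vendor_unpatched(struct vhci_data *data, bool worker_running)
{
	if (data->hdev)
		return -EBADFD;
	cancel_open_timeout_sync(data, worker_running);
	return vhci_create_device(data);
}

/* Same path with the hunk applied: re-check once the worker is done. */
static int write_vendor_patched(struct vhci_data *data, bool worker_running)
{
	if (data->hdev)
		return -EBADFD;
	cancel_open_timeout_sync(data, worker_running);
	if (data->hdev)
		return -EBADFD;
	return vhci_create_device(data);
}

/* vhci_release(): unregisters only data->hdev, then "frees" data. */
static void vhci_release(struct vhci_data *data)
{
	struct hci_dev *hdev = data->hdev;
	cancel_open_timeout_sync(data, false);
	if (hdev) {
		hdev->registered = false;
		hdev->drvdata = NULL;
	}
	data->freed = true;
}

/* Registered devices whose driver data is gone: each one hands a dangling
 * vhci_data to hci_power_on()/hci_cmd_work() the next time they run. */
static int dangling_devices(void)
{
	int n = 0;
	for (int i = 0; i < ndevs; i++)
		if (devs[i].registered && devs[i].drvdata && devs[i].drvdata->freed)
			n++;
	return n;
}

/* open -> timeout fires while the vendor packet is written -> close.
 * data is static so the table never points at a dead stack frame. */
static int run_scenario(bool patched)
{
	static struct vhci_data data;
	memset(devs, 0, sizeof devs);
	ndevs = 0;
	data = (struct vhci_data){ .open_timeout_pending = true };
	if (patched)
		write_vendor_patched(&data, true);
	else
		write_vendor_unpatched(&data, true);
	vhci_release(&data);
	return dangling_devices();
}

int main(void)
{
	int before = run_scenario(false), nb = ndevs;
	int after = run_scenario(true), na = ndevs;
	printf("unpatched: %d dangling of %d registered\n", before, nb);
	printf("patched:   %d dangling of %d registered\n", after, na);
	return 0;
}
```

Built with `cc -std=c99`, the unpatched run ends with two registered devices, one of them still holding a driver-data pointer to the released vhci_data; that is the device whose hci_power_on/hci_cmd_work later walks into vhci_flush()/vhci_send_frame() in the KASAN traces. The patched run ends with a single device, the one vhci_release() does unregister. The model decides nothing about what type the timeout-created device has or what a caller should do with the -EBADFD it now receives; it only shows why the check has to come after the synchronous cancel.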

Thread overview: 9+ messages
2016-01-29  8:50 bluetooth: use-after-free in vhci_send_frame Dmitry Vyukov
2016-03-04  9:15 ` Dmitry Vyukov
2016-03-07 16:27   ` Jiri Slaby
2016-03-07 20:10     ` Marcel Holtmann
2016-03-07 20:16       ` Dmitry Vyukov
2016-03-08 18:32         ` Marcel Holtmann
2016-03-10 16:25           ` Dmitry Vyukov
2016-03-18 16:59           ` Jiri Slaby
2016-03-18 16:13     ` Jiri Slaby
