[Bug 215245] New: KASAN: slab-out-of-bounds in hci_event_packet+0x2d8c/0x4e90 [bluetooth]
From: bugzilla-daemon @ 2021-12-07 1:27 UTC (permalink / raw)
To: linux-bluetooth
https://bugzilla.kernel.org/show_bug.cgi?id=215245
Bug ID: 215245
Summary: KASAN: slab-out-of-bounds in hci_event_packet+0x2d8c/0x4e90 [bluetooth]
Product: Drivers
Version: 2.5
Kernel Version: 4.19
Hardware: All
OS: Linux
Tree: Mainline
Status: NEW
Severity: high
Priority: P1
Component: Bluetooth
Assignee: linux-bluetooth@vger.kernel.org
Reporter: gouhao@uniontech.com
Regression: No
Unknown ioctl -1072131215
Unknown ioctl -1073191904
Unknown ioctl 35123
Bluetooth: hci0: hardware error 0xff
==================================================================
BUG: KASAN: slab-out-of-bounds in hci_event_packet+0x2d8c/0x4e90 [bluetooth]
Read of size 3 at addr ffff88817262a77f by task kworker/u17:1/222831
CPU: 1 PID: 222831 Comm: kworker/u17:1 Not tainted 4.19.90-2108.8.0.0106.up5.uel20.x86_64 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
Workqueue: hci0 hci_rx_work [bluetooth]
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xab/0xee lib/dump_stack.c:118
print_address_description+0x65/0x270 mm/kasan/report.c:253
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report+0x146/0x290 mm/kasan/report.c:409
hci_event_packet+0x2d8c/0x4e90 [bluetooth]
hci_rx_work+0x288/0x510 [bluetooth]
process_one_work+0x4ca/0x870 kernel/workqueue.c:2148
worker_thread+0x6e/0x790 kernel/workqueue.c:2303
kthread+0x1dd/0x200 kernel/kthread.c:275
ret_from_fork+0x1f/0x40 arch/x86/entry/entry_64.S:415
Allocated by task 222894:
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc+0xa0/0xd0 mm/kasan/kasan.c:553
slab_post_alloc_hook mm/slab.h:441 [inline]
slab_alloc_node mm/slub.c:2740 [inline]
__kmalloc_node_track_caller+0xcb/0x1a0 mm/slub.c:4364
__kmalloc_reserve.isra.50+0x37/0xa0 net/core/skbuff.c:137
__alloc_skb+0xd1/0x320 net/core/skbuff.c:205
vhci_write+0x70/0x265 [hci_vhci]
call_write_iter include/linux/fs.h:1886 [inline]
new_sync_write fs/read_write.c:474 [inline]
__vfs_write+0x2f4/0x430 fs/read_write.c:487
vfs_write+0x10a/0x290 fs/read_write.c:549
ksys_write+0xb4/0x190 fs/read_write.c:599
do_syscall_64+0x96/0x410 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Freed by task 221695:
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0x130/0x180 mm/kasan/kasan.c:521
slab_free_hook mm/slub.c:1389 [inline]
slab_free_freelist_hook mm/slub.c:1416 [inline]
slab_free mm/slub.c:2989 [inline]
kfree+0x7d/0x140 mm/slub.c:3950
drm_release+0xf3/0x140 [drm]
__fput+0x198/0x3f0 fs/file_table.c:278
task_work_run+0xc0/0x100 kernel/task_work.c:135
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x121/0x130 arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x359/0x410 arch/x86/entry/common.c:303
entry_SYSCALL_64_after_hwframe+0x44/0xa9
The buggy address belongs to the object at ffff88817262a580
The buggy address is located 511 bytes inside of
The buggy address belongs to the page:
page:ffffea0005c98a00 count:1 mapcount:0 mapping:ffff888107c0ec00 index:0x0
compound_mapcount: 0
flags: 0x17ffffc0008100(slab|head)
raw: 0017ffffc0008100 ffffea000494cc00 0000000800000008 ffff888107c0ec00
raw: 0000000000000000 0000000080190019 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88817262a680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88817262a700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88817262a780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff88817262a800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88817262a880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
Unknown ioctl -1072667619
Bluetooth: hci0: wrong event for mode 0
Unknown ioctl 19314
Unknown ioctl -1070571007
Unknown ioctl 1074304026
Unknown ioctl 19314
--
You may reply to this email to add a comment.
You are receiving this mail because:
You are the assignee for the bug.
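The following is an added triage helper for the report above; it is not code from the bug report, the kernel tree or the BlueZ project. It embeds the access line, the object line and the four shadow rows copied from the report as a constructed sample, decodes them with the generic-KASAN rules (one shadow byte covers 8 bytes; 00 means fully addressable, 01..07 a partially addressable granule, 0xfc a kmalloc redzone; values taken from the kernel's mm/kasan/kasan.h), and works out how many of the 3 bytes read at ffff88817262a77f fall inside the object and how many in the redzone. It also walks the shadow forward to the first poisoned granule to infer where the live allocation ends; that end address and the object size derived from it are inferred from the shadow rows, not figures the report states (its "located 511 bytes inside of" line is truncated on this page).

```python
"""Decode the shadow rows of a KASAN slab-out-of-bounds report.

Added example for triage of bug 215245; not part of the bug report or the
kernel. Addresses and shadow rows below are copied from the report.
"""
import re

SHADOW_GRANULE = 8  # one shadow byte describes 8 bytes of memory (generic KASAN, x86-64)

# Poison values from mm/kasan/kasan.h; only 0xfc appears in this report.
SHADOW_TAGS = {
    0xFC: "kmalloc redzone",
    0xFB: "freed kmalloc object",
    0xFE: "page redzone",
    0xFF: "freed page",
}

# Constructed sample: the relevant lines of the report in this thread.
SAMPLE_REPORT = """\
BUG: KASAN: slab-out-of-bounds in hci_event_packet+0x2d8c/0x4e90 [bluetooth]
Read of size 3 at addr ffff88817262a77f by task kworker/u17:1/222831
The buggy address belongs to the object at ffff88817262a580
Memory state around the buggy address:
 ffff88817262a680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88817262a700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88817262a780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
 ffff88817262a800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""

_ACCESS_RE = re.compile(r"^(Read|Write) of size (\d+) at addr ([0-9a-f]+)", re.M)
_OBJECT_RE = re.compile(r"belongs to the object at ([0-9a-f]+)", re.M)
# A shadow row: optional '>' marker, 16-digit address, 16 shadow bytes.
_ROW_RE = re.compile(r"^>?[ \t]*([0-9a-f]{16}): ((?:[0-9a-f]{2}[ \t]*){16})$", re.M)


def parse_report(text):
    """Extract the faulting access, the object base and a granule->shadow map."""
    m = _ACCESS_RE.search(text)
    if not m:
        raise ValueError("no 'Read/Write of size N at addr' line found")
    kind, size, addr = m.group(1), int(m.group(2)), int(m.group(3), 16)
    obj = _OBJECT_RE.search(text)
    shadow = {}
    for row in _ROW_RE.finditer(text):
        base = int(row.group(1), 16)  # memory address described by the row's first shadow byte
        for i, val in enumerate(row.group(2).split()):
            shadow[base + i * SHADOW_GRANULE] = int(val, 16)
    return {"kind": kind, "size": size, "addr": addr,
            "object": int(obj.group(1), 16) if obj else None, "shadow": shadow}


def byte_state(shadow, addr):
    """Return ('ok', None) if addr is addressable, else ('poison', <tag name>)."""
    granule = addr & ~(SHADOW_GRANULE - 1)
    if granule not in shadow:
        raise KeyError(f"shadow for {addr:#x} is not in the report excerpt")
    v = shadow[granule]
    if v == 0:
        return ("ok", None)
    if 1 <= v < SHADOW_GRANULE:
        # Partial granule: only the first v bytes are addressable.
        if (addr & (SHADOW_GRANULE - 1)) < v:
            return ("ok", None)
        return ("poison", "partial-granule tail (redzone)")
    return ("poison", SHADOW_TAGS.get(v, f"unknown 0x{v:02x}"))


def classify_access(report):
    """Split the faulting access into in-bounds and out-of-bounds bytes."""
    addr, size, shadow = report["addr"], report["size"], report["shadow"]
    in_bounds, out_of_bounds, tags = 0, 0, set()
    for off in range(size):
        state, tag = byte_state(shadow, addr + off)
        if state == "ok":
            in_bounds += 1
        else:
            out_of_bounds += 1
            tags.add(tag)
    return {"in_bounds": in_bounds, "out_of_bounds": out_of_bounds, "tags": sorted(tags)}


def region_end(shadow, addr):
    """First poisoned granule at or after addr: where the live allocation ends."""
    g = addr & ~(SHADOW_GRANULE - 1)
    while g in shadow and byte_state(shadow, g)[0] == "ok":
        g += SHADOW_GRANULE
    if g not in shadow:
        raise KeyError("report excerpt ends before the allocation does")
    return g


def summarize(text):
    r = parse_report(text)
    end = region_end(r["shadow"], r["addr"])
    obj = r["object"]
    return {"access": f"{r['kind']} of {r['size']} at {r['addr']:#x}",
            "offset_in_object": r["addr"] - obj if obj is not None else None,
            "region_end": end,
            "inferred_object_size": end - obj if obj is not None else None,  # inferred, not stated
            **classify_access(r)}


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print(s["access"])
    print(f"offset in object: {s['offset_in_object']}; live region ends at {s['region_end']:#x} "
          f"(inferred object size {s['inferred_object_size']})")
    print(f"in-bounds bytes: {s['in_bounds']}, out-of-bounds bytes: {s['out_of_bounds']} "
          f"({', '.join(s['tags'])})")
```

Run against the report this gives one byte in bounds and two in the kmalloc redzone, with the live region ending at ffff88817262a780: the read starts at the last byte of the object allocated by vhci_write via __alloc_skb and continues two bytes past it, so the skb data produced by the write to /dev/vhci was shorter than what the event parser consumed. One caveat when reading such reports: the "Freed by" track in a slab-out-of-bounds report is the last free of that slab slot, here a kfree from drm_release by a different task, and describes the slot's previous occupant rather than the skb being read; only the "Allocated by" stack belongs to the live object.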