From: bugzilla-daemon@kernel.org
To: linux-bluetooth@vger.kernel.org
Subject: [Bug 217581] Bluetooth L2CAP use-after-free
Date: Wed, 21 Jun 2023 10:43:49 +0000 [thread overview]
Message-ID: <bug-217581-62941-Tt0m8ZCg1Z@https.bugzilla.kernel.org/> (raw)
In-Reply-To: <bug-217581-62941@https.bugzilla.kernel.org/>
https://bugzilla.kernel.org/show_bug.cgi?id=217581
--- Comment #2 from Mohamed Yassine JEBABLI (mohamed-yassine.jebabli@witbe.net) ---
Kernel LOG
[ 2415.213175] chan 00000000a604c117
[ 2415.213191] chan 00000000a604c117 orig refcnt 1
[ 2415.320464] hcon 00000000f362d481 bdaddr 48:b0:2d:02:81:0a status 0
[ 2415.320494] hcon 00000000f362d481 conn 000000001363748a hchan
0000000081571a4f
[ 2415.320505] chan 00000000a604c117 orig refcnt 2
[ 2415.320523] chan 00000000128f5e36
[ 2415.320528] chan 00000000128f5e36 orig refcnt 1
[ 2415.320536] conn 000000001363748a, psm 0x00, dcid 0x0004
[ 2415.320543] chan 00000000128f5e36 orig refcnt 2
[ 2415.320548] chan 000000009ddada5b orig refcnt 1
[ 2415.320553] chan 00000000a604c117 orig refcnt 3
[ 2415.320558] chan 00000000d0b20736
[ 2415.320562] conn 000000001363748a, psm 0x00, dcid 0x0006
[ 2415.320567] chan 00000000d0b20736 orig refcnt 1
[ 2415.320573] chan 000000009ddada5b orig refcnt 2
[ 2415.320578] conn 000000001363748a
[ 2415.320628] chan 00000000d0b20736 len 2
[ 2415.320639] chan 00000000d0b20736, skb 0000000099ea3217 len 6 priority 7
[ 2415.320660] hci1 conn 000000001363748a
[ 2415.614466] conn 000000001363748a status 0x00 encrypt 2
[ 2415.614480] chan 00000000d0b20736 scid 0x0006 state BT_CONNECTED
[ 2415.614495] chan 00000000128f5e36 scid 0x0004 state BT_OPEN
[ 2415.710469] hcon 00000000f362d481 reason 19
[ 2415.710495] hcon 00000000f362d481 conn 000000001363748a, err 104
[ 2415.710505] chan 00000000d0b20736 orig refcnt 2
[ 2415.710512] chan 00000000d0b20736, conn 000000001363748a, err 104, state
BT_CONNECTED
[ 2415.710519] chan 00000000d0b20736 orig refcnt 3
[ 2415.710523] chan 00000000d0b20736 orig refcnt 2
[ 2415.710527] chan 00000000d0b20736 orig refcnt 1
[ 2415.710531] chan 00000000d0b20736
[ 2415.710536] chan 00000000128f5e36 orig refcnt 3
[ 2415.710540] chan 00000000128f5e36, conn 000000001363748a, err 104, state
BT_OPEN
[ 2415.710548] chan 00000000128f5e36 orig refcnt 4
[ 2415.710558] chan 00000000128f5e36 orig refcnt 3
[ 2415.710562] chan 00000000128f5e36 orig refcnt 2
[ 2415.815007] chan 00000000a604c117 orig refcnt 2
[ 2415.815018] chan 00000000a604c117 state BT_LISTEN
[ 2415.815022] chan 00000000128f5e36 orig refcnt 1
[ 2415.815024] chan 00000000128f5e36
[ 2415.815030] chan 00000000128f5e36 orig refcnt 0
[ 2415.815031] ------------[ cut here ]------------
[ 2415.815033] refcount_t: addition on 0; use-after-free.
[ 2415.815045] WARNING: CPU: 0 PID: 10662 at lib/refcount.c:25
refcount_warn_saturate+0x12e/0x150
[ 2415.815056] Modules linked in: algif_hash algif_skcipher af_alg cmac
r8153_ecm cdc_ether usbnet r8152 uas mii usb_storage snd_usb_audio
snd_usbmidi_lib mc ccm snd_seq_dummy snd_hrtimer hid_sensor_als
hid_sensor_trigger industrialio_triggered_buffer kfifo_buf
hid_sensor_iio_common industrialio hid_sensor_custom joydev snd_ctl_led
snd_soc_skl_hda_dsp snd_soc_intel_hda_dsp_common snd_soc_hdac_hdmi
snd_sof_probes btusb btrtl btbcm btintel btmtk bluetooth usbhid ecdh_generic
ecc snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic
ledtrig_audio snd_soc_dmic snd_sof_pci_intel_tgl snd_sof_intel_hda_common
soundwire_intel soundwire_generic_allocation soundwire_cadence
snd_sof_intel_hda snd_sof_pci snd_sof_xtensa_dsp snd_sof snd_sof_utils
snd_soc_hdac_hda snd_hda_ext_core snd_soc_acpi_intel_match snd_soc_acpi
soundwire_bus iwlmvm snd_soc_core binfmt_misc snd_compress x86_pkg_temp_thermal
ac97_bus intel_powerclamp snd_pcm_dmaengine coretemp snd_hda_intel mac80211
snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec
[ 2415.815127] kvm_intel snd_hda_core libarc4 snd_hwdep kvm snd_pcm
hid_sensor_hub hid_multitouch irqbypass crct10dif_pclmul crc32_pclmul
polyval_clmulni snd_seq_midi snd_seq_midi_event polyval_generic
ghash_clmulni_intel sha512_ssse3 hid_generic snd_rawmidi mei_hdcp mei_pxp
iwlwifi snd_seq aesni_intel cmdlinepart crypto_simd spi_nor snd_seq_device
cryptd ucsi_acpi pmt_telemetry nls_iso8859_1 mtd pmt_class snd_timer
intel_rapl_msr mei_me processor_thermal_device_pci rapl snd i2c_i801
intel_lpss_pci processor_thermal_device spi_intel_pci processor_thermal_rfim
xhci_pci intel_lpss wmi_bmof cfg80211 intel_cstate typec_ucsi soundcore
i2c_smbus mei spi_intel thunderbolt idma64 intel_vsec processor_thermal_mbox
xhci_pci_renesas processor_thermal_rapl intel_skl_int3472_tps68470 typec
intel_rapl_common igen6_edac tps68470_regulator i2c_hid_acpi clk_tps68470
i2c_hid ideapad_laptop hid platform_profile int3403_thermal
int340x_thermal_zone intel_hid int3400_thermal sparse_keymap
intel_skl_int3472_discrete acpi_thermal_rel acpi_tad
[ 2415.815198] acpi_pad msr parport_pc ppdev lp parport efi_pstore dmi_sysfs
ip_tables x_tables autofs4 i915 i2c_algo_bit drm_buddy drm_display_helper
drm_kms_helper syscopyarea sysfillrect sysimgblt cec rc_core ttm nvme drm
psmouse serio_raw nvme_core video nvme_common mac_hid wmi pinctrl_tigerlake
[ 2415.815230] CPU: 0 PID: 10662 Comm: HCIManager Not tainted
6.3.7-060307-generic #202306090936
[ 2415.815234] Hardware name: LENOVO 82T0/LNVNB161216, BIOS J3CN45WW 08/26/2022
[ 2415.815236] RIP: 0010:refcount_warn_saturate+0x12e/0x150
[ 2415.815241] Code: 1d 47 06 e0 01 80 fb 01 0f 87 06 e6 8a 00 83 e3 01 0f 85
52 ff ff ff 48 c7 c7 00 ab d9 89 c6 05 27 06 e0 01 01 e8 c2 5b 93 ff <0f> 0b e9
38 ff ff ff 48 c7 c7 d8 aa d9 89 c6 05 0e 06 e0 01 01 e8
[ 2415.815244] RSP: 0018:ffffba9ac6dcbcf8 EFLAGS: 00010246
[ 2415.815247] RAX: 0000000000000000 RBX: 0000000000000000 RCX:
0000000000000000
[ 2415.815249] RDX: 0000000000000000 RSI: 0000000000000000 RDI:
0000000000000000
[ 2415.815250] RBP: ffffba9ac6dcbd00 R08: 0000000000000000 R09:
0000000000000000
[ 2415.815251] R10: 0000000000000000 R11: 0000000000000000 R12:
ffff9e6d23f20000
[ 2415.815253] R13: ffff9e6d3a587c00 R14: ffff9e6d3a587000 R15:
ffff9e6d23f236f8
[ 2415.815254] FS: 00007fe9ae5fc6c0(0000) GS:ffff9e7083400000(0000)
knlGS:0000000000000000
[ 2415.815257] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2415.815259] CR2: 0000564028065050 CR3: 0000000126a04000 CR4:
0000000000750ef0
[ 2415.815261] PKRU: 55555554
[ 2415.815262] Call Trace:
[ 2415.815264] <TASK>
[ 2415.815269] ? show_regs+0x6d/0x80
[ 2415.815275] ? __warn+0x89/0x160
[ 2415.815282] ? refcount_warn_saturate+0x12e/0x150
[ 2415.815285] ? report_bug+0x17e/0x1b0
[ 2415.815290] ? handle_bug+0x46/0x90
[ 2415.815295] ? exc_invalid_op+0x18/0x80
[ 2415.815298] ? asm_exc_invalid_op+0x1b/0x20
[ 2415.815307] ? refcount_warn_saturate+0x12e/0x150
[ 2415.815311] ? refcount_warn_saturate+0x12e/0x150
[ 2415.815315] l2cap_chan_hold+0x7f/0xa0 [bluetooth]
[ 2415.815405] l2cap_sock_teardown_cb+0x145/0x1f0 [bluetooth]
[ 2415.815478] l2cap_chan_close+0x9d/0x2d0 [bluetooth]
[ 2415.815543] l2cap_sock_shutdown+0x251/0x340 [bluetooth]
[ 2415.815606] l2cap_sock_release+0x4d/0xf0 [bluetooth]
[ 2415.815665] __sock_release+0x3f/0xc0
[ 2415.815669] sock_close+0x15/0x30
[ 2415.815672] __fput+0x95/0x270
[ 2415.815677] ____fput+0xe/0x20
[ 2415.815680] task_work_run+0x5e/0xa0
[ 2415.815684] exit_to_user_mode_loop+0x100/0x130
[ 2415.815688] exit_to_user_mode_prepare+0xa5/0xb0
[ 2415.815691] syscall_exit_to_user_mode+0x29/0x50
[ 2415.815694] do_syscall_64+0x67/0x90
[ 2415.815699] ? syscall_exit_to_user_mode+0x29/0x50
[ 2415.815702] entry_SYSCALL_64_after_hwframe+0x72/0xdc
[ 2415.815707] RIP: 0033:0x7fe9aff0c0ca
[ 2415.815759] Code: 00 00 0f 05 48 3d 00 f0 ff ff 77 44 c3 0f 1f 00 48 83 ec
18 89 7c 24 0c e8 b3 ee f7 ff 8b 7c 24 0c 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00
f0 ff ff 77 36 89 d7 89 44 24 0c e8 13 ef f7 ff 8b 44 24
[ 2415.815761] RSP: 002b:00007fe9ae5fb9b0 EFLAGS: 00000293 ORIG_RAX:
0000000000000003
[ 2415.815764] RAX: 0000000000000000 RBX: 000055c4c29366f8 RCX:
00007fe9aff0c0ca
[ 2415.815766] RDX: 0000000000000000 RSI: 0000000000000000 RDI:
0000000000000006
[ 2415.815767] RBP: 00007fe9ae5fb9e0 R08: 00007fe9a40013f0 R09:
00000000ffffffff
[ 2415.815769] R10: 00007fe9afe134b8 R11: 0000000000000293 R12:
00007fe9a8000c81
[ 2415.815770] R13: 00007fe9a8000c50 R14: 00007fe9afdfe860 R15:
00007fe9addfc000
[ 2415.815773] </TASK>
[ 2415.815775] ---[ end trace 0000000000000000 ]---
[ 2415.815778] chan 00000000128f5e36 state BT_OPEN
[ 2415.815780] chan 00000000128f5e36 orig refcnt 3221225472
[ 2415.815782] ------------[ cut here ]------------
[ 2415.815783] refcount_t: underflow; use-after-free.
[ 2415.815789] WARNING: CPU: 0 PID: 10662 at lib/refcount.c:28
refcount_warn_saturate+0xa3/0x150
[ 2415.815794] Modules linked in: algif_hash algif_skcipher af_alg cmac
r8153_ecm cdc_ether usbnet r8152 uas mii usb_storage snd_usb_audio
snd_usbmidi_lib mc ccm snd_seq_dummy snd_hrtimer hid_sensor_als
hid_sensor_trigger industrialio_triggered_buffer kfifo_buf
hid_sensor_iio_common industrialio hid_sensor_custom joydev snd_ctl_led
snd_soc_skl_hda_dsp snd_soc_intel_hda_dsp_common snd_soc_hdac_hdmi
snd_sof_probes btusb btrtl btbcm btintel btmtk bluetooth usbhid ecdh_generic
ecc snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic
ledtrig_audio snd_soc_dmic snd_sof_pci_intel_tgl snd_sof_intel_hda_common
soundwire_intel soundwire_generic_allocation soundwire_cadence
snd_sof_intel_hda snd_sof_pci snd_sof_xtensa_dsp snd_sof snd_sof_utils
snd_soc_hdac_hda snd_hda_ext_core snd_soc_acpi_intel_match snd_soc_acpi
soundwire_bus iwlmvm snd_soc_core binfmt_misc snd_compress x86_pkg_temp_thermal
ac97_bus intel_powerclamp snd_pcm_dmaengine coretemp snd_hda_intel mac80211
snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec
[ 2415.815843] kvm_intel snd_hda_core libarc4 snd_hwdep kvm snd_pcm
hid_sensor_hub hid_multitouch irqbypass crct10dif_pclmul crc32_pclmul
polyval_clmulni snd_seq_midi snd_seq_midi_event polyval_generic
ghash_clmulni_intel sha512_ssse3 hid_generic snd_rawmidi mei_hdcp mei_pxp
iwlwifi snd_seq aesni_intel cmdlinepart crypto_simd spi_nor snd_seq_device
cryptd ucsi_acpi pmt_telemetry nls_iso8859_1 mtd pmt_class snd_timer
intel_rapl_msr mei_me processor_thermal_device_pci rapl snd i2c_i801
intel_lpss_pci processor_thermal_device spi_intel_pci processor_thermal_rfim
xhci_pci intel_lpss wmi_bmof cfg80211 intel_cstate typec_ucsi soundcore
i2c_smbus mei spi_intel thunderbolt idma64 intel_vsec processor_thermal_mbox
xhci_pci_renesas processor_thermal_rapl intel_skl_int3472_tps68470 typec
intel_rapl_common igen6_edac tps68470_regulator i2c_hid_acpi clk_tps68470
i2c_hid ideapad_laptop hid platform_profile int3403_thermal
int340x_thermal_zone intel_hid int3400_thermal sparse_keymap
intel_skl_int3472_discrete acpi_thermal_rel acpi_tad
[ 2415.815894] acpi_pad msr parport_pc ppdev lp parport efi_pstore dmi_sysfs
ip_tables x_tables autofs4 i915 i2c_algo_bit drm_buddy drm_display_helper
drm_kms_helper syscopyarea sysfillrect sysimgblt cec rc_core ttm nvme drm
psmouse serio_raw nvme_core video nvme_common mac_hid wmi pinctrl_tigerlake
[ 2415.815916] CPU: 0 PID: 10662 Comm: HCIManager Tainted: G W
6.3.7-060307-generic #202306090936
[ 2415.815919] Hardware name: LENOVO 82T0/LNVNB161216, BIOS J3CN45WW 08/26/2022
[ 2415.815920] RIP: 0010:refcount_warn_saturate+0xa3/0x150
[ 2415.815924] Code: cc cc 0f b6 1d cd 06 e0 01 80 fb 01 0f 87 79 e6 8a 00 83
e3 01 75 dd 48 c7 c7 30 ab d9 89 c6 05 b1 06 e0 01 01 e8 4d 5c 93 ff <0f> 0b eb
c6 0f b6 1d a4 06 e0 01 80 fb 01 0f 87 39 e6 8a 00 83 e3
[ 2415.815926] RSP: 0018:ffffba9ac6dcbce0 EFLAGS: 00010246
[ 2415.815928] RAX: 0000000000000000 RBX: 0000000000000000 RCX:
0000000000000000
[ 2415.815930] RDX: 0000000000000000 RSI: 0000000000000000 RDI:
0000000000000000
[ 2415.815931] RBP: ffffba9ac6dcbce8 R08: 0000000000000000 R09:
0000000000000000
[ 2415.815932] R10: 0000000000000000 R11: 0000000000000000 R12:
ffff9e6d23f20000
[ 2415.815934] R13: ffff9e6d3a587c00 R14: ffff9e6d3a587000 R15:
ffff9e6d23f236f8
[ 2415.815935] FS: 00007fe9ae5fc6c0(0000) GS:ffff9e7083400000(0000)
knlGS:0000000000000000
[ 2415.815937] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2415.815939] CR2: 0000564028065050 CR3: 0000000126a04000 CR4:
0000000000750ef0
[ 2415.815941] PKRU: 55555554
[ 2415.815942] Call Trace:
[ 2415.815943] <TASK>
[ 2415.815944] ? show_regs+0x6d/0x80
[ 2415.815948] ? __warn+0x89/0x160
[ 2415.815953] ? refcount_warn_saturate+0xa3/0x150
[ 2415.815956] ? report_bug+0x17e/0x1b0
[ 2415.815959] ? handle_bug+0x46/0x90
[ 2415.815962] ? exc_invalid_op+0x18/0x80
[ 2415.815965] ? asm_exc_invalid_op+0x1b/0x20
[ 2415.815971] ? refcount_warn_saturate+0xa3/0x150
[ 2415.815975] l2cap_chan_put+0x78/0x90 [bluetooth]
[ 2415.816041] l2cap_sock_kill+0x42/0xc0 [bluetooth]
[ 2415.816105] l2cap_sock_teardown_cb+0x10a/0x1f0 [bluetooth]
[ 2415.816167] l2cap_chan_close+0x9d/0x2d0 [bluetooth]
[ 2415.816231] l2cap_sock_shutdown+0x251/0x340 [bluetooth]
[ 2415.816292] l2cap_sock_release+0x4d/0xf0 [bluetooth]
[ 2415.816351] __sock_release+0x3f/0xc0
[ 2415.816354] sock_close+0x15/0x30
[ 2415.816357] __fput+0x95/0x270
[ 2415.816361] ____fput+0xe/0x20
[ 2415.816364] task_work_run+0x5e/0xa0
[ 2415.816367] exit_to_user_mode_loop+0x100/0x130
[ 2415.816370] exit_to_user_mode_prepare+0xa5/0xb0
[ 2415.816372] syscall_exit_to_user_mode+0x29/0x50
[ 2415.816375] do_syscall_64+0x67/0x90
[ 2415.816380] ? syscall_exit_to_user_mode+0x29/0x50
[ 2415.816382] entry_SYSCALL_64_after_hwframe+0x72/0xdc
[ 2415.816387] RIP: 0033:0x7fe9aff0c0ca
[ 2415.816394] Code: 00 00 0f 05 48 3d 00 f0 ff ff 77 44 c3 0f 1f 00 48 83 ec
18 89 7c 24 0c e8 b3 ee f7 ff 8b 7c 24 0c 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00
f0 ff ff 77 36 89 d7 89 44 24 0c e8 13 ef f7 ff 8b 44 24
[ 2415.816396] RSP: 002b:00007fe9ae5fb9b0 EFLAGS: 00000293 ORIG_RAX:
0000000000000003
[ 2415.816399] RAX: 0000000000000000 RBX: 000055c4c29366f8 RCX:
00007fe9aff0c0ca
[ 2415.816401] RDX: 0000000000000000 RSI: 0000000000000000 RDI:
0000000000000006
[ 2415.816402] RBP: 00007fe9ae5fb9e0 R08: 00007fe9a40013f0 R09:
00000000ffffffff
[ 2415.816403] R10: 00007fe9afe134b8 R11: 0000000000000293 R12:
00007fe9a8000c81
[ 2415.816405] R13: 00007fe9a8000c50 R14: 00007fe9afdfe860 R15:
00007fe9addfc000
[ 2415.816408] </TASK>
[ 2415.816409] ---[ end trace 0000000000000000 ]---
[ 2415.816411] chan 00000000128f5e36 orig refcnt 3221225472
[ 2415.816413] chan 00000000a604c117 orig refcnt 3
[ 2415.816415] chan 00000000a604c117 orig refcnt 2
[ 2415.816416] chan 00000000a604c117 orig refcnt 3
[ 2415.816418] chan 00000000a604c117 orig refcnt 2
[ 2415.816420] chan 00000000a604c117 orig refcnt 1
[ 2415.816422] chan 00000000a604c117
--
You may reply to this email to add a comment.
You are receiving this mail because:
You are the assignee for the bug.
next prev parent reply other threads:[~2023-06-21 10:46 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-21 10:18 [Bug 217581] New: Bluetooth L2CAP use-after-free bugzilla-daemon
2023-06-21 10:19 ` [Bug 217581] " bugzilla-daemon
2023-06-21 10:43 ` bugzilla-daemon [this message]
2023-06-21 10:44 ` bugzilla-daemon
2023-06-27 13:08 ` bugzilla-daemon
2023-06-27 13:23 ` bugzilla-daemon
2023-06-27 13:35 ` bugzilla-daemon
2023-06-28 12:09 ` bugzilla-daemon
2023-06-29 8:40 ` bugzilla-daemon
2023-06-29 14:14 ` bugzilla-daemon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bug-217581-62941-Tt0m8ZCg1Z@https.bugzilla.kernel.org/ \
--to=bugzilla-daemon@kernel.org \
--cc=linux-bluetooth@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox