X-Mailing-List: linux-kernel@vger.kernel.org
Date: Thu, 16 Jan 2025 08:55:07 -0800
In-Reply-To: <00000000000070784806124596ec@google.com>
Message-ID: <678939eb.050a0220.20d369.003e.GAE@google.com>
Subject: Re: [syzbot] Re: [PATCH v1] Bluetooth: L2CAP: Fix slab-use-after-free Read in l2cap_send_cmd
From: syzbot
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Re: [PATCH v1] Bluetooth: L2CAP: Fix slab-use-after-free Read in l2cap_send_cmd
Author: luiz.dentz@gmail.com

#syz test

On Thu, Jan 16, 2025 at 10:36 AM Luiz Augusto von Dentz wrote:
> From: Luiz Augusto von Dentz
>
> After the hci sync command releases l2cap_conn, the hci receive data work
> queue references the released l2cap_conn when sending to the upper layer.
> Add hci dev lock to the hci receive data work queue to synchronize the two.
>
> [1]
> BUG: KASAN: slab-use-after-free in l2cap_send_cmd+0x187/0x8d0 net/bluetooth/l2cap_core.c:954
> Read of size 8 at addr ffff8880271a4000 by task kworker/u9:2/5837
>
> CPU: 0 UID: 0 PID: 5837 Comm: kworker/u9:2 Not tainted 6.13.0-rc5-syzkaller-00163-gab75170520d4 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
> Workqueue: hci1 hci_rx_work
> Call Trace:
>
> __dump_stack lib/dump_stack.c:94 [inline]
> dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
> print_address_description mm/kasan/report.c:378 [inline]
> print_report+0x169/0x550 mm/kasan/report.c:489
> kasan_report+0x143/0x180 mm/kasan/report.c:602
> l2cap_build_cmd net/bluetooth/l2cap_core.c:2964 [inline]
> l2cap_send_cmd+0x187/0x8d0 net/bluetooth/l2cap_core.c:954
> l2cap_sig_send_rej net/bluetooth/l2cap_core.c:5502 [inline]
> l2cap_sig_channel net/bluetooth/l2cap_core.c:5538 [inline]
> l2cap_recv_frame+0x221f/0x10db0 net/bluetooth/l2cap_core.c:6817
> hci_acldata_packet net/bluetooth/hci_core.c:3797 [inline]
> hci_rx_work+0x508/0xdb0 net/bluetooth/hci_core.c:4040
> process_one_work kernel/workqueue.c:3229 [inline]
> process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310
> worker_thread+0x870/0xd30 kernel/workqueue.c:3391
> kthread+0x2f0/0x390 kernel/kthread.c:389
> ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
>
>
> Allocated by task 5837:
> kasan_save_stack mm/kasan/common.c:47 [inline]
> kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
> poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
> __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
> kasan_kmalloc include/linux/kasan.h:260 [inline]
> __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4329
> kmalloc_noprof include/linux/slab.h:901 [inline]
> kzalloc_noprof include/linux/slab.h:1037 [inline]
> l2cap_conn_add+0xa9/0x8e0 net/bluetooth/l2cap_core.c:6860
> l2cap_connect_cfm+0x115/0x1090 net/bluetooth/l2cap_core.c:7239
> hci_connect_cfm include/net/bluetooth/hci_core.h:2057 [inline]
> hci_remote_features_evt+0x68e/0xac0 net/bluetooth/hci_event.c:3726
> hci_event_func net/bluetooth/hci_event.c:7473 [inline]
> hci_event_packet+0xac2/0x1540 net/bluetooth/hci_event.c:7525
> hci_rx_work+0x3f3/0xdb0 net/bluetooth/hci_core.c:4035
> process_one_work kernel/workqueue.c:3229 [inline]
> process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310
> worker_thread+0x870/0xd30 kernel/workqueue.c:3391
> kthread+0x2f0/0x390 kernel/kthread.c:389
> ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
>
> Freed by task 54:
> kasan_save_stack mm/kasan/common.c:47 [inline]
> kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
> kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582
> poison_slab_object mm/kasan/common.c:247 [inline]
> __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
> kasan_slab_free include/linux/kasan.h:233 [inline]
> slab_free_hook mm/slub.c:2353 [inline]
> slab_free mm/slub.c:4613 [inline]
> kfree+0x196/0x430 mm/slub.c:4761
> l2cap_connect_cfm+0xcc/0x1090 net/bluetooth/l2cap_core.c:7235
> hci_connect_cfm include/net/bluetooth/hci_core.h:2057 [inline]
> hci_conn_failed+0x287/0x400 net/bluetooth/hci_conn.c:1266
> hci_abort_conn_sync+0x56c/0x11f0 net/bluetooth/hci_sync.c:5603
> hci_cmd_sync_work+0x22b/0x400 net/bluetooth/hci_sync.c:332
> process_one_work kernel/workqueue.c:3229 [inline]
> process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310
> worker_thread+0x870/0xd30 kernel/workqueue.c:3391
> kthread+0x2f0/0x390 kernel/kthread.c:389
> ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
> ret_from_fork_asm+0x1a/0x30
arch/x86/entry/entry_64.S:244 > > Reported-by: syzbot+31c2f641b850a348a734@syzkaller.appspotmail.com > Closes: https://syzkaller.appspot.com/bug?extid=3D31c2f641b850a348a734 > Tested-by: syzbot+31c2f641b850a348a734@syzkaller.appspotmail.com > Signed-off-by: Edward Adam Davis > Signed-off-by: Luiz Augusto von Dentz > --- > net/bluetooth/l2cap_core.c | 23 ++++++++++++++++++++++- > 1 file changed, 22 insertions(+), 1 deletion(-) > > diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c > index 27b4c4a2ba1f..00ef61609d49 100644 > --- a/net/bluetooth/l2cap_core.c > +++ b/net/bluetooth/l2cap_core.c > @@ -7466,14 +7466,33 @@ static void l2cap_recv_reset(struct l2cap_conn *c= onn) > conn->rx_len =3D 0; > } > > +static struct l2cap_conn *l2cap_conn_hold_unless_zero(struct l2cap_conn = *c) > +{ > + BT_DBG("conn %p orig refcnt %u", c, kref_read(&c->ref)); > + > + if (!kref_get_unless_zero(&c->ref)) > + return NULL; > + > + return c; > +} > + > void l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 = flags) > { > - struct l2cap_conn *conn =3D hcon->l2cap_data; > + struct l2cap_conn *conn; > int len; > > + /* Lock hdev to access l2cap_data to avoid race with l2cap_conn_d= el */ > + hci_dev_lock(hcon->hdev); > + > + conn =3D hcon->l2cap_data; > + > if (!conn) > conn =3D l2cap_conn_add(hcon); > > + conn =3D l2cap_conn_hold_unless_zero(conn); > + > + hci_dev_unlock(hcon->hdev); > + > if (!conn) > goto drop; > > @@ -7565,6 +7584,8 @@ void l2cap_recv_acldata(struct hci_conn *hcon, stru= ct sk_buff *skb, u16 flags) > break; > } > > + l2cap_conn_put(conn); > + > drop: > kfree_skb(skb); > } > -- > 2.47.1 > --=20 Luiz Augusto von Dentz
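Review bot: in the first hunk (@@ -7466,14 +7466,33 @@), `conn = l2cap_conn_hold_unless_zero(conn);` runs before the `if (!conn) goto drop;` check, so a NULL return from `l2cap_conn_add()` (the case that check existed for in the original code) is handed to the helper, which dereferences it in `BT_DBG("conn %p orig refcnt %u", c, kref_read(&c->ref))` and again in `kref_get_unless_zero(&c->ref)`. Either add `if (!c) return NULL;` at the top of `l2cap_conn_hold_unless_zero()` or test `conn` for NULL before calling it, while still under `hci_dev_lock()`. The commit message also only mentions adding the hdev lock; since the fix equally depends on the reference taken here, it should say which reference `hcon->l2cap_data` owns and that the rx path now holds its own one until the put.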
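Review bot: in the second hunk (@@ -7565,6 +7584,8 @@), the new `l2cap_conn_put(conn);` sits only on the fall-through path after the `switch`, so the reference is released only when the function reaches the end of that switch. The `goto drop` in the first hunk is fine because it is taken before the hold, but any other `goto drop` between the hold and this point (the three context lines do not show the body of `l2cap_recv_acldata()`) would now skip the put and leak a reference. Please audit every `goto drop` after the hold, or release the reference under its own label that `drop:` falls through from.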
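The pattern the patch relies on, as an added userspace model written for this page (not code from the patch or the kernel): read `hcon->l2cap_data` only under the hdev lock, take a reference with get-unless-zero semantics, drop the lock, use the object, then put it. The names `hci_conn`, `l2cap_conn`, `l2cap_data`, `hci_dev_lock`, `l2cap_conn_add`, `l2cap_conn_del`, `l2cap_conn_put` and `l2cap_conn_hold_unless_zero` mirror the kernel symbols in the thread, but their bodies are simplified stand-ins: an atomic counter for `kref`, a depth counter for the hdev lock, and a `freed` flag instead of `kfree()`. The model is single-threaded, so it shows the ordering the fix depends on rather than real concurrency, and it adds the NULL guard in the hold helper that the hunk does not have.

```c
/* Added userspace model (not kernel code) of the lookup-and-hold pattern the
 * patch introduces. kref, hci_dev_lock and kfree are replaced by an atomic
 * counter, a lock-depth counter and a "freed" flag; nothing here is threaded. */
#include <stdatomic.h>
#include <stdlib.h>

struct l2cap_conn {
	atomic_uint ref;   /* stand-in for kref */
	int freed;         /* set when the last reference is dropped */
};

struct hci_conn {
	int hdev_locked;   /* stand-in for hci_dev_lock(): nesting depth */
	struct l2cap_conn *l2cap_data;
};

static void hci_dev_lock(struct hci_conn *hcon)   { hcon->hdev_locked++; }
static void hci_dev_unlock(struct hci_conn *hcon) { hcon->hdev_locked--; }

/* kref_get_unless_zero() semantics: increment only while the count is
 * non-zero, so an object already on its way to kfree() is never revived. */
static int ref_get_unless_zero(atomic_uint *r)
{
	unsigned int old = atomic_load(r);

	while (old != 0)
		if (atomic_compare_exchange_weak(r, &old, old + 1))
			return 1;
	return 0;
}

static void l2cap_conn_put(struct l2cap_conn *c)
{
	if (atomic_fetch_sub(&c->ref, 1) == 1)
		c->freed = 1;   /* last reference: the kernel would kfree() here */
}

/* The patch's helper, plus the NULL guard a failed l2cap_conn_add() needs. */
static struct l2cap_conn *l2cap_conn_hold_unless_zero(struct l2cap_conn *c)
{
	if (!c || !ref_get_unless_zero(&c->ref))
		return NULL;
	return c;
}

/* Allocate and attach; the initial reference belongs to hcon->l2cap_data. */
static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
{
	struct l2cap_conn *c = calloc(1, sizeof(*c));

	if (c) {
		atomic_store(&c->ref, 1);
		hcon->l2cap_data = c;
	}
	return c;
}

/* Teardown as run by the hci_sync worker: detach under the lock, then drop
 * the owner reference. Whoever still holds one keeps the object alive. */
static void l2cap_conn_del(struct hci_conn *hcon)
{
	struct l2cap_conn *c;

	hci_dev_lock(hcon);
	c = hcon->l2cap_data;
	hcon->l2cap_data = NULL;
	hci_dev_unlock(hcon);
	if (c)
		l2cap_conn_put(c);
}

/* Interleaving from the KASAN report: rx work looks the conn up and holds
 * it, the sync worker deletes it, and only then does rx work use it.
 * Returns 1 when the use was safe, the last put released the object, and a
 * stale pointer to it can no longer be turned into a reference. */
static int interleaved_delete_is_safe(void)
{
	struct hci_conn hcon = {0};
	struct l2cap_conn *conn;
	int safe;

	/* rx side, as in the patched l2cap_recv_acldata() */
	hci_dev_lock(&hcon);
	conn = hcon.l2cap_data;
	if (!conn)
		conn = l2cap_conn_add(&hcon);
	conn = l2cap_conn_hold_unless_zero(conn);
	hci_dev_unlock(&hcon);
	if (!conn)
		return 0;                      /* goto drop */

	l2cap_conn_del(&hcon);                 /* sync side: ref 2 -> 1, no free */
	safe = !conn->freed;                   /* rx side's use is still valid */
	l2cap_conn_put(conn);                  /* ref 1 -> 0: released here */
	safe = safe && conn->freed && hcon.l2cap_data == NULL;
	safe = safe && l2cap_conn_hold_unless_zero(conn) == NULL;
	safe = safe && hcon.hdev_locked == 0;  /* every lock was paired */
	free(conn);
	return safe;
}
```

The model makes the two halves of the fix visible: the lock only protects the short window in which `hcon->l2cap_data` is read, while the get-unless-zero reference is what keeps the object alive after the lock is dropped, which is the part the commit message does not spell out.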