From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Fri, 17 Jan 2025 09:16:20 -0800
From: syzbot
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] Re: [PATCH v3] Bluetooth: L2CAP: Fix slab-use-after-free Read in l2cap_send_cmd
Message-ID: <678a9064.050a0220.303755.0010.GAE@google.com>
In-Reply-To: <00000000000070784806124596ec@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Re: [PATCH v3] Bluetooth: L2CAP: Fix slab-use-after-free Read in l2cap_send_cmd
Author: luiz.dentz@gmail.com

#syz test

On Fri, Jan 17, 2025 at 12:14 PM Luiz Augusto von Dentz wrote:
>
> From: Luiz Augusto von Dentz
>
> After the hci sync command releases l2cap_conn, the hci receive data work
> queue references the released l2cap_conn when sending to the upper layer.
> Add hci dev lock to the hci receive data work queue to synchronize the two.
>
> [1]
> BUG: KASAN: slab-use-after-free in l2cap_send_cmd+0x187/0x8d0 net/bluetooth/l2cap_core.c:954
> Read of size 8 at addr ffff8880271a4000 by task kworker/u9:2/5837
>
> CPU: 0 UID: 0 PID: 5837 Comm: kworker/u9:2 Not tainted 6.13.0-rc5-syzkaller-00163-gab75170520d4 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
> Workqueue: hci1 hci_rx_work
> Call Trace:
>
> __dump_stack lib/dump_stack.c:94 [inline]
> dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
> print_address_description mm/kasan/report.c:378 [inline]
> print_report+0x169/0x550 mm/kasan/report.c:489
> kasan_report+0x143/0x180 mm/kasan/report.c:602
> l2cap_build_cmd net/bluetooth/l2cap_core.c:2964 [inline]
> l2cap_send_cmd+0x187/0x8d0 net/bluetooth/l2cap_core.c:954
> l2cap_sig_send_rej net/bluetooth/l2cap_core.c:5502 [inline]
> l2cap_sig_channel net/bluetooth/l2cap_core.c:5538 [inline]
> l2cap_recv_frame+0x221f/0x10db0 net/bluetooth/l2cap_core.c:6817
> hci_acldata_packet net/bluetooth/hci_core.c:3797 [inline]
> hci_rx_work+0x508/0xdb0 net/bluetooth/hci_core.c:4040
> process_one_work kernel/workqueue.c:3229 [inline]
> process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310
> worker_thread+0x870/0xd30 kernel/workqueue.c:3391
> kthread+0x2f0/0x390 kernel/kthread.c:389
> ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
>
>
> Allocated by task 5837:
> kasan_save_stack mm/kasan/common.c:47 [inline]
> kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
> poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
> __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
> kasan_kmalloc include/linux/kasan.h:260 [inline]
> __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4329
> kmalloc_noprof include/linux/slab.h:901 [inline]
> kzalloc_noprof include/linux/slab.h:1037 [inline]
> l2cap_conn_add+0xa9/0x8e0 net/bluetooth/l2cap_core.c:6860
> l2cap_connect_cfm+0x115/0x1090 net/bluetooth/l2cap_core.c:7239
> hci_connect_cfm include/net/bluetooth/hci_core.h:2057 [inline]
> hci_remote_features_evt+0x68e/0xac0 net/bluetooth/hci_event.c:3726
> hci_event_func net/bluetooth/hci_event.c:7473 [inline]
> hci_event_packet+0xac2/0x1540 net/bluetooth/hci_event.c:7525
> hci_rx_work+0x3f3/0xdb0 net/bluetooth/hci_core.c:4035
> process_one_work kernel/workqueue.c:3229 [inline]
> process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310
> worker_thread+0x870/0xd30 kernel/workqueue.c:3391
> kthread+0x2f0/0x390 kernel/kthread.c:389
> ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
>
> Freed by task 54:
> kasan_save_stack mm/kasan/common.c:47 [inline]
> kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
> kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582
> poison_slab_object mm/kasan/common.c:247 [inline]
> __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
> kasan_slab_free include/linux/kasan.h:233 [inline]
> slab_free_hook mm/slub.c:2353 [inline]
> slab_free mm/slub.c:4613 [inline]
> kfree+0x196/0x430 mm/slub.c:4761
> l2cap_connect_cfm+0xcc/0x1090 net/bluetooth/l2cap_core.c:7235
> hci_connect_cfm include/net/bluetooth/hci_core.h:2057 [inline]
> hci_conn_failed+0x287/0x400 net/bluetooth/hci_conn.c:1266
> hci_abort_conn_sync+0x56c/0x11f0 net/bluetooth/hci_sync.c:5603
> hci_cmd_sync_work+0x22b/0x400 net/bluetooth/hci_sync.c:332
> process_one_work kernel/workqueue.c:3229 [inline]
> process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310
> worker_thread+0x870/0xd30 kernel/workqueue.c:3391
> kthread+0x2f0/0x390 kernel/kthread.c:389
> ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
> ret_from_fork_asm+0x1a/0x30
arch/x86/entry/entry_64.S:244 > > Reported-by: syzbot+31c2f641b850a348a734@syzkaller.appspotmail.com > Closes: https://syzkaller.appspot.com/bug?extid=3D31c2f641b850a348a734 > Tested-by: syzbot+31c2f641b850a348a734@syzkaller.appspotmail.com > Signed-off-by: Edward Adam Davis > Signed-off-by: Luiz Augusto von Dentz > --- > net/bluetooth/l2cap_core.c | 38 ++++++++++++++++++++++++++++++++++++-- > 1 file changed, 36 insertions(+), 2 deletions(-) > > diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c > index 27b4c4a2ba1f..cf3597682011 100644 > --- a/net/bluetooth/l2cap_core.c > +++ b/net/bluetooth/l2cap_core.c > @@ -951,11 +951,18 @@ static u8 l2cap_get_ident(struct l2cap_conn *conn) > static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u= 16 len, > void *data) > { > - struct sk_buff *skb =3D l2cap_build_cmd(conn, code, ident, len, d= ata); > + struct sk_buff *skb; > u8 flags; > > + /* Check if hchan has been dropped since it means hci_chan_del ha= s > + * been called. > + */ > + if (!conn->hchan) > + return; > + > BT_DBG("code 0x%2.2x", code); > > + skb =3D l2cap_build_cmd(conn, code, ident, len, data); > if (!skb) > return; > > @@ -6785,6 +6792,12 @@ static void l2cap_recv_frame(struct l2cap_conn *co= nn, struct sk_buff *skb) > u16 cid, len; > __le16 psm; > > + /* Check if hchan has been dropped then drop any packets as well = */ > + if (!conn->hchan) { > + kfree_skb(skb); > + return; > + } > + > if (hcon->state !=3D BT_CONNECTED) { > BT_DBG("queueing pending rx skb"); > skb_queue_tail(&conn->pending_rx, skb); 
> @@ -7466,14 +7479,33 @@ static void l2cap_recv_reset(struct l2cap_conn *c= onn) > conn->rx_len =3D 0; > } > > +static struct l2cap_conn *l2cap_conn_hold_unless_zero(struct l2cap_conn = *c) > +{ > + BT_DBG("conn %p orig refcnt %u", c, kref_read(&c->ref)); > + > + if (!kref_get_unless_zero(&c->ref)) > + return NULL; > + > + return c; > +} > + > void l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 = flags) > { > - struct l2cap_conn *conn =3D hcon->l2cap_data; > + struct l2cap_conn *conn; > int len; > > + /* Lock hdev to access l2cap_data to avoid race with l2cap_conn_d= el */ > + hci_dev_lock(hcon->hdev); > + > + conn =3D hcon->l2cap_data; > + > if (!conn) > conn =3D l2cap_conn_add(hcon); > > + conn =3D l2cap_conn_hold_unless_zero(conn); > + > + hci_dev_unlock(hcon->hdev); > + > if (!conn) > goto drop; > > @@ -7565,6 +7597,8 @@ void l2cap_recv_acldata(struct hci_conn *hcon, stru= ct sk_buff *skb, u16 flags) > break; > } > > + l2cap_conn_put(conn); > + > drop: > kfree_skb(skb); > } > -- > 2.47.1 > --=20 Luiz Augusto von Dentz
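Review bot: in the l2cap_send_cmd hunk, the new `if (!conn->hchan) return;` dereferences `conn` itself, which is the object KASAN reports as freed (the reported read at l2cap_core.c:954 is the old `struct sk_buff *skb = l2cap_build_cmd(conn, ...)` line), so the test only helps once the caller already guarantees `conn` is alive; it is also an unlocked read of `hchan`, so `hci_chan_del` can clear it between this check and `l2cap_build_cmd`. The comment should say that correctness rests on the caller holding an `l2cap_conn` reference (as `l2cap_recv_acldata` now does) rather than on this check, and it is worth confirming that callers which send signalling commands without that reference get the same protection. Minor: moving `BT_DBG("code 0x%2.2x", code)` after the early return means suppressed commands leave no trace; a debug line on the return path would make the silent drop visible.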
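Review bot: in the l2cap_recv_frame hunk, the `if (!conn->hchan)` test is again an unlocked read, so a frame can pass it and still run into a cleared `hchan` further down the function; it narrows the window rather than closing it, which is acceptable only because the reference taken in `l2cap_recv_acldata` is what keeps `conn` valid, and that dependency deserves a sentence in the comment. Placing the test before the `hcon->state != BT_CONNECTED` branch is the right order, since it stops frames from being parked on `pending_rx` for a connection that is being torn down, but the comment "Check if hchan has been dropped then drop any packets as well" does not say why; something like "hchan is gone, so the connection is being torn down: free the frame instead of queueing it" would.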
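Review bot: in the l2cap_recv_acldata hunk, `l2cap_conn_add(hcon)` can return NULL and its result is now passed straight to `l2cap_conn_hold_unless_zero()`, whose `BT_DBG("conn %p orig refcnt %u", c, kref_read(&c->ref))` and `kref_get_unless_zero(&c->ref)` both dereference `c` before the `if (!conn) goto drop` check runs; an allocation failure therefore becomes a NULL pointer dereference while `hci_dev_lock` is held. Either keep a NULL test between the add and the hold (unlocking `hdev` before `goto drop`) or make the helper return NULL for a NULL argument. Also note that when `l2cap_conn_add` has just created the connection this takes a second reference on a brand-new object, which is only balanced if the `l2cap_conn_put` added later is reached on every path out of the function.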
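Review bot: in the last hunk, `l2cap_conn_put(conn)` sits after the `switch` leaves via `break` and before the `drop:` label, so it is only executed on that fall-through path: any `return` or `goto drop` inside the switch after the reference was taken (not visible in this context, so the body between the hold and this point needs checking, in particular the path that hands a complete frame to `l2cap_recv_frame`) bypasses the put and leaks the reference, pinning `l2cap_conn` for good. Funnel every exit after the hold through one label, for example `unlock: l2cap_conn_put(conn); return;` with `drop: kfree_skb(skb); goto unlock;`, so the put cannot be skipped. Keep in mind that `drop` is also the target of the `goto drop` taken in the previous hunk before the reference exists, so the put must not be placed under that label itself; the two-label layout preserves that distinction.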