public inbox for linux-kernel@vger.kernel.org
* [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_sock_ready_cb (2)
@ 2024-10-01 10:15 syzbot
  2026-01-22 21:45 ` syzbot
  0 siblings, 1 reply; 9+ messages in thread
From: syzbot @ 2024-10-01 10:15 UTC (permalink / raw)
  To: johan.hedberg, linux-bluetooth, linux-kernel, luiz.dentz, marcel,
	syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    5f5673607153 Merge branch 'for-next/core' into for-kernelci
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=12881980580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=dedbcb1ff4387972
dashboard link: https://syzkaller.appspot.com/bug?extid=9265e754091c2d27ea29
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/40172aed5414/disk-5f567360.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/58372f305e9d/vmlinux-5f567360.xz
kernel image: https://storage.googleapis.com/syzbot-assets/d2aae6fa798f/Image-5f567360.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9265e754091c2d27ea29@syzkaller.appspotmail.com

kobject: kobject_add_internal failed for hci0:201 with -EEXIST, don't try to register things with the same name in the same directory.
Bluetooth: hci0: failed to register connection device
==================================================================
BUG: KASAN: slab-use-after-free in l2cap_sock_ready_cb+0xc4/0x130 net/bluetooth/l2cap_sock.c:1670
Read of size 8 at addr ffff0000da74b188 by task kworker/u9:6/6425

CPU: 0 UID: 0 PID: 6425 Comm: kworker/u9:6 Not tainted 6.11.0-rc7-syzkaller-g5f5673607153 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Workqueue: hci0 hci_rx_work
Call trace:
 dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:319
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:326
 __dump_stack lib/dump_stack.c:93 [inline]
 dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:119
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x198/0x538 mm/kasan/report.c:488
 kasan_report+0xd8/0x138 mm/kasan/report.c:601
 __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381
 l2cap_sock_ready_cb+0xc4/0x130 net/bluetooth/l2cap_sock.c:1670
 l2cap_chan_ready net/bluetooth/l2cap_core.c:1256 [inline]
 l2cap_le_start+0xa6c/0x1384 net/bluetooth/l2cap_core.c:1368
 l2cap_conn_ready net/bluetooth/l2cap_core.c:1624 [inline]
 l2cap_connect_cfm+0x57c/0xe24 net/bluetooth/l2cap_core.c:7286
 hci_connect_cfm+0xa0/0x13c include/net/bluetooth/hci_core.h:1960
 le_conn_complete_evt+0xa1c/0xf0c net/bluetooth/hci_event.c:5761
 hci_le_conn_complete_evt+0x114/0x404 net/bluetooth/hci_event.c:5787
 hci_le_meta_evt+0x2a4/0x478 net/bluetooth/hci_event.c:7135
 hci_event_func net/bluetooth/hci_event.c:7443 [inline]
 hci_event_packet+0x890/0x106c net/bluetooth/hci_event.c:7498
 hci_rx_work+0x318/0xa80 net/bluetooth/hci_core.c:4023
 process_one_work+0x79c/0x15b8 kernel/workqueue.c:3231
 process_scheduled_works kernel/workqueue.c:3312 [inline]
 worker_thread+0x978/0xec4 kernel/workqueue.c:3389
 kthread+0x288/0x310 kernel/kthread.c:389
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860

Allocated by task 6795:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:68
 kasan_save_alloc_info+0x40/0x50 mm/kasan/generic.c:565
 poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
 __kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:387
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __do_kmalloc_node mm/slub.c:4162 [inline]
 __kmalloc_noprof+0x2a4/0x498 mm/slub.c:4174
 kmalloc_noprof include/linux/slab.h:685 [inline]
 sk_prot_alloc+0xc4/0x1f0 net/core/sock.c:2096
 sk_alloc+0x44/0x3f0 net/core/sock.c:2149
 bt_sock_alloc+0x4c/0x304 net/bluetooth/af_bluetooth.c:148
 l2cap_sock_alloc net/bluetooth/l2cap_sock.c:1877 [inline]
 l2cap_sock_create+0x140/0x2b8 net/bluetooth/l2cap_sock.c:1917
 bt_sock_create+0x14c/0x248 net/bluetooth/af_bluetooth.c:132
 __sock_create+0x43c/0x884 net/socket.c:1571
 sock_create net/socket.c:1622 [inline]
 __sys_socket_create net/socket.c:1659 [inline]
 __sys_socket+0x134/0x340 net/socket.c:1706
 __do_sys_socket net/socket.c:1720 [inline]
 __se_sys_socket net/socket.c:1718 [inline]
 __arm64_sys_socket+0x7c/0x94 net/socket.c:1718
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598

Freed by task 6794:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:68
 kasan_save_free_info+0x54/0x6c mm/kasan/generic.c:579
 poison_slab_object+0x128/0x180 mm/kasan/common.c:240
 __kasan_slab_free+0x3c/0x70 mm/kasan/common.c:256
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2256 [inline]
 slab_free mm/slub.c:4477 [inline]
 kfree+0x154/0x3e0 mm/slub.c:4598
 sk_prot_free net/core/sock.c:2132 [inline]
 __sk_destruct+0x4b8/0x74c net/core/sock.c:2224
 sk_destruct net/core/sock.c:2239 [inline]
 __sk_free+0x388/0x4f4 net/core/sock.c:2250
 sk_free+0x60/0xc8 net/core/sock.c:2261
 sock_put include/net/sock.h:1884 [inline]
 l2cap_sock_kill+0x12c/0x234 net/bluetooth/l2cap_sock.c:1250
 l2cap_sock_release+0x138/0x1b4 net/bluetooth/l2cap_sock.c:1421
 __sock_release net/socket.c:659 [inline]
 sock_close+0xa4/0x1e8 net/socket.c:1421
 __fput+0x1bc/0x774 fs/file_table.c:422
 ____fput+0x20/0x30 fs/file_table.c:450
 task_work_run+0x230/0x2e0 kernel/task_work.c:228
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 do_notify_resume+0x178/0x1f4 arch/arm64/kernel/entry-common.c:151
 exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline]
 exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline]
 el0_svc+0xac/0x168 arch/arm64/kernel/entry-common.c:713
 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598

The buggy address belongs to the object at ffff0000da74b000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 392 bytes inside of
 freed 2048-byte region [ffff0000da74b000, ffff0000da74b800)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff0000da74e000 pfn:0x11a748
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x5ffc00000000240(workingset|head|node=0|zone=2|lastcpupid=0x7ff)
page_type: 0xfdffffff(slab)
raw: 05ffc00000000240 ffff0000c0002000 fffffdffc369c610 fffffdffc3093810
raw: ffff0000da74e000 0000000000080006 00000001fdffffff 0000000000000000
head: 05ffc00000000240 ffff0000c0002000 fffffdffc369c610 fffffdffc3093810
head: ffff0000da74e000 0000000000080006 00000001fdffffff 0000000000000000
head: 05ffc00000000003 fffffdffc369d201 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000da74b080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff0000da74b100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff0000da74b180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff0000da74b200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff0000da74b280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

* Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_sock_ready_cb (2)
       [not found] <CAHiZj8jFpERHN8xUkMibnpjjAbROC8KN=TBfD4veJCPdWTk8jg@mail.gmail.com>
@ 2024-10-01 13:17 ` syzbot
  0 siblings, 0 replies; 9+ messages in thread
From: syzbot @ 2024-10-01 13:17 UTC (permalink / raw)
  To: surajsonawane0215; +Cc: surajsonawane0215, linux-kernel, syzkaller-bugs

> This fix ensures that the parent socket is valid and not marked as dead
> before invoking sk_data_ready, preventing potential slab-use-after-free
> issues. It adds a check for SOCK_DEAD to avoid accessing freed or invalid
> memory.
>
> #syz test

This crash does not have a reproducer. I cannot test it.

>
> Signed-off-by: SurajSonawane2415 <surajsonawane0215@gmail.com>
> ---
>  net/bluetooth/l2cap_sock.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
> index ba437c6f6..fa9d6dd7e 100644
> --- a/net/bluetooth/l2cap_sock.c
> +++ b/net/bluetooth/l2cap_sock.c
> @@ -1666,7 +1666,7 @@ static void l2cap_sock_ready_cb(struct l2cap_chan
> *chan)
>   sk->sk_state = BT_CONNECTED;
>   sk->sk_state_change(sk);
>
> - if (parent)
> + if (parent && sock_flag(parent, SOCK_DEAD) == 0)
>   parent->sk_data_ready(parent);
>
>   release_sock(sk);
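Review bot: the added `sock_flag(parent, SOCK_DEAD)` test reads through the same `parent` pointer that the report shows is already freed (the freed-by stack ends in l2cap_sock_kill -> sock_put -> sk_free -> kfree of the 2048-byte object the faulting read lands in), so the check is itself a use-after-free read and cannot reliably observe SOCK_DEAD; the child needs to hold a reference on the parent for as long as it keeps the pointer, or have the pointer cleared under the lock when the parent is released, rather than test a flag on possibly reused memory. Minor style point: the kernel idiom is `if (parent && !sock_flag(parent, SOCK_DEAD))` rather than comparing against 0.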
> -- 
> 2.34.1
>

* Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_sock_ready_cb (2)
  2024-10-01 10:15 [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_sock_ready_cb (2) syzbot
@ 2026-01-22 21:45 ` syzbot
  2026-01-23  6:38   ` Hillf Danton
                     ` (2 more replies)
  0 siblings, 3 replies; 9+ messages in thread
From: syzbot @ 2026-01-22 21:45 UTC (permalink / raw)
  To: johan.hedberg, linux-bluetooth, linux-kernel, luiz.dentz, marcel,
	surajsonawane0215, syzkaller-bugs

syzbot has found a reproducer for the following issue on:

HEAD commit:    a66191c590b3 Merge tag 'hyperv-fixes-signed-20260121' of g..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11b467fc580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f1fac0919970b671
dashboard link: https://syzkaller.appspot.com/bug?extid=9265e754091c2d27ea29
compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=143e7f9a580000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-a66191c5.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/a89b38a5520d/vmlinux-a66191c5.xz
kernel image: https://storage.googleapis.com/syzbot-assets/33e1cf1326b6/bzImage-a66191c5.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9265e754091c2d27ea29@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-use-after-free in l2cap_sock_ready_cb+0x191/0x1a0 net/bluetooth/l2cap_sock.c:1687
Read of size 8 at addr ffff888036cc8188 by task kworker/1:7/6201

CPU: 1 UID: 0 PID: 6201 Comm: kworker/1:7 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: events l2cap_info_timeout
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0x156/0x4c9 mm/kasan/report.c:482
 kasan_report+0xdf/0x1a0 mm/kasan/report.c:595
 l2cap_sock_ready_cb+0x191/0x1a0 net/bluetooth/l2cap_sock.c:1687
 l2cap_chan_ready net/bluetooth/l2cap_core.c:1247 [inline]
 l2cap_conn_start+0x123/0xb20 net/bluetooth/l2cap_core.c:1513
 l2cap_info_timeout+0x81/0xa0 net/bluetooth/l2cap_core.c:1670
 process_one_work+0x9c2/0x1840 kernel/workqueue.c:3257
 process_scheduled_works kernel/workqueue.c:3340 [inline]
 worker_thread+0x5da/0xe40 kernel/workqueue.c:3421
 kthread+0x3b3/0x730 kernel/kthread.c:463
 ret_from_fork+0x754/0xaf0 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
 </TASK>

Allocated by task 28378:
 kasan_save_stack+0x30/0x50 mm/kasan/common.c:57
 kasan_save_track+0x14/0x30 mm/kasan/common.c:78
 poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:415
 kasan_kmalloc include/linux/kasan.h:263 [inline]
 __do_kmalloc_node mm/slub.c:5657 [inline]
 __kmalloc_noprof+0x347/0x9c0 mm/slub.c:5669
 kmalloc_noprof include/linux/slab.h:961 [inline]
 sk_prot_alloc+0x10b/0x2a0 net/core/sock.c:2245
 sk_alloc+0x36/0xe80 net/core/sock.c:2301
 __netlink_create+0x5e/0x2c0 net/netlink/af_netlink.c:626
 netlink_create+0x293/0x610 net/netlink/af_netlink.c:684
 __sock_create+0x339/0x860 net/socket.c:1605
 sock_create net/socket.c:1663 [inline]
 __sys_socket_create net/socket.c:1700 [inline]
 __sys_socket+0x14d/0x260 net/socket.c:1747
 __do_sys_socket net/socket.c:1761 [inline]
 __se_sys_socket net/socket.c:1759 [inline]
 __x64_sys_socket+0x72/0xb0 net/socket.c:1759
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 10:
 kasan_save_stack+0x30/0x50 mm/kasan/common.c:57
 kasan_save_track+0x14/0x30 mm/kasan/common.c:78
 kasan_save_free_info+0x3b/0x70 mm/kasan/generic.c:584
 poison_slab_object mm/kasan/common.c:253 [inline]
 __kasan_slab_free+0x5f/0x80 mm/kasan/common.c:285
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:2540 [inline]
 slab_free mm/slub.c:6674 [inline]
 kfree+0x1c7/0x690 mm/slub.c:6882
 sk_prot_free net/core/sock.c:2284 [inline]
 __sk_destruct+0x8ab/0xbb0 net/core/sock.c:2384
 sk_destruct+0xc8/0xf0 net/core/sock.c:2412
 __sk_free+0xf4/0x3e0 net/core/sock.c:2423
 sk_free+0x61/0x90 net/core/sock.c:2434
 deferred_put_nlk_sk+0xbe/0x110 net/netlink/af_netlink.c:714
 rcu_do_batch kernel/rcu/tree.c:2605 [inline]
 rcu_core+0x7c0/0x15c0 kernel/rcu/tree.c:2857
 handle_softirqs+0x1ea/0x910 kernel/softirq.c:622
 do_softirq kernel/softirq.c:523 [inline]
 do_softirq+0xac/0xe0 kernel/softirq.c:510
 __local_bh_enable_ip+0xf8/0x120 kernel/softirq.c:450
 local_bh_enable include/linux/bottom_half.h:33 [inline]
 __alloc_skb+0x381/0x410 net/core/skbuff.c:674
 alloc_skb include/linux/skbuff.h:1383 [inline]
 mld_newpack.isra.0+0x18e/0xa20 net/ipv6/mcast.c:1775
 add_grhead+0x299/0x340 net/ipv6/mcast.c:1886
 add_grec+0x1380/0x1920 net/ipv6/mcast.c:2025
 mld_send_cr net/ipv6/mcast.c:2148 [inline]
 mld_ifc_work+0x3c5/0xc10 net/ipv6/mcast.c:2693
 process_one_work+0x9c2/0x1840 kernel/workqueue.c:3257
 process_scheduled_works kernel/workqueue.c:3340 [inline]
 worker_thread+0x5da/0xe40 kernel/workqueue.c:3421
 kthread+0x3b3/0x730 kernel/kthread.c:463
 ret_from_fork+0x754/0xaf0 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

Last potentially related work creation:
 kasan_save_stack+0x30/0x50 mm/kasan/common.c:57
 kasan_record_aux_stack+0xa7/0xc0 mm/kasan/generic.c:556
 __call_rcu_common.constprop.0+0xa5/0x9b0 kernel/rcu/tree.c:3119
 netlink_release+0xb28/0x1ff0 net/netlink/af_netlink.c:796
 __sock_release+0xb3/0x260 net/socket.c:662
 sock_close+0x1c/0x30 net/socket.c:1455
 __fput+0x3ff/0xb40 fs/file_table.c:468
 fput_close_sync+0x118/0x250 fs/file_table.c:573
 __do_sys_close fs/open.c:1573 [inline]
 __se_sys_close fs/open.c:1558 [inline]
 __x64_sys_close+0x8b/0x120 fs/open.c:1558
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888036cc8000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 392 bytes inside of
 freed 2048-byte region [ffff888036cc8000, ffff888036cc8800)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x36cc8
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801b842f00 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88801b842f00 dead000000000100 dead000000000122
head: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
head: 00fff00000000003 ffffea0000db3201 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 6062, tgid 6062 (syz-executor), ts 78835027953, free_ts 78732062892
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1e1/0x250 mm/page_alloc.c:1884
 prep_new_page mm/page_alloc.c:1892 [inline]
 get_page_from_freelist+0xe3d/0x2e10 mm/page_alloc.c:3945
 __alloc_frozen_pages_noprof+0x26c/0x2410 mm/page_alloc.c:5240
 alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2486
 alloc_slab_page mm/slub.c:3075 [inline]
 allocate_slab mm/slub.c:3248 [inline]
 new_slab+0x2c4/0x440 mm/slub.c:3302
 ___slab_alloc+0xda3/0x1ca0 mm/slub.c:4656
 __slab_alloc.isra.0+0x63/0x110 mm/slub.c:4779
 __slab_alloc_node mm/slub.c:4855 [inline]
 slab_alloc_node mm/slub.c:5251 [inline]
 __do_kmalloc_node mm/slub.c:5656 [inline]
 __kmalloc_noprof+0x618/0x9c0 mm/slub.c:5669
 kmalloc_noprof include/linux/slab.h:961 [inline]
 sk_prot_alloc+0x10b/0x2a0 net/core/sock.c:2245
 sk_alloc+0x36/0xe80 net/core/sock.c:2301
 __netlink_create+0x5e/0x2c0 net/netlink/af_netlink.c:626
 __netlink_kernel_create+0xed/0x750 net/netlink/af_netlink.c:2018
 netlink_kernel_create include/linux/netlink.h:62 [inline]
 xfrm_user_net_init+0xc6/0x190 net/xfrm/xfrm_user.c:4216
 ops_init+0x1e2/0x5f0 net/core/net_namespace.c:137
 setup_net+0x118/0x3a0 net/core/net_namespace.c:446
 copy_net_ns+0x46f/0x7c0 net/core/net_namespace.c:581
page last free pid 6061 tgid 6061 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1433 [inline]
 __free_frozen_pages+0x822/0x1130 mm/page_alloc.c:2973
 discard_slab mm/slub.c:3346 [inline]
 __put_partials+0x127/0x160 mm/slub.c:3886
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x47/0xe0 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x1a0/0x1f0 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:350
 kasan_slab_alloc include/linux/kasan.h:253 [inline]
 slab_post_alloc_hook mm/slub.c:4953 [inline]
 slab_alloc_node mm/slub.c:5263 [inline]
 __do_kmalloc_node mm/slub.c:5656 [inline]
 __kvmalloc_node_noprof+0x306/0xac0 mm/slub.c:7140
 proc_sys_call_handler+0x2c7/0x5a0 fs/proc/proc_sysctl.c:583
 new_sync_write fs/read_write.c:593 [inline]
 vfs_write+0x6ac/0x1070 fs/read_write.c:686
 ksys_write+0x12a/0x250 fs/read_write.c:738
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff888036cc8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888036cc8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888036cc8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff888036cc8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888036cc8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

* Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_sock_ready_cb (2)
  2026-01-22 21:45 ` syzbot
@ 2026-01-23  6:38   ` Hillf Danton
  2026-01-23  6:57     ` syzbot
  2026-01-23 10:26   ` Hillf Danton
  2026-01-23 22:21   ` Hillf Danton
  2 siblings, 1 reply; 9+ messages in thread
From: Hillf Danton @ 2026-01-23  6:38 UTC (permalink / raw)
  To: syzbot; +Cc: linux-kernel, syzkaller-bugs

> Date: Thu, 22 Jan 2026 13:45:34 -0800
> syzbot has found a reproducer for the following issue on:
> 
> HEAD commit:    a66191c590b3 Merge tag 'hyperv-fixes-signed-20260121' of g..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=11b467fc580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=f1fac0919970b671
> dashboard link: https://syzkaller.appspot.com/bug?extid=9265e754091c2d27ea29
> compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=143e7f9a580000

#syz test

--- x/net/bluetooth/af_bluetooth.c
+++ y/net/bluetooth/af_bluetooth.c
@@ -226,6 +226,7 @@ void bt_accept_enqueue(struct sock *pare
 
 	list_add_tail(&bt_sk(sk)->accept_q, &bt_sk(parent)->accept_q);
 	bt_sk(sk)->parent = parent;
+	sock_hold(parent);
 
 	/* Copy credentials from parent since for incoming connections the
 	 * socket is allocated by the kernel.
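Review bot: the `sock_hold(parent);` taken here after `bt_sk(sk)->parent = parent;` is balanced only by the sock_put() this patch adds to bt_accept_unlink(), so every child enqueued here must leave the accept queue through bt_accept_unlink(); any teardown path that drops a child socket without calling bt_accept_unlink() would now pin the parent indefinitely, trading the reported use-after-free for a socket leak. A one-line comment above `sock_hold(parent);` stating that the reference is released in bt_accept_unlink() would make that pairing visible to the next reader.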
@@ -258,6 +259,7 @@ void bt_accept_unlink(struct sock *sk)
 
 	list_del_init(&bt_sk(sk)->accept_q);
 	sk_acceptq_removed(bt_sk(sk)->parent);
+	sock_put(bt_sk(sk)->parent);
 	bt_sk(sk)->parent = NULL;
 	sock_put(sk);
 }
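Review bot: `sock_put(bt_sk(sk)->parent);` can be the final reference drop on the parent, so it must not run while a caller still holds lock_sock() on that parent without a reference of its own, or the caller's release_sock() after this returns becomes a use-after-free; the hunk does not show the callers, so please confirm that each path that walks accept_q and calls bt_accept_unlink() owns a parent reference across the call. Also, `bt_sk(sk)->parent` is now evaluated three times in a row; loading it once into a local `struct sock *parent` before the sk_acceptq_removed() call reads more cleanly. The syzbot retest later in this thread still crashes the reproducer, now with a null-ptr-deref in lock_sock_nested() reached from l2cap_sock_new_connection_cb(), so this hold/put pairing alone does not close the report.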
--

* Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_sock_ready_cb (2)
  2026-01-23  6:38   ` Hillf Danton
@ 2026-01-23  6:57     ` syzbot
  0 siblings, 0 replies; 9+ messages in thread
From: syzbot @ 2026-01-23  6:57 UTC (permalink / raw)
  To: hdanton, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in lock_sock_nested

Oops: general protection fault, probably for non-canonical address 0xdffffc000000004c: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000260-0x0000000000000267]
CPU: 1 UID: 0 PID: 6371 Comm: kworker/u33:6 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: hci0 hci_rx_work
RIP: 0010:kasan_byte_accessible+0x15/0x30 mm/kasan/generic.c:210
Code: 00 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 40 d6 48 b8 00 00 00 00 00 fc ff df 48 c1 ef 03 48 01 c7 <0f> b6 07 3c 07 0f 96 c0 e9 ce 86 08 09 66 66 2e 0f 1f 84 00 00 00
RSP: 0018:ffffc900036c77d8 EFLAGS: 00010282
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff89422bb1 RDI: dffffc000000004c
RBP: 0000000000000260 R08: 0000000000000001 R09: 0000000000000000
R10: ffffc900036c78c8 R11: 00000000000075a9 R12: ffffffff89422bb1
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8880d66dc000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f01e4fde2f8 CR3: 000000000e392000 CR4: 0000000000352ef0
Call Trace:
 <TASK>
 __kasan_check_byte+0x13/0x50 mm/kasan/common.c:573
 kasan_check_byte include/linux/kasan.h:402 [inline]
 lock_acquire kernel/locking/lockdep.c:5842 [inline]
 lock_acquire+0xf5/0x330 kernel/locking/lockdep.c:5825
 lock_sock_nested+0x41/0xf0 net/core/sock.c:3780
 lock_sock include/net/sock.h:1700 [inline]
 l2cap_sock_new_connection_cb+0x4c/0x260 net/bluetooth/l2cap_sock.c:1476
 l2cap_connect_cfm+0x4e2/0x1010 net/bluetooth/l2cap_core.c:7288
 hci_connect_cfm include/net/bluetooth/hci_core.h:2131 [inline]
 hci_remote_features_evt+0x4f4/0x9b0 net/bluetooth/hci_event.c:3729
 hci_event_func net/bluetooth/hci_event.c:7719 [inline]
 hci_event_packet+0xa86/0x11c0 net/bluetooth/hci_event.c:7773
 hci_rx_work+0x451/0xfc0 net/bluetooth/hci_core.c:4076
 process_one_work+0x9c2/0x1840 kernel/workqueue.c:3257
 process_scheduled_works kernel/workqueue.c:3340 [inline]
 worker_thread+0x5da/0xe40 kernel/workqueue.c:3421
 kthread+0x3b3/0x730 kernel/kthread.c:463
 ret_from_fork+0x754/0xaf0 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:kasan_byte_accessible+0x15/0x30 mm/kasan/generic.c:210
Code: 00 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 40 d6 48 b8 00 00 00 00 00 fc ff df 48 c1 ef 03 48 01 c7 <0f> b6 07 3c 07 0f 96 c0 e9 ce 86 08 09 66 66 2e 0f 1f 84 00 00 00
RSP: 0018:ffffc900036c77d8 EFLAGS: 00010282
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff89422bb1 RDI: dffffc000000004c
RBP: 0000000000000260 R08: 0000000000000001 R09: 0000000000000000
R10: ffffc900036c78c8 R11: 00000000000075a9 R12: ffffffff89422bb1
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8880d66dc000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f01e4fde2f8 CR3: 000000003084d000 CR4: 0000000000352ef0
----------------
Code disassembly (best guess):
   0:	00 00                	add    %al,(%rax)
   2:	0f 1f 00             	nopl   (%rax)
   5:	90                   	nop
   6:	90                   	nop
   7:	90                   	nop
   8:	90                   	nop
   9:	90                   	nop
   a:	90                   	nop
   b:	90                   	nop
   c:	90                   	nop
   d:	90                   	nop
   e:	90                   	nop
   f:	90                   	nop
  10:	90                   	nop
  11:	90                   	nop
  12:	90                   	nop
  13:	90                   	nop
  14:	90                   	nop
  15:	0f 1f 40 d6          	nopl   -0x2a(%rax)
  19:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  20:	fc ff df
  23:	48 c1 ef 03          	shr    $0x3,%rdi
  27:	48 01 c7             	add    %rax,%rdi
* 2a:	0f b6 07             	movzbl (%rdi),%eax <-- trapping instruction
  2d:	3c 07                	cmp    $0x7,%al
  2f:	0f 96 c0             	setbe  %al
  32:	e9 ce 86 08 09       	jmp    0x9088705
  37:	66                   	data16
  38:	66                   	data16
  39:	2e                   	cs
  3a:	0f                   	.byte 0xf
  3b:	1f                   	(bad)
  3c:	84 00                	test   %al,(%rax)


Tested on:

commit:         c072629f Merge tag 'v6.19-p4' of git://git.kernel.org/..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10c95f9a580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f1fac0919970b671
dashboard link: https://syzkaller.appspot.com/bug?extid=9265e754091c2d27ea29
compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch:          https://syzkaller.appspot.com/x/patch.diff?x=16ec813a580000



* Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_sock_ready_cb (2)
  2026-01-22 21:45 ` syzbot
  2026-01-23  6:38   ` Hillf Danton
@ 2026-01-23 10:26   ` Hillf Danton
  2026-01-23 11:02     ` syzbot
  2026-01-23 22:21   ` Hillf Danton
  2 siblings, 1 reply; 9+ messages in thread
From: Hillf Danton @ 2026-01-23 10:26 UTC (permalink / raw)
  To: syzbot; +Cc: linux-kernel, syzkaller-bugs

> Date: Thu, 22 Jan 2026 13:45:34 -0800
> syzbot has found a reproducer for the following issue on:
> 
> HEAD commit:    a66191c590b3 Merge tag 'hyperv-fixes-signed-20260121' of g..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=11b467fc580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=f1fac0919970b671
> dashboard link: https://syzkaller.appspot.com/bug?extid=9265e754091c2d27ea29
> compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=143e7f9a580000

#syz test

--- x/net/bluetooth/af_bluetooth.c
+++ y/net/bluetooth/af_bluetooth.c
@@ -226,6 +226,7 @@ void bt_accept_enqueue(struct sock *pare
 
 	list_add_tail(&bt_sk(sk)->accept_q, &bt_sk(parent)->accept_q);
 	bt_sk(sk)->parent = parent;
+	sock_hold(parent);
 
 	/* Copy credentials from parent since for incoming connections the
 	 * socket is allocated by the kernel.
@@ -258,6 +259,7 @@ void bt_accept_unlink(struct sock *sk)
 
 	list_del_init(&bt_sk(sk)->accept_q);
 	sk_acceptq_removed(bt_sk(sk)->parent);
+	sock_put(bt_sk(sk)->parent);
 	bt_sk(sk)->parent = NULL;
 	sock_put(sk);
 }
--- x/net/bluetooth/l2cap_sock.c
+++ y/net/bluetooth/l2cap_sock.c
@@ -1473,6 +1473,8 @@ static struct l2cap_chan *l2cap_sock_new
 {
 	struct sock *sk, *parent = chan->data;
 
+	if (!parent)
+		return NULL;
 	lock_sock(parent);
 
 	/* Check for backlog size */
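
Review bot: the `if (!parent) return NULL;` check reads chan->data with no lock held, so whatever clears chan->data can still do so between this test and lock_sock(parent); the window gets smaller, it does not go away. The check is only sound if the clearing side and this read are serialized by a common lock (the channel lock the l2cap_core callers hold when they invoke new_connection), and that should be spelled out in a comment above the test. Returning NULL matches how the callers treat a failed new_connection, but the bare return silently drops an incoming connection, so at least a BT_DBG() noting that the listener is gone would help whoever reads the next report. Kernel style also wants a blank line between the early return and lock_sock().
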
--


* Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_sock_ready_cb (2)
  2026-01-23 10:26   ` Hillf Danton
@ 2026-01-23 11:02     ` syzbot
  0 siblings, 0 replies; 9+ messages in thread
From: syzbot @ 2026-01-23 11:02 UTC (permalink / raw)
  To: hdanton, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in lock_sock_nested

Oops: general protection fault, probably for non-canonical address 0xdffffc000000004c: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000260-0x0000000000000267]
CPU: 1 UID: 0 PID: 6843 Comm: kworker/1:8 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/13/2026
Workqueue: events l2cap_info_timeout
RIP: 0010:kasan_byte_accessible+0x15/0x30 mm/kasan/generic.c:210
Code: 00 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 40 d6 48 b8 00 00 00 00 00 fc ff df 48 c1 ef 03 48 01 c7 <0f> b6 07 3c 07 0f 96 c0 e9 ce 86 08 09 66 66 2e 0f 1f 84 00 00 00
RSP: 0018:ffffc90004717978 EFLAGS: 00010282
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff89422bb1 RDI: dffffc000000004c
RBP: 0000000000000260 R08: 0000000000000001 R09: 0000000000000000
R10: 00000000ffffff80 R11: 0000000000000000 R12: ffffffff89422bb1
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8881246dc000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f80dadab940 CR3: 000000007cc38000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 __kasan_check_byte+0x13/0x50 mm/kasan/common.c:573
 kasan_check_byte include/linux/kasan.h:402 [inline]
 lock_acquire kernel/locking/lockdep.c:5842 [inline]
 lock_acquire+0xf5/0x330 kernel/locking/lockdep.c:5825
 lock_sock_nested+0x41/0xf0 net/core/sock.c:3780
 lock_sock include/net/sock.h:1700 [inline]
 l2cap_sock_ready_cb+0x43/0x1a0 net/bluetooth/l2cap_sock.c:1679
 l2cap_chan_ready net/bluetooth/l2cap_core.c:1247 [inline]
 l2cap_conn_start+0x123/0xb20 net/bluetooth/l2cap_core.c:1513
 l2cap_info_timeout+0x81/0xa0 net/bluetooth/l2cap_core.c:1670
 process_one_work+0x9c2/0x1840 kernel/workqueue.c:3257
 process_scheduled_works kernel/workqueue.c:3340 [inline]
 worker_thread+0x5da/0xe40 kernel/workqueue.c:3421
 kthread+0x3b3/0x730 kernel/kthread.c:463
 ret_from_fork+0x754/0xaf0 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:kasan_byte_accessible+0x15/0x30 mm/kasan/generic.c:210
Code: 00 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 40 d6 48 b8 00 00 00 00 00 fc ff df 48 c1 ef 03 48 01 c7 <0f> b6 07 3c 07 0f 96 c0 e9 ce 86 08 09 66 66 2e 0f 1f 84 00 00 00
RSP: 0018:ffffc90004717978 EFLAGS: 00010282
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff89422bb1 RDI: dffffc000000004c
RBP: 0000000000000260 R08: 0000000000000001 R09: 0000000000000000
R10: 00000000ffffff80 R11: 0000000000000000 R12: ffffffff89422bb1
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8881246dc000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f005ec17dac CR3: 0000000026311000 CR4: 00000000003526f0
----------------
Code disassembly (best guess):
   0:	00 00                	add    %al,(%rax)
   2:	0f 1f 00             	nopl   (%rax)
   5:	90                   	nop
   6:	90                   	nop
   7:	90                   	nop
   8:	90                   	nop
   9:	90                   	nop
   a:	90                   	nop
   b:	90                   	nop
   c:	90                   	nop
   d:	90                   	nop
   e:	90                   	nop
   f:	90                   	nop
  10:	90                   	nop
  11:	90                   	nop
  12:	90                   	nop
  13:	90                   	nop
  14:	90                   	nop
  15:	0f 1f 40 d6          	nopl   -0x2a(%rax)
  19:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  20:	fc ff df
  23:	48 c1 ef 03          	shr    $0x3,%rdi
  27:	48 01 c7             	add    %rax,%rdi
* 2a:	0f b6 07             	movzbl (%rdi),%eax <-- trapping instruction
  2d:	3c 07                	cmp    $0x7,%al
  2f:	0f 96 c0             	setbe  %al
  32:	e9 ce 86 08 09       	jmp    0x9088705
  37:	66                   	data16
  38:	66                   	data16
  39:	2e                   	cs
  3a:	0f                   	.byte 0xf
  3b:	1f                   	(bad)
  3c:	84 00                	test   %al,(%rax)


Tested on:

commit:         c072629f Merge tag 'v6.19-p4' of git://git.kernel.org/..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15b35f9a580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f1fac0919970b671
dashboard link: https://syzkaller.appspot.com/bug?extid=9265e754091c2d27ea29
compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch:          https://syzkaller.appspot.com/x/patch.diff?x=10a38452580000


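
The two syzbot test results above (hci_rx_work and l2cap_info_timeout) fault at the same shadow address, RDI 0xdffffc000000004c, and both print "KASAN: null-ptr-deref in range [0x0000000000000260-0x0000000000000267]". The following is an added example for this thread, not code from the kernel tree or from any of the patches, that decodes such an oops the way the generic KASAN layout on x86_64 with 4-level paging dictates: shadow = (addr >> 3) + 0xdffffc0000000000, one shadow byte per 8-byte granule, which is exactly the movabs/shr/add sequence in the "Code disassembly" section. The constants are copied from the oops registers; the function names, the TASK_SIZE_4L value and the PAGE_SIZE/TASK_SIZE thresholds behind the null-ptr-deref / user-memory / wild-memory labels are my own (the thresholds are my recollection of what the kernel's non-canonical report hook uses).

```c
/*
 * Decode a generic-KASAN shadow fault from an x86_64 oops.
 * Added example for this thread, not kernel code.
 *
 * Assumptions (x86_64, generic KASAN, 4-level paging, as the oops shows):
 *   - shadow(addr) = (addr >> 3) + 0xdffffc0000000000, one shadow byte
 *     per 8-byte granule (the movabs/shr/add sequence in the disassembly);
 *   - the bug-type labels use PAGE_SIZE and TASK_SIZE thresholds as I
 *     recall them from the kernel's non-canonical report hook.
 */
#include <inttypes.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL
#define KASAN_SHADOW_SCALE_SHIFT 3
#define KASAN_GRANULE_SIZE       (1ULL << KASAN_SHADOW_SCALE_SHIFT)
/* Shadow covers the whole 64-bit address space: 2^64 / 8 bytes. */
#define KASAN_MAX_SHADOW_SIZE    (1ULL << (64 - KASAN_SHADOW_SCALE_SHIFT))
#define PAGE_SIZE                4096ULL
#define TASK_SIZE_4L             ((1ULL << 47) - PAGE_SIZE) /* assumed value */

/* Forward map: the pointer kasan_byte_accessible() dereferences. */
static uint64_t kasan_mem_to_shadow(uint64_t addr)
{
	return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* Inverse map: shadow byte -> first byte of the granule it covers. */
static uint64_t kasan_shadow_to_mem(uint64_t shadow)
{
	return (shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
}

/* Bits 63..47 must all equal bit 47 on 4-level x86_64; if they do not,
 * the CPU raises #GP instead of #PF, which is why the oops reads
 * "general protection fault, probably for non-canonical address". */
static bool is_noncanonical(uint64_t addr)
{
	uint64_t top = addr >> 47;	/* bits 63..47 */

	return top != 0 && top != 0x1ffff;
}

/* True when the faulting pointer lies inside the shadow region, i.e. the
 * #GP came from a KASAN check on a bad pointer, not from the bad pointer
 * itself being dereferenced. */
static bool is_kasan_shadow_fault(uint64_t faulting_ptr)
{
	return faulting_ptr >= KASAN_SHADOW_OFFSET &&
	       faulting_ptr < KASAN_SHADOW_OFFSET + KASAN_MAX_SHADOW_SIZE;
}

struct shadow_fault {
	uint64_t shadow;	/* faulting pointer (RDI in the oops) */
	uint64_t mem_start;	/* first byte of the original access granule */
	uint64_t mem_end;	/* last byte of that granule */
	const char *bug_type;	/* label the kernel would print */
};

static struct shadow_fault decode_shadow_fault(uint64_t faulting_ptr)
{
	struct shadow_fault f;

	f.shadow = faulting_ptr;
	f.mem_start = kasan_shadow_to_mem(faulting_ptr);
	f.mem_end = f.mem_start + KASAN_GRANULE_SIZE - 1;
	if (f.mem_start < PAGE_SIZE)
		f.bug_type = "null-ptr-deref";
	else if (f.mem_start < TASK_SIZE_4L)
		f.bug_type = "probably user-memory-access";
	else
		f.bug_type = "maybe wild-memory-access";
	return f;
}

int main(void)
{
	/* RDI and RBP copied from the oopses in this thread. */
	const uint64_t rdi = 0xdffffc000000004cULL;
	const uint64_t rbp = 0x260ULL;
	struct shadow_fault f = decode_shadow_fault(rdi);

	printf("RDI %#" PRIx64 ": %s, noncanonical=%d\n", rdi,
	       is_kasan_shadow_fault(rdi) ? "KASAN shadow address"
					  : "not a shadow address",
	       is_noncanonical(rdi));
	printf("KASAN: %s in range [0x%016" PRIx64 "-0x%016" PRIx64 "]\n",
	       f.bug_type, f.mem_start, f.mem_end);
	/* RBP held the pointer lock_acquire() was checking. */
	printf("RBP %#" PRIx64 " %s the recovered granule\n", rbp,
	       (rbp >= f.mem_start && rbp <= f.mem_end) ? "is inside"
							: "is outside");
	return 0;
}
```

The recovered range is the one syzbot prints, and the shadow round-trip of 0x260 gives the RDI from the oops, so the #GP is KASAN checking a pointer, not the pointer itself being dereferenced. Per the call trace (lock_sock_nested -> lock_acquire -> kasan_check_byte), 0x260 is the socket lock's lockdep map at a fixed offset from a NULL struct sock, which is what separates these two results from the original slab-use-after-free: the callback was handed chan->data == NULL rather than a freed socket.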

* Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_sock_ready_cb (2)
  2026-01-22 21:45 ` syzbot
  2026-01-23  6:38   ` Hillf Danton
  2026-01-23 10:26   ` Hillf Danton
@ 2026-01-23 22:21   ` Hillf Danton
  2026-01-23 23:44     ` syzbot
  2 siblings, 1 reply; 9+ messages in thread
From: Hillf Danton @ 2026-01-23 22:21 UTC (permalink / raw)
  To: syzbot; +Cc: linux-kernel, syzkaller-bugs

> Date: Thu, 22 Jan 2026 13:45:34 -0800
> syzbot has found a reproducer for the following issue on:
> 
> HEAD commit:    a66191c590b3 Merge tag 'hyperv-fixes-signed-20260121' of g..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=11b467fc580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=f1fac0919970b671
> dashboard link: https://syzkaller.appspot.com/bug?extid=9265e754091c2d27ea29
> compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=143e7f9a580000

#syz test

--- x/net/bluetooth/af_bluetooth.c
+++ y/net/bluetooth/af_bluetooth.c
@@ -226,6 +226,7 @@ void bt_accept_enqueue(struct sock *pare
 
 	list_add_tail(&bt_sk(sk)->accept_q, &bt_sk(parent)->accept_q);
 	bt_sk(sk)->parent = parent;
+	sock_hold(parent);
 
 	/* Copy credentials from parent since for incoming connections the
 	 * socket is allocated by the kernel.
@@ -258,6 +259,7 @@ void bt_accept_unlink(struct sock *sk)
 
 	list_del_init(&bt_sk(sk)->accept_q);
 	sk_acceptq_removed(bt_sk(sk)->parent);
+	sock_put(bt_sk(sk)->parent);
 	bt_sk(sk)->parent = NULL;
 	sock_put(sk);
 }
--- x/net/bluetooth/l2cap_sock.c
+++ y/net/bluetooth/l2cap_sock.c
@@ -1473,6 +1473,8 @@ static struct l2cap_chan *l2cap_sock_new
 {
 	struct sock *sk, *parent = chan->data;
 
+	if (!parent)
+		return NULL;
 	lock_sock(parent);
 
 	/* Check for backlog size */
@@ -1674,6 +1676,8 @@ static void l2cap_sock_ready_cb(struct l
 	struct sock *sk = chan->data;
 	struct sock *parent;
 
+	if (!sk)
+		return;
 	lock_sock(sk);
 
 	parent = bt_sk(sk)->parent;
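
Review bot: `if (!sk) return;` tests chan->data with no lock held, the same pattern as the new_connection_cb hunk, so it narrows rather than closes the race with whatever clears chan->data, and when it does fire a ready notification is silently discarded. It also does not address the access the original report flagged: that was a read of an already freed object inside l2cap_sock_ready_cb, and sk being non-NULL says nothing about the lifetime of what is read through sk or parent afterwards. The syzbot pass on this combined patch can therefore just as well come from the sock_hold(parent) in af_bluetooth.c; the two earlier runs show that hunk alone already moves the crash from a use-after-free to a NULL dereference. Test the af_bluetooth.c hunks and the two NULL checks separately before settling on which is the fix, and give whichever is kept a comment naming the race it closes.
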
--


* Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_sock_ready_cb (2)
  2026-01-23 22:21   ` Hillf Danton
@ 2026-01-23 23:44     ` syzbot
  0 siblings, 0 replies; 9+ messages in thread
From: syzbot @ 2026-01-23 23:44 UTC (permalink / raw)
  To: hdanton, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+9265e754091c2d27ea29@syzkaller.appspotmail.com
Tested-by: syzbot+9265e754091c2d27ea29@syzkaller.appspotmail.com

Tested on:

commit:         62085877 Merge tag 'kbuild-fixes-6.19-2' of git://git...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14424bfa580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f1fac0919970b671
dashboard link: https://syzkaller.appspot.com/bug?extid=9265e754091c2d27ea29
compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch:          https://syzkaller.appspot.com/x/patch.diff?x=151e4452580000

Note: testing is done by a robot and is best-effort only.


end of thread, other threads:[~2026-01-23 23:44 UTC | newest]

Thread overview: 9+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-10-01 10:15 [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_sock_ready_cb (2) syzbot
2026-01-22 21:45 ` syzbot
2026-01-23  6:38   ` Hillf Danton
2026-01-23  6:57     ` syzbot
2026-01-23 10:26   ` Hillf Danton
2026-01-23 11:02     ` syzbot
2026-01-23 22:21   ` Hillf Danton
2026-01-23 23:44     ` syzbot
     [not found] <CAHiZj8jFpERHN8xUkMibnpjjAbROC8KN=TBfD4veJCPdWTk8jg@mail.gmail.com>
2024-10-01 13:17 ` syzbot
