public inbox for stable@vger.kernel.org
* 5.4.y missing upstream commit 5c4c8c95, causing: BUG: KASAN: use-after-free in hci_send_acl
@ 2021-05-11 16:29 George Kennedy
  2021-05-12  8:19 ` Greg Kroah-Hartman
  0 siblings, 1 reply; 2+ messages in thread
From: George Kennedy @ 2021-05-11 16:29 UTC (permalink / raw)
  To: Greg Kroah-Hartman; +Cc: stable, Dhaval Giani, dmitry Vyukov

Hello Greg,

During Syzkaller reproducer testing on 5.4.y (5.4.118-rc1) the following 
crash occurred:

BUG: KASAN: use-after-free in hci_send_acl
https://syzkaller.appspot.com/bug?extid=98228e7407314d2d4ba2

We cherry-pick'd upstream commit 5c4c8c95 to 5.4.y and the crash no 
longer occurs (rebooted 10 times with the fix commit - no failures).
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5c4c8c9544099bb9043a10a5318130a943e32fc3 


The cherry-pick of upstream commit 5c4c8c95 was clean.

[  104.800617] BUG: KASAN: use-after-free in hci_send_acl+0x947/0xa30
[  104.802209] Read of size 8 at addr ffff8881023fed18 by task 
kworker/u9:2/16208
[  104.803769]
[  104.804141] CPU: 1 PID: 16208 Comm: kworker/u9:2 Not tainted 
5.4.118-rc1-syzk #1
[  104.805738] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), 
BIOS ?-20190213_084539-x86-ol7-builder-03.us.oracle.com-1.oci.el7 
04/01/2014
[  104.809735] Workqueue: hci0 hci_rx_work
[  104.811394] Call Trace:
[  104.825804]  dump_stack+0xd4/0x119
[  104.827555]  ? hci_send_acl+0x947/0xa30
[  104.828424]  print_address_description.constprop.6+0x20/0x220
[  104.829745]  ? hci_send_acl+0x947/0xa30
[  104.830610]  ? hci_send_acl+0x947/0xa30
[  104.831480]  __kasan_report.cold.9+0x37/0x77
[  104.832581]  ? hci_send_acl+0x947/0xa30
[  104.833420]  kasan_report+0x14/0x20
[  104.834206]  __asan_report_load8_noabort+0x14/0x20
[  104.835145]  hci_send_acl+0x947/0xa30
[  104.835867]  ? __kmalloc_reserve.isra.54+0xf0/0xf0
[  104.836813]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[  104.839089]  l2cap_send_cmd+0x726/0x960
[  104.840753]  l2cap_send_move_chan_cfm_icid+0xae/0x110
[  104.843036]  ? l2cap_send_move_chan_rsp+0x1a0/0x1a0
[  104.845255]  ? l2cap_get_chan_by_scid+0x158/0x1c0
[  104.847264]  l2cap_sig_channel+0x2f3f/0x3cf0
[  104.849131]  ? l2cap_config_rsp+0x1220/0x1220
[  104.850955]  ? probe_sched_wakeup+0x7e/0x90
[  104.852778]  ? ttwu_do_wakeup+0x35a/0x4f0
[  104.854493]  ? hci_cmd_status_evt+0x4ec0/0x4ec0
[  104.856410]  ? __kasan_check_write+0x14/0x20
[  104.858381]  ? _raw_spin_lock_irqsave+0x8e/0xf0
[  104.860429]  ? _raw_write_lock_irqsave+0xe0/0xe0
[  104.862386]  ? __kasan_check_write+0x14/0x20
[  104.864200]  ? __mutex_lock.isra.5+0x486/0xaf0
[  104.866108]  ? try_to_wake_up+0xe0/0x1640
[  104.867786]  ? ww_mutex_lock_interruptible+0xf0/0xf0
[  104.870011]  ? migrate_swap_stop+0x950/0x950
[  104.871814]  l2cap_recv_frame+0x6f7/0xc60
[  104.873603]  ? l2cap_sig_channel+0x3cf0/0x3cf0
[  104.875575]  ? __mutex_unlock_slowpath.isra.16+0x1db/0x310
[  104.877998]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  104.880202]  ? hci_conn_enter_active_mode+0x179/0x360
[  104.882466]  ? __ww_mutex_check_waiters+0x220/0x220
[  104.884529]  l2cap_recv_acldata+0x924/0xa50
[  104.885994]  hci_rx_work+0x824/0x970
[  104.887425]  process_one_work+0x791/0x10b0
[  104.889207]  worker_thread+0x90/0xcf0
[  104.890759]  kthread+0x332/0x3f0
[  104.892269]  ? create_worker+0x5f0/0x5f0
[  104.894132]  ? kthread_parkme+0xb0/0xb0
[  104.895774]  ret_from_fork+0x22/0x40
[  104.897513]
[  104.898224] Allocated by task 16208:
[  104.899856]  save_stack+0x21/0x90
[  104.901411]  __kasan_kmalloc.constprop.11+0xc1/0xd0
[  104.903538]  kasan_kmalloc+0x9/0x10
[  104.905124]  kmem_cache_alloc_trace+0x113/0x270
[  104.907061]  hci_chan_create+0xb8/0x3e0
[  104.908654]  l2cap_conn_add.part.40+0x26/0xd50
[  104.910623]  l2cap_connect_cfm+0x9b3/0xfc0
[  104.912532]  hci_connect_cfm+0x9c/0x140
[  104.914205]  hci_event_packet+0x5f91/0xa150
[  104.915981]  hci_rx_work+0x48a/0x970
[  104.917651]  process_one_work+0x791/0x10b0
[  104.919419]  worker_thread+0x90/0xcf0
[  104.921055]  kthread+0x332/0x3f0
[  104.922533]  ret_from_fork+0x22/0x40
[  104.924075]
[  104.924708] Freed by task 16208:
[  104.926182]  save_stack+0x21/0x90
[  104.927677]  __kasan_slab_free+0x131/0x180
[  104.929379]  kasan_slab_free+0xe/0x10
[  104.930990]  kfree+0x98/0x270
[  104.932194]  hci_chan_del+0x161/0x210
[  104.933805]  amp_destroy_logical_link+0x29/0x60
[  104.935817]  hci_event_packet+0x1f56/0xa150
[  104.937677]  hci_rx_work+0x48a/0x970
[  104.939162]  process_one_work+0x791/0x10b0
[  104.941092]  worker_thread+0x90/0xcf0
[  104.942816]  kthread+0x332/0x3f0
[  104.944241]  ret_from_fork+0x22/0x40
[  104.945839]
[  104.946554] The buggy address belongs to the object at ffff8881023fed00
[  104.946554]  which belongs to the cache kmalloc-64 of size 64
[  104.951778] The buggy address is located 24 bytes inside of
[  104.951778]  64-byte region [ffff8881023fed00, ffff8881023fed40)
[  104.956948] The buggy address belongs to the page:
[  104.959184] page:ffffea000408ff80 refcount:1 mapcount:0 
mapping:ffff888107c03600 index:0x0
[  104.962973] flags: 0x17ffffc0000200(slab)
[  104.964724] raw: 0017ffffc0000200 ffffea0004125b00 0000000a00000009 
ffff888107c03600
[  104.968106] raw: 0000000000000000 0000000080200020 00000001ffffffff 
0000000000000000
[  104.971453] page dumped because: kasan: bad access detected
[  104.973813]
[  104.974490] Memory state around the buggy address:
[  104.976750]  ffff8881023fec00: fb fb fb fb fb fb fb fb fc fc fc fc fc 
fc fc fc
[  104.979901]  ffff8881023fec80: fb fb fb fb fb fb fb fb fc fc fc fc fc 
fc fc fc
[  104.983056] >ffff8881023fed00: fb fb fb fb fb fb fb fb fc fc fc fc fc 
fc fc fc
[  104.986316]                             ^
[  104.988049]  ffff8881023fed80: fb fb fb fb fb fb fb fb fc fc fc fc fc 
fc fc fc
[  104.991889]  ffff8881023fee00: fb fb fb fb fb fb fb fb fc fc fc fc fc 
fc fc fc
[  104.995247] 
==================================================================

Thank you,
George

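The report above carries everything a stable maintainer needs to judge the backport request: the access (an 8-byte read in hci_send_acl), the object's lifecycle (allocated by hci_chan_create on the l2cap_connect_cfm path, freed by hci_chan_del on the amp_destroy_logical_link path) and the slab it lived in (kmalloc-64, offset 24). The script below is an added example, not part of the thread or of the kernel; it parses a KASAN report in dmesg format into those fields and filters out the KASAN/allocator frames so the first subsystem frame of each stack stands out. SAMPLE_REPORT is a constructed excerpt with the same symbols and addresses as the report above, trimmed to the lines the parser uses; the NOISE prefixes are an assumption about which frames are instrumentation rather than code under test.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed excerpt modelled on the KASAN report in the email above: the
# same symbols and addresses, trimmed to the lines the parser cares about.
SAMPLE_REPORT = """\
[  104.800617] BUG: KASAN: use-after-free in hci_send_acl+0x947/0xa30
[  104.802209] Read of size 8 at addr ffff8881023fed18 by task kworker/u9:2/16208
[  104.804141] CPU: 1 PID: 16208 Comm: kworker/u9:2 Not tainted 5.4.118-rc1-syzk #1
[  104.811394] Call Trace:
[  104.825804]  dump_stack+0xd4/0x119
[  104.827555]  ? hci_send_acl+0x947/0xa30
[  104.835145]  hci_send_acl+0x947/0xa30
[  104.839089]  l2cap_send_cmd+0x726/0x960
[  104.840753]  l2cap_send_move_chan_cfm_icid+0xae/0x110
[  104.898224] Allocated by task 16208:
[  104.899856]  save_stack+0x21/0x90
[  104.901411]  __kasan_kmalloc.constprop.11+0xc1/0xd0
[  104.905124]  kmem_cache_alloc_trace+0x113/0x270
[  104.907061]  hci_chan_create+0xb8/0x3e0
[  104.908654]  l2cap_conn_add.part.40+0x26/0xd50
[  104.924708] Freed by task 16208:
[  104.926182]  save_stack+0x21/0x90
[  104.927677]  __kasan_slab_free+0x131/0x180
[  104.930990]  kfree+0x98/0x270
[  104.932194]  hci_chan_del+0x161/0x210
[  104.933805]  amp_destroy_logical_link+0x29/0x60
[  104.946554] The buggy address belongs to the object at ffff8881023fed00
[  104.946554]  which belongs to the cache kmalloc-64 of size 64
[  104.951778] The buggy address is located 24 bytes inside of
[  104.951778]  64-byte region [ffff8881023fed00, ffff8881023fed40)
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")                       # dmesg timestamp prefix
HEADER = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)")
ACCESS = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr "
                    r"(?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
CACHE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
OFFSET = re.compile(r"located (?P<off>\d+) bytes inside of")
FRAME = re.compile(r"^\s+(?P<q>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
SECTIONS = {"Call Trace:": "access", "Allocated by task": "alloc", "Freed by task": "free"}

# Assumed instrumentation/allocator frame prefixes. The first frame of a stack
# that does NOT start with one of these is the subsystem code that performed
# the access, allocation or free.
NOISE = ("save_stack", "dump_stack", "print_address", "__kasan", "kasan_",
         "__asan", "kmem_cache", "kmalloc", "__kmalloc", "kfree")


@dataclass
class KasanReport:
    kind: str = ""        # e.g. "use-after-free"
    func: str = ""        # function in which the bad access was detected
    op: str = ""          # "Read" or "Write"
    size: int = 0         # access size in bytes
    addr: str = ""        # faulting address
    task: str = ""        # task performing the access
    cache: str = ""       # slab cache the object belongs to
    obj_size: int = 0     # object size in that cache
    offset: int = -1      # offset of the access inside the object
    stacks: Dict[str, List[str]] = field(
        default_factory=lambda: {"access": [], "alloc": [], "free": []})

    def site(self, which: str) -> Optional[str]:
        """First non-instrumentation frame of the access/alloc/free stack."""
        return next((s for s in self.stacks[which] if not s.startswith(NOISE)), None)


def parse_kasan(text: str) -> KasanReport:
    """Parse one KASAN report (dmesg format) into a KasanReport."""
    r = KasanReport()
    section = None
    for raw in text.splitlines():
        line = TS.sub("", raw)
        if m := HEADER.search(line):
            r.kind, r.func = m["kind"], m["func"]
        elif m := ACCESS.search(line):
            r.op, r.size, r.addr, r.task = m["op"], int(m["size"]), m["addr"], m["task"]
        elif m := CACHE.search(line):
            r.cache, r.obj_size = m["cache"], int(m["size"])
        elif m := OFFSET.search(line):
            r.offset = int(m["off"])
        else:
            key = next((k for k in SECTIONS if line.strip().startswith(k)), None)
            if key:
                section = SECTIONS[key]
            elif section and (m := FRAME.match(line)) and not m["q"]:
                # '? ' frames are stale stack slots, not part of the live call chain.
                r.stacks[section].append(m["sym"])
    return r


def summarize(r: KasanReport) -> str:
    """One-line triage summary: what was touched, where, and its lifecycle."""
    return (f"{r.kind}: {r.op.lower()} of {r.size} bytes at offset {r.offset} "
            f"of a {r.cache} object in {r.site('access')}; "
            f"allocated by {r.site('alloc')}, freed by {r.site('free')}")


if __name__ == "__main__":
    print(summarize(parse_kasan(SAMPLE_REPORT)))
```

Run on a full dmesg the same way (`parse_kasan(open("dmesg.txt").read())`); the alloc and free sites are the two symbols to grep for in the candidate fix commit, which is the quickest way to confirm that a cherry-pick such as 5c4c8c95 actually touches the lifecycle of the object KASAN flagged rather than merely hiding the report.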

* Re: 5.4.y missing upstream commit 5c4c8c95, causing: BUG: KASAN: use-after-free in hci_send_acl
  2021-05-11 16:29 5.4.y missing upstream commit 5c4c8c95, causing: BUG: KASAN: use-after-free in hci_send_acl George Kennedy
@ 2021-05-12  8:19 ` Greg Kroah-Hartman
  0 siblings, 0 replies; 2+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-12  8:19 UTC (permalink / raw)
  To: George Kennedy; +Cc: stable, Dhaval Giani, dmitry Vyukov

On Tue, May 11, 2021 at 12:29:49PM -0400, George Kennedy wrote:
> Hello Greg,
> 
> During Syzkaller reproducer testing on 5.4.y (5.4.118-rc1) the following
> crash occurred:
> 
> BUG: KASAN: use-after-free in hci_send_acl
> https://syzkaller.appspot.com/bug?extid=98228e7407314d2d4ba2
> 
> We cherry-pick'd upstream commit 5c4c8c95 to 5.4.y and the crash no longer
> occurs (rebooted 10 times with the fix commit - no failures).
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5c4c8c9544099bb9043a10a5318130a943e32fc3

Now queued up, thanks.

greg k-h

