syzbot


KASAN: use-after-free Read in skb_dequeue (2)

Status: fixed on 2021/10/15 14:38
Reported-by: syzbot+0be1a2e39756cde33649@syzkaller.appspotmail.com
Fix commit: f7bffefa322a tty: Fix data race between tiocsti() and flush_to_ldisc()
First crash: 1193d, last: 1163d
Fix bisection: fixed by (bisect log) :
commit f7bffefa322a3d5a292c0b7a9b93302b392928f6
Author: Nguyen Dinh Phi <phind.uet@gmail.com>
Date: Mon Aug 23 00:06:41 2021 +0000

  tty: Fix data race between tiocsti() and flush_to_ldisc()

  
Similar bugs (7)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-54 KASAN: use-after-free Read in skb_dequeue syz 1 1192d 1192d 0/2 auto-obsoleted due to no activity on 2023/04/23 02:47
android-49 KASAN: use-after-free Read in skb_dequeue (2) 8 2303d 2469d 0/3 auto-closed as invalid on 2019/02/22 12:37
upstream general protection fault in skb_dequeue (2) bluetooth C inconclusive done 9 1138d 1222d 0/28 auto-closed as invalid on 2022/10/03 17:36
upstream KASAN: use-after-free Read in skb_dequeue net C 4 2345d 2345d 8/28 fixed on 2018/07/09 18:05
linux-4.19 KASAN: use-after-free Read in skb_dequeue syz done 1 1366d 1570d 1/1 fixed on 2021/03/29 19:17
android-44 KASAN: use-after-free Read in skb_dequeue 1 2275d 2275d 0/2 auto-closed as invalid on 2019/02/25 16:09
upstream general protection fault in skb_dequeue (3) wireless C done 6 649d 659d 22/28 fixed on 2023/06/08 14:41
Fix bisection attempts (2)
Created Duration User Patch Repo Result
2021/10/15 07:51 3h44m bisect fix linux-4.19.y OK (1) job log
2021/09/15 06:21 33m bisect fix linux-4.19.y OK (0) job log log

Sample crash report:
Bluetooth: hci10: Frame reassembly failed (-84)
Bluetooth: hci10: Received unexpected HCI Event 00000000
Bluetooth: hci11: Frame reassembly failed (-84)
Bluetooth: hci11: Received unexpected HCI Event 00000000
==================================================================
BUG: KASAN: use-after-free in __skb_unlink include/linux/skbuff.h:1916 [inline]
BUG: KASAN: use-after-free in __skb_dequeue include/linux/skbuff.h:1936 [inline]
BUG: KASAN: use-after-free in skb_dequeue+0x15f/0x180 net/core/skbuff.c:2838
Read of size 8 at addr ffff8880a154ee80 by task kworker/u5:3/8166

CPU: 0 PID: 8166 Comm: kworker/u5:3 Not tainted 4.19.204-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: hci11 hci_rx_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
 kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
 kasan_report mm/kasan/report.c:412 [inline]
 __asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433
 __skb_unlink include/linux/skbuff.h:1916 [inline]
 __skb_dequeue include/linux/skbuff.h:1936 [inline]
 skb_dequeue+0x15f/0x180 net/core/skbuff.c:2838
 hci_rx_work+0x6d/0xc70 net/bluetooth/hci_core.c:4331
 process_one_work+0x864/0x1570 kernel/workqueue.c:2153
 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
 kthread+0x33f/0x460 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

Allocated by task 9547:
 kmem_cache_alloc_node+0x146/0x3b0 mm/slab.c:3649
 __alloc_skb+0x71/0x560 net/core/skbuff.c:193
 alloc_skb include/linux/skbuff.h:995 [inline]
 bt_skb_alloc include/net/bluetooth/bluetooth.h:339 [inline]
 h4_recv_buf+0x57c/0xda0 drivers/bluetooth/hci_h4.c:197
 h4_recv+0xdf/0x1f0 drivers/bluetooth/hci_h4.c:131
 hci_uart_tty_receive+0x221/0x530 drivers/bluetooth/hci_ldisc.c:621
 tiocsti drivers/tty/tty_io.c:2194 [inline]
 tty_ioctl+0xff8/0x15c0 drivers/tty/tty_io.c:2580
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:501 [inline]
 do_vfs_ioctl+0xcdb/0x12e0 fs/ioctl.c:688
 ksys_ioctl+0x9b/0xc0 fs/ioctl.c:705
 __do_sys_ioctl fs/ioctl.c:712 [inline]
 __se_sys_ioctl fs/ioctl.c:710 [inline]
 __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:710
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 8166:
 __cache_free mm/slab.c:3503 [inline]
 kmem_cache_free+0x7f/0x260 mm/slab.c:3765
 kfree_skbmem+0xc1/0x140 net/core/skbuff.c:595
 __kfree_skb net/core/skbuff.c:655 [inline]
 kfree_skb+0x127/0x3d0 net/core/skbuff.c:672
 hci_event_packet+0x32c/0x7e20 net/bluetooth/hci_event.c:5963
 hci_rx_work+0x4ad/0xc70 net/bluetooth/hci_core.c:4366
 process_one_work+0x864/0x1570 kernel/workqueue.c:2153
 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
 kthread+0x33f/0x460 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

The buggy address belongs to the object at ffff8880a154ee80
 which belongs to the cache skbuff_head_cache of size 232
The buggy address is located 0 bytes inside of
 232-byte region [ffff8880a154ee80, ffff8880a154ef68)
The buggy address belongs to the page:
page:ffffea0002855380 count:1 mapcount:0 mapping:ffff8880b5b8fd80 index:0x0
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffffea0002662908 ffffea000266a808 ffff8880b5b8fd80
raw: 0000000000000000 ffff8880a154e0c0 000000010000000c 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a154ed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880a154ee00: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
>ffff8880a154ee80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff8880a154ef00: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
 ffff8880a154ef80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Crashes (2):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2021/08/16 06:05 linux-4.19.y 59456c9cc40c 2489ab88 .config console log report syz C ci2-linux-4-19 KASAN: use-after-free Read in skb_dequeue
2021/08/16 06:21 linux-4.19.y 59456c9cc40c 2489ab88 .config console log report syz ci2-linux-4-19 KASAN: use-after-free Read in skb_dequeue
* Struck through repros no longer work on HEAD.