syzbot

 sign-in | mailing list | source | docs
🐞 Open [671]
🐞 Fixed [94]
🐞 Invalid [486]
Missing Backports [36]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

KASAN: use-after-free Read in set_powered_sync

Status: upstream: reported on 2024/08/28 07:12
Reported-by: syzbot+2fa6ee3e737c3d3ba163@syzkaller.appspotmail.com
First crash: 67d, last: 3d19h
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: slab-use-after-free Read in set_powered_sync bluetooth C done 118 15h14m 111d 0/28 upstream: reported C repro on 2024/07/15 09:36

Sample crash report:
Bluetooth: hci0: Opcode 0x0c03 failed: -110
==================================================================
BUG: KASAN: use-after-free in set_powered_sync+0x40/0xdc net/bluetooth/mgmt.c:1365
Read of size 8 at addr ffff0000f0d32118 by task kworker/u5:1/4298

CPU: 0 PID: 4298 Comm: kworker/u5:1 Not tainted 6.1.114-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: hci0 hci_cmd_sync_work
Call trace:
 dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:284 [inline]
 print_report+0x174/0x4c0 mm/kasan/report.c:395
 kasan_report+0xd4/0x130 mm/kasan/report.c:495
 __asan_report_load8_noabort+0x2c/0x38 mm/kasan/report_generic.c:351
 set_powered_sync+0x40/0xdc net/bluetooth/mgmt.c:1365
 hci_cmd_sync_work+0x1cc/0x34c net/bluetooth/hci_sync.c:322
 process_one_work+0x7ac/0x1404 kernel/workqueue.c:2292
 worker_thread+0x8e4/0xfec kernel/workqueue.c:2439
 kthread+0x250/0x2d8 kernel/kthread.c:376
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:864

Allocated by task 5349:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4c/0x80 mm/kasan/common.c:52
 kasan_save_alloc_info+0x24/0x30 mm/kasan/generic.c:505
 ____kasan_kmalloc mm/kasan/common.c:374 [inline]
 __kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:383
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 kmalloc_trace+0x7c/0x94 mm/slab_common.c:1031
 kmalloc include/linux/slab.h:557 [inline]
 kzalloc include/linux/slab.h:693 [inline]
 mgmt_pending_new+0x70/0x248 net/bluetooth/mgmt_util.c:269
 mgmt_pending_add+0x48/0x124 net/bluetooth/mgmt_util.c:296
 set_powered+0x240/0x44c net/bluetooth/mgmt.c:1398
 hci_mgmt_cmd+0x7c4/0xbf8 net/bluetooth/hci_sock.c:1652
 hci_sock_sendmsg+0x58c/0xd08 net/bluetooth/hci_sock.c:1772
 sock_sendmsg_nosec net/socket.c:718 [inline]
 __sock_sendmsg net/socket.c:730 [inline]
 sock_write_iter+0x2d8/0x414 net/socket.c:1143
 call_write_iter include/linux/fs.h:2265 [inline]
 new_sync_write fs/read_write.c:491 [inline]
 vfs_write+0x610/0x91c fs/read_write.c:584
 ksys_write+0x15c/0x26c fs/read_write.c:637
 __do_sys_write fs/read_write.c:649 [inline]
 __se_sys_write fs/read_write.c:646 [inline]
 __arm64_sys_write+0x7c/0x90 fs/read_write.c:646
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
 do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:204
 el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585

Freed by task 4298:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4c/0x80 mm/kasan/common.c:52
 kasan_save_free_info+0x38/0x5c mm/kasan/generic.c:516
 ____kasan_slab_free+0x144/0x1c0 mm/kasan/common.c:236
 __kasan_slab_free+0x18/0x28 mm/kasan/common.c:244
 kasan_slab_free include/linux/kasan.h:177 [inline]
 slab_free_hook mm/slub.c:1724 [inline]
 slab_free_freelist_hook mm/slub.c:1750 [inline]
 slab_free mm/slub.c:3661 [inline]
 __kmem_cache_free+0x2c0/0x4b4 mm/slub.c:3674
 kfree+0xcc/0x1b8 mm/slab_common.c:988
 mgmt_pending_free+0xc8/0x118 net/bluetooth/mgmt_util.c:309
 settings_rsp+0x274/0x35c net/bluetooth/mgmt.c:1447
 mgmt_pending_foreach+0xd4/0x148 net/bluetooth/mgmt_util.c:259
 __mgmt_power_off+0x114/0x3dc net/bluetooth/mgmt.c:9481
 hci_dev_close_sync+0x478/0xf6c net/bluetooth/hci_sync.c:5062
 hci_dev_do_close net/bluetooth/hci_core.c:510 [inline]
 hci_error_reset+0x108/0x35c net/bluetooth/hci_core.c:1021
 process_one_work+0x7ac/0x1404 kernel/workqueue.c:2292
 worker_thread+0x8e4/0xfec kernel/workqueue.c:2439
 kthread+0x250/0x2d8 kernel/kthread.c:376
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:864

The buggy address belongs to the object at ffff0000f0d32100
 which belongs to the cache kmalloc-128 of size 128
The buggy address is located 24 bytes inside of
 128-byte region [ffff0000f0d32100, ffff0000f0d32180)

The buggy address belongs to the physical page:
page:000000003f3ae885 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x130d32
flags: 0x5ffc00000000200(slab|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000200 fffffc0003c96440 dead000000000004 ffff0000c0002300
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000f0d32000: 05 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff0000f0d32080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff0000f0d32100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
 ffff0000f0d32180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff0000f0d32200: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Crashes (4):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/10/30 16:14 linux-6.1.y 7ec6f9fa3d97 fb888278 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: use-after-free Read in set_powered_sync
2024/10/07 04:51 linux-6.1.y aa4cd140bba5 d7906eff .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: use-after-free Read in set_powered_sync
2024/10/01 06:02 linux-6.1.y aa4cd140bba5 bbd4e0a4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: use-after-free Read in set_powered_sync
2024/08/28 07:12 linux-6.1.y ee5e09825b81 6c853ff9 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: use-after-free Read in set_powered_sync
* Struck through repros no longer work on HEAD.