syzbot |
sign-in | mailing list | source | docs |
Bluetooth: hci0: Opcode 0x0c03 failed: -110 ================================================================== BUG: KASAN: use-after-free in set_powered_sync+0x36/0xb0 net/bluetooth/mgmt.c:1365 Read of size 8 at addr ffff88805648b218 by task kworker/u5:7/4261 CPU: 1 PID: 4261 Comm: kworker/u5:7 Not tainted 6.1.119-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: hci0 hci_cmd_sync_work Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106 print_address_description mm/kasan/report.c:284 [inline] print_report+0x15f/0x4f0 mm/kasan/report.c:395 kasan_report+0x136/0x160 mm/kasan/report.c:495 set_powered_sync+0x36/0xb0 net/bluetooth/mgmt.c:1365 hci_cmd_sync_work+0x224/0x400 net/bluetooth/hci_sync.c:322 process_one_work+0x8a9/0x11d0 kernel/workqueue.c:2292 worker_thread+0xa47/0x1200 kernel/workqueue.c:2439 kthread+0x28d/0x320 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 </TASK> Allocated by task 13332: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x4b/0x70 mm/kasan/common.c:52 ____kasan_kmalloc mm/kasan/common.c:374 [inline] __kasan_kmalloc+0x97/0xb0 mm/kasan/common.c:383 kmalloc include/linux/slab.h:557 [inline] kzalloc include/linux/slab.h:693 [inline] mgmt_pending_new+0x61/0x240 net/bluetooth/mgmt_util.c:269 mgmt_pending_add+0x32/0x120 net/bluetooth/mgmt_util.c:296 set_powered+0x315/0x510 net/bluetooth/mgmt.c:1398 hci_mgmt_cmd+0x9f9/0xf00 net/bluetooth/hci_sock.c:1652 hci_sock_sendmsg+0x797/0x1170 net/bluetooth/hci_sock.c:1772 sock_sendmsg_nosec net/socket.c:718 [inline] __sock_sendmsg net/socket.c:730 [inline] sock_write_iter+0x394/0x4e0 net/socket.c:1143 call_write_iter include/linux/fs.h:2265 [inline] new_sync_write fs/read_write.c:491 [inline] vfs_write+0x857/0xbc0 fs/read_write.c:584 ksys_write+0x19c/0x2c0 fs/read_write.c:637 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 Freed by task 4261: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x4b/0x70 mm/kasan/common.c:52 kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:516 ____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236 kasan_slab_free include/linux/kasan.h:177 [inline] slab_free_hook mm/slub.c:1724 [inline] slab_free_freelist_hook mm/slub.c:1750 [inline] slab_free mm/slub.c:3661 [inline] __kmem_cache_free+0x25c/0x3c0 mm/slub.c:3674 settings_rsp+0x2b8/0x380 net/bluetooth/mgmt.c:1447 mgmt_pending_foreach+0xc9/0x120 net/bluetooth/mgmt_util.c:259 __mgmt_power_off+0x10e/0x410 net/bluetooth/mgmt.c:9494 hci_dev_close_sync+0x5d4/0xfc0 net/bluetooth/hci_sync.c:5057 hci_dev_do_close net/bluetooth/hci_core.c:510 [inline] hci_error_reset+0x12c/0x3c0 net/bluetooth/hci_core.c:1021 process_one_work+0x8a9/0x11d0 kernel/workqueue.c:2292 worker_thread+0xa47/0x1200 kernel/workqueue.c:2439 kthread+0x28d/0x320 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 Last potentially related work creation: kasan_save_stack+0x3b/0x60 mm/kasan/common.c:45 __kasan_record_aux_stack+0xb0/0xc0 mm/kasan/generic.c:486 kvfree_call_rcu+0x116/0x8c0 kernel/rcu/tree.c:3401 cfg80211_update_known_bss+0x16b/0x9e0 cfg80211_bss_update+0x187/0x2280 net/wireless/scan.c:1817 cfg80211_inform_single_bss_frame_data net/wireless/scan.c:2476 [inline] cfg80211_inform_bss_frame_data+0xae4/0x1680 net/wireless/scan.c:2509 ieee80211_bss_info_update+0x847/0xf00 net/mac80211/scan.c:190 ieee80211_rx_bss_info net/mac80211/ibss.c:1120 [inline] ieee80211_rx_mgmt_probe_beacon net/mac80211/ibss.c:1609 [inline] ieee80211_ibss_rx_queued_mgmt+0x1962/0x2dd0 net/mac80211/ibss.c:1638 ieee80211_iface_process_skb net/mac80211/iface.c:1668 [inline] ieee80211_iface_work+0x7aa/0xce0 net/mac80211/iface.c:1722 process_one_work+0x8a9/0x11d0 kernel/workqueue.c:2292 worker_thread+0xa47/0x1200 kernel/workqueue.c:2439 kthread+0x28d/0x320 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 Second to last potentially related work creation: kasan_save_stack+0x3b/0x60 mm/kasan/common.c:45 __kasan_record_aux_stack+0xb0/0xc0 mm/kasan/generic.c:486 kvfree_call_rcu+0x116/0x8c0 kernel/rcu/tree.c:3401 cfg80211_update_known_bss+0x16b/0x9e0 cfg80211_bss_update+0x187/0x2280 net/wireless/scan.c:1817 cfg80211_inform_single_bss_frame_data net/wireless/scan.c:2476 [inline] cfg80211_inform_bss_frame_data+0xae4/0x1680 net/wireless/scan.c:2509 ieee80211_bss_info_update+0x847/0xf00 net/mac80211/scan.c:190 ieee80211_rx_bss_info net/mac80211/ibss.c:1120 [inline] ieee80211_rx_mgmt_probe_beacon net/mac80211/ibss.c:1609 [inline] ieee80211_ibss_rx_queued_mgmt+0x1962/0x2dd0 net/mac80211/ibss.c:1638 ieee80211_iface_process_skb net/mac80211/iface.c:1668 [inline] ieee80211_iface_work+0x7aa/0xce0 net/mac80211/iface.c:1722 process_one_work+0x8a9/0x11d0 kernel/workqueue.c:2292 worker_thread+0xa47/0x1200 kernel/workqueue.c:2439 kthread+0x28d/0x320 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 The buggy address belongs to the object at ffff88805648b200 which belongs to the cache kmalloc-96 of size 96 The buggy address is located 24 bytes inside of 96-byte region [ffff88805648b200, ffff88805648b260) The buggy address belongs to the physical page: page:ffffea00015922c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5648b flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000200 ffffea000083cfc0 dead000000000005 ffff888017c41780 raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL), pid 4253, tgid 4253 (kworker/0:3), ts 65376299043, free_ts 12431367553 set_page_owner include/linux/page_owner.h:31 [inline] post_alloc_hook+0x18d/0x1b0 mm/page_alloc.c:2517 prep_new_page mm/page_alloc.c:2524 [inline] get_page_from_freelist+0x3731/0x38d0 mm/page_alloc.c:4313 __alloc_pages+0x28d/0x770 mm/page_alloc.c:5590 alloc_slab_page+0x6a/0x150 mm/slub.c:1794 allocate_slab mm/slub.c:1939 [inline] new_slab+0x84/0x2d0 mm/slub.c:1992 ___slab_alloc+0xc20/0x1270 mm/slub.c:3180 __slab_alloc mm/slub.c:3279 [inline] slab_alloc_node mm/slub.c:3364 [inline] __kmem_cache_alloc_node+0x19f/0x260 mm/slub.c:3437 kmalloc_trace+0x26/0xe0 mm/slab_common.c:1026 kmalloc include/linux/slab.h:557 [inline] dst_cow_metrics_generic+0x52/0x1b0 net/core/dst.c:202 dst_metrics_write_ptr include/net/dst.h:119 [inline] dst_metric_set include/net/dst.h:180 [inline] icmp6_dst_alloc+0x2bf/0x470 net/ipv6/route.c:3282 mld_sendpack+0x6b9/0xde0 net/ipv6/mcast.c:1809 ipv6_mc_dad_complete+0x84/0x390 net/ipv6/mcast.c:2247 addrconf_dad_completed+0x72e/0xcb0 net/ipv6/addrconf.c:4260 addrconf_dad_work+0xd8e/0x16b0 process_one_work+0x8a9/0x11d0 kernel/workqueue.c:2292 worker_thread+0xa47/0x1200 kernel/workqueue.c:2439 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1444 [inline] free_pcp_prepare mm/page_alloc.c:1494 [inline] free_unref_page_prepare+0xf63/0x1120 mm/page_alloc.c:3369 free_unref_page+0x33/0x3e0 mm/page_alloc.c:3464 free_contig_range+0x9a/0x150 mm/page_alloc.c:9550 destroy_args+0xfe/0x997 mm/debug_vm_pgtable.c:1031 debug_vm_pgtable+0x416/0x46b mm/debug_vm_pgtable.c:1354 do_one_initcall+0x265/0x8f0 init/main.c:1298 do_initcall_level+0x157/0x207 init/main.c:1371 do_initcalls+0x49/0x86 init/main.c:1387 kernel_init_freeable+0x45c/0x60f init/main.c:1626 kernel_init+0x19/0x290 init/main.c:1514 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 Memory state around the buggy address: ffff88805648b100: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffff88805648b180: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc >ffff88805648b200: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ^ ffff88805648b280: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffff88805648b300: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2024/12/13 23:45 | linux-6.1.y | e4d90d63d385 | 7cbfbb3a | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in set_powered_sync | ||
| 2024/12/11 20:39 | linux-6.1.y | e4d90d63d385 | ff949d25 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan-arm64 | KASAN: use-after-free Read in set_powered_sync | ||
| 2024/10/30 16:14 | linux-6.1.y | 7ec6f9fa3d97 | fb888278 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan-arm64 | KASAN: use-after-free Read in set_powered_sync | ||
| 2024/10/07 04:51 | linux-6.1.y | aa4cd140bba5 | d7906eff | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan-arm64 | KASAN: use-after-free Read in set_powered_sync | ||
| 2024/10/01 06:02 | linux-6.1.y | aa4cd140bba5 | bbd4e0a4 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan-arm64 | KASAN: use-after-free Read in set_powered_sync | ||
| 2024/08/28 07:12 | linux-6.1.y | ee5e09825b81 | 6c853ff9 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan-arm64 | KASAN: use-after-free Read in set_powered_sync |