syzbot


KASAN: slab-use-after-free Read in l2cap_send_cmd

Status: upstream: reported on 2024/02/26 09:32
Subsystems: bluetooth
[Documentation on labels]
Reported-by: syzbot+31c2f641b850a348a734@syzkaller.appspotmail.com
First crash: 287d, last: 8d00h
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_send_cmd 0 (1) 2024/02/26 09:32

Sample crash report:
Bluetooth: Wrong link type (-71)
==================================================================
BUG: KASAN: slab-use-after-free in l2cap_build_cmd net/bluetooth/l2cap_core.c:2964 [inline]
BUG: KASAN: slab-use-after-free in l2cap_send_cmd+0x187/0x8d0 net/bluetooth/l2cap_core.c:954
Read of size 8 at addr ffff88805982c000 by task kworker/u9:4/5854

CPU: 0 UID: 0 PID: 5854 Comm: kworker/u9:4 Not tainted 6.12.0-syzkaller-09073-g9f16d5e6f220 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: hci3 hci_rx_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:489
 kasan_report+0x143/0x180 mm/kasan/report.c:602
 l2cap_build_cmd net/bluetooth/l2cap_core.c:2964 [inline]
 l2cap_send_cmd+0x187/0x8d0 net/bluetooth/l2cap_core.c:954
 l2cap_recv_frame+0x91b9/0x10db0
 hci_acldata_packet net/bluetooth/hci_core.c:3801 [inline]
 hci_rx_work+0x508/0xdb0 net/bluetooth/hci_core.c:4044
 process_one_work kernel/workqueue.c:3229 [inline]
 process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
 worker_thread+0x870/0xd30 kernel/workqueue.c:3391
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

Allocated by task 5848:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:260 [inline]
 __kmalloc_cache_noprof+0x19c/0x2c0 mm/slub.c:4295
 kmalloc_noprof include/linux/slab.h:879 [inline]
 kzalloc_noprof include/linux/slab.h:1015 [inline]
 l2cap_conn_add+0xa9/0x8e0 net/bluetooth/l2cap_core.c:6860
 l2cap_connect_cfm+0x136/0x1220 net/bluetooth/l2cap_core.c:7237
 hci_connect_cfm+0xa2/0x150 include/net/bluetooth/hci_core.h:2035
 le_conn_complete_evt+0xd3e/0x12e0 net/bluetooth/hci_event.c:5763
 hci_le_conn_complete_evt+0x18c/0x420 net/bluetooth/hci_event.c:5789
 hci_event_func net/bluetooth/hci_event.c:7481 [inline]
 hci_event_packet+0xa55/0x1540 net/bluetooth/hci_event.c:7536
 hci_rx_work+0x3f3/0xdb0 net/bluetooth/hci_core.c:4039
 process_one_work kernel/workqueue.c:3229 [inline]
 process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
 worker_thread+0x870/0xd30 kernel/workqueue.c:3391
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Freed by task 4663:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2342 [inline]
 slab_free mm/slub.c:4579 [inline]
 kfree+0x1a0/0x440 mm/slub.c:4727
 l2cap_connect_cfm+0x11f/0x1220 net/bluetooth/l2cap_core.c:7233
 hci_connect_cfm include/net/bluetooth/hci_core.h:2035 [inline]
 hci_conn_failed+0x1ce/0x300 net/bluetooth/hci_conn.c:1266
 hci_abort_conn_sync+0x583/0xe00 net/bluetooth/hci_sync.c:5603
 hci_disconnect_all_sync+0x264/0x460 net/bluetooth/hci_sync.c:5626
 hci_suspend_sync+0x41a/0xca0 net/bluetooth/hci_sync.c:6103
 hci_suspend_dev+0x203/0x3e0 net/bluetooth/hci_core.c:2832
 hci_suspend_notifier+0xf2/0x2b0 net/bluetooth/hci_core.c:2412
 notifier_call_chain+0x19f/0x3e0 kernel/notifier.c:93
 notifier_call_chain_robust kernel/notifier.c:128 [inline]
 blocking_notifier_call_chain_robust+0xe8/0x1e0 kernel/notifier.c:353
 pm_notifier_call_chain_robust+0x2c/0x60 kernel/power/main.c:102
 snapshot_open+0x19b/0x280 kernel/power/user.c:77
 misc_open+0x2cc/0x340 drivers/char/misc.c:165
 chrdev_open+0x521/0x600 fs/char_dev.c:414
 do_dentry_open+0xbe1/0x1b70 fs/open.c:945
 vfs_open+0x3e/0x330 fs/open.c:1075
 do_open fs/namei.c:3828 [inline]
 path_openat+0x2c84/0x3590 fs/namei.c:3987
 do_filp_open+0x27f/0x4e0 fs/namei.c:4014
 do_sys_openat2+0x13e/0x1d0 fs/open.c:1402
 do_sys_open fs/open.c:1417 [inline]
 __do_sys_openat fs/open.c:1433 [inline]
 __se_sys_openat fs/open.c:1428 [inline]
 __x64_sys_openat+0x247/0x2a0 fs/open.c:1428
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Last potentially related work creation:
 kasan_save_stack+0x3f/0x60 mm/kasan/common.c:47
 __kasan_record_aux_stack+0xac/0xc0 mm/kasan/generic.c:541
 insert_work+0x3e/0x330 kernel/workqueue.c:2183
 __queue_work+0xb66/0xf50 kernel/workqueue.c:2343
 queue_work_on+0x1c2/0x380 kernel/workqueue.c:2390
 queue_work include/linux/workqueue.h:662 [inline]
 l2cap_conn_ready net/bluetooth/l2cap_core.c:1640 [inline]
 l2cap_connect_cfm+0xec2/0x1220 net/bluetooth/l2cap_core.c:7278
 hci_connect_cfm+0xa2/0x150 include/net/bluetooth/hci_core.h:2035
 le_conn_complete_evt+0xd3e/0x12e0 net/bluetooth/hci_event.c:5763
 hci_le_conn_complete_evt+0x18c/0x420 net/bluetooth/hci_event.c:5789
 hci_event_func net/bluetooth/hci_event.c:7481 [inline]
 hci_event_packet+0xa55/0x1540 net/bluetooth/hci_event.c:7536
 hci_rx_work+0x3f3/0xdb0 net/bluetooth/hci_core.c:4039
 process_one_work kernel/workqueue.c:3229 [inline]
 process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
 worker_thread+0x870/0xd30 kernel/workqueue.c:3391
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

The buggy address belongs to the object at ffff88805982c000
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 0 bytes inside of
 freed 1024-byte region [ffff88805982c000, ffff88805982c400)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x59828
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801ac41dc0 0000000000000000 dead000000000001
raw: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000
head: 00fff00000000040 ffff88801ac41dc0 0000000000000000 dead000000000001
head: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000
head: 00fff00000000003 ffffea0001660a01 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5864, tgid 5864 (syz-executor), ts 65722361023, free_ts 15833123875
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1556
 prep_new_page mm/page_alloc.c:1564 [inline]
 get_page_from_freelist+0x3649/0x3790 mm/page_alloc.c:3474
 __alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4751
 alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
 alloc_slab_page+0x6a/0x140 mm/slub.c:2412
 allocate_slab+0x5a/0x2f0 mm/slub.c:2578
 new_slab mm/slub.c:2631 [inline]
 ___slab_alloc+0xcd1/0x14b0 mm/slub.c:3818
 __slab_alloc+0x58/0xa0 mm/slub.c:3908
 __slab_alloc_node mm/slub.c:3961 [inline]
 slab_alloc_node mm/slub.c:4122 [inline]
 __do_kmalloc_node mm/slub.c:4263 [inline]
 __kmalloc_node_track_caller_noprof+0x281/0x440 mm/slub.c:4283
 kmalloc_reserve+0x111/0x2a0 net/core/skbuff.c:609
 __alloc_skb+0x1f3/0x440 net/core/skbuff.c:678
 alloc_skb include/linux/skbuff.h:1323 [inline]
 nlmsg_new include/net/netlink.h:1018 [inline]
 inet6_rt_notify+0xba/0x240 net/ipv6/route.c:6195
 fib6_add_rt2node net/ipv6/ip6_fib.c:1259 [inline]
 fib6_add+0x1e33/0x4420 net/ipv6/ip6_fib.c:1488
 __ip6_ins_rt net/ipv6/route.c:1317 [inline]
 ip6_route_add+0x8b/0x160 net/ipv6/route.c:3857
 addrconf_prefix_route net/ipv6/addrconf.c:2486 [inline]
 addrconf_add_linklocal+0x61a/0xa30 net/ipv6/addrconf.c:3319
 addrconf_addr_gen+0x510/0xbb0
page last free pid 1 tgid 1 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1127 [inline]
 free_unref_page+0xdf9/0x1140 mm/page_alloc.c:2657
 free_contig_range+0x152/0x550 mm/page_alloc.c:6630
 destroy_args+0x92/0x910 mm/debug_vm_pgtable.c:1017
 debug_vm_pgtable+0x4be/0x550 mm/debug_vm_pgtable.c:1397
 do_one_initcall+0x248/0x880 init/main.c:1266
 do_initcall_level+0x157/0x210 init/main.c:1328
 do_initcalls+0x3f/0x80 init/main.c:1344
 kernel_init_freeable+0x435/0x5d0 init/main.c:1577
 kernel_init+0x1d/0x2b0 init/main.c:1466
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Memory state around the buggy address:
 ffff88805982bf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88805982bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88805982c000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff88805982c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88805982c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (30):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/11/24 20:47 upstream 9f16d5e6f220 68da6d95 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce KASAN: slab-use-after-free Read in l2cap_send_cmd
2024/09/28 12:57 upstream ad46e8f95e93 440b26ec .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: slab-use-after-free Read in l2cap_send_cmd
2024/09/19 21:16 upstream a430d95c5efa 6f888b75 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root KASAN: slab-use-after-free Read in l2cap_send_cmd
2024/09/19 20:27 upstream 2a17bb8c204f 6f888b75 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: slab-use-after-free Read in l2cap_send_cmd
2024/09/19 20:00 upstream 2a17bb8c204f 6f888b75 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: slab-use-after-free Read in l2cap_send_cmd
2024/09/08 03:10 upstream b31c44928842 9750182a .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root KASAN: slab-use-after-free Read in l2cap_send_cmd
2024/09/02 09:54 upstream c9f016e72b5c 1eda0d14 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: slab-use-after-free Read in l2cap_send_cmd
2024/08/25 16:54 upstream 5be63fc19fca d7d32352 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root KASAN: slab-use-after-free Read in l2cap_send_cmd
2024/08/23 11:21 upstream aa0743a22936 ce8a9099 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce KASAN: slab-use-after-free Read in l2cap_send_cmd
2024/08/16 23:30 upstream 670c12ce09a8 76120936 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: slab-use-after-free Read in l2cap_send_cmd
2024/07/31 01:10 upstream 22f546873149 a4e01e1e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root KASAN: slab-use-after-free Read in l2cap_send_cmd
2024/07/17 04:27 upstream 408323581b72 215bec2d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root KASAN: slab-use-after-free Read in l2cap_send_cmd
2024/07/13 03:18 upstream e091caf99f3a eaeb5c15 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root KASAN: slab-use-after-free Read in l2cap_send_cmd
2024/07/11 22:30 upstream 9d9a2f29aefd c699c2eb .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root KASAN: slab-use-after-free Read in l2cap_send_cmd
2024/07/11 12:00 upstream 9d9a2f29aefd c699c2eb .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root KASAN: slab-use-after-free Read in l2cap_send_cmd
2024/07/05 13:24 upstream 661e504db04c 2a40360c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce KASAN: slab-use-after-free Read in l2cap_send_cmd
2024/06/26 16:21 upstream 55027e689933 880c1ca1 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: slab-use-after-free Read in l2cap_send_cmd
2024/06/24 02:42 upstream 7c16f0a4ed1c edc5149a .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: slab-use-after-free Read in l2cap_send_cmd
2024/06/18 02:00 upstream 2ccbdf43d5e7 1f11cfd7 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root KASAN: slab-use-after-free Read in l2cap_send_cmd
2024/06/15 13:12 upstream 2ccbdf43d5e7 f429ab00 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: slab-use-after-free Read in l2cap_send_cmd
2024/06/12 16:36 upstream 2ef5971ff345 4d75f4f7 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root KASAN: slab-use-after-free Read in l2cap_send_cmd
2024/03/02 14:01 upstream 5ad3cb0ed525 25905f5d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root KASAN: slab-use-after-free Read in l2cap_send_cmd
2024/02/19 23:04 upstream b401b621758e 3af7dd65 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: slab-use-after-free Read in l2cap_send_cmd
2024/11/25 21:04 upstream 9f16d5e6f220 a84878fc .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-386 KASAN: slab-use-after-free Read in l2cap_send_cmd
2024/08/06 14:43 upstream b446a2dae984 e1bdb00a .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-386 KASAN: slab-use-after-free Read in l2cap_send_cmd
2024/04/06 18:20 upstream fe46a7dd189e ca620dd8 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-386 KASAN: slab-use-after-free Read in l2cap_send_cmd
2024/07/24 04:44 linux-next 9ec6ec93f2c1 57b2edb1 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: slab-use-after-free Read in l2cap_send_cmd
2024/07/15 09:05 linux-next 3fe121b62282 c605e6a2 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: slab-use-after-free Read in l2cap_send_cmd
2024/07/15 00:11 linux-next 3fe121b62282 eaeb5c15 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: slab-use-after-free Read in l2cap_send_cmd
2024/04/16 17:39 linux-next 66e4190e92ce 0d592ce4 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: slab-use-after-free Read in l2cap_send_cmd
* Struck through repros no longer work on HEAD.