| Title | Replies (including bot) | Last reply |
|---|---|---|
| [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_send_cmd | 0 (1) | 2024/02/26 09:32 |
syzbot |
sign-in | mailing list | source | docs |
| Title | Replies (including bot) | Last reply |
|---|---|---|
| [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_send_cmd | 0 (1) | 2024/02/26 09:32 |
Bluetooth: Unknown BR/EDR signaling command 0x0e Bluetooth: Wrong link type (-22) Bluetooth: Unknown BR/EDR signaling command 0x0f Bluetooth: Wrong link type (-22) ================================================================== BUG: KASAN: slab-use-after-free in l2cap_build_cmd net/bluetooth/l2cap_core.c:2951 [inline] BUG: KASAN: slab-use-after-free in l2cap_send_cmd+0x67b/0x8d0 net/bluetooth/l2cap_core.c:954 Read of size 4 at addr ffff8880244b3010 by task kworker/u9:0/55 CPU: 1 UID: 0 PID: 55 Comm: kworker/u9:0 Not tainted 6.11.0-syzkaller-11728-gad46e8f95e93 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: hci7 hci_rx_work Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 l2cap_build_cmd net/bluetooth/l2cap_core.c:2951 [inline] l2cap_send_cmd+0x67b/0x8d0 net/bluetooth/l2cap_core.c:954 l2cap_sig_send_rej net/bluetooth/l2cap_core.c:5510 [inline] l2cap_sig_channel net/bluetooth/l2cap_core.c:5546 [inline] l2cap_recv_frame+0x22f1/0x10850 net/bluetooth/l2cap_core.c:6825 hci_acldata_packet net/bluetooth/hci_core.c:3791 [inline] hci_rx_work+0x50f/0xca0 net/bluetooth/hci_core.c:4028 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f2/0x390 kernel/kthread.c:389 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> Allocated by task 5237: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:257 [inline] __kmalloc_cache_noprof+0x19c/0x2c0 mm/slub.c:4296 kmalloc_noprof include/linux/slab.h:878 [inline] kzalloc_noprof include/linux/slab.h:1014 [inline] l2cap_conn_add+0xa9/0x8e0 net/bluetooth/l2cap_core.c:6868 l2cap_connect_cfm+0x136/0x1220 net/bluetooth/l2cap_core.c:7245 hci_connect_cfm include/net/bluetooth/hci_core.h:1960 [inline] hci_remote_features_evt+0x538/0xaf0 net/bluetooth/hci_event.c:3721 hci_event_func net/bluetooth/hci_event.c:7446 [inline] hci_event_packet+0xac4/0x1540 net/bluetooth/hci_event.c:7498 hci_rx_work+0x3e8/0xca0 net/bluetooth/hci_core.c:4023 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f2/0x390 kernel/kthread.c:389 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Freed by task 5245: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:230 [inline] slab_free_hook mm/slub.c:2343 [inline] slab_free mm/slub.c:4580 [inline] kfree+0x1a0/0x440 mm/slub.c:4728 l2cap_connect_cfm+0x11f/0x1220 net/bluetooth/l2cap_core.c:7241 hci_connect_cfm include/net/bluetooth/hci_core.h:1960 [inline] hci_conn_failed+0x1d0/0x300 net/bluetooth/hci_conn.c:1262 hci_abort_conn_sync+0x583/0xde0 net/bluetooth/hci_sync.c:5586 hci_cmd_sync_work+0x22d/0x400 net/bluetooth/hci_sync.c:328 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f2/0x390 kernel/kthread.c:389 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Last potentially related work creation: kasan_save_stack+0x3f/0x60 mm/kasan/common.c:47 __kasan_record_aux_stack+0xac/0xc0 mm/kasan/generic.c:541 insert_work+0x3e/0x330 kernel/workqueue.c:2183 __queue_work+0xc8b/0xf50 kernel/workqueue.c:2339 call_timer_fn+0x190/0x650 kernel/time/timer.c:1794 expire_timers kernel/time/timer.c:1840 [inline] __run_timers kernel/time/timer.c:2419 [inline] __run_timer_base+0x695/0x8e0 kernel/time/timer.c:2430 run_timer_base kernel/time/timer.c:2439 [inline] run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2449 handle_softirqs+0x2c7/0x980 kernel/softirq.c:554 __do_softirq kernel/softirq.c:588 [inline] invoke_softirq kernel/softirq.c:428 [inline] __irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637 irq_exit_rcu+0x9/0x30 kernel/softirq.c:649 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1037 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1037 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 Second to last potentially related work creation: kasan_save_stack+0x3f/0x60 mm/kasan/common.c:47 __kasan_record_aux_stack+0xac/0xc0 mm/kasan/generic.c:541 insert_work+0x3e/0x330 kernel/workqueue.c:2183 __queue_work+0xb66/0xf50 kernel/workqueue.c:2343 queue_work_on+0x1c2/0x380 kernel/workqueue.c:2390 queue_work include/linux/workqueue.h:662 [inline] l2cap_conn_ready net/bluetooth/l2cap_core.c:1640 [inline] l2cap_connect_cfm+0xec2/0x1220 net/bluetooth/l2cap_core.c:7286 hci_connect_cfm include/net/bluetooth/hci_core.h:1960 [inline] hci_remote_features_evt+0x538/0xaf0 net/bluetooth/hci_event.c:3721 hci_event_func net/bluetooth/hci_event.c:7446 [inline] hci_event_packet+0xac4/0x1540 net/bluetooth/hci_event.c:7498 hci_rx_work+0x3e8/0xca0 net/bluetooth/hci_core.c:4023 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f2/0x390 kernel/kthread.c:389 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 The buggy address belongs to the object at ffff8880244b3000 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 16 bytes inside of freed 1024-byte region [ffff8880244b3000, ffff8880244b3400) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x244b0 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) page_type: f5(slab) raw: 00fff00000000040 ffff88801ac41dc0 ffffea0000929e00 dead000000000002 raw: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000 head: 00fff00000000040 ffff88801ac41dc0 ffffea0000929e00 dead000000000002 head: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000 head: 00fff00000000003 ffffea0000912c01 ffffffffffffffff 0000000000000000 head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5503, tgid 5503 (kworker/u8:12), ts 117144820382, free_ts 115755390668 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x3045/0x3190 mm/page_alloc.c:3457 __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4733 alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265 alloc_slab_page+0x6a/0x120 mm/slub.c:2413 allocate_slab+0x5a/0x2f0 mm/slub.c:2579 new_slab mm/slub.c:2632 [inline] ___slab_alloc+0xcd1/0x14b0 mm/slub.c:3819 __slab_alloc+0x58/0xa0 mm/slub.c:3909 __slab_alloc_node mm/slub.c:3962 [inline] slab_alloc_node mm/slub.c:4123 [inline] __do_kmalloc_node mm/slub.c:4264 [inline] __kmalloc_noprof+0x25a/0x400 mm/slub.c:4277 kmalloc_noprof include/linux/slab.h:882 [inline] kzalloc_noprof include/linux/slab.h:1014 [inline] ieee802_11_parse_elems_full+0xdb/0x2880 net/mac80211/parse.c:958 ieee802_11_parse_elems_crc net/mac80211/ieee80211_i.h:2383 [inline] ieee802_11_parse_elems net/mac80211/ieee80211_i.h:2390 [inline] ieee80211_rx_mgmt_probe_beacon net/mac80211/ibss.c:1575 [inline] ieee80211_ibss_rx_queued_mgmt+0x4c8/0x2d70 net/mac80211/ibss.c:1606 ieee80211_iface_process_skb net/mac80211/iface.c:1603 [inline] ieee80211_iface_work+0x8a5/0xf20 net/mac80211/iface.c:1657 cfg80211_wiphy_work+0x2dd/0x490 net/wireless/core.c:440 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f2/0x390 kernel/kthread.c:389 page last free pid 5234 tgid 5234 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0xcfb/0xf20 mm/page_alloc.c:2638 discard_slab mm/slub.c:2678 [inline] __put_partials+0xeb/0x130 mm/slub.c:3146 put_cpu_partial+0x17c/0x250 mm/slub.c:3221 __slab_free+0x2ea/0x3d0 mm/slub.c:4450 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x9a/0x140 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:329 kasan_slab_alloc include/linux/kasan.h:247 [inline] slab_post_alloc_hook mm/slub.c:4086 [inline] slab_alloc_node mm/slub.c:4135 [inline] kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4142 getname_flags+0xb7/0x540 fs/namei.c:139 user_path_at+0x24/0x60 fs/namei.c:3015 ksys_umount fs/namespace.c:2033 [inline] __do_sys_umount fs/namespace.c:2041 [inline] __se_sys_umount fs/namespace.c:2039 [inline] __x64_sys_umount+0xf1/0x170 fs/namespace.c:2039 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Memory state around the buggy address: ffff8880244b2f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8880244b2f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8880244b3000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880244b3080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880244b3100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2024/09/28 12:57 | upstream | ad46e8f95e93 | 440b26ec | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-root | KASAN: slab-use-after-free Read in l2cap_send_cmd | ||
| 2024/09/19 21:16 | upstream | a430d95c5efa | 6f888b75 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-selinux-root | KASAN: slab-use-after-free Read in l2cap_send_cmd | ||
| 2024/09/19 20:27 | upstream | 2a17bb8c204f | 6f888b75 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-root | KASAN: slab-use-after-free Read in l2cap_send_cmd | ||
| 2024/09/19 20:00 | upstream | 2a17bb8c204f | 6f888b75 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-root | KASAN: slab-use-after-free Read in l2cap_send_cmd | ||
| 2024/09/08 03:10 | upstream | b31c44928842 | 9750182a | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-badwrites-root | KASAN: slab-use-after-free Read in l2cap_send_cmd | ||
| 2024/09/02 09:54 | upstream | c9f016e72b5c | 1eda0d14 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-root | KASAN: slab-use-after-free Read in l2cap_send_cmd | ||
| 2024/08/25 16:54 | upstream | 5be63fc19fca | d7d32352 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-selinux-root | KASAN: slab-use-after-free Read in l2cap_send_cmd | ||
| 2024/08/23 11:21 | upstream | aa0743a22936 | ce8a9099 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce | KASAN: slab-use-after-free Read in l2cap_send_cmd | ||
| 2024/08/16 23:30 | upstream | 670c12ce09a8 | 76120936 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-root | KASAN: slab-use-after-free Read in l2cap_send_cmd | ||
| 2024/07/31 01:10 | upstream | 22f546873149 | a4e01e1e | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-selinux-root | KASAN: slab-use-after-free Read in l2cap_send_cmd | ||
| 2024/07/17 04:27 | upstream | 408323581b72 | 215bec2d | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-smack-root | KASAN: slab-use-after-free Read in l2cap_send_cmd | ||
| 2024/07/13 03:18 | upstream | e091caf99f3a | eaeb5c15 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-smack-root | KASAN: slab-use-after-free Read in l2cap_send_cmd | ||
| 2024/07/11 22:30 | upstream | 9d9a2f29aefd | c699c2eb | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-smack-root | KASAN: slab-use-after-free Read in l2cap_send_cmd | ||
| 2024/07/11 12:00 | upstream | 9d9a2f29aefd | c699c2eb | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-selinux-root | KASAN: slab-use-after-free Read in l2cap_send_cmd | ||
| 2024/07/05 13:24 | upstream | 661e504db04c | 2a40360c | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce | KASAN: slab-use-after-free Read in l2cap_send_cmd | ||
| 2024/06/26 16:21 | upstream | 55027e689933 | 880c1ca1 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-root | KASAN: slab-use-after-free Read in l2cap_send_cmd | ||
| 2024/06/24 02:42 | upstream | 7c16f0a4ed1c | edc5149a | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-root | KASAN: slab-use-after-free Read in l2cap_send_cmd | ||
| 2024/06/18 02:00 | upstream | 2ccbdf43d5e7 | 1f11cfd7 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-smack-root | KASAN: slab-use-after-free Read in l2cap_send_cmd | ||
| 2024/06/15 13:12 | upstream | 2ccbdf43d5e7 | f429ab00 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-root | KASAN: slab-use-after-free Read in l2cap_send_cmd | ||
| 2024/06/12 16:36 | upstream | 2ef5971ff345 | 4d75f4f7 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-selinux-root | KASAN: slab-use-after-free Read in l2cap_send_cmd | ||
| 2024/03/02 14:01 | upstream | 5ad3cb0ed525 | 25905f5d | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-smack-root | KASAN: slab-use-after-free Read in l2cap_send_cmd | ||
| 2024/02/19 23:04 | upstream | b401b621758e | 3af7dd65 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-root | KASAN: slab-use-after-free Read in l2cap_send_cmd | ||
| 2024/08/06 14:43 | upstream | b446a2dae984 | e1bdb00a | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-386 | KASAN: slab-use-after-free Read in l2cap_send_cmd | ||
| 2024/04/06 18:20 | upstream | fe46a7dd189e | ca620dd8 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-386 | KASAN: slab-use-after-free Read in l2cap_send_cmd | ||
| 2024/07/24 04:44 | linux-next | 9ec6ec93f2c1 | 57b2edb1 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-linux-next-kasan-gce-root | KASAN: slab-use-after-free Read in l2cap_send_cmd | ||
| 2024/07/15 09:05 | linux-next | 3fe121b62282 | c605e6a2 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-linux-next-kasan-gce-root | KASAN: slab-use-after-free Read in l2cap_send_cmd | ||
| 2024/07/15 00:11 | linux-next | 3fe121b62282 | eaeb5c15 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-linux-next-kasan-gce-root | KASAN: slab-use-after-free Read in l2cap_send_cmd | ||
| 2024/04/16 17:39 | linux-next | 66e4190e92ce | 0d592ce4 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-linux-next-kasan-gce-root | KASAN: slab-use-after-free Read in l2cap_send_cmd |