| Title | Replies (including bot) | Last reply |
|---|---|---|
| [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in full_proxy_write | 0 (1) | 2024/12/29 04:30 |
syzbot |
sign-in | mailing list | source | docs |
| Title | Replies (including bot) | Last reply |
|---|---|---|
| [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in full_proxy_write | 0 (1) | 2024/12/29 04:30 |
================================================================== BUG: KASAN: slab-use-after-free in force_wakeup_write+0x14d/0x170 drivers/bluetooth/hci_vhci.c:188 Read of size 1 at addr ffff888027041a31 by task syz.3.1344/10628 CPU: 1 UID: 0 PID: 10628 Comm: syz.3.1344 Not tainted 6.13.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xc3/0x620 mm/kasan/report.c:489 kasan_report+0xd9/0x110 mm/kasan/report.c:602 force_wakeup_write+0x14d/0x170 drivers/bluetooth/hci_vhci.c:188 full_proxy_write+0xfb/0x1b0 fs/debugfs/file.c:356 vfs_write+0x24c/0x1150 fs/read_write.c:677 ksys_write+0x12b/0x250 fs/read_write.c:731 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f6006185d29 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f6006fac038 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00007f6006375fa0 RCX: 00007f6006185d29 RDX: 0000000000000001 RSI: 0000000020001780 RDI: 0000000000000000 RBP: 00007f6006201b08 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f6006375fa0 R15: 00007ffe36c277e8 </TASK> Allocated by task 6610: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4298 [inline] __kmalloc_node_track_caller_noprof+0x21d/0x520 mm/slub.c:4317 kmalloc_reserve+0xef/0x2c0 net/core/skbuff.c:609 __alloc_skb+0x164/0x380 net/core/skbuff.c:678 __netdev_alloc_skb+0x76/0x980 net/core/skbuff.c:742 __netdev_alloc_skb_ip_align include/linux/skbuff.h:3422 [inline] netdev_alloc_skb_ip_align include/linux/skbuff.h:3432 [inline] batadv_iv_ogm_aggregate_new+0x104/0x4a0 net/batman-adv/bat_iv_ogm.c:558 batadv_iv_ogm_queue_add net/batman-adv/bat_iv_ogm.c:670 [inline] batadv_iv_ogm_schedule_buff+0x99b/0x14d0 net/batman-adv/bat_iv_ogm.c:833 batadv_iv_ogm_schedule net/batman-adv/bat_iv_ogm.c:868 [inline] batadv_iv_ogm_schedule net/batman-adv/bat_iv_ogm.c:861 [inline] batadv_iv_send_outstanding_bat_ogm_packet+0x31e/0x8d0 net/batman-adv/bat_iv_ogm.c:1712 process_one_work+0x958/0x1b30 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Freed by task 6602: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:582 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2353 [inline] slab_free mm/slub.c:4613 [inline] kfree+0x14f/0x4b0 mm/slub.c:4761 skb_kfree_head net/core/skbuff.c:1086 [inline] skb_free_head+0x108/0x1d0 net/core/skbuff.c:1098 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] consume_skb net/core/skbuff.c:1436 [inline] consume_skb+0xbf/0x100 net/core/skbuff.c:1430 batadv_forw_packet_free+0x217/0x250 net/batman-adv/send.c:471 batadv_iv_send_outstanding_bat_ogm_packet+0x262/0x8d0 net/batman-adv/bat_iv_ogm.c:1718 process_one_work+0x958/0x1b30 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 The buggy address belongs to the object at ffff888027041800 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 561 bytes inside of freed 1024-byte region [ffff888027041800, ffff888027041c00) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888027047000 pfn:0x27040 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0xfff00000000240(workingset|head|node=0|zone=1|lastcpupid=0x7ff) page_type: f5(slab) raw: 00fff00000000240 ffff88801ac41dc0 ffffea000090ca10 ffffea0001ee8e10 raw: ffff888027047000 000000000010000c 00000001f5000000 0000000000000000 head: 00fff00000000240 ffff88801ac41dc0 ffffea000090ca10 ffffea0001ee8e10 head: ffff888027047000 000000000010000c 00000001f5000000 0000000000000000 head: 00fff00000000003 ffffea00009c1001 ffffffffffffffff 0000000000000000 head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0x252800(GFP_NOWAIT|__GFP_NORETRY|__GFP_COMP|__GFP_THISNODE), pid 11, tgid 11 (kworker/u8:0), ts 9316205122, free_ts 0 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1558 prep_new_page mm/page_alloc.c:1566 [inline] get_page_from_freelist+0xfce/0x2f80 mm/page_alloc.c:3476 __alloc_pages_noprof+0x223/0x25b0 mm/page_alloc.c:4753 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline] alloc_slab_page mm/slub.c:2425 [inline] allocate_slab mm/slub.c:2589 [inline] new_slab+0xca/0x410 mm/slub.c:2642 ___slab_alloc+0xce2/0x1650 mm/slub.c:3830 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3920 __slab_alloc_node mm/slub.c:3995 [inline] slab_alloc_node mm/slub.c:4156 [inline] __kmalloc_cache_node_noprof+0xfb/0x3f0 mm/slub.c:4337 kmalloc_node_noprof include/linux/slab.h:924 [inline] blk_mq_alloc_hctx block/blk-mq.c:3935 [inline] blk_mq_alloc_and_init_hctx+0x639/0x11b0 block/blk-mq.c:4443 blk_mq_realloc_hw_ctxs+0x8e0/0xbe0 block/blk-mq.c:4476 blk_mq_init_allocated_queue+0x39e/0x11f0 block/blk-mq.c:4530 blk_mq_alloc_queue+0x1ef/0x2e0 block/blk-mq.c:4343 scsi_alloc_sdev+0x890/0xd80 drivers/scsi/scsi_scan.c:337 scsi_probe_and_add_lun+0x789/0xda0 drivers/scsi/scsi_scan.c:1210 __scsi_scan_target+0x1ea/0x580 drivers/scsi/scsi_scan.c:1757 scsi_scan_channel drivers/scsi/scsi_scan.c:1845 [inline] scsi_scan_channel+0x149/0x1e0 drivers/scsi/scsi_scan.c:1821 scsi_scan_host_selected+0x302/0x400 drivers/scsi/scsi_scan.c:1874 page_owner free stack trace missing Memory state around the buggy address: ffff888027041900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888027041980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888027041a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888027041a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888027041b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2024/12/30 15:36 | upstream | fc033cf25e61 | d3ccff63 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-qemu-gce-upstream-auto | KASAN: slab-use-after-free Read in full_proxy_write | ||
| 2024/12/29 04:29 | upstream | 059dd502b263 | d3ccff63 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-qemu-gce-upstream-auto | KASAN: slab-use-after-free Read in full_proxy_write | ||
| 2024/12/28 19:15 | upstream | fd0584d220fe | d3ccff63 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-qemu-gce-upstream-auto | KASAN: slab-use-after-free Read in full_proxy_write | ||
| 2024/12/28 13:54 | upstream | fd0584d220fe | d3ccff63 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-qemu-gce-upstream-auto | KASAN: slab-use-after-free Read in full_proxy_write | ||
| 2024/12/24 15:16 | upstream | f07044dd0df0 | 444551c4 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-qemu-gce-upstream-auto | KASAN: slab-use-after-free Read in full_proxy_write | ||
| 2024/12/24 11:45 | upstream | f07044dd0df0 | 444551c4 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-qemu-gce-upstream-auto | KASAN: slab-use-after-free Read in full_proxy_write |