syzbot


KASAN: null-ptr-deref Read in ida_free (4)

Status: fixed on 2024/02/14 16:17
Subsystems: bluetooth
Reported-by: syzbot+51baee846ddab52d5230@syzkaller.appspotmail.com
Fix commit: af73483f4e8b ida: Fix crash in ida_free when the bitmap is empty
First crash: 175d, last: 125d
Cause bisection: introduced by (bisect log):
commit 181a42edddf51d5d9697ecdf365d72ebeab5afb0
Author: Ziyang Xuan <william.xuanziyang@huawei.com>
Date: Wed Oct 11 09:57:31 2023 +0000

  Bluetooth: Make handle of hci_conn be unique

Crash: KASAN: null-ptr-deref Read in ida_free (log)
Repro: C syz .config
Fix bisection: fixed by (bisect log):
commit af73483f4e8b6f5c68c9aa63257bdd929a9c194a
Author: Matthew Wilcox (Oracle) <willy@infradead.org>
Date: Thu Dec 21 16:53:57 2023 +0000

  ida: Fix crash in ida_free when the bitmap is empty

Discussions (1)
Title: [syzbot] [bluetooth?] KASAN: null-ptr-deref Read in ida_free (4)
Replies (including bot): 5 (9)
Last reply: 2024/02/12 10:32
Similar bugs (4)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-5-15 KASAN: null-ptr-deref Read in ida_free C error 2 327d 398d 2/2 fixed on 2023/06/16 14:10
upstream KASAN: null-ptr-deref Read in ida_free media 1 1234d 1233d 0/26 auto-closed as invalid on 2021/04/09 00:32
upstream KASAN: null-ptr-deref Read in ida_free (2) usb C done 3 672d 672d 22/26 fixed on 2023/02/24 13:50
upstream KASAN: null-ptr-deref Read in ida_free (3) fs C error 4 398d 394d 22/26 fixed on 2023/06/08 14:41
Last patch testing requests (3)
Created | Duration | User | Patch | Repo | Result
2024/01/06 18:21 | 14m | retest repro | | upstream | report, log
2023/12/23 13:47 | 20m | retest repro | | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | report, log
2023/12/23 11:29 | 17m | retest repro | | linux-next | report, log

Sample crash report:
Bluetooth: hci0: hardware error 0x00
==================================================================
BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:68 [inline]
BUG: KASAN: null-ptr-deref in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: null-ptr-deref in ida_free+0x218/0x2e0 lib/idr.c:511
Read of size 8 at addr 0000000000000078 by task kworker/u5:1/4455

CPU: 1 PID: 4455 Comm: kworker/u5:1 Not tainted 6.7.0-rc2-next-20231124-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
Workqueue: hci0 hci_error_reset
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
 kasan_report+0xd9/0x110 mm/kasan/report.c:588
 check_region_inline mm/kasan/generic.c:182 [inline]
 kasan_check_range+0xef/0x190 mm/kasan/generic.c:188
 instrument_atomic_read include/linux/instrumented.h:68 [inline]
 _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
 ida_free+0x218/0x2e0 lib/idr.c:511
 hci_conn_cleanup net/bluetooth/hci_conn.c:157 [inline]
 hci_conn_del+0x78c/0xe10 net/bluetooth/hci_conn.c:1183
 hci_conn_hash_flush+0x189/0x260 net/bluetooth/hci_conn.c:2643
 hci_dev_close_sync+0x5a7/0x1160 net/bluetooth/hci_sync.c:5021
 hci_dev_do_close+0x2e/0x90 net/bluetooth/hci_core.c:554
 hci_error_reset+0xa6/0x190 net/bluetooth/hci_core.c:1059
 process_one_work+0x8a4/0x15f0 kernel/workqueue.c:2633
 process_scheduled_works kernel/workqueue.c:2706 [inline]
 worker_thread+0x8b6/0x1290 kernel/workqueue.c:2787
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
 </TASK>
==================================================================

Crashes (29):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2023/11/25 13:17 linux-next 8c9660f65153 5b429f39 .config strace log report syz C [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in ida_free
2023/12/08 09:43 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci d46efae31672 28b24332 .config console log report syz C [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in ida_free
2023/11/26 05:23 upstream b46ae77f6787 5b429f39 .config strace log report syz C [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce KASAN: null-ptr-deref Read in ida_free
2023/12/08 23:02 upstream 5e3f5b81de80 28b24332 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: null-ptr-deref Read in ida_free
2023/11/30 04:17 upstream 3b47bc037bd4 f819d6f7 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root KASAN: null-ptr-deref Read in ida_free
2023/11/29 18:47 upstream 3b47bc037bd4 6e78f9ce .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root KASAN: null-ptr-deref Read in ida_free
2023/11/29 13:00 upstream 18d46e76d7c2 6e78f9ce .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root KASAN: null-ptr-deref Read in ida_free
2023/11/27 16:27 upstream 2cc14f52aeb7 5b429f39 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root KASAN: null-ptr-deref Read in ida_free
2023/11/27 14:02 upstream 2cc14f52aeb7 5b429f39 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root KASAN: null-ptr-deref Read in ida_free
2023/11/27 11:21 upstream d2da77f431ac 5b429f39 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root KASAN: null-ptr-deref Read in ida_free
2023/11/27 11:20 upstream d2da77f431ac 5b429f39 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce KASAN: null-ptr-deref Read in ida_free
2023/11/26 13:48 upstream 090472ed9c92 5b429f39 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root KASAN: null-ptr-deref Read in ida_free
2023/11/26 00:18 upstream b46ae77f6787 5b429f39 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root KASAN: null-ptr-deref Read in ida_free
2023/11/25 11:39 upstream 0f5cc96c367f 5b429f39 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce KASAN: null-ptr-deref Read in ida_free
2023/11/23 20:16 upstream 9b6de136b5f0 fc59b78e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root KASAN: null-ptr-deref Read in ida_free
2023/11/23 19:55 upstream 9b6de136b5f0 fc59b78e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: null-ptr-deref Read in ida_free
2023/11/17 20:54 upstream 6bc40e44f1dd cb976f63 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root KASAN: null-ptr-deref Read in ida_free
2023/11/16 16:52 upstream 7475e51b8796 cb976f63 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root KASAN: null-ptr-deref Read in ida_free
2023/11/16 01:04 upstream c42d9eeef8e5 cb976f63 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root KASAN: null-ptr-deref Read in ida_free
2023/11/15 11:44 upstream 86d11b0e20c0 cb976f63 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root KASAN: null-ptr-deref Read in ida_free
2023/11/14 20:09 upstream 9bacdd8996c7 cb976f63 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: null-ptr-deref Read in ida_free
2023/11/13 21:24 upstream 9bacdd8996c7 cb976f63 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: null-ptr-deref Read in ida_free
2023/11/13 19:13 upstream b85ea95d0864 cb976f63 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root KASAN: null-ptr-deref Read in ida_free
2023/11/27 11:16 upstream d2da77f431ac 5b429f39 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-386 KASAN: null-ptr-deref Read in ida_free
2023/12/09 08:59 upstream f2e8a57ee903 28b24332 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream KASAN: null-ptr-deref Read in ida_free
2023/11/03 19:22 upstream 8f6f76a6a29f 500bfdc4 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream KASAN: null-ptr-deref Read in ida_free
2023/11/27 07:35 linux-next 48bbaf8b793e 5b429f39 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in ida_free
2023/11/25 11:23 linux-next 8c9660f65153 5b429f39 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in ida_free
2023/11/03 18:54 linux-next e27090b1413f c4ac074c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in ida_free
* Struck through repros no longer work on HEAD.