| Title | Replies (including bot) | Last reply |
|---|---|---|
| [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_recv_frame | 0 (1) | 2024/04/27 07:44 |
syzbot |
sign-in | mailing list | source | docs |
| 🐞 Open [1033] ≡ Subsystems 🐞 Fixed [5265] 🐞 Invalid [12592] ⬇ Missing Backports [85] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes | 💬 Send us feedback |
| Title | Replies (including bot) | Last reply |
|---|---|---|
| [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_recv_frame | 0 (1) | 2024/04/27 07:44 |
================================================================== BUG: KASAN: slab-use-after-free in l2cap_connect net/bluetooth/l2cap_core.c:3920 [inline] BUG: KASAN: slab-use-after-free in l2cap_connect_req net/bluetooth/l2cap_core.c:4061 [inline] BUG: KASAN: slab-use-after-free in l2cap_bredr_sig_cmd net/bluetooth/l2cap_core.c:4759 [inline] BUG: KASAN: slab-use-after-free in l2cap_sig_channel net/bluetooth/l2cap_core.c:5533 [inline] BUG: KASAN: slab-use-after-free in l2cap_recv_frame+0x19ca/0x107c0 net/bluetooth/l2cap_core.c:6793 Read of size 8 at addr ffff88802ab26000 by task kworker/u9:7/5103 CPU: 0 PID: 5103 Comm: kworker/u9:7 Not tainted 6.9.0-rc5-syzkaller-00007-g4d2008430ce8 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 Workqueue: hci3 hci_rx_work Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 l2cap_connect net/bluetooth/l2cap_core.c:3920 [inline] l2cap_connect_req net/bluetooth/l2cap_core.c:4061 [inline] l2cap_bredr_sig_cmd net/bluetooth/l2cap_core.c:4759 [inline] l2cap_sig_channel net/bluetooth/l2cap_core.c:5533 [inline] l2cap_recv_frame+0x19ca/0x107c0 net/bluetooth/l2cap_core.c:6793 hci_acldata_packet net/bluetooth/hci_core.c:3939 [inline] hci_rx_work+0x50f/0xca0 net/bluetooth/hci_core.c:4176 process_one_work kernel/workqueue.c:3254 [inline] process_scheduled_works+0xa10/0x17c0 kernel/workqueue.c:3335 worker_thread+0x86d/0xd70 kernel/workqueue.c:3416 kthread+0x2f0/0x390 kernel/kthread.c:388 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> Allocated by task 5096: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:370 [inline] __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387 kasan_kmalloc include/linux/kasan.h:211 [inline] kmalloc_trace+0x1db/0x360 mm/slub.c:3997 kmalloc include/linux/slab.h:628 [inline] kzalloc include/linux/slab.h:749 [inline] l2cap_conn_add+0xa9/0x9c0 net/bluetooth/l2cap_core.c:6836 l2cap_connect_cfm+0x136/0x1220 net/bluetooth/l2cap_core.c:7227 hci_connect_cfm include/net/bluetooth/hci_core.h:2007 [inline] hci_remote_features_evt+0x68b/0xa70 net/bluetooth/hci_event.c:3778 hci_event_func net/bluetooth/hci_event.c:7542 [inline] hci_event_packet+0xac0/0x1540 net/bluetooth/hci_event.c:7594 hci_rx_work+0x3e8/0xca0 net/bluetooth/hci_core.c:4171 process_one_work kernel/workqueue.c:3254 [inline] process_scheduled_works+0xa10/0x17c0 kernel/workqueue.c:3335 worker_thread+0x86d/0xd70 kernel/workqueue.c:3416 kthread+0x2f0/0x390 kernel/kthread.c:388 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Freed by task 5102: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579 poison_slab_object+0xa6/0xe0 mm/kasan/common.c:240 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256 kasan_slab_free include/linux/kasan.h:184 [inline] slab_free_hook mm/slub.c:2106 [inline] slab_free mm/slub.c:4280 [inline] kfree+0x153/0x3a0 mm/slub.c:4390 l2cap_connect_cfm+0x11f/0x1220 net/bluetooth/l2cap_core.c:7223 hci_connect_cfm include/net/bluetooth/hci_core.h:2007 [inline] hci_conn_failed+0x1f6/0x340 net/bluetooth/hci_conn.c:1230 hci_abort_conn_sync+0x583/0xde0 net/bluetooth/hci_sync.c:5567 hci_cmd_sync_work+0x22b/0x400 net/bluetooth/hci_sync.c:310 process_one_work kernel/workqueue.c:3254 [inline] process_scheduled_works+0xa10/0x17c0 kernel/workqueue.c:3335 worker_thread+0x86d/0xd70 kernel/workqueue.c:3416 kthread+0x2f0/0x390 kernel/kthread.c:388 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Last potentially related work creation: kasan_save_stack+0x3f/0x60 mm/kasan/common.c:47 __kasan_record_aux_stack+0xac/0xc0 mm/kasan/generic.c:541 insert_work+0x3e/0x330 kernel/workqueue.c:2248 __queue_work+0xc24/0xef0 kernel/workqueue.c:2400 call_timer_fn+0x18e/0x650 kernel/time/timer.c:1793 expire_timers kernel/time/timer.c:1839 [inline] __run_timers kernel/time/timer.c:2418 [inline] __run_timer_base+0x695/0x8e0 kernel/time/timer.c:2429 run_timer_base kernel/time/timer.c:2438 [inline] run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2448 __do_softirq+0x2c6/0x980 kernel/softirq.c:554 Second to last potentially related work creation: kasan_save_stack+0x3f/0x60 mm/kasan/common.c:47 __kasan_record_aux_stack+0xac/0xc0 mm/kasan/generic.c:541 insert_work+0x3e/0x330 kernel/workqueue.c:2248 __queue_work+0xb00/0xef0 kernel/workqueue.c:2404 queue_work_on+0x14f/0x250 kernel/workqueue.c:2435 queue_work include/linux/workqueue.h:605 [inline] l2cap_conn_ready net/bluetooth/l2cap_core.c:1613 [inline] l2cap_connect_cfm+0xec2/0x1220 net/bluetooth/l2cap_core.c:7268 hci_connect_cfm include/net/bluetooth/hci_core.h:2007 [inline] hci_remote_features_evt+0x68b/0xa70 net/bluetooth/hci_event.c:3778 hci_event_func net/bluetooth/hci_event.c:7542 [inline] hci_event_packet+0xac0/0x1540 net/bluetooth/hci_event.c:7594 hci_rx_work+0x3e8/0xca0 net/bluetooth/hci_core.c:4171 process_one_work kernel/workqueue.c:3254 [inline] process_scheduled_works+0xa10/0x17c0 kernel/workqueue.c:3335 worker_thread+0x86d/0xd70 kernel/workqueue.c:3416 kthread+0x2f0/0x390 kernel/kthread.c:388 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 The buggy address belongs to the object at ffff88802ab26000 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 0 bytes inside of freed 1024-byte region [ffff88802ab26000, ffff88802ab26400) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88802ab27000 pfn:0x2ab20 head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0xfff80000000a40(workingset|slab|head|node=0|zone=1|lastcpupid=0xfff) page_type: 0xffffffff() raw: 00fff80000000a40 ffff888015041dc0 ffffea0000b7c210 ffffea00008af410 raw: ffff88802ab27000 000000000010000e 00000001ffffffff 0000000000000000 head: 00fff80000000a40 ffff888015041dc0 ffffea0000b7c210 ffffea00008af410 head: ffff88802ab27000 000000000010000e 00000001ffffffff 0000000000000000 head: 00fff80000000003 ffffea0000aac801 ffffea0000aac848 00000000ffffffff head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid -1362480974 (swapper/0), ts 1, free_ts 0 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1ea/0x210 mm/page_alloc.c:1534 prep_new_page mm/page_alloc.c:1541 [inline] get_page_from_freelist+0x3410/0x35b0 mm/page_alloc.c:3317 __alloc_pages+0x256/0x6c0 mm/page_alloc.c:4575 __alloc_pages_node include/linux/gfp.h:238 [inline] alloc_pages_node include/linux/gfp.h:261 [inline] alloc_slab_page+0x5f/0x160 mm/slub.c:2175 allocate_slab mm/slub.c:2338 [inline] new_slab+0x84/0x2f0 mm/slub.c:2391 ___slab_alloc+0xc73/0x1260 mm/slub.c:3525 __slab_alloc mm/slub.c:3610 [inline] __slab_alloc_node mm/slub.c:3663 [inline] slab_alloc_node mm/slub.c:3835 [inline] kmalloc_trace+0x269/0x360 mm/slub.c:3992 kmalloc include/linux/slab.h:628 [inline] kzalloc include/linux/slab.h:749 [inline] fqdir_init+0x59/0x170 net/ipv4/inet_fragment.c:192 lowpan_frags_init_net+0x33/0x310 net/ieee802154/6lowpan/reassembly.c:453 ops_init+0x352/0x610 net/core/net_namespace.c:136 __register_pernet_operations net/core/net_namespace.c:1243 [inline] register_pernet_operations+0x2cb/0x660 net/core/net_namespace.c:1312 register_pernet_subsys+0x28/0x40 net/core/net_namespace.c:1353 lowpan_net_frag_init+0xb2/0x100 net/ieee802154/6lowpan/reassembly.c:538 lowpan_init_module+0x10/0x90 net/ieee802154/6lowpan/core.c:250 do_one_initcall+0x248/0x880 init/main.c:1245 do_initcall_level+0x157/0x210 init/main.c:1307 page_owner free stack trace missing Memory state around the buggy address: ffff88802ab25f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88802ab25f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88802ab26000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88802ab26080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88802ab26100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2024/04/23 07:37 | upstream | 4d2008430ce8 | 21339d7b | .config | console log | report | syz | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce | KASAN: slab-use-after-free Read in l2cap_recv_frame |