syzbot


KASAN: use-after-free Read in l2cap_chan_close

Status: fixed on 2020/09/16 22:51
Reported-by: syzbot+96414aa0033c363d8458@syzkaller.appspotmail.com
Fix commit: f9c70bdc279b Bluetooth: add a mutex lock to avoid UAF in do_enale_set
First crash: 1710d, last: 1529d
Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: WARNING in sysfs_warn_dup (log)
Repro: C syz .config
Discussions (17)
Title Replies (including bot) Last reply
[PATCH 4.4 000/149] 4.4.233-rc1 review 163 (163) 2020/10/31 20:04
Re: [PATCH] 6lowpan: Add missing locking 1 (1) 2020/09/20 20:51
[PATCH] 6lowpan: Add missing locking 1 (1) 2020/09/20 09:08
[PATCH 4.9 000/212] 4.9.233-rc1 review 220 (220) 2020/08/21 09:40
[PATCH 4.19 000/168] 4.19.140-rc1 review 183 (183) 2020/08/21 08:05
[PATCH 4.14 000/228] 4.14.194-rc1 review 234 (234) 2020/08/21 06:59
[PATCH 5.8 000/464] 5.8.2-rc1 review 475 (475) 2020/08/19 06:11
[PATCH 5.4 000/270] 5.4.59-rc1 review 275 (275) 2020/08/18 22:37
[PATCH 5.7 000/393] 5.7.16-rc1 review 398 (398) 2020/08/18 22:36
[PATCH AUTOSEL 5.7 01/60] drm/tilcdc: fix leak & null ref in panel_connector_get_modes 64 (64) 2020/08/15 23:07
[PATCH AUTOSEL 4.4 01/16] drm/tilcdc: fix leak & null ref in panel_connector_get_modes 18 (18) 2020/08/11 13:47
[PATCH AUTOSEL 4.9 01/17] drm/tilcdc: fix leak & null ref in panel_connector_get_modes 17 (17) 2020/08/10 19:14
[PATCH AUTOSEL 4.14 01/22] drm/tilcdc: fix leak & null ref in panel_connector_get_modes 22 (22) 2020/08/10 19:13
[PATCH AUTOSEL 4.19 01/31] drm/tilcdc: fix leak & null ref in panel_connector_get_modes 31 (31) 2020/08/10 19:12
[PATCH AUTOSEL 5.4 01/45] drm/tilcdc: fix leak & null ref in panel_connector_get_modes 45 (45) 2020/08/10 19:11
[PATCH AUTOSEL 5.8 01/64] drm/tilcdc: fix leak & null ref in panel_connector_get_modes 64 (64) 2020/08/10 19:08
KASAN: use-after-free Read in l2cap_chan_close 0 (1) 2020/02/07 17:18
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.14 KASAN: use-after-free Read in l2cap_chan_close C inconclusive 10 1527d 1709d 0/1 upstream: reported C repro on 2020/02/08 02:54
linux-4.19 KASAN: use-after-free Read in l2cap_chan_close C done 8 1528d 1711d 1/1 fixed on 2020/09/09 05:22

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in l2cap_chan_close+0x564/0xb10 net/bluetooth/l2cap_core.c:794
Read of size 1 at addr ffff88809d984020 by task kworker/1:1/23

CPU: 1 PID: 23 Comm: kworker/1:1 Not tainted 5.8.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events do_enable_set
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x18f/0x20d lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xae/0x436 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
 l2cap_chan_close+0x564/0xb10 net/bluetooth/l2cap_core.c:794
 do_enable_set+0x4ed/0x980 net/bluetooth/6lowpan.c:1082
 process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
 kthread+0x3b5/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

Allocated by task 23:
 save_stack+0x1b/0x40 mm/kasan/common.c:48
 set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:494
 kmem_cache_alloc_trace+0x14f/0x2d0 mm/slab.c:3551
 kmalloc include/linux/slab.h:555 [inline]
 kzalloc include/linux/slab.h:669 [inline]
 l2cap_chan_create+0x40/0x3a0 net/bluetooth/l2cap_core.c:450
 chan_create net/bluetooth/6lowpan.c:648 [inline]
 bt_6lowpan_listen net/bluetooth/6lowpan.c:967 [inline]
 do_enable_set+0x52f/0x980 net/bluetooth/6lowpan.c:1086
 process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
 kthread+0x3b5/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

Freed by task 2578:
 save_stack+0x1b/0x40 mm/kasan/common.c:48
 set_track mm/kasan/common.c:56 [inline]
 kasan_set_free_info mm/kasan/common.c:316 [inline]
 __kasan_slab_free+0xf5/0x140 mm/kasan/common.c:455
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x103/0x2c0 mm/slab.c:3757
 l2cap_chan_destroy net/bluetooth/l2cap_core.c:488 [inline]
 kref_put include/linux/kref.h:65 [inline]
 l2cap_chan_put+0x1b2/0x230 net/bluetooth/l2cap_core.c:502
 do_enable_set+0x4f9/0x980 net/bluetooth/6lowpan.c:1083
 process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
 kthread+0x3b5/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

The buggy address belongs to the object at ffff88809d984000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 32 bytes inside of
 2048-byte region [ffff88809d984000, ffff88809d984800)
The buggy address belongs to the page:
page:ffffea0002766100 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea000276f6c8 ffffea0002a20f88 ffff8880aa000e00
raw: 0000000000000000 ffff88809d984000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809d983f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88809d983f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88809d984000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                               ^
 ffff88809d984080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88809d984100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
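The report above already contains the whole story of the race: the channel was allocated by worker task 23 in do_enable_set (6lowpan.c:1086), freed by task 2578 in another run of do_enable_set via l2cap_chan_put/kref_put (6lowpan.c:1083), and then read at offset 32 by task 23 in l2cap_chan_close from do_enable_set (6lowpan.c:1082). The script below is an added example, not syzbot's tooling or kernel code: it parses a KASAN report into those fields and derives the race indicators a reviewer checks first (different tasks for free and use, the same routine on both stacks, a kref_put on the free stack, a workqueue item as the user). The embedded sample is an excerpt of the report above with the generic scheduler and allocator frames trimmed; the function names parse_kasan_report, frame_sites and triage are this example's own.

```python
"""Triage helper for KASAN reports like the one above (added example, not
syzbot or kernel code). parse_kasan_report/frame_sites/triage are my names."""
import re

# Excerpt of the report above (generic frames trimmed), embedded so this runs
# offline. The leading space on stack lines is significant.
SAMPLE_REPORT = """\
BUG: KASAN: use-after-free in l2cap_chan_close+0x564/0xb10 net/bluetooth/l2cap_core.c:794
Read of size 1 at addr ffff88809d984020 by task kworker/1:1/23
Workqueue: events do_enable_set
Call Trace:
 l2cap_chan_close+0x564/0xb10 net/bluetooth/l2cap_core.c:794
 do_enable_set+0x4ed/0x980 net/bluetooth/6lowpan.c:1082
 process_one_work+0x94c/0x1670 kernel/workqueue.c:2269

Allocated by task 23:
 l2cap_chan_create+0x40/0x3a0 net/bluetooth/l2cap_core.c:450
 chan_create net/bluetooth/6lowpan.c:648 [inline]
 do_enable_set+0x52f/0x980 net/bluetooth/6lowpan.c:1086

Freed by task 2578:
 kfree+0x103/0x2c0 mm/slab.c:3757
 l2cap_chan_destroy net/bluetooth/l2cap_core.c:488 [inline]
 kref_put include/linux/kref.h:65 [inline]
 l2cap_chan_put+0x1b2/0x230 net/bluetooth/l2cap_core.c:502
 do_enable_set+0x4f9/0x980 net/bluetooth/6lowpan.c:1083

The buggy address belongs to the object at ffff88809d984000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 32 bytes inside of
 2048-byte region [ffff88809d984000, ffff88809d984800)
"""

HEADER_RE = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\w+)\+0x[0-9a-f]+/0x[0-9a-f]+ (?P<loc>\S+)$", re.M)
ACCESS_RE = re.compile(r"^(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<comm>\S+)/(?P<pid>\d+)$", re.M)
WQ_RE = re.compile(r"^Workqueue: (?P<wq>\S+) (?P<work>\S+)$", re.M)
TRACE_RE = re.compile(r"^Call Trace:\n(?P<frames>(?: .+\n)+)", re.M)
OWNER_RE = re.compile(r"^(?P<title>Allocated|Freed) by task (?P<pid>\d+):\n(?P<frames>(?: .+\n)+)", re.M)
FRAME_RE = re.compile(r"^\s*(?P<func>[\w.]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)? (?P<loc>\S+)(?: \[inline\])?$")
OBJECT_RE = re.compile(r"belongs to the object at (?P<base>[0-9a-f]+)\n which belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
OFFSET_RE = re.compile(r"located (?P<off>\d+) bytes inside of")
# Scheduler, reporting and allocator frames present in every stack; they carry no blame.
GENERIC = {"process_one_work", "worker_thread", "kthread", "ret_from_fork", "dump_stack",
           "__dump_stack", "kasan_report", "__kasan_report", "kfree", "__cache_free",
           "kmem_cache_alloc_trace", "kmalloc", "kzalloc"}

def _frames(block):
    """Indented stack block -> [(function, file:line), ...], innermost first."""
    return [(m.group("func"), m.group("loc")) for m in map(FRAME_RE.match, block.splitlines()) if m]

def parse_kasan_report(text):
    """Extract the fields of a KASAN report that matter for triage."""
    hdr, acc = HEADER_RE.search(text), ACCESS_RE.search(text)
    if not hdr or not acc:
        raise ValueError("not a KASAN report")
    rep = {"kind": hdr.group("kind"), "func": hdr.group("func"), "loc": hdr.group("loc"),
           "op": acc.group("op"), "size": int(acc.group("size")), "addr": int(acc.group("addr"), 16),
           "access_pid": int(acc.group("pid")), "alloc_pid": None, "free_pid": None,
           "workqueue": None, "stacks": {}, "base": None, "cache": None, "obj_size": None, "offset": None}
    wq, tr = WQ_RE.search(text), TRACE_RE.search(text)
    if wq:
        rep["workqueue"] = (wq.group("wq"), wq.group("work"))
    if tr:
        rep["stacks"]["access"] = _frames(tr.group("frames"))
    for m in OWNER_RE.finditer(text):
        key = "alloc" if m.group("title") == "Allocated" else "free"
        rep["stacks"][key] = _frames(m.group("frames"))
        rep[key + "_pid"] = int(m.group("pid"))
    obj, off = OBJECT_RE.search(text), OFFSET_RE.search(text)
    if obj:
        rep["base"], rep["cache"] = int(obj.group("base"), 16), obj.group("cache")
        rep["obj_size"] = int(obj.group("size"))
    if off:
        rep["offset"] = int(off.group("off"))
        # A report whose stated offset disagrees with addr - base has been garbled in transit.
        if rep["base"] is not None and rep["addr"] - rep["base"] != rep["offset"]:
            raise ValueError("stated offset disagrees with addr - object base")
    return rep

def frame_sites(rep, func):
    """file:line at which `func` appears in each stack: the lines a lock must cover."""
    return {name: loc for name, frames in rep["stacks"].items() for f, loc in frames if f == func}

def triage(rep):
    """Lifetime-race indicators, in the order a reviewer would check them."""
    stacks, findings = rep["stacks"], []
    blame = lambda k: [f for f, _ in stacks.get(k, []) if f not in GENERIC]
    shared = [f for f in blame("access") if f in blame("free")]
    if rep["free_pid"] is not None and rep["free_pid"] != rep["access_pid"]:
        findings.append("freed by task %d, used by task %d: two concurrent paths" % (rep["free_pid"], rep["access_pid"]))
    if shared:
        sites = ", ".join("%s at %s" % kv for kv in sorted(frame_sites(rep, shared[0]).items()))
        findings.append("use and free both pass through %s, so the routine races with itself; a lock must cover %s" % (shared[0], sites))
    if any(f == "kref_put" for f, _ in stacks.get("free", [])):
        findings.append("freed via kref_put: last reference dropped while another path still used a bare pointer")
    if rep["workqueue"]:
        findings.append("use runs as workqueue '%s' item %s: check whether that work can be queued and run twice concurrently" % rep["workqueue"])
    if rep["offset"] is not None:
        findings.append("%s of %d byte(s) at offset %d into a %d-byte %s object" % (rep["op"], rep["size"], rep["offset"], rep["obj_size"], rep["cache"]))
    return findings

if __name__ == "__main__":
    for line in triage(parse_kasan_report(SAMPLE_REPORT)):
        print("-", line)
```

Run on the sample it yields five findings; the second one lists do_enable_set at 6lowpan.c:1082 (access), :1083 (free) and :1086 (alloc), which is the close/put/create sequence that two concurrent runs of the same work item interleaved, and is consistent with the fix commit serialising do_enable_set with a mutex. The offset consistency check matters when reports arrive through mail or bug trackers that wrap or truncate the address lines.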

Crashes (37):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2020/08/06 05:05 upstream fffe3ae0ee84 0487ea6f .config console log report syz C ci-upstream-kasan-gce-root
2020/08/05 17:49 upstream 442489c21923 b7129355 .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/08/05 04:26 upstream c0842fbc1b18 80a06902 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/08/04 20:05 upstream c0842fbc1b18 80a06902 .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/08/04 18:44 upstream c0842fbc1b18 80a06902 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/08/04 12:09 upstream 3208167a865e 196277c4 .config console log report syz C ci-upstream-kasan-gce-root
2020/05/23 23:52 upstream 423b8baf18a8 9682898d .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/05/22 12:29 upstream d2f8825ab78e 5afa2ddd .config console log report syz C ci-upstream-kasan-gce-root
2020/05/18 03:08 upstream b9bbe6ed63b2 37bccd4e .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/05/14 12:51 upstream 24085f70a6e1 2d572622 .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/05/04 16:30 upstream 0e698dfa2822 58ae5e18 .config console log report syz C ci-upstream-kasan-gce-root
2020/04/14 04:51 upstream 8f3d9f354286 7c54686a .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/03/03 11:03 upstream 63623fd44972 c88c7b75 .config console log report syz C ci-upstream-kasan-gce-root
2020/02/29 10:52 upstream f8788d86ab28 59b57593 .config console log report syz C ci-upstream-kasan-gce
2020/02/29 08:26 upstream f8788d86ab28 59b57593 .config console log report syz C ci-upstream-kasan-gce
2020/02/08 23:02 upstream f757165705e9 06150bf1 .config console log report syz C ci-upstream-kasan-gce-root
2020/02/08 05:17 upstream 41dcd67e8868 06150bf1 .config console log report syz C ci-upstream-kasan-gce
2020/02/07 12:55 upstream 90568ecf5615 06150bf1 .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/05/18 04:36 upstream b9bbe6ed63b2 37bccd4e .config console log report syz C ci-upstream-kasan-gce-386
2020/02/28 06:54 upstream f8788d86ab28 59b57593 .config console log report syz C ci-upstream-kasan-gce-386
2020/05/20 15:49 linux-next ac935d227366 1255f02a .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2020/05/05 16:39 linux-next ac935d227366 4b76dd25 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2020/05/18 03:48 upstream 9b1f2cbdb6d3 37bccd4e .config console log report syz ci-upstream-kasan-gce
2020/07/13 11:41 upstream 11ba468877bb f90ec899 .config console log report ci-upstream-kasan-gce-root
2020/06/30 18:37 upstream 9ebcfadb0610 a2cdad9d .config console log report ci-upstream-kasan-gce-smack-root
2020/06/30 01:24 upstream 4e99b32169e8 a2cdad9d .config console log report ci-upstream-kasan-gce-selinux-root
2020/06/28 05:38 upstream 1590a2e1c681 ffec44b5 .config console log report ci-upstream-kasan-gce-smack-root
2020/06/27 04:06 upstream 1590a2e1c681 ffec44b5 .config console log report ci-upstream-kasan-gce
2020/06/15 10:36 upstream 7ae77150d94d 8e3ab941 .config console log report ci-upstream-kasan-gce
2020/05/30 04:30 upstream 86852175b016 954bd312 .config console log report ci-upstream-kasan-gce
2020/04/26 03:00 upstream b2768df24ec4 99b258dd .config console log report ci-upstream-kasan-gce-root
2020/04/26 00:05 upstream b2768df24ec4 b8bb8e5f .config console log report ci-upstream-kasan-gce-root
2020/04/14 14:20 upstream 8f3d9f354286 3f3c5574 .config console log report ci-upstream-kasan-gce-smack-root
2020/04/09 19:28 upstream 5d30bcacd91a a8c6a3f8 .config console log report ci-upstream-kasan-gce-smack-root
2020/03/24 17:44 upstream 76ccd234269b 68660b21 .config console log report ci-upstream-kasan-gce-selinux-root
2020/06/27 13:21 upstream 1590a2e1c681 ffec44b5 .config console log report ci-upstream-kasan-gce-386
2020/05/15 09:30 upstream 1ae7efb38854 2d572622 .config console log report ci-qemu-upstream-386
* Struck through repros no longer work on HEAD.