syzbot


KASAN: slab-use-after-free Read in bt_accept_unlink

Status: upstream: reported on 2024/10/21 08:47
Subsystems: bluetooth
[Documentation on labels]
Reported-by: syzbot+a1595e656a83ea5b78eb@syzkaller.appspotmail.com
First crash: 66d, last: 14d
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [bluetooth?] KASAN: slab-use-after-free Read in bt_accept_unlink 0 (1) 2024/10/21 08:47
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream general protection fault in bt_accept_unlink (2) bluetooth 1 1374d 1370d 0/28 auto-closed as invalid on 2021/07/01 06:33

Sample crash report:
Bluetooth: hci1: Opcode 0x0c1a failed: -110
Bluetooth: hci1: Opcode 0x0406 failed: -110
==================================================================
BUG: KASAN: slab-use-after-free in __list_del_entry_valid_or_report+0x1a6/0x1c0 lib/list_debug.c:62
Read of size 8 at addr ffff8880616ac550 by task syz.0.6665/30046

CPU: 1 UID: 0 PID: 30046 Comm: syz.0.6665 Not tainted 6.12.0-rc4-syzkaller-00261-g850925a8133c #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:488
 kasan_report+0xd9/0x110 mm/kasan/report.c:601
 __list_del_entry_valid_or_report+0x1a6/0x1c0 lib/list_debug.c:62
 __list_del_entry_valid include/linux/list.h:124 [inline]
 __list_del_entry include/linux/list.h:215 [inline]
 list_del_init include/linux/list.h:287 [inline]
 bt_accept_unlink+0x34/0x2e0 net/bluetooth/af_bluetooth.c:256
 l2cap_sock_teardown_cb+0x1a3/0x3c0 net/bluetooth/l2cap_sock.c:1599
 l2cap_chan_del+0xba/0x900 net/bluetooth/l2cap_core.c:658
 l2cap_conn_del+0x37c/0x730 net/bluetooth/l2cap_core.c:1785
 l2cap_connect_cfm+0x9e6/0xf80 net/bluetooth/l2cap_core.c:7233
 hci_connect_cfm include/net/bluetooth/hci_core.h:1960 [inline]
 hci_conn_failed+0x1c3/0x340 net/bluetooth/hci_conn.c:1265
 hci_abort_conn_sync+0x75a/0xb50 net/bluetooth/hci_sync.c:5592
 hci_disconnect_all_sync.constprop.0+0x104/0x3c0 net/bluetooth/hci_sync.c:5615
 hci_suspend_sync+0x772/0xab0 net/bluetooth/hci_sync.c:6092
 hci_suspend_dev+0x30a/0x510 net/bluetooth/hci_core.c:2832
 hci_suspend_notifier+0x28d/0x2f0 net/bluetooth/hci_core.c:2412
 notifier_call_chain+0xb9/0x410 kernel/notifier.c:93
 notifier_call_chain_robust kernel/notifier.c:128 [inline]
 blocking_notifier_call_chain_robust kernel/notifier.c:353 [inline]
 blocking_notifier_call_chain_robust+0xc9/0x170 kernel/notifier.c:341
 pm_notifier_call_chain_robust+0x27/0x60 kernel/power/main.c:102
 snapshot_open+0x189/0x2b0 kernel/power/user.c:77
 misc_open+0x35a/0x420 drivers/char/misc.c:165
 chrdev_open+0x237/0x6a0 fs/char_dev.c:414
 do_dentry_open+0x6ca/0x1530 fs/open.c:958
 vfs_open+0x82/0x3f0 fs/open.c:1088
 do_open fs/namei.c:3774 [inline]
 path_openat+0x1e6a/0x2d60 fs/namei.c:3933
 do_filp_open+0x1dc/0x430 fs/namei.c:3960
 do_sys_openat2+0x17a/0x1e0 fs/open.c:1415
 do_sys_open fs/open.c:1430 [inline]
 __do_sys_openat fs/open.c:1446 [inline]
 __se_sys_openat fs/open.c:1441 [inline]
 __x64_sys_openat+0x175/0x210 fs/open.c:1441
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5c4937e719
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f5c4a255038 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f5c49535f80 RCX: 00007f5c4937e719
RDX: 0000000000000100 RSI: 0000000020000280 RDI: 00000000ffffff9c
RBP: 00007f5c493f132e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f5c49535f80 R15: 00007fff26c36148
 </TASK>

Allocated by task 29368:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:257 [inline]
 __do_kmalloc_node mm/slub.c:4264 [inline]
 __kmalloc_noprof+0x1e8/0x400 mm/slub.c:4276
 kmalloc_noprof include/linux/slab.h:882 [inline]
 sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2164
 sk_alloc+0x36/0xb90 net/core/sock.c:2217
 __netlink_create+0x5e/0x2c0 net/netlink/af_netlink.c:646
 netlink_create+0x3a4/0x630 net/netlink/af_netlink.c:704
 __sock_create+0x32e/0x840 net/socket.c:1576
 sock_create net/socket.c:1632 [inline]
 __sys_socket_create net/socket.c:1669 [inline]
 __sys_socket+0x14f/0x260 net/socket.c:1716
 __do_sys_socket net/socket.c:1730 [inline]
 __se_sys_socket net/socket.c:1728 [inline]
 __x64_sys_socket+0x72/0xb0 net/socket.c:1728
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 25875:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:2342 [inline]
 slab_free mm/slub.c:4579 [inline]
 kfree+0x14f/0x4b0 mm/slub.c:4727
 sk_prot_free net/core/sock.c:2200 [inline]
 __sk_destruct+0x5eb/0x720 net/core/sock.c:2292
 sk_destruct+0xc2/0xf0 net/core/sock.c:2307
 __sk_free+0xf4/0x3e0 net/core/sock.c:2318
 sk_free+0x6a/0x90 net/core/sock.c:2329
 deferred_put_nlk_sk+0x13f/0x2d0 net/netlink/af_netlink.c:740
 rcu_do_batch kernel/rcu/tree.c:2567 [inline]
 rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823
 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554
 __do_softirq kernel/softirq.c:588 [inline]
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu kernel/softirq.c:637 [inline]
 irq_exit_rcu+0xbb/0x120 kernel/softirq.c:649
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
 sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1049
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702

Last potentially related work creation:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 __kasan_record_aux_stack+0xba/0xd0 mm/kasan/generic.c:541
 __call_rcu_common.constprop.0+0x99/0x7a0 kernel/rcu/tree.c:3086
 netlink_release+0x1206/0x1ff0 net/netlink/af_netlink.c:823
 __sock_release+0xb0/0x270 net/socket.c:658
 sock_close+0x1c/0x30 net/socket.c:1426
 __fput+0x3f6/0xb60 fs/file_table.c:431
 task_work_run+0x14e/0x250 kernel/task_work.c:239
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x27b/0x2a0 kernel/entry/common.c:218
 do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff8880616ac000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1360 bytes inside of
 freed 2048-byte region [ffff8880616ac000, ffff8880616ac800)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880616ab000 pfn:0x616a8
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000240(workingset|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000240 ffff88801b042f00 ffffea000168da10 ffffea0000e3f010
raw: ffff8880616ab000 0000000000080002 00000001f5000000 0000000000000000
head: 00fff00000000240 ffff88801b042f00 ffffea000168da10 ffffea0000e3f010
head: ffff8880616ab000 0000000000080002 00000001f5000000 0000000000000000
head: 00fff00000000003 ffffea000185aa01 ffffffffffffffff 0000000000000000
head: ffff888000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 10848, tgid 10848 (kworker/2:4), ts 1027188475703, free_ts 1027188418619
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457
 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733
 alloc_pages_mpol_noprof+0x2c9/0x610 mm/mempolicy.c:2265
 alloc_slab_page mm/slub.c:2412 [inline]
 allocate_slab mm/slub.c:2578 [inline]
 new_slab+0x2ba/0x3f0 mm/slub.c:2631
 ___slab_alloc+0xdac/0x1880 mm/slub.c:3818
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3908
 __slab_alloc_node mm/slub.c:3961 [inline]
 slab_alloc_node mm/slub.c:4122 [inline]
 __do_kmalloc_node mm/slub.c:4263 [inline]
 __kmalloc_node_track_caller_noprof+0x355/0x430 mm/slub.c:4283
 kmalloc_reserve+0xef/0x2c0 net/core/skbuff.c:609
 __alloc_skb+0x164/0x380 net/core/skbuff.c:678
 alloc_skb include/linux/skbuff.h:1322 [inline]
 alloc_skb_with_frags+0xe4/0x850 net/core/skbuff.c:6612
 sock_alloc_send_pskb+0x7f1/0x980 net/core/sock.c:2883
 sock_alloc_send_skb include/net/sock.h:1782 [inline]
 mld_newpack.isra.0+0x1ed/0x790 net/ipv6/mcast.c:1747
 add_grhead+0x299/0x340 net/ipv6/mcast.c:1850
 add_grec+0x111e/0x1670 net/ipv6/mcast.c:1988
 mld_send_cr net/ipv6/mcast.c:2114 [inline]
 mld_ifc_work+0x41f/0xca0 net/ipv6/mcast.c:2651
page last free pid 10848 tgid 10848 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638
 __put_partials+0x14c/0x170 mm/slub.c:3145
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x4e/0x120 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x192/0x1e0 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:329
 kasan_slab_alloc include/linux/kasan.h:247 [inline]
 slab_post_alloc_hook mm/slub.c:4085 [inline]
 slab_alloc_node mm/slub.c:4134 [inline]
 kmem_cache_alloc_node_noprof+0x153/0x310 mm/slub.c:4186
 __alloc_skb+0x2b1/0x380 net/core/skbuff.c:668
 alloc_skb include/linux/skbuff.h:1322 [inline]
 alloc_skb_with_frags+0xe4/0x850 net/core/skbuff.c:6612
 sock_alloc_send_pskb+0x7f1/0x980 net/core/sock.c:2883
 sock_alloc_send_skb include/net/sock.h:1782 [inline]
 mld_newpack.isra.0+0x1ed/0x790 net/ipv6/mcast.c:1747
 add_grhead+0x299/0x340 net/ipv6/mcast.c:1850
 add_grec+0x111e/0x1670 net/ipv6/mcast.c:1988
 mld_send_cr net/ipv6/mcast.c:2114 [inline]
 mld_ifc_work+0x41f/0xca0 net/ipv6/mcast.c:2651
 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
 process_scheduled_works kernel/workqueue.c:3310 [inline]
 worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
 kthread+0x2c1/0x3a0 kernel/kthread.c:389

Memory state around the buggy address:
 ffff8880616ac400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880616ac480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880616ac500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                 ^
 ffff8880616ac580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880616ac600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (6):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/10/27 14:44 upstream 850925a8133c 65e8686b .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream KASAN: slab-use-after-free Read in bt_accept_unlink
2024/10/10 10:49 upstream d3d1556696c1 a156c552 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream KASAN: slab-use-after-free Read in bt_accept_unlink
2024/10/01 18:11 upstream e32cde8d2bd7 e9f6e118 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream KASAN: slab-use-after-free Read in bt_accept_unlink
2024/11/22 18:55 linux-next cfba9f07a1d6 68da6d95 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: slab-use-after-free Read in bt_accept_unlink
2024/11/21 22:47 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 7b1d1d4cfac0 4b25d554 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: slab-use-after-free Read in bt_accept_unlink
2024/11/14 00:56 upstream f1b785f4c787 a8c99394 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root KASAN: slab-out-of-bounds Read in bt_accept_unlink
* Struck through repros no longer work on HEAD.