| Title | Replies (including bot) | Last reply |
|---|---|---|
| [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in bt_accept_unlink | 0 (1) | 2024/10/21 08:47 |
syzbot |
sign-in | mailing list | source | docs |
| Title | Replies (including bot) | Last reply |
|---|---|---|
| [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in bt_accept_unlink | 0 (1) | 2024/10/21 08:47 |
Bluetooth: hci1: Opcode 0x0c1a failed: -110 Bluetooth: hci1: Opcode 0x0406 failed: -110 ================================================================== BUG: KASAN: slab-use-after-free in __list_del_entry_valid_or_report+0x1a6/0x1c0 lib/list_debug.c:62 Read of size 8 at addr ffff8880616ac550 by task syz.0.6665/30046 CPU: 1 UID: 0 PID: 30046 Comm: syz.0.6665 Not tainted 6.12.0-rc4-syzkaller-00261-g850925a8133c #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:377 [inline] print_report+0xc3/0x620 mm/kasan/report.c:488 kasan_report+0xd9/0x110 mm/kasan/report.c:601 __list_del_entry_valid_or_report+0x1a6/0x1c0 lib/list_debug.c:62 __list_del_entry_valid include/linux/list.h:124 [inline] __list_del_entry include/linux/list.h:215 [inline] list_del_init include/linux/list.h:287 [inline] bt_accept_unlink+0x34/0x2e0 net/bluetooth/af_bluetooth.c:256 l2cap_sock_teardown_cb+0x1a3/0x3c0 net/bluetooth/l2cap_sock.c:1599 l2cap_chan_del+0xba/0x900 net/bluetooth/l2cap_core.c:658 l2cap_conn_del+0x37c/0x730 net/bluetooth/l2cap_core.c:1785 l2cap_connect_cfm+0x9e6/0xf80 net/bluetooth/l2cap_core.c:7233 hci_connect_cfm include/net/bluetooth/hci_core.h:1960 [inline] hci_conn_failed+0x1c3/0x340 net/bluetooth/hci_conn.c:1265 hci_abort_conn_sync+0x75a/0xb50 net/bluetooth/hci_sync.c:5592 hci_disconnect_all_sync.constprop.0+0x104/0x3c0 net/bluetooth/hci_sync.c:5615 hci_suspend_sync+0x772/0xab0 net/bluetooth/hci_sync.c:6092 hci_suspend_dev+0x30a/0x510 net/bluetooth/hci_core.c:2832 hci_suspend_notifier+0x28d/0x2f0 net/bluetooth/hci_core.c:2412 notifier_call_chain+0xb9/0x410 kernel/notifier.c:93 notifier_call_chain_robust kernel/notifier.c:128 [inline] blocking_notifier_call_chain_robust kernel/notifier.c:353 [inline] blocking_notifier_call_chain_robust+0xc9/0x170 kernel/notifier.c:341 pm_notifier_call_chain_robust+0x27/0x60 kernel/power/main.c:102 snapshot_open+0x189/0x2b0 kernel/power/user.c:77 misc_open+0x35a/0x420 drivers/char/misc.c:165 chrdev_open+0x237/0x6a0 fs/char_dev.c:414 do_dentry_open+0x6ca/0x1530 fs/open.c:958 vfs_open+0x82/0x3f0 fs/open.c:1088 do_open fs/namei.c:3774 [inline] path_openat+0x1e6a/0x2d60 fs/namei.c:3933 do_filp_open+0x1dc/0x430 fs/namei.c:3960 do_sys_openat2+0x17a/0x1e0 fs/open.c:1415 do_sys_open fs/open.c:1430 [inline] __do_sys_openat fs/open.c:1446 [inline] __se_sys_openat fs/open.c:1441 [inline] __x64_sys_openat+0x175/0x210 fs/open.c:1441 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f5c4937e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f5c4a255038 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: ffffffffffffffda RBX: 00007f5c49535f80 RCX: 00007f5c4937e719 RDX: 0000000000000100 RSI: 0000000020000280 RDI: 00000000ffffff9c RBP: 00007f5c493f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f5c49535f80 R15: 00007fff26c36148 </TASK> Allocated by task 29368: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:257 [inline] __do_kmalloc_node mm/slub.c:4264 [inline] __kmalloc_noprof+0x1e8/0x400 mm/slub.c:4276 kmalloc_noprof include/linux/slab.h:882 [inline] sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2164 sk_alloc+0x36/0xb90 net/core/sock.c:2217 __netlink_create+0x5e/0x2c0 net/netlink/af_netlink.c:646 netlink_create+0x3a4/0x630 net/netlink/af_netlink.c:704 __sock_create+0x32e/0x840 net/socket.c:1576 sock_create net/socket.c:1632 [inline] __sys_socket_create net/socket.c:1669 [inline] __sys_socket+0x14f/0x260 net/socket.c:1716 __do_sys_socket net/socket.c:1730 [inline] __se_sys_socket net/socket.c:1728 [inline] __x64_sys_socket+0x72/0xb0 net/socket.c:1728 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 25875: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:230 [inline] slab_free_hook mm/slub.c:2342 [inline] slab_free mm/slub.c:4579 [inline] kfree+0x14f/0x4b0 mm/slub.c:4727 sk_prot_free net/core/sock.c:2200 [inline] __sk_destruct+0x5eb/0x720 net/core/sock.c:2292 sk_destruct+0xc2/0xf0 net/core/sock.c:2307 __sk_free+0xf4/0x3e0 net/core/sock.c:2318 sk_free+0x6a/0x90 net/core/sock.c:2329 deferred_put_nlk_sk+0x13f/0x2d0 net/netlink/af_netlink.c:740 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 __do_softirq kernel/softirq.c:588 [inline] invoke_softirq kernel/softirq.c:428 [inline] __irq_exit_rcu kernel/softirq.c:637 [inline] irq_exit_rcu+0xbb/0x120 kernel/softirq.c:649 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline] sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1049 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 Last potentially related work creation: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 __kasan_record_aux_stack+0xba/0xd0 mm/kasan/generic.c:541 __call_rcu_common.constprop.0+0x99/0x7a0 kernel/rcu/tree.c:3086 netlink_release+0x1206/0x1ff0 net/netlink/af_netlink.c:823 __sock_release+0xb0/0x270 net/socket.c:658 sock_close+0x1c/0x30 net/socket.c:1426 __fput+0x3f6/0xb60 fs/file_table.c:431 task_work_run+0x14e/0x250 kernel/task_work.c:239 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] exit_to_user_mode_loop kernel/entry/common.c:114 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0x27b/0x2a0 kernel/entry/common.c:218 do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff8880616ac000 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 1360 bytes inside of freed 2048-byte region [ffff8880616ac000, ffff8880616ac800) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880616ab000 pfn:0x616a8 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0xfff00000000240(workingset|head|node=0|zone=1|lastcpupid=0x7ff) page_type: f5(slab) raw: 00fff00000000240 ffff88801b042f00 ffffea000168da10 ffffea0000e3f010 raw: ffff8880616ab000 0000000000080002 00000001f5000000 0000000000000000 head: 00fff00000000240 ffff88801b042f00 ffffea000168da10 ffffea0000e3f010 head: ffff8880616ab000 0000000000080002 00000001f5000000 0000000000000000 head: 00fff00000000003 ffffea000185aa01 ffffffffffffffff 0000000000000000 head: ffff888000000008 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 10848, tgid 10848 (kworker/2:4), ts 1027188475703, free_ts 1027188418619 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_mpol_noprof+0x2c9/0x610 mm/mempolicy.c:2265 alloc_slab_page mm/slub.c:2412 [inline] allocate_slab mm/slub.c:2578 [inline] new_slab+0x2ba/0x3f0 mm/slub.c:2631 ___slab_alloc+0xdac/0x1880 mm/slub.c:3818 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3908 __slab_alloc_node mm/slub.c:3961 [inline] slab_alloc_node mm/slub.c:4122 [inline] __do_kmalloc_node mm/slub.c:4263 [inline] __kmalloc_node_track_caller_noprof+0x355/0x430 mm/slub.c:4283 kmalloc_reserve+0xef/0x2c0 net/core/skbuff.c:609 __alloc_skb+0x164/0x380 net/core/skbuff.c:678 alloc_skb include/linux/skbuff.h:1322 [inline] alloc_skb_with_frags+0xe4/0x850 net/core/skbuff.c:6612 sock_alloc_send_pskb+0x7f1/0x980 net/core/sock.c:2883 sock_alloc_send_skb include/net/sock.h:1782 [inline] mld_newpack.isra.0+0x1ed/0x790 net/ipv6/mcast.c:1747 add_grhead+0x299/0x340 net/ipv6/mcast.c:1850 add_grec+0x111e/0x1670 net/ipv6/mcast.c:1988 mld_send_cr net/ipv6/mcast.c:2114 [inline] mld_ifc_work+0x41f/0xca0 net/ipv6/mcast.c:2651 page last free pid 10848 tgid 10848 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __put_partials+0x14c/0x170 mm/slub.c:3145 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x4e/0x120 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x192/0x1e0 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:329 kasan_slab_alloc include/linux/kasan.h:247 [inline] slab_post_alloc_hook mm/slub.c:4085 [inline] slab_alloc_node mm/slub.c:4134 [inline] kmem_cache_alloc_node_noprof+0x153/0x310 mm/slub.c:4186 __alloc_skb+0x2b1/0x380 net/core/skbuff.c:668 alloc_skb include/linux/skbuff.h:1322 [inline] alloc_skb_with_frags+0xe4/0x850 net/core/skbuff.c:6612 sock_alloc_send_pskb+0x7f1/0x980 net/core/sock.c:2883 sock_alloc_send_skb include/net/sock.h:1782 [inline] mld_newpack.isra.0+0x1ed/0x790 net/ipv6/mcast.c:1747 add_grhead+0x299/0x340 net/ipv6/mcast.c:1850 add_grec+0x111e/0x1670 net/ipv6/mcast.c:1988 mld_send_cr net/ipv6/mcast.c:2114 [inline] mld_ifc_work+0x41f/0xca0 net/ipv6/mcast.c:2651 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 Memory state around the buggy address: ffff8880616ac400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880616ac480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8880616ac500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880616ac580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880616ac600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2024/10/27 14:44 | upstream | 850925a8133c | 65e8686b | .config | console log | report | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream | KASAN: slab-use-after-free Read in bt_accept_unlink | ||
| 2024/10/10 10:49 | upstream | d3d1556696c1 | a156c552 | .config | console log | report | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream | KASAN: slab-use-after-free Read in bt_accept_unlink | ||
| 2024/10/01 18:11 | upstream | e32cde8d2bd7 | e9f6e118 | .config | console log | report | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream | KASAN: slab-use-after-free Read in bt_accept_unlink | ||
| 2024/11/14 00:56 | upstream | f1b785f4c787 | a8c99394 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-selinux-root | KASAN: slab-out-of-bounds Read in bt_accept_unlink |