| Title | Replies (including bot) | Last reply |
|---|---|---|
| [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in bt_accept_unlink | 0 (1) | 2024/10/21 08:47 |
syzbot |
sign-in | mailing list | source | docs |
| Title | Replies (including bot) | Last reply |
|---|---|---|
| [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in bt_accept_unlink | 0 (1) | 2024/10/21 08:47 |
| Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|
| upstream | general protection fault in bt_accept_unlink (2) bluetooth | 1 | 1486d | 1481d | 0/28 | auto-closed as invalid on 2021/07/01 06:33 | |||
| upstream | BUG: corrupted list in bt_accept_unlink bluetooth | syz | error | error | 1 | 1686d | 1686d | 0/28 | auto-obsoleted due to no activity on 2022/09/07 16:27 |
| linux-4.14 | BUG: corrupted list in bt_accept_unlink | syz | unreliable | 1 | 1571d | 1691d | 0/1 | upstream: reported syz repro on 2020/08/09 08:38 |
================================================================== BUG: KASAN: slab-use-after-free in __list_del_entry_valid_or_report+0x92/0x190 lib/list_debug.c:62 Read of size 8 at addr ffff888057126550 by task syz-executor/7429 CPU: 0 UID: 0 PID: 7429 Comm: syz-executor Not tainted 6.14.0-rc3-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 __list_del_entry_valid_or_report+0x92/0x190 lib/list_debug.c:62 __list_del_entry_valid include/linux/list.h:124 [inline] __list_del_entry include/linux/list.h:215 [inline] list_del_init include/linux/list.h:287 [inline] bt_accept_unlink+0x39/0x250 net/bluetooth/af_bluetooth.c:256 l2cap_sock_teardown_cb+0x176/0x440 net/bluetooth/l2cap_sock.c:1600 l2cap_chan_del+0xba/0x5d0 net/bluetooth/l2cap_core.c:654 l2cap_conn_del+0x391/0x690 net/bluetooth/l2cap_core.c:1785 hci_disconn_cfm include/net/bluetooth/hci_core.h:2069 [inline] hci_conn_hash_flush+0x1c0/0x350 net/bluetooth/hci_conn.c:2698 hci_dev_close_sync+0xa8b/0x1260 net/bluetooth/hci_sync.c:5197 hci_dev_do_close net/bluetooth/hci_core.c:482 [inline] hci_unregister_dev+0x20b/0x510 net/bluetooth/hci_core.c:2677 vhci_release+0x80/0xd0 drivers/bluetooth/hci_vhci.c:664 __fput+0x3eb/0x9f0 fs/file_table.c:464 task_work_run+0x251/0x310 kernel/task_work.c:227 exit_task_work include/linux/task_work.h:40 [inline] do_exit+0xa2a/0x28e0 kernel/exit.c:938 do_group_exit+0x207/0x2c0 kernel/exit.c:1087 get_signal+0x168c/0x1720 kernel/signal.c:3036 arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:337 exit_to_user_mode_loop kernel/entry/common.c:111 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0xce/0x340 kernel/entry/common.c:218 do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f23d79bf6a5 Code: Unable to access opcode bytes at 0x7f23d79bf67b. RSP: 002b:00007ffda2e2cae0 EFLAGS: 00000293 ORIG_RAX: 00000000000000e6 RAX: fffffffffffffdfc RBX: 0000000000000726 RCX: 00007f23d79bf6a5 RDX: 00007ffda2e2cb20 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 00007ffda2e2cb8c R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000001388 R13: 00000000000927c0 R14: 0000000000152a34 R15: 00007ffda2e2cbe0 </TASK> Allocated by task 2146: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4294 [inline] __kmalloc_node_track_caller_noprof+0x28b/0x4c0 mm/slub.c:4313 kmalloc_reserve+0x111/0x2a0 net/core/skbuff.c:609 __alloc_skb+0x1f3/0x440 net/core/skbuff.c:678 alloc_skb include/linux/skbuff.h:1331 [inline] mld_newpack+0x17c/0xc70 net/ipv6/mcast.c:1788 add_grhead net/ipv6/mcast.c:1899 [inline] add_grec+0x1492/0x19a0 net/ipv6/mcast.c:2037 mld_send_cr net/ipv6/mcast.c:2163 [inline] mld_ifc_work+0x691/0xd90 net/ipv6/mcast.c:2702 process_one_work kernel/workqueue.c:3236 [inline] process_scheduled_works+0xac0/0x18e0 kernel/workqueue.c:3317 worker_thread+0x870/0xd30 kernel/workqueue.c:3398 kthread+0x7ab/0x920 kernel/kthread.c:464 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Freed by task 2146: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:576 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2353 [inline] slab_free mm/slub.c:4609 [inline] kfree+0x196/0x430 mm/slub.c:4757 skb_kfree_head net/core/skbuff.c:1086 [inline] skb_free_head net/core/skbuff.c:1098 [inline] skb_release_data+0x6a0/0x8a0 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x1c9/0x380 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1271 [inline] kfree_skb include/linux/skbuff.h:1280 [inline] ip6_mc_input+0x974/0xb70 net/ipv6/ip6_input.c:591 NF_HOOK+0x3a6/0x450 include/linux/netfilter.h:314 __netif_receive_skb_one_core net/core/dev.c:5828 [inline] __netif_receive_skb+0x1ea/0x650 net/core/dev.c:5941 process_backlog+0x662/0x15b0 net/core/dev.c:6289 __napi_poll+0xcd/0x490 net/core/dev.c:7106 napi_poll net/core/dev.c:7175 [inline] net_rx_action+0x89b/0x1240 net/core/dev.c:7297 handle_softirqs+0x2d6/0x9b0 kernel/softirq.c:561 do_softirq+0x11b/0x1e0 kernel/softirq.c:462 __local_bh_enable_ip+0x1bb/0x200 kernel/softirq.c:389 local_bh_enable include/linux/bottom_half.h:33 [inline] rcu_read_unlock_bh include/linux/rcupdate.h:919 [inline] __dev_queue_xmit+0x1775/0x3f50 net/core/dev.c:4611 dev_queue_xmit include/linux/netdevice.h:3311 [inline] neigh_hh_output include/net/neighbour.h:523 [inline] neigh_output include/net/neighbour.h:537 [inline] ip6_finish_output2+0x127d/0x17c0 net/ipv6/ip6_output.c:141 ip6_finish_output+0x41e/0x840 net/ipv6/ip6_output.c:226 NF_HOOK+0x9e/0x430 include/linux/netfilter.h:314 mld_sendpack+0x843/0xdb0 net/ipv6/mcast.c:1868 mld_send_cr net/ipv6/mcast.c:2169 [inline] mld_ifc_work+0x7d9/0xd90 net/ipv6/mcast.c:2702 process_one_work kernel/workqueue.c:3236 [inline] process_scheduled_works+0xac0/0x18e0 kernel/workqueue.c:3317 worker_thread+0x870/0xd30 kernel/workqueue.c:3398 kthread+0x7ab/0x920 kernel/kthread.c:464 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 The buggy address belongs to the object at ffff888057126000 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 1360 bytes inside of freed 2048-byte region [ffff888057126000, ffff888057126800) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888057123000 pfn:0x57120 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0xfff00000000240(workingset|head|node=0|zone=1|lastcpupid=0x7ff) page_type: f5(slab) raw: 00fff00000000240 ffff88801b042000 ffffea000084be10 ffffea00015b0c10 raw: ffff888057123000 0000000000080007 00000000f5000000 0000000000000000 head: 00fff00000000240 ffff88801b042000 ffffea000084be10 ffffea00015b0c10 head: ffff888057123000 0000000000080007 00000000f5000000 0000000000000000 head: 00fff00000000003 ffffea00015c4801 ffffffffffffffff 0000000000000000 head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5832, tgid 5832 (syz-executor), ts 77500910407, free_ts 23735187118 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1f4/0x240 mm/page_alloc.c:1551 prep_new_page mm/page_alloc.c:1559 [inline] get_page_from_freelist+0x365c/0x37a0 mm/page_alloc.c:3477 __alloc_frozen_pages_noprof+0x292/0x710 mm/page_alloc.c:4739 alloc_pages_mpol+0x311/0x660 mm/mempolicy.c:2270 alloc_slab_page mm/slub.c:2423 [inline] allocate_slab+0x8f/0x3a0 mm/slub.c:2587 new_slab mm/slub.c:2640 [inline] ___slab_alloc+0xc27/0x14a0 mm/slub.c:3826 __slab_alloc+0x58/0xa0 mm/slub.c:3916 __slab_alloc_node mm/slub.c:3991 [inline] slab_alloc_node mm/slub.c:4152 [inline] __do_kmalloc_node mm/slub.c:4293 [inline] __kmalloc_node_noprof+0x2ee/0x4d0 mm/slub.c:4300 kmalloc_node_noprof include/linux/slab.h:928 [inline] qdisc_alloc+0x9a/0xa80 net/sched/sch_generic.c:947 qdisc_create_dflt+0x62/0x4b0 net/sched/sch_generic.c:1009 attach_one_default_qdisc net/sched/sch_generic.c:1175 [inline] netdev_for_each_tx_queue include/linux/netdevice.h:2590 [inline] attach_default_qdiscs net/sched/sch_generic.c:1193 [inline] dev_activate+0x3c0/0x1240 net/sched/sch_generic.c:1252 __dev_open+0x38e/0x4a0 net/core/dev.c:1613 __dev_change_flags+0x1e2/0x6f0 net/core/dev.c:9172 dev_change_flags+0x8b/0x1a0 net/core/dev.c:9244 do_setlink+0xcca/0x4300 net/core/rtnetlink.c:3118 rtnl_changelink net/core/rtnetlink.c:3733 [inline] __rtnl_newlink net/core/rtnetlink.c:3885 [inline] rtnl_newlink+0x1704/0x1d30 net/core/rtnetlink.c:4022 page last free pid 1 tgid 1 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1127 [inline] free_frozen_pages+0xe0d/0x10e0 mm/page_alloc.c:2660 free_contig_range+0x14c/0x430 mm/page_alloc.c:6678 destroy_args+0x94/0x4b0 mm/debug_vm_pgtable.c:1017 debug_vm_pgtable+0x551/0x590 mm/debug_vm_pgtable.c:1397 do_one_initcall+0x24a/0x930 init/main.c:1257 do_initcall_level+0x157/0x210 init/main.c:1319 do_initcalls+0x71/0xd0 init/main.c:1335 kernel_init_freeable+0x435/0x5d0 init/main.c:1568 kernel_init+0x1d/0x2b0 init/main.c:1457 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Memory state around the buggy address: ffff888057126400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888057126480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888057126500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888057126580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888057126600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2025/02/17 17:43 | upstream | 0ad2507d5d93 | 9be4ace3 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-root | KASAN: slab-use-after-free Read in bt_accept_unlink | ||
| 2025/02/08 00:03 | upstream | 7ee983c850b4 | a4f327c2 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-selinux-root | KASAN: slab-use-after-free Read in bt_accept_unlink | ||
| 2025/01/16 05:15 | upstream | 619f0b6fad52 | 968edaf4 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-selinux-root | KASAN: slab-use-after-free Read in bt_accept_unlink | ||
| 2025/03/01 04:22 | upstream | 276f98efb64a | 67cf5345 | .config | console log | report | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream | KASAN: slab-use-after-free Read in bt_accept_unlink | ||
| 2025/01/16 22:26 | upstream | ce69b4019001 | f9e07a6e | .config | console log | report | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream | KASAN: slab-use-after-free Read in bt_accept_unlink | ||
| 2024/10/27 14:44 | upstream | 850925a8133c | 65e8686b | .config | console log | report | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream | KASAN: slab-use-after-free Read in bt_accept_unlink | ||
| 2024/10/10 10:49 | upstream | d3d1556696c1 | a156c552 | .config | console log | report | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream | KASAN: slab-use-after-free Read in bt_accept_unlink | ||
| 2024/10/01 18:11 | upstream | e32cde8d2bd7 | e9f6e118 | .config | console log | report | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream | KASAN: slab-use-after-free Read in bt_accept_unlink | ||
| 2025/02/15 02:47 | upstream | 04f41cbf03ec | 40a34ec9 | .config | console log | report | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream-386 | KASAN: slab-use-after-free Read in bt_accept_unlink | ||
| 2025/02/11 19:48 | upstream | febbc555cf0f | f2baddf5 | .config | console log | report | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream-386 | KASAN: slab-use-after-free Read in bt_accept_unlink | ||
| 2025/01/28 17:15 | upstream | 805ba04cb7cc | ac37c1f8 | .config | console log | report | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream-386 | KASAN: slab-use-after-free Read in bt_accept_unlink | ||
| 2025/02/15 19:38 | linux-next | 0ae0fa3bf0b4 | 40a34ec9 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-linux-next-kasan-gce-root | KASAN: slab-use-after-free Read in bt_accept_unlink | ||
| 2025/02/11 22:13 | linux-next | df5d6180169a | f2baddf5 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-linux-next-kasan-gce-root | KASAN: slab-use-after-free Read in bt_accept_unlink | ||
| 2024/12/07 21:44 | linux-next | af2ea8ab7a54 | 9ac0fdc6 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-linux-next-kasan-gce-root | KASAN: slab-use-after-free Read in bt_accept_unlink | ||
| 2024/11/22 18:55 | linux-next | cfba9f07a1d6 | 68da6d95 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-linux-next-kasan-gce-root | KASAN: slab-use-after-free Read in bt_accept_unlink | ||
| 2024/11/21 22:47 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | 7b1d1d4cfac0 | 4b25d554 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-gce-arm64 | KASAN: slab-use-after-free Read in bt_accept_unlink | ||
| 2024/11/14 00:56 | upstream | f1b785f4c787 | a8c99394 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-selinux-root | KASAN: slab-out-of-bounds Read in bt_accept_unlink | ||
| 2025/02/05 02:52 | upstream | d009de7d5428 | 44c01590 | .config | console log | report | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream-386 | KASAN: slab-out-of-bounds Read in bt_accept_unlink | ||
| 2025/01/21 14:39 | upstream | 3d3a9c8b89d4 | 6e87cfa2 | .config | console log | report | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream-386 | KASAN: slab-out-of-bounds Read in bt_accept_unlink | ||
| 2024/12/21 04:48 | upstream | e9b8ffafd20a | d7f584ee | .config | console log | report | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream-386 | BUG: corrupted list in bt_accept_unlink |