syzbot


KASAN: use-after-free Read in hci_cmd_timeout

Status: upstream: reported syz repro on 2019/09/01 02:37
Reported-by: syzbot+fba50ca40cd875b49388@syzkaller.appspotmail.com
First crash: 1190d, last: 24d

Fix bisection: failed (bisect log)
similar bugs (2):
Kernel      Title                                          Repro  Cause bisect  Fix bisect  Count  Last   Reported  Patched  Status
linux-4.14  KASAN: use-after-free Read in hci_cmd_timeout  C      inconclusive              11     321d   1184d     0/1      upstream: reported C repro on 2019/09/06 20:31
upstream    KASAN: use-after-free Read in hci_cmd_timeout  C      done          error       369    4d06h  1307d     0/24     upstream: reported C repro on 2019/05/07 09:10

Sample crash report:
Bluetooth: hci8: Entering manufacturer mode failed (-110)
Bluetooth: hci8: sending frame failed (-49)
Bluetooth: hci10: Entering manufacturer mode failed (-110)
Bluetooth: hci9: Entering manufacturer mode failed (-110)
==================================================================
BUG: KASAN: use-after-free in hci_cmd_timeout+0x1ae/0x1c0 net/bluetooth/hci_core.c:2576
Read of size 2 at addr ffff888096c9d348 by task kworker/0:0/5

CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 4.19.187-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events hci_cmd_timeout
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
 kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
 kasan_report mm/kasan/report.c:412 [inline]
 __asan_report_load_n_noabort+0x8b/0xa0 mm/kasan/report.c:443
 hci_cmd_timeout+0x1ae/0x1c0 net/bluetooth/hci_core.c:2576
 process_one_work+0x864/0x1570 kernel/workqueue.c:2152
 worker_thread+0x64c/0x1130 kernel/workqueue.c:2295
 kthread+0x33f/0x460 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

Allocated by task 8162:
 __do_kmalloc_node mm/slab.c:3689 [inline]
 __kmalloc_node_track_caller+0x4c/0x70 mm/slab.c:3703
 __kmalloc_reserve net/core/skbuff.c:137 [inline]
 __alloc_skb+0xae/0x560 net/core/skbuff.c:205
 alloc_skb include/linux/skbuff.h:995 [inline]
 bt_skb_alloc include/net/bluetooth/bluetooth.h:339 [inline]
 hci_prepare_cmd+0x2a/0x290 net/bluetooth/hci_request.c:292
 hci_req_add_ev+0xdc/0x220 net/bluetooth/hci_request.c:326
 __hci_cmd_sync_ev+0x119/0x670 net/bluetooth/hci_request.c:138
 btintel_enter_mfg+0x2a/0x90 drivers/bluetooth/btintel.c:82
 ag6xx_setup+0xfc/0x790 drivers/bluetooth/hci_ag6xx.c:180
 hci_uart_setup+0x1b1/0x470 drivers/bluetooth/hci_ldisc.c:431
 hci_dev_do_open+0x360/0x1260 net/bluetooth/hci_core.c:1425
 hci_power_on+0x117/0x530 net/bluetooth/hci_core.c:2132
 process_one_work+0x864/0x1570 kernel/workqueue.c:2152
 worker_thread+0x64c/0x1130 kernel/workqueue.c:2295
 kthread+0x33f/0x460 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

Freed by task 8162:
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xcc/0x210 mm/slab.c:3822
 skb_free_head net/core/skbuff.c:563 [inline]
 skb_release_data+0x6de/0x920 net/core/skbuff.c:583
 skb_release_all net/core/skbuff.c:640 [inline]
 __kfree_skb net/core/skbuff.c:654 [inline]
 kfree_skb+0x11a/0x3d0 net/core/skbuff.c:672
 hci_dev_do_open+0xaf0/0x1260 net/bluetooth/hci_core.c:1511
 hci_power_on+0x117/0x530 net/bluetooth/hci_core.c:2132
 process_one_work+0x864/0x1570 kernel/workqueue.c:2152
 worker_thread+0x64c/0x1130 kernel/workqueue.c:2295
 kthread+0x33f/0x460 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

The buggy address belongs to the object at ffff888096c9d340
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 8 bytes inside of
 512-byte region [ffff888096c9d340, ffff888096c9d540)
The buggy address belongs to the page:
page:ffffea00025b2740 count:1 mapcount:0 mapping:ffff88813bff0940 index:0x0
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffffea0002d36588 ffffea0002d3efc8 ffff88813bff0940
raw: 0000000000000000 ffff888096c9d0c0 0000000100000006 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888096c9d200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888096c9d280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff888096c9d300: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                              ^
 ffff888096c9d380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888096c9d400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Bluetooth: hci11: Entering manufacturer mode failed (-110)

Crashes (16):
Manager         Time              Kernel        Commit        Syzkaller  Config   Log  Report  Syz repro  C repro  VM info  Title
ci2-linux-4-19  2021/04/15 03:53  linux-4.19.y  0f1b4cb77d7f  fcdb12ba   .config  log  report  syz                          KASAN: use-after-free Read in hci_cmd_timeout
ci2-linux-4-19  2020/07/05 12:13  linux-4.19.y  399849e4654e  24d7f505   .config  log  report  syz
ci2-linux-4-19  2019/12/07 00:14  linux-4.19.y  fb683b5e3f53  85f26751   .config  log  report  syz
ci2-linux-4-19  2022/11/10 15:46  linux-4.19.y  3f8a27f9e27b  3ead01ad   .config  log  report                      info     KASAN: use-after-free Read in hci_cmd_timeout
ci2-linux-4-19  2022/10/28 09:02  linux-4.19.y  3f8a27f9e27b  5c716ff6   .config  log  report                      info     KASAN: use-after-free Read in hci_cmd_timeout
ci2-linux-4-19  2022/07/28 07:58  linux-4.19.y  3f8a27f9e27b  fb95c74d   .config  log  report                      info     KASAN: use-after-free Read in hci_cmd_timeout
ci2-linux-4-19  2022/05/19 13:29  linux-4.19.y  3f8a27f9e27b  cb1ac2e7   .config  log  report                      info     KASAN: use-after-free Read in hci_cmd_timeout
ci2-linux-4-19  2022/02/27 12:06  linux-4.19.y  3f8a27f9e27b  45a13a73   .config  log  report                      info     KASAN: use-after-free Read in hci_cmd_timeout
ci2-linux-4-19  2021/09/21 13:20  linux-4.19.y  b172b44fcb17  169724fe   .config  log  report                      info     KASAN: use-after-free Read in hci_cmd_timeout
ci2-linux-4-19  2021/05/20 12:21  linux-4.19.y  3c8c23092588  c560a65d   .config  log  report                      info     KASAN: use-after-free Read in hci_cmd_timeout
ci2-linux-4-19  2021/04/14 21:52  linux-4.19.y  0f1b4cb77d7f  fcdb12ba   .config  log  report                      info     KASAN: use-after-free Read in hci_cmd_timeout
ci2-linux-4-19  2021/03/04 06:02  linux-4.19.y  2d19be4653f5  d7e4e604   .config  log  report                      info     KASAN: use-after-free Read in hci_cmd_timeout
ci2-linux-4-19  2020/07/19 02:48  linux-4.19.y  17a87580a885  9c812472   .config  log  report
ci2-linux-4-19  2020/07/12 04:04  linux-4.19.y  dce0f88600e4  7ba05d2d   .config  log  report
ci2-linux-4-19  2019/12/29 11:13  linux-4.19.y  672481c2deff  af6b8ef8   .config  log  report
ci2-linux-4-19  2019/09/01 01:36  linux-4.19.y  97ab07e11fbf  bad3cce2   .config  log  report