syzbot


KASAN: use-after-free Read in rfcomm_dlc_open (2)

Status: auto-closed as invalid on 2020/01/07 22:09
Subsystems: bluetooth
Reported-by: syzbot+0b0fd24d40f358830891@syzkaller.appspotmail.com
First crash: 1829d, last: 1683d
Discussions (4)
Title Replies (including bot) Last reply
Reminder: 29 open syzbot bugs in bluetooth subsystem 1 (1) 2019/07/24 01:41
Reminder: 29 open syzbot bugs in bluetooth subsystem 1 (1) 2019/07/09 19:07
Reminder: 27 open syzbot bugs in bluetooth subsystem 1 (1) 2019/06/24 05:14
KASAN: use-after-free Read in rfcomm_dlc_open (2) 0 (1) 2019/04/23 16:22
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in rfcomm_dlc_open bluetooth 1 2082d 2078d 0/26 auto-closed as invalid on 2019/02/22 10:29

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in rfcomm_dlc_get net/bluetooth/rfcomm/core.c:360 [inline]
BUG: KASAN: use-after-free in __rfcomm_dlc_open net/bluetooth/rfcomm/core.c:396 [inline]
BUG: KASAN: use-after-free in rfcomm_dlc_open+0xc9d/0xd80 net/bluetooth/rfcomm/core.c:431
Read of size 1 at addr ffff88808eb73644 by task syz-executor.3/17540

CPU: 0 PID: 17540 Comm: syz-executor.3 Not tainted 5.3.0-rc7+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 print_address_description.cold+0xd4/0x306 mm/kasan/report.c:351
 __kasan_report.cold+0x1b/0x36 mm/kasan/report.c:482
 kasan_report+0x12/0x17 mm/kasan/common.c:618
 __asan_report_load1_noabort+0x14/0x20 mm/kasan/generic_report.c:129
 rfcomm_dlc_get net/bluetooth/rfcomm/core.c:360 [inline]
 __rfcomm_dlc_open net/bluetooth/rfcomm/core.c:396 [inline]
 rfcomm_dlc_open+0xc9d/0xd80 net/bluetooth/rfcomm/core.c:431
 rfcomm_sock_connect+0x38a/0x4b0 net/bluetooth/rfcomm/sock.c:416
 __sys_connect+0x264/0x330 net/socket.c:1828
 __do_sys_connect net/socket.c:1839 [inline]
 __se_sys_connect net/socket.c:1836 [inline]
 __x64_sys_connect+0x73/0xb0 net/socket.c:1836
 do_syscall_64+0xfd/0x6a0 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4598e9
Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f63c84a4c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004598e9
RDX: 000000000000000e RSI: 0000000020000100 RDI: 0000000000000005
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f63c84a56d4
R13: 00000000004bfda3 R14: 00000000004d1bf0 R15: 00000000ffffffff

Allocated by task 15796:
 save_stack+0x23/0x90 mm/kasan/common.c:69
 set_track mm/kasan/common.c:77 [inline]
 __kasan_kmalloc mm/kasan/common.c:493 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:466
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:507
 kmem_cache_alloc_trace+0x158/0x790 mm/slab.c:3550
 kmalloc include/linux/slab.h:552 [inline]
 kzalloc include/linux/slab.h:748 [inline]
 rfcomm_dlc_alloc+0x82/0x410 net/bluetooth/rfcomm/core.c:305
 rfcomm_sock_alloc.constprop.0+0xb3/0x370 net/bluetooth/rfcomm/sock.c:286
 rfcomm_sock_create+0xf3/0x2b0 net/bluetooth/rfcomm/sock.c:329
 bt_sock_create+0x16a/0x2d0 net/bluetooth/af_bluetooth.c:130
 __sock_create+0x3d8/0x730 net/socket.c:1418
 sock_create net/socket.c:1469 [inline]
 __sys_socket+0x103/0x220 net/socket.c:1511
 __do_sys_socket net/socket.c:1520 [inline]
 __se_sys_socket net/socket.c:1518 [inline]
 __x64_sys_socket+0x73/0xb0 net/socket.c:1518
 do_syscall_64+0xfd/0x6a0 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 17165:
 save_stack+0x23/0x90 mm/kasan/common.c:69
 set_track mm/kasan/common.c:77 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:455
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:463
 __cache_free mm/slab.c:3425 [inline]
 kfree+0x10a/0x2c0 mm/slab.c:3756
 rfcomm_dlc_free+0x20/0x30 net/bluetooth/rfcomm/core.c:328
 rfcomm_dlc_put include/net/bluetooth/rfcomm.h:258 [inline]
 __rfcomm_create_dev net/bluetooth/rfcomm/tty.c:417 [inline]
 rfcomm_create_dev net/bluetooth/rfcomm/tty.c:486 [inline]
 rfcomm_dev_ioctl+0x183e/0x1b80 net/bluetooth/rfcomm/tty.c:588
 rfcomm_sock_ioctl+0x90/0xb0 net/bluetooth/rfcomm/sock.c:902
 sock_do_ioctl+0xd8/0x2f0 net/socket.c:1038
 sock_ioctl+0x3ed/0x780 net/socket.c:1189
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:509 [inline]
 do_vfs_ioctl+0xdb6/0x13e0 fs/ioctl.c:696
 ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
 __do_sys_ioctl fs/ioctl.c:720 [inline]
 __se_sys_ioctl fs/ioctl.c:718 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
 do_syscall_64+0xfd/0x6a0 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff88808eb73500
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 324 bytes inside of
 512-byte region [ffff88808eb73500, ffff88808eb73700)
The buggy address belongs to the page:
page:ffffea00023adcc0 refcount:1 mapcount:0 mapping:ffff8880aa400a80 index:0x0
flags: 0x1fffc0000000200(slab)
raw: 01fffc0000000200 ffffea00025a0fc8 ffffea0001258188 ffff8880aa400a80
raw: 0000000000000000 ffff88808eb73000 0000000100000006 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88808eb73500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88808eb73580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88808eb73600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff88808eb73680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88808eb73700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Crashes (19):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2019/09/09 22:08 net-old 28abe5796252 a60cb4cd .config console log report ci-upstream-net-this-kasan-gce
2019/09/06 23:42 net-old 74346c434cd2 a60cb4cd .config console log report ci-upstream-net-this-kasan-gce
2019/08/27 18:57 net-old f53a7ad18959 d21c5d9d .config console log report ci-upstream-net-this-kasan-gce
2019/08/27 16:48 net-old f53a7ad18959 d21c5d9d .config console log report ci-upstream-net-this-kasan-gce
2019/08/27 00:01 net-old f53a7ad18959 d21c5d9d .config console log report ci-upstream-net-this-kasan-gce
2019/04/26 16:02 net-old ad759c906954 b617407b .config console log report ci-upstream-net-this-kasan-gce
2019/08/12 03:16 net-next-old 2cc2743d8fee acb51638 .config console log report ci-upstream-net-kasan-gce
2019/08/04 02:50 net-next-old 31cc088a4f5d 6affd8e8 .config console log report ci-upstream-net-kasan-gce
2019/08/03 21:42 net-next-old 31cc088a4f5d 6affd8e8 .config console log report ci-upstream-net-kasan-gce
2019/07/29 14:58 net-next-old 31cc088a4f5d c85e1c5b .config console log report ci-upstream-net-kasan-gce
2019/07/29 09:50 net-next-old 31cc088a4f5d c85e1c5b .config console log report ci-upstream-net-kasan-gce
2019/07/28 17:10 net-next-old 31cc088a4f5d c85e1c5b .config console log report ci-upstream-net-kasan-gce
2019/07/28 14:40 net-next-old 31cc088a4f5d c85e1c5b .config console log report ci-upstream-net-kasan-gce
2019/07/28 06:02 net-next-old 31cc088a4f5d c85e1c5b .config console log report ci-upstream-net-kasan-gce
2019/07/28 03:10 net-next-old 31cc088a4f5d c85e1c5b .config console log report ci-upstream-net-kasan-gce
2019/05/21 06:54 net-next-old f49aa1de9836 8285069f .config console log report ci-upstream-net-kasan-gce
2019/05/14 14:14 net-next-old 63863ee8e2f6 ada3c44c .config console log report ci-upstream-net-kasan-gce
2019/05/08 17:06 net-next-old a55a385d8c84 a7383bfa .config console log report ci-upstream-net-kasan-gce
2019/04/16 22:48 net-next-old 432bc230700f 505ab413 .config console log report ci-upstream-net-kasan-gce