syzbot

 sign-in | mailing list | source | docs
🐞 Open [717] 🐞 Fixed [181] 🐞 Invalid [640] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

KASAN: use-after-free Read in kfree_skb

Status: fixed on 2019/12/28 10:32
Reported-by: syzbot+936d4a1552d3614148dd@syzkaller.appspotmail.com
Fix commit: 79d404a2aa86 Bluetooth: Fix invalid-free in bcsp_close()
First crash: 1736d, last: 1608d
Fix bisection: fixed by (bisect log) :
commit 79d404a2aa86efe4f1ade51e054318bd811cce71
Author: Tomas Bortoli <tomasbortoli@gmail.com>
Date: Fri Nov 1 20:42:44 2019 +0000

  Bluetooth: Fix invalid-free in bcsp_close()

  
Similar bugs (4)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in kfree_skb net 1 2010d 2010d 11/26 fixed on 2018/11/12 21:25
linux-4.19 KASAN: use-after-free Read in kfree_skb C done 95 1610d 1730d 1/1 fixed on 2019/12/28 10:32
upstream KASAN: use-after-free Read in kfree_skb (2) tipc C 66 1951d 1960d 11/26 fixed on 2019/01/11 01:22
upstream KASAN: use-after-free Read in kfree_skb (3) C done error 313 1610d 1813d 0/26 auto-obsoleted due to no activity on 2022/12/22 07:00

Sample crash report:
Bluetooth: Error in BCSP hdr checksum
Bluetooth: Error in BCSP hdr checksum
Bluetooth: Error in BCSP hdr checksum
Bluetooth: hci0 command 0x1009 tx timeout
==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:183 [inline]
BUG: KASAN: use-after-free in atomic_read arch/x86/include/asm/atomic.h:27 [inline]
BUG: KASAN: use-after-free in refcount_read include/linux/refcount.h:42 [inline]
BUG: KASAN: use-after-free in skb_unref include/linux/skbuff.h:952 [inline]
BUG: KASAN: use-after-free in kfree_skb+0x2e9/0x340 net/core/skbuff.c:659
Read of size 4 at addr ffff88807cc72ae4 by task syz-executor650/6915

CPU: 0 PID: 6915 Comm: syz-executor650 Not tainted 4.14.150 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x138/0x197 lib/dump_stack.c:53
 print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report mm/kasan/report.c:409 [inline]
 kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:429
 __read_once_size include/linux/compiler.h:183 [inline]
 atomic_read arch/x86/include/asm/atomic.h:27 [inline]
 refcount_read include/linux/refcount.h:42 [inline]
 skb_unref include/linux/skbuff.h:952 [inline]
 kfree_skb+0x2e9/0x340 net/core/skbuff.c:659
 bcsp_close+0xc7/0x130 drivers/bluetooth/hci_bcsp.c:761
 hci_uart_tty_close+0x1cb/0x230 drivers/bluetooth/hci_ldisc.c:551
 tty_ldisc_close.isra.0+0x99/0xd0 drivers/tty/tty_ldisc.c:498
 tty_ldisc_kill+0x4b/0xc0 drivers/tty/tty_ldisc.c:644
 tty_ldisc_release+0xb6/0x230 drivers/tty/tty_ldisc.c:811
 tty_release_struct+0x1b/0x50 drivers/tty/tty_io.c:1603
 tty_release+0xaa3/0xd60 drivers/tty/tty_io.c:1776
 __fput+0x275/0x7a0 fs/file_table.c:210
 ____fput+0x16/0x20 fs/file_table.c:244
 task_work_run+0x114/0x190 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x7df/0x2c10 kernel/exit.c:874
 do_group_exit+0x111/0x330 kernel/exit.c:977
 get_signal+0x381/0x1cd0 kernel/signal.c:2409
 do_signal+0x86/0x19a0 arch/x86/kernel/signal.c:814
 exit_to_usermode_loop+0x15c/0x220 arch/x86/entry/common.c:160
 prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
 do_syscall_64+0x4bc/0x640 arch/x86/entry/common.c:297
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x441309
RSP: 002b:00007fffe51432c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: 00000000003654c0 RBX: 0000000000000000 RCX: 0000000000441309
RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000004
RBP: 00000000006cb018 R08: 00000000004002c8 R09: 00000000004002c8
R10: 00008000fffffffe R11: 0000000000000246 R12: 0000000000402130
R13: 00000000004021c0 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 2549:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x45/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc mm/kasan/kasan.c:551 [inline]
 kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
 kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:489
 kmem_cache_alloc_node+0x144/0x780 mm/slab.c:3642
 __alloc_skb+0x9c/0x500 net/core/skbuff.c:193
 alloc_skb include/linux/skbuff.h:980 [inline]
 bt_skb_alloc include/net/bluetooth/bluetooth.h:336 [inline]
 bcsp_recv+0x38a/0x1450 drivers/bluetooth/hci_bcsp.c:684
 hci_uart_tty_receive+0x1f4/0x4d0 drivers/bluetooth/hci_ldisc.c:616
 tty_ldisc_receive_buf+0x14d/0x1a0 drivers/tty/tty_buffer.c:459
 tty_port_default_receive_buf+0x73/0xa0 drivers/tty/tty_port.c:37
 receive_buf drivers/tty/tty_buffer.c:475 [inline]
 flush_to_ldisc+0x1ec/0x400 drivers/tty/tty_buffer.c:527
 process_one_work+0x863/0x1600 kernel/workqueue.c:2114
 worker_thread+0x5d9/0x1050 kernel/workqueue.c:2248
 kthread+0x319/0x430 kernel/kthread.c:232
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

Freed by task 2549:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x45/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kmem_cache_free+0x83/0x2b0 mm/slab.c:3758
 kfree_skbmem net/core/skbuff.c:586 [inline]
 kfree_skbmem+0xac/0x120 net/core/skbuff.c:580
 __kfree_skb net/core/skbuff.c:646 [inline]
 kfree_skb+0xbd/0x340 net/core/skbuff.c:663
 bcsp_recv+0x28c/0x1450 drivers/bluetooth/hci_bcsp.c:622
 hci_uart_tty_receive+0x1f4/0x4d0 drivers/bluetooth/hci_ldisc.c:616
 tty_ldisc_receive_buf+0x14d/0x1a0 drivers/tty/tty_buffer.c:459
 tty_port_default_receive_buf+0x73/0xa0 drivers/tty/tty_port.c:37
 receive_buf drivers/tty/tty_buffer.c:475 [inline]
 flush_to_ldisc+0x1ec/0x400 drivers/tty/tty_buffer.c:527
 process_one_work+0x863/0x1600 kernel/workqueue.c:2114
 worker_thread+0x5d9/0x1050 kernel/workqueue.c:2248
 kthread+0x319/0x430 kernel/kthread.c:232
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

The buggy address belongs to the object at ffff88807cc72a00
 which belongs to the cache skbuff_head_cache of size 232
The buggy address is located 228 bytes inside of
 232-byte region [ffff88807cc72a00, ffff88807cc72ae8)
The buggy address belongs to the page:
page:ffffea0001f31c80 count:1 mapcount:0 mapping:ffff88807cc72000 index:0x0
flags: 0x1fffc0000000100(slab)
raw: 01fffc0000000100 ffff88807cc72000 0000000000000000 000000010000000c
raw: ffffea0002803c20 ffffea00024cdc20 ffff8880a9e19a80 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88807cc72980: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
 ffff88807cc72a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88807cc72a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
                                                       ^
 ffff88807cc72b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 ffff88807cc72b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (98):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2019/10/19 22:00 linux-4.14.y b98aebd29824 8c88c9c1 .config console log report syz C ci2-linux-4-14
2019/08/03 15:52 linux-4.14.y 10d6aa565d05 6affd8e8 .config console log report syz C ci2-linux-4-14
2019/09/24 07:16 linux-4.14.y f6e27dbb1afa c68252d2 .config console log report syz ci2-linux-4-14
2019/08/02 03:38 linux-4.14.y 10d6aa565d05 835dffe7 .config console log report syz ci2-linux-4-14
2019/11/28 00:32 linux-4.14.y 43598c571e7e 0d63f89c .config console log report ci2-linux-4-14
2019/11/27 13:58 linux-4.14.y 43598c571e7e 1048481f .config console log report ci2-linux-4-14
2019/11/26 16:31 linux-4.14.y 43598c571e7e 598ca6c8 .config console log report ci2-linux-4-14
2019/11/26 15:02 linux-4.14.y 43598c571e7e 598ca6c8 .config console log report ci2-linux-4-14
2019/11/26 10:54 linux-4.14.y 43598c571e7e 598ca6c8 .config console log report ci2-linux-4-14
2019/11/26 09:28 linux-4.14.y 43598c571e7e 598ca6c8 .config console log report ci2-linux-4-14
2019/11/26 05:55 linux-4.14.y 43598c571e7e 598ca6c8 .config console log report ci2-linux-4-14
2019/11/26 04:37 linux-4.14.y 43598c571e7e 598ca6c8 .config console log report ci2-linux-4-14
2019/11/26 01:54 linux-4.14.y 43598c571e7e 598ca6c8 .config console log report ci2-linux-4-14
2019/11/25 23:44 linux-4.14.y 43598c571e7e 598ca6c8 .config console log report ci2-linux-4-14
2019/11/25 15:41 linux-4.14.y 43598c571e7e 598ca6c8 .config console log report ci2-linux-4-14
2019/11/25 14:41 linux-4.14.y 43598c571e7e 598ca6c8 .config console log report ci2-linux-4-14
2019/11/25 08:56 linux-4.14.y 43598c571e7e 598ca6c8 .config console log report ci2-linux-4-14
2019/11/24 09:40 linux-4.14.y f56f3d0e65ad 598ca6c8 .config console log report ci2-linux-4-14
2019/11/24 00:16 linux-4.14.y f56f3d0e65ad 598ca6c8 .config console log report ci2-linux-4-14
2019/11/23 20:11 linux-4.14.y f56f3d0e65ad 598ca6c8 .config console log report ci2-linux-4-14
2019/11/23 16:46 linux-4.14.y f56f3d0e65ad 598ca6c8 .config console log report ci2-linux-4-14
2019/11/22 00:27 linux-4.14.y f56f3d0e65ad 8098ea0f .config console log report ci2-linux-4-14
2019/11/20 03:45 linux-4.14.y 775d01b65b5d 432c7650 .config console log report ci2-linux-4-14
2019/11/19 21:31 linux-4.14.y 775d01b65b5d 432c7650 .config console log report ci2-linux-4-14
2019/11/19 04:44 linux-4.14.y 775d01b65b5d d5696d51 .config console log report ci2-linux-4-14
2019/11/19 01:23 linux-4.14.y 775d01b65b5d d5696d51 .config console log report ci2-linux-4-14
2019/11/18 23:52 linux-4.14.y 775d01b65b5d d5696d51 .config console log report ci2-linux-4-14
2019/11/18 17:01 linux-4.14.y 775d01b65b5d d5696d51 .config console log report ci2-linux-4-14
2019/11/18 00:41 linux-4.14.y 775d01b65b5d d5696d51 .config console log report ci2-linux-4-14
2019/11/17 21:01 linux-4.14.y 775d01b65b5d d5696d51 .config console log report ci2-linux-4-14
2019/11/16 23:38 linux-4.14.y 775d01b65b5d cdac920b .config console log report ci2-linux-4-14
2019/11/16 16:45 linux-4.14.y 775d01b65b5d cdac920b .config console log report ci2-linux-4-14
2019/11/16 05:53 linux-4.14.y 775d01b65b5d cdac920b .config console log report ci2-linux-4-14
2019/11/15 01:11 linux-4.14.y 775d01b65b5d 048f2d49 .config console log report ci2-linux-4-14
2019/11/14 09:01 linux-4.14.y 775d01b65b5d 048f2d49 .config console log report ci2-linux-4-14
2019/11/13 16:23 linux-4.14.y 4762bcd451a9 048f2d49 .config console log report ci2-linux-4-14
2019/11/12 06:11 linux-4.14.y 4762bcd451a9 377d77fa .config console log report ci2-linux-4-14
2019/11/11 13:26 linux-4.14.y c9fda4f22428 dc438b91 .config console log report ci2-linux-4-14
2019/11/09 20:22 linux-4.14.y c9fda4f22428 1e35461e .config console log report ci2-linux-4-14
2019/11/09 09:02 linux-4.14.y c9fda4f22428 1e35461e .config console log report ci2-linux-4-14
2019/11/08 21:38 linux-4.14.y c9fda4f22428 1e35461e .config console log report ci2-linux-4-14
2019/11/08 09:36 linux-4.14.y c9fda4f22428 1e35461e .config console log report ci2-linux-4-14
2019/11/08 03:01 linux-4.14.y c9fda4f22428 f39aff9e .config console log report ci2-linux-4-14
2019/11/06 22:41 linux-4.14.y c9fda4f22428 da505f84 .config console log report ci2-linux-4-14
2019/11/01 11:44 linux-4.14.y ddef1e8e3f6e a41ca8fa .config console log report ci2-linux-4-14
2019/10/21 07:12 linux-4.14.y b98aebd29824 8c88c9c1 .config console log report ci2-linux-4-14
2019/10/20 22:48 linux-4.14.y b98aebd29824 8c88c9c1 .config console log report ci2-linux-4-14
2019/10/20 19:48 linux-4.14.y b98aebd29824 8c88c9c1 .config console log report ci2-linux-4-14
2019/10/20 03:18 linux-4.14.y b98aebd29824 8c88c9c1 .config console log report ci2-linux-4-14
2019/10/20 02:10 linux-4.14.y b98aebd29824 8c88c9c1 .config console log report ci2-linux-4-14
2019/10/19 15:07 linux-4.14.y b98aebd29824 8c88c9c1 .config console log report ci2-linux-4-14
2019/08/02 00:52 linux-4.14.y 10d6aa565d05 835dffe7 .config console log report ci2-linux-4-14
2019/07/23 10:43 linux-4.14.y ff33472c282e bb071d58 .config console log report ci2-linux-4-14
* Struck through repros no longer work on HEAD.