syzbot

Bluetooth: Error in BCSP hdr checksum
Bluetooth: Error in BCSP hdr checksum
Bluetooth: Error in BCSP hdr checksum
Bluetooth: hci0 command 0x1009 tx timeout
==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:183 [inline]
BUG: KASAN: use-after-free in atomic_read arch/x86/include/asm/atomic.h:27 [inline]
BUG: KASAN: use-after-free in refcount_read include/linux/refcount.h:42 [inline]
BUG: KASAN: use-after-free in skb_unref include/linux/skbuff.h:952 [inline]
BUG: KASAN: use-after-free in kfree_skb+0x2e9/0x340 net/core/skbuff.c:659
Read of size 4 at addr ffff88807cc72ae4 by task syz-executor650/6915

CPU: 0 PID: 6915 Comm: syz-executor650 Not tainted 4.14.150 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x138/0x197 lib/dump_stack.c:53
 print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report mm/kasan/report.c:409 [inline]
 kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:429
 __read_once_size include/linux/compiler.h:183 [inline]
 atomic_read arch/x86/include/asm/atomic.h:27 [inline]
 refcount_read include/linux/refcount.h:42 [inline]
 skb_unref include/linux/skbuff.h:952 [inline]
 kfree_skb+0x2e9/0x340 net/core/skbuff.c:659
 bcsp_close+0xc7/0x130 drivers/bluetooth/hci_bcsp.c:761
 hci_uart_tty_close+0x1cb/0x230 drivers/bluetooth/hci_ldisc.c:551
 tty_ldisc_close.isra.0+0x99/0xd0 drivers/tty/tty_ldisc.c:498
 tty_ldisc_kill+0x4b/0xc0 drivers/tty/tty_ldisc.c:644
 tty_ldisc_release+0xb6/0x230 drivers/tty/tty_ldisc.c:811
 tty_release_struct+0x1b/0x50 drivers/tty/tty_io.c:1603
 tty_release+0xaa3/0xd60 drivers/tty/tty_io.c:1776
 __fput+0x275/0x7a0 fs/file_table.c:210
 ____fput+0x16/0x20 fs/file_table.c:244
 task_work_run+0x114/0x190 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x7df/0x2c10 kernel/exit.c:874
 do_group_exit+0x111/0x330 kernel/exit.c:977
 get_signal+0x381/0x1cd0 kernel/signal.c:2409
 do_signal+0x86/0x19a0 arch/x86/kernel/signal.c:814
 exit_to_usermode_loop+0x15c/0x220 arch/x86/entry/common.c:160
 prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
 do_syscall_64+0x4bc/0x640 arch/x86/entry/common.c:297
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x441309
RSP: 002b:00007fffe51432c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: 00000000003654c0 RBX: 0000000000000000 RCX: 0000000000441309
RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000004
RBP: 00000000006cb018 R08: 00000000004002c8 R09: 00000000004002c8
R10: 00008000fffffffe R11: 0000000000000246 R12: 0000000000402130
R13: 00000000004021c0 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 2549:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x45/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc mm/kasan/kasan.c:551 [inline]
 kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
 kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:489
 kmem_cache_alloc_node+0x144/0x780 mm/slab.c:3642
 __alloc_skb+0x9c/0x500 net/core/skbuff.c:193
 alloc_skb include/linux/skbuff.h:980 [inline]
 bt_skb_alloc include/net/bluetooth/bluetooth.h:336 [inline]
 bcsp_recv+0x38a/0x1450 drivers/bluetooth/hci_bcsp.c:684
 hci_uart_tty_receive+0x1f4/0x4d0 drivers/bluetooth/hci_ldisc.c:616
 tty_ldisc_receive_buf+0x14d/0x1a0 drivers/tty/tty_buffer.c:459
 tty_port_default_receive_buf+0x73/0xa0 drivers/tty/tty_port.c:37
 receive_buf drivers/tty/tty_buffer.c:475 [inline]
 flush_to_ldisc+0x1ec/0x400 drivers/tty/tty_buffer.c:527
 process_one_work+0x863/0x1600 kernel/workqueue.c:2114
 worker_thread+0x5d9/0x1050 kernel/workqueue.c:2248
 kthread+0x319/0x430 kernel/kthread.c:232
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

Freed by task 2549:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x45/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kmem_cache_free+0x83/0x2b0 mm/slab.c:3758
 kfree_skbmem net/core/skbuff.c:586 [inline]
 kfree_skbmem+0xac/0x120 net/core/skbuff.c:580
 __kfree_skb net/core/skbuff.c:646 [inline]
 kfree_skb+0xbd/0x340 net/core/skbuff.c:663
 bcsp_recv+0x28c/0x1450 drivers/bluetooth/hci_bcsp.c:622
 hci_uart_tty_receive+0x1f4/0x4d0 drivers/bluetooth/hci_ldisc.c:616
 tty_ldisc_receive_buf+0x14d/0x1a0 drivers/tty/tty_buffer.c:459
 tty_port_default_receive_buf+0x73/0xa0 drivers/tty/tty_port.c:37
 receive_buf drivers/tty/tty_buffer.c:475 [inline]
 flush_to_ldisc+0x1ec/0x400 drivers/tty/tty_buffer.c:527
 process_one_work+0x863/0x1600 kernel/workqueue.c:2114
 worker_thread+0x5d9/0x1050 kernel/workqueue.c:2248
 kthread+0x319/0x430 kernel/kthread.c:232
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

The buggy address belongs to the object at ffff88807cc72a00
 which belongs to the cache skbuff_head_cache of size 232
The buggy address is located 228 bytes inside of
 232-byte region [ffff88807cc72a00, ffff88807cc72ae8)
The buggy address belongs to the page:
page:ffffea0001f31c80 count:1 mapcount:0 mapping:ffff88807cc72000 index:0x0
flags: 0x1fffc0000000100(slab)
raw: 01fffc0000000100 ffff88807cc72000 0000000000000000 000000010000000c
raw: ffffea0002803c20 ffffea00024cdc20 ffff8880a9e19a80 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88807cc72980: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
 ffff88807cc72a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88807cc72a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
                                                       ^
 ffff88807cc72b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 ffff88807cc72b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================