KASAN: use-after-free Read in __queue

KASAN: use-after-free Read in __queue_work
Status: fixed on 2021/09/10 09:12
Reported-by: syzbot+cc2c0bfd39eb9c4f3998@syzkaller.appspotmail.com
Fix commit: 3719acc161d5 Bluetooth: defer cleanup of resources in hci_unregister_dev()
First crash: 417d, last: 45d

Fix bisection: fixed by (bisect log) :
commit 3719acc161d5c1ce09912cc1c9eddc2c5faa3c66
Author: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Date: Wed Aug 4 10:26:56 2021 +0000

Bluetooth: defer cleanup of resources in hci_unregister_dev()

similar bugs (6):
Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
android-49	KASAN: use-after-free Read in __queue_work	C			19	1133d	895d	0/3	public: reported C repro on 2019/04/13 00:00
linux-4.14	KASAN: use-after-free Read in __queue_work	syz			4	14d	417d	0/1	upstream: reported syz repro on 2020/08/03 15:06
upstream	KASAN: use-after-free Read in __queue_work	syz			2	1464d	1428d	0/22	closed as invalid on 2017/10/27 09:34
upstream	KASAN: use-after-free Read in __queue_work (3)	syz	done	done	3	164d	411d	0/22	upstream: reported syz repro on 2020/08/08 21:27
upstream	KASAN: use-after-free Read in __queue_work (2)	C	done	done	577	819d	1173d	16/22	fixed on 2020/01/08 01:07
upstream	general protection fault in __queue_work (2)	C	done		7041	29d	566d	0/22	upstream: reported C repro on 2020/03/07 03:55

Sample crash report:

==================================================================
BUG: KASAN: use-after-free in __queue_work+0xdff/0x1100 syzkaller/managers/linux-4-19/kernel/kernel/workqueue.c:1383
Read of size 4 at addr ffff8880b3b02b80 by task syz-executor.5/14347

CPU: 0 PID: 14347 Comm: syz-executor.5 Not tainted 4.19.172-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack syzkaller/managers/linux-4-19/kernel/lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef syzkaller/managers/linux-4-19/kernel/lib/dump_stack.c:118
 print_address_description.cold+0x54/0x219 syzkaller/managers/linux-4-19/kernel/mm/kasan/report.c:256
 kasan_report_error.cold+0x8a/0x1b9 syzkaller/managers/linux-4-19/kernel/mm/kasan/report.c:354
 kasan_report syzkaller/managers/linux-4-19/kernel/mm/kasan/report.c:412 [inline]
 __asan_report_load4_noabort+0x88/0x90 syzkaller/managers/linux-4-19/kernel/mm/kasan/report.c:432
 __queue_work+0xdff/0x1100 syzkaller/managers/linux-4-19/kernel/kernel/workqueue.c:1383
 queue_work_on+0x17e/0x1f0 syzkaller/managers/linux-4-19/kernel/kernel/workqueue.c:1488
 queue_work syzkaller/managers/linux-4-19/kernel/./include/linux/workqueue.h:512 [inline]
 req_run+0x2d4/0x500 syzkaller/managers/linux-4-19/kernel/net/bluetooth/hci_request.c:87
 hci_req_run_skb syzkaller/managers/linux-4-19/kernel/net/bluetooth/hci_request.c:99 [inline]
 __hci_req_sync+0x212/0x8a0 syzkaller/managers/linux-4-19/kernel/net/bluetooth/hci_request.c:212
 hci_req_sync+0x7d/0xb0 syzkaller/managers/linux-4-19/kernel/net/bluetooth/hci_request.c:279
 hci_inquiry+0x6a6/0x920 syzkaller/managers/linux-4-19/kernel/net/bluetooth/hci_core.c:1310
 hci_sock_ioctl+0x1a7/0x7d0 syzkaller/managers/linux-4-19/kernel/net/bluetooth/hci_sock.c:1048
 sock_do_ioctl+0xcb/0x2d0 syzkaller/managers/linux-4-19/kernel/net/socket.c:950
 sock_ioctl+0x2ef/0x5d0 syzkaller/managers/linux-4-19/kernel/net/socket.c:1074
 vfs_ioctl syzkaller/managers/linux-4-19/kernel/fs/ioctl.c:46 [inline]
 file_ioctl syzkaller/managers/linux-4-19/kernel/fs/ioctl.c:501 [inline]
 do_vfs_ioctl+0xcdb/0x12e0 syzkaller/managers/linux-4-19/kernel/fs/ioctl.c:688
 ksys_ioctl+0x9b/0xc0 syzkaller/managers/linux-4-19/kernel/fs/ioctl.c:705
 __do_sys_ioctl syzkaller/managers/linux-4-19/kernel/fs/ioctl.c:712 [inline]
 __se_sys_ioctl syzkaller/managers/linux-4-19/kernel/fs/ioctl.c:710 [inline]
 __x64_sys_ioctl+0x6f/0xb0 syzkaller/managers/linux-4-19/kernel/fs/ioctl.c:710
 do_syscall_64+0xf9/0x620 syzkaller/managers/linux-4-19/kernel/arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x465b09
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f1157c8f188 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 000000000056c0b0 RCX: 0000000000465b09
RDX: 0000000020000240 RSI: 00000000800448f0 RDI: 0000000000000005
RBP: 00000000004b069f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056c0b0
R13: 00007ffe571d8e5f R14: 00007f1157c8f300 R15: 0000000000022000

Allocated by task 25:
 __do_kmalloc syzkaller/managers/linux-4-19/kernel/mm/slab.c:3727 [inline]
 __kmalloc+0x15a/0x3c0 syzkaller/managers/linux-4-19/kernel/mm/slab.c:3736
 kmalloc syzkaller/managers/linux-4-19/kernel/./include/linux/slab.h:520 [inline]
 kzalloc syzkaller/managers/linux-4-19/kernel/./include/linux/slab.h:709 [inline]
 __alloc_workqueue_key+0x789/0xed0 syzkaller/managers/linux-4-19/kernel/kernel/workqueue.c:4094
 hci_register_dev+0x1ce/0x960 syzkaller/managers/linux-4-19/kernel/net/bluetooth/hci_core.c:3179
 __vhci_create_device+0x2b5/0x580 syzkaller/managers/linux-4-19/kernel/drivers/bluetooth/hci_vhci.c:139
 vhci_create_device syzkaller/managers/linux-4-19/kernel/drivers/bluetooth/hci_vhci.c:163 [inline]
 vhci_open_timeout+0x35/0x50 syzkaller/managers/linux-4-19/kernel/drivers/bluetooth/hci_vhci.c:319
 process_one_work+0x864/0x1570 syzkaller/managers/linux-4-19/kernel/kernel/workqueue.c:2155
 worker_thread+0x64c/0x1130 syzkaller/managers/linux-4-19/kernel/kernel/workqueue.c:2298
 kthread+0x33f/0x460 syzkaller/managers/linux-4-19/kernel/kernel/kthread.c:259
 ret_from_fork+0x24/0x30 syzkaller/managers/linux-4-19/kernel/arch/x86/entry/entry_64.S:415

Freed by task 9:
 __cache_free syzkaller/managers/linux-4-19/kernel/mm/slab.c:3503 [inline]
 kfree+0xcc/0x210 syzkaller/managers/linux-4-19/kernel/mm/slab.c:3822
 __rcu_reclaim syzkaller/managers/linux-4-19/kernel/kernel/rcu/rcu.h:236 [inline]
 rcu_do_batch syzkaller/managers/linux-4-19/kernel/kernel/rcu/tree.c:2584 [inline]
 invoke_rcu_callbacks syzkaller/managers/linux-4-19/kernel/kernel/rcu/tree.c:2897 [inline]
 __rcu_process_callbacks syzkaller/managers/linux-4-19/kernel/kernel/rcu/tree.c:2864 [inline]
 rcu_process_callbacks+0x8ff/0x18b0 syzkaller/managers/linux-4-19/kernel/kernel/rcu/tree.c:2881
 __do_softirq+0x265/0x980 syzkaller/managers/linux-4-19/kernel/kernel/softirq.c:292

The buggy address belongs to the object at ffff8880b3b02a00
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 384 bytes inside of
 512-byte region [ffff8880b3b02a00, ffff8880b3b02c00)
The buggy address belongs to the page:
page:ffffea0002cec080 count:1 mapcount:0 mapping:ffff88813bff0940 index:0xffff8880b3b02280
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffffea0002770148 ffffea00026de6c8 ffff88813bff0940
raw: ffff8880b3b02280 ffff8880b3b02000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880b3b02a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880b3b02b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880b3b02b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff8880b3b02c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880b3b02c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (5):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	VM info	Title
ci2-linux-4-19	2021/02/11 01:48	linux-4.19.y	811218eceeaa	a52ee10a	.config	log	report	syz		KASAN: use-after-free Read in __queue_work
ci2-linux-4-19	2020/08/05 06:46	linux-4.19.y	13af6c74b14a	02034dac	.config	log	report	syz
ci2-linux-4-19	2020/08/03 04:15	linux-4.19.y	13af6c74b14a	96dd3623	.config	log	report	syz
ci2-linux-4-19	2021/01/04 15:49	linux-4.19.y	3207316b3bee	79264ae3	.config	log	report		info
ci2-linux-4-19	2020/08/22 03:25	linux-4.19.y	d18b78abc0c6	6436ce4b	.config	log	report