syzbot


KASAN: use-after-free Write in hci_sock_bind (2)

Status: upstream: reported C repro on 2020/03/02 05:14
Reported-by: syzbot+04e804c8c2224b6a9497@syzkaller.appspotmail.com
First crash: 941d, last: 666d

Cause bisection: introduced by (bisect log) :
commit 7d13eca09ed5e477f6ecfd97a35058762228b5e4
Author: Florian Fainelli <f.fainelli@gmail.com>
Date: Sat Aug 27 22:34:20 2016 +0000

  Documentation: networking: dsa: Remove platform device TODO

Crash: KASAN: null-ptr-deref Read (log)
Repro: C syz .config

Fix bisection: fixed by (bisect log) [merge commit]:
commit c59c7588fc922e27c378a7e2a920b889bd6bf872
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date: Fri Dec 18 20:38:28 2020 +0000

  Merge tag 'drm-next-2020-12-18' of git://anongit.freedesktop.org/drm/drm

similar bugs (2):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Write in hci_sock_bind 4 955d 987d 16/24 fixed on 2020/02/18 14:31
linux-4.19 KASAN: use-after-free Write in hci_sock_bind C done 12 430d 990d 1/1 fixed on 2021/08/26 13:35
Patch testing requests:
Created Duration User Patch Repo Result
2022/09/27 05:30 10m linux-next report log
2022/09/26 04:30 10m upstream report log
2022/09/23 15:30 11m upstream report log
2022/08/30 21:27 13m upstream report log
2020/04/06 15:03 10m anenbupt@gmail.com patch git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 770fbb32 report log
2020/04/06 14:11 17m anenbupt@gmail.com patch git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 770fbb32 OK
2020/04/06 13:05 17m anenbupt@gmail.com patch git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 770fbb32 OK
2020/04/06 11:49 10m anenbupt@gmail.com patch git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 770fbb32 report log
2020/04/06 07:58 10m anenbupt@gmail.com patch git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 770fbb32 report log
2020/04/06 07:28 15m anenbupt@gmail.com patch git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 770fbb32 report log
2020/04/06 05:35 10m anenbupt@gmail.com patch git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 770fbb32 report log
2020/04/06 04:08 3m anenbupt@gmail.com patch git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 770fbb32 error
2020/04/05 17:43 10m anenbupt@gmail.com patch git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 770fbb32 report log
2020/04/05 17:16 10m anenbupt@gmail.com patch git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 770fbb32 report log
2020/04/05 15:41 14m anenbupt@gmail.com patch git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 770fbb32 report log
2020/04/05 14:52 17m anenbupt@gmail.com patch git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 770fbb32 OK
2020/04/05 14:22 17m anenbupt@gmail.com patch git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 770fbb32 report log
2020/04/05 12:57 17m anenbupt@gmail.com patch git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 770fbb32 OK
2020/04/05 12:37 10m anenbupt@gmail.com patch git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 770fbb32 report log
2020/04/05 11:13 10m anenbupt@gmail.com patch git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 770fbb32 report log
2020/04/05 10:56 3m anenbupt@gmail.com patch git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 770fbb32 error
2020/04/05 07:57 10m anenbupt@gmail.com patch git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 770fbb32 report log
2020/04/05 07:06 4m anenbupt@gmail.com patch git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 770fbb32 error
2020/03/30 14:42 12m anenbupt@gmail.com patch git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 770fbb32 report log
2020/03/30 09:18 18m anenbupt@gmail.com patch git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 770fbb32 report log
2020/03/30 06:47 11m anenbupt@gmail.com patch git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 770fbb32 report log
2020/03/30 06:46 11m anenbupt@gmail.com git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 770fbb32 report log
2020/03/30 02:50 0m anenbupt@gmail.com patch git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 770fbb32 error
2020/03/29 16:26 11m anenbupt@gmail.com patch git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 770fbb32 report log
2020/03/28 12:53 18m anenbupt@gmail.com patch git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 770fbb32 report log
2020/03/28 11:57 9m anenbupt@gmail.com patch linux-next error
2020/03/28 11:40 3m anenbupt@gmail.com patch linux-next error
2020/03/28 10:46 9m anenbupt@gmail.com patch linux-next error

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in instrument_atomic_write include/linux/instrumented.h:71 [inline]
BUG: KASAN: use-after-free in atomic_inc include/asm-generic/atomic-instrumented.h:240 [inline]
BUG: KASAN: use-after-free in hci_sock_bind+0x587/0x1340 net/bluetooth/hci_sock.c:1250
Write of size 4 at addr ffff88801001d250 by task syz-executor325/15844

CPU: 0 PID: 15844 Comm: syz-executor325 Not tainted 5.8.0-rc6-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x18f/0x20d lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xae/0x436 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
 check_memory_region_inline mm/kasan/generic.c:186 [inline]
 check_memory_region+0x13d/0x180 mm/kasan/generic.c:192
 instrument_atomic_write include/linux/instrumented.h:71 [inline]
 atomic_inc include/asm-generic/atomic-instrumented.h:240 [inline]
 hci_sock_bind+0x587/0x1340 net/bluetooth/hci_sock.c:1250
 __sys_bind+0x1e9/0x250 net/socket.c:1657
 __do_sys_bind net/socket.c:1668 [inline]
 __se_sys_bind net/socket.c:1666 [inline]
 __x64_sys_bind+0x6f/0xb0 net/socket.c:1666
 do_syscall_64+0x60/0xe0 arch/x86/entry/common.c:384
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x434b39
Code: Bad RIP value.
RSP: 002b:00007ffd2e7aba18 EFLAGS: 00000246 ORIG_RAX: 0000000000000031
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000434b39
RDX: 0000000000000006 RSI: 00000000200000c0 RDI: 0000000000000004
RBP: 00007ffd2e7aba2c R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000000d237e
R13: 00000000ffffffff R14: 0000000000000000 R15: 0000000000000000

Allocated by task 15843:
 save_stack+0x1b/0x40 mm/kasan/common.c:48
 set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:494
 kmem_cache_alloc_trace+0x14f/0x2d0 mm/slab.c:3551
 kmalloc include/linux/slab.h:555 [inline]
 kzalloc include/linux/slab.h:669 [inline]
 hci_alloc_dev+0x3e/0x1ff0 net/bluetooth/hci_core.c:3376
 __vhci_create_device+0xf7/0x5b0 drivers/bluetooth/hci_vhci.c:99
 vhci_create_device drivers/bluetooth/hci_vhci.c:148 [inline]
 vhci_get_user drivers/bluetooth/hci_vhci.c:205 [inline]
 vhci_write+0x2b6/0x450 drivers/bluetooth/hci_vhci.c:285
 call_write_iter include/linux/fs.h:1908 [inline]
 new_sync_write+0x422/0x650 fs/read_write.c:503
 vfs_write+0x59d/0x6b0 fs/read_write.c:578
 ksys_write+0x12d/0x250 fs/read_write.c:631
 do_syscall_64+0x60/0xe0 arch/x86/entry/common.c:384
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 15843:
 save_stack+0x1b/0x40 mm/kasan/common.c:48
 set_track mm/kasan/common.c:56 [inline]
 kasan_set_free_info mm/kasan/common.c:316 [inline]
 __kasan_slab_free+0xf5/0x140 mm/kasan/common.c:455
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x103/0x2c0 mm/slab.c:3757
 bt_host_release+0x15/0x20 net/bluetooth/hci_sysfs.c:86
 device_release+0x71/0x200 drivers/base/core.c:1579
 kobject_cleanup lib/kobject.c:693 [inline]
 kobject_release lib/kobject.c:722 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x1c0/0x270 lib/kobject.c:739
 put_device+0x1b/0x30 drivers/base/core.c:2799
 vhci_release+0x78/0xe0 drivers/bluetooth/hci_vhci.c:341
 __fput+0x33c/0x880 fs/file_table.c:281
 task_work_run+0xdd/0x190 kernel/task_work.c:135
 exit_task_work include/linux/task_work.h:25 [inline]
 do_exit+0xb72/0x2a40 kernel/exit.c:805
 do_group_exit+0x125/0x310 kernel/exit.c:903
 __do_sys_exit_group kernel/exit.c:914 [inline]
 __se_sys_exit_group kernel/exit.c:912 [inline]
 __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:912
 do_syscall_64+0x60/0xe0 arch/x86/entry/common.c:384
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at ffff88801001c000
 which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 4688 bytes inside of
 8192-byte region [ffff88801001c000, ffff88801001e000)
The buggy address belongs to the page:
page:ffffea0000400700 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 head:ffffea0000400700 order:2 compound_mapcount:0 compound_pincount:0
flags: 0xfffe0000010200(slab|head)
raw: 00fffe0000010200 ffffea0000a22608 ffffea0000777f08 ffff88802c8021c0
raw: 0000000000000000 ffff88801001c000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88801001d100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88801001d180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88801001d200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                 ^
 ffff88801001d280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88801001d300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (26):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-qemu-upstream 2020/07/23 22:15 upstream d15be546031c 70c104a1 .config log report syz C
ci-upstream-kasan-gce-root 2020/05/24 06:31 upstream 423b8baf18a8 96c92ad3 .config log report syz C
ci-upstream-kasan-gce-selinux-root 2020/05/24 05:55 upstream 423b8baf18a8 96c92ad3 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/03/22 22:09 linux-next 770fbb32d34e 78267cec .config log report syz C
ci-upstream-kasan-gce-selinux-root 2020/06/29 06:52 upstream 4e99b32169e8 a2cdad9d .config log report
ci-upstream-kasan-gce-selinux-root 2020/06/18 23:13 upstream 7ae77150d94d d45a4d69 .config log report
ci-upstream-kasan-gce-selinux-root 2020/06/03 19:12 upstream d6f9469a03d8 a5ce5de0 .config log report
ci-upstream-kasan-gce-smack-root 2020/06/02 06:16 upstream 9bf9511e3d9f a0331e89 .config log report
ci-upstream-kasan-gce-root 2020/05/30 02:13 upstream 75caf310d16c 3905eaae .config log report
ci-upstream-kasan-gce-smack-root 2020/05/29 08:09 upstream 75caf310d16c d19ed305 .config log report
ci-upstream-kasan-gce-selinux-root 2020/05/26 15:52 upstream 9cb1fd0efd19 8ca3b7d2 .config log report
ci-upstream-kasan-gce-root 2020/05/16 01:34 upstream 12bf0b632ed0 37bccd4e .config log report
ci-upstream-kasan-gce-root 2020/04/26 17:05 upstream b2768df24ec4 99b258dd .config log report
ci-upstream-kasan-gce-smack-root 2020/04/13 15:28 upstream 8f3d9f354286 17a986e5 .config log report
ci-upstream-kasan-gce-selinux-root 2020/04/09 17:08 upstream 5d30bcacd91a a8c6a3f8 .config log report
ci-upstream-kasan-gce-root 2020/04/02 08:11 upstream 919dce24701f a34e2c33 .config log report
ci-upstream-kasan-gce-selinux-root 2020/04/02 04:02 upstream 1a323ea5356e a34e2c33 .config log report
ci-upstream-kasan-gce-root 2020/03/30 13:54 upstream 7111951b8d49 c8d1cc20 .config log report
ci-upstream-kasan-gce-root 2020/03/27 16:00 upstream f3e69428b5e2 7d95711b .config log report
ci-upstream-kasan-gce-selinux-root 2020/03/19 17:57 upstream 5076190daded 2c31c529 .config log report
ci-upstream-kasan-gce-root 2020/03/02 14:16 upstream 63623fd44972 c88c7b75 .config log report
ci-upstream-kasan-gce-root 2020/02/29 17:41 upstream f8788d86ab28 59b57593 .config log report
ci-upstream-linux-next-kasan-gce-root 2020/06/24 23:05 linux-next e7b08814b16b 54566aff .config log report
ci-upstream-linux-next-kasan-gce-root 2020/05/18 05:51 linux-next ac935d227366 37bccd4e .config log report
ci-upstream-linux-next-kasan-gce-root 2020/03/29 07:17 linux-next 770fbb32d34e 05736b29 .config log report
ci-upstream-linux-next-kasan-gce-root 2020/03/22 21:22 linux-next 770fbb32d34e 78267cec .config log report
* Struck through repros no longer work on HEAD.