syzbot


KFENCE: invalid free in __hci_req_sync

Status: upstream: reported on 2024/05/04 01:00
Subsystems: bluetooth
[Documentation on labels]
Reported-by: syzbot+27f0d8597a213f37c0b6@syzkaller.appspotmail.com
First crash: 84d, last: 13d
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [bluetooth?] KFENCE: invalid free in __hci_req_sync 0 (1) 2024/05/04 01:00
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-6.1 KFENCE: invalid free in __hci_req_sync 1 65d 65d 0/3 upstream: reported on 2024/05/13 08:05

Sample crash report:
==================================================================
BUG: KFENCE: invalid free in kfree_skb include/linux/skbuff.h:1257 [inline]
BUG: KFENCE: invalid free in __hci_req_sync+0x62f/0x950 net/bluetooth/hci_request.c:184

Invalid free of 0xffff88823bd46000 (in kfence-#162):
 kfree_skb include/linux/skbuff.h:1257 [inline]
 __hci_req_sync+0x62f/0x950 net/bluetooth/hci_request.c:184
 hci_req_sync+0xa9/0xd0 net/bluetooth/hci_request.c:206
 hci_dev_cmd+0x4c5/0xa50 net/bluetooth/hci_core.c:787
 sock_do_ioctl+0x158/0x460 net/socket.c:1222
 sock_ioctl+0x629/0x8e0 net/socket.c:1341
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

kfence-#162: 0xffff88823bd46000-0xffff88823bd460ef, size=240, cache=skbuff_head_cache

allocated by task 5085 on cpu 1 at 140.459256s:
 skb_clone+0x20c/0x390 net/core/skbuff.c:2052
 hci_send_cmd_sync net/bluetooth/hci_core.c:4123 [inline]
 hci_cmd_work+0x29e/0x670 net/bluetooth/hci_core.c:4143
 process_one_work kernel/workqueue.c:3248 [inline]
 process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3329
 worker_thread+0x86d/0xd50 kernel/workqueue.c:3409
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

freed by task 5085 on cpu 1 at 140.459457s:
 kfree_skb include/linux/skbuff.h:1257 [inline]
 hci_req_sync_complete+0xe7/0x290 net/bluetooth/hci_request.c:109
 hci_event_packet+0xc71/0x1540 net/bluetooth/hci_event.c:7479
 hci_rx_work+0x3e8/0xca0 net/bluetooth/hci_core.c:4074
 process_one_work kernel/workqueue.c:3248 [inline]
 process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3329
 worker_thread+0x86d/0xd50 kernel/workqueue.c:3409
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

CPU: 0 PID: 6196 Comm: syz-executor Not tainted 6.10.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
==================================================================

Crashes (35):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/07/01 09:33 upstream 22a40d14b572 757f06b1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KFENCE: invalid free in __hci_req_sync
2024/06/18 23:57 upstream 2ccbdf43d5e7 639d6cdf .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-386 KFENCE: invalid free in __hci_req_sync
2024/06/13 13:54 upstream 2ccbdf43d5e7 c2e07261 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream KFENCE: invalid free in __hci_req_sync
2024/06/08 06:24 upstream 96e09b8f8166 c2e07261 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream KFENCE: invalid free in __hci_req_sync
2024/04/24 03:06 upstream 9d1ddab261f3 21339d7b .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream KFENCE: invalid free in __hci_req_sync
2024/07/02 20:40 upstream 1dfe225e9af5 dc6047a3 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 KFENCE: invalid free in __hci_req_sync
2024/06/30 04:56 upstream 27b31deb900d 757f06b1 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 KFENCE: invalid free in __hci_req_sync
2024/04/27 09:57 upstream e6ebf0117218 07b455f9 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 KFENCE: invalid free in __hci_req_sync
2024/06/14 13:36 net be27b8965297 a9616ff5 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce KFENCE: invalid free in __hci_req_sync
2024/05/16 20:43 net 621cde16e49b ef5d53ed .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce KFENCE: invalid free in __hci_req_sync
2024/07/04 01:50 net-next cda91d5b911a f76a75f3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-net-next-test-gce KFENCE: invalid free in __hci_req_sync
2024/07/01 11:37 net-next 17784801d888 757f06b1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-net-next-test-gce KFENCE: invalid free in __hci_req_sync
2024/06/30 06:23 net-next 30972a4ea092 757f06b1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-net-next-test-gce KFENCE: invalid free in __hci_req_sync
2024/06/29 00:15 net-next 748e3bbf4721 757f06b1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-net-next-test-gce KFENCE: invalid free in __hci_req_sync
2024/06/28 23:33 net-next 748e3bbf4721 757f06b1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-net-next-test-gce KFENCE: invalid free in __hci_req_sync
2024/06/26 12:17 net-next 50b70845fc5c c6d33a01 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-net-next-test-gce KFENCE: invalid free in __hci_req_sync
2024/06/25 01:53 net-next bf2468f9afba 215eef4a .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-net-next-test-gce KFENCE: invalid free in __hci_req_sync
2024/06/24 10:17 net-next 84562f9953ec edc5149a .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-net-next-test-gce KFENCE: invalid free in __hci_req_sync
2024/06/13 13:21 net-next d2675fe95fc7 2aa5052f .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-net-next-test-gce KFENCE: invalid free in __hci_req_sync
2024/06/12 14:02 net-next 91579c93a9b2 f815599d .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-net-next-test-gce KFENCE: invalid free in __hci_req_sync
2024/06/08 20:21 net-next a99997323654 82c05ab8 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-net-next-test-gce KFENCE: invalid free in __hci_req_sync
2024/06/08 06:58 net-next a99997323654 82c05ab8 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-net-next-test-gce KFENCE: invalid free in __hci_req_sync
2024/06/05 16:46 net-next 54751f4d5406 5aa1a7c9 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-net-next-test-gce KFENCE: invalid free in __hci_req_sync
2024/06/03 19:04 net-next 93e30878f7ec 0aba2352 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-net-next-test-gce KFENCE: invalid free in __hci_req_sync
2024/06/02 02:20 net-next d1f9e6513e4e 3113787f .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-net-next-test-gce KFENCE: invalid free in __hci_req_sync
2024/05/27 14:34 net-next 66ad4829ddd0 761766e6 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-net-next-test-gce KFENCE: invalid free in __hci_req_sync
2024/05/26 03:29 net-next 66ad4829ddd0 a10a183e .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-net-next-test-gce KFENCE: invalid free in __hci_req_sync
2024/05/23 03:46 net-next 4b377b4868ef 4d098039 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-net-next-test-gce KFENCE: invalid free in __hci_req_sync
2024/05/21 03:29 net-next 4b377b4868ef c0f1611a .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-net-next-test-gce KFENCE: invalid free in __hci_req_sync
2024/05/17 01:00 net-next 1b294a1f3561 c2e07261 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-net-next-test-gce KFENCE: invalid free in __hci_req_sync
2024/05/11 07:12 net-next cddd2dc6390b f7c35481 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-net-next-test-gce KFENCE: invalid free in __hci_req_sync
2024/05/06 19:53 net-next b1de3c0df7ab d884b519 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-net-next-test-gce KFENCE: invalid free in __hci_req_sync
2024/05/04 01:00 net-next f3ad4914332f 610f2a54 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-net-next-test-gce KFENCE: invalid free in __hci_req_sync
2024/05/01 11:54 bpf-next 9a1a2cb5a0e3 3ba885bc .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-next-kasan-gce KFENCE: invalid free in __hci_req_sync
2024/05/01 01:30 net-next b45176703647 3ba885bc .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-net-next-test-gce KFENCE: invalid free in __hci_req_sync
* Struck through repros no longer work on HEAD.