KASAN: use-after-free Read in l2cap_chan

KASAN: use-after-free Read in l2cap_chan_close
Status: upstream: reported C repro on 2020/02/07 17:18
Reported-by: syzbot+96414aa0033c363d8458@syzkaller.appspotmail.com
Fix commit: Bluetooth: add a mutex lock to avoid UAF in do_enale_set
Patched on: [ci-upstream-bpf-next-kasan-gce ci-upstream-linux-next-kasan-gce-root ci-upstream-net-kasan-gce], missing on: [ci-qemu-upstream ci-qemu-upstream-386 ci-upstream-bpf-kasan-gce ci-upstream-gce-leak ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-kmsan-gce ci-upstream-kmsan-gce-386 ci-upstream-net-this-kasan-gce ci2-upstream-kcsan-gce ci2-upstream-usb]
First crash: 180d, last: 4h17m

Cause bisection: the bug happens on the oldest tested release
Crash: WARNING in sysfs_warn_dup (log)
Repro: C syz .config

similar bugs (2):
Kernel	Title	Repro	Bisected	Count	Last	Reported	Patched	Status
linux-4.14	KASAN: use-after-free Read in l2cap_chan_close	C	fix	5	3d06h	179d	0/1	upstream: reported C repro on 2020/02/08 02:54
linux-4.19	KASAN: use-after-free Read in l2cap_chan_close	C		6	18h55m	181d	0/1	upstream: reported C repro on 2020/02/06 18:16

Sample crash report:

==================================================================
BUG: KASAN: use-after-free in l2cap_chan_close+0x46/0xae0 net/bluetooth/l2cap_core.c:790
Read of size 8 at addr ffff888096e33000 by task kworker/0:2/2597

CPU: 0 PID: 2597 Comm: kworker/0:2 Not tainted 5.8.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events do_enable_set
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1f0/0x31e lib/dump_stack.c:118
 print_address_description+0x66/0x5a0 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report+0x132/0x1d0 mm/kasan/report.c:530
 l2cap_chan_close+0x46/0xae0 net/bluetooth/l2cap_core.c:790
 do_enable_set+0x662/0x900 net/bluetooth/6lowpan.c:1082
 process_one_work+0x789/0xfc0 kernel/workqueue.c:2269
 worker_thread+0xaa4/0x1460 kernel/workqueue.c:2415
 kthread+0x37e/0x3a0 drivers/block/aoe/aoecmd.c:1234
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293

Allocated by task 2597:
 save_stack mm/kasan/common.c:48 [inline]
 set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc+0x103/0x140 mm/kasan/common.c:494
 kmem_cache_alloc_trace+0x234/0x300 mm/slab.c:3551
 kmalloc include/linux/slab.h:555 [inline]
 kzalloc include/linux/slab.h:669 [inline]
 l2cap_chan_create+0x4c/0x320 net/bluetooth/l2cap_core.c:450
 chan_create net/bluetooth/6lowpan.c:648 [inline]
 bt_6lowpan_listen net/bluetooth/6lowpan.c:967 [inline]
 do_enable_set+0x6a7/0x900 net/bluetooth/6lowpan.c:1086
 process_one_work+0x789/0xfc0 kernel/workqueue.c:2269
 worker_thread+0xaa4/0x1460 kernel/workqueue.c:2415
 kthread+0x37e/0x3a0 drivers/block/aoe/aoecmd.c:1234
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293

Freed by task 2576:
 save_stack mm/kasan/common.c:48 [inline]
 set_track mm/kasan/common.c:56 [inline]
 kasan_set_free_info mm/kasan/common.c:316 [inline]
 __kasan_slab_free+0x114/0x170 mm/kasan/common.c:455
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x10a/0x220 mm/slab.c:3757
 do_enable_set+0x66e/0x900 net/bluetooth/6lowpan.c:1083
 process_one_work+0x789/0xfc0 kernel/workqueue.c:2269
 worker_thread+0xaa4/0x1460 kernel/workqueue.c:2415
 kthread+0x37e/0x3a0 drivers/block/aoe/aoecmd.c:1234
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293

The buggy address belongs to the object at ffff888096e33000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 0 bytes inside of
 2048-byte region [ffff888096e33000, ffff888096e33800)
The buggy address belongs to the page:
page:ffffea00025b8cc0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea0002858c88 ffffea00028b3588 ffff8880aa400e00
raw: 0000000000000000 ffff888096e33000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888096e32f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888096e32f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888096e33000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff888096e33080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888096e33100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (36):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	Maintainers
ci-upstream-kasan-gce-smack-root	2020/08/05 17:49	upstream	442489c2	b7129355	.config	log	report	syz	C	davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce-selinux-root	2020/08/05 04:26	upstream	c0842fbc	80a06902	.config	log	report	syz	C	davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce-smack-root	2020/08/04 20:05	upstream	c0842fbc	80a06902	.config	log	report	syz	C	davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce-selinux-root	2020/08/04 18:44	upstream	c0842fbc	80a06902	.config	log	report	syz	C	davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce-root	2020/08/04 12:09	upstream	3208167a	196277c4	.config	log	report	syz	C	davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce-selinux-root	2020/05/23 23:52	upstream	423b8baf	9682898d	.config	log	report	syz	C	davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce-root	2020/05/22 12:29	upstream	d2f8825a	5afa2ddd	.config	log	report	syz	C	davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce-smack-root	2020/05/18 03:08	upstream	b9bbe6ed	37bccd4e	.config	log	report	syz	C	davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce-smack-root	2020/05/14 12:51	upstream	24085f70	2d572622	.config	log	report	syz	C	davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce-root	2020/05/04 16:30	upstream	0e698dfa	58ae5e18	.config	log	report	syz	C	davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce-smack-root	2020/04/14 04:51	upstream	8f3d9f35	7c54686a	.config	log	report	syz	C	davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce-root	2020/03/03 11:03	upstream	63623fd4	c88c7b75	.config	log	report	syz	C	davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce	2020/02/29 10:52	upstream	f8788d86	59b57593	.config	log	report	syz	C	davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce	2020/02/29 08:26	upstream	f8788d86	59b57593	.config	log	report	syz	C	davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce-root	2020/02/08 23:02	upstream	f7571657	06150bf1	.config	log	report	syz	C	davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce	2020/02/08 05:17	upstream	41dcd67e	06150bf1	.config	log	report	syz	C	davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce-smack-root	2020/02/07 12:55	upstream	90568ecf	06150bf1	.config	log	report	syz	C	davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce-386	2020/05/18 04:36	upstream	b9bbe6ed	37bccd4e	.config	log	report	syz	C	davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce-386	2020/02/28 06:54	upstream	f8788d86	59b57593	.config	log	report	syz	C	davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-linux-next-kasan-gce-root	2020/05/20 15:49	linux-next	ac935d22	1255f02a	.config	log	report	syz	C	davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-linux-next-kasan-gce-root	2020/05/05 16:39	linux-next	ac935d22	4b76dd25	.config	log	report	syz	C	davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce	2020/05/18 03:48	upstream	9b1f2cbd	37bccd4e	.config	log	report	syz		davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce-root	2020/07/13 11:41	upstream	11ba4688	f90ec899	.config	log	report			davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce-smack-root	2020/06/30 18:37	upstream	9ebcfadb	a2cdad9d	.config	log	report			davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce-selinux-root	2020/06/30 01:24	upstream	4e99b321	a2cdad9d	.config	log	report			davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce-smack-root	2020/06/28 05:38	upstream	1590a2e1	ffec44b5	.config	log	report			davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce	2020/06/27 04:06	upstream	1590a2e1	ffec44b5	.config	log	report			davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce	2020/06/15 10:36	upstream	7ae77150	8e3ab941	.config	log	report			davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce	2020/05/30 04:30	upstream	86852175	954bd312	.config	log	report			davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce-root	2020/04/26 03:00	upstream	b2768df2	99b258dd	.config	log	report			davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce-root	2020/04/26 00:05	upstream	b2768df2	b8bb8e5f	.config	log	report			davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce-smack-root	2020/04/14 14:20	upstream	8f3d9f35	3f3c5574	.config	log	report			davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce-smack-root	2020/04/09 19:28	upstream	5d30bcac	a8c6a3f8	.config	log	report			davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce-selinux-root	2020/03/24 17:44	upstream	76ccd234	68660b21	.config	log	report			davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce-386	2020/06/27 13:21	upstream	1590a2e1	ffec44b5	.config	log	report			davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-qemu-upstream-386	2020/05/15 09:30	upstream	1ae7efb3	2d572622	.config	log	report			davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org