KASAN: use-after-free Read in l2cap_chan

KASAN: use-after-free Read in l2cap_chan_close
Status: fixed on 2020/09/16 22:51
Reported-by: syzbot+96414aa0033c363d8458@syzkaller.appspotmail.com
Fix commit: f9c70bdc279b Bluetooth: add a mutex lock to avoid UAF in do_enale_set
First crash: 666d, last: 485d

Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: WARNING in sysfs_warn_dup (log)
Repro: C syz .config

similar bugs (2):
Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
linux-4.14	KASAN: use-after-free Read in l2cap_chan_close	C		inconclusive	10	483d	665d	0/1	upstream: reported C repro on 2020/02/08 02:54
linux-4.19	KASAN: use-after-free Read in l2cap_chan_close	C		done	8	484d	667d	1/1	fixed on 2020/09/09 05:22

Sample crash report:

==================================================================
BUG: KASAN: use-after-free in l2cap_chan_close+0x564/0xb10 net/bluetooth/l2cap_core.c:794
Read of size 1 at addr ffff88809d984020 by task kworker/1:1/23

CPU: 1 PID: 23 Comm: kworker/1:1 Not tainted 5.8.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events do_enable_set
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x18f/0x20d lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xae/0x436 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
 l2cap_chan_close+0x564/0xb10 net/bluetooth/l2cap_core.c:794
 do_enable_set+0x4ed/0x980 net/bluetooth/6lowpan.c:1082
 process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
 kthread+0x3b5/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

Allocated by task 23:
 save_stack+0x1b/0x40 mm/kasan/common.c:48
 set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:494
 kmem_cache_alloc_trace+0x14f/0x2d0 mm/slab.c:3551
 kmalloc include/linux/slab.h:555 [inline]
 kzalloc include/linux/slab.h:669 [inline]
 l2cap_chan_create+0x40/0x3a0 net/bluetooth/l2cap_core.c:450
 chan_create net/bluetooth/6lowpan.c:648 [inline]
 bt_6lowpan_listen net/bluetooth/6lowpan.c:967 [inline]
 do_enable_set+0x52f/0x980 net/bluetooth/6lowpan.c:1086
 process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
 kthread+0x3b5/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

Freed by task 2578:
 save_stack+0x1b/0x40 mm/kasan/common.c:48
 set_track mm/kasan/common.c:56 [inline]
 kasan_set_free_info mm/kasan/common.c:316 [inline]
 __kasan_slab_free+0xf5/0x140 mm/kasan/common.c:455
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x103/0x2c0 mm/slab.c:3757
 l2cap_chan_destroy net/bluetooth/l2cap_core.c:488 [inline]
 kref_put include/linux/kref.h:65 [inline]
 l2cap_chan_put+0x1b2/0x230 net/bluetooth/l2cap_core.c:502
 do_enable_set+0x4f9/0x980 net/bluetooth/6lowpan.c:1083
 process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
 kthread+0x3b5/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

The buggy address belongs to the object at ffff88809d984000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 32 bytes inside of
 2048-byte region [ffff88809d984000, ffff88809d984800)
The buggy address belongs to the page:
page:ffffea0002766100 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea000276f6c8 ffffea0002a20f88 ffff8880aa000e00
raw: 0000000000000000 ffff88809d984000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809d983f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88809d983f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88809d984000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                               ^
 ffff88809d984080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88809d984100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (37):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro
ci-upstream-kasan-gce-root	2020/08/06 05:05	upstream	fffe3ae0ee84	0487ea6f	.config	log	report	syz	C
ci-upstream-kasan-gce-smack-root	2020/08/05 17:49	upstream	442489c21923	b7129355	.config	log	report	syz	C
ci-upstream-kasan-gce-selinux-root	2020/08/05 04:26	upstream	c0842fbc1b18	80a06902	.config	log	report	syz	C
ci-upstream-kasan-gce-smack-root	2020/08/04 20:05	upstream	c0842fbc1b18	80a06902	.config	log	report	syz	C
ci-upstream-kasan-gce-selinux-root	2020/08/04 18:44	upstream	c0842fbc1b18	80a06902	.config	log	report	syz	C
ci-upstream-kasan-gce-root	2020/08/04 12:09	upstream	3208167a865e	196277c4	.config	log	report	syz	C
ci-upstream-kasan-gce-selinux-root	2020/05/23 23:52	upstream	423b8baf18a8	9682898d	.config	log	report	syz	C
ci-upstream-kasan-gce-root	2020/05/22 12:29	upstream	d2f8825ab78e	5afa2ddd	.config	log	report	syz	C
ci-upstream-kasan-gce-smack-root	2020/05/18 03:08	upstream	b9bbe6ed63b2	37bccd4e	.config	log	report	syz	C
ci-upstream-kasan-gce-smack-root	2020/05/14 12:51	upstream	24085f70a6e1	2d572622	.config	log	report	syz	C
ci-upstream-kasan-gce-root	2020/05/04 16:30	upstream	0e698dfa2822	58ae5e18	.config	log	report	syz	C
ci-upstream-kasan-gce-smack-root	2020/04/14 04:51	upstream	8f3d9f354286	7c54686a	.config	log	report	syz	C
ci-upstream-kasan-gce-root	2020/03/03 11:03	upstream	63623fd44972	c88c7b75	.config	log	report	syz	C
ci-upstream-kasan-gce	2020/02/29 10:52	upstream	f8788d86ab28	59b57593	.config	log	report	syz	C
ci-upstream-kasan-gce	2020/02/29 08:26	upstream	f8788d86ab28	59b57593	.config	log	report	syz	C
ci-upstream-kasan-gce-root	2020/02/08 23:02	upstream	f757165705e9	06150bf1	.config	log	report	syz	C
ci-upstream-kasan-gce	2020/02/08 05:17	upstream	41dcd67e8868	06150bf1	.config	log	report	syz	C
ci-upstream-kasan-gce-smack-root	2020/02/07 12:55	upstream	90568ecf5615	06150bf1	.config	log	report	syz	C
ci-upstream-kasan-gce-386	2020/05/18 04:36	upstream	b9bbe6ed63b2	37bccd4e	.config	log	report	syz	C
ci-upstream-kasan-gce-386	2020/02/28 06:54	upstream	f8788d86ab28	59b57593	.config	log	report	syz	C
ci-upstream-linux-next-kasan-gce-root	2020/05/20 15:49	linux-next	ac935d227366	1255f02a	.config	log	report	syz	C
ci-upstream-linux-next-kasan-gce-root	2020/05/05 16:39	linux-next	ac935d227366	4b76dd25	.config	log	report	syz	C
ci-upstream-kasan-gce	2020/05/18 03:48	upstream	9b1f2cbdb6d3	37bccd4e	.config	log	report	syz
ci-upstream-kasan-gce-root	2020/07/13 11:41	upstream	11ba468877bb	f90ec899	.config	log	report
ci-upstream-kasan-gce-smack-root	2020/06/30 18:37	upstream	9ebcfadb0610	a2cdad9d	.config	log	report
ci-upstream-kasan-gce-selinux-root	2020/06/30 01:24	upstream	4e99b32169e8	a2cdad9d	.config	log	report
ci-upstream-kasan-gce-smack-root	2020/06/28 05:38	upstream	1590a2e1c681	ffec44b5	.config	log	report
ci-upstream-kasan-gce	2020/06/27 04:06	upstream	1590a2e1c681	ffec44b5	.config	log	report
ci-upstream-kasan-gce	2020/06/15 10:36	upstream	7ae77150d94d	8e3ab941	.config	log	report
ci-upstream-kasan-gce	2020/05/30 04:30	upstream	86852175b016	954bd312	.config	log	report
ci-upstream-kasan-gce-root	2020/04/26 03:00	upstream	b2768df24ec4	99b258dd	.config	log	report
ci-upstream-kasan-gce-root	2020/04/26 00:05	upstream	b2768df24ec4	b8bb8e5f	.config	log	report
ci-upstream-kasan-gce-smack-root	2020/04/14 14:20	upstream	8f3d9f354286	3f3c5574	.config	log	report
ci-upstream-kasan-gce-smack-root	2020/04/09 19:28	upstream	5d30bcacd91a	a8c6a3f8	.config	log	report
ci-upstream-kasan-gce-selinux-root	2020/03/24 17:44	upstream	76ccd234269b	68660b21	.config	log	report
ci-upstream-kasan-gce-386	2020/06/27 13:21	upstream	1590a2e1c681	ffec44b5	.config	log	report
ci-qemu-upstream-386	2020/05/15 09:30	upstream	1ae7efb38854	2d572622	.config	log	report