KASAN: use-after-free Read in l2cap_chan

KASAN: use-after-free Read in l2cap_chan_close
Status: upstream: reported C repro on 2020/02/07 17:18
Reported-by: syzbot+96414aa0033c363d8458@syzkaller.appspotmail.com
First crash: 111d, last: 5d04h

Cause bisection: the bug happens on the oldest tested release
Crash: WARNING in sysfs_warn_dup (log)
Repro: C syz .config

similar bugs (2):
Kernel	Title	Repro	Bisected	Count	Last	Reported	Patched	Status
linux-4.14	KASAN: use-after-free Read in l2cap_chan_close	C		4	10d	111d	0/1	upstream: reported C repro on 2020/02/08 02:54
linux-4.19	KASAN: use-after-free Read in l2cap_chan_close	C		3	11d	112d	0/1	upstream: reported C repro on 2020/02/06 18:16

Sample crash report:

==================================================================
BUG: KASAN: use-after-free in l2cap_chan_close+0x763/0xb10 net/bluetooth/l2cap_core.c:794
Read of size 1 at addr ffff8880a74b9020 by task kworker/1:5/3388

CPU: 1 PID: 3388 Comm: kworker/1:5 Not tainted 5.7.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events do_enable_set
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x188/0x20d lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xd3/0x413 mm/kasan/report.c:382
 __kasan_report.cold+0x20/0x38 mm/kasan/report.c:511
 kasan_report+0x33/0x50 mm/kasan/common.c:625
 l2cap_chan_close+0x763/0xb10 net/bluetooth/l2cap_core.c:794
 do_enable_set+0x4cf/0x8e0 net/bluetooth/6lowpan.c:1074
 process_one_work+0x965/0x16a0 kernel/workqueue.c:2268
 worker_thread+0x96/0xe20 kernel/workqueue.c:2414
 kthread+0x388/0x470 kernel/kthread.c:268
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:351

Allocated by task 2792:
 save_stack+0x1b/0x40 mm/kasan/common.c:49
 set_track mm/kasan/common.c:57 [inline]
 __kasan_kmalloc mm/kasan/common.c:495 [inline]
 __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:468
 kmem_cache_alloc_trace+0x153/0x7d0 mm/slab.c:3551
 kmalloc include/linux/slab.h:555 [inline]
 kzalloc include/linux/slab.h:669 [inline]
 l2cap_chan_create+0x40/0x3a0 net/bluetooth/l2cap_core.c:450
 chan_create+0xc/0xd0 net/bluetooth/6lowpan.c:640
 bt_6lowpan_listen net/bluetooth/6lowpan.c:959 [inline]
 do_enable_set+0x511/0x8e0 net/bluetooth/6lowpan.c:1078
 process_one_work+0x965/0x16a0 kernel/workqueue.c:2268
 worker_thread+0x96/0xe20 kernel/workqueue.c:2414
 kthread+0x388/0x470 kernel/kthread.c:268
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:351

Freed by task 2792:
 save_stack+0x1b/0x40 mm/kasan/common.c:49
 set_track mm/kasan/common.c:57 [inline]
 kasan_set_free_info mm/kasan/common.c:317 [inline]
 __kasan_slab_free+0xf7/0x140 mm/kasan/common.c:456
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x109/0x2b0 mm/slab.c:3757
 l2cap_chan_destroy net/bluetooth/l2cap_core.c:488 [inline]
 kref_put include/linux/kref.h:65 [inline]
 l2cap_chan_put+0x1b2/0x230 net/bluetooth/l2cap_core.c:502
 do_enable_set+0x4db/0x8e0 net/bluetooth/6lowpan.c:1075
 process_one_work+0x965/0x16a0 kernel/workqueue.c:2268
 worker_thread+0x96/0xe20 kernel/workqueue.c:2414
 kthread+0x388/0x470 kernel/kthread.c:268
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:351

The buggy address belongs to the object at ffff8880a74b9000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 32 bytes inside of
 2048-byte region [ffff8880a74b9000, ffff8880a74b9800)
The buggy address belongs to the page:
page:ffffea00029d2e40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea00029de808 ffffea00029d2e08 ffff8880aa000e00
raw: 0000000000000000 ffff8880a74b9000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a74b8f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880a74b8f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880a74b9000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                               ^
 ffff8880a74b9080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880a74b9100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (23):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	Maintainers
ci-upstream-kasan-gce-selinux-root	2020/05/23 23:52	upstream	423b8baf	9682898d	.config	log	report	syz	C	davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce-root	2020/05/22 12:29	upstream	d2f8825a	5afa2ddd	.config	log	report	syz	C	davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce-smack-root	2020/05/18 03:08	upstream	b9bbe6ed	37bccd4e	.config	log	report	syz	C	davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce-smack-root	2020/05/14 12:51	upstream	24085f70	2d572622	.config	log	report	syz	C	davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce-root	2020/05/04 16:30	upstream	0e698dfa	58ae5e18	.config	log	report	syz	C	davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce-smack-root	2020/04/14 04:51	upstream	8f3d9f35	7c54686a	.config	log	report	syz	C	davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce-root	2020/03/03 11:03	upstream	63623fd4	c88c7b75	.config	log	report	syz	C	davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce	2020/02/29 10:52	upstream	f8788d86	59b57593	.config	log	report	syz	C	davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce	2020/02/29 08:26	upstream	f8788d86	59b57593	.config	log	report	syz	C	davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce-root	2020/02/08 23:02	upstream	f7571657	06150bf1	.config	log	report	syz	C	davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce	2020/02/08 05:17	upstream	41dcd67e	06150bf1	.config	log	report	syz	C	davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce-smack-root	2020/02/07 12:55	upstream	90568ecf	06150bf1	.config	log	report	syz	C	davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce-386	2020/05/18 04:36	upstream	b9bbe6ed	37bccd4e	.config	log	report	syz	C	davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce-386	2020/02/28 06:54	upstream	f8788d86	59b57593	.config	log	report	syz	C	davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-linux-next-kasan-gce-root	2020/05/20 15:49	linux-next	ac935d22	1255f02a	.config	log	report	syz	C	davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-linux-next-kasan-gce-root	2020/05/05 16:39	linux-next	ac935d22	4b76dd25	.config	log	report	syz	C	davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce	2020/05/18 03:48	upstream	9b1f2cbd	37bccd4e	.config	log	report	syz		davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce-root	2020/04/26 03:00	upstream	b2768df2	99b258dd	.config	log	report			davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce-root	2020/04/26 00:05	upstream	b2768df2	b8bb8e5f	.config	log	report			davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce-smack-root	2020/04/14 14:20	upstream	8f3d9f35	3f3c5574	.config	log	report			davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce-smack-root	2020/04/09 19:28	upstream	5d30bcac	a8c6a3f8	.config	log	report			davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce-selinux-root	2020/03/24 17:44	upstream	76ccd234	68660b21	.config	log	report			davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-qemu-upstream-386	2020/05/15 09:30	upstream	1ae7efb3	2d572622	.config	log	report			davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org