syzbot

 sign-in | mailing list | source | docs
🐞 Open [712] 🐞 Fixed [297] 🐞 Invalid [838] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

KASAN: use-after-free Read in kfree_skb

Status: fixed on 2019/12/28 10:32
Reported-by: syzbot+b92eb4b74ca4c06dec76@syzkaller.appspotmail.com
Fix commit: 03bf4876a593 Bluetooth: Fix invalid-free in bcsp_close()
First crash: 1730d, last: 1610d
Fix bisection: fixed by (bisect log) :
commit 03bf4876a5935ab48e4dbf56ebdffd25e44378a5
Author: Tomas Bortoli <tomasbortoli@gmail.com>
Date: Fri Nov 1 20:42:44 2019 +0000

  Bluetooth: Fix invalid-free in bcsp_close()

  
Similar bugs (4)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in kfree_skb net 1 2011d 2011d 11/26 fixed on 2018/11/12 21:25
linux-4.14 KASAN: use-after-free Read in kfree_skb C done 98 1609d 1736d 1/1 fixed on 2019/12/28 10:32
upstream KASAN: use-after-free Read in kfree_skb (2) tipc C 66 1951d 1961d 11/26 fixed on 2019/01/11 01:22
upstream KASAN: use-after-free Read in kfree_skb (3) C done error 313 1611d 1813d 0/26 auto-obsoleted due to no activity on 2022/12/22 07:00

Sample crash report:
Bluetooth: Error in BCSP hdr checksum
Bluetooth: Error in BCSP hdr checksum
Bluetooth: Error in BCSP hdr checksum
Bluetooth: hci0: command 0x1009 tx timeout
==================================================================
BUG: KASAN: use-after-free in atomic_read include/asm-generic/atomic-instrumented.h:21 [inline]
BUG: KASAN: use-after-free in refcount_read include/linux/refcount.h:43 [inline]
BUG: KASAN: use-after-free in skb_unref include/linux/skbuff.h:967 [inline]
BUG: KASAN: use-after-free in kfree_skb+0x38/0x390 net/core/skbuff.c:659
Read of size 4 at addr ffff8880887eb7e4 by task syz-executor544/7644

CPU: 1 PID: 7644 Comm: syz-executor544 Not tainted 4.19.79 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report mm/kasan/report.c:412 [inline]
 kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x123/0x190 mm/kasan/kasan.c:267
 kasan_check_read+0x11/0x20 mm/kasan/kasan.c:272
 atomic_read include/asm-generic/atomic-instrumented.h:21 [inline]
 refcount_read include/linux/refcount.h:43 [inline]
 skb_unref include/linux/skbuff.h:967 [inline]
 kfree_skb+0x38/0x390 net/core/skbuff.c:659
 bcsp_close+0xc7/0x130 drivers/bluetooth/hci_bcsp.c:763
 hci_uart_tty_close+0x1ea/0x250 drivers/bluetooth/hci_ldisc.c:555
 tty_ldisc_close.isra.0+0xaf/0xe0 drivers/tty/tty_ldisc.c:486
 tty_ldisc_kill+0x4b/0xc0 drivers/tty/tty_ldisc.c:632
 tty_ldisc_release+0xc6/0x280 drivers/tty/tty_ldisc.c:799
 tty_release_struct+0x1b/0x50 drivers/tty/tty_io.c:1611
 tty_release+0xbcb/0xe90 drivers/tty/tty_io.c:1784
 __fput+0x2dd/0x8b0 fs/file_table.c:278
 ____fput+0x16/0x20 fs/file_table.c:309
 task_work_run+0x145/0x1c0 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x994/0x2fa0 kernel/exit.c:876
 do_group_exit+0x135/0x370 kernel/exit.c:979
 get_signal+0x3ec/0x1fc0 kernel/signal.c:2574
 do_signal+0x95/0x1960 arch/x86/kernel/signal.c:821
 exit_to_usermode_loop+0x244/0x2c0 arch/x86/entry/common.c:163
 prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
 do_syscall_64+0x53d/0x620 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x441309
Code: Bad RIP value.
RSP: 002b:00007ffe7b75c378 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: 00000000003654c0 RBX: 0000000000000000 RCX: 0000000000441309
RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000004
RBP: 00000000006cb018 R08: 00000000004002c8 R09: 00000000004002c8
R10: 00008000fffffffe R11: 0000000000000246 R12: 0000000000402130
R13: 00000000004021c0 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 23:
 save_stack+0x45/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc mm/kasan/kasan.c:553 [inline]
 kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:531
 kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:490
 kmem_cache_alloc_node+0x144/0x710 mm/slab.c:3649
 __alloc_skb+0xd5/0x5f0 net/core/skbuff.c:193
 alloc_skb include/linux/skbuff.h:995 [inline]
 bt_skb_alloc include/net/bluetooth/bluetooth.h:339 [inline]
 bcsp_recv+0x8c7/0x13a0 drivers/bluetooth/hci_bcsp.c:685
 hci_uart_tty_receive+0x225/0x530 drivers/bluetooth/hci_ldisc.c:620
 tty_ldisc_receive_buf+0x15f/0x1c0 drivers/tty/tty_buffer.c:460
 tty_port_default_receive_buf+0x7d/0xb0 drivers/tty/tty_port.c:38
 receive_buf drivers/tty/tty_buffer.c:476 [inline]
 flush_to_ldisc+0x222/0x390 drivers/tty/tty_buffer.c:528
 process_one_work+0x989/0x1750 kernel/workqueue.c:2153
 worker_thread+0x98/0xe40 kernel/workqueue.c:2296
 kthread+0x354/0x420 kernel/kthread.c:246
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

Freed by task 23:
 save_stack+0x45/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3503 [inline]
 kmem_cache_free+0x86/0x260 mm/slab.c:3765
 kfree_skbmem net/core/skbuff.c:586 [inline]
 kfree_skbmem+0xcb/0x150 net/core/skbuff.c:580
 __kfree_skb net/core/skbuff.c:646 [inline]
 kfree_skb net/core/skbuff.c:663 [inline]
 kfree_skb+0xf0/0x390 net/core/skbuff.c:657
 bcsp_recv+0x2d8/0x13a0 drivers/bluetooth/hci_bcsp.c:623
 hci_uart_tty_receive+0x225/0x530 drivers/bluetooth/hci_ldisc.c:620
 tty_ldisc_receive_buf+0x15f/0x1c0 drivers/tty/tty_buffer.c:460
 tty_port_default_receive_buf+0x7d/0xb0 drivers/tty/tty_port.c:38
 receive_buf drivers/tty/tty_buffer.c:476 [inline]
 flush_to_ldisc+0x222/0x390 drivers/tty/tty_buffer.c:528
 process_one_work+0x989/0x1750 kernel/workqueue.c:2153
 worker_thread+0x98/0xe40 kernel/workqueue.c:2296
 kthread+0x354/0x420 kernel/kthread.c:246
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

The buggy address belongs to the object at ffff8880887eb700
 which belongs to the cache skbuff_head_cache of size 232
The buggy address is located 228 bytes inside of
 232-byte region [ffff8880887eb700, ffff8880887eb7e8)
The buggy address belongs to the page:
page:ffffea000221fac0 count:1 mapcount:0 mapping:ffff8880aa34dac0 index:0x0
flags: 0x1fffc0000000100(slab)
raw: 01fffc0000000100 ffffea00020d77c8 ffffea000255b348 ffff8880aa34dac0
raw: 0000000000000000 ffff8880887eb0c0 000000010000000c 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880887eb680: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
 ffff8880887eb700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880887eb780: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
                                                       ^
 ffff8880887eb800: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 ffff8880887eb880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (95):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2019/10/15 21:06 linux-4.19.y dafd634415a7 b5268b89 .config console log report syz C ci2-linux-4-19
2019/08/03 22:09 linux-4.19.y 9a9de33a9dfa 6affd8e8 .config console log report syz C ci2-linux-4-19
2019/11/12 07:18 linux-4.19.y 7d8dbefc22ff 377d77fa .config console log report syz ci2-linux-4-19
2019/10/14 13:50 linux-4.19.y dafd634415a7 a6aef847 .config console log report syz ci2-linux-4-19
2019/09/19 17:31 linux-4.19.y dbc29aff8d04 eb940044 .config console log report syz ci2-linux-4-19
2019/08/02 06:21 linux-4.19.y 9a9de33a9dfa 835dffe7 .config console log report syz ci2-linux-4-19
2019/11/26 14:48 linux-4.19.y 14260788bbb9 598ca6c8 .config console log report ci2-linux-4-19
2019/11/26 09:20 linux-4.19.y 14260788bbb9 598ca6c8 .config console log report ci2-linux-4-19
2019/11/25 09:02 linux-4.19.y 14260788bbb9 598ca6c8 .config console log report ci2-linux-4-19
2019/11/25 05:39 linux-4.19.y 14260788bbb9 598ca6c8 .config console log report ci2-linux-4-19
2019/11/23 18:41 linux-4.19.y c63ee2939dc1 598ca6c8 .config console log report ci2-linux-4-19
2019/11/20 20:26 linux-4.19.y c555efaf1402 432c7650 .config console log report ci2-linux-4-19
2019/11/20 17:10 linux-4.19.y c555efaf1402 432c7650 .config console log report ci2-linux-4-19
2019/11/19 21:02 linux-4.19.y c555efaf1402 432c7650 .config console log report ci2-linux-4-19
2019/11/19 05:24 linux-4.19.y c555efaf1402 d5696d51 .config console log report ci2-linux-4-19
2019/11/18 16:54 linux-4.19.y c555efaf1402 d5696d51 .config console log report ci2-linux-4-19
2019/11/16 06:36 linux-4.19.y c555efaf1402 cdac920b .config console log report ci2-linux-4-19
2019/11/16 05:32 linux-4.19.y c555efaf1402 cdac920b .config console log report ci2-linux-4-19
2019/11/15 04:08 linux-4.19.y c555efaf1402 048f2d49 .config console log report ci2-linux-4-19
2019/11/13 20:52 linux-4.19.y c555efaf1402 048f2d49 .config console log report ci2-linux-4-19
2019/11/13 14:59 linux-4.19.y 7d8dbefc22ff 048f2d49 .config console log report ci2-linux-4-19
2019/11/12 23:58 linux-4.19.y 7d8dbefc22ff 048f2d49 .config console log report ci2-linux-4-19
2019/11/12 15:24 linux-4.19.y 7d8dbefc22ff 048f2d49 .config console log report ci2-linux-4-19
2019/11/12 12:07 linux-4.19.y 7d8dbefc22ff 048f2d49 .config console log report ci2-linux-4-19
2019/11/12 09:18 linux-4.19.y 7d8dbefc22ff 048f2d49 .config console log report ci2-linux-4-19
2019/11/12 07:07 linux-4.19.y 7d8dbefc22ff 377d77fa .config console log report ci2-linux-4-19
2019/11/12 04:49 linux-4.19.y 7d8dbefc22ff 377d77fa .config console log report ci2-linux-4-19
2019/11/11 16:35 linux-4.19.y 7d8dbefc22ff 377d77fa .config console log report ci2-linux-4-19
2019/11/11 13:44 linux-4.19.y 5ee93551c703 dc438b91 .config console log report ci2-linux-4-19
2019/11/11 01:14 linux-4.19.y 5ee93551c703 dc438b91 .config console log report ci2-linux-4-19
2019/11/09 16:29 linux-4.19.y 5ee93551c703 1e35461e .config console log report ci2-linux-4-19
2019/11/09 00:58 linux-4.19.y 5ee93551c703 1e35461e .config console log report ci2-linux-4-19
2019/11/08 05:28 linux-4.19.y 5ee93551c703 f39aff9e .config console log report ci2-linux-4-19
2019/11/07 22:24 linux-4.19.y 5ee93551c703 f39aff9e .config console log report ci2-linux-4-19
2019/11/07 14:58 linux-4.19.y 5ee93551c703 d5bc6812 .config console log report ci2-linux-4-19
2019/11/02 16:44 linux-4.19.y ef244c308885 997ccc67 .config console log report ci2-linux-4-19
2019/11/02 08:38 linux-4.19.y ef244c308885 997ccc67 .config console log report ci2-linux-4-19
2019/11/02 04:17 linux-4.19.y ef244c308885 997ccc67 .config console log report ci2-linux-4-19
2019/11/01 16:33 linux-4.19.y ef244c308885 a41ca8fa .config console log report ci2-linux-4-19
2019/10/31 23:11 linux-4.19.y ef244c308885 a41ca8fa .config console log report ci2-linux-4-19
2019/10/25 12:54 linux-4.19.y c3038e718a19 04ca72cd .config console log report ci2-linux-4-19
2019/10/24 03:13 linux-4.19.y c3038e718a19 b602d64b .config console log report ci2-linux-4-19
2019/10/21 07:15 linux-4.19.y c3038e718a19 8c88c9c1 .config console log report ci2-linux-4-19
2019/10/21 05:28 linux-4.19.y c3038e718a19 8c88c9c1 .config console log report ci2-linux-4-19
2019/10/21 02:38 linux-4.19.y c3038e718a19 8c88c9c1 .config console log report ci2-linux-4-19
2019/10/20 19:44 linux-4.19.y c3038e718a19 8c88c9c1 .config console log report ci2-linux-4-19
2019/10/20 17:19 linux-4.19.y c3038e718a19 8c88c9c1 .config console log report ci2-linux-4-19
2019/10/20 15:54 linux-4.19.y c3038e718a19 8c88c9c1 .config console log report ci2-linux-4-19
2019/10/19 03:11 linux-4.19.y c3038e718a19 8c88c9c1 .config console log report ci2-linux-4-19
2019/10/14 03:25 linux-4.19.y dafd634415a7 2f661ec4 .config console log report ci2-linux-4-19
2019/10/06 21:03 linux-4.19.y 6cad9d0cf87b f3f7d9c8 .config console log report ci2-linux-4-19
2019/10/02 21:05 linux-4.19.y 555161ee1b7a 2e29b534 .config console log report ci2-linux-4-19
2019/10/02 03:09 linux-4.19.y 555161ee1b7a b7a87a83 .config console log report ci2-linux-4-19
2019/10/01 05:15 linux-4.19.y d573e8a79f70 c7a4fb99 .config console log report ci2-linux-4-19
2019/09/29 15:56 linux-4.19.y d573e8a79f70 c1ad5441 .config console log report ci2-linux-4-19
2019/09/26 16:41 linux-4.19.y d573e8a79f70 24d405a3 .config console log report ci2-linux-4-19
2019/09/24 21:47 linux-4.19.y d573e8a79f70 e38a6630 .config console log report ci2-linux-4-19
2019/09/23 21:31 linux-4.19.y d573e8a79f70 c68252d2 .config console log report ci2-linux-4-19
2019/09/23 15:09 linux-4.19.y d573e8a79f70 1e9788a0 .config console log report ci2-linux-4-19
2019/08/12 00:04 linux-4.19.y 893af1c79e42 acb51638 .config console log report ci2-linux-4-19
2019/08/11 22:31 linux-4.19.y 893af1c79e42 acb51638 .config console log report ci2-linux-4-19
2019/08/11 22:06 linux-4.19.y 893af1c79e42 acb51638 .config console log report ci2-linux-4-19
2019/08/11 12:23 linux-4.19.y 893af1c79e42 acb51638 .config console log report ci2-linux-4-19
2019/08/10 21:39 linux-4.19.y 893af1c79e42 acb51638 .config console log report ci2-linux-4-19
2019/08/09 14:17 linux-4.19.y cc4c818b2219 aff9e255 .config console log report ci2-linux-4-19
2019/08/05 23:19 linux-4.19.y b3060a1a313f 6affd8e8 .config console log report ci2-linux-4-19
2019/08/05 21:47 linux-4.19.y b3060a1a313f 6affd8e8 .config console log report ci2-linux-4-19
2019/08/05 10:50 linux-4.19.y b3060a1a313f 6affd8e8 .config console log report ci2-linux-4-19
2019/08/02 14:09 linux-4.19.y 9a9de33a9dfa 835dffe7 .config console log report ci2-linux-4-19
2019/07/29 12:28 linux-4.19.y 64f4694072aa c85e1c5b .config console log report ci2-linux-4-19
2019/07/29 09:04 linux-4.19.y 64f4694072aa c85e1c5b .config console log report ci2-linux-4-19
* Struck through repros no longer work on HEAD.