syzbot


KASAN: null-ptr-deref Write in l2cap_chan_put

Status: fixed on 2022/03/08 16:11
Subsystems: bluetooth
[Documentation on labels]
Reported-by: syzbot+452e9465a3b2817fa4c2@syzkaller.appspotmail.com
Fix commit: 1bff51ea59a9 Bluetooth: fix use-after-free error in lock_sock_nested()
First crash: 1318d, last: 873d
Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: WARNING in sysfs_warn_dup (log)
Repro: syz .config
  
Fix bisection: fixed by (bisect log) :
commit 1bff51ea59a9afb67d2dd78518ab0582a54a472c
Author: Wang ShaoBo <bobo.shaobowang@huawei.com>
Date: Wed Sep 1 00:35:37 2021 +0000

  Bluetooth: fix use-after-free error in lock_sock_nested()

  
Discussions (1)
Title Replies (including bot) Last reply
KASAN: null-ptr-deref Write in l2cap_chan_put 1 (3) 2021/12/04 09:48
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: wild-memory-access Write in l2cap_chan_put bluetooth 2 1113d 1136d 0/26 auto-closed as invalid on 2021/06/30 01:30
Last patch testing requests (9)
Created Duration User Patch Repo Result
2021/03/22 09:43 10m ducheng2@gmail.com patch upstream report log
2021/03/22 08:40 12m ducheng2@gmail.com patch upstream report log
2021/03/22 08:05 12m ducheng2@gmail.com patch upstream report log
2021/03/18 05:01 10m ducheng2@gmail.com patch upstream report log
2021/03/18 02:34 12m ducheng2@gmail.com patch upstream report log
2021/03/15 08:12 10m ducheng2@gmail.com patch upstream report log
2021/03/15 04:53 9m ducheng2@gmail.com upstream report log
2020/09/06 08:00 10m anant.thazhemadam@gmail.com patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master report log
2020/09/02 05:15 10m anant.thazhemadam@gmail.com https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master report log
Fix bisection attempts (13)
Created Duration User Patch Repo Result
2021/11/26 12:48 3h58m bisect fix upstream job log (1)
2021/10/27 12:27 20m bisect fix upstream job log (0) log
2021/09/25 16:36 20m bisect fix upstream job log (0) log
2021/08/26 11:41 25m bisect fix upstream job log (0) log
2021/07/19 19:47 21m bisect fix upstream job log (0) log
2021/06/19 19:24 21m bisect fix upstream job log (0) log
2021/05/19 23:16 20m bisect fix upstream job log (0) log
2021/04/19 19:18 20m bisect fix upstream job log (0) log
2021/03/13 11:55 19m bisect fix upstream job log (0) log
2021/01/24 10:47 18m bisect fix upstream job log (0) log
2020/12/25 10:30 17m bisect fix upstream job log (0) log
2020/11/25 10:12 17m bisect fix upstream job log (0) log
2020/10/26 09:54 18m bisect fix upstream job log (0) log

Sample crash report:
==================================================================
BUG: KASAN: null-ptr-deref in instrument_atomic_write include/linux/instrumented.h:71 [inline]
BUG: KASAN: null-ptr-deref in atomic_fetch_sub_release include/asm-generic/atomic-instrumented.h:220 [inline]
BUG: KASAN: null-ptr-deref in refcount_sub_and_test include/linux/refcount.h:266 [inline]
BUG: KASAN: null-ptr-deref in refcount_dec_and_test include/linux/refcount.h:294 [inline]
BUG: KASAN: null-ptr-deref in kref_put include/linux/kref.h:64 [inline]
BUG: KASAN: null-ptr-deref in l2cap_chan_put+0x28/0x230 net/bluetooth/l2cap_core.c:502
Write of size 4 at addr 0000000000000018 by task kworker/0:2/7081

CPU: 0 PID: 7081 Comm: kworker/0:2 Not tainted 5.9.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events l2cap_chan_timeout
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x198/0x1fd lib/dump_stack.c:118
 __kasan_report mm/kasan/report.c:517 [inline]
 kasan_report.cold+0x5/0x37 mm/kasan/report.c:530
 check_memory_region_inline mm/kasan/generic.c:186 [inline]
 check_memory_region+0x13d/0x180 mm/kasan/generic.c:192
 instrument_atomic_write include/linux/instrumented.h:71 [inline]
 atomic_fetch_sub_release include/asm-generic/atomic-instrumented.h:220 [inline]
 refcount_sub_and_test include/linux/refcount.h:266 [inline]
 refcount_dec_and_test include/linux/refcount.h:294 [inline]
 kref_put include/linux/kref.h:64 [inline]
 l2cap_chan_put+0x28/0x230 net/bluetooth/l2cap_core.c:502
 l2cap_sock_kill+0xbd/0x180 net/bluetooth/l2cap_sock.c:1217
 l2cap_chan_timeout+0x1c1/0x450 net/bluetooth/l2cap_core.c:438
 process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
 kthread+0x3b5/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
==================================================================
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 7081 Comm: kworker/0:2 Tainted: G    B             5.9.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events l2cap_chan_timeout
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x198/0x1fd lib/dump_stack.c:118
 panic+0x347/0x7c0 kernel/panic.c:231
 end_report+0x4d/0x53 mm/kasan/report.c:104
 __kasan_report mm/kasan/report.c:520 [inline]
 kasan_report.cold+0xd/0x37 mm/kasan/report.c:530
 check_memory_region_inline mm/kasan/generic.c:186 [inline]
 check_memory_region+0x13d/0x180 mm/kasan/generic.c:192
 instrument_atomic_write include/linux/instrumented.h:71 [inline]
 atomic_fetch_sub_release include/asm-generic/atomic-instrumented.h:220 [inline]
 refcount_sub_and_test include/linux/refcount.h:266 [inline]
 refcount_dec_and_test include/linux/refcount.h:294 [inline]
 kref_put include/linux/kref.h:64 [inline]
 l2cap_chan_put+0x28/0x230 net/bluetooth/l2cap_core.c:502
 l2cap_sock_kill+0xbd/0x180 net/bluetooth/l2cap_sock.c:1217
 l2cap_chan_timeout+0x1c1/0x450 net/bluetooth/l2cap_core.c:438
 process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
 kthread+0x3b5/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
Kernel Offset: disabled
Rebooting in 86400 seconds..

Crashes (7):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/09/05 20:38 upstream c70672d8d316 abf9ba4f .config console log report syz ci-upstream-kasan-gce-root
2020/08/08 09:27 upstream 5631c5e0eb90 ff51e522 .config console log report syz ci-upstream-kasan-gce-selinux-root
2020/08/08 09:20 upstream 5631c5e0eb90 ff51e522 .config console log report syz ci-upstream-kasan-gce-smack-root
2020/09/08 14:46 linux-next 7a6956579ce6 abf9ba4f .config console log report syz ci-upstream-linux-next-kasan-gce-root
2021/03/20 19:18 net-next-old d773b7957e4f 17810eae .config console log report info ci-upstream-net-kasan-gce KASAN: null-ptr-deref Write in l2cap_chan_put
2021/07/27 10:36 net-next-old 268ca4129d8d fd511809 .config console log report info ci-upstream-net-kasan-gce KASAN: wild-memory-access Write in l2cap_chan_put
2020/09/26 09:54 net-next-old 6fba737a9320 4a006f63 .config console log report info ci-upstream-net-kasan-gce
* Struck through repros no longer work on HEAD.