syzbot

 sign-in | mailing list | source | docs
🐞 Open [960] 🐞 Fixed [3811] 🐞 Invalid [8185] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes

KASAN: null-ptr-deref Write in l2cap_chan_put
Status: fixed on 2022/03/08 16:11
Reported-by: syzbot+452e9465a3b2817fa4c2@syzkaller.appspotmail.com
Fix commit: 1bff51ea59a9 Bluetooth: fix use-after-free error in lock_sock_nested()
First crash: 658d, last: 212d

Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: WARNING in sysfs_warn_dup (log)
Repro: syz .config

Fix bisection: fixed by (bisect log) :
commit 1bff51ea59a9afb67d2dd78518ab0582a54a472c
Author: Wang ShaoBo <bobo.shaobowang@huawei.com>
Date: Wed Sep 1 00:35:37 2021 +0000

  Bluetooth: fix use-after-free error in lock_sock_nested()

similar bugs (1):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: wild-memory-access Write in l2cap_chan_put 2 452d 476d 0/22 auto-closed as invalid on 2021/06/30 01:30
Patch testing requests:
Created Duration User Patch Repo Result
2021/03/22 09:43 10m ducheng2@gmail.com patch upstream report log
2021/03/22 08:40 12m ducheng2@gmail.com patch upstream report log
2021/03/22 08:05 12m ducheng2@gmail.com patch upstream report log
2021/03/18 05:01 10m ducheng2@gmail.com patch upstream report log
2021/03/18 02:34 12m ducheng2@gmail.com patch upstream report log
2021/03/15 08:12 10m ducheng2@gmail.com patch upstream report log
2021/03/15 04:53 9m ducheng2@gmail.com upstream report log
2020/09/06 08:00 10m anant.thazhemadam@gmail.com patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master report log
2020/09/02 05:15 10m anant.thazhemadam@gmail.com https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master report log

Sample crash report:
==================================================================
BUG: KASAN: null-ptr-deref in instrument_atomic_write include/linux/instrumented.h:71 [inline]
BUG: KASAN: null-ptr-deref in atomic_fetch_sub_release include/asm-generic/atomic-instrumented.h:220 [inline]
BUG: KASAN: null-ptr-deref in refcount_sub_and_test include/linux/refcount.h:266 [inline]
BUG: KASAN: null-ptr-deref in refcount_dec_and_test include/linux/refcount.h:294 [inline]
BUG: KASAN: null-ptr-deref in kref_put include/linux/kref.h:64 [inline]
BUG: KASAN: null-ptr-deref in l2cap_chan_put+0x28/0x230 net/bluetooth/l2cap_core.c:502
Write of size 4 at addr 0000000000000018 by task kworker/0:2/7081

CPU: 0 PID: 7081 Comm: kworker/0:2 Not tainted 5.9.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events l2cap_chan_timeout
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x198/0x1fd lib/dump_stack.c:118
 __kasan_report mm/kasan/report.c:517 [inline]
 kasan_report.cold+0x5/0x37 mm/kasan/report.c:530
 check_memory_region_inline mm/kasan/generic.c:186 [inline]
 check_memory_region+0x13d/0x180 mm/kasan/generic.c:192
 instrument_atomic_write include/linux/instrumented.h:71 [inline]
 atomic_fetch_sub_release include/asm-generic/atomic-instrumented.h:220 [inline]
 refcount_sub_and_test include/linux/refcount.h:266 [inline]
 refcount_dec_and_test include/linux/refcount.h:294 [inline]
 kref_put include/linux/kref.h:64 [inline]
 l2cap_chan_put+0x28/0x230 net/bluetooth/l2cap_core.c:502
 l2cap_sock_kill+0xbd/0x180 net/bluetooth/l2cap_sock.c:1217
 l2cap_chan_timeout+0x1c1/0x450 net/bluetooth/l2cap_core.c:438
 process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
 kthread+0x3b5/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
==================================================================
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 7081 Comm: kworker/0:2 Tainted: G    B             5.9.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events l2cap_chan_timeout
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x198/0x1fd lib/dump_stack.c:118
 panic+0x347/0x7c0 kernel/panic.c:231
 end_report+0x4d/0x53 mm/kasan/report.c:104
 __kasan_report mm/kasan/report.c:520 [inline]
 kasan_report.cold+0xd/0x37 mm/kasan/report.c:530
 check_memory_region_inline mm/kasan/generic.c:186 [inline]
 check_memory_region+0x13d/0x180 mm/kasan/generic.c:192
 instrument_atomic_write include/linux/instrumented.h:71 [inline]
 atomic_fetch_sub_release include/asm-generic/atomic-instrumented.h:220 [inline]
 refcount_sub_and_test include/linux/refcount.h:266 [inline]
 refcount_dec_and_test include/linux/refcount.h:294 [inline]
 kref_put include/linux/kref.h:64 [inline]
 l2cap_chan_put+0x28/0x230 net/bluetooth/l2cap_core.c:502
 l2cap_sock_kill+0xbd/0x180 net/bluetooth/l2cap_sock.c:1217
 l2cap_chan_timeout+0x1c1/0x450 net/bluetooth/l2cap_core.c:438
 process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
 kthread+0x3b5/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
Kernel Offset: disabled
Rebooting in 86400 seconds..

Crashes (7):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce-root 2020/09/05 20:38 upstream c70672d8d316 abf9ba4f .config log report syz
ci-upstream-kasan-gce-selinux-root 2020/08/08 09:27 upstream 5631c5e0eb90 ff51e522 .config log report syz
ci-upstream-kasan-gce-smack-root 2020/08/08 09:20 upstream 5631c5e0eb90 ff51e522 .config log report syz
ci-upstream-linux-next-kasan-gce-root 2020/09/08 14:46 linux-next 7a6956579ce6 abf9ba4f .config log report syz
ci-upstream-net-kasan-gce 2021/03/20 19:18 net-next d773b7957e4f 17810eae .config log report info KASAN: null-ptr-deref Write in l2cap_chan_put
ci-upstream-net-kasan-gce 2021/07/27 10:36 net-next 268ca4129d8d fd511809 .config log report info KASAN: wild-memory-access Write in l2cap_chan_put
ci-upstream-net-kasan-gce 2020/09/26 09:54 net-next 6fba737a9320 4a006f63 .config log report info