KASAN: use-after-free Read in __queue_work (3)

Status: upstream: reported syz repro on 2020/08/08 21:27
First crash: 784d, last: 114d

Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: WARNING in sysfs_warn_dup (log)
Repro: syz .config

Fix bisection: fixed by (bisect log) :
commit e2cb6b891ad2b8caa9131e3be70f45243df82a80
Author: Lin Ma <>
Date: Mon Apr 12 11:17:57 2021 +0000

  bluetooth: eliminate the potential race condition when removing the HCI controller

similar bugs (7):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-49 KASAN: use-after-free Read in __queue_work C 19 1502d 1264d 0/3 public: reported C repro on 2019/04/13 00:00
linux-4.19 KASAN: use-after-free Read in __queue_work syz done 5 414d 786d 1/1 fixed on 2021/09/10 09:12
linux-4.14 KASAN: use-after-free Read in __queue_work syz 4 21d 786d 0/1 upstream: reported syz repro on 2020/08/03 15:06
upstream KASAN: use-after-free Read in __queue_work syz 2 1833d 1797d 0/24 closed as invalid on 2017/10/27 09:34
upstream KASAN: use-after-free Read in __queue_work (2) C done done 577 1188d 1542d 16/24 fixed on 2020/01/08 01:07
upstream general protection fault in __queue_work (2) C done 7043 167d 935d 0/24 upstream: reported C repro on 2020/03/07 03:55
linux-4.19 general protection fault in __queue_work (2) 1 258d 258d 0/1 auto-closed as invalid on 2022/05/12 22:08
Patch testing requests:
Created Duration User Patch Repo Result
2021/08/14 15:42 15m linux-next OK
2020/09/02 05:15 16m master report log

Sample crash report:
BUG: KASAN: use-after-free in __queue_work+0xc6c/0xf20 kernel/workqueue.c:1412
Read of size 4 at addr ffff88809f1ab9c0 by task syz-executor.3/16144

CPU: 0 PID: 16144 Comm: syz-executor.3 Not tainted 5.8.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x18f/0x20d lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xae/0x436 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
 __queue_work+0xc6c/0xf20 kernel/workqueue.c:1412
 queue_work_on+0x18b/0x200 kernel/workqueue.c:1518
 queue_work include/linux/workqueue.h:507 [inline]
 req_run+0x2c5/0x4a0 net/bluetooth/hci_request.c:90
 hci_req_run_skb net/bluetooth/hci_request.c:102 [inline]
 __hci_req_sync+0x1dd/0x830 net/bluetooth/hci_request.c:215
 hci_req_sync+0x8a/0xc0 net/bluetooth/hci_request.c:282
 hci_dev_cmd+0x5b3/0x950 net/bluetooth/hci_core.c:2011
 hci_sock_ioctl+0x3fa/0x800 net/bluetooth/hci_sock.c:1053
 sock_do_ioctl+0xcb/0x2d0 net/socket.c:1048
 sock_ioctl+0x3b8/0x730 net/socket.c:1199
 vfs_ioctl fs/ioctl.c:48 [inline]
 ksys_ioctl+0x11a/0x180 fs/ioctl.c:753
 __do_sys_ioctl fs/ioctl.c:762 [inline]
 __se_sys_ioctl fs/ioctl.c:760 [inline]
 __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:760
 do_syscall_64+0x60/0xe0 arch/x86/entry/common.c:384
RIP: 0033:0x45cce9
Code: 2d b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb b5 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f18d49bfc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 000000000001d300 RCX: 000000000045cce9
RDX: 0000000020000000 RSI: 00000000400448de RDI: 0000000000000004
RBP: 000000000078c080 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000078c04c
R13: 00007ffc84a6ab1f R14: 00007f18d49c09c0 R15: 000000000078c04c

Allocated by task 9187:
 save_stack+0x1b/0x40 mm/kasan/common.c:48
 set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:494
 __do_kmalloc mm/slab.c:3656 [inline]
 __kmalloc+0x17a/0x340 mm/slab.c:3665
 kmalloc include/linux/slab.h:560 [inline]
 kzalloc include/linux/slab.h:669 [inline]
 alloc_workqueue+0x166/0xe50 kernel/workqueue.c:4265
 hci_register_dev+0x1b5/0x930 net/bluetooth/hci_core.c:3509
 __vhci_create_device+0x2ac/0x5b0 drivers/bluetooth/hci_vhci.c:124
 vhci_create_device drivers/bluetooth/hci_vhci.c:148 [inline]
 vhci_open_timeout+0x38/0x50 drivers/bluetooth/hci_vhci.c:305
 process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
 kthread+0x3b5/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293

Freed by task 16170:
 save_stack+0x1b/0x40 mm/kasan/common.c:48
 set_track mm/kasan/common.c:56 [inline]
 kasan_set_free_info mm/kasan/common.c:316 [inline]
 __kasan_slab_free+0xf5/0x140 mm/kasan/common.c:455
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x103/0x2c0 mm/slab.c:3757
 rcu_do_batch kernel/rcu/tree.c:2427 [inline]
 rcu_core+0x5c7/0x1190 kernel/rcu/tree.c:2655
 __do_softirq+0x2de/0xa24 kernel/softirq.c:298

The buggy address belongs to the object at ffff88809f1ab800
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 448 bytes inside of
 1024-byte region [ffff88809f1ab800, ffff88809f1abc00)
The buggy address belongs to the page:
page:ffffea00027c6ac0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea00028becc8 ffffea00028ddbc8 ffff8880aa000c40
raw: 0000000000000000 ffff88809f1ab000 0000000100000002 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809f1ab880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88809f1ab900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88809f1ab980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88809f1aba00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88809f1aba80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

Crashes (4):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce-root 2020/08/04 21:23 upstream c0842fbc1b18 80a06902 .config log report syz
ci-upstream-linux-next-kasan-gce-root 2020/08/10 16:15 linux-next f80535b9aa10 70301872 .config log report syz
ci-upstream-kasan-gce-386 2022/06/05 19:24 upstream 952923ddc011 c8857892 .config log report info KASAN: use-after-free Read in __queue_work
ci-upstream-kasan-gce-selinux-root 2020/11/14 20:47 upstream f01c30de86f1 1bf9a662 .config log report info
* Struck through repros no longer work on HEAD.