KASAN: use-after-free Read in __queue

KASAN: use-after-free Read in __queue_work (3)
Status: upstream: reported syz repro on 2020/08/08 21:27
Reported-by: syzbot+77e5e02c6c81136cdaff@syzkaller.appspotmail.com
First crash: 440d, last: 188d

Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: WARNING in sysfs_warn_dup (log)
Repro: syz .config

Fix bisection: fixed by (bisect log) :
commit e2cb6b891ad2b8caa9131e3be70f45243df82a80
Author: Lin Ma <linma@zju.edu.cn>
Date: Mon Apr 12 11:17:57 2021 +0000

bluetooth: eliminate the potential race condition when removing the HCI controller

similar bugs (5):
Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
android-49	KASAN: use-after-free Read in __queue_work	C			19	1157d	920d	0/3	public: reported C repro on 2019/04/13 00:00
linux-4.19	KASAN: use-after-free Read in __queue_work	syz		done	5	69d	441d	1/1	fixed on 2021/09/10 09:12
linux-4.14	KASAN: use-after-free Read in __queue_work	syz			4	8d08h	441d	0/1	upstream: reported syz repro on 2020/08/03 15:06
upstream	KASAN: use-after-free Read in __queue_work	syz			2	1488d	1452d	0/22	closed as invalid on 2017/10/27 09:34
upstream	KASAN: use-after-free Read in __queue_work (2)	C	done	done	577	844d	1197d	16/22	fixed on 2020/01/08 01:07

Patch testing requests:
Created	Duration	User	Patch	Repo	Result
2021/08/14 15:42	15m	phind.uet@gmail.com		linux-next	OK
2020/09/02 05:15	16m	anant.thazhemadam@gmail.com		https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master	report log

Sample crash report:

==================================================================
BUG: KASAN: use-after-free in __queue_work+0xc6c/0xf20 kernel/workqueue.c:1412
Read of size 4 at addr ffff88809f1ab9c0 by task syz-executor.3/16144

CPU: 0 PID: 16144 Comm: syz-executor.3 Not tainted 5.8.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x18f/0x20d lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xae/0x436 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
 __queue_work+0xc6c/0xf20 kernel/workqueue.c:1412
 queue_work_on+0x18b/0x200 kernel/workqueue.c:1518
 queue_work include/linux/workqueue.h:507 [inline]
 req_run+0x2c5/0x4a0 net/bluetooth/hci_request.c:90
 hci_req_run_skb net/bluetooth/hci_request.c:102 [inline]
 __hci_req_sync+0x1dd/0x830 net/bluetooth/hci_request.c:215
 hci_req_sync+0x8a/0xc0 net/bluetooth/hci_request.c:282
 hci_dev_cmd+0x5b3/0x950 net/bluetooth/hci_core.c:2011
 hci_sock_ioctl+0x3fa/0x800 net/bluetooth/hci_sock.c:1053
 sock_do_ioctl+0xcb/0x2d0 net/socket.c:1048
 sock_ioctl+0x3b8/0x730 net/socket.c:1199
 vfs_ioctl fs/ioctl.c:48 [inline]
 ksys_ioctl+0x11a/0x180 fs/ioctl.c:753
 __do_sys_ioctl fs/ioctl.c:762 [inline]
 __se_sys_ioctl fs/ioctl.c:760 [inline]
 __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:760
 do_syscall_64+0x60/0xe0 arch/x86/entry/common.c:384
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45cce9
Code: 2d b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb b5 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f18d49bfc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 000000000001d300 RCX: 000000000045cce9
RDX: 0000000020000000 RSI: 00000000400448de RDI: 0000000000000004
RBP: 000000000078c080 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000078c04c
R13: 00007ffc84a6ab1f R14: 00007f18d49c09c0 R15: 000000000078c04c

Allocated by task 9187:
 save_stack+0x1b/0x40 mm/kasan/common.c:48
 set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:494
 __do_kmalloc mm/slab.c:3656 [inline]
 __kmalloc+0x17a/0x340 mm/slab.c:3665
 kmalloc include/linux/slab.h:560 [inline]
 kzalloc include/linux/slab.h:669 [inline]
 alloc_workqueue+0x166/0xe50 kernel/workqueue.c:4265
 hci_register_dev+0x1b5/0x930 net/bluetooth/hci_core.c:3509
 __vhci_create_device+0x2ac/0x5b0 drivers/bluetooth/hci_vhci.c:124
 vhci_create_device drivers/bluetooth/hci_vhci.c:148 [inline]
 vhci_open_timeout+0x38/0x50 drivers/bluetooth/hci_vhci.c:305
 process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
 kthread+0x3b5/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293

Freed by task 16170:
 save_stack+0x1b/0x40 mm/kasan/common.c:48
 set_track mm/kasan/common.c:56 [inline]
 kasan_set_free_info mm/kasan/common.c:316 [inline]
 __kasan_slab_free+0xf5/0x140 mm/kasan/common.c:455
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x103/0x2c0 mm/slab.c:3757
 rcu_do_batch kernel/rcu/tree.c:2427 [inline]
 rcu_core+0x5c7/0x1190 kernel/rcu/tree.c:2655
 __do_softirq+0x2de/0xa24 kernel/softirq.c:298

The buggy address belongs to the object at ffff88809f1ab800
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 448 bytes inside of
 1024-byte region [ffff88809f1ab800, ffff88809f1abc00)
The buggy address belongs to the page:
page:ffffea00027c6ac0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea00028becc8 ffffea00028ddbc8 ffff8880aa000c40
raw: 0000000000000000 ffff88809f1ab000 0000000100000002 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809f1ab880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88809f1ab900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88809f1ab980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff88809f1aba00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88809f1aba80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (3):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	VM info
ci-upstream-kasan-gce-root	2020/08/04 21:23	upstream	c0842fbc1b18	80a06902	.config	log	report	syz
ci-upstream-linux-next-kasan-gce-root	2020/08/10 16:15	linux-next	f80535b9aa10	70301872	.config	log	report	syz
ci-upstream-kasan-gce-selinux-root	2020/11/14 20:47	upstream	f01c30de86f1	1bf9a662	.config	log	report		info