syzbot

 sign-in | mailing list | source | docs
🐞 Open [952] Subsystems 🐞 Fixed [4574] 🐞 Invalid [10557] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

KASAN: use-after-free Read in __queue_work (3)

Status: upstream: reported syz repro on 2020/08/08 21:27
Labels: bluetooth (incorrect?)
Reported-by: syzbot+77e5e02c6c81136cdaff@syzkaller.appspotmail.com
First crash: 1038d, last: 206d

Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: WARNING in sysfs_warn_dup (log)
Repro: syz .config

Fix bisection: fixed by (bisect log) :
commit e2cb6b891ad2b8caa9131e3be70f45243df82a80
Author: Lin Ma <linma@zju.edu.cn>
Date: Mon Apr 12 11:17:57 2021 +0000

  bluetooth: eliminate the potential race condition when removing the HCI controller

Discussions (1)
Title Replies (including bot) Last reply
KASAN: use-after-free Read in __queue_work (3) 1 (3) 2021/05/14 07:50
Similar bugs (8)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-49 KASAN: use-after-free Read in __queue_work C 19 1756d 1518d 0/3 public: reported C repro on 2019/04/13 00:00
linux-4.19 KASAN: use-after-free Read in __queue_work syz done 5 668d 1040d 1/1 fixed on 2021/09/10 09:12
linux-4.14 KASAN: use-after-free Read in __queue_work syz error 4 275d 1040d 0/1 upstream: reported syz repro on 2020/08/03 15:06
upstream KASAN: use-after-free Read in __queue_work syz 2 2087d 2051d 0/24 closed as invalid on 2017/10/27 09:34
upstream KASAN: use-after-free Read in __queue_work (2) C done done 577 1442d 1796d 16/24 fixed on 2020/01/08 01:07
upstream general protection fault in __queue_work (2) C done 7043 421d 1189d 0/24 auto-obsoleted due to no activity on 2022/11/16 06:42
linux-4.19 general protection fault in __queue_work (2) 1 512d 512d 0/1 auto-closed as invalid on 2022/05/12 22:08
upstream BUG: unable to handle kernel NULL pointer dereference in __queue_work C 1 1753d 1753d 0/24 closed as invalid on 2018/09/05 12:51
Last patch testing requests (5)
Created Duration User Patch Repo Result
2023/04/20 23:04 16m retest repro linux-next report log
2023/02/23 15:32 18m retest repro upstream OK log
2022/10/13 09:30 0m retest repro upstream error
2021/08/14 15:42 15m phind.uet@gmail.com linux-next OK
2020/09/02 05:15 16m anant.thazhemadam@gmail.com https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master report log

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in __queue_work+0xc6c/0xf20 kernel/workqueue.c:1412
Read of size 4 at addr ffff888093fd21c0 by task syz-executor.5/18594

CPU: 0 PID: 18594 Comm: syz-executor.5 Not tainted 5.8.0-next-20200810-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x18f/0x20d lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
 __queue_work+0xc6c/0xf20 kernel/workqueue.c:1412
 __queue_delayed_work+0x1c8/0x270 kernel/workqueue.c:1638
 queue_delayed_work_on+0x1a2/0x210 kernel/workqueue.c:1674
 queue_delayed_work include/linux/workqueue.h:522 [inline]
 hci_conn_drop include/net/bluetooth/hci_core.h:1142 [inline]
 hci_conn_drop include/net/bluetooth/hci_core.h:1112 [inline]
 sco_chan_del+0x1db/0x430 net/bluetooth/sco.c:149
 __sco_sock_close+0x16e/0x5b0 net/bluetooth/sco.c:434
 sco_sock_close net/bluetooth/sco.c:448 [inline]
 sco_sock_release+0x69/0x290 net/bluetooth/sco.c:1053
 __sock_release+0xcd/0x280 net/socket.c:596
 sock_close+0x18/0x20 net/socket.c:1277
 __fput+0x285/0x920 fs/file_table.c:281
 task_work_run+0xdd/0x190 kernel/task_work.c:135
 get_signal+0xd6c/0x1ee0 kernel/signal.c:2547
 arch_do_signal+0x82/0x2520 arch/x86/kernel/signal.c:811
 exit_to_user_mode_loop kernel/entry/common.c:135 [inline]
 exit_to_user_mode_prepare+0x15d/0x1c0 kernel/entry/common.c:166
 syscall_exit_to_user_mode+0x59/0x2b0 kernel/entry/common.c:241
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45ce69
Code: 2d b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb b5 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f7d8674bc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: fffffffffffffffc RBX: 0000000000002180 RCX: 000000000045ce69
RDX: 0000000000000008 RSI: 0000000020000140 RDI: 0000000000000004
RBP: 000000000118bf60 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118bf2c
R13: 00007ffdb106899f R14: 00007f7d8674c9c0 R15: 000000000118bf2c

Allocated by task 8143:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:461
 __do_kmalloc mm/slab.c:3655 [inline]
 __kmalloc+0x1a8/0x320 mm/slab.c:3664
 kmalloc include/linux/slab.h:559 [inline]
 kzalloc include/linux/slab.h:666 [inline]
 alloc_workqueue+0x166/0xe50 kernel/workqueue.c:4265
 hci_register_dev+0x1b5/0xa30 net/bluetooth/hci_core.c:3688
 __vhci_create_device+0x2ac/0x5b0 drivers/bluetooth/hci_vhci.c:124
 vhci_create_device drivers/bluetooth/hci_vhci.c:148 [inline]
 vhci_open_timeout+0x38/0x50 drivers/bluetooth/hci_vhci.c:305
 process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
 kthread+0x3b5/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

Freed by task 9:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:56
 kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355
 __kasan_slab_free+0xd8/0x120 mm/kasan/common.c:422
 __cache_free mm/slab.c:3418 [inline]
 kfree+0x103/0x2c0 mm/slab.c:3756
 rcu_do_batch kernel/rcu/tree.c:2428 [inline]
 rcu_core+0x5c7/0x1190 kernel/rcu/tree.c:2656
 __do_softirq+0x2de/0xa24 kernel/softirq.c:298

Last call_rcu():
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_record_aux_stack+0x82/0xb0 mm/kasan/generic.c:346
 __call_rcu kernel/rcu/tree.c:2894 [inline]
 call_rcu+0x14f/0x7e0 kernel/rcu/tree.c:2968
 pwq_unbound_release_workfn+0x23a/0x2d0 kernel/workqueue.c:3694
 process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
 kthread+0x3b5/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

The buggy address belongs to the object at ffff888093fd2000
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 448 bytes inside of
 1024-byte region [ffff888093fd2000, ffff888093fd2400)
The buggy address belongs to the page:
page:00000000f47b22de refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x93fd2
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea000251df88 ffffea000299b008 ffff8880aa040700
raw: 0000000000000000 ffff888093fd2000 0000000100000002 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888093fd2080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888093fd2100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888093fd2180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff888093fd2200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888093fd2280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (83):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2020/08/10 16:15 linux-next f80535b9aa10 70301872 .config console log report syz ci-upstream-linux-next-kasan-gce-root
2020/08/04 21:23 upstream c0842fbc1b18 80a06902 .config console log report syz ci-upstream-kasan-gce-root
2022/11/15 14:22 upstream e01d50cbd6ee 97de9cfc .config console log report info ci-qemu2-arm64 KASAN: use-after-free Read in __queue_work
2022/11/15 13:57 upstream e01d50cbd6ee 97de9cfc .config console log report info ci-qemu2-arm64-mte KASAN: use-after-free Read in __queue_work
2022/11/15 08:42 upstream e01d50cbd6ee 97de9cfc .config console log report info ci-qemu2-arm64-mte KASAN: use-after-free Read in __queue_work
2022/11/14 21:09 upstream 094226ad94f4 943f4cb8 .config console log report info ci-qemu2-arm64-mte KASAN: use-after-free Read in __queue_work
2022/11/14 19:41 upstream 094226ad94f4 943f4cb8 .config console log report info ci-qemu2-arm64-mte KASAN: use-after-free Read in __queue_work
2022/11/14 17:29 upstream 094226ad94f4 943f4cb8 .config console log report info ci-qemu2-arm64-mte KASAN: use-after-free Read in __queue_work
2022/11/14 05:53 upstream af7a05689189 7ba4d859 .config console log report info ci-qemu2-arm64 KASAN: use-after-free Read in __queue_work
2022/11/14 05:20 upstream af7a05689189 7ba4d859 .config console log report info ci-qemu2-arm64 KASAN: use-after-free Read in __queue_work
2022/11/14 04:32 upstream af7a05689189 7ba4d859 .config console log report info ci-qemu2-arm64-mte KASAN: use-after-free Read in __queue_work
2022/11/14 03:35 upstream af7a05689189 7ba4d859 .config console log report info ci-qemu2-arm64-mte KASAN: use-after-free Read in __queue_work
2022/11/14 03:09 upstream af7a05689189 7ba4d859 .config console log report info ci-qemu2-arm64-mte KASAN: use-after-free Read in __queue_work
2022/11/14 02:17 upstream af7a05689189 7ba4d859 .config console log report info ci-qemu2-arm64-mte KASAN: use-after-free Read in __queue_work
2022/06/05 19:24 upstream 952923ddc011 c8857892 .config console log report info ci-upstream-kasan-gce-386 KASAN: use-after-free Read in __queue_work
2020/11/14 20:47 upstream f01c30de86f1 1bf9a662 .config console log report info ci-upstream-kasan-gce-selinux-root
2022/11/15 12:53 upstream e01d50cbd6ee 97de9cfc .config console log report info ci-qemu2-arm64 BUG: unable to handle kernel paging request in __queue_work
2022/11/15 11:16 upstream e01d50cbd6ee 97de9cfc .config console log report info ci-qemu2-arm64 BUG: unable to handle kernel paging request in __queue_work
2022/11/15 10:02 upstream e01d50cbd6ee 97de9cfc .config console log report info ci-qemu2-arm64 BUG: unable to handle kernel paging request in __queue_work
2022/11/15 09:53 upstream e01d50cbd6ee 97de9cfc .config console log report info ci-qemu2-arm64 BUG: unable to handle kernel paging request in __queue_work
2022/11/15 07:38 upstream e01d50cbd6ee 97de9cfc .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __queue_work
2022/11/15 06:32 upstream e01d50cbd6ee 97de9cfc .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __queue_work
2022/11/15 05:22 upstream e01d50cbd6ee 97de9cfc .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel paging request in __queue_work
2022/11/14 21:14 upstream 094226ad94f4 943f4cb8 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __queue_work
2022/11/14 21:11 upstream 094226ad94f4 943f4cb8 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __queue_work
2022/11/14 21:00 upstream 094226ad94f4 943f4cb8 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __queue_work
2022/11/14 20:52 upstream 094226ad94f4 943f4cb8 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __queue_work
2022/11/14 18:32 upstream 094226ad94f4 943f4cb8 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __queue_work
2022/11/14 18:01 upstream 094226ad94f4 943f4cb8 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __queue_work
2022/11/14 17:50 upstream 094226ad94f4 943f4cb8 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __queue_work
2022/11/14 17:43 upstream 094226ad94f4 943f4cb8 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __queue_work
2022/11/14 17:12 upstream 094226ad94f4 943f4cb8 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __queue_work
2022/11/14 05:54 upstream af7a05689189 7ba4d859 .config console log report info ci-qemu2-arm64 BUG: unable to handle kernel paging request in __queue_work
2022/11/14 05:44 upstream af7a05689189 7ba4d859 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __queue_work
2022/11/14 05:38 upstream af7a05689189 7ba4d859 .config console log report info ci-qemu2-arm64 BUG: unable to handle kernel paging request in __queue_work
2022/11/14 05:24 upstream af7a05689189 7ba4d859 .config console log report info ci-qemu2-arm64 BUG: unable to handle kernel paging request in __queue_work
2022/11/14 05:21 upstream af7a05689189 7ba4d859 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __queue_work
2022/11/14 05:07 upstream af7a05689189 7ba4d859 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __queue_work
2022/11/14 04:56 upstream af7a05689189 7ba4d859 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __queue_work
2022/11/14 04:36 upstream af7a05689189 7ba4d859 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel paging request in __queue_work
2022/11/14 03:47 upstream af7a05689189 7ba4d859 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __queue_work
2022/11/14 03:21 upstream af7a05689189 7ba4d859 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __queue_work
2022/11/14 03:14 upstream af7a05689189 7ba4d859 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __queue_work
2022/11/14 02:45 upstream af7a05689189 7ba4d859 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __queue_work
2022/11/14 02:14 upstream af7a05689189 7ba4d859 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __queue_work
2022/11/14 01:29 upstream af7a05689189 7ba4d859 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __queue_work
2022/11/14 01:27 upstream af7a05689189 7ba4d859 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __queue_work
2022/11/14 00:56 upstream af7a05689189 7ba4d859 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel paging request in __queue_work
2022/11/14 00:36 upstream af7a05689189 7ba4d859 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __queue_work
2022/11/14 00:27 upstream af7a05689189 7ba4d859 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __queue_work
2022/10/27 13:59 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci bbed346d5a96 86777b7f .config console log report info [disk image] [vmlinux] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in __queue_work
* Struck through repros no longer work on HEAD.