syzbot

 sign-in | mailing list | source | docs
🐞 Open [971] 🐞 Fixed [3881] 🐞 Invalid [8367] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes

KASAN: use-after-free Read in hci_cmd_timeout

Status: upstream: reported C repro on 2019/05/07 09:10
Reported-by: syzbot+19a9f729f05272857487@syzkaller.appspotmail.com
First crash: 1162d, last: 15h13m

Cause bisection: introduced by (bisect log) :
commit ff92b9dd9268507e23fc10cc4341626cef50367c
Author: Suganath Prabu <suganath-prabu.subramani@broadcom.com>
Date: Thu Oct 25 14:03:40 2018 +0000

  scsi: mpt3sas: Update MPI headers to support Aero controllers

Crash: KASAN: use-after-free Read in hci_cmd_timeout (log)
Repro: C syz .config

Fix bisection: failed (bisect log)
similar bugs (2):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 KASAN: use-after-free Read in hci_cmd_timeout syz error 13 47d 1038d 0/1 upstream: reported syz repro on 2019/09/01 02:37
linux-4.14 KASAN: use-after-free Read in hci_cmd_timeout C inconclusive 11 169d 1032d 0/1 upstream: reported C repro on 2019/09/06 20:31
Patch testing requests:
Created Duration User Patch Repo Result
2021/08/14 15:41 18m phind.uet@gmail.com linux-next OK
2020/10/27 16:43 18m anmol.karan123@gmail.com upstream OK

Sample crash report:
Bluetooth: hci6: command tx timeout
==================================================================
BUG: KASAN: use-after-free in hci_cmd_timeout+0x203/0x210 net/bluetooth/hci_core.c:2654
Read of size 2 at addr ffff88806cf57c08 by task kworker/1:3/3749

CPU: 1 PID: 3749 Comm: kworker/1:3 Not tainted 5.16.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events hci_cmd_timeout
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247
 __kasan_report mm/kasan/report.c:433 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:450
 hci_cmd_timeout+0x203/0x210 net/bluetooth/hci_core.c:2654
 process_one_work+0x9b2/0x1660 kernel/workqueue.c:2298
 worker_thread+0x65d/0x1130 kernel/workqueue.c:2445
 kthread+0x405/0x4f0 kernel/kthread.c:327
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
 </TASK>

Allocated by task 3720:
 kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 ____kasan_kmalloc mm/kasan/common.c:513 [inline]
 ____kasan_kmalloc mm/kasan/common.c:472 [inline]
 __kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:522
 kmalloc include/linux/slab.h:590 [inline]
 kzalloc include/linux/slab.h:724 [inline]
 kernfs_fop_open+0x2b9/0xd30 fs/kernfs/file.c:628
 do_dentry_open+0x4b9/0x1240 fs/open.c:822
 do_open fs/namei.c:3426 [inline]
 path_openat+0x1cad/0x2750 fs/namei.c:3559
 do_filp_open+0x1aa/0x400 fs/namei.c:3586
 do_sys_openat2+0x16d/0x4d0 fs/open.c:1212
 do_sys_open fs/open.c:1228 [inline]
 __do_sys_openat fs/open.c:1244 [inline]
 __se_sys_openat fs/open.c:1239 [inline]
 __x64_sys_openat+0x13f/0x1f0 fs/open.c:1239
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 3703:
 kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38
 kasan_set_track+0x21/0x30 mm/kasan/common.c:46
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
 ____kasan_slab_free mm/kasan/common.c:366 [inline]
 ____kasan_slab_free mm/kasan/common.c:328 [inline]
 __kasan_slab_free+0xff/0x130 mm/kasan/common.c:374
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:1723 [inline]
 slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1749
 slab_free mm/slub.c:3513 [inline]
 kfree+0xf6/0x560 mm/slub.c:4561
 skb_free_head net/core/skbuff.c:655 [inline]
 skb_release_data+0x65a/0x790 net/core/skbuff.c:677
 skb_release_all net/core/skbuff.c:742 [inline]
 __kfree_skb net/core/skbuff.c:756 [inline]
 kfree_skb net/core/skbuff.c:774 [inline]
 kfree_skb+0x133/0x3f0 net/core/skbuff.c:768
 hci_dev_do_open+0xa50/0x1870 net/bluetooth/hci_core.c:1513
 hci_power_on+0x133/0x650 net/bluetooth/hci_core.c:2143
 process_one_work+0x9b2/0x1660 kernel/workqueue.c:2298
 worker_thread+0x65d/0x1130 kernel/workqueue.c:2445
 kthread+0x405/0x4f0 kernel/kthread.c:327
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

The buggy address belongs to the object at ffff88806cf57c00
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 8 bytes inside of
 512-byte region [ffff88806cf57c00, ffff88806cf57e00)
The buggy address belongs to the page:
page:ffffea0001b3d500 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x6cf54
head:ffffea0001b3d500 order:2 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 ffffea0001e89200 dead000000000002 ffff888010c41c80
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd28c0(GFP_NOWAIT|__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 3697, ts 1610686922392, free_ts 12316497295
 prep_new_page mm/page_alloc.c:2418 [inline]
 get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4149
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5369
 alloc_pages+0x1a7/0x300 mm/mempolicy.c:2190
 alloc_slab_page mm/slub.c:1793 [inline]
 allocate_slab mm/slub.c:1930 [inline]
 new_slab+0x32d/0x4a0 mm/slub.c:1993
 ___slab_alloc+0x918/0xfe0 mm/slub.c:3022
 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3109
 slab_alloc_node mm/slub.c:3200 [inline]
 __kmalloc_node_track_caller+0x2cb/0x360 mm/slub.c:4956
 kmalloc_reserve net/core/skbuff.c:354 [inline]
 pskb_expand_head+0x15e/0x1060 net/core/skbuff.c:1701
 netlink_trim+0x1ea/0x240 net/netlink/af_netlink.c:1301
 netlink_broadcast+0x5b/0xd50 net/netlink/af_netlink.c:1497
 nlmsg_multicast include/net/netlink.h:1033 [inline]
 nlmsg_notify+0x8f/0x280 net/netlink/af_netlink.c:2539
 rtmsg_fib+0x2e3/0x450 net/ipv4/fib_semantics.c:530
 fib_table_insert+0x714/0x1af0 net/ipv4/fib_trie.c:1389
 fib_magic+0x455/0x540 net/ipv4/fib_frontend.c:1087
 fib_add_ifaddr+0x476/0x500 net/ipv4/fib_frontend.c:1129
 fib_netdev_event+0x46f/0x680 net/ipv4/fib_frontend.c:1466
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1338 [inline]
 free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1389
 free_unref_page_prepare mm/page_alloc.c:3309 [inline]
 free_unref_page+0x19/0x690 mm/page_alloc.c:3388
 free_contig_range+0xa8/0xf0 mm/page_alloc.c:9271
 destroy_args+0xa8/0x646 mm/debug_vm_pgtable.c:1016
 debug_vm_pgtable+0x2961/0x29f3 mm/debug_vm_pgtable.c:1330
 do_one_initcall+0x103/0x650 init/main.c:1297
 do_initcall_level init/main.c:1370 [inline]
 do_initcalls init/main.c:1386 [inline]
 do_basic_setup init/main.c:1405 [inline]
 kernel_init_freeable+0x6b1/0x73a init/main.c:1610
 kernel_init+0x1a/0x1d0 init/main.c:1499
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Memory state around the buggy address:
 ffff88806cf57b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88806cf57b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88806cf57c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff88806cf57c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88806cf57d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (280):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce-root 2021/12/30 00:56 upstream e7c124bd0463 6cc879d4 .config log report syz C KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-386 2021/07/11 15:14 upstream 3dbdb38e2869 8f5a7b8c .config log report syz C KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-linux-next-kasan-gce-root 2022/05/15 03:41 linux-next 1e1b28b936ae 744a39e2 .config log report syz C KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-selinux-root 2019/07/03 13:11 upstream eca94432934f 55565fa0 .config log report syz C
ci-upstream-kasan-gce-selinux-root 2022/04/11 06:25 upstream 1862a69c9174 e22c3da3 .config log report syz KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-root 2022/03/24 06:20 upstream 1bc191051dca 5ff41e94 .config log report syz KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-linux-next-kasan-gce-root 2022/03/12 22:23 linux-next 91265a6da44d 9e8eaa75 .config log report syz KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-linux-next-kasan-gce-root 2022/03/03 07:05 linux-next e6ada6df471f 45a13a73 .config log report syz KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-linux-next-kasan-gce-root 2021/12/13 07:21 linux-next ea922272cbe5 49ca1f59 .config log report syz KASAN: use-after-free Read in hci_cmd_timeout
ci-qemu-upstream 2020/06/16 19:24 upstream 435faf5c218a 4ea9d964 .config log report syz
ci-upstream-kasan-gce-root 2022/07/05 03:13 upstream c1084b6c5620 bff65f44 .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-smack-root 2022/06/16 22:16 upstream 48a23ec6ff2b 1719ee24 .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-selinux-root 2022/06/16 19:21 upstream 30306f6194ca 1719ee24 .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-root 2022/06/13 01:05 upstream 7a68065eb9cd 0d5abf15 .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-root 2022/06/12 00:22 upstream 1c27f1fc1549 0d5abf15 .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-selinux-root 2022/06/11 12:11 upstream 0885eacdc81f 0d5abf15 .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-smack-root 2022/06/09 08:58 upstream 6bfb56e93bce 0d5abf15 .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-root 2022/06/07 10:51 upstream e71e60cd74df c8857892 .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-smack-root 2022/06/07 04:18 upstream e71e60cd74df c8857892 .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-root 2022/06/05 20:05 upstream 44688ffd111a c8857892 .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-root 2022/06/05 05:14 upstream 952923ddc011 c8857892 .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-root 2022/06/04 10:48 upstream 032dcf09e2bf c8857892 .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-smack-root 2022/06/04 06:00 upstream 032dcf09e2bf c8857892 .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-root 2022/06/03 20:50 upstream 50fd82b3a9a9 eee80d3c .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-smack-root 2022/06/02 15:37 upstream d1dc87763f40 5783034f .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-root 2022/05/29 18:10 upstream 664a393a2663 a46af346 .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-qemu-upstream 2022/05/29 04:29 upstream 664a393a2663 a46af346 .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-qemu-upstream 2022/05/22 23:49 upstream 4b0986a3613c 7268fa62 .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-root 2022/05/16 12:54 upstream 42226c989789 744a39e2 .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-qemu-upstream 2022/05/16 03:50 upstream 42226c989789 744a39e2 .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-selinux-root 2022/05/14 21:11 upstream 2fe1020d73ca 744a39e2 .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-root 2022/05/14 05:11 upstream ec7f49619d8e 107f6434 .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-selinux-root 2022/05/07 21:10 upstream 30c8e80f7932 e60b1103 .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-qemu-upstream 2022/04/19 12:27 upstream b2d229d4ddb1 c334415e .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-selinux-root 2022/04/17 13:16 upstream a2c29ccd9477 8bcc32a6 .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-qemu-upstream 2022/04/17 11:27 upstream a2c29ccd9477 8bcc32a6 .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-qemu-upstream 2022/04/08 08:36 upstream 1831fed55973 c6ff3e05 .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-smack-root 2022/04/04 15:50 upstream 312310928417 5915c2cb .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-selinux-root 2022/04/03 18:34 upstream be2d3ecedd99 79a2a8fc .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-root 2022/04/03 09:37 upstream be2d3ecedd99 79a2a8fc .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-root 2022/03/28 21:51 upstream ae085d7f9365 ee339263 .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce 2021/10/24 08:09 upstream 9c0c4d24ac00 282f03fb .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-qemu-upstream-386 2022/07/03 23:36 upstream 20855e4cb361 1434eec0 .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-qemu-upstream-386 2022/06/20 11:00 upstream a111daf0c53a 8f633d84 .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-qemu-upstream-386 2022/06/13 23:27 upstream b13baccc3850 0f087040 .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-qemu-upstream-386 2022/06/07 22:45 upstream 9886142c7a22 b2706118 .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-qemu-upstream-386 2022/06/05 22:56 upstream 44688ffd111a c8857892 .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-qemu-upstream-386 2022/06/04 16:36 upstream 032dcf09e2bf c8857892 .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-qemu-upstream-386 2022/04/22 04:38 upstream 59f0c2447e25 2738b391 .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-386 2021/10/11 11:57 upstream 64570fbc14f8 838e7e2c .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-linux-next-kasan-gce-root 2022/06/23 18:16 linux-next 08897940f458 912f5df7 .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-linux-next-kasan-gce-root 2022/06/21 12:04 linux-next 34d1d36073ea 0fc5c330 .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-linux-next-kasan-gce-root 2022/06/15 06:43 linux-next 6012273897fe 127d1faf .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-linux-next-kasan-gce-root 2022/06/14 11:53 linux-next 35d872b9ea5b 0f087040 .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-linux-next-kasan-gce-root 2022/06/14 00:54 linux-next 6d0c80680317 0f087040 .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-linux-next-kasan-gce-root 2022/06/10 04:02 linux-next ff539ac73ea5 0d5abf15 .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-linux-next-kasan-gce-root 2022/06/07 04:16 linux-next 40b58e42584b c8857892 .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-linux-next-kasan-gce-root 2022/05/17 16:27 linux-next 3f7bdc402fb0 744a39e2 .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-linux-next-kasan-gce-root 2022/05/15 00:14 linux-next 1e1b28b936ae 744a39e2 .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-linux-next-kasan-gce-root 2022/05/13 10:01 linux-next 1e1b28b936ae 9ad6612a .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-linux-next-kasan-gce-root 2022/05/12 23:12 linux-next 187b9ac8c348 9ad6612a .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-linux-next-kasan-gce-root 2022/05/10 04:27 linux-next 38a288f5941e 8b277b8e .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-linux-next-kasan-gce-root 2022/05/07 10:23 linux-next 38a288f5941e e60b1103 .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-linux-next-kasan-gce-root 2022/05/07 03:32 linux-next 38a288f5941e e60b1103 .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-linux-next-kasan-gce-root 2022/05/02 22:25 linux-next 9f9b9a2972eb 2df221f6 .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-linux-next-kasan-gce-root 2022/05/02 12:57 linux-next 9f9b9a2972eb 2df221f6 .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-linux-next-kasan-gce-root 2022/05/01 03:30 linux-next 5469f0c06732 2df221f6 .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-linux-next-kasan-gce-root 2022/04/27 10:18 linux-next f02ac5c95dfd 1fa34c1b .config log report info KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce 2021/01/14 09:52 upstream 65f0d2414b70 269d24e8 .config log report info
ci-upstream-kasan-gce 2019/04/30 13:29 upstream 83a50840e72a 20f16bef .config log report
ci-upstream-linux-next-kasan-gce-root 2022/01/13 00:15 linux-next 32ce2abb03cf 44d1319a .config log report info KFENCE: use-after-free in hci_cmd_timeout