KASAN: use-after-free Read in hci_cmd

KASAN: use-after-free Read in hci_cmd_timeout
Status: upstream: reported C repro on 2019/05/07 09:10
Reported-by: syzbot+19a9f729f05272857487@syzkaller.appspotmail.com
First crash: 998d, last: 1d21h

Cause bisection: introduced by (bisect log) :
commit ff92b9dd9268507e23fc10cc4341626cef50367c
Author: Suganath Prabu <suganath-prabu.subramani@broadcom.com>
Date: Thu Oct 25 14:03:40 2018 +0000

scsi: mpt3sas: Update MPI headers to support Aero controllers

Crash: KASAN: use-after-free Read in hci_cmd_timeout (log)
Repro: C syz .config

Fix bisection: failed (bisect log)

similar bugs (2):
Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
linux-4.19	KASAN: use-after-free Read in hci_cmd_timeout	syz		error	11	123d	875d	0/1	upstream: reported syz repro on 2019/09/01 02:37
linux-4.14	KASAN: use-after-free Read in hci_cmd_timeout	C		inconclusive	11	5d23h	869d	0/1	upstream: reported C repro on 2019/09/06 20:31

Patch testing requests:
Created	Duration	User	Patch	Repo	Result
2021/08/14 15:41	18m	phind.uet@gmail.com		linux-next	OK
2020/10/27 16:43	18m	anmol.karan123@gmail.com		upstream	OK

Sample crash report:

Bluetooth: hci6: command tx timeout
==================================================================
BUG: KASAN: use-after-free in hci_cmd_timeout+0x203/0x210 net/bluetooth/hci_core.c:2654
Read of size 2 at addr ffff88806cf57c08 by task kworker/1:3/3749

CPU: 1 PID: 3749 Comm: kworker/1:3 Not tainted 5.16.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events hci_cmd_timeout
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247
 __kasan_report mm/kasan/report.c:433 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:450
 hci_cmd_timeout+0x203/0x210 net/bluetooth/hci_core.c:2654
 process_one_work+0x9b2/0x1660 kernel/workqueue.c:2298
 worker_thread+0x65d/0x1130 kernel/workqueue.c:2445
 kthread+0x405/0x4f0 kernel/kthread.c:327
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
 </TASK>

Allocated by task 3720:
 kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 ____kasan_kmalloc mm/kasan/common.c:513 [inline]
 ____kasan_kmalloc mm/kasan/common.c:472 [inline]
 __kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:522
 kmalloc include/linux/slab.h:590 [inline]
 kzalloc include/linux/slab.h:724 [inline]
 kernfs_fop_open+0x2b9/0xd30 fs/kernfs/file.c:628
 do_dentry_open+0x4b9/0x1240 fs/open.c:822
 do_open fs/namei.c:3426 [inline]
 path_openat+0x1cad/0x2750 fs/namei.c:3559
 do_filp_open+0x1aa/0x400 fs/namei.c:3586
 do_sys_openat2+0x16d/0x4d0 fs/open.c:1212
 do_sys_open fs/open.c:1228 [inline]
 __do_sys_openat fs/open.c:1244 [inline]
 __se_sys_openat fs/open.c:1239 [inline]
 __x64_sys_openat+0x13f/0x1f0 fs/open.c:1239
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 3703:
 kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38
 kasan_set_track+0x21/0x30 mm/kasan/common.c:46
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
 ____kasan_slab_free mm/kasan/common.c:366 [inline]
 ____kasan_slab_free mm/kasan/common.c:328 [inline]
 __kasan_slab_free+0xff/0x130 mm/kasan/common.c:374
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:1723 [inline]
 slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1749
 slab_free mm/slub.c:3513 [inline]
 kfree+0xf6/0x560 mm/slub.c:4561
 skb_free_head net/core/skbuff.c:655 [inline]
 skb_release_data+0x65a/0x790 net/core/skbuff.c:677
 skb_release_all net/core/skbuff.c:742 [inline]
 __kfree_skb net/core/skbuff.c:756 [inline]
 kfree_skb net/core/skbuff.c:774 [inline]
 kfree_skb+0x133/0x3f0 net/core/skbuff.c:768
 hci_dev_do_open+0xa50/0x1870 net/bluetooth/hci_core.c:1513
 hci_power_on+0x133/0x650 net/bluetooth/hci_core.c:2143
 process_one_work+0x9b2/0x1660 kernel/workqueue.c:2298
 worker_thread+0x65d/0x1130 kernel/workqueue.c:2445
 kthread+0x405/0x4f0 kernel/kthread.c:327
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

The buggy address belongs to the object at ffff88806cf57c00
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 8 bytes inside of
 512-byte region [ffff88806cf57c00, ffff88806cf57e00)
The buggy address belongs to the page:
page:ffffea0001b3d500 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x6cf54
head:ffffea0001b3d500 order:2 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 ffffea0001e89200 dead000000000002 ffff888010c41c80
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd28c0(GFP_NOWAIT|__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 3697, ts 1610686922392, free_ts 12316497295
 prep_new_page mm/page_alloc.c:2418 [inline]
 get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4149
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5369
 alloc_pages+0x1a7/0x300 mm/mempolicy.c:2190
 alloc_slab_page mm/slub.c:1793 [inline]
 allocate_slab mm/slub.c:1930 [inline]
 new_slab+0x32d/0x4a0 mm/slub.c:1993
 ___slab_alloc+0x918/0xfe0 mm/slub.c:3022
 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3109
 slab_alloc_node mm/slub.c:3200 [inline]
 __kmalloc_node_track_caller+0x2cb/0x360 mm/slub.c:4956
 kmalloc_reserve net/core/skbuff.c:354 [inline]
 pskb_expand_head+0x15e/0x1060 net/core/skbuff.c:1701
 netlink_trim+0x1ea/0x240 net/netlink/af_netlink.c:1301
 netlink_broadcast+0x5b/0xd50 net/netlink/af_netlink.c:1497
 nlmsg_multicast include/net/netlink.h:1033 [inline]
 nlmsg_notify+0x8f/0x280 net/netlink/af_netlink.c:2539
 rtmsg_fib+0x2e3/0x450 net/ipv4/fib_semantics.c:530
 fib_table_insert+0x714/0x1af0 net/ipv4/fib_trie.c:1389
 fib_magic+0x455/0x540 net/ipv4/fib_frontend.c:1087
 fib_add_ifaddr+0x476/0x500 net/ipv4/fib_frontend.c:1129
 fib_netdev_event+0x46f/0x680 net/ipv4/fib_frontend.c:1466
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1338 [inline]
 free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1389
 free_unref_page_prepare mm/page_alloc.c:3309 [inline]
 free_unref_page+0x19/0x690 mm/page_alloc.c:3388
 free_contig_range+0xa8/0xf0 mm/page_alloc.c:9271
 destroy_args+0xa8/0x646 mm/debug_vm_pgtable.c:1016
 debug_vm_pgtable+0x2961/0x29f3 mm/debug_vm_pgtable.c:1330
 do_one_initcall+0x103/0x650 init/main.c:1297
 do_initcall_level init/main.c:1370 [inline]
 do_initcalls init/main.c:1386 [inline]
 do_basic_setup init/main.c:1405 [inline]
 kernel_init_freeable+0x6b1/0x73a init/main.c:1610
 kernel_init+0x1a/0x1d0 init/main.c:1499
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Memory state around the buggy address:
 ffff88806cf57b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88806cf57b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88806cf57c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff88806cf57c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88806cf57d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (168):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Title
ci-upstream-kasan-gce-root	2021/12/30 00:56	upstream	e7c124bd0463	6cc879d4	.config	log	report	syz	C		KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-386	2021/07/11 15:14	upstream	3dbdb38e2869	8f5a7b8c	.config	log	report	syz	C		KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-selinux-root	2019/07/03 13:11	upstream	eca94432934f	55565fa0	.config	log	report	syz	C
ci-upstream-linux-next-kasan-gce-root	2021/12/13 07:21	linux-next	ea922272cbe5	49ca1f59	.config	log	report	syz			KASAN: use-after-free Read in hci_cmd_timeout
ci-qemu-upstream	2020/06/16 19:24	upstream	435faf5c218a	4ea9d964	.config	log	report	syz
ci-qemu-upstream	2022/01/19 21:34	upstream	1d1df41c5a33	5da9499f	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-root	2022/01/18 23:27	upstream	99613159ad74	731a2d23	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-qemu-upstream	2022/01/18 20:49	upstream	99613159ad74	731a2d23	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-root	2022/01/17 07:48	upstream	79e06c4c4950	723cfaf0	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-qemu-upstream	2022/01/16 10:38	upstream	d0a231f01e5b	723cfaf0	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-root	2022/01/16 04:46	upstream	a33f5c380c4b	723cfaf0	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-root	2022/01/15 23:22	upstream	a33f5c380c4b	723cfaf0	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-root	2022/01/15 19:55	upstream	a33f5c380c4b	723cfaf0	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-selinux-root	2022/01/15 14:25	upstream	112450df61b7	723cfaf0	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-root	2022/01/12 15:17	upstream	daadb3bd0e8d	44d1319a	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-selinux-root	2022/01/12 07:03	upstream	6f38be8f2ccd	44d1319a	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-root	2022/01/11 16:13	upstream	fe8152b38d3a	1884f55a	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-qemu-upstream	2021/12/29 11:03	upstream	e7c124bd0463	76c8cf06	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-qemu-upstream	2021/12/15 22:22	upstream	2b14864acbaa	572bcb40	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-root	2021/12/15 09:22	upstream	5472f14a3742	f752fb53	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-root	2021/12/13 22:26	upstream	2585cf9dfaad	49ca1f59	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-selinux-root	2021/12/07 13:47	upstream	f80ef9e49fdf	0230ba3e	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-qemu-upstream	2021/12/05 06:30	upstream	bbef3c7a63d2	a617004c	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-root	2021/11/30 05:32	upstream	d58071a8a76d	d0830353	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-root	2021/11/30 04:09	upstream	d58071a8a76d	d0830353	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-smack-root	2021/11/27 21:51	upstream	741392771338	63eeac02	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-root	2021/11/26 19:57	upstream	a4849f6000e2	63eeac02	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-qemu-upstream	2021/11/26 16:20	upstream	a4849f6000e2	63eeac02	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-qemu-upstream	2021/11/25 07:37	upstream	5f53fa508db0	545ab074	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-qemu-upstream	2021/11/19 19:51	upstream	4c388a8e740d	3a9d0024	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-root	2021/11/18 15:35	upstream	42eb8fdac2fc	31a30fc0	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce	2021/10/24 08:09	upstream	9c0c4d24ac00	282f03fb	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-qemu-upstream-386	2022/01/21 15:13	upstream	1f40caa08047	214351e1	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-qemu-upstream-386	2021/12/11 17:57	upstream	6f513529296f	49ca1f59	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-qemu-upstream-386	2021/12/03 07:53	upstream	a51e3ac43ddb	61f86278	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-qemu-upstream-386	2021/12/02 08:03	upstream	58e1100fdc59	61f86278	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-qemu-upstream-386	2021/11/29 03:29	upstream	d06c942efea4	63eeac02	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-qemu-upstream-386	2021/11/22 20:00	upstream	136057256686	545ab074	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-386	2021/10/11 11:57	upstream	64570fbc14f8	838e7e2c	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-linux-next-kasan-gce-root	2022/01/20 14:16	linux-next	7fc5253f5a13	5da9499f	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-linux-next-kasan-gce-root	2022/01/14 07:12	linux-next	27c9d5b3c24a	b8d780ab	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-linux-next-kasan-gce-root	2022/01/12 02:20	linux-next	a70bf4a85b43	44d1319a	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-linux-next-kasan-gce-root	2022/01/12 00:24	linux-next	a70bf4a85b43	44d1319a	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-linux-next-kasan-gce-root	2022/01/09 17:43	linux-next	b8170452cd51	2ca0d385	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-linux-next-kasan-gce-root	2022/01/09 09:22	linux-next	b8170452cd51	2ca0d385	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-linux-next-kasan-gce-root	2021/12/23 20:25	linux-next	79f063d60c8c	6caa12e4	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-linux-next-kasan-gce-root	2021/12/21 06:04	linux-next	07f8c60fe60f	62bd192b	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-linux-next-kasan-gce-root	2021/12/14 04:05	linux-next	ea922272cbe5	5d14b1ea	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-linux-next-kasan-gce-root	2021/12/14 02:40	linux-next	ea922272cbe5	5d14b1ea	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-linux-next-kasan-gce-root	2021/12/04 11:53	linux-next	f81e94e91878	a617004c	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-linux-next-kasan-gce-root	2021/12/03 18:03	linux-next	f81e94e91878	c7c20675	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-linux-next-kasan-gce-root	2021/11/30 13:07	linux-next	f81e94e91878	80270552	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-linux-next-kasan-gce-root	2021/11/28 10:55	linux-next	f81e94e91878	63eeac02	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-linux-next-kasan-gce-root	2021/11/27 17:03	linux-next	f81e94e91878	63eeac02	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-linux-next-kasan-gce-root	2021/11/26 07:58	linux-next	f81e94e91878	63eeac02	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-linux-next-kasan-gce-root	2021/11/26 05:30	linux-next	f81e94e91878	63eeac02	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-linux-next-kasan-gce-root	2021/11/24 17:23	linux-next	4b74e088fef6	545ab074	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-linux-next-kasan-gce-root	2021/11/19 09:59	linux-next	5191249f8803	31a30fc0	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-linux-next-kasan-gce-root	2021/11/19 00:13	linux-next	5191249f8803	31a30fc0	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce	2021/01/14 09:52	upstream	65f0d2414b70	269d24e8	.config	log	report			info
ci-upstream-kasan-gce	2019/04/30 13:29	upstream	83a50840e72a	20f16bef	.config	log	report
ci-upstream-linux-next-kasan-gce-root	2022/01/13 00:15	linux-next	32ce2abb03cf	44d1319a	.config	log	report			info	KFENCE: use-after-free in hci_cmd_timeout