KASAN: use-after-free Read in hci_cmd

KASAN: use-after-free Read in hci_cmd_timeout
Status: upstream: reported C repro on 2019/05/07 09:10
Reported-by: syzbot+19a9f729f05272857487@syzkaller.appspotmail.com
First crash: 873d, last: 1d05h

Cause bisection: introduced by (bisect log) :
commit ff92b9dd9268507e23fc10cc4341626cef50367c
Author: Suganath Prabu <suganath-prabu.subramani@broadcom.com>
Date: Thu Oct 25 14:03:40 2018 +0000

scsi: mpt3sas: Update MPI headers to support Aero controllers

Crash: KASAN: use-after-free Read in hci_cmd_timeout (log)
Repro: C syz .config

Fix bisection: failed (bisect log)

similar bugs (2):
Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
linux-4.19	KASAN: use-after-free Read in hci_cmd_timeout	syz		error	10	122d	750d	0/1	upstream: reported syz repro on 2019/09/01 02:37
linux-4.14	KASAN: use-after-free Read in hci_cmd_timeout	C		inconclusive	10	114d	744d	0/1	upstream: reported C repro on 2019/09/06 20:31

Patch testing requests:
Created	Duration	User	Patch	Repo	Result
2021/08/14 15:41	18m	phind.uet@gmail.com		linux-next	OK
2020/10/27 16:43	18m	anmol.karan123@gmail.com		upstream	OK

Sample crash report:

==================================================================
BUG: KASAN: use-after-free in hci_cmd_timeout+0x1f1/0x210 net/bluetooth/hci_core.c:2766
Read of size 8 at addr ffff888036d92850 by task kworker/0:2/8

CPU: 0 PID: 8 Comm: kworker/0:2 Tainted: G        W         5.13.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events hci_cmd_timeout

Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:96
 print_address_description.constprop.0.cold+0x6c/0x309 mm/kasan/report.c:233
 __kasan_report mm/kasan/report.c:419 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:436
 hci_cmd_timeout+0x1f1/0x210 net/bluetooth/hci_core.c:2766
 process_one_work+0x98d/0x1630 kernel/workqueue.c:2276
 worker_thread+0x658/0x11f0 kernel/workqueue.c:2422
 kthread+0x3e5/0x4d0 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Allocated by task 8494:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 __kasan_slab_alloc+0x84/0xa0 mm/kasan/common.c:467
 kasan_slab_alloc include/linux/kasan.h:253 [inline]
 slab_post_alloc_hook mm/slab.h:512 [inline]
 slab_alloc_node mm/slub.c:2970 [inline]
 slab_alloc mm/slub.c:2978 [inline]
 kmem_cache_alloc+0x29b/0x4a0 mm/slub.c:2983
 skb_clone+0x170/0x3c0 net/core/skbuff.c:1504
 hci_cmd_work+0x18c/0x390 net/bluetooth/hci_core.c:5156
 process_one_work+0x98d/0x1630 kernel/workqueue.c:2276
 worker_thread+0x658/0x11f0 kernel/workqueue.c:2422
 kthread+0x3e5/0x4d0 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Freed by task 8451:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:360
 ____kasan_slab_free mm/kasan/common.c:366 [inline]
 ____kasan_slab_free mm/kasan/common.c:328 [inline]
 __kasan_slab_free+0xfb/0x130 mm/kasan/common.c:374
 kasan_slab_free include/linux/kasan.h:229 [inline]
 slab_free_hook mm/slub.c:1639 [inline]
 slab_free_freelist_hook+0xdf/0x240 mm/slub.c:1664
 slab_free mm/slub.c:3224 [inline]
 kmem_cache_free+0x8e/0x5a0 mm/slub.c:3240
 kfree_skbmem+0xef/0x1b0 net/core/skbuff.c:688
 __kfree_skb net/core/skbuff.c:745 [inline]
 kfree_skb net/core/skbuff.c:762 [inline]
 kfree_skb+0x140/0x3f0 net/core/skbuff.c:756
 hci_dev_do_open+0xa50/0x1a00 net/bluetooth/hci_core.c:1628
 hci_power_on+0x133/0x650 net/bluetooth/hci_core.c:2256
 process_one_work+0x98d/0x1630 kernel/workqueue.c:2276
 worker_thread+0x658/0x11f0 kernel/workqueue.c:2422
 kthread+0x3e5/0x4d0 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

The buggy address belongs to the object at ffff888036d92780
 which belongs to the cache skbuff_head_cache of size 232
The buggy address is located 208 bytes inside of
 232-byte region [ffff888036d92780, ffff888036d92868)
The buggy address belongs to the page:
page:ffffea0000db6480 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x36d92
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 0000000000000000 dead000000000122 ffff8881441f7000
raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 4869, ts 901671643713, free_ts 901657618048
 prep_new_page mm/page_alloc.c:2445 [inline]
 get_page_from_freelist+0xa72/0x2f80 mm/page_alloc.c:4178
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5386
 alloc_pages+0x18c/0x2a0 mm/mempolicy.c:2272
 alloc_slab_page mm/slub.c:1702 [inline]
 allocate_slab+0x32b/0x4c0 mm/slub.c:1842
 new_slab mm/slub.c:1905 [inline]
 new_slab_objects mm/slub.c:2651 [inline]
 ___slab_alloc+0x4ba/0x820 mm/slub.c:2814
 __slab_alloc.constprop.0+0xa7/0xf0 mm/slub.c:2854
 slab_alloc_node mm/slub.c:2936 [inline]
 kmem_cache_alloc_node+0x12c/0x3e0 mm/slub.c:3006
 __alloc_skb+0x20b/0x340 net/core/skbuff.c:414
 alloc_skb include/linux/skbuff.h:1112 [inline]
 netlink_alloc_large_skb net/netlink/af_netlink.c:1186 [inline]
 netlink_sendmsg+0x954/0xda0 net/netlink/af_netlink.c:1904
 sock_sendmsg_nosec net/socket.c:702 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:722
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2385
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2439
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2468
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1355 [inline]
 free_pcp_prepare+0x2c5/0x780 mm/page_alloc.c:1406
 free_unref_page_prepare mm/page_alloc.c:3341 [inline]
 free_unref_page+0x19/0x690 mm/page_alloc.c:3420
 qlink_free mm/kasan/quarantine.c:146 [inline]
 qlist_free_all+0x5a/0xc0 mm/kasan/quarantine.c:165
 kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:272
 __kasan_slab_alloc+0x8e/0xa0 mm/kasan/common.c:444
 kasan_slab_alloc include/linux/kasan.h:253 [inline]
 slab_post_alloc_hook mm/slab.h:512 [inline]
 slab_alloc_node mm/slub.c:2970 [inline]
 slab_alloc mm/slub.c:2978 [inline]
 __kmalloc+0x1f4/0x330 mm/slub.c:4106
 kmalloc include/linux/slab.h:596 [inline]
 tomoyo_realpath_from_path+0xc3/0x620 security/tomoyo/realpath.c:254
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_path_number_perm+0x1d5/0x590 security/tomoyo/file.c:723
 security_path_chmod+0xe0/0x150 security/security.c:1205
 chmod_common+0x156/0x440 fs/open.c:580
 vfs_fchmod fs/open.c:601 [inline]
 __do_sys_fchmod fs/open.c:610 [inline]
 __se_sys_fchmod fs/open.c:604 [inline]
 __x64_sys_fchmod+0x10e/0x190 fs/open.c:604
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Memory state around the buggy address:
 ffff888036d92700: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
 ffff888036d92780: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888036d92800: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
                                                 ^
 ffff888036d92880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
 ffff888036d92900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (73):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Title
ci-upstream-kasan-gce-386	2021/07/11 15:14	upstream	3dbdb38e2869	8f5a7b8c	.config	log	report	syz	C		KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-selinux-root	2019/07/03 13:11	upstream	eca94432934f	55565fa0	.config	log	report	syz	C
ci-qemu-upstream	2020/06/16 19:24	upstream	435faf5c218a	4ea9d964	.config	log	report	syz
ci-upstream-kasan-gce	2021/09/10 02:34	upstream	a3fa7a101dcf	e2776ee4	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-selinux-root	2021/09/05 21:22	upstream	0319b848b155	d236a457	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-smack-root	2021/09/04 14:13	upstream	f1583cb1be35	d236a457	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce	2021/08/28 12:44	upstream	64b4fc45bea6	be2c130d	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce	2021/08/27 17:25	upstream	77dd11439b86	b318694d	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce	2021/08/26 20:15	upstream	1a6d80ff2419	b318694d	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-smack-root	2021/08/22 20:26	upstream	1bdc3d5be7e1	b599f2fc	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-root	2021/08/12 11:34	upstream	1746f4db5135	6972b106	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-root	2021/08/12 07:38	upstream	761c6d7ec820	6972b106	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce	2021/07/18 06:45	upstream	ccbb22b9ab86	f115ae98	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce	2021/07/14 15:15	upstream	40226a3d96ef	484502bd	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-smack-root	2021/06/15 11:50	upstream	009c9aa5be65	58636922	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-root	2021/06/14 19:26	upstream	009c9aa5be65	1ba81399	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-smack-root	2021/06/10 21:43	upstream	f09eacca59d2	1ba81399	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce	2021/06/08 06:10	upstream	614124bea77e	b718257f	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce	2021/06/07 12:17	upstream	614124bea77e	e59537be	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce	2021/06/05 04:34	upstream	9d32fa5d74b1	500c2339	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce	2021/06/03 21:11	upstream	324c92e5e0ee	0740de69	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce	2021/05/20 10:47	upstream	293837b9ac8d	a343ba6b	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce	2021/05/11 10:16	upstream	1140ab592e2e	ca873091	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce	2021/04/19 20:24	upstream	bf05bf16c76b	50f523d7	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce	2021/04/02 09:45	upstream	ffd9fb546d49	6a81331a	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce	2021/03/01 00:44	upstream	cd278456d4ca	4c37c133	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-qemu-upstream	2021/02/20 10:40	upstream	f40ddce88593	053a2b26	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce	2021/02/17 20:45	upstream	f40ddce88593	14052202	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-selinux-root	2021/02/14 21:13	upstream	358feceebbf6	98682e5e	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-smack-root	2021/02/10 07:42	upstream	e0756cfc7d7c	2bd9619f	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-selinux-root	2021/02/05 12:48	upstream	dd86e7fa07a3	23a562df	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce	2021/02/01 02:43	upstream	6642d600b541	fc9fd31e	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-386	2021/08/01 00:06	upstream	f3438b4c4e69	6c236867	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-386	2021/07/29 11:58	upstream	4010a528219e	b44001ce	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-qemu-upstream-386	2021/07/19 06:13	upstream	2734d6c1b1a0	f115ae98	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-386	2021/06/09 09:28	upstream	4c8684fe555e	5c2fe346	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce-386	2021/03/31 12:58	upstream	5e46d1b78a03	6a81331a	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-linux-next-kasan-gce-root	2021/09/19 02:30	linux-next	9004fd387338	70b76c1d	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-linux-next-kasan-gce-root	2021/09/13 07:13	linux-next	24a36d3171e4	5ae8508a	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-linux-next-kasan-gce-root	2021/09/13 05:08	linux-next	24a36d3171e4	5ae8508a	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-linux-next-kasan-gce-root	2021/08/01 12:26	linux-next	8d4b477da1a8	6c236867	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-linux-next-kasan-gce-root	2021/07/24 08:38	linux-next	90d856e71443	bc5f1d88	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-linux-next-kasan-gce-root	2021/07/24 04:15	linux-next	90d856e71443	bc5f1d88	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-linux-next-kasan-gce-root	2021/06/29 10:36	linux-next	a1f92694393a	9d2ab5df	.config	log	report			info	KASAN: use-after-free Read in hci_cmd_timeout
ci-upstream-kasan-gce	2021/04/09 10:19	upstream	4fa56ad0d12e	6a81331a	.config	log	report			info	KFENCE: use-after-free in hci_cmd_timeout
ci-upstream-kasan-gce	2021/01/14 09:52	upstream	65f0d2414b70	269d24e8	.config	log	report			info
ci-upstream-kasan-gce	2021/01/13 13:16	upstream	e609571b5ffa	a945f0a3	.config	log	report			info
ci-upstream-kasan-gce	2020/12/12 16:39	upstream	7f376f1917d7	bca53db9	.config	log	report			info
ci-upstream-kasan-gce	2020/12/03 01:56	upstream	3bb61aa61828	8c9190ef	.config	log	report			info
ci-upstream-kasan-gce	2020/11/24 11:42	upstream	d5beb3140f91	1ab681a4	.config	log	report			info
ci-upstream-kasan-gce	2020/11/08 20:11	upstream	9dbc1c03eeb5	64069d48	.config	log	report			info
ci-upstream-kasan-gce-smack-root	2020/09/29 10:03	upstream	fb0155a09b02	1b88c6d5	.config	log	report			info
ci-upstream-kasan-gce-selinux-root	2020/09/27 03:36	upstream	eeddbe6841cd	2d5ea0cb	.config	log	report			info
ci-upstream-kasan-gce	2020/09/23 01:30	upstream	eff48ddeab78	3e8f6c27	.config	log	report			info
ci-upstream-kasan-gce-root	2020/09/13 03:08	upstream	729e3d091984	ce441f06	.config	log	report
ci-upstream-kasan-gce	2020/09/05 04:38	upstream	59126901f200	abf9ba4f	.config	log	report
ci-upstream-kasan-gce-root	2020/09/04 04:42	upstream	e28f0104343d	abf9ba4f	.config	log	report
ci-upstream-kasan-gce	2020/08/29 14:00	upstream	4d41ead6ead9	d5a3ae1f	.config	log	report
ci-upstream-kasan-gce-root	2020/08/19 02:06	upstream	18445bf405cb	e1c29030	.config	log	report
ci-upstream-kasan-gce-smack-root	2020/02/22 05:21	upstream	b0dd1eb220c0	2ffa6679	.config	log	report
ci-upstream-kasan-gce-root	2020/02/17 08:31	upstream	11a48a5a18c6	1f448cd6	.config	log	report
ci-upstream-kasan-gce	2019/11/30 08:00	upstream	81b6b96475ac	3a75be00	.config	log	report
ci-upstream-kasan-gce-root	2019/09/11 10:30	upstream	3120b9a6a3f7	a60cb4cd	.config	log	report
ci-upstream-kasan-gce-selinux-root	2019/06/19 11:42	upstream	bed3c0d84e7e	34bf9440	.config	log	report
ci-upstream-kasan-gce	2019/04/30 13:29	upstream	83a50840e72a	20f16bef	.config	log	report
ci-upstream-kasan-gce-386	2020/12/24 04:16	upstream	58cf05f597b0	c2c1d1dd	.config	log	report			info
ci-upstream-kasan-gce-386	2020/12/19 10:22	upstream	3644e2d2dda7	04201c06	.config	log	report			info
ci-upstream-kasan-gce-386	2020/11/20 10:56	upstream	4d02da974ea8	0767f13f	.config	log	report			info
ci-upstream-kasan-gce-386	2020/10/03 05:16	upstream	d3d45f8220d6	2653fa43	.config	log	report			info
ci-upstream-kasan-gce-386	2019/09/13 20:17	upstream	a7f89616b737	32d59357	.config	log	report
ci-upstream-kasan-gce-386	2019/06/16 14:30	upstream	e01e060fe00d	442206d7	.config	log	report
ci-upstream-kasan-gce-386	2019/05/04 00:24	upstream	a4ccb5f9dc6c	d28f4ce5	.config	log	report
ci-upstream-linux-next-kasan-gce-root	2020/10/10 16:59	linux-next	d67bc7812221	4a77ae0b	.config	log	report			info