| Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|
| upstream | KASAN: use-after-free Read in l2cap_sock_kill bluetooth | 1 | 1250d | 1250d | 0/26 | auto-closed as invalid on 2021/02/19 19:34 |
syzbot |
sign-in | mailing list | source | docs |
| 🐞 Open [712] 🐞 Fixed [297] 🐞 Invalid [838] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes | 💬 Send us feedback |
| Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|
| upstream | KASAN: use-after-free Read in l2cap_sock_kill bluetooth | 1 | 1250d | 1250d | 0/26 | auto-closed as invalid on 2021/02/19 19:34 |
================================================================== BUG: KASAN: use-after-free in constant_test_bit arch/x86/include/asm/bitops.h:317 [inline] BUG: KASAN: use-after-free in sock_flag include/net/sock.h:839 [inline] BUG: KASAN: use-after-free in l2cap_sock_kill+0xdb/0x100 net/bluetooth/l2cap_sock.c:1046 Read of size 8 at addr ffff88808e241660 by task kworker/0:1/6481 CPU: 0 PID: 6481 Comm: kworker/0:1 Not tainted 4.19.147-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: events l2cap_chan_timeout Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x22c/0x33e lib/dump_stack.c:118 print_address_description.cold+0x56/0x25c mm/kasan/report.c:256 kasan_report_error.cold+0x66/0xb9 mm/kasan/report.c:354 kasan_report mm/kasan/report.c:412 [inline] __asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433 constant_test_bit arch/x86/include/asm/bitops.h:317 [inline] sock_flag include/net/sock.h:839 [inline] l2cap_sock_kill+0xdb/0x100 net/bluetooth/l2cap_sock.c:1046 l2cap_chan_timeout+0x1bb/0x210 net/bluetooth/l2cap_core.c:431 process_one_work+0x796/0x14e0 kernel/workqueue.c:2155 worker_thread+0x64c/0x1130 kernel/workqueue.c:2298 kthread+0x33f/0x460 kernel/kthread.c:259 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 Allocated by task 22133: __do_kmalloc mm/slab.c:3727 [inline] __kmalloc+0x15a/0x4f0 mm/slab.c:3736 kmalloc include/linux/slab.h:520 [inline] sk_prot_alloc+0x1e2/0x2d0 net/core/sock.c:1466 sk_alloc+0x36/0x1100 net/core/sock.c:1520 l2cap_sock_alloc.constprop.0+0x31/0x210 net/bluetooth/l2cap_sock.c:1590 l2cap_sock_create+0x110/0x1b0 net/bluetooth/l2cap_sock.c:1636 bt_sock_create+0x1d0/0x470 net/bluetooth/af_bluetooth.c:130 __sock_create+0x495/0x820 net/socket.c:1276 rfcomm_l2sock_create net/bluetooth/rfcomm/core.c:203 [inline] rfcomm_session_create net/bluetooth/rfcomm/core.c:738 [inline] __rfcomm_dlc_open net/bluetooth/rfcomm/core.c:388 [inline] rfcomm_dlc_open+0x6da/0xc50 net/bluetooth/rfcomm/core.c:431 rfcomm_sock_connect+0x317/0x420 net/bluetooth/rfcomm/sock.c:416 __sys_connect+0x265/0x2c0 net/socket.c:1663 __do_sys_connect net/socket.c:1674 [inline] __se_sys_connect net/socket.c:1671 [inline] __x64_sys_connect+0x6f/0xb0 net/socket.c:1671 do_syscall_64+0xf9/0x670 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 3608: __cache_free mm/slab.c:3503 [inline] kfree+0xcc/0x250 mm/slab.c:3822 sk_prot_free net/core/sock.c:1503 [inline] __sk_destruct+0x61d/0x830 net/core/sock.c:1584 sk_destruct net/core/sock.c:1599 [inline] __sk_free+0x165/0x3b0 net/core/sock.c:1610 sk_free+0x3b/0x50 net/core/sock.c:1621 sock_put include/net/sock.h:1711 [inline] l2cap_sock_kill+0xd4/0x100 net/bluetooth/l2cap_sock.c:1055 l2cap_sock_release+0xd9/0x100 net/bluetooth/l2cap_sock.c:1204 __sock_release net/socket.c:579 [inline] sock_release+0x87/0x1d0 net/socket.c:599 rfcomm_session_del+0x15a/0x1f0 net/bluetooth/rfcomm/core.c:684 rfcomm_session_close net/bluetooth/rfcomm/core.c:723 [inline] rfcomm_process_rx net/bluetooth/rfcomm/core.c:1916 [inline] rfcomm_process_sessions net/bluetooth/rfcomm/core.c:2000 [inline] rfcomm_run+0x13c4/0x45d1 net/bluetooth/rfcomm/core.c:2087 kthread+0x33f/0x460 kernel/kthread.c:259 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 The buggy address belongs to the object at ffff88808e241600 which belongs to the cache kmalloc-2048 of size 2048 The buggy address is located 96 bytes inside of 2048-byte region [ffff88808e241600, ffff88808e241e00) The buggy address belongs to the page: page:ffffea0002389000 count:1 mapcount:0 mapping:ffff88812c3f6c40 index:0x0 compound_mapcount: 0 flags: 0xfffe0000008100(slab|head) raw: 00fffe0000008100 ffffea00023ead88 ffffea0002387f08 ffff88812c3f6c40 raw: 0000000000000000 ffff88808e240500 0000000100000003 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88808e241500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88808e241580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88808e241600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88808e241680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88808e241700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2020/09/24 06:04 | linux-4.19.y | d09b80172c22 | 54289b08 | .config | console log | report | syz | C | ci2-linux-4-19 | |||
| 2020/10/01 09:54 | linux-4.19.y | 10ad6cfd5736 | 4103fce0 | .config | console log | report | info | ci2-linux-4-19 | ||||
| 2020/09/30 23:27 | linux-4.19.y | 10ad6cfd5736 | a9767fb2 | .config | console log | report | info | ci2-linux-4-19 | ||||
| 2020/09/30 15:58 | linux-4.19.y | 10ad6cfd5736 | 8516f6d3 | .config | console log | report | info | ci2-linux-4-19 | ||||
| 2020/09/30 11:21 | linux-4.19.y | 10ad6cfd5736 | 8516f6d3 | .config | console log | report | info | ci2-linux-4-19 | ||||
| 2020/09/30 06:55 | linux-4.19.y | 10ad6cfd5736 | 8516f6d3 | .config | console log | report | info | ci2-linux-4-19 | ||||
| 2020/09/30 05:02 | linux-4.19.y | 10ad6cfd5736 | 5abc3f1a | .config | console log | report | info | ci2-linux-4-19 | ||||
| 2020/09/30 03:45 | linux-4.19.y | 10ad6cfd5736 | 5abc3f1a | .config | console log | report | info | ci2-linux-4-19 | ||||
| 2020/09/30 01:13 | linux-4.19.y | 10ad6cfd5736 | 5abc3f1a | .config | console log | report | info | ci2-linux-4-19 | ||||
| 2020/09/29 15:37 | linux-4.19.y | 10ad6cfd5736 | 5abc3f1a | .config | console log | report | info | ci2-linux-4-19 | ||||
| 2020/09/29 00:39 | linux-4.19.y | 10ad6cfd5736 | 1b88c6d5 | .config | console log | report | info | ci2-linux-4-19 | ||||
| 2020/09/28 22:50 | linux-4.19.y | 10ad6cfd5736 | 6bfdbe89 | .config | console log | report | info | ci2-linux-4-19 | ||||
| 2020/09/28 14:46 | linux-4.19.y | 10ad6cfd5736 | 6bfdbe89 | .config | console log | report | info | ci2-linux-4-19 | ||||
| 2020/09/28 13:54 | linux-4.19.y | 10ad6cfd5736 | 6bfdbe89 | .config | console log | report | info | ci2-linux-4-19 | ||||
| 2020/09/28 09:53 | linux-4.19.y | 10ad6cfd5736 | 6bfdbe89 | .config | console log | report | info | ci2-linux-4-19 | ||||
| 2020/09/28 09:45 | linux-4.19.y | 10ad6cfd5736 | 6bfdbe89 | .config | console log | report | info | ci2-linux-4-19 | ||||
| 2020/09/28 01:10 | linux-4.19.y | 10ad6cfd5736 | 5dd8aee8 | .config | console log | report | info | ci2-linux-4-19 | ||||
| 2020/09/28 01:10 | linux-4.19.y | 10ad6cfd5736 | 5dd8aee8 | .config | console log | report | info | ci2-linux-4-19 | ||||
| 2020/09/27 07:02 | linux-4.19.y | 10ad6cfd5736 | 5dd8aee8 | .config | console log | report | info | ci2-linux-4-19 | ||||
| 2020/09/27 05:21 | linux-4.19.y | 10ad6cfd5736 | 5dd8aee8 | .config | console log | report | info | ci2-linux-4-19 | ||||
| 2020/09/27 05:11 | linux-4.19.y | 10ad6cfd5736 | 5dd8aee8 | .config | console log | report | info | ci2-linux-4-19 | ||||
| 2020/09/27 01:11 | linux-4.19.y | 10ad6cfd5736 | 5dd8aee8 | .config | console log | report | info | ci2-linux-4-19 | ||||
| 2020/09/27 01:04 | linux-4.19.y | 10ad6cfd5736 | 5dd8aee8 | .config | console log | report | info | ci2-linux-4-19 | ||||
| 2020/09/26 15:06 | linux-4.19.y | d09b80172c22 | 2d5ea0cb | .config | console log | report | info | ci2-linux-4-19 | ||||
| 2020/09/26 12:48 | linux-4.19.y | d09b80172c22 | 2d5ea0cb | .config | console log | report | info | ci2-linux-4-19 | ||||
| 2020/09/26 12:44 | linux-4.19.y | d09b80172c22 | 2d5ea0cb | .config | console log | report | info | ci2-linux-4-19 | ||||
| 2020/09/26 12:09 | linux-4.19.y | d09b80172c22 | 2d5ea0cb | .config | console log | report | info | ci2-linux-4-19 | ||||
| 2020/09/26 11:22 | linux-4.19.y | d09b80172c22 | 2d5ea0cb | .config | console log | report | info | ci2-linux-4-19 | ||||
| 2020/09/25 21:57 | linux-4.19.y | d09b80172c22 | 4a006f63 | .config | console log | report | info | ci2-linux-4-19 | ||||
| 2020/09/25 13:52 | linux-4.19.y | d09b80172c22 | 4a006f63 | .config | console log | report | info | ci2-linux-4-19 | ||||
| 2020/09/25 13:28 | linux-4.19.y | d09b80172c22 | 4a006f63 | .config | console log | report | info | ci2-linux-4-19 | ||||
| 2020/09/24 14:01 | linux-4.19.y | d09b80172c22 | 54289b08 | .config | console log | report | info | ci2-linux-4-19 | ||||
| 2020/09/24 04:51 | linux-4.19.y | d09b80172c22 | 54289b08 | .config | console log | report | info | ci2-linux-4-19 | ||||
| 2020/09/24 04:48 | linux-4.19.y | d09b80172c22 | 54289b08 | .config | console log | report | info | ci2-linux-4-19 | ||||
| 2020/09/24 04:46 | linux-4.19.y | d09b80172c22 | 54289b08 | .config | console log | report | info | ci2-linux-4-19 | ||||
| 2020/09/23 20:54 | linux-4.19.y | d09b80172c22 | 54289b08 | .config | console log | report | info | ci2-linux-4-19 | ||||
| 2020/09/23 20:09 | linux-4.19.y | d09b80172c22 | 54289b08 | .config | console log | report | info | ci2-linux-4-19 | ||||
| 2020/09/23 19:54 | linux-4.19.y | d09b80172c22 | 54289b08 | .config | console log | report | info | ci2-linux-4-19 | ||||
| 2020/09/23 19:36 | linux-4.19.y | d09b80172c22 | 54289b08 | .config | console log | report | info | ci2-linux-4-19 | ||||
| 2020/09/23 12:11 | linux-4.19.y | d09b80172c22 | 287cd75a | .config | console log | report | info | ci2-linux-4-19 | ||||
| 2020/09/23 08:13 | linux-4.19.y | 015e94d0e37b | 287cd75a | .config | console log | report | info | ci2-linux-4-19 | ||||
| 2020/09/23 08:06 | linux-4.19.y | 015e94d0e37b | 287cd75a | .config | console log | report | info | ci2-linux-4-19 | ||||
| 2020/09/22 20:22 | linux-4.19.y | 015e94d0e37b | 3e8f6c27 | .config | console log | report | info | ci2-linux-4-19 | ||||
| 2020/09/22 09:40 | linux-4.19.y | 015e94d0e37b | 3e8f6c27 | .config | console log | report | info | ci2-linux-4-19 | ||||
| 2020/09/21 21:31 | linux-4.19.y | 015e94d0e37b | 9e1fa68e | .config | console log | report | info | ci2-linux-4-19 | ||||
| 2020/09/21 20:58 | linux-4.19.y | 015e94d0e37b | 9e1fa68e | .config | console log | report | info | ci2-linux-4-19 | ||||
| 2020/09/21 20:44 | linux-4.19.y | 015e94d0e37b | 9e1fa68e | .config | console log | report | info | ci2-linux-4-19 | ||||
| 2020/09/21 20:11 | linux-4.19.y | 015e94d0e37b | 9e1fa68e | .config | console log | report | info | ci2-linux-4-19 | ||||
| 2020/09/21 16:10 | linux-4.19.y | 015e94d0e37b | c81d99c8 | .config | console log | report | info | ci2-linux-4-19 | ||||
| 2020/09/21 13:41 | linux-4.19.y | 015e94d0e37b | c81d99c8 | .config | console log | report | info | ci2-linux-4-19 | ||||
| 2020/09/21 02:18 | linux-4.19.y | 015e94d0e37b | 9564d2e9 | .config | console log | report | info | ci2-linux-4-19 | ||||
| 2020/09/18 18:42 | linux-4.19.y | 015e94d0e37b | 38962c8b | .config | console log | report | info | ci2-linux-4-19 |