syzbot


KASAN: slab-out-of-bounds Read in hci_event_packet

Status: auto-obsoleted due to no activity on 2022/09/25 01:13
Reported-by: syzbot+cec7a50c412a2c03f8f5@syzkaller.appspotmail.com
First crash: 1897d, last: 1263d
Cause bisection: introduced by (bisect log) :
commit c470abd4fde40ea6a0846a2beab642a578c0b8cd
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date: Sun Feb 19 22:34:00 2017 +0000

  Linux 4.10

  
Fix bisection: failed (error log, bisect log)
  
Discussions (8)
Title Replies (including bot) Last reply
Reminder: 29 open syzbot bugs in bluetooth subsystem 1 (1) 2019/07/24 01:41
Reminder: 29 open syzbot bugs in bluetooth subsystem 1 (1) 2019/07/09 19:07
Reminder: 27 open syzbot bugs in bluetooth subsystem 1 (1) 2019/06/24 05:14
[Patch net v2 0/3] bluetooth: validate packet boundary carefully 9 (9) 2019/04/24 01:36
[PATCH] net/bluetooth: Fix bound check in event handling 9 (9) 2019/03/30 22:37
[Patch net v2 0/3] bluetooth: validate packet boundary carefully 4 (4) 2019/03/21 06:12
[Patch net] bluetooth: validate HCI_EVENT_PKT packet carefully 2 (2) 2019/03/19 01:32
KASAN: slab-out-of-bounds Read in hci_event_packet 0 (2) 2019/03/17 10:43
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.14 KASAN: slab-out-of-bounds Read in hci_event_packet C done 17 1309d 1783d 1/1 fixed on 2020/09/17 01:43
linux-4.19 KASAN: slab-out-of-bounds Read in hci_event_packet C done 15 1315d 1525d 1/1 fixed on 2020/09/11 09:49
Last patch testing requests (12)
Created Duration User Patch Repo Result
2022/09/24 23:30 19m retest repro linux-next OK log
2022/09/24 20:30 18m retest repro linux-next OK log
2022/09/23 23:30 19m retest repro upstream OK log
2022/09/23 20:30 18m retest repro upstream OK log
2022/09/21 05:29 19m retest repro upstream OK log
2022/09/20 13:29 20m retest repro upstream OK log
2022/09/20 10:29 19m retest repro upstream OK log
2022/09/20 06:29 19m retest repro upstream OK log
2022/09/20 03:29 17m retest repro upstream OK log
2022/09/20 00:29 17m retest repro upstream OK log
2019/03/21 05:37 19m xiyou.wangcong@gmail.com https://github.com/congwang/linux.git bluetooth OK
2019/03/18 20:02 19m xiyou.wangcong@gmail.com https://github.com/congwang/linux.git bluetooth OK
Fix bisection attempts (4)
Created Duration User Patch Repo Result
2020/05/11 20:02 0m bisect fix upstream error job log (0)
2020/02/08 04:28 21m bisect fix upstream job log (0) log
2020/01/08 17:36 21m bisect fix upstream job log (0) log
2019/12/08 16:11 19m bisect fix upstream job log (0) log

Sample crash report:
==================================================================
BUG: KASAN: slab-out-of-bounds in hci_le_direct_adv_report_evt net/bluetooth/hci_event.c:5875 [inline]
BUG: KASAN: slab-out-of-bounds in hci_le_meta_evt net/bluetooth/hci_event.c:5939 [inline]
BUG: KASAN: slab-out-of-bounds in hci_event_packet+0x763b/0x17e10 net/bluetooth/hci_event.c:6192
Read of size 1 at addr ffff88809f4a0a05 by task kworker/u5:1/6821

CPU: 1 PID: 6821 Comm: kworker/u5:1 Not tainted 5.9.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: hci0 hci_rx_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1f0/0x31e lib/dump_stack.c:118
 print_address_description+0x66/0x620 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report+0x132/0x1d0 mm/kasan/report.c:530
 hci_le_direct_adv_report_evt net/bluetooth/hci_event.c:5875 [inline]
 hci_le_meta_evt net/bluetooth/hci_event.c:5939 [inline]
 hci_event_packet+0x763b/0x17e10 net/bluetooth/hci_event.c:6192
 hci_rx_work+0x246/0xa20 net/bluetooth/hci_core.c:4889
 process_one_work+0x789/0xfc0 kernel/workqueue.c:2269
 worker_thread+0xaa4/0x1460 kernel/workqueue.c:2415
 kthread+0x37e/0x3a0 drivers/block/aoe/aoecmd.c:1234
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

Allocated by task 6817:
 kasan_save_stack mm/kasan/common.c:48 [inline]
 kasan_set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc+0x100/0x130 mm/kasan/common.c:461
 __kmalloc_reserve net/core/skbuff.c:142 [inline]
 __alloc_skb+0xde/0x4f0 net/core/skbuff.c:210
 alloc_skb include/linux/skbuff.h:1085 [inline]
 bt_skb_alloc include/net/bluetooth/bluetooth.h:389 [inline]
 vhci_get_user drivers/bluetooth/hci_vhci.c:165 [inline]
 vhci_write+0xb7/0x400 drivers/bluetooth/hci_vhci.c:285
 call_write_iter include/linux/fs.h:1882 [inline]
 new_sync_write fs/read_write.c:503 [inline]
 vfs_write+0xa96/0xd10 fs/read_write.c:578
 ksys_write+0x11b/0x220 fs/read_write.c:631
 do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at ffff88809f4a0800
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 5 bytes to the right of
 512-byte region [ffff88809f4a0800, ffff88809f4a0a00)
The buggy address belongs to the page:
page:00000000f35f91a2 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9f4a0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea000287ebc8 ffffea0002a4d048 ffff8880aa440600
raw: 0000000000000000 ffff88809f4a0000 0000000100000004 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809f4a0900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88809f4a0980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88809f4a0a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
 ffff88809f4a0a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88809f4a0b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Crashes (67):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/08/27 05:21 upstream 15bc20c6af4c 318430cb .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/08/03 05:34 upstream 5a30a78924ec 196277c4 .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/08/03 05:14 upstream 5a30a78924ec 196277c4 .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/08/02 15:56 upstream ac3a0c847296 63a73341 .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/07/31 14:33 upstream 83bdc7275e62 8df85ed9 .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/07/31 10:05 upstream 83bdc7275e62 8df85ed9 .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/07/09 19:45 upstream 0bddd227f3dc bc238812 .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/07/04 06:17 upstream 7cc2a8ea1048 51095195 .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/05/16 15:29 upstream 12bf0b632ed0 37bccd4e .config console log report syz C ci-qemu-upstream
2020/04/02 17:46 upstream 919dce24701f a34e2c33 .config console log report syz C ci-upstream-kasan-gce-root
2020/03/18 23:34 upstream 5076190daded 0a96a13c .config console log report syz C ci-upstream-kasan-gce
2019/01/07 10:16 upstream 574823bfab82 ee332608 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2019/01/07 09:42 upstream 574823bfab82 ee332608 .config console log report syz C ci-upstream-kasan-gce
2019/01/07 09:41 upstream 574823bfab82 ee332608 .config console log report syz C ci-upstream-kasan-gce-root
2019/01/07 09:41 upstream 574823bfab82 ee332608 .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/06/13 23:31 upstream 435faf5c218a dbce178a .config console log report syz C ci-qemu-upstream-386
2020/03/19 01:05 upstream 5076190daded 0a96a13c .config console log report syz C ci-upstream-kasan-gce-386
2019/01/07 09:42 upstream 574823bfab82 ee332608 .config console log report syz C ci-upstream-kasan-gce-386
2020/04/11 19:35 linux-next 11ecafc691e1 a8c6a3f8 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2019/01/07 09:40 linux-next a85b6b4f6416 ee332608 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2020/10/02 09:09 upstream fcadab740480 9602ddf4 .config console log report info ci-upstream-kasan-gce-smack-root
2020/08/08 04:48 upstream 5631c5e0eb90 ff51e522 .config console log report ci-upstream-kasan-gce-smack-root
2020/08/07 16:18 upstream d6efb3ac3e6c cb436c69 .config console log report ci-upstream-kasan-gce-smack-root
2020/08/07 15:05 upstream d6efb3ac3e6c cb436c69 .config console log report ci-upstream-kasan-gce-smack-root
2020/08/06 17:56 upstream 47ec5303d73e 1f122f88 .config console log report ci-upstream-kasan-gce-smack-root
2020/08/05 05:35 upstream c0842fbc1b18 80a06902 .config console log report ci-upstream-kasan-gce-smack-root
2020/08/04 18:54 upstream c0842fbc1b18 80a06902 .config console log report ci-upstream-kasan-gce-selinux-root
2020/08/02 12:17 upstream ac3a0c847296 63a73341 .config console log report ci-upstream-kasan-gce-smack-root
2020/08/02 11:17 upstream ac3a0c847296 63a73341 .config console log report ci-upstream-kasan-gce-smack-root
2020/08/02 09:58 upstream ac3a0c847296 63a73341 .config console log report ci-upstream-kasan-gce-smack-root
2020/08/01 12:31 upstream 7dc6fd0f3b84 d895b3be .config console log report ci-upstream-kasan-gce-smack-root
2020/07/31 21:54 upstream d8b9faec54ae d895b3be .config console log report ci-upstream-kasan-gce-smack-root
2020/07/31 11:40 upstream 83bdc7275e62 8df85ed9 .config console log report ci-upstream-kasan-gce-root
2020/07/31 02:37 upstream 83bdc7275e62 8df85ed9 .config console log report ci-upstream-kasan-gce-selinux-root
2020/07/30 23:42 upstream 83bdc7275e62 8df85ed9 .config console log report ci-upstream-kasan-gce-smack-root
2020/07/17 12:27 upstream f8456690ba8e 54b3c45e .config console log report ci-upstream-kasan-gce-smack-root
2020/07/09 19:35 upstream 0bddd227f3dc bc238812 .config console log report ci-upstream-kasan-gce-selinux-root
2020/06/21 21:28 upstream 7ae77150d94d 4f2acff9 .config console log report ci-upstream-kasan-gce
2020/06/17 23:24 upstream 7ae77150d94d b9f3810b .config console log report ci-upstream-kasan-gce-root
2020/06/10 18:54 upstream 7ae77150d94d a6f7998d .config console log report ci-upstream-kasan-gce-smack-root
2020/06/10 18:45 upstream 7ae77150d94d a6f7998d .config console log report ci-upstream-kasan-gce-root
2020/06/10 18:23 upstream 7ae77150d94d a6f7998d .config console log report ci-upstream-kasan-gce-root
2020/06/10 18:05 upstream 7ae77150d94d a6f7998d .config console log report ci-upstream-kasan-gce
2020/06/10 16:16 upstream 7ae77150d94d a6f7998d .config console log report ci-upstream-kasan-gce-root
2020/05/21 04:50 upstream b85051e755b0 c61086ab .config console log report ci-upstream-kasan-gce
2020/05/15 05:08 upstream 8c1684bb81f1 2d572622 .config console log report ci-upstream-kasan-gce
2020/03/04 09:22 upstream 63623fd44972 c88c7b75 .config console log report ci-upstream-kasan-gce-smack-root
2019/07/21 03:20 upstream abdfd52a295f 1656845f .config console log report ci-upstream-kasan-gce
2019/06/23 00:58 upstream abf02e2964b3 34bf9440 .config console log report ci-upstream-kasan-gce
2020/06/10 19:27 upstream 7ae77150d94d a6f7998d .config console log report ci-upstream-kasan-gce-386
2020/06/10 19:27 upstream 7ae77150d94d a6f7998d .config console log report ci-upstream-kasan-gce-386
2020/06/10 18:47 upstream 7ae77150d94d a6f7998d .config console log report ci-upstream-kasan-gce-386
2020/06/10 17:31 upstream 7ae77150d94d a6f7998d .config console log report ci-upstream-kasan-gce-386
2020/06/10 16:38 upstream 7ae77150d94d a6f7998d .config console log report ci-upstream-kasan-gce-386
2020/06/10 18:28 linux-next e7b08814b16b a6f7998d .config console log report ci-upstream-linux-next-kasan-gce-root
2020/06/10 18:08 linux-next e7b08814b16b a6f7998d .config console log report ci-upstream-linux-next-kasan-gce-root
2020/06/10 16:34 linux-next e7b08814b16b a6f7998d .config console log report ci-upstream-linux-next-kasan-gce-root
2019/06/27 22:01 linux-next 8087b004bd09 7509bf36 .config console log report ci-upstream-linux-next-kasan-gce-root
* Struck through repros no longer work on HEAD.