KASAN: slab-out-of-bounds Read in hci_event

KASAN: slab-out-of-bounds Read in hci_event_packet
Status: upstream: reported C repro on 2019/01/07 18:31
Reported-by: syzbot+cec7a50c412a2c03f8f5@syzkaller.appspotmail.com
First crash: 789d, last: 155d

Cause bisection: introduced by (bisect log) :
commit c470abd4fde40ea6a0846a2beab642a578c0b8cd
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date: Sun Feb 19 22:34:00 2017 +0000

Linux 4.10

Fix bisection: failed (bisect log)

similar bugs (2):
Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
linux-4.14	KASAN: slab-out-of-bounds Read in hci_event_packet	C		done	17	201d	675d	1/1	fixed on 2020/09/17 01:43
linux-4.19	KASAN: slab-out-of-bounds Read in hci_event_packet	C		done	15	207d	417d	1/1	fixed on 2020/09/11 09:49

Patch testing requests:
Created	Duration	User	Patch	Repo	Result
2019/03/21 05:37	19m	xiyou.wangcong@gmail.com		https://github.com/congwang/linux.git bluetooth	OK
2019/03/18 20:02	19m	xiyou.wangcong@gmail.com		https://github.com/congwang/linux.git bluetooth	OK

Sample crash report:

==================================================================
BUG: KASAN: slab-out-of-bounds in hci_le_direct_adv_report_evt net/bluetooth/hci_event.c:5875 [inline]
BUG: KASAN: slab-out-of-bounds in hci_le_meta_evt net/bluetooth/hci_event.c:5939 [inline]
BUG: KASAN: slab-out-of-bounds in hci_event_packet+0x763b/0x17e10 net/bluetooth/hci_event.c:6192
Read of size 1 at addr ffff88809f4a0a05 by task kworker/u5:1/6821

CPU: 1 PID: 6821 Comm: kworker/u5:1 Not tainted 5.9.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: hci0 hci_rx_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1f0/0x31e lib/dump_stack.c:118
 print_address_description+0x66/0x620 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report+0x132/0x1d0 mm/kasan/report.c:530
 hci_le_direct_adv_report_evt net/bluetooth/hci_event.c:5875 [inline]
 hci_le_meta_evt net/bluetooth/hci_event.c:5939 [inline]
 hci_event_packet+0x763b/0x17e10 net/bluetooth/hci_event.c:6192
 hci_rx_work+0x246/0xa20 net/bluetooth/hci_core.c:4889
 process_one_work+0x789/0xfc0 kernel/workqueue.c:2269
 worker_thread+0xaa4/0x1460 kernel/workqueue.c:2415
 kthread+0x37e/0x3a0 drivers/block/aoe/aoecmd.c:1234
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

Allocated by task 6817:
 kasan_save_stack mm/kasan/common.c:48 [inline]
 kasan_set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc+0x100/0x130 mm/kasan/common.c:461
 __kmalloc_reserve net/core/skbuff.c:142 [inline]
 __alloc_skb+0xde/0x4f0 net/core/skbuff.c:210
 alloc_skb include/linux/skbuff.h:1085 [inline]
 bt_skb_alloc include/net/bluetooth/bluetooth.h:389 [inline]
 vhci_get_user drivers/bluetooth/hci_vhci.c:165 [inline]
 vhci_write+0xb7/0x400 drivers/bluetooth/hci_vhci.c:285
 call_write_iter include/linux/fs.h:1882 [inline]
 new_sync_write fs/read_write.c:503 [inline]
 vfs_write+0xa96/0xd10 fs/read_write.c:578
 ksys_write+0x11b/0x220 fs/read_write.c:631
 do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at ffff88809f4a0800
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 5 bytes to the right of
 512-byte region [ffff88809f4a0800, ffff88809f4a0a00)
The buggy address belongs to the page:
page:00000000f35f91a2 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9f4a0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea000287ebc8 ffffea0002a4d048 ffff8880aa440600
raw: 0000000000000000 ffff88809f4a0000 0000000100000004 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809f4a0900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88809f4a0980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88809f4a0a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
 ffff88809f4a0a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88809f4a0b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Crashes (67):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info
ci-upstream-kasan-gce-smack-root	2020/08/27 05:21	upstream	15bc20c6	318430cb	.config	log	report	syz	C
ci-upstream-kasan-gce-smack-root	2020/08/03 05:34	upstream	5a30a789	196277c4	.config	log	report	syz	C
ci-upstream-kasan-gce-smack-root	2020/08/03 05:14	upstream	5a30a789	196277c4	.config	log	report	syz	C
ci-upstream-kasan-gce-smack-root	2020/08/02 15:56	upstream	ac3a0c84	63a73341	.config	log	report	syz	C
ci-upstream-kasan-gce-smack-root	2020/07/31 14:33	upstream	83bdc727	8df85ed9	.config	log	report	syz	C
ci-upstream-kasan-gce-smack-root	2020/07/31 10:05	upstream	83bdc727	8df85ed9	.config	log	report	syz	C
ci-upstream-kasan-gce-smack-root	2020/07/09 19:45	upstream	0bddd227	bc238812	.config	log	report	syz	C
ci-upstream-kasan-gce-smack-root	2020/07/04 06:17	upstream	7cc2a8ea	51095195	.config	log	report	syz	C
ci-qemu-upstream	2020/05/16 15:29	upstream	12bf0b63	37bccd4e	.config	log	report	syz	C
ci-upstream-kasan-gce-root	2020/04/02 17:46	upstream	919dce24	a34e2c33	.config	log	report	syz	C
ci-upstream-kasan-gce	2020/03/18 23:34	upstream	5076190d	0a96a13c	.config	log	report	syz	C
ci-upstream-kasan-gce-selinux-root	2019/01/07 10:16	upstream	574823bf	ee332608	.config	log	report	syz	C
ci-upstream-kasan-gce	2019/01/07 09:42	upstream	574823bf	ee332608	.config	log	report	syz	C
ci-upstream-kasan-gce-root	2019/01/07 09:41	upstream	574823bf	ee332608	.config	log	report	syz	C
ci-upstream-kasan-gce-smack-root	2019/01/07 09:41	upstream	574823bf	ee332608	.config	log	report	syz	C
ci-qemu-upstream-386	2020/06/13 23:31	upstream	435faf5c	dbce178a	.config	log	report	syz	C
ci-upstream-kasan-gce-386	2020/03/19 01:05	upstream	5076190d	0a96a13c	.config	log	report	syz	C
ci-upstream-kasan-gce-386	2019/01/07 09:42	upstream	574823bf	ee332608	.config	log	report	syz	C
ci-upstream-linux-next-kasan-gce-root	2020/04/11 19:35	linux-next	11ecafc6	a8c6a3f8	.config	log	report	syz	C
ci-upstream-linux-next-kasan-gce-root	2019/01/07 09:40	linux-next	a85b6b4f	ee332608	.config	log	report	syz	C
ci-upstream-kasan-gce-smack-root	2020/10/02 09:09	upstream	fcadab74	9602ddf4	.config	log	report			info
ci-upstream-kasan-gce-smack-root	2020/08/08 04:48	upstream	5631c5e0	ff51e522	.config	log	report
ci-upstream-kasan-gce-smack-root	2020/08/07 16:18	upstream	d6efb3ac	cb436c69	.config	log	report
ci-upstream-kasan-gce-smack-root	2020/08/07 15:05	upstream	d6efb3ac	cb436c69	.config	log	report
ci-upstream-kasan-gce-smack-root	2020/08/06 17:56	upstream	47ec5303	1f122f88	.config	log	report
ci-upstream-kasan-gce-smack-root	2020/08/05 05:35	upstream	c0842fbc	80a06902	.config	log	report
ci-upstream-kasan-gce-selinux-root	2020/08/04 18:54	upstream	c0842fbc	80a06902	.config	log	report
ci-upstream-kasan-gce-smack-root	2020/08/02 12:17	upstream	ac3a0c84	63a73341	.config	log	report
ci-upstream-kasan-gce-smack-root	2020/08/02 11:17	upstream	ac3a0c84	63a73341	.config	log	report
ci-upstream-kasan-gce-smack-root	2020/08/02 09:58	upstream	ac3a0c84	63a73341	.config	log	report
ci-upstream-kasan-gce-smack-root	2020/08/01 12:31	upstream	7dc6fd0f	d895b3be	.config	log	report
ci-upstream-kasan-gce-smack-root	2020/07/31 21:54	upstream	d8b9faec	d895b3be	.config	log	report
ci-upstream-kasan-gce-root	2020/07/31 11:40	upstream	83bdc727	8df85ed9	.config	log	report
ci-upstream-kasan-gce-selinux-root	2020/07/31 02:37	upstream	83bdc727	8df85ed9	.config	log	report
ci-upstream-kasan-gce-smack-root	2020/07/30 23:42	upstream	83bdc727	8df85ed9	.config	log	report
ci-upstream-kasan-gce-smack-root	2020/07/17 12:27	upstream	f8456690	54b3c45e	.config	log	report
ci-upstream-kasan-gce-selinux-root	2020/07/09 19:35	upstream	0bddd227	bc238812	.config	log	report
ci-upstream-kasan-gce	2020/06/21 21:28	upstream	7ae77150	4f2acff9	.config	log	report
ci-upstream-kasan-gce-root	2020/06/17 23:24	upstream	7ae77150	b9f3810b	.config	log	report
ci-upstream-kasan-gce-smack-root	2020/06/10 18:54	upstream	7ae77150	a6f7998d	.config	log	report
ci-upstream-kasan-gce-root	2020/06/10 18:45	upstream	7ae77150	a6f7998d	.config	log	report
ci-upstream-kasan-gce-root	2020/06/10 18:23	upstream	7ae77150	a6f7998d	.config	log	report
ci-upstream-kasan-gce	2020/06/10 18:05	upstream	7ae77150	a6f7998d	.config	log	report
ci-upstream-kasan-gce-root	2020/06/10 16:16	upstream	7ae77150	a6f7998d	.config	log	report
ci-upstream-kasan-gce	2020/05/21 04:50	upstream	b85051e7	c61086ab	.config	log	report
ci-upstream-kasan-gce	2020/05/15 05:08	upstream	8c1684bb	2d572622	.config	log	report
ci-upstream-kasan-gce-smack-root	2020/03/04 09:22	upstream	63623fd4	c88c7b75	.config	log	report
ci-upstream-kasan-gce	2019/07/21 03:20	upstream	abdfd52a	1656845f	.config	log	report
ci-upstream-kasan-gce	2019/06/23 00:58	upstream	abf02e29	34bf9440	.config	log	report
ci-upstream-kasan-gce-386	2020/06/10 19:27	upstream	7ae77150	a6f7998d	.config	log	report
ci-upstream-kasan-gce-386	2020/06/10 19:27	upstream	7ae77150	a6f7998d	.config	log	report
ci-upstream-kasan-gce-386	2020/06/10 18:47	upstream	7ae77150	a6f7998d	.config	log	report
ci-upstream-kasan-gce-386	2020/06/10 17:31	upstream	7ae77150	a6f7998d	.config	log	report
ci-upstream-kasan-gce-386	2020/06/10 16:38	upstream	7ae77150	a6f7998d	.config	log	report
ci-upstream-linux-next-kasan-gce-root	2020/06/10 18:28	linux-next	e7b08814	a6f7998d	.config	log	report
ci-upstream-linux-next-kasan-gce-root	2020/06/10 18:08	linux-next	e7b08814	a6f7998d	.config	log	report
ci-upstream-linux-next-kasan-gce-root	2020/06/10 16:34	linux-next	e7b08814	a6f7998d	.config	log	report
ci-upstream-linux-next-kasan-gce-root	2019/06/27 22:01	linux-next	8087b004	7509bf36	.config	log	report