syzbot


KASAN: use-after-free Read in klist_dec_and_del

Status: upstream: reported C repro on 2021/08/06 19:37
Reported-by: syzbot+675cee2a9f10b1ecf7c4@syzkaller.appspotmail.com
First crash: 323d, last: 46d

Fix bisection: failed (bisect log)
similar bugs (1):

Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
upstream | BUG: corrupted list in klist_dec_and_del | C | inconclusive | inconclusive | 1 | 386d | 442d | 0/22 | upstream: reported C repro on 2021/04/09 12:29

Sample crash report:
 kthread+0x33f/0x460 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
kobject_add_internal failed for hci0:200 with -EEXIST, don't try to register things with the same name in the same directory.
Bluetooth: hci0: failed to register connection device
==================================================================
BUG: KASAN: use-after-free in __list_del_entry_valid+0xe0/0xf0 lib/list_debug.c:51
Read of size 8 at addr ffff8880a449fb20 by task kworker/u5:1/8123

CPU: 1 PID: 8123 Comm: kworker/u5:1 Not tainted 4.19.201-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: hci0 hci_rx_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
 kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
 kasan_report mm/kasan/report.c:412 [inline]
 __asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433
 __list_del_entry_valid+0xe0/0xf0 lib/list_debug.c:51
 __list_del_entry include/linux/list.h:117 [inline]
 list_del include/linux/list.h:125 [inline]
 klist_release lib/klist.c:190 [inline]
 kref_put include/linux/kref.h:70 [inline]
 klist_dec_and_del+0x97/0x480 lib/klist.c:207
 klist_put+0x7a/0x150 lib/klist.c:218
 device_del+0x162/0xaf0 drivers/base/core.c:2320
 hci_conn_del_sysfs+0xdc/0x180 net/bluetooth/hci_sysfs.c:78
 hci_conn_cleanup+0x24b/0x550 net/bluetooth/hci_conn.c:128
 hci_conn_del+0x2a0/0x780 net/bluetooth/hci_conn.c:611
 hci_disconn_complete_evt net/bluetooth/hci_event.c:2678 [inline]
 hci_event_packet+0x11ca/0x7e20 net/bluetooth/hci_event.c:5787
 hci_rx_work+0x4ad/0xc70 net/bluetooth/hci_core.c:4366
 process_one_work+0x864/0x1570 kernel/workqueue.c:2153
 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
 kthread+0x33f/0x460 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

Allocated by task 8123:
 kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625
 kmalloc include/linux/slab.h:515 [inline]
 kzalloc include/linux/slab.h:709 [inline]
 device_private_init drivers/base/core.c:2035 [inline]
 device_add+0xe5a/0x16d0 drivers/base/core.c:2080
 hci_conn_add_sysfs+0x97/0x1a0 net/bluetooth/hci_sysfs.c:53
 hci_conn_complete_evt net/bluetooth/hci_event.c:2445 [inline]
 hci_event_packet+0x2647/0x7e20 net/bluetooth/hci_event.c:5779
 hci_rx_work+0x4ad/0xc70 net/bluetooth/hci_core.c:4366
 process_one_work+0x864/0x1570 kernel/workqueue.c:2153
 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
 kthread+0x33f/0x460 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

Freed by task 8123:
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xcc/0x210 mm/slab.c:3822
 device_add+0x713/0x16d0 drivers/base/core.c:2213
 hci_conn_add_sysfs+0x97/0x1a0 net/bluetooth/hci_sysfs.c:53
 hci_sync_conn_complete_evt.isra.0+0x9e9/0xca0 net/bluetooth/hci_event.c:4091
 hci_event_packet+0x391f/0x7e20 net/bluetooth/hci_event.c:5869
 hci_rx_work+0x4ad/0xc70 net/bluetooth/hci_core.c:4366
 process_one_work+0x864/0x1570 kernel/workqueue.c:2153
 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
 kthread+0x33f/0x460 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

The buggy address belongs to the object at ffff8880a449fac0
 which belongs to the cache kmalloc-256 of size 256
The buggy address is located 96 bytes inside of
 256-byte region [ffff8880a449fac0, ffff8880a449fbc0)
The buggy address belongs to the page:
page:ffffea00029127c0 count:1 mapcount:0 mapping:ffff88813bff07c0 index:0xffff8880a449f200
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffffea0002d488c8 ffffea0002917c48 ffff88813bff07c0
raw: ffff8880a449f200 ffff8880a449f0c0 0000000100000007 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a449fa00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880a449fa80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8880a449fb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                               ^
 ffff8880a449fb80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8880a449fc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Crashes (3):

Manager | Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Title
ci2-linux-4-19 | 2021/08/06 20:19 | linux-4.19.y | 6ca2f514c578 | 6972b106 | .config | log | report | syz | C | | KASAN: use-after-free Read in klist_dec_and_del
ci2-linux-4-19 | 2022/05/11 03:23 | linux-4.19.y | 3f8a27f9e27b | 8d7b3b67 | .config | log | report | | | info | KASAN: use-after-free Read in klist_dec_and_del
ci2-linux-4-19 | 2021/08/06 19:37 | linux-4.19.y | 6ca2f514c578 | 6972b106 | .config | log | report | | | info | KASAN: use-after-free Read in klist_dec_and_del