syzbot

KASAN: use-after-free Read in hci_chan_del

Status: upstream: reported C repro on 2020/08/02 20:45
Reported-by: syzbot+305a91e025a73e4fd6ce@syzkaller.appspotmail.com
First crash: 856d, last: 577d

Cause bisection: introduced by (bisect log) :
commit 166beccd47e11e4d27477e8ca1d7eda47cf3b2da
Author: Eric Anholt <eric@anholt.net>
Date: Mon Oct 3 18:52:06 2016 +0000

  staging/vchi: Convert to current get_user_pages() arguments.

Crash: WARNING in nf_unregister_net_hook (log)
Repro: C syz .config

Fix bisection: fixed by (bisect log) :
commit 43016d02cf6e46edfc4696452251d34bba0c0435
Author: Florian Westphal <fw@strlen.de>
Date: Mon May 3 11:51:15 2021 +0000

  netfilter: arptables: use pernet ops struct during unregister

similar bugs (4):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.14 KASAN: use-after-free Read in hci_chan_del C error 21 119d 855d 0/1 upstream: reported C repro on 2020/08/03 13:37
linux-4.19 KASAN: use-after-free Read in hci_chan_del C done 24 510d 856d 1/1 fixed on 2021/08/15 11:28
upstream BUG: corrupted list in hci_chan_del 2 844d 845d 0/24 auto-closed as invalid on 2020/12/12 09:03
linux-4.14 BUG: corrupted list in hci_chan_del 1 854d 854d 0/1 auto-closed as invalid on 2020/12/02 12:13

Patch testing requests:
Created Duration User Patch Repo Result
2022/10/05 12:30 17m retest repro linux-next error
2022/10/05 01:30 17m retest repro linux-next error
2022/10/04 23:30 17m retest repro linux-next error
2022/10/04 21:30 17m retest repro linux-next error
2022/10/04 20:30 17m retest repro linux-next error
2022/10/04 16:30 17m retest repro linux-next error
2022/10/04 12:30 17m retest repro linux-next error
2022/10/03 23:30 7m retest repro linux-next error
2022/10/03 22:30 17m retest repro linux-next error
2022/10/03 20:30 17m retest repro linux-next error
2022/10/03 19:30 17m retest repro linux-next error
2022/10/03 16:30 17m retest repro linux-next error
2022/10/03 14:30 17m retest repro linux-next error
2022/10/03 02:30 18m retest repro linux-next error
2022/10/03 00:30 18m retest repro linux-next error
2022/09/29 01:30 17m retest repro upstream OK log
2022/09/28 23:30 15m retest repro upstream OK log
2022/09/28 21:30 17m retest repro upstream OK log
2022/09/28 18:30 17m retest repro upstream OK log
2022/09/28 16:30 16m retest repro upstream OK log
2022/09/28 11:30 16m retest repro upstream OK log
2022/09/28 08:30 16m retest repro upstream OK log
2022/09/28 05:30 16m retest repro upstream OK log
2022/09/28 03:30 17m retest repro upstream OK log
2022/09/27 23:30 16m retest repro upstream OK log
2022/09/26 03:30 16m retest repro upstream OK log
2022/09/26 01:30 16m retest repro upstream OK log
2022/09/25 22:30 16m retest repro upstream OK log
2022/09/25 20:30 16m retest repro upstream OK log
2022/09/25 17:30 16m retest repro upstream OK log
2022/09/25 15:30 16m retest repro upstream OK log
2022/09/25 13:30 16m retest repro upstream OK log
2022/09/25 10:30 16m retest repro upstream OK log
2022/09/23 10:30 17m retest repro upstream OK log
2022/09/23 07:30 17m retest repro upstream OK log
2022/09/23 02:30 17m retest repro upstream OK log
2022/09/22 23:29 17m retest repro upstream OK log
2022/09/22 21:29 17m retest repro upstream OK log
2022/09/22 18:29 17m retest repro upstream OK log
2022/09/22 15:29 17m retest repro upstream OK log
2022/09/15 20:29 17m retest repro upstream OK log
2022/09/15 17:29 16m retest repro upstream OK log
2022/09/15 14:29 16m retest repro upstream OK log
2022/09/15 10:29 17m retest repro upstream OK log
2022/09/15 06:29 16m retest repro upstream OK log
2022/09/15 03:29 16m retest repro upstream OK log
2022/09/09 23:27 16m retest repro upstream OK log
2022/09/09 19:27 8m retest repro upstream error
2022/09/09 13:27 16m retest repro upstream OK log
2022/09/09 10:27 16m retest repro upstream OK log
2022/09/09 06:27 16m retest repro upstream OK log
2022/09/09 02:27 16m retest repro upstream OK log
2021/04/19 22:07 16m phil@philpotter.co.uk upstream report log
2020/10/02 12:01 10m anmol.karan123@gmail.com upstream report log
2020/08/05 02:44 16m coiby.xu@gmail.com https://github.com/coiby/linux.git syzbot4 OK
2020/08/04 15:28 9m coiby.xu@gmail.com https://github.com/coiby/linux.git syzbot4 report log

Sample crash report:
IPVS: ftp: loaded support on port[0] = 21
==================================================================
BUG: KASAN: use-after-free in hci_chan_del+0x14f/0x190 net/bluetooth/hci_conn.c:1728
Read of size 8 at addr ffff8880a04d8618 by task syz-executor280/6828

CPU: 0 PID: 6828 Comm: syz-executor280 Not tainted 5.8.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x18f/0x20d lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
 hci_chan_del+0x14f/0x190 net/bluetooth/hci_conn.c:1728
 l2cap_conn_del+0x61b/0x9e0 net/bluetooth/l2cap_core.c:1900
 l2cap_disconn_cfm net/bluetooth/l2cap_core.c:8160 [inline]
 l2cap_disconn_cfm+0x85/0xa0 net/bluetooth/l2cap_core.c:8153
 hci_disconn_cfm include/net/bluetooth/hci_core.h:1438 [inline]
 hci_conn_hash_flush+0x114/0x220 net/bluetooth/hci_conn.c:1557
 hci_dev_do_close+0x5c6/0x1080 net/bluetooth/hci_core.c:1770
 hci_unregister_dev+0x1bd/0xe30 net/bluetooth/hci_core.c:3790
 vhci_release+0x70/0xe0 drivers/bluetooth/hci_vhci.c:340
 __fput+0x285/0x920 fs/file_table.c:281
 task_work_run+0xdd/0x190 kernel/task_work.c:135
 exit_task_work include/linux/task_work.h:25 [inline]
 do_exit+0xb7d/0x29f0 kernel/exit.c:806
 do_group_exit+0x125/0x310 kernel/exit.c:903
 __do_sys_exit_group kernel/exit.c:914 [inline]
 __se_sys_exit_group kernel/exit.c:912 [inline]
 __ia32_sys_exit_group+0x3a/0x50 kernel/exit.c:912
 do_syscall_32_irqs_on arch/x86/entry/common.c:84 [inline]
 __do_fast_syscall_32+0x57/0x80 arch/x86/entry/common.c:126
 do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:149
 entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
RIP: 0023:0xf7efe549
Code: Bad RIP value.
RSP: 002b:00000000ffe9f49c EFLAGS: 00000296 ORIG_RAX: 00000000000000fc
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00000000080fd318
RDX: 0000000000000000 RSI: 00000000080e33e0 RDI: 00000000080fd320
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 1544:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:461
 kmem_cache_alloc_trace+0x16e/0x2c0 mm/slab.c:3550
 kmalloc include/linux/slab.h:554 [inline]
 kzalloc include/linux/slab.h:666 [inline]
 hci_chan_create+0x9b/0x330 net/bluetooth/hci_conn.c:1713
 l2cap_conn_add.part.0+0x1e/0xe10 net/bluetooth/l2cap_core.c:7698
 l2cap_conn_add net/bluetooth/l2cap_core.c:8140 [inline]
 l2cap_connect_cfm+0x23b/0x1090 net/bluetooth/l2cap_core.c:8098
 hci_connect_cfm include/net/bluetooth/hci_core.h:1423 [inline]
 le_conn_complete_evt+0x1153/0x1740 net/bluetooth/hci_event.c:5190
 hci_le_conn_complete_evt net/bluetooth/hci_event.c:5215 [inline]
 hci_le_meta_evt+0x745/0x3ff0 net/bluetooth/hci_event.c:5915
 hci_event_packet+0x2e25/0x87a8 net/bluetooth/hci_event.c:6192
 hci_rx_work+0x22e/0xb50 net/bluetooth/hci_core.c:4889
 process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
 kthread+0x3b5/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

Freed by task 6831:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:56
 kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355
 __kasan_slab_free+0xd8/0x120 mm/kasan/common.c:422
 __cache_free mm/slab.c:3418 [inline]
 kfree+0x103/0x2c0 mm/slab.c:3756
 hci_disconn_loglink_complete_evt net/bluetooth/hci_event.c:5018 [inline]
 hci_event_packet+0x3e33/0x87a8 net/bluetooth/hci_event.c:6213
 hci_rx_work+0x22e/0xb50 net/bluetooth/hci_core.c:4889
 process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
 kthread+0x3b5/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

The buggy address belongs to the object at ffff8880a04d8600
 which belongs to the cache kmalloc-128 of size 128
The buggy address is located 24 bytes inside of
 128-byte region [ffff8880a04d8600, ffff8880a04d8680)
The buggy address belongs to the page:
page:000000009948ca60 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880a04d8200 pfn:0xa04d8
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea0002890308 ffffea000289d9c8 ffff8880aa040400
raw: ffff8880a04d8200 ffff8880a04d8000 000000010000000b 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a04d8500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880a04d8580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880a04d8600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
 ffff8880a04d8680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880a04d8700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (87):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce-386 2020/08/15 06:17 upstream b923f1247b72 424dd8e7 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/11/11 20:43 linux-next 6dd65e60af98 cca87986 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/08/12 15:46 linux-next bc09acc9f224 bb3e5fe6 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/08/12 13:20 linux-next bc09acc9f224 bb3e5fe6 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/08/11 17:58 linux-next 4c9b89d8981b bacaf5fa .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/08/10 23:49 linux-next f80535b9aa10 7adc7b65 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/08/09 22:39 linux-next 01830e6c042e 70301872 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/08/09 04:16 linux-next 01830e6c042e f721e4a0 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/08/09 02:31 linux-next 01830e6c042e f721e4a0 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/08/08 21:14 linux-next 01830e6c042e f721e4a0 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/08/08 19:13 linux-next 01830e6c042e f721e4a0 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/08/08 14:31 linux-next 01830e6c042e ff51e522 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/08/07 15:25 linux-next 01830e6c042e cb436c69 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/08/07 05:28 linux-next 01830e6c042e 1f122f88 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/08/07 00:36 linux-next 01830e6c042e 1f122f88 .config log report syz
ci-upstream-linux-next-kasan-gce-root 2020/08/06 20:57 linux-next 01830e6c042e 1f122f88 .config log report syz
ci-upstream-kasan-gce-root 2020/11/13 09:13 upstream af5043c89a8e 16fca0c8 .config log report syz C
ci-upstream-kasan-gce-selinux-root 2020/11/12 14:23 upstream 3d5e28bff7ad 77a55c8e .config log report syz C
ci-upstream-kasan-gce-smack-root 2020/10/12 11:40 upstream 3dd0130f2430 4a77ae0b .config log report syz C
ci-upstream-kasan-gce 2020/08/15 20:25 upstream c9c9735c46f5 424dd8e7 .config log report syz C
ci-upstream-kasan-gce 2020/08/15 12:59 upstream 7fca4dee610d 424dd8e7 .config log report syz C
ci-upstream-kasan-gce 2020/08/15 08:59 upstream 7fca4dee610d 424dd8e7 .config log report syz C
ci-upstream-kasan-gce 2020/08/15 05:43 upstream 7fca4dee610d 424dd8e7 .config log report syz C
ci-upstream-kasan-gce 2020/08/15 05:03 upstream 7fca4dee610d 424dd8e7 .config log report syz C
ci-upstream-kasan-gce 2020/08/14 12:23 upstream a1d21081a60d 424dd8e7 .config log report syz C
ci-upstream-kasan-gce-root 2020/08/09 21:36 upstream 06a81c1c7db9 70301872 .config log report syz C
ci-upstream-kasan-gce-selinux-root 2020/08/09 02:49 upstream 449dc8c97089 f721e4a0 .config log report syz C
ci-upstream-kasan-gce-selinux-root 2020/08/09 00:21 upstream 449dc8c97089 f721e4a0 .config log report syz C
ci-upstream-kasan-gce-smack-root 2020/08/08 21:01 upstream 449dc8c97089 f721e4a0 .config log report syz C
ci-upstream-kasan-gce-root 2020/08/08 20:33 upstream 449dc8c97089 f721e4a0 .config log report syz C
ci-upstream-kasan-gce-smack-root 2020/08/08 18:49 upstream 449dc8c97089 f721e4a0 .config log report syz C
ci-upstream-kasan-gce-selinux-root 2020/08/07 21:14 upstream d6efb3ac3e6c cb436c69 .config log report syz C
ci-upstream-kasan-gce-smack-root 2020/08/07 20:17 upstream d6efb3ac3e6c cb436c69 .config log report syz C
ci-upstream-kasan-gce-root 2020/08/07 12:04 upstream d6efb3ac3e6c cb436c69 .config log report syz C
ci-upstream-kasan-gce-selinux-root 2020/08/07 04:38 upstream 47ec5303d73e 1f122f88 .config log report syz C
ci-upstream-kasan-gce-smack-root 2020/08/06 21:42 upstream 47ec5303d73e 1f122f88 .config log report syz C
ci-upstream-kasan-gce-root 2020/08/06 21:13 upstream 47ec5303d73e 1f122f88 .config log report syz C
ci-upstream-kasan-gce-root 2020/08/06 19:48 upstream 47ec5303d73e 1f122f88 .config log report syz C
ci-upstream-kasan-gce-root 2020/08/05 01:59 upstream c0842fbc1b18 80a06902 .config log report syz C
ci-upstream-kasan-gce-root 2020/08/04 11:09 upstream 3208167a865e 196277c4 .config log report syz C
ci-upstream-kasan-gce-selinux-root 2020/08/03 22:41 upstream bcf876870b95 196277c4 .config log report syz C
ci-upstream-kasan-gce-smack-root 2020/08/03 08:39 upstream 5a30a78924ec 196277c4 .config log report syz C
ci-upstream-kasan-gce-selinux-root 2020/08/03 01:23 upstream ac3a0c847296 63a73341 .config log report syz C
ci-upstream-kasan-gce-smack-root 2020/08/02 19:04 upstream ac3a0c847296 63a73341 .config log report syz C
ci-upstream-kasan-gce-386 2020/08/15 21:24 upstream c9c9735c46f5 424dd8e7 .config log report syz C
ci-upstream-kasan-gce-386 2020/08/15 14:22 upstream b923f1247b72 424dd8e7 .config log report syz C
ci-upstream-kasan-gce-386 2020/08/15 10:22 upstream b923f1247b72 424dd8e7 .config log report syz C
ci-upstream-kasan-gce-386 2020/08/15 06:58 upstream b923f1247b72 424dd8e7 .config log report syz C
ci-upstream-kasan-gce-386 2020/08/14 06:34 upstream 990f227371a4 54ce1ed6 .config log report syz C
ci-upstream-kasan-gce-root 2020/08/10 16:39 upstream 9420f1ce0186 70301872 .config log report syz
ci-upstream-kasan-gce-root 2020/08/10 14:31 upstream 9420f1ce0186 70301872 .config log report syz
ci-upstream-kasan-gce-selinux-root 2020/08/03 13:42 upstream 5a30a78924ec 196277c4 .config log report syz
ci-upstream-kasan-gce-root 2021/04/19 14:31 upstream bf05bf16c76b 50f523d7 .config log report info KASAN: use-after-free Read in hci_chan_del
ci-upstream-kasan-gce-root 2021/03/07 02:54 upstream a38fd8748464 e4b4d570 .config log report info KASAN: use-after-free Read in hci_chan_del
ci-upstream-kasan-gce-smack-root 2021/02/12 02:49 upstream 291009f656e8 a5f86b15 .config log report info KASAN: use-after-free Read in hci_chan_del
ci-upstream-kasan-gce-386 2021/05/08 15:40 upstream d2b6f8a17919 bc5434be .config log report info KASAN: use-after-free Read in hci_chan_del
ci-upstream-linux-next-kasan-gce-root 2021/01/31 11:24 linux-next b01f250d83f6 fc9fd31e .config log report info KASAN: use-after-free Read in hci_chan_del
ci-upstream-kasan-gce 2020/12/09 12:37 upstream 7d8761ba27fc 40cc414d .config log report info
ci-upstream-kasan-gce-root 2020/11/23 03:52 upstream a349e4c65960 0d27f508 .config log report info
ci-upstream-kasan-gce-root 2020/09/24 05:58 upstream c9c9e6a49f89 54289b08 .config log report info
ci-upstream-kasan-gce-smack-root 2020/09/22 08:07 upstream 98477740630f 9e1fa68e .config log report info
ci-upstream-kasan-gce-root 2020/08/04 10:28 upstream 3208167a865e 196277c4 .config log report
ci-upstream-kasan-gce-386 2021/04/04 12:56 upstream 2023a53bdf41 6a81331a .config log report info BUG: corrupted list in hci_chan_del
ci-upstream-kasan-gce-386 2020/08/15 01:31 upstream b923f1247b72 424dd8e7 .config log report
ci-upstream-linux-next-kasan-gce-root 2020/12/12 21:58 linux-next 14240d4c5b25 bca53db9 .config log report info