syzbot


KASAN: use-after-free Read in hci_chan_del

Status: upstream: reported C repro on 2020/08/02 20:45
Reported-by: syzbot+305a91e025a73e4fd6ce@syzkaller.appspotmail.com
First crash: 968d, last: 689d

Cause bisection: introduced by (bisect log):
commit 166beccd47e11e4d27477e8ca1d7eda47cf3b2da
Author: Eric Anholt <eric@anholt.net>
Date: Mon Oct 3 18:52:06 2016 +0000

  staging/vchi: Convert to current get_user_pages() arguments.

Crash: WARNING in nf_unregister_net_hook (log)
Repro: C syz .config

Fix bisection: fixed by (bisect log):
commit 43016d02cf6e46edfc4696452251d34bba0c0435
Author: Florian Westphal <fw@strlen.de>
Date: Mon May 3 11:51:15 2021 +0000

  netfilter: arptables: use pernet ops struct during unregister

similar bugs (4):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.14 KASAN: use-after-free Read in hci_chan_del C error 21 231d 967d 0/1 upstream: reported C repro on 2020/08/03 13:37
linux-4.19 KASAN: use-after-free Read in hci_chan_del C done 24 622d 968d 1/1 fixed on 2021/08/15 11:28
upstream BUG: corrupted list in hci_chan_del 2 957d 957d 0/24 auto-closed as invalid on 2020/12/12 09:03
linux-4.14 BUG: corrupted list in hci_chan_del 1 966d 966d 0/1 auto-closed as invalid on 2020/12/02 12:13
Last patch testing requests:
Created Duration User Patch Repo Result
2023/01/19 02:32 20m retest repro linux-next OK log
2023/01/18 16:32 20m retest repro linux-next OK log
2023/01/18 15:32 20m retest repro linux-next OK log
2023/01/18 08:32 20m retest repro linux-next OK log
2023/01/18 05:32 20m retest repro linux-next OK log
2023/01/18 03:32 21m retest repro linux-next OK log
2023/01/17 21:32 21m retest repro linux-next OK log
2023/01/17 18:32 21m retest repro linux-next OK log
2023/01/17 06:32 21m retest repro linux-next OK log
2023/01/17 03:32 21m retest repro linux-next OK log
2021/04/19 22:07 16m phil@philpotter.co.uk upstream report log
2020/10/02 12:01 10m anmol.karan123@gmail.com upstream report log
2020/08/05 02:44 16m coiby.xu@gmail.com https://github.com/coiby/linux.git syzbot4 OK
2020/08/04 15:28 9m coiby.xu@gmail.com https://github.com/coiby/linux.git syzbot4 report log

Sample crash report:
IPVS: ftp: loaded support on port[0] = 21
==================================================================
BUG: KASAN: use-after-free in hci_chan_del+0x14f/0x190 net/bluetooth/hci_conn.c:1728
Read of size 8 at addr ffff88809a22eb18 by task syz-executor678/6864

CPU: 0 PID: 6864 Comm: syz-executor678 Not tainted 5.8.0-rc7-next-20200731-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x18f/0x20d lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
 hci_chan_del+0x14f/0x190 net/bluetooth/hci_conn.c:1728
 l2cap_conn_del+0x61b/0x9e0 net/bluetooth/l2cap_core.c:1900
 l2cap_disconn_cfm net/bluetooth/l2cap_core.c:8160 [inline]
 l2cap_disconn_cfm+0x85/0xa0 net/bluetooth/l2cap_core.c:8153
 hci_disconn_cfm include/net/bluetooth/hci_core.h:1438 [inline]
 hci_conn_hash_flush+0x114/0x220 net/bluetooth/hci_conn.c:1557
 hci_dev_do_close+0x5c6/0x1080 net/bluetooth/hci_core.c:1770
 hci_unregister_dev+0x1bd/0xe30 net/bluetooth/hci_core.c:3790
 vhci_release+0x70/0xe0 drivers/bluetooth/hci_vhci.c:340
 __fput+0x285/0x920 fs/file_table.c:281
 task_work_run+0xdd/0x190 kernel/task_work.c:135
 exit_task_work include/linux/task_work.h:25 [inline]
 do_exit+0xb7d/0x29f0 kernel/exit.c:806
 do_group_exit+0x125/0x310 kernel/exit.c:903
 __do_sys_exit_group kernel/exit.c:914 [inline]
 __se_sys_exit_group kernel/exit.c:912 [inline]
 __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:912
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4450d8
Code: Bad RIP value.
RSP: 002b:00007ffe807b7b78 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00000000004450d8
RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
RBP: 00000000004cce90 R08: 00000000000000e7 R09: ffffffffffffffd0
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 00000000006e0220 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 6889:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:461
 kmem_cache_alloc_trace+0x16e/0x2c0 mm/slab.c:3550
 kmalloc include/linux/slab.h:554 [inline]
 kzalloc include/linux/slab.h:666 [inline]
 hci_chan_create+0x9b/0x330 net/bluetooth/hci_conn.c:1713
 l2cap_conn_add.part.0+0x1e/0xe10 net/bluetooth/l2cap_core.c:7698
 l2cap_conn_add net/bluetooth/l2cap_core.c:8140 [inline]
 l2cap_connect_cfm+0x23b/0x1090 net/bluetooth/l2cap_core.c:8098
 hci_connect_cfm include/net/bluetooth/hci_core.h:1423 [inline]
 le_conn_complete_evt+0x1153/0x1740 net/bluetooth/hci_event.c:5187
 hci_le_conn_complete_evt net/bluetooth/hci_event.c:5212 [inline]
 hci_le_meta_evt+0xe55/0x3fd0 net/bluetooth/hci_event.c:5903
 hci_event_packet+0x2e25/0x87a8 net/bluetooth/hci_event.c:6180
 hci_rx_work+0x22e/0xb50 net/bluetooth/hci_core.c:4889
 process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
 kthread+0x3b5/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

Freed by task 6889:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:56
 kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355
 __kasan_slab_free+0xd8/0x120 mm/kasan/common.c:422
 __cache_free mm/slab.c:3418 [inline]
 kfree+0x103/0x2c0 mm/slab.c:3756
 hci_disconn_loglink_complete_evt net/bluetooth/hci_event.c:5015 [inline]
 hci_event_packet+0x3e33/0x87a8 net/bluetooth/hci_event.c:6201
 hci_rx_work+0x22e/0xb50 net/bluetooth/hci_core.c:4889
 process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
 kthread+0x3b5/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

The buggy address belongs to the object at ffff88809a22eb00
 which belongs to the cache kmalloc-128 of size 128
The buggy address is located 24 bytes inside of
 128-byte region [ffff88809a22eb00, ffff88809a22eb80)
The buggy address belongs to the page:
page:0000000041193b81 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88809a22ee00 pfn:0x9a22e
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea00025c8748 ffffea0002868e88 ffff8880aa000400
raw: ffff88809a22ee00 ffff88809a22e000 000000010000000d 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809a22ea00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88809a22ea80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88809a22eb00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
 ffff88809a22eb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88809a22ec00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (87):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Title
ci-upstream-linux-next-kasan-gce-root 2020/08/07 15:25 linux-next 01830e6c042e cb436c69 .config console log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/08/07 05:28 linux-next 01830e6c042e 1f122f88 .config console log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/08/07 00:36 linux-next 01830e6c042e 1f122f88 .config console log report syz
ci-upstream-linux-next-kasan-gce-root 2020/08/06 20:57 linux-next 01830e6c042e 1f122f88 .config console log report syz
ci-upstream-kasan-gce-root 2020/11/13 09:13 upstream af5043c89a8e 16fca0c8 .config console log report syz C
ci-upstream-kasan-gce-selinux-root 2020/11/12 14:23 upstream 3d5e28bff7ad 77a55c8e .config console log report syz C
ci-upstream-kasan-gce-smack-root 2020/10/12 11:40 upstream 3dd0130f2430 4a77ae0b .config console log report syz C
ci-upstream-kasan-gce 2020/08/15 20:25 upstream c9c9735c46f5 424dd8e7 .config console log report syz C
ci-upstream-kasan-gce 2020/08/15 12:59 upstream 7fca4dee610d 424dd8e7 .config console log report syz C
ci-upstream-kasan-gce 2020/08/15 08:59 upstream 7fca4dee610d 424dd8e7 .config console log report syz C
ci-upstream-kasan-gce 2020/08/15 05:43 upstream 7fca4dee610d 424dd8e7 .config console log report syz C
ci-upstream-kasan-gce 2020/08/15 05:03 upstream 7fca4dee610d 424dd8e7 .config console log report syz C
ci-upstream-kasan-gce 2020/08/14 12:23 upstream a1d21081a60d 424dd8e7 .config console log report syz C
ci-upstream-kasan-gce-root 2020/08/09 21:36 upstream 06a81c1c7db9 70301872 .config console log report syz C
ci-upstream-kasan-gce-selinux-root 2020/08/09 02:49 upstream 449dc8c97089 f721e4a0 .config console log report syz C
ci-upstream-kasan-gce-selinux-root 2020/08/09 00:21 upstream 449dc8c97089 f721e4a0 .config console log report syz C
ci-upstream-kasan-gce-smack-root 2020/08/08 21:01 upstream 449dc8c97089 f721e4a0 .config console log report syz C
ci-upstream-kasan-gce-root 2020/08/08 20:33 upstream 449dc8c97089 f721e4a0 .config console log report syz C
ci-upstream-kasan-gce-smack-root 2020/08/08 18:49 upstream 449dc8c97089 f721e4a0 .config console log report syz C
ci-upstream-kasan-gce-selinux-root 2020/08/07 21:14 upstream d6efb3ac3e6c cb436c69 .config console log report syz C
ci-upstream-kasan-gce-smack-root 2020/08/07 20:17 upstream d6efb3ac3e6c cb436c69 .config console log report syz C
ci-upstream-kasan-gce-root 2020/08/07 12:04 upstream d6efb3ac3e6c cb436c69 .config console log report syz C
ci-upstream-kasan-gce-selinux-root 2020/08/07 04:38 upstream 47ec5303d73e 1f122f88 .config console log report syz C
ci-upstream-kasan-gce-smack-root 2020/08/06 21:42 upstream 47ec5303d73e 1f122f88 .config console log report syz C
ci-upstream-kasan-gce-root 2020/08/06 21:13 upstream 47ec5303d73e 1f122f88 .config console log report syz C
ci-upstream-kasan-gce-root 2020/08/06 19:48 upstream 47ec5303d73e 1f122f88 .config console log report syz C
ci-upstream-kasan-gce-root 2020/08/05 01:59 upstream c0842fbc1b18 80a06902 .config console log report syz C
ci-upstream-kasan-gce-root 2020/08/04 11:09 upstream 3208167a865e 196277c4 .config console log report syz C
ci-upstream-kasan-gce-selinux-root 2020/08/03 22:41 upstream bcf876870b95 196277c4 .config console log report syz C
ci-upstream-kasan-gce-smack-root 2020/08/03 08:39 upstream 5a30a78924ec 196277c4 .config console log report syz C
ci-upstream-kasan-gce-selinux-root 2020/08/03 01:23 upstream ac3a0c847296 63a73341 .config console log report syz C
ci-upstream-kasan-gce-smack-root 2020/08/02 19:04 upstream ac3a0c847296 63a73341 .config console log report syz C
ci-upstream-kasan-gce-386 2020/08/15 21:24 upstream c9c9735c46f5 424dd8e7 .config console log report syz C
ci-upstream-kasan-gce-386 2020/08/15 14:22 upstream b923f1247b72 424dd8e7 .config console log report syz C
ci-upstream-kasan-gce-386 2020/08/15 10:22 upstream b923f1247b72 424dd8e7 .config console log report syz C
ci-upstream-kasan-gce-386 2020/08/15 06:58 upstream b923f1247b72 424dd8e7 .config console log report syz C
ci-upstream-kasan-gce-386 2020/08/15 06:17 upstream b923f1247b72 424dd8e7 .config console log report syz C
ci-upstream-kasan-gce-386 2020/08/14 06:34 upstream 990f227371a4 54ce1ed6 .config console log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/11/11 20:43 linux-next 6dd65e60af98 cca87986 .config console log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/08/12 15:46 linux-next bc09acc9f224 bb3e5fe6 .config console log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/08/12 13:20 linux-next bc09acc9f224 bb3e5fe6 .config console log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/08/11 17:58 linux-next 4c9b89d8981b bacaf5fa .config console log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/08/10 23:49 linux-next f80535b9aa10 7adc7b65 .config console log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/08/09 22:39 linux-next 01830e6c042e 70301872 .config console log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/08/09 04:16 linux-next 01830e6c042e f721e4a0 .config console log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/08/09 02:31 linux-next 01830e6c042e f721e4a0 .config console log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/08/08 21:14 linux-next 01830e6c042e f721e4a0 .config console log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/08/08 19:13 linux-next 01830e6c042e f721e4a0 .config console log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/08/08 14:31 linux-next 01830e6c042e ff51e522 .config console log report syz C
ci-upstream-kasan-gce-root 2020/08/10 16:39 upstream 9420f1ce0186 70301872 .config console log report syz
ci-upstream-kasan-gce-root 2020/08/10 14:31 upstream 9420f1ce0186 70301872 .config console log report syz
ci-upstream-kasan-gce-selinux-root 2020/08/03 13:42 upstream 5a30a78924ec 196277c4 .config console log report syz
ci-upstream-kasan-gce-root 2021/04/19 14:31 upstream bf05bf16c76b 50f523d7 .config console log report info KASAN: use-after-free Read in hci_chan_del
ci-upstream-kasan-gce-root 2021/03/07 02:54 upstream a38fd8748464 e4b4d570 .config console log report info KASAN: use-after-free Read in hci_chan_del
ci-upstream-kasan-gce-smack-root 2021/02/12 02:49 upstream 291009f656e8 a5f86b15 .config console log report info KASAN: use-after-free Read in hci_chan_del
ci-upstream-kasan-gce-386 2021/05/08 15:40 upstream d2b6f8a17919 bc5434be .config console log report info KASAN: use-after-free Read in hci_chan_del
ci-upstream-linux-next-kasan-gce-root 2021/01/31 11:24 linux-next b01f250d83f6 fc9fd31e .config console log report info KASAN: use-after-free Read in hci_chan_del
ci-upstream-kasan-gce 2020/12/09 12:37 upstream 7d8761ba27fc 40cc414d .config console log report info
ci-upstream-kasan-gce-root 2020/11/23 03:52 upstream a349e4c65960 0d27f508 .config console log report info
ci-upstream-kasan-gce-root 2020/09/24 05:58 upstream c9c9e6a49f89 54289b08 .config console log report info
ci-upstream-kasan-gce-smack-root 2020/09/22 08:07 upstream 98477740630f 9e1fa68e .config console log report info
ci-upstream-kasan-gce-root 2020/08/04 10:28 upstream 3208167a865e 196277c4 .config console log report
ci-upstream-kasan-gce-386 2021/04/04 12:56 upstream 2023a53bdf41 6a81331a .config console log report info BUG: corrupted list in hci_chan_del
ci-upstream-kasan-gce-386 2020/08/15 01:31 upstream b923f1247b72 424dd8e7 .config console log report
ci-upstream-linux-next-kasan-gce-root 2020/12/12 21:58 linux-next 14240d4c5b25 bca53db9 .config console log report info
* Struck through repros no longer work on HEAD.