syzbot

KASAN: use-after-free Read in hci_chan_del

Status: upstream: reported C repro on 2020/08/02 20:45
Reported-by: syzbot+305a91e025a73e4fd6ce@syzkaller.appspotmail.com
First crash: 701d, last: 423d

Cause bisection: introduced by (bisect log):
commit 166beccd47e11e4d27477e8ca1d7eda47cf3b2da
Author: Eric Anholt <eric@anholt.net>
Date: Mon Oct 3 18:52:06 2016 +0000

  staging/vchi: Convert to current get_user_pages() arguments.

Crash: WARNING in nf_unregister_net_hook (log)
Repro: C syz .config

Fix bisection: fixed by (bisect log):
commit 43016d02cf6e46edfc4696452251d34bba0c0435
Author: Florian Westphal <fw@strlen.de>
Date: Mon May 3 11:51:15 2021 +0000

  netfilter: arptables: use pernet ops struct during unregister

similar bugs (4):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.14 KASAN: use-after-free Read in hci_chan_del C 21 25d 701d 0/1 upstream: reported C repro on 2020/08/03 13:37
linux-4.19 KASAN: use-after-free Read in hci_chan_del C done 24 355d 701d 1/1 fixed on 2021/08/15 11:28
upstream BUG: corrupted list in hci_chan_del 2 690d 690d 0/22 auto-closed as invalid on 2020/12/12 09:03
linux-4.14 BUG: corrupted list in hci_chan_del 1 700d 700d 0/1 auto-closed as invalid on 2020/12/02 12:13

Patch testing requests:
Created Duration User Patch Repo Result
2021/04/19 22:07 16m phil@philpotter.co.uk upstream report log
2020/10/02 12:01 10m anmol.karan123@gmail.com upstream report log
2020/08/05 02:44 16m coiby.xu@gmail.com https://github.com/coiby/linux.git syzbot4 OK
2020/08/04 15:28 9m coiby.xu@gmail.com https://github.com/coiby/linux.git syzbot4 report log

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in hci_chan_del+0x1c5/0x200 net/bluetooth/hci_conn.c:1728
Read of size 8 at addr ffff888015337918 by task syz-executor033/8525

CPU: 1 PID: 8525 Comm: syz-executor033 Not tainted 5.10.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xae/0x4c8 mm/kasan/report.c:385
 __kasan_report mm/kasan/report.c:545 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:562
 hci_chan_del+0x1c5/0x200 net/bluetooth/hci_conn.c:1728
 l2cap_conn_del+0x478/0x7b0 net/bluetooth/l2cap_core.c:1900
 l2cap_disconn_cfm net/bluetooth/l2cap_core.c:8161 [inline]
 l2cap_disconn_cfm+0x98/0xd0 net/bluetooth/l2cap_core.c:8154
 hci_disconn_cfm include/net/bluetooth/hci_core.h:1441 [inline]
 hci_conn_hash_flush+0x127/0x260 net/bluetooth/hci_conn.c:1557
 hci_dev_do_close+0x569/0x1110 net/bluetooth/hci_core.c:1770
 hci_unregister_dev+0x223/0xfe0 net/bluetooth/hci_core.c:3827
 vhci_release+0x70/0xe0 drivers/bluetooth/hci_vhci.c:340
 __fput+0x285/0x920 fs/file_table.c:281
 task_work_run+0xdd/0x190 kernel/task_work.c:151
 exit_task_work include/linux/task_work.h:30 [inline]
 do_exit+0xb64/0x29b0 kernel/exit.c:809
 do_group_exit+0x125/0x310 kernel/exit.c:906
 get_signal+0x428/0x1f00 kernel/signal.c:2758
 arch_do_signal+0x82/0x2390 arch/x86/kernel/signal.c:811
 exit_to_user_mode_loop kernel/entry/common.c:161 [inline]
 exit_to_user_mode_prepare+0x100/0x1a0 kernel/entry/common.c:191
 syscall_exit_to_user_mode+0x38/0x260 kernel/entry/common.c:266
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4468b9
Code: Unable to access opcode bytes at RIP 0x44688f.
RSP: 002b:00007ff435fccdb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00000000006dbc38 RCX: 00000000004468b9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006dbc38
RBP: 00000000006dbc30 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc3c
R13: 00007ffcbf363e5f R14: 00007ff435fcd9c0 R15: 00000000006dbc3c

Allocated by task 2042:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:461
 kmalloc include/linux/slab.h:552 [inline]
 kzalloc include/linux/slab.h:664 [inline]
 hci_chan_create+0xaa/0x3c0 net/bluetooth/hci_conn.c:1713
 l2cap_conn_add.part.0+0x1e/0xdf0 net/bluetooth/l2cap_core.c:7699
 l2cap_conn_add include/net/bluetooth/l2cap.h:858 [inline]
 l2cap_connect_cfm+0x5be/0xf50 net/bluetooth/l2cap_core.c:8099
 hci_connect_cfm include/net/bluetooth/hci_core.h:1426 [inline]
 le_conn_complete_evt+0x123d/0x18a0 net/bluetooth/hci_event.c:5195
 hci_le_conn_complete_evt net/bluetooth/hci_event.c:5220 [inline]
 hci_le_meta_evt+0x433/0x4400 net/bluetooth/hci_event.c:5920
 hci_event_packet+0x5d9/0x7d60 net/bluetooth/hci_event.c:6269
 hci_rx_work+0x511/0xd30 net/bluetooth/hci_core.c:4926
 process_one_work+0x933/0x15a0 kernel/workqueue.c:2272
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2418
 kthread+0x3af/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296

Freed by task 8496:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:56
 kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355
 __kasan_slab_free+0x102/0x140 mm/kasan/common.c:422
 slab_free_hook mm/slub.c:1544 [inline]
 slab_free_freelist_hook+0x5d/0x150 mm/slub.c:1577
 slab_free mm/slub.c:3142 [inline]
 kfree+0xdb/0x360 mm/slub.c:4124
 hci_disconn_loglink_complete_evt.isra.0+0x1cf/0x240 net/bluetooth/hci_event.c:5023
 hci_event_packet+0x2ded/0x7d60 net/bluetooth/hci_event.c:6290
 hci_rx_work+0x511/0xd30 net/bluetooth/hci_core.c:4926
 process_one_work+0x933/0x15a0 kernel/workqueue.c:2272
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2418
 kthread+0x3af/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296

The buggy address belongs to the object at ffff888015337900
 which belongs to the cache kmalloc-128 of size 128
The buggy address is located 24 bytes inside of
 128-byte region [ffff888015337900, ffff888015337980)
The buggy address belongs to the page:
page:00000000a4b08fa7 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x15337
flags: 0xfff00000000200(slab)
raw: 00fff00000000200 ffffea00007ff480 0000000c0000000c ffff888010041640
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888015337800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888015337880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888015337900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
 ffff888015337980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888015337a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (87):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce-root 2020/11/13 09:13 upstream af5043c89a8e 16fca0c8 .config log report syz C
ci-upstream-kasan-gce-selinux-root 2020/11/12 14:23 upstream 3d5e28bff7ad 77a55c8e .config log report syz C
ci-upstream-kasan-gce-smack-root 2020/10/12 11:40 upstream 3dd0130f2430 4a77ae0b .config log report syz C
ci-upstream-kasan-gce 2020/08/15 20:25 upstream c9c9735c46f5 424dd8e7 .config log report syz C
ci-upstream-kasan-gce 2020/08/15 12:59 upstream 7fca4dee610d 424dd8e7 .config log report syz C
ci-upstream-kasan-gce 2020/08/15 08:59 upstream 7fca4dee610d 424dd8e7 .config log report syz C
ci-upstream-kasan-gce 2020/08/15 05:43 upstream 7fca4dee610d 424dd8e7 .config log report syz C
ci-upstream-kasan-gce 2020/08/15 05:03 upstream 7fca4dee610d 424dd8e7 .config log report syz C
ci-upstream-kasan-gce 2020/08/14 12:23 upstream a1d21081a60d 424dd8e7 .config log report syz C
ci-upstream-kasan-gce-root 2020/08/09 21:36 upstream 06a81c1c7db9 70301872 .config log report syz C
ci-upstream-kasan-gce-selinux-root 2020/08/09 02:49 upstream 449dc8c97089 f721e4a0 .config log report syz C
ci-upstream-kasan-gce-selinux-root 2020/08/09 00:21 upstream 449dc8c97089 f721e4a0 .config log report syz C
ci-upstream-kasan-gce-smack-root 2020/08/08 21:01 upstream 449dc8c97089 f721e4a0 .config log report syz C
ci-upstream-kasan-gce-root 2020/08/08 20:33 upstream 449dc8c97089 f721e4a0 .config log report syz C
ci-upstream-kasan-gce-smack-root 2020/08/08 18:49 upstream 449dc8c97089 f721e4a0 .config log report syz C
ci-upstream-kasan-gce-selinux-root 2020/08/07 21:14 upstream d6efb3ac3e6c cb436c69 .config log report syz C
ci-upstream-kasan-gce-smack-root 2020/08/07 20:17 upstream d6efb3ac3e6c cb436c69 .config log report syz C
ci-upstream-kasan-gce-root 2020/08/07 12:04 upstream d6efb3ac3e6c cb436c69 .config log report syz C
ci-upstream-kasan-gce-selinux-root 2020/08/07 04:38 upstream 47ec5303d73e 1f122f88 .config log report syz C
ci-upstream-kasan-gce-smack-root 2020/08/06 21:42 upstream 47ec5303d73e 1f122f88 .config log report syz C
ci-upstream-kasan-gce-root 2020/08/06 21:13 upstream 47ec5303d73e 1f122f88 .config log report syz C
ci-upstream-kasan-gce-root 2020/08/06 19:48 upstream 47ec5303d73e 1f122f88 .config log report syz C
ci-upstream-kasan-gce-root 2020/08/05 01:59 upstream c0842fbc1b18 80a06902 .config log report syz C
ci-upstream-kasan-gce-root 2020/08/04 11:09 upstream 3208167a865e 196277c4 .config log report syz C
ci-upstream-kasan-gce-selinux-root 2020/08/03 22:41 upstream bcf876870b95 196277c4 .config log report syz C
ci-upstream-kasan-gce-smack-root 2020/08/03 08:39 upstream 5a30a78924ec 196277c4 .config log report syz C
ci-upstream-kasan-gce-selinux-root 2020/08/03 01:23 upstream ac3a0c847296 63a73341 .config log report syz C
ci-upstream-kasan-gce-smack-root 2020/08/02 19:04 upstream ac3a0c847296 63a73341 .config log report syz C
ci-upstream-kasan-gce-386 2020/08/15 21:24 upstream c9c9735c46f5 424dd8e7 .config log report syz C
ci-upstream-kasan-gce-386 2020/08/15 14:22 upstream b923f1247b72 424dd8e7 .config log report syz C
ci-upstream-kasan-gce-386 2020/08/15 10:22 upstream b923f1247b72 424dd8e7 .config log report syz C
ci-upstream-kasan-gce-386 2020/08/15 06:58 upstream b923f1247b72 424dd8e7 .config log report syz C
ci-upstream-kasan-gce-386 2020/08/15 06:17 upstream b923f1247b72 424dd8e7 .config log report syz C
ci-upstream-kasan-gce-386 2020/08/14 06:34 upstream 990f227371a4 54ce1ed6 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/11/11 20:43 linux-next 6dd65e60af98 cca87986 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/08/12 15:46 linux-next bc09acc9f224 bb3e5fe6 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/08/12 13:20 linux-next bc09acc9f224 bb3e5fe6 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/08/11 17:58 linux-next 4c9b89d8981b bacaf5fa .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/08/10 23:49 linux-next f80535b9aa10 7adc7b65 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/08/09 22:39 linux-next 01830e6c042e 70301872 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/08/09 04:16 linux-next 01830e6c042e f721e4a0 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/08/09 02:31 linux-next 01830e6c042e f721e4a0 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/08/08 21:14 linux-next 01830e6c042e f721e4a0 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/08/08 19:13 linux-next 01830e6c042e f721e4a0 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/08/08 14:31 linux-next 01830e6c042e ff51e522 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/08/07 15:25 linux-next 01830e6c042e cb436c69 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/08/07 05:28 linux-next 01830e6c042e 1f122f88 .config log report syz C
ci-upstream-kasan-gce-root 2020/08/10 16:39 upstream 9420f1ce0186 70301872 .config log report syz
ci-upstream-kasan-gce-root 2020/08/10 14:31 upstream 9420f1ce0186 70301872 .config log report syz
ci-upstream-kasan-gce-selinux-root 2020/08/03 13:42 upstream 5a30a78924ec 196277c4 .config log report syz
ci-upstream-linux-next-kasan-gce-root 2020/08/07 00:36 linux-next 01830e6c042e 1f122f88 .config log report syz
ci-upstream-linux-next-kasan-gce-root 2020/08/06 20:57 linux-next 01830e6c042e 1f122f88 .config log report syz
ci-upstream-kasan-gce-root 2021/04/19 14:31 upstream bf05bf16c76b 50f523d7 .config log report info KASAN: use-after-free Read in hci_chan_del
ci-upstream-kasan-gce-root 2021/03/07 02:54 upstream a38fd8748464 e4b4d570 .config log report info KASAN: use-after-free Read in hci_chan_del
ci-upstream-kasan-gce-smack-root 2021/02/12 02:49 upstream 291009f656e8 a5f86b15 .config log report info KASAN: use-after-free Read in hci_chan_del
ci-upstream-kasan-gce-386 2021/05/08 15:40 upstream d2b6f8a17919 bc5434be .config log report info KASAN: use-after-free Read in hci_chan_del
ci-upstream-linux-next-kasan-gce-root 2021/01/31 11:24 linux-next b01f250d83f6 fc9fd31e .config log report info KASAN: use-after-free Read in hci_chan_del
ci-upstream-kasan-gce 2020/12/09 12:37 upstream 7d8761ba27fc 40cc414d .config log report info
ci-upstream-kasan-gce-root 2020/11/23 03:52 upstream a349e4c65960 0d27f508 .config log report info
ci-upstream-kasan-gce-root 2020/09/24 05:58 upstream c9c9e6a49f89 54289b08 .config log report info
ci-upstream-kasan-gce-smack-root 2020/09/22 08:07 upstream 98477740630f 9e1fa68e .config log report info
ci-upstream-kasan-gce-root 2020/08/04 10:28 upstream 3208167a865e 196277c4 .config log report
ci-upstream-kasan-gce-386 2021/04/04 12:56 upstream 2023a53bdf41 6a81331a .config log report info BUG: corrupted list in hci_chan_del
ci-upstream-kasan-gce-386 2020/08/15 01:31 upstream b923f1247b72 424dd8e7 .config log report
ci-upstream-linux-next-kasan-gce-root 2020/12/12 21:58 linux-next 14240d4c5b25 bca53db9 .config log report info