[syzbot] KASAN: use-after-free Write in sco_sock_timeout


syzbot

Aug 26, 2021, 12:29:25 PM
to da...@davemloft.net, desmond...@gmail.com, johan....@gmail.com, ku...@kernel.org, linux-b...@vger.kernel.org, linux-...@vger.kernel.org, luiz....@gmail.com, luiz.vo...@intel.com, mar...@holtmann.org, net...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: e3f30ab28ac8 Merge branch 'pktgen-samples-next'
git tree: net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=13249c96300000
kernel config: https://syzkaller.appspot.com/x/.config?x=ef482942966bf763
dashboard link: https://syzkaller.appspot.com/bug?extid=2bef95d3ab4daa10155b
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.1
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16a29ea9300000

The issue was bisected to:

commit e1dee2c1de2b4dd00eb44004a4bda6326ed07b59
Author: Desmond Cheong Zhi Xi <desmond...@gmail.com>
Date: Tue Aug 10 04:14:10 2021 +0000

Bluetooth: fix repeated calls to sco_sock_kill

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=15030c91300000
final oops: https://syzkaller.appspot.com/x/report.txt?x=17030c91300000
console output: https://syzkaller.appspot.com/x/log.txt?x=13030c91300000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2bef95...@syzkaller.appspotmail.com
Fixes: e1dee2c1de2b ("Bluetooth: fix repeated calls to sco_sock_kill")

==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: use-after-free in atomic_fetch_add_relaxed include/asm-generic/atomic-instrumented.h:111 [inline]
BUG: KASAN: use-after-free in __refcount_add include/linux/refcount.h:193 [inline]
BUG: KASAN: use-after-free in __refcount_inc include/linux/refcount.h:250 [inline]
BUG: KASAN: use-after-free in refcount_inc include/linux/refcount.h:267 [inline]
BUG: KASAN: use-after-free in sock_hold include/net/sock.h:702 [inline]
BUG: KASAN: use-after-free in sco_sock_timeout+0x64/0x290 net/bluetooth/sco.c:88
Write of size 4 at addr ffff888034b46080 by task kworker/1:0/20

CPU: 1 PID: 20 Comm: kworker/1:0 Not tainted 5.14.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events sco_sock_timeout
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:105
print_address_description.constprop.0.cold+0x6c/0x309 mm/kasan/report.c:233
__kasan_report mm/kasan/report.c:419 [inline]
kasan_report.cold+0x83/0xdf mm/kasan/report.c:436
check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
atomic_fetch_add_relaxed include/asm-generic/atomic-instrumented.h:111 [inline]
__refcount_add include/linux/refcount.h:193 [inline]
__refcount_inc include/linux/refcount.h:250 [inline]
refcount_inc include/linux/refcount.h:267 [inline]
sock_hold include/net/sock.h:702 [inline]
sco_sock_timeout+0x64/0x290 net/bluetooth/sco.c:88
process_one_work+0x98d/0x1630 kernel/workqueue.c:2276
worker_thread+0x658/0x11f0 kernel/workqueue.c:2422
kthread+0x3e5/0x4d0 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Allocated by task 4872:
kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
____kasan_kmalloc mm/kasan/common.c:513 [inline]
____kasan_kmalloc mm/kasan/common.c:472 [inline]
__kasan_kmalloc+0x9b/0xd0 mm/kasan/common.c:522
kmalloc include/linux/slab.h:596 [inline]
sk_prot_alloc+0x110/0x290 net/core/sock.c:1822
sk_alloc+0x32/0xbc0 net/core/sock.c:1875
__netlink_create+0x63/0x2f0 net/netlink/af_netlink.c:640
netlink_create+0x3ad/0x5e0 net/netlink/af_netlink.c:703
__sock_create+0x353/0x790 net/socket.c:1461
sock_create net/socket.c:1512 [inline]
__sys_socket+0xef/0x200 net/socket.c:1554
__do_sys_socket net/socket.c:1563 [inline]
__se_sys_socket net/socket.c:1561 [inline]
__x64_sys_socket+0x6f/0xb0 net/socket.c:1561
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 0:
kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
kasan_set_track+0x1c/0x30 mm/kasan/common.c:46
kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:360
____kasan_slab_free mm/kasan/common.c:366 [inline]
____kasan_slab_free mm/kasan/common.c:328 [inline]
__kasan_slab_free+0xfb/0x130 mm/kasan/common.c:374
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:1628 [inline]
slab_free_freelist_hook+0xdf/0x240 mm/slub.c:1653
slab_free mm/slub.c:3213 [inline]
kfree+0xe4/0x540 mm/slub.c:4267
sk_prot_free net/core/sock.c:1858 [inline]
__sk_destruct+0x6a8/0x900 net/core/sock.c:1943
sk_destruct+0xbd/0xe0 net/core/sock.c:1958
__sk_free+0xef/0x3d0 net/core/sock.c:1969
sk_free+0x78/0xa0 net/core/sock.c:1980
deferred_put_nlk_sk+0x151/0x2f0 net/netlink/af_netlink.c:740
rcu_do_batch kernel/rcu/tree.c:2550 [inline]
rcu_core+0x7ab/0x1380 kernel/rcu/tree.c:2785
__do_softirq+0x29b/0x9c2 kernel/softirq.c:558

Last potentially related work creation:
kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
kasan_record_aux_stack+0xe5/0x110 mm/kasan/generic.c:348
__call_rcu kernel/rcu/tree.c:3029 [inline]
call_rcu+0xb1/0x750 kernel/rcu/tree.c:3109
netlink_release+0xdd4/0x1dd0 net/netlink/af_netlink.c:812
__sock_release+0xcd/0x280 net/socket.c:649
sock_close+0x18/0x20 net/socket.c:1311
__fput+0x288/0x920 fs/file_table.c:280
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
exit_task_work include/linux/task_work.h:32 [inline]
do_exit+0xbd4/0x2a60 kernel/exit.c:825
do_group_exit+0x125/0x310 kernel/exit.c:922
__do_sys_exit_group kernel/exit.c:933 [inline]
__se_sys_exit_group kernel/exit.c:931 [inline]
__x64_sys_exit_group+0x3a/0x50 kernel/exit.c:931
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae

Second to last potentially related work creation:
kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
kasan_record_aux_stack+0xe5/0x110 mm/kasan/generic.c:348
__call_rcu kernel/rcu/tree.c:3029 [inline]
call_rcu+0xb1/0x750 kernel/rcu/tree.c:3109
netlink_release+0xdd4/0x1dd0 net/netlink/af_netlink.c:812
__sock_release+0xcd/0x280 net/socket.c:649
sock_close+0x18/0x20 net/socket.c:1311
__fput+0x288/0x920 fs/file_table.c:280
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
exit_task_work include/linux/task_work.h:32 [inline]
do_exit+0xbd4/0x2a60 kernel/exit.c:825
do_group_exit+0x125/0x310 kernel/exit.c:922
__do_sys_exit_group kernel/exit.c:933 [inline]
__se_sys_exit_group kernel/exit.c:931 [inline]
__x64_sys_exit_group+0x3a/0x50 kernel/exit.c:931
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff888034b46000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 128 bytes inside of
2048-byte region [ffff888034b46000, ffff888034b46800)
The buggy address belongs to the page:
page:ffffea0000d2d000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x34b40
head:ffffea0000d2d000 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 ffffea0000c37a00 0000000200000002 ffff888010c42000
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 8634, ts 417197903424, free_ts 417180376519
prep_new_page mm/page_alloc.c:2436 [inline]
get_page_from_freelist+0xa72/0x2f80 mm/page_alloc.c:4169
__alloc_pages+0x1b2/0x500 mm/page_alloc.c:5391
alloc_pages+0x18c/0x2a0 mm/mempolicy.c:2244
alloc_slab_page mm/slub.c:1691 [inline]
allocate_slab+0x32e/0x4b0 mm/slub.c:1831
new_slab mm/slub.c:1894 [inline]
new_slab_objects mm/slub.c:2640 [inline]
___slab_alloc+0x473/0x7b0 mm/slub.c:2803
__slab_alloc.constprop.0+0xa7/0xf0 mm/slub.c:2843
slab_alloc_node mm/slub.c:2925 [inline]
__kmalloc_node_track_caller+0x2e3/0x360 mm/slub.c:4653
kmalloc_reserve net/core/skbuff.c:355 [inline]
__alloc_skb+0xde/0x340 net/core/skbuff.c:426
alloc_skb include/linux/skbuff.h:1116 [inline]
alloc_skb_with_frags+0x93/0x620 net/core/skbuff.c:6073
sock_alloc_send_pskb+0x783/0x910 net/core/sock.c:2475
mld_newpack+0x1df/0x770 net/ipv6/mcast.c:1756
add_grhead+0x265/0x330 net/ipv6/mcast.c:1859
add_grec+0x1053/0x14e0 net/ipv6/mcast.c:1997
mld_send_initial_cr.part.0+0xf6/0x230 net/ipv6/mcast.c:2244
mld_send_initial_cr net/ipv6/mcast.c:1232 [inline]
ipv6_mc_dad_complete+0x1d0/0x690 net/ipv6/mcast.c:2255
addrconf_dad_completed+0xa20/0xd60 net/ipv6/addrconf.c:4181
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1346 [inline]
free_pcp_prepare+0x2c5/0x780 mm/page_alloc.c:1397
free_unref_page_prepare mm/page_alloc.c:3332 [inline]
free_unref_page+0x19/0x690 mm/page_alloc.c:3411
unfreeze_partials+0x16c/0x1b0 mm/slub.c:2421
put_cpu_partial+0x13d/0x230 mm/slub.c:2457
qlink_free mm/kasan/quarantine.c:146 [inline]
qlist_free_all+0x5a/0xc0 mm/kasan/quarantine.c:165
kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:272
__kasan_slab_alloc+0x8e/0xa0 mm/kasan/common.c:444
kasan_slab_alloc include/linux/kasan.h:254 [inline]
slab_post_alloc_hook mm/slab.h:519 [inline]
slab_alloc_node mm/slub.c:2959 [inline]
slab_alloc mm/slub.c:2967 [inline]
kmem_cache_alloc+0x285/0x4a0 mm/slub.c:2972
getname_flags.part.0+0x50/0x4f0 fs/namei.c:138
getname_flags fs/namei.c:2747 [inline]
user_path_at_empty+0xa1/0x100 fs/namei.c:2747
user_path_at include/linux/namei.h:57 [inline]
vfs_statx+0x142/0x390 fs/stat.c:203
vfs_fstatat fs/stat.c:225 [inline]
vfs_lstat include/linux/fs.h:3386 [inline]
__do_sys_newlstat+0x91/0x110 fs/stat.c:380
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae

Memory state around the buggy address:
ffff888034b45f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888034b46000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888034b46080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888034b46100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888034b46180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

Hillf Danton

Aug 26, 2021, 9:19:54 PM
to syzbot, desmond...@gmail.com, linux-b...@vger.kernel.org, linux-...@vger.kernel.org, luiz.vo...@intel.com, mar...@holtmann.org, syzkall...@googlegroups.com
On Thu, 26 Aug 2021 09:29:24 -0700
Ensure work is canceled before sk_free by using the sync version, and if
this is a cure then the duplicate cancel in sco_conn_del() can be cleaned
up in a separate one.

Only for thoughts now.

+++ x/net/bluetooth/sco.c
@@ -116,7 +116,7 @@ static void sco_sock_clear_timer(struct
return;

BT_DBG("sock %p state %d", sk, sk->sk_state);
- cancel_delayed_work(&sco_pi(sk)->conn->timeout_work);
+ cancel_delayed_work_sync(&sco_pi(sk)->conn->timeout_work);
}

/* ---- SCO connections ---- */
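Review bot: cancel_delayed_work_sync() here waits for an in-flight sco_sock_timeout() to finish, but sco_sock_clear_timer() is called with the socket locked (the sco_conn_del() and sco_sock_close() hunks later in this thread show it between lock_sock() and release_sock()) and the timeout handler takes the same socket lock, so the waiting side can deadlock against the very handler it waits for. The synchronous cancel has to run after release_sock(), in the callers, rather than inside sco_sock_clear_timer().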

Desmond Cheong Zhi Xi

Aug 27, 2021, 3:58:39 AM
to Hillf Danton, syzbot, linux-b...@vger.kernel.org, linux-...@vger.kernel.org, luiz.vo...@intel.com, mar...@holtmann.org, syzkall...@googlegroups.com
Hi Hillf,

Thanks for looking into this.

The problem with using cancel_delayed_work_sync is that
sco_sock_clear_timer is called under the locked socket. So this
deadlocks with sco_sock_timeout.

What surprises me is that sock_hold is still being called on a killed
socket. This part of sco_sock_timeout
> sco_conn_lock(conn);
> sk = conn->sk;
> if (sk)
> sock_hold(sk);
> sco_conn_unlock(conn);

is meant to avoid races with sco_chan_del, which is called on both the
shutdown and release paths, and prevent the socket from being freed
while sco_sock_timeout is running. But I'm probably missing something,
so thoughts would be appreciated.

Hillf Danton

Aug 27, 2021, 7:15:42 AM
to Desmond Cheong Zhi Xi, syzbot, linux-b...@vger.kernel.org, linux-...@vger.kernel.org, luiz.vo...@intel.com, mar...@holtmann.org, syzkall...@googlegroups.com
On Fri, 27 Aug 2021 15:58:34 +0800 Desmond Cheong Zhi Xi wrote:
>
>The problem with using cancel_delayed_work_sync is that
>sco_sock_clear_timer is called under the locked socket. So this
>deadlocks with sco_sock_timeout.

Yes you are right and thanks for your explanation.
>
>What surprises me is that sock_hold is still being called on a killed
>socket. This part of sco_sock_timeout
>> sco_conn_lock(conn);
>> sk = conn->sk;
>> if (sk)
>> sock_hold(sk);
>> sco_conn_unlock(conn);
>
>is meant to avoid races with sco_chan_del, which is called on both the
>shutdown and release paths, and prevent the socket from being freed
>while sco_sock_timeout is running. But I'm probably missing something,
>so thoughts would be appreciated.

The report suggests a missing cancel, so add it for the closed sock.
To do that add refcount in sco_conn and get/put helpers.

+++ x/net/bluetooth/sco.c
@@ -51,6 +51,7 @@ struct sco_conn {
struct delayed_work timeout_work;

unsigned int mtu;
+ atomic_t refcount;
};

#define sco_conn_lock(c) spin_lock(&c->lock)
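Review bot: a lifetime reference count should be `refcount_t refcount;` rather than `atomic_t`, so that the get/put helpers can use refcount_inc()/refcount_dec_and_test() and an underflow or saturation is reported instead of silently wrapping.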
@@ -119,6 +120,17 @@ static void sco_sock_clear_timer(struct
cancel_delayed_work(&sco_pi(sk)->conn->timeout_work);
}

+static void sco_conn_get(struct sco_conn *conn)
+{
+ atomic_inc(&conn->refcount);
+}
+
+static void sco_conn_put(struct sco_conn *conn)
+{
+ if (conn && atomic_dec_and_test(&conn->refcount))
+ kfree(conn);
+}
+
/* ---- SCO connections ---- */
static struct sco_conn *sco_conn_add(struct hci_conn *hcon)
{
@@ -202,7 +214,7 @@ static void sco_conn_del(struct hci_conn
}

hcon->sco_data = NULL;
- kfree(conn);
+ sco_conn_put(conn);
}

static void __sco_chan_add(struct sco_conn *conn, struct sock *sk,
@@ -214,6 +226,7 @@ static void __sco_chan_add(struct sco_co
conn->sk = sk;

INIT_DELAYED_WORK(&conn->timeout_work, sco_sock_timeout);
+ atomic_set(&conn->refcount, 1);

if (parent)
bt_accept_enqueue(parent, sk, true);
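Review bot: the count is set to 1 in __sco_chan_add() rather than where the conn is allocated in sco_conn_add(), yet sco_conn_del() now frees through sco_conn_put() unconditionally. A conn that is deleted before any channel has been attached reaches atomic_dec_and_test() with a count that was never initialised to 1, so the test does not fire and the conn is leaked, whereas the old code kfree()d it regardless. Initialise the count in sco_conn_add() at allocation time.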
@@ -449,10 +462,20 @@ static void __sco_sock_close(struct sock
/* Must be called on unlocked socket. */
static void sco_sock_close(struct sock *sk)
{
+ struct sco_conn *conn;
+
lock_sock(sk);
- sco_sock_clear_timer(sk);
+ /* see comment for sco_chan_del() */
+ conn = sco_pi(sk)->conn;
+ if (conn)
+ sco_conn_get(conn);
__sco_sock_close(sk);
release_sock(sk);
+
+ if (conn) {
+ cancel_delayed_work_sync(&conn->timeout_work);
+ sco_conn_put(conn);
+ }
}

static void sco_skb_put_cmsg(struct sk_buff *skb, struct msghdr *msg,
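Review bot: dropping the locked sco_sock_clear_timer() and doing cancel_delayed_work_sync() only after release_sock() avoids the lock inversion, but callers of __sco_sock_close() other than sco_sock_close() (the follow-up in this thread mentions them) are not covered by this hunk. The comment `/* see comment for sco_chan_del() */` points at text that is not part of this diff; either add that comment or spell out the reasoning here. Taking sco_conn_get() under lock_sock() before __sco_sock_close() can clear sco_pi(sk)->conn is the right order.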

Hillf Danton

Aug 29, 2021, 4:29:50 AM
to Desmond Cheong Zhi Xi, linux-b...@vger.kernel.org, linux-...@vger.kernel.org, luiz.vo...@intel.com, syzbot, syzkall...@googlegroups.com
On Fri, 27 Aug 2021 15:58:34 +0800 Desmond Cheong Zhi Xi wrote:
>On 27/8/21 9:19 am, Hillf Danton wrote:
>> On Thu, 26 Aug 2021 09:29:24 -0700
>>> syzbot found the following issue on:
>>>
>>> HEAD commit: e3f30ab28ac8 Merge branch 'pktgen-samples-next'
>>> git tree: net-next
>>> console output: https://syzkaller.appspot.com/x/log.txt?x=13249c96300000
>>> kernel config: https://syzkaller.appspot.com/x/.config?x=ef482942966bf763
>>> dashboard link: https://syzkaller.appspot.com/bug?extid=2bef95d3ab4daa10155b
>>> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.1
>>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16a29ea9300000
>>>
>>> The issue was bisected to:
>>>
>>> commit e1dee2c1de2b4dd00eb44004a4bda6326ed07b59
>>> Author: Desmond Cheong Zhi Xi <desmond...@gmail.com>
>>> Date: Tue Aug 10 04:14:10 2021 +0000
>>>
>>> Bluetooth: fix repeated calls to sco_sock_kill

To fix the uaf, grab another hold to sock to make the timeout work safe.

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git e3f30ab28ac8

--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -190,15 +190,14 @@ static void sco_conn_del(struct hci_conn
sco_conn_unlock(conn);

if (sk) {
- sock_hold(sk);
lock_sock(sk);
sco_sock_clear_timer(sk);
sco_chan_del(sk, err);
release_sock(sk);
- sock_put(sk);

/* Ensure no more work items will run before freeing conn. */
cancel_delayed_work_sync(&conn->timeout_work);
+ sock_put(sk);
}

hcon->sco_data = NULL;
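Review bot: with the sock_hold()/sock_put() pair around the locked section removed, this branch now relies on the extra hold taken in __sco_chan_add() (next hunk) for every sk that can be found through conn->sk; please confirm that every socket stored in conn->sk went through __sco_chan_add(), otherwise the sock_put() here has no matching hold. Moving sock_put() below cancel_delayed_work_sync() is the correct order, since the socket must stay alive until the work is guaranteed not to run.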
@@ -212,6 +211,8 @@ static void __sco_chan_add(struct sco_co

sco_pi(sk)->conn = conn;
conn->sk = sk;
+ /* make timeout_work safe; will be put in sco_conn_del() */
+ sock_hold(sk);

INIT_DELAYED_WORK(&conn->timeout_work, sco_sock_timeout);

--

syzbot

Aug 29, 2021, 4:51:15 AM
to desmond...@gmail.com, hda...@sina.com, linux-b...@vger.kernel.org, linux-...@vger.kernel.org, luiz.vo...@intel.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+2bef95...@syzkaller.appspotmail.com

Tested on:

commit: e3f30ab2 Merge branch 'pktgen-samples-next'
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git
kernel config: https://syzkaller.appspot.com/x/.config?x=ef482942966bf763
dashboard link: https://syzkaller.appspot.com/bug?extid=2bef95d3ab4daa10155b
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.1
patch: https://syzkaller.appspot.com/x/patch.diff?x=108523fe300000

Note: testing is done by a robot and is best-effort only.

Desmond Cheong Zhi Xi

Aug 29, 2021, 10:53:15 AM
to Hillf Danton, linux-b...@vger.kernel.org, linux-...@vger.kernel.org, luiz.vo...@intel.com, syzbot, syzkall...@googlegroups.com
Hi Hillf,

Saw that this passed the reproducer. But on closer inspection, I think
what's happening is that sco_conn_del is never run.

So the extra sock_hold prevents a UAF, but that's because now the
reference count never goes to 0. In my opinion, something closer to your
previous proposal (+ also addressing other calls to __sco_sock_close)
where we call cancel_delayed_work_sync after the channel is deleted
would address the root cause better.

Just my two cents.

Desmond Cheong Zhi Xi

Aug 29, 2021, 2:34:16 PM
to Hillf Danton, syzbot, linux-b...@vger.kernel.org, linux-...@vger.kernel.org, luiz.vo...@intel.com, syzkall...@googlegroups.com
Ok I went back to make a more thorough audit. Even without calling
cancel_delayed_work_sync, sco_sock_timeout should not cause a UAF.

I believe the real issue is that we can allocate a connection twice in
sco_connect. This means that the first connection gets lost and we're
unable to clean it up properly.

Thoughts on this?

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git e3f30ab28ac8

--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -578,9 +578,6 @@ static int sco_sock_connect(struct socket *sock, struct sockaddr *addr, int alen
addr->sa_family != AF_BLUETOOTH)
return -EINVAL;

- if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND)
- return -EBADFD;
-
if (sk->sk_type != SOCK_SEQPACKET)
return -EINVAL;

@@ -591,6 +588,13 @@ static int sco_sock_connect(struct socket *sock, struct sockaddr *addr, int alen

lock_sock(sk);

+ if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND) {
+ hci_dev_unlock(hdev);
+ hci_dev_put(hdev);
+ err = -EBADFD;
+ goto done;
+ }
+
/* Set destination address and psm */
bacpy(&sco_pi(sk)->dst, &sa->sco_bdaddr);
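Review bot: the error branch added under lock_sock() does hci_dev_unlock() and hci_dev_put() inline before `goto done`; confirm that `done:` does not also release hdev, otherwise this path unlocks twice (the hunk does not show the label). Re-doing the BT_OPEN/BT_BOUND test under the socket lock is the substantive change: it closes the window in which two callers could both pass the unlocked check removed in the previous hunk and each attach a connection, leaving the first one unreachable.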
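A constructed single-threaded model of the ordering problem described in this message (added here, not code from the thread or from the kernel): a connect path that tests socket state before taking the socket lock lets two callers both pass the test and each attach a connection, so the first one is orphaned, while repeating the test under the lock rejects the second caller. The state values, the stand-in error code and the helper names are assumptions.

```c
/* Stand-alone model of check-then-lock ordering in a connect path.
 * Constructed for illustration; it is not the kernel's sco_sock_connect(),
 * and the state values and error code are assumed stand-ins. */
#include <assert.h>
#include <stdio.h>
#include <string.h>

enum sk_state { BT_OPEN, BT_BOUND, BT_CONNECT };   /* assumed values */
#define MODEL_EBADFD 77                            /* stand-in for EBADFD */

struct sco_sock {
    enum sk_state state;
    int locked;      /* models lock_sock()/release_sock() */
    int conn_id;     /* models sco_pi(sk)->conn; 0 means no connection */
    int allocated;   /* connections ever attached to this socket */
    int orphaned;    /* connections overwritten without being torn down */
};

/* Phase 1 of a connect(): the state test done on the unlocked socket,
 * i.e. the check that the first hunk above removes. */
static int connect_check(const struct sco_sock *sk)
{
    if (sk->state != BT_OPEN && sk->state != BT_BOUND)
        return -MODEL_EBADFD;
    return 0;
}

/* Phase 2: take the socket lock and attach a connection.  When
 * check_under_lock is set, the state test is repeated under the lock,
 * which is what the second hunk above adds. */
static int connect_commit(struct sco_sock *sk, int check_under_lock)
{
    assert(!sk->locked);   /* lock_sock(); the model is single-threaded */
    sk->locked = 1;

    if (check_under_lock &&
        sk->state != BT_OPEN && sk->state != BT_BOUND) {
        sk->locked = 0;    /* release_sock() on the error path */
        return -MODEL_EBADFD;
    }

    /* Models sco_conn_add() + __sco_chan_add(): a fresh connection is
     * created and stored in the socket. */
    sk->allocated++;
    if (sk->conn_id != 0) {
        /* The earlier connection is no longer reachable from the socket,
         * so nothing will ever run sco_conn_del()/sco_chan_del() for it. */
        sk->orphaned++;
    }
    sk->conn_id = sk->allocated;
    sk->state = BT_CONNECT;

    sk->locked = 0;        /* release_sock() */
    return 0;
}

/* Two callers A and B on the same socket, interleaved as
 * A check, B check, A commit, B commit.  Returns B's commit result. */
static int run_interleaving(struct sco_sock *sk, int check_under_lock)
{
    int ret_a, ret_b;

    memset(sk, 0, sizeof(*sk));
    sk->state = BT_BOUND;

    ret_a = connect_check(sk);
    ret_b = connect_check(sk);       /* socket still BT_BOUND: both pass */
    if (ret_a == 0)
        ret_a = connect_commit(sk, check_under_lock);
    if (ret_b == 0)
        ret_b = connect_commit(sk, check_under_lock);
    (void)ret_a;
    return ret_b;
}

/* Helpers exposing the outcome of each variant (0 = check before the
 * lock only, 1 = check repeated under the lock). */
int model_allocated(int check_under_lock)
{
    struct sco_sock sk;
    run_interleaving(&sk, check_under_lock);
    return sk.allocated;
}

int model_orphaned(int check_under_lock)
{
    struct sco_sock sk;
    run_interleaving(&sk, check_under_lock);
    return sk.orphaned;
}

int model_second_caller(int check_under_lock)
{
    struct sco_sock sk;
    return run_interleaving(&sk, check_under_lock);
}

int main(void)
{
    printf("check before lock: allocated=%d orphaned=%d second=%d\n",
           model_allocated(0), model_orphaned(0), model_second_caller(0));
    printf("check under lock:  allocated=%d orphaned=%d second=%d\n",
           model_allocated(1), model_orphaned(1), model_second_caller(1));
    return 0;
}
```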

Hillf Danton

Aug 29, 2021, 8:15:58 PM
to Desmond Cheong Zhi Xi, syzbot, linux-b...@vger.kernel.org, linux-...@vger.kernel.org, luiz.vo...@intel.com, syzkall...@googlegroups.com
On Mon, 30 Aug 2021 02:34:11 +0800 Desmond Cheong Zhi Xi wrote:
>
>Ok I went back to make a more thorough audit. Even without calling
>cancel_delayed_work_sync, sco_sock_timeout should not cause a UAF.
>
>I believe the real issue is that we can allocate a connection twice in
>sco_connect. This means that the first connection gets lost and we're
>unable to clean it up properly.
>
>Thoughts on this?

LGTM regardless of the uaf reported.

Hillf

syzbot

Aug 29, 2021, 11:50:12 PM
to desmond...@gmail.com, hda...@sina.com, linux-b...@vger.kernel.org, linux-...@vger.kernel.org, luiz.vo...@intel.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+2bef95...@syzkaller.appspotmail.com

Tested on:

commit: e3f30ab2 Merge branch 'pktgen-samples-next'
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git
kernel config: https://syzkaller.appspot.com/x/.config?x=ef482942966bf763
dashboard link: https://syzkaller.appspot.com/bug?extid=2bef95d3ab4daa10155b
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.1
patch: https://syzkaller.appspot.com/x/patch.diff?x=12580a25300000

Desmond Cheong Zhi Xi

Aug 30, 2021, 12:41:54 AM
to Hillf Danton, syzbot, linux-b...@vger.kernel.org, linux-...@vger.kernel.org, luiz.vo...@intel.com, syzkall...@googlegroups.com
On 30/8/21 8:15 am, Hillf Danton wrote:
> On Mon, 30 Aug 2021 02:34:11 +0800 Desmond Cheong Zhi Xi wrote:
>>
>> Ok I went back to make a more thorough audit. Even without calling
>> cancel_delayed_work_sync, sco_sock_timeout should not cause a UAF.
>>
>> I believe the real issue is that we can allocate a connection twice in
>> sco_connect. This means that the first connection gets lost and we're
>> unable to clean it up properly.
>>
>> Thoughts on this?
>
> LGTM regardless of the uaf reported.
>
> Hillf

Thanks for taking a look. It passed the Syzbot reproducer too, so I
think the root cause should have been addressed.

I'll write up a patch to summarize what we found out. May I include you
as a Co-developed-by: author?

Hillf Danton

Aug 30, 2021, 6:06:31 AM
to Desmond Cheong Zhi Xi, syzbot, linux-b...@vger.kernel.org, linux-...@vger.kernel.org, luiz.vo...@intel.com, syzkall...@googlegroups.com
On Mon, 30 Aug 2021 12:41:48 +0800 Desmond Cheong Zhi Xi wrote:
>
> Thanks for taking a look. It passed the Syzbot reproducer too, so I
> think the root cause should have been addressed.
>
> I'll write up a patch to summarize what we found out. May I include you
> as a Co-developed-by: author?

I prefer Cc. Thanks for your fix.

Hillf

syzbot

Feb 23, 2022, 11:15:21 AM
to da...@davemloft.net, desmond...@gmail.com, gre...@linuxfoundation.org, hda...@sina.com, johan....@gmail.com, ku...@kernel.org, linux-b...@vger.kernel.org, linux-kern...@lists.linuxfoundation.org, linux-...@vger.kernel.org, luiz....@gmail.com, luiz.vo...@intel.com, mar...@holtmann.org, net...@vger.kernel.org, sk...@linuxfoundation.org, syzkall...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: 922ea87ff6f2 ionic: use vmalloc include
git tree: net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=177984ea700000
kernel config: https://syzkaller.appspot.com/x/.config?x=d63ad23bb09039e8
dashboard link: https://syzkaller.appspot.com/bug?extid=2bef95d3ab4daa10155b
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16678596700000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=152b93e8700000

The issue was bisected to:

commit e1dee2c1de2b4dd00eb44004a4bda6326ed07b59
Author: Desmond Cheong Zhi Xi <desmond...@gmail.com>
Date: Tue Aug 10 04:14:10 2021 +0000

Bluetooth: fix repeated calls to sco_sock_kill

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=15030c91300000
final oops: https://syzkaller.appspot.com/x/report.txt?x=17030c91300000
console output: https://syzkaller.appspot.com/x/log.txt?x=13030c91300000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2bef95...@syzkaller.appspotmail.com
Fixes: e1dee2c1de2b ("Bluetooth: fix repeated calls to sco_sock_kill")

==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: use-after-free in atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:116 [inline]
BUG: KASAN: use-after-free in __refcount_add include/linux/refcount.h:193 [inline]
BUG: KASAN: use-after-free in __refcount_inc include/linux/refcount.h:250 [inline]
BUG: KASAN: use-after-free in refcount_inc include/linux/refcount.h:267 [inline]
BUG: KASAN: use-after-free in sock_hold include/net/sock.h:726 [inline]
BUG: KASAN: use-after-free in sco_sock_timeout+0x64/0x290 net/bluetooth/sco.c:89
Write of size 4 at addr ffff88801e1f5080 by task kworker/0:0/6

CPU: 0 PID: 6 Comm: kworker/0:0 Not tainted 5.17.0-rc4-syzkaller-01424-g922ea87ff6f2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events sco_sock_timeout
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description.constprop.0.cold+0x8d/0x336 mm/kasan/report.c:255
__kasan_report mm/kasan/report.c:442 [inline]
kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:116 [inline]
__refcount_add include/linux/refcount.h:193 [inline]
__refcount_inc include/linux/refcount.h:250 [inline]
refcount_inc include/linux/refcount.h:267 [inline]
sock_hold include/net/sock.h:726 [inline]
sco_sock_timeout+0x64/0x290 net/bluetooth/sco.c:89
process_one_work+0x9ac/0x1650 kernel/workqueue.c:2307
worker_thread+0x657/0x1110 kernel/workqueue.c:2454
kthread+0x2e9/0x3a0 kernel/kthread.c:377
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
</TASK>

Allocated by task 3621:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:45 [inline]
set_alloc_info mm/kasan/common.c:436 [inline]
____kasan_kmalloc mm/kasan/common.c:515 [inline]
____kasan_kmalloc mm/kasan/common.c:474 [inline]
__kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:524
kmalloc include/linux/slab.h:586 [inline]
sk_prot_alloc+0x110/0x290 net/core/sock.c:1936
sk_alloc+0x32/0xa80 net/core/sock.c:1989
sco_sock_alloc.constprop.0+0x31/0x330 net/bluetooth/sco.c:483
sco_sock_create+0xd5/0x1b0 net/bluetooth/sco.c:522
bt_sock_create+0x17c/0x340 net/bluetooth/af_bluetooth.c:130
__sock_create+0x353/0x790 net/socket.c:1468
sock_create net/socket.c:1519 [inline]
__sys_socket+0xef/0x200 net/socket.c:1561
__do_sys_socket net/socket.c:1570 [inline]
__se_sys_socket net/socket.c:1568 [inline]
__x64_sys_socket+0x6f/0xb0 net/socket.c:1568
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 3622:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
kasan_set_track+0x21/0x30 mm/kasan/common.c:45
kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
____kasan_slab_free mm/kasan/common.c:366 [inline]
____kasan_slab_free+0x126/0x160 mm/kasan/common.c:328
kasan_slab_free include/linux/kasan.h:236 [inline]
slab_free_hook mm/slub.c:1728 [inline]
slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1754
slab_free mm/slub.c:3509 [inline]
kfree+0xd0/0x390 mm/slub.c:4562
sk_prot_free net/core/sock.c:1972 [inline]
__sk_destruct+0x6c0/0x920 net/core/sock.c:2058
sk_destruct+0x131/0x180 net/core/sock.c:2076
__sk_free+0xef/0x3d0 net/core/sock.c:2087
sk_free+0x78/0xa0 net/core/sock.c:2098
sock_put include/net/sock.h:1926 [inline]
sco_sock_kill+0x18d/0x1b0 net/bluetooth/sco.c:403
sco_sock_release+0x155/0x2c0 net/bluetooth/sco.c:1259
__sock_release+0xcd/0x280 net/socket.c:650
sock_close+0x18/0x20 net/socket.c:1318
__fput+0x286/0x9f0 fs/file_table.c:317
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
get_signal+0x1de2/0x2490 kernel/signal.c:2631
arch_do_signal_or_restart+0x2a9/0x1c40 arch/x86/kernel/signal.c:868
handle_signal_work kernel/entry/common.c:148 [inline]
exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
exit_to_user_mode_prepare+0x17d/0x290 kernel/entry/common.c:207
__syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff88801e1f5000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 128 bytes inside of
2048-byte region [ffff88801e1f5000, ffff88801e1f5800)
The buggy address belongs to the page:
page:ffffea0000787c00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1e1f0
head:ffffea0000787c00 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 0000000000000000 dead000000000122 ffff888010c42000
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 3614, ts 122880165805, free_ts 122869063806
prep_new_page mm/page_alloc.c:2434 [inline]
get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4165
__alloc_pages+0x1b2/0x500 mm/page_alloc.c:5389
alloc_pages+0x1aa/0x310 mm/mempolicy.c:2271
alloc_slab_page mm/slub.c:1799 [inline]
allocate_slab+0x27f/0x3c0 mm/slub.c:1944
new_slab mm/slub.c:2004 [inline]
___slab_alloc+0xbe1/0x12b0 mm/slub.c:3018
__slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3105
slab_alloc_node mm/slub.c:3196 [inline]
slab_alloc mm/slub.c:3238 [inline]
kmem_cache_alloc_trace+0x2f8/0x3d0 mm/slub.c:3255
kmalloc include/linux/slab.h:581 [inline]
kzalloc include/linux/slab.h:715 [inline]
ipv6_add_dev+0xfe/0x12a0 net/ipv6/addrconf.c:378
addrconf_notify+0x614/0x1ba0 net/ipv6/addrconf.c:3521
notifier_call_chain+0xb5/0x200 kernel/notifier.c:84
call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1939
call_netdevice_notifiers_extack net/core/dev.c:1951 [inline]
call_netdevice_notifiers net/core/dev.c:1965 [inline]
register_netdevice+0x1102/0x15a0 net/core/dev.c:9696
register_netdev+0x2d/0x50 net/core/dev.c:9789
ip6gre_init_net+0x3cd/0x630 net/ipv6/ip6_gre.c:1610
ops_init+0xaf/0x470 net/core/net_namespace.c:134
setup_net+0x5d1/0xc50 net/core/net_namespace.c:325
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1352 [inline]
free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1404
free_unref_page_prepare mm/page_alloc.c:3325 [inline]
free_unref_page+0x19/0x690 mm/page_alloc.c:3404
__unfreeze_partials+0x320/0x340 mm/slub.c:2536
qlink_free mm/kasan/quarantine.c:157 [inline]
qlist_free_all+0x6d/0x160 mm/kasan/quarantine.c:176
kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:283
__kasan_slab_alloc+0xa2/0xc0 mm/kasan/common.c:446
kasan_slab_alloc include/linux/kasan.h:260 [inline]
slab_post_alloc_hook mm/slab.h:732 [inline]
slab_alloc_node mm/slub.c:3230 [inline]
slab_alloc mm/slub.c:3238 [inline]
kmem_cache_alloc_trace+0x258/0x3d0 mm/slub.c:3255
kmalloc include/linux/slab.h:581 [inline]
kzalloc include/linux/slab.h:715 [inline]
ref_tracker_alloc+0x14c/0x550 lib/ref_tracker.c:85
__netdev_tracker_alloc include/linux/netdevice.h:3860 [inline]
dev_hold_track include/linux/netdevice.h:3889 [inline]
dev_hold_track include/linux/netdevice.h:3884 [inline]
netdev_queue_add_kobject net/core/net-sysfs.c:1650 [inline]
netdev_queue_update_kobjects+0x1a7/0x4e0 net/core/net-sysfs.c:1705
register_queue_kobjects net/core/net-sysfs.c:1766 [inline]
netdev_register_kobject+0x35a/0x430 net/core/net-sysfs.c:2012
register_netdevice+0xd9d/0x15a0 net/core/dev.c:9663
__ip_tunnel_create+0x398/0x5c0 net/ipv4/ip_tunnel.c:267
ip_tunnel_init_net+0x2e4/0x9d0 net/ipv4/ip_tunnel.c:1070
ops_init+0xaf/0x470 net/core/net_namespace.c:134
setup_net+0x5d1/0xc50 net/core/net_namespace.c:325
copy_net_ns+0x318/0x760 net/core/net_namespace.c:471

Memory state around the buggy address:
ffff88801e1f4f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88801e1f5000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88801e1f5080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88801e1f5100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88801e1f5180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

syzbot

Feb 26, 2022, 1:11:12 PM
to phin...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

WARNING in __mod_memcg_lruvec_state

------------[ cut here ]------------
WARNING: CPU: 0 PID: 34 at mm/memcontrol.c:749 __mod_memcg_lruvec_state+0x1ab/0x220
Modules linked in:
CPU: 0 PID: 34 Comm: khugepaged Not tainted 5.17.0-rc5-next-20220225-syzkaller-09128-g06aeb1495c39 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__mod_memcg_lruvec_state+0x1ab/0x220
Code: bb 13 92 0e 48 c7 c7 a0 b6 d9 89 e8 df cd 95 07 65 c7 05 f4 c8 37 7e 00 00 00 00 48 83 c4 08 5b 5d 41 5c 41 5d 41 5e 41 5f c3 <0f> 0b e9 a6 fe ff ff 4c 89 f6 48 c7 c7 60 63 ee 8b e8 0f fb 45 02
RSP: 0018:ffffc90000ab7b68 EFLAGS: 00010202
RAX: 0000000000000206 RBX: 0000000000000200 RCX: ffffffff81aafa53
RDX: 1ffff1100218fa8d RSI: 000000000000001c RDI: ffff888010c7d468
RBP: ffff888010c7d000 R08: 0000000000000001 R09: ffffffff8ba144e7
R10: fffffbfff174289c R11: 0000000000000001 R12: 000000000000001c
R13: ffff888010e60000 R14: ffff888010e60000 R15: ffff88813fffa000
FS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fcdb3e6a000 CR3: 0000000021a66000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__mod_lruvec_page_state+0x1e5/0x3e0
page_add_new_anon_rmap+0x2e5/0x930
khugepaged+0x5675/0x6720
kthread+0x2e9/0x3a0
ret_from_fork+0x1f/0x30
</TASK>

[ 53.821112][ T34] ------------[ cut here ]------------
[ 53.827109][ T34] WARNING: CPU: 0 PID: 34 at mm/memcontrol.c:749 __mod_memcg_lruvec_state+0x1ab/0x220
[ 53.837302][ T34] Modules linked in:
[ 53.841230][ T34] CPU: 0 PID: 34 Comm: khugepaged Not tainted 5.17.0-rc5-next-20220225-syzkaller-09128-g06aeb1495c39 #0
[ 53.852923][ T34] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 53.863180][ T34] RIP: 0010:__mod_memcg_lruvec_state+0x1ab/0x220
[ 53.870101][ T34] Code: bb 13 92 0e 48 c7 c7 a0 b6 d9 89 e8 df cd 95 07 65 c7 05 f4 c8 37 7e 00 00 00 00 48 83 c4 08 5b 5d 41 5c 41 5d 41 5e 41 5f c3 <0f> 0b e9 a6 fe ff ff 4c 89 f6 48 c7 c7 60 63 ee 8b e8 0f fb 45 02
[ 53.890382][ T34] RSP: 0018:ffffc90000ab7b68 EFLAGS: 00010202
[ 53.896639][ T34] RAX: 0000000000000206 RBX: 0000000000000200 RCX: ffffffff81aafa53
[ 53.904890][ T34] RDX: 1ffff1100218fa8d RSI: 000000000000001c RDI: ffff888010c7d468
[ 53.912865][ T34] RBP: ffff888010c7d000 R08: 0000000000000001 R09: ffffffff8ba144e7
[ 53.921359][ T34] R10: fffffbfff174289c R11: 0000000000000001 R12: 000000000000001c
[ 53.929495][ T34] R13: ffff888010e60000 R14: ffff888010e60000 R15: ffff88813fffa000
[ 53.937547][ T34] FS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
[ 53.946917][ T34] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 53.953664][ T34] CR2: 00007fcdb3e6a000 CR3: 0000000021a66000 CR4: 00000000003506f0
[ 53.961660][ T34] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 53.969784][ T34] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 53.977806][ T34] Call Trace:
[ 53.981130][ T34] <TASK>
[ 53.984111][ T34] __mod_lruvec_page_state+0x1e5/0x3e0
[ 53.989618][ T34] page_add_new_anon_rmap+0x2e5/0x930
[ 53.995254][ T34] khugepaged+0x5675/0x6720
[ 53.999892][ T34] ? collapse_pte_mapped_thp+0xbd0/0xbd0
[ 54.005678][ T34] ? finish_wait+0x270/0x270
[ 54.010294][ T34] ? __kthread_parkme+0xce/0x220
[ 54.015303][ T34] ? lock_downgrade+0x6e0/0x6e0
[ 54.020196][ T34] ? lockdep_hardirqs_on+0x79/0x100
[ 54.025653][ T34] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 54.031930][ T34] ? __kthread_parkme+0x15f/0x220
[ 54.037130][ T34] ? collapse_pte_mapped_thp+0xbd0/0xbd0
[ 54.042789][ T34] kthread+0x2e9/0x3a0
[ 54.047258][ T34] ? kthread_complete_and_exit+0x40/0x40
[ 54.052960][ T34] ret_from_fork+0x1f/0x30
[ 54.057652][ T34] </TASK>
[ 54.060668][ T34] Kernel panic - not syncing: panic_on_warn set ...
[ 54.067237][ T34] CPU: 0 PID: 34 Comm: khugepaged Not tainted 5.17.0-rc5-next-20220225-syzkaller-09128-g06aeb1495c39 #0
[ 54.078332][ T34] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 54.088393][ T34] Call Trace:
[ 54.091777][ T34] <TASK>
[ 54.094705][ T34] dump_stack_lvl+0xcd/0x134
[ 54.099301][ T34] panic+0x2d7/0x735
[ 54.103204][ T34] ? __warn_printk+0xf3/0xf3
[ 54.107807][ T34] ? __warn.cold+0x1d1/0x2c5
[ 54.112404][ T34] ? __mod_memcg_lruvec_state+0x1ab/0x220
[ 54.118138][ T34] __warn.cold+0x1e2/0x2c5
[ 54.122570][ T34] ? __mod_memcg_lruvec_state+0x1ab/0x220
[ 54.128301][ T34] report_bug+0x1bd/0x210
[ 54.132651][ T34] handle_bug+0x3c/0x60
[ 54.136804][ T34] exc_invalid_op+0x14/0x40
[ 54.141304][ T34] asm_exc_invalid_op+0x12/0x20
[ 54.146198][ T34] RIP: 0010:__mod_memcg_lruvec_state+0x1ab/0x220
[ 54.152649][ T34] Code: bb 13 92 0e 48 c7 c7 a0 b6 d9 89 e8 df cd 95 07 65 c7 05 f4 c8 37 7e 00 00 00 00 48 83 c4 08 5b 5d 41 5c 41 5d 41 5e 41 5f c3 <0f> 0b e9 a6 fe ff ff 4c 89 f6 48 c7 c7 60 63 ee 8b e8 0f fb 45 02
[ 54.172279][ T34] RSP: 0018:ffffc90000ab7b68 EFLAGS: 00010202
[ 54.178358][ T34] RAX: 0000000000000206 RBX: 0000000000000200 RCX: ffffffff81aafa53
[ 54.186504][ T34] RDX: 1ffff1100218fa8d RSI: 000000000000001c RDI: ffff888010c7d468
[ 54.194475][ T34] RBP: ffff888010c7d000 R08: 0000000000000001 R09: ffffffff8ba144e7
[ 54.202461][ T34] R10: fffffbfff174289c R11: 0000000000000001 R12: 000000000000001c
[ 54.210521][ T34] R13: ffff888010e60000 R14: ffff888010e60000 R15: ffff88813fffa000
[ 54.218499][ T34] ? __mod_node_page_state+0xf3/0x130
[ 54.223919][ T34] __mod_lruvec_page_state+0x1e5/0x3e0
[ 54.229405][ T34] page_add_new_anon_rmap+0x2e5/0x930
[ 54.235145][ T34] khugepaged+0x5675/0x6720
[ 54.239681][ T34] ? collapse_pte_mapped_thp+0xbd0/0xbd0
[ 54.245503][ T34] ? finish_wait+0x270/0x270
[ 54.250130][ T34] ? __kthread_parkme+0xce/0x220
[ 54.255106][ T34] ? lock_downgrade+0x6e0/0x6e0
[ 54.259988][ T34] ? lockdep_hardirqs_on+0x79/0x100
[ 54.265198][ T34] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 54.271468][ T34] ? __kthread_parkme+0x15f/0x220
[ 54.276529][ T34] ? collapse_pte_mapped_thp+0xbd0/0xbd0
[ 54.282182][ T34] kthread+0x2e9/0x3a0
[ 54.286277][ T34] ? kthread_complete_and_exit+0x40/0x40
[ 54.291945][ T34] ret_from_fork+0x1f/0x30
[ 54.296404][ T34] </TASK>
[ 54.299667][ T34] Kernel Offset: disabled
[ 54.304407][ T34] Rebooting in 86400 seconds..



Tested on:

commit: 06aeb149 Add linux-next specific files for 20220225
git tree: linux-next
kernel config: https://syzkaller.appspot.com/x/.config?x=e66975300ad76350
dashboard link: https://syzkaller.appspot.com/bug?extid=2bef95d3ab4daa10155b
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2

Note: no patches were applied.

Hillf Danton

Feb 26, 2022, 9:56:19 PM
to syzbot, desmond...@gmail.com, linux-b...@vger.kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com
On Wed, 23 Feb 2022 08:15:19 -0800
Fix uaf by waiting for the timeout work to complete.

Another more complicated fix is to close the sock with sco_chan deleted.

Hillf

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git/ 922ea87ff6f2

--- x/net/bluetooth/sco.c
+++ y/net/bluetooth/sco.c
@@ -445,6 +445,11 @@ static void sco_sock_close(struct sock *
sco_sock_clear_timer(sk);
__sco_sock_close(sk);
release_sock(sk);
+
+ if (sco_pi(sk)->conn) {
+ /* sock zapped without calling sco_chan_del() */
+ cancel_delayed_work_sync(&sco_pi(sk)->conn->timeout_work);
+ }
}

static void sco_skb_put_cmsg(struct sk_buff *skb, struct msghdr *msg,
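Review bot: the `if (sco_pi(sk)->conn)` test and the `cancel_delayed_work_sync()` on `conn->timeout_work` are placed after `release_sock(sk)`, so the conn pointer is read and dereferenced without the socket lock and can race with whatever clears or frees the connection; the decision whether there is a conn to wait for belongs before the `release_sock(sk)` line, and the code needs to hold something that keeps the work's target alive across the synchronous cancel, which this hunk does not. The comment "sock zapped without calling sco_chan_del()" names the state being handled but not why the default close path leaves the channel attached; that reasoning should be in the patch description. Note also that syzbot's retest of this patch still reports `sock_hold` in `sco_sock_timeout` writing to the sock freed from `sco_sock_kill` via `sock_put`, so waiting here is not enough: the timeout work must be cancelled or finished before the final `sock_put` that frees the sock.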
--

syzbot

Feb 26, 2022, 10:07:09 PM
to desmond...@gmail.com, hda...@sina.com, linux-b...@vger.kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Write in sco_sock_timeout

Bluetooth: hci0: command 0x040f tx timeout
Bluetooth: hci0: command 0x0405 tx timeout
==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: use-after-free in atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:116 [inline]
BUG: KASAN: use-after-free in __refcount_add include/linux/refcount.h:193 [inline]
BUG: KASAN: use-after-free in __refcount_inc include/linux/refcount.h:250 [inline]
BUG: KASAN: use-after-free in refcount_inc include/linux/refcount.h:267 [inline]
BUG: KASAN: use-after-free in sock_hold include/net/sock.h:726 [inline]
BUG: KASAN: use-after-free in sco_sock_timeout+0x64/0x290 net/bluetooth/sco.c:89
Write of size 4 at addr ffff888021031080 by task kworker/0:3/1132

CPU: 0 PID: 1132 Comm: kworker/0:3 Not tainted 5.17.0-rc4-syzkaller-01424-g922ea87ff6f2-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events sco_sock_timeout
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description.constprop.0.cold+0x8d/0x336 mm/kasan/report.c:255
__kasan_report mm/kasan/report.c:442 [inline]
kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:116 [inline]
__refcount_add include/linux/refcount.h:193 [inline]
__refcount_inc include/linux/refcount.h:250 [inline]
refcount_inc include/linux/refcount.h:267 [inline]
sock_hold include/net/sock.h:726 [inline]
sco_sock_timeout+0x64/0x290 net/bluetooth/sco.c:89
process_one_work+0x9ac/0x1650 kernel/workqueue.c:2307
worker_thread+0x657/0x1110 kernel/workqueue.c:2454
kthread+0x2e9/0x3a0 kernel/kthread.c:377
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
</TASK>

Allocated by task 4058:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:45 [inline]
set_alloc_info mm/kasan/common.c:436 [inline]
____kasan_kmalloc mm/kasan/common.c:515 [inline]
____kasan_kmalloc mm/kasan/common.c:474 [inline]
__kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:524
kmalloc include/linux/slab.h:586 [inline]
sk_prot_alloc+0x110/0x290 net/core/sock.c:1936
sk_alloc+0x32/0xa80 net/core/sock.c:1989
sco_sock_alloc.constprop.0+0x31/0x330 net/bluetooth/sco.c:488
sco_sock_create+0xd5/0x1b0 net/bluetooth/sco.c:527
bt_sock_create+0x17c/0x340 net/bluetooth/af_bluetooth.c:130
__sock_create+0x353/0x790 net/socket.c:1468
sock_create net/socket.c:1519 [inline]
__sys_socket+0xef/0x200 net/socket.c:1561
__do_sys_socket net/socket.c:1570 [inline]
__se_sys_socket net/socket.c:1568 [inline]
__x64_sys_socket+0x6f/0xb0 net/socket.c:1568
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 4058:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
kasan_set_track+0x21/0x30 mm/kasan/common.c:45
kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
____kasan_slab_free mm/kasan/common.c:366 [inline]
____kasan_slab_free+0x126/0x160 mm/kasan/common.c:328
kasan_slab_free include/linux/kasan.h:236 [inline]
slab_free_hook mm/slub.c:1728 [inline]
slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1754
slab_free mm/slub.c:3509 [inline]
kfree+0xd0/0x390 mm/slub.c:4562
sk_prot_free net/core/sock.c:1972 [inline]
__sk_destruct+0x6c0/0x920 net/core/sock.c:2058
sk_destruct+0x131/0x180 net/core/sock.c:2076
__sk_free+0xef/0x3d0 net/core/sock.c:2087
sk_free+0x78/0xa0 net/core/sock.c:2098
sock_put include/net/sock.h:1926 [inline]
sco_sock_kill+0x18d/0x1b0 net/bluetooth/sco.c:403
sco_sock_release+0x197/0x310 net/bluetooth/sco.c:1264
__sock_release+0xcd/0x280 net/socket.c:650
sock_close+0x18/0x20 net/socket.c:1318
__fput+0x286/0x9f0 fs/file_table.c:317
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
get_signal+0x1de2/0x2490 kernel/signal.c:2631
arch_do_signal_or_restart+0x2a9/0x1c40 arch/x86/kernel/signal.c:868
handle_signal_work kernel/entry/common.c:148 [inline]
exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
exit_to_user_mode_prepare+0x17d/0x290 kernel/entry/common.c:207
__syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff888021031000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 128 bytes inside of
2048-byte region [ffff888021031000, ffff888021031800)
The buggy address belongs to the page:
page:ffffea0000840c00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x21030
head:ffffea0000840c00 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888010c42000
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd28c0(GFP_NOWAIT|__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 3595, ts 45073525139, free_ts 36261730425
prep_new_page mm/page_alloc.c:2434 [inline]
get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4165
__alloc_pages+0x1b2/0x500 mm/page_alloc.c:5389
alloc_pages+0x1aa/0x310 mm/mempolicy.c:2271
alloc_slab_page mm/slub.c:1799 [inline]
allocate_slab+0x27f/0x3c0 mm/slub.c:1944
new_slab mm/slub.c:2004 [inline]
___slab_alloc+0xbe1/0x12b0 mm/slub.c:3018
__slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3105
slab_alloc_node mm/slub.c:3196 [inline]
__kmalloc_node_track_caller+0x339/0x470 mm/slub.c:4957
kmalloc_reserve net/core/skbuff.c:354 [inline]
pskb_expand_head+0x15e/0x1060 net/core/skbuff.c:1699
netlink_trim+0x1ea/0x240 net/netlink/af_netlink.c:1299
netlink_broadcast+0x5b/0xd50 net/netlink/af_netlink.c:1495
nlmsg_multicast include/net/netlink.h:1033 [inline]
nlmsg_notify+0x8f/0x280 net/netlink/af_netlink.c:2537
rtnl_notify net/core/rtnetlink.c:730 [inline]
rtmsg_ifinfo_send net/core/rtnetlink.c:3857 [inline]
rtmsg_ifinfo_event net/core/rtnetlink.c:3872 [inline]
rtmsg_ifinfo_event net/core/rtnetlink.c:3860 [inline]
rtnetlink_event+0x193/0x1d0 net/core/rtnetlink.c:5649
notifier_call_chain+0xb5/0x200 kernel/notifier.c:84
call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1939
__netdev_upper_dev_link+0x3fd/0x7f0 net/core/dev.c:7483
netdev_upper_dev_link+0x8a/0xc0 net/core/dev.c:7524
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1352 [inline]
free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1404
free_unref_page_prepare mm/page_alloc.c:3325 [inline]
free_unref_page+0x19/0x690 mm/page_alloc.c:3404
__put_page+0x193/0x1e0 mm/swap.c:128
folio_put include/linux/mm.h:1199 [inline]
put_page include/linux/mm.h:1237 [inline]
__skb_frag_unref include/linux/skbuff.h:3249 [inline]
skb_release_data+0x49d/0x790 net/core/skbuff.c:672
skb_release_all net/core/skbuff.c:742 [inline]
__kfree_skb+0x46/0x60 net/core/skbuff.c:756
__sk_defer_free_flush net/ipv4/tcp.c:1600 [inline]
sk_defer_free_flush include/net/tcp.h:1380 [inline]
tcp_recvmsg+0x1ca/0x610 net/ipv4/tcp.c:2574
inet_recvmsg+0x11b/0x5e0 net/ipv4/af_inet.c:850
sock_recvmsg_nosec net/socket.c:948 [inline]
sock_recvmsg net/socket.c:966 [inline]
sock_recvmsg net/socket.c:962 [inline]
sock_read_iter+0x33c/0x470 net/socket.c:1039
call_read_iter include/linux/fs.h:2068 [inline]
new_sync_read+0x5c2/0x6e0 fs/read_write.c:400
vfs_read+0x35c/0x600 fs/read_write.c:481
ksys_read+0x1ee/0x250 fs/read_write.c:619
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae

Memory state around the buggy address:
ffff888021030f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888021031000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888021031080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888021031100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888021031180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit: 922ea87f ionic: use vmalloc include
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=152f4b46700000
kernel config: https://syzkaller.appspot.com/x/.config?x=d63ad23bb09039e8
dashboard link: https://syzkaller.appspot.com/bug?extid=2bef95d3ab4daa10155b
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=170926a2700000

Hillf Danton

Feb 26, 2022, 10:28:00 PM
to syzbot, desmond...@gmail.com, linux-b...@vger.kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com
On Sat, 26 Feb 2022 19:07:08 -0800
Fix uaf by closing sock with sco_chan deleted.

Hillf

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git/ 922ea87ff6f2

--- x/net/bluetooth/sco.c
+++ y/net/bluetooth/sco.c
@@ -432,6 +432,7 @@ static void __sco_sock_close(struct sock
break;

default:
+ sco_chan_del(sk, ECONNRESET);
sock_set_flag(sk, SOCK_ZAPPED);
break;
}
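Review bot: the added `sco_chan_del(sk, ECONNRESET);` in the `default:` arm of `__sco_sock_close()` runs for every socket state the explicit cases do not handle, yet nothing in the patch says which states those are or why ECONNRESET is the right error for a locally initiated close in all of them; the description should list the states that reach `default:` and justify the error value, or choose it per state. More importantly, syzbot's retest of this patch reports the same `sock_hold` in `sco_sock_timeout` writing to the sock freed by `sco_sock_kill`, so detaching the channel before setting `SOCK_ZAPPED` does not stop timeout work that is already queued: the work has to be cancelled or flushed before the final `sock_put` drops the sock.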
--

syzbot

Feb 26, 2022, 10:39:15 PM
to desmond...@gmail.com, hda...@sina.com, linux-b...@vger.kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Write in sco_sock_timeout

Bluetooth: hci0: command 0x0419 tx timeout
Bluetooth: hci0: command 0x0405 tx timeout
==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: use-after-free in atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:116 [inline]
BUG: KASAN: use-after-free in __refcount_add include/linux/refcount.h:193 [inline]
BUG: KASAN: use-after-free in __refcount_inc include/linux/refcount.h:250 [inline]
BUG: KASAN: use-after-free in refcount_inc include/linux/refcount.h:267 [inline]
BUG: KASAN: use-after-free in sock_hold include/net/sock.h:726 [inline]
BUG: KASAN: use-after-free in sco_sock_timeout+0x64/0x290 net/bluetooth/sco.c:89
Write of size 4 at addr ffff888074aac080 by task kworker/1:2/141

CPU: 1 PID: 141 Comm: kworker/1:2 Not tainted 5.17.0-rc4-syzkaller-01424-g922ea87ff6f2-dirty #0
sco_sock_alloc.constprop.0+0x31/0x330 net/bluetooth/sco.c:484
sco_sock_create+0xd5/0x1b0 net/bluetooth/sco.c:523
bt_sock_create+0x17c/0x340 net/bluetooth/af_bluetooth.c:130
__sock_create+0x353/0x790 net/socket.c:1468
sock_create net/socket.c:1519 [inline]
__sys_socket+0xef/0x200 net/socket.c:1561
__do_sys_socket net/socket.c:1570 [inline]
__se_sys_socket net/socket.c:1568 [inline]
__x64_sys_socket+0x6f/0xb0 net/socket.c:1568
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 4059:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
kasan_set_track+0x21/0x30 mm/kasan/common.c:45
kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
____kasan_slab_free mm/kasan/common.c:366 [inline]
____kasan_slab_free+0x126/0x160 mm/kasan/common.c:328
kasan_slab_free include/linux/kasan.h:236 [inline]
slab_free_hook mm/slub.c:1728 [inline]
slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1754
slab_free mm/slub.c:3509 [inline]
kfree+0xd0/0x390 mm/slub.c:4562
sk_prot_free net/core/sock.c:1972 [inline]
__sk_destruct+0x6c0/0x920 net/core/sock.c:2058
sk_destruct+0x131/0x180 net/core/sock.c:2076
__sk_free+0xef/0x3d0 net/core/sock.c:2087
sk_free+0x78/0xa0 net/core/sock.c:2098
sock_put include/net/sock.h:1926 [inline]
sco_sock_kill+0x18d/0x1b0 net/bluetooth/sco.c:403
sco_sock_release+0x155/0x2c0 net/bluetooth/sco.c:1260
__sock_release+0xcd/0x280 net/socket.c:650
sock_close+0x18/0x20 net/socket.c:1318
__fput+0x286/0x9f0 fs/file_table.c:317
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
get_signal+0x1de2/0x2490 kernel/signal.c:2631
arch_do_signal_or_restart+0x2a9/0x1c40 arch/x86/kernel/signal.c:868
handle_signal_work kernel/entry/common.c:148 [inline]
exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
exit_to_user_mode_prepare+0x17d/0x290 kernel/entry/common.c:207
__syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff888074aac000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 128 bytes inside of
2048-byte region [ffff888074aac000, ffff888074aac800)
The buggy address belongs to the page:
page:ffffea0001d2aa00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x74aa8
head:ffffea0001d2aa00 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 ffffea000078ac00 dead000000000002 ffff888010c42000
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 3593, ts 45984233319, free_ts 45950800073
prep_new_page mm/page_alloc.c:2434 [inline]
get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4165
__alloc_pages+0x1b2/0x500 mm/page_alloc.c:5389
alloc_pages+0x1aa/0x310 mm/mempolicy.c:2271
alloc_slab_page mm/slub.c:1799 [inline]
allocate_slab+0x27f/0x3c0 mm/slub.c:1944
new_slab mm/slub.c:2004 [inline]
___slab_alloc+0xbe1/0x12b0 mm/slub.c:3018
__slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3105
slab_alloc_node mm/slub.c:3196 [inline]
slab_alloc mm/slub.c:3238 [inline]
__kmalloc+0x372/0x450 mm/slub.c:4420
kmalloc include/linux/slab.h:586 [inline]
kzalloc include/linux/slab.h:715 [inline]
__register_sysctl_table+0x112/0x1090 fs/proc/proc_sysctl.c:1335
__devinet_sysctl_register+0x156/0x280 net/ipv4/devinet.c:2588
devinet_sysctl_register net/ipv4/devinet.c:2628 [inline]
devinet_sysctl_register+0x160/0x230 net/ipv4/devinet.c:2618
inetdev_init+0x286/0x580 net/ipv4/devinet.c:279
inetdev_event+0xa8a/0x15d0 net/ipv4/devinet.c:1536
notifier_call_chain+0xb5/0x200 kernel/notifier.c:84
call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1939
call_netdevice_notifiers_extack net/core/dev.c:1951 [inline]
call_netdevice_notifiers net/core/dev.c:1965 [inline]
register_netdevice+0x1102/0x15a0 net/core/dev.c:9696
veth_newlink+0x59c/0xa90 drivers/net/veth.c:1725
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1352 [inline]
free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1404
free_unref_page_prepare mm/page_alloc.c:3325 [inline]
free_unref_page+0x19/0x690 mm/page_alloc.c:3404
__unfreeze_partials+0x320/0x340 mm/slub.c:2536
qlink_free mm/kasan/quarantine.c:157 [inline]
qlist_free_all+0x6d/0x160 mm/kasan/quarantine.c:176
kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:283
__kasan_slab_alloc+0xa2/0xc0 mm/kasan/common.c:446
kasan_slab_alloc include/linux/kasan.h:260 [inline]
slab_post_alloc_hook mm/slab.h:732 [inline]
slab_alloc_node mm/slub.c:3230 [inline]
slab_alloc mm/slub.c:3238 [inline]
kmem_cache_alloc_trace+0x258/0x3d0 mm/slub.c:3255
kmalloc include/linux/slab.h:581 [inline]
kzalloc include/linux/slab.h:715 [inline]
ref_tracker_alloc+0x14c/0x550 lib/ref_tracker.c:85
__netdev_tracker_alloc include/linux/netdevice.h:3860 [inline]
dev_hold_track include/linux/netdevice.h:3889 [inline]
dev_hold_track include/linux/netdevice.h:3884 [inline]
netdev_queue_add_kobject net/core/net-sysfs.c:1650 [inline]
netdev_queue_update_kobjects+0x1a7/0x4e0 net/core/net-sysfs.c:1705
register_queue_kobjects net/core/net-sysfs.c:1766 [inline]
netdev_register_kobject+0x35a/0x430 net/core/net-sysfs.c:2012
register_netdevice+0xd9d/0x15a0 net/core/dev.c:9663
veth_newlink+0x405/0xa90 drivers/net/veth.c:1694
__rtnl_newlink+0x107c/0x1760 net/core/rtnetlink.c:3483
rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3531
rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5598
netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494

Memory state around the buggy address:
ffff888074aabf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888074aac000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888074aac080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888074aac100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888074aac180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit: 922ea87f ionic: use vmalloc include
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=118926a2700000
kernel config: https://syzkaller.appspot.com/x/.config?x=d63ad23bb09039e8
dashboard link: https://syzkaller.appspot.com/bug?extid=2bef95d3ab4daa10155b
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=130215b6700000

Hillf Danton

Feb 27, 2022, 1:08:39 AM
to syzbot, desmond...@gmail.com, linux-b...@vger.kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com
On Sat, 26 Feb 2022 19:39:14 -0800
V1: Fix uaf by closing sock with sco_chan deleted.

Hillf

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git/ 922ea87ff6f2

--- x/net/bluetooth/sco.c
+++ y/net/bluetooth/sco.c
@@ -444,6 +444,7 @@ static void sco_sock_close(struct sock *
lock_sock(sk);
sco_sock_clear_timer(sk);
__sco_sock_close(sk);
+ sco_chan_del(sk, ECONNRESET);
release_sock(sk);
}
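Review bot: the new sco_chan_del(sk, ECONNRESET) call is unconditional, but the hunk does not show what __sco_sock_close(sk) on the line above has already done to the channel for the socket's current sk->sk_state, so from this context a reviewer cannot tell whether the call repeats a detach that already happened or detaches a socket that __sco_sock_close() deliberately left attached while disconnecting; please say in the changelog why calling it here is correct for every state. The V1 description ("closing sock with sco_chan deleted") also does not explain how this ends the race with sco_sock_timeout, which reads conn->sk under the conn lock rather than under lock_sock(), so a one-line comment above the call stating what the detach guarantees to the timeout work would make the intent reviewable.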

--

syzbot

Feb 27, 2022, 1:20:08 AM
to desmond...@gmail.com, hda...@sina.com, linux-b...@vger.kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Write in sco_sock_timeout

==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: use-after-free in atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:116 [inline]
BUG: KASAN: use-after-free in __refcount_add include/linux/refcount.h:193 [inline]
BUG: KASAN: use-after-free in __refcount_inc include/linux/refcount.h:250 [inline]
BUG: KASAN: use-after-free in refcount_inc include/linux/refcount.h:267 [inline]
BUG: KASAN: use-after-free in sock_hold include/net/sock.h:726 [inline]
BUG: KASAN: use-after-free in sco_sock_timeout+0x64/0x290 net/bluetooth/sco.c:89
Write of size 4 at addr ffff88801d165080 by task kworker/0:1/8

CPU: 0 PID: 8 Comm: kworker/0:1 Not tainted 5.17.0-rc4-syzkaller-01424-g922ea87ff6f2-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events sco_sock_timeout
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description.constprop.0.cold+0x8d/0x336 mm/kasan/report.c:255
__kasan_report mm/kasan/report.c:442 [inline]
kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:116 [inline]
__refcount_add include/linux/refcount.h:193 [inline]
__refcount_inc include/linux/refcount.h:250 [inline]
refcount_inc include/linux/refcount.h:267 [inline]
sock_hold include/net/sock.h:726 [inline]
sco_sock_timeout+0x64/0x290 net/bluetooth/sco.c:89
process_one_work+0x9ac/0x1650 kernel/workqueue.c:2307
worker_thread+0x657/0x1110 kernel/workqueue.c:2454
kthread+0x2e9/0x3a0 kernel/kthread.c:377
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
</TASK>

Allocated by task 4059:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:45 [inline]
set_alloc_info mm/kasan/common.c:436 [inline]
____kasan_kmalloc mm/kasan/common.c:515 [inline]
____kasan_kmalloc mm/kasan/common.c:474 [inline]
__kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:524
kmalloc include/linux/slab.h:586 [inline]
sk_prot_alloc+0x110/0x290 net/core/sock.c:1936
sk_alloc+0x32/0xa80 net/core/sock.c:1989
sco_sock_alloc.constprop.0+0x31/0x330 net/bluetooth/sco.c:484
sco_sock_create+0xd5/0x1b0 net/bluetooth/sco.c:523
bt_sock_create+0x17c/0x340 net/bluetooth/af_bluetooth.c:130
__sock_create+0x353/0x790 net/socket.c:1468
sock_create net/socket.c:1519 [inline]
__sys_socket+0xef/0x200 net/socket.c:1561
__do_sys_socket net/socket.c:1570 [inline]
__se_sys_socket net/socket.c:1568 [inline]
__x64_sys_socket+0x6f/0xb0 net/socket.c:1568
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 4060:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
kasan_set_track+0x21/0x30 mm/kasan/common.c:45
kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
____kasan_slab_free mm/kasan/common.c:366 [inline]
____kasan_slab_free+0x126/0x160 mm/kasan/common.c:328
kasan_slab_free include/linux/kasan.h:236 [inline]
slab_free_hook mm/slub.c:1728 [inline]
slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1754
slab_free mm/slub.c:3509 [inline]
kfree+0xd0/0x390 mm/slub.c:4562
sk_prot_free net/core/sock.c:1972 [inline]
__sk_destruct+0x6c0/0x920 net/core/sock.c:2058
sk_destruct+0x131/0x180 net/core/sock.c:2076
__sk_free+0xef/0x3d0 net/core/sock.c:2087
sk_free+0x78/0xa0 net/core/sock.c:2098
sock_put include/net/sock.h:1926 [inline]
sco_sock_kill+0x18d/0x1b0 net/bluetooth/sco.c:403
sco_sock_release+0x162/0x2d0 net/bluetooth/sco.c:1260
__sock_release+0xcd/0x280 net/socket.c:650
sock_close+0x18/0x20 net/socket.c:1318
__fput+0x286/0x9f0 fs/file_table.c:317
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
get_signal+0x1de2/0x2490 kernel/signal.c:2631
arch_do_signal_or_restart+0x2a9/0x1c40 arch/x86/kernel/signal.c:868
handle_signal_work kernel/entry/common.c:148 [inline]
exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
exit_to_user_mode_prepare+0x17d/0x290 kernel/entry/common.c:207
__syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae

Last potentially related work creation:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
__kasan_record_aux_stack+0xbe/0xd0 mm/kasan/generic.c:348
__call_rcu kernel/rcu/tree.c:3026 [inline]
call_rcu+0xb1/0x740 kernel/rcu/tree.c:3106
netlink_release+0xf08/0x1db0 net/netlink/af_netlink.c:813
__sock_release+0xcd/0x280 net/socket.c:650
sock_close+0x18/0x20 net/socket.c:1318
__fput+0x286/0x9f0 fs/file_table.c:317
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_user_mode_loop kernel/entry/common.c:175 [inline]
exit_to_user_mode_prepare+0x27e/0x290 kernel/entry/common.c:207
__syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae

Second to last potentially related work creation:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
__kasan_record_aux_stack+0xbe/0xd0 mm/kasan/generic.c:348
__call_rcu kernel/rcu/tree.c:3026 [inline]
call_rcu+0xb1/0x740 kernel/rcu/tree.c:3106
netlink_release+0xf08/0x1db0 net/netlink/af_netlink.c:813
__sock_release+0xcd/0x280 net/socket.c:650
sock_close+0x18/0x20 net/socket.c:1318
__fput+0x286/0x9f0 fs/file_table.c:317
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_user_mode_loop kernel/entry/common.c:175 [inline]
exit_to_user_mode_prepare+0x27e/0x290 kernel/entry/common.c:207
__syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff88801d165000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 128 bytes inside of
2048-byte region [ffff88801d165000, ffff88801d165800)
The buggy address belongs to the page:
page:ffffea0000745800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d160
head:ffffea0000745800 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 ffffea000070c000 dead000000000002 ffff888010c42000
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 54, ts 8464675040, free_ts 0
prep_new_page mm/page_alloc.c:2434 [inline]
get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4165
__alloc_pages+0x1b2/0x500 mm/page_alloc.c:5389
alloc_pages+0x1aa/0x310 mm/mempolicy.c:2271
alloc_slab_page mm/slub.c:1799 [inline]
allocate_slab+0x27f/0x3c0 mm/slub.c:1944
new_slab mm/slub.c:2004 [inline]
___slab_alloc+0xbe1/0x12b0 mm/slub.c:3018
__slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3105
slab_alloc_node mm/slub.c:3196 [inline]
slab_alloc mm/slub.c:3238 [inline]
__kmalloc+0x372/0x450 mm/slub.c:4420
kmalloc include/linux/slab.h:586 [inline]
kzalloc include/linux/slab.h:715 [inline]
scsi_alloc_target+0x132/0xc60 drivers/scsi/scsi_scan.c:498
__scsi_scan_target+0x13a/0xdb0 drivers/scsi/scsi_scan.c:1632
scsi_scan_channel drivers/scsi/scsi_scan.c:1737 [inline]
scsi_scan_channel+0x148/0x1e0 drivers/scsi/scsi_scan.c:1713
scsi_scan_host_selected+0x2df/0x3b0 drivers/scsi/scsi_scan.c:1766
do_scsi_scan_host+0x1e8/0x260 drivers/scsi/scsi_scan.c:1905
do_scan_async+0x3e/0x500 drivers/scsi/scsi_scan.c:1915
async_run_entry_fn+0x9d/0x550 kernel/async.c:127
process_one_work+0x9ac/0x1650 kernel/workqueue.c:2307
worker_thread+0x657/0x1110 kernel/workqueue.c:2454
page_owner free stack trace missing

Memory state around the buggy address:
ffff88801d164f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88801d165000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88801d165080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88801d165100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88801d165180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit: 922ea87f ionic: use vmalloc include
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=144f85da700000
kernel config: https://syzkaller.appspot.com/x/.config?x=d63ad23bb09039e8
dashboard link: https://syzkaller.appspot.com/bug?extid=2bef95d3ab4daa10155b
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=16e9136c700000

Hillf Danton

Feb 27, 2022, 2:40:58 AM
to syzbot, desmond...@gmail.com, linux-b...@vger.kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com
On Sat, 26 Feb 2022 22:20:07 -0800
V2: Fix uaf by making conn->sk stable throughout its life span.

Hillf

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git/ 922ea87ff6f2

--- x/net/bluetooth/sco.c
+++ y/net/bluetooth/sco.c
@@ -203,6 +203,8 @@ static void sco_conn_del(struct hci_conn

/* Ensure no more work items will run before freeing conn. */
cancel_delayed_work_sync(&conn->timeout_work);
+ if (sk)
+ sock_put(sk);

hcon->sco_data = NULL;
kfree(conn);
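Review bot: the sock_put(sk) added here is the only release shown for the sock_hold() that __sco_chan_add() now takes, so the reference is balanced only when the channel is torn down through sco_conn_del(); any path that clears conn->sk without reaching sco_conn_del() (the socket being closed from the user side while the hci_conn stays up) would keep the socket referenced forever, and a socket that is never freed would also hide the use-after-free the reproducer hits rather than fix it. Please either drop the reference wherever conn->sk is set to NULL or explain why sco_conn_del() is the only detach path, and confirm that the `sk` tested here is the pointer read from conn->sk earlier in the function (the hunk context does not show that assignment) rather than a value that may already be NULL while the hold is still owed.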
@@ -215,6 +217,7 @@ static void __sco_chan_add(struct sco_co

sco_pi(sk)->conn = conn;
conn->sk = sk;
+ sock_hold(sk);

if (parent)
bt_accept_enqueue(parent, sk, true);
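Review bot: the new sock_hold(sk) introduces an ownership rule (the sco_conn holds a reference on conn->sk for as long as the pointer is set) that nothing in the hunk documents; add a comment at this line stating that conn now owns a reference and naming where it is dropped, for example `/* conn->sk holds a reference; dropped in sco_conn_del() */`, so that the next change that clears conn->sk elsewhere does not leak or double-drop the socket. The changelog should also say that this lifetime change is what closes the race reported in sco_sock_timeout, which calls sock_hold() on conn->sk after the socket could already have been freed.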
--

syzbot

Feb 27, 2022, 2:53:13 AM
to desmond...@gmail.com, hda...@sina.com, linux-b...@vger.kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+2bef95...@syzkaller.appspotmail.com

Tested on:

commit: 922ea87f ionic: use vmalloc include
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git/
kernel config: https://syzkaller.appspot.com/x/.config?x=3f802340579dda19
dashboard link: https://syzkaller.appspot.com/bug?extid=2bef95d3ab4daa10155b
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=134f85da700000