KASAN: use-after-free Read in hci_cmd_timeout


syzbot

Aug 31, 2019, 10:37:08 PM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 97ab07e1 Linux 4.19.69
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=13f88c0a600000
kernel config: https://syzkaller.appspot.com/x/.config?x=a73820df154c3af
dashboard link: https://syzkaller.appspot.com/bug?extid=fba50ca40cd875b49388
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+fba50c...@syzkaller.appspotmail.com

Bluetooth: hci3: command 0xfc11 tx timeout
Bluetooth: hci3: Entering manufacturer mode failed (-110)
Bluetooth: hci4: command tx timeout
Bluetooth: hci0: Entering manufacturer mode failed (-110)
==================================================================
BUG: KASAN: use-after-free in hci_cmd_timeout+0x1ba/0x1d0 net/bluetooth/hci_core.c:2574
Read of size 2 at addr ffff8880a7ced008 by task kworker/0:0/5

CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 4.19.69 #43
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events hci_cmd_timeout
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
print_address_description.cold+0x7c/0x20d mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396
__asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:443
hci_cmd_timeout+0x1ba/0x1d0 net/bluetooth/hci_core.c:2574
process_one_work+0x989/0x1750 kernel/workqueue.c:2153
worker_thread+0x98/0xe40 kernel/workqueue.c:2296
kthread+0x354/0x420 kernel/kthread.c:246
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

Allocated by task 8721:
save_stack+0x45/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc mm/kasan/kasan.c:553 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:531
__do_kmalloc_node mm/slab.c:3689 [inline]
__kmalloc_node_track_caller+0x51/0x80 mm/slab.c:3703
__kmalloc_reserve.isra.0+0x40/0xf0 net/core/skbuff.c:137
__alloc_skb+0x10b/0x5f0 net/core/skbuff.c:205
alloc_skb include/linux/skbuff.h:995 [inline]
bt_skb_alloc include/net/bluetooth/bluetooth.h:339 [inline]
hci_prepare_cmd+0x30/0x230 net/bluetooth/hci_request.c:292
hci_req_add_ev+0xb0/0x210 net/bluetooth/hci_request.c:326
__hci_cmd_sync_ev+0xfc/0x1c0 net/bluetooth/hci_request.c:138
__hci_cmd_sync+0x37/0x50 net/bluetooth/hci_request.c:187
btintel_enter_mfg+0x2e/0x90 drivers/bluetooth/btintel.c:82
ag6xx_setup+0x106/0x820 drivers/bluetooth/hci_ag6xx.c:180
hci_uart_setup+0x1c1/0x490 drivers/bluetooth/hci_ldisc.c:431
hci_dev_do_open+0x674/0x14a0 net/bluetooth/hci_core.c:1423
hci_power_on+0x10d/0x580 net/bluetooth/hci_core.c:2130
process_one_work+0x989/0x1750 kernel/workqueue.c:2153
worker_thread+0x98/0xe40 kernel/workqueue.c:2296
kthread+0x354/0x420 kernel/kthread.c:246
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

Freed by task 8721:
save_stack+0x45/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
__cache_free mm/slab.c:3503 [inline]
kfree+0xcf/0x220 mm/slab.c:3822
skb_free_head+0x99/0xc0 net/core/skbuff.c:554
skb_release_data+0x57d/0x7d0 net/core/skbuff.c:574
skb_release_all+0x4d/0x60 net/core/skbuff.c:631
__kfree_skb net/core/skbuff.c:645 [inline]
kfree_skb net/core/skbuff.c:663 [inline]
kfree_skb+0xe8/0x390 net/core/skbuff.c:657
hci_dev_do_open+0xd8c/0x14a0 net/bluetooth/hci_core.c:1509
hci_power_on+0x10d/0x580 net/bluetooth/hci_core.c:2130
process_one_work+0x989/0x1750 kernel/workqueue.c:2153
worker_thread+0x98/0xe40 kernel/workqueue.c:2296
kthread+0x354/0x420 kernel/kthread.c:246
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

The buggy address belongs to the object at ffff8880a7ced000
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 8 bytes inside of
512-byte region [ffff8880a7ced000, ffff8880a7ced200)
The buggy address belongs to the page:
page:ffffea00029f3b40 count:1 mapcount:0 mapping:ffff88812c3f0940 index:0x0
flags: 0x1fffc0000000100(slab)
raw: 01fffc0000000100 ffffea000224aa08 ffffea0001959688 ffff88812c3f0940
raw: 0000000000000000 ffff8880a7ced000 0000000100000006 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8880a7cecf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880a7cecf80: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff8880a7ced000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880a7ced080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880a7ced100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Sep 6, 2019, 4:31:10 PM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 414510bc Linux 4.14.142
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=173ba0e6600000
kernel config: https://syzkaller.appspot.com/x/.config?x=9aa0b2ccd827f416
dashboard link: https://syzkaller.appspot.com/bug?extid=188c65dac35116b39205
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=141ad751600000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+188c65...@syzkaller.appspotmail.com

Bluetooth: hci4 command 0xfc11 tx timeout
Bluetooth: hci4: Entering manufacturer mode failed (-110)
Bluetooth: hci5: Entering manufacturer mode failed (-110)
Bluetooth: hci1: Entering manufacturer mode failed (-110)
==================================================================
BUG: KASAN: use-after-free in hci_cmd_timeout+0x1b4/0x1c0 net/bluetooth/hci_core.c:2524
Read of size 8 at addr ffff888093045c58 by task kworker/1:0/18

CPU: 1 PID: 18 Comm: kworker/1:0 Not tainted 4.14.142 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events hci_cmd_timeout
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x138/0x197 lib/dump_stack.c:53
print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
hci_cmd_timeout+0x1b4/0x1c0 net/bluetooth/hci_core.c:2524
process_one_work+0x863/0x1600 kernel/workqueue.c:2114
kobject: 'rfkill119' (ffff888098b16c68): kobject_cleanup, parent (null)
worker_thread+0x5d9/0x1050 kernel/workqueue.c:2248
kthread+0x319/0x430 kernel/kthread.c:232
kobject: 'rfkill119' (ffff888098b16c68): calling ktype release
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

Allocated by task 6904:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:489
kmem_cache_alloc+0x12e/0x780 mm/slab.c:3552
skb_clone+0x129/0x320 net/core/skbuff.c:1282
hci_cmd_work+0xc8/0x230 net/bluetooth/hci_core.c:4273
process_one_work+0x863/0x1600 kernel/workqueue.c:2114
worker_thread+0x5d9/0x1050 kernel/workqueue.c:2248
kthread+0x319/0x430 kernel/kthread.c:232
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

Freed by task 6879:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
kobject: 'rfkill119': free name
__cache_free mm/slab.c:3496 [inline]
kmem_cache_free+0x83/0x2b0 mm/slab.c:3758
kfree_skbmem net/core/skbuff.c:586 [inline]
kfree_skbmem+0xac/0x120 net/core/skbuff.c:580
__kfree_skb net/core/skbuff.c:646 [inline]
kfree_skb+0xbd/0x340 net/core/skbuff.c:663
hci_dev_do_open+0x9db/0xf80 net/bluetooth/hci_core.c:1469
hci_power_on+0x8d/0x3d0 net/bluetooth/hci_core.c:2080
process_one_work+0x863/0x1600 kernel/workqueue.c:2114
kobject: 'hci5' (ffff8880a0b29da8): kobject_uevent_env
worker_thread+0x5d9/0x1050 kernel/workqueue.c:2248
kthread+0x319/0x430 kernel/kthread.c:232
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

The buggy address belongs to the object at ffff888093045b80
which belongs to the cache skbuff_head_cache of size 232
The buggy address is located 216 bytes inside of
232-byte region [ffff888093045b80, ffff888093045c68)
The buggy address belongs to the page:
kobject: 'hci5' (ffff8880a0b29da8): fill_kobj_path: path = '/devices/virtual/bluetooth/hci5'
page:ffffea00024c1140 count:1 mapcount:0 mapping:ffff888093045040 index:0x0
flags: 0x1fffc0000000100(slab)
raw: 01fffc0000000100 ffff888093045040 0000000000000000 000000010000000c
raw: ffffea000252e1a0 ffffea000271cca0 ffff88821b7203c0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff888093045b00: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
ffff888093045b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff888093045c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
^
ffff888093045c80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
ffff888093045d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

syzbot

Dec 6, 2019, 4:34:10 PM
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following crash on:

HEAD commit: a844dc4c Linux 4.14.158
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14439e41e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=e820c54dee153942
dashboard link: https://syzkaller.appspot.com/bug?extid=188c65dac35116b39205
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1475a90ee00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10df382ee00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+188c65...@syzkaller.appspotmail.com

Bluetooth: hci5: Frame reassembly failed (-84)
Bluetooth: hci1: Entering manufacturer mode failed (-110)
Bluetooth: hci1 command 0xfc11 tx timeout
Bluetooth: hci2: Entering manufacturer mode failed (-110)
==================================================================
BUG: KASAN: use-after-free in hci_cmd_timeout+0x1aa/0x1c0 net/bluetooth/hci_core.c:2525
Read of size 2 at addr ffff88809ded8cc8 by task kworker/0:1/24

CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.158-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events hci_cmd_timeout
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x142/0x197 lib/dump_stack.c:58
print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
__asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:440
hci_cmd_timeout+0x1aa/0x1c0 net/bluetooth/hci_core.c:2525
process_one_work+0x863/0x1600 kernel/workqueue.c:2114
worker_thread+0x5d9/0x1050 kernel/workqueue.c:2248
kthread+0x319/0x430 kernel/kthread.c:232
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

Allocated by task 6991:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
__do_kmalloc_node mm/slab.c:3682 [inline]
__kmalloc_node_track_caller+0x51/0x80 mm/slab.c:3696
__kmalloc_reserve.isra.0+0x40/0xe0 net/core/skbuff.c:137
__alloc_skb+0xcf/0x500 net/core/skbuff.c:205
alloc_skb include/linux/skbuff.h:980 [inline]
bt_skb_alloc include/net/bluetooth/bluetooth.h:336 [inline]
hci_prepare_cmd+0x30/0x220 net/bluetooth/hci_request.c:298
hci_req_add_ev+0xa3/0x200 net/bluetooth/hci_request.c:332
__hci_cmd_sync_ev+0x152/0x610 net/bluetooth/hci_request.c:129
__hci_cmd_sync+0x37/0x50 net/bluetooth/hci_request.c:185
btintel_enter_mfg+0x74/0xe0 drivers/bluetooth/btintel.c:81
ag6xx_setup+0xfb/0x770 drivers/bluetooth/hci_ag6xx.c:180
hci_uart_setup+0x1a3/0x430 drivers/bluetooth/hci_ldisc.c:429
hci_dev_do_open+0x575/0xf80 net/bluetooth/hci_core.c:1384
hci_power_on+0x8d/0x3d0 net/bluetooth/hci_core.c:2080
process_one_work+0x863/0x1600 kernel/workqueue.c:2114
worker_thread+0x5d9/0x1050 kernel/workqueue.c:2248
kthread+0x319/0x430 kernel/kthread.c:232
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

Freed by task 6991:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xcc/0x270 mm/slab.c:3815
skb_free_head+0x8b/0xb0 net/core/skbuff.c:554
skb_release_data+0x543/0x7c0 net/core/skbuff.c:574
skb_release_all+0x4d/0x60 net/core/skbuff.c:631
__kfree_skb net/core/skbuff.c:645 [inline]
kfree_skb+0xb5/0x350 net/core/skbuff.c:663
hci_dev_do_open+0x9db/0xf80 net/bluetooth/hci_core.c:1469
hci_power_on+0x8d/0x3d0 net/bluetooth/hci_core.c:2080
process_one_work+0x863/0x1600 kernel/workqueue.c:2114
worker_thread+0x5d9/0x1050 kernel/workqueue.c:2248
kthread+0x319/0x430 kernel/kthread.c:232
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

The buggy address belongs to the object at ffff88809ded8cc0
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 8 bytes inside of
512-byte region [ffff88809ded8cc0, ffff88809ded8ec0)
The buggy address belongs to the page:
page:ffffea000277b600 count:1 mapcount:0 mapping:ffff88809ded8040 index:0x0
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffff88809ded8040 0000000000000000 0000000100000006
raw: ffffea00026c61e0 ffffea00026d1420 ffff8880aa800940 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff88809ded8b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88809ded8c00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
> ffff88809ded8c80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
^
ffff88809ded8d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88809ded8d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

syzbot

Dec 6, 2019, 7:15:09 PM
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following crash on:

HEAD commit: fb683b5e Linux 4.19.88
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=11388f36e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=598969d2888c3fa1
dashboard link: https://syzkaller.appspot.com/bug?extid=fba50ca40cd875b49388
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15a00aeae00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+fba50c...@syzkaller.appspotmail.com

Bluetooth: hci5: command 0xfc11 tx timeout
Bluetooth: hci5: Entering manufacturer mode failed (-110)
Bluetooth: hci5: Frame reassembly failed (-84)
Bluetooth: hci0: Entering manufacturer mode failed (-110)
==================================================================
BUG: KASAN: use-after-free in hci_cmd_timeout+0x1ba/0x1d0 net/bluetooth/hci_core.c:2574
Read of size 2 at addr ffff8880970b27c8 by task kworker/1:2/13226

CPU: 1 PID: 13226 Comm: kworker/1:2 Not tainted 4.19.88-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events hci_cmd_timeout
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_address_description.cold+0x7c/0x20d mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396
__asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:443
hci_cmd_timeout+0x1ba/0x1d0 net/bluetooth/hci_core.c:2574
process_one_work+0x989/0x1750 kernel/workqueue.c:2153
worker_thread+0x98/0xe40 kernel/workqueue.c:2296
kthread+0x354/0x420 kernel/kthread.c:246
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

Allocated by task 8014:
save_stack+0x45/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc mm/kasan/kasan.c:553 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:531
__do_kmalloc_node mm/slab.c:3689 [inline]
__kmalloc_node_track_caller+0x51/0x80 mm/slab.c:3703
__kmalloc_reserve.isra.0+0x40/0xf0 net/core/skbuff.c:137
__alloc_skb+0x10b/0x5f0 net/core/skbuff.c:205
alloc_skb include/linux/skbuff.h:995 [inline]
bt_skb_alloc include/net/bluetooth/bluetooth.h:339 [inline]
hci_prepare_cmd+0x30/0x230 net/bluetooth/hci_request.c:292
hci_req_add_ev+0xb0/0x210 net/bluetooth/hci_request.c:326
__hci_cmd_sync_ev+0xfc/0x1c0 net/bluetooth/hci_request.c:138
__hci_cmd_sync+0x37/0x50 net/bluetooth/hci_request.c:187
btintel_enter_mfg+0x2e/0x90 drivers/bluetooth/btintel.c:82
ag6xx_setup+0x106/0x820 drivers/bluetooth/hci_ag6xx.c:180
hci_uart_setup+0x1c1/0x490 drivers/bluetooth/hci_ldisc.c:431
hci_dev_do_open+0x674/0x14a0 net/bluetooth/hci_core.c:1423
hci_power_on+0x10d/0x580 net/bluetooth/hci_core.c:2130
process_one_work+0x989/0x1750 kernel/workqueue.c:2153
worker_thread+0x98/0xe40 kernel/workqueue.c:2296
kthread+0x354/0x420 kernel/kthread.c:246
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

Freed by task 8014:
save_stack+0x45/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
__cache_free mm/slab.c:3503 [inline]
kfree+0xcf/0x220 mm/slab.c:3822
skb_free_head+0x99/0xc0 net/core/skbuff.c:554
skb_release_data+0x619/0x8d0 net/core/skbuff.c:574
skb_release_all+0x4d/0x60 net/core/skbuff.c:631
__kfree_skb net/core/skbuff.c:645 [inline]
kfree_skb net/core/skbuff.c:663 [inline]
kfree_skb+0xe8/0x390 net/core/skbuff.c:657
hci_dev_do_open+0xd8c/0x14a0 net/bluetooth/hci_core.c:1509
hci_power_on+0x10d/0x580 net/bluetooth/hci_core.c:2130
process_one_work+0x989/0x1750 kernel/workqueue.c:2153
worker_thread+0x98/0xe40 kernel/workqueue.c:2296
kthread+0x354/0x420 kernel/kthread.c:246
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

The buggy address belongs to the object at ffff8880970b27c0
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 8 bytes inside of
512-byte region [ffff8880970b27c0, ffff8880970b29c0)
The buggy address belongs to the page:
page:ffffea00025c2c80 count:1 mapcount:0 mapping:ffff88812c31c940 index:0xffff8880970b2a40
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffffea00025868c8 ffffea00029e0308 ffff88812c31c940
raw: ffff8880970b2a40 ffff8880970b2040 0000000100000002 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8880970b2680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880970b2700: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
> ffff8880970b2780: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
^
ffff8880970b2800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880970b2880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
