KASAN: use-after-free Read in skb_dequeue (2)
20 views
Skip to first unread message
syzbot
Aug 16, 2021, 2:05:26 AM8/16/21
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 59456c9cc40c Linux 4.19.204
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=167f96ee300000
kernel config: https://syzkaller.appspot.com/x/.config?x=a84b4514346e13dc
dashboard link: https://syzkaller.appspot.com/bug?extid=0be1a2e39756cde33649
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10040216300000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=171b6b09300000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+0be1a2...@syzkaller.appspotmail.com
Bluetooth: hci10: Frame reassembly failed (-84)
Bluetooth: hci10: Received unexpected HCI Event 00000000
Bluetooth: hci11: Frame reassembly failed (-84)
Bluetooth: hci11: Received unexpected HCI Event 00000000
==================================================================
BUG: KASAN: use-after-free in __skb_unlink include/linux/skbuff.h:1916 [inline]
BUG: KASAN: use-after-free in __skb_dequeue include/linux/skbuff.h:1936 [inline]
BUG: KASAN: use-after-free in skb_dequeue+0x15f/0x180 net/core/skbuff.c:2838
Read of size 8 at addr ffff8880a154ee80 by task kworker/u5:3/8166
CPU: 0 PID: 8166 Comm: kworker/u5:3 Not tainted 4.19.204-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: hci11 hci_rx_work
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
kasan_report mm/kasan/report.c:412 [inline]
__asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433
__skb_unlink include/linux/skbuff.h:1916 [inline]
__skb_dequeue include/linux/skbuff.h:1936 [inline]
skb_dequeue+0x15f/0x180 net/core/skbuff.c:2838
hci_rx_work+0x6d/0xc70 net/bluetooth/hci_core.c:4331
process_one_work+0x864/0x1570 kernel/workqueue.c:2153
worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
kthread+0x33f/0x460 kernel/kthread.c:259
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
Allocated by task 9547:
kmem_cache_alloc_node+0x146/0x3b0 mm/slab.c:3649
__alloc_skb+0x71/0x560 net/core/skbuff.c:193
alloc_skb include/linux/skbuff.h:995 [inline]
bt_skb_alloc include/net/bluetooth/bluetooth.h:339 [inline]
h4_recv_buf+0x57c/0xda0 drivers/bluetooth/hci_h4.c:197
h4_recv+0xdf/0x1f0 drivers/bluetooth/hci_h4.c:131
hci_uart_tty_receive+0x221/0x530 drivers/bluetooth/hci_ldisc.c:621
tiocsti drivers/tty/tty_io.c:2194 [inline]
tty_ioctl+0xff8/0x15c0 drivers/tty/tty_io.c:2580
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:501 [inline]
do_vfs_ioctl+0xcdb/0x12e0 fs/ioctl.c:688
ksys_ioctl+0x9b/0xc0 fs/ioctl.c:705
__do_sys_ioctl fs/ioctl.c:712 [inline]
__se_sys_ioctl fs/ioctl.c:710 [inline]
__x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:710
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 8166:
__cache_free mm/slab.c:3503 [inline]
kmem_cache_free+0x7f/0x260 mm/slab.c:3765
kfree_skbmem+0xc1/0x140 net/core/skbuff.c:595
__kfree_skb net/core/skbuff.c:655 [inline]
kfree_skb+0x127/0x3d0 net/core/skbuff.c:672
hci_event_packet+0x32c/0x7e20 net/bluetooth/hci_event.c:5963
hci_rx_work+0x4ad/0xc70 net/bluetooth/hci_core.c:4366
process_one_work+0x864/0x1570 kernel/workqueue.c:2153
worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
kthread+0x33f/0x460 kernel/kthread.c:259
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
The buggy address belongs to the object at ffff8880a154ee80
which belongs to the cache skbuff_head_cache of size 232
The buggy address is located 0 bytes inside of
232-byte region [ffff8880a154ee80, ffff8880a154ef68)
The buggy address belongs to the page:
page:ffffea0002855380 count:1 mapcount:0 mapping:ffff8880b5b8fd80 index:0x0
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffffea0002662908 ffffea000266a808 ffff8880b5b8fd80
raw: 0000000000000000 ffff8880a154e0c0 000000010000000c 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880a154ed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880a154ee00: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
>ffff8880a154ee80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880a154ef00: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
ffff8880a154ef80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following issue on:
HEAD commit: 59456c9cc40c Linux 4.19.204
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=167f96ee300000
kernel config: https://syzkaller.appspot.com/x/.config?x=a84b4514346e13dc
dashboard link: https://syzkaller.appspot.com/bug?extid=0be1a2e39756cde33649
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10040216300000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=171b6b09300000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+0be1a2...@syzkaller.appspotmail.com
Bluetooth: hci10: Frame reassembly failed (-84)
Bluetooth: hci10: Received unexpected HCI Event 00000000
Bluetooth: hci11: Frame reassembly failed (-84)
Bluetooth: hci11: Received unexpected HCI Event 00000000
==================================================================
BUG: KASAN: use-after-free in __skb_unlink include/linux/skbuff.h:1916 [inline]
BUG: KASAN: use-after-free in __skb_dequeue include/linux/skbuff.h:1936 [inline]
BUG: KASAN: use-after-free in skb_dequeue+0x15f/0x180 net/core/skbuff.c:2838
Read of size 8 at addr ffff8880a154ee80 by task kworker/u5:3/8166
CPU: 0 PID: 8166 Comm: kworker/u5:3 Not tainted 4.19.204-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: hci11 hci_rx_work
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
kasan_report mm/kasan/report.c:412 [inline]
__asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433
__skb_unlink include/linux/skbuff.h:1916 [inline]
__skb_dequeue include/linux/skbuff.h:1936 [inline]
skb_dequeue+0x15f/0x180 net/core/skbuff.c:2838
hci_rx_work+0x6d/0xc70 net/bluetooth/hci_core.c:4331
process_one_work+0x864/0x1570 kernel/workqueue.c:2153
worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
kthread+0x33f/0x460 kernel/kthread.c:259
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
Allocated by task 9547:
kmem_cache_alloc_node+0x146/0x3b0 mm/slab.c:3649
__alloc_skb+0x71/0x560 net/core/skbuff.c:193
alloc_skb include/linux/skbuff.h:995 [inline]
bt_skb_alloc include/net/bluetooth/bluetooth.h:339 [inline]
h4_recv_buf+0x57c/0xda0 drivers/bluetooth/hci_h4.c:197
h4_recv+0xdf/0x1f0 drivers/bluetooth/hci_h4.c:131
hci_uart_tty_receive+0x221/0x530 drivers/bluetooth/hci_ldisc.c:621
tiocsti drivers/tty/tty_io.c:2194 [inline]
tty_ioctl+0xff8/0x15c0 drivers/tty/tty_io.c:2580
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:501 [inline]
do_vfs_ioctl+0xcdb/0x12e0 fs/ioctl.c:688
ksys_ioctl+0x9b/0xc0 fs/ioctl.c:705
__do_sys_ioctl fs/ioctl.c:712 [inline]
__se_sys_ioctl fs/ioctl.c:710 [inline]
__x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:710
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 8166:
__cache_free mm/slab.c:3503 [inline]
kmem_cache_free+0x7f/0x260 mm/slab.c:3765
kfree_skbmem+0xc1/0x140 net/core/skbuff.c:595
__kfree_skb net/core/skbuff.c:655 [inline]
kfree_skb+0x127/0x3d0 net/core/skbuff.c:672
hci_event_packet+0x32c/0x7e20 net/bluetooth/hci_event.c:5963
hci_rx_work+0x4ad/0xc70 net/bluetooth/hci_core.c:4366
process_one_work+0x864/0x1570 kernel/workqueue.c:2153
worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
kthread+0x33f/0x460 kernel/kthread.c:259
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
The buggy address belongs to the object at ffff8880a154ee80
which belongs to the cache skbuff_head_cache of size 232
The buggy address is located 0 bytes inside of
232-byte region [ffff8880a154ee80, ffff8880a154ef68)
The buggy address belongs to the page:
page:ffffea0002855380 count:1 mapcount:0 mapping:ffff8880b5b8fd80 index:0x0
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffffea0002662908 ffffea000266a808 ffff8880b5b8fd80
raw: 0000000000000000 ffff8880a154e0c0 000000010000000c 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880a154ed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880a154ee00: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
>ffff8880a154ee80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880a154ef00: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
ffff8880a154ef80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot
Oct 15, 2021, 7:37:09 AM10/15/21
to syzkaller...@googlegroups.com
syzbot suspects this issue was fixed by commit:
commit f7bffefa322a3d5a292c0b7a9b93302b392928f6
Author: Nguyen Dinh Phi <phin...@gmail.com>
Date: Mon Aug 23 00:06:41 2021 +0000
tty: Fix data race between tiocsti() and flush_to_ldisc()
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=11adaefb300000
start commit: 59456c9cc40c Linux 4.19.204
git tree: linux-4.19.y
#syz fix: tty: Fix data race between tiocsti() and flush_to_ldisc()
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
commit f7bffefa322a3d5a292c0b7a9b93302b392928f6
Author: Nguyen Dinh Phi <phin...@gmail.com>
Date: Mon Aug 23 00:06:41 2021 +0000
tty: Fix data race between tiocsti() and flush_to_ldisc()
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=11adaefb300000
start commit: 59456c9cc40c Linux 4.19.204
git tree: linux-4.19.y
kernel config: https://syzkaller.appspot.com/x/.config?x=a84b4514346e13dc
dashboard link: https://syzkaller.appspot.com/bug?extid=0be1a2e39756cde33649
dashboard link: https://syzkaller.appspot.com/bug?extid=0be1a2e39756cde33649
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10040216300000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=171b6b09300000
If the result looks correct, please mark the issue as fixed by replying with:
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=171b6b09300000
#syz fix: tty: Fix data race between tiocsti() and flush_to_ldisc()
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
Reply all
Reply to author
Forward
0 new messages