KASAN: use-after-free Read in sco_sock_timeout
15 views
Skip to first unread message
syzbot
Feb 10, 2022, 8:41:21 AM2/10/22
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 21ad423fe521 Linux 4.14.265
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1028f428700000
kernel config: https://syzkaller.appspot.com/x/.config?x=f79494e54ef9cb67
dashboard link: https://syzkaller.appspot.com/bug?extid=721232d643053b0b56d9
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+721232...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x2c57/0x3f20 kernel/locking/lockdep.c:3369
Read of size 8 at addr ffff888092d5b5a0 by task kworker/0:3/19468
CPU: 0 PID: 19468 Comm: kworker/0:3 Not tainted 4.14.265-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events sco_sock_timeout
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x1b2/0x281 lib/dump_stack.c:58
print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
kasan_report_error.cold+0x8a/0x191 mm/kasan/report.c:351
kasan_report mm/kasan/report.c:409 [inline]
__asan_report_load8_noabort+0x68/0x70 mm/kasan/report.c:430
__lock_acquire+0x2c57/0x3f20 kernel/locking/lockdep.c:3369
lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:152
spin_lock include/linux/spinlock.h:317 [inline]
sco_sock_timeout+0x7b/0x1a0 net/bluetooth/sco.c:95
process_one_work+0x793/0x14a0 kernel/workqueue.c:2117
worker_thread+0x5cc/0xff0 kernel/workqueue.c:2251
kthread+0x30d/0x420 kernel/kthread.c:232
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
Allocated by task 29165:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551
__do_kmalloc mm/slab.c:3720 [inline]
__kmalloc+0x15a/0x400 mm/slab.c:3729
kmalloc include/linux/slab.h:493 [inline]
sk_prot_alloc+0x1ba/0x290 net/core/sock.c:1484
sk_alloc+0x36/0xcd0 net/core/sock.c:1538
sco_sock_alloc.constprop.0+0x31/0x200 net/bluetooth/sco.c:476
sco_sock_create+0xc5/0x180 net/bluetooth/sco.c:511
bt_sock_create+0x13b/0x280 net/bluetooth/af_bluetooth.c:130
__sock_create+0x303/0x620 net/socket.c:1275
sock_create net/socket.c:1315 [inline]
SYSC_socket net/socket.c:1345 [inline]
SyS_socket+0xd1/0x1b0 net/socket.c:1325
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
Freed by task 29165:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0xc3/0x1a0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xc9/0x250 mm/slab.c:3815
sk_prot_free net/core/sock.c:1521 [inline]
__sk_destruct+0x5e3/0x760 net/core/sock.c:1600
sk_destruct net/core/sock.c:1615 [inline]
__sk_free+0xd9/0x2d0 net/core/sock.c:1623
sk_free+0x2b/0x40 net/core/sock.c:1634
sock_put include/net/sock.h:1664 [inline]
sco_sock_kill.part.0+0x97/0xb0 net/bluetooth/sco.c:408
sco_sock_kill net/bluetooth/sco.c:400 [inline]
sco_sock_release+0x17d/0x2f0 net/bluetooth/sco.c:1043
__sock_release+0xcd/0x2b0 net/socket.c:602
sock_close+0x15/0x20 net/socket.c:1139
__fput+0x25f/0x7a0 fs/file_table.c:210
task_work_run+0x11f/0x190 kernel/task_work.c:113
get_signal+0x18a3/0x1ca0 kernel/signal.c:2223
do_signal+0x7c/0x1550 arch/x86/kernel/signal.c:792
exit_to_usermode_loop+0x160/0x200 arch/x86/entry/common.c:160
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x46/0xbb
The buggy address belongs to the object at ffff888092d5b500
which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 160 bytes inside of
2048-byte region [ffff888092d5b500, ffff888092d5bd00)
The buggy address belongs to the page:
page:ffffea00024b5680 count:1 mapcount:0 mapping:ffff888092d5a400 index:0x0 compound_mapcount: 0
flags: 0xfff00000008100(slab|head)
raw: 00fff00000008100 ffff888092d5a400 0000000000000000 0000000100000003
raw: ffffea0002bc44a0 ffffea0002d5d2a0 ffff88813fe74c40 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888092d5b480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888092d5b500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888092d5b580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888092d5b600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888092d5b680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following issue on:
HEAD commit: 21ad423fe521 Linux 4.14.265
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1028f428700000
kernel config: https://syzkaller.appspot.com/x/.config?x=f79494e54ef9cb67
dashboard link: https://syzkaller.appspot.com/bug?extid=721232d643053b0b56d9
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+721232...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x2c57/0x3f20 kernel/locking/lockdep.c:3369
Read of size 8 at addr ffff888092d5b5a0 by task kworker/0:3/19468
CPU: 0 PID: 19468 Comm: kworker/0:3 Not tainted 4.14.265-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events sco_sock_timeout
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x1b2/0x281 lib/dump_stack.c:58
print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
kasan_report_error.cold+0x8a/0x191 mm/kasan/report.c:351
kasan_report mm/kasan/report.c:409 [inline]
__asan_report_load8_noabort+0x68/0x70 mm/kasan/report.c:430
__lock_acquire+0x2c57/0x3f20 kernel/locking/lockdep.c:3369
lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:152
spin_lock include/linux/spinlock.h:317 [inline]
sco_sock_timeout+0x7b/0x1a0 net/bluetooth/sco.c:95
process_one_work+0x793/0x14a0 kernel/workqueue.c:2117
worker_thread+0x5cc/0xff0 kernel/workqueue.c:2251
kthread+0x30d/0x420 kernel/kthread.c:232
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
Allocated by task 29165:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551
__do_kmalloc mm/slab.c:3720 [inline]
__kmalloc+0x15a/0x400 mm/slab.c:3729
kmalloc include/linux/slab.h:493 [inline]
sk_prot_alloc+0x1ba/0x290 net/core/sock.c:1484
sk_alloc+0x36/0xcd0 net/core/sock.c:1538
sco_sock_alloc.constprop.0+0x31/0x200 net/bluetooth/sco.c:476
sco_sock_create+0xc5/0x180 net/bluetooth/sco.c:511
bt_sock_create+0x13b/0x280 net/bluetooth/af_bluetooth.c:130
__sock_create+0x303/0x620 net/socket.c:1275
sock_create net/socket.c:1315 [inline]
SYSC_socket net/socket.c:1345 [inline]
SyS_socket+0xd1/0x1b0 net/socket.c:1325
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
Freed by task 29165:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0xc3/0x1a0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xc9/0x250 mm/slab.c:3815
sk_prot_free net/core/sock.c:1521 [inline]
__sk_destruct+0x5e3/0x760 net/core/sock.c:1600
sk_destruct net/core/sock.c:1615 [inline]
__sk_free+0xd9/0x2d0 net/core/sock.c:1623
sk_free+0x2b/0x40 net/core/sock.c:1634
sock_put include/net/sock.h:1664 [inline]
sco_sock_kill.part.0+0x97/0xb0 net/bluetooth/sco.c:408
sco_sock_kill net/bluetooth/sco.c:400 [inline]
sco_sock_release+0x17d/0x2f0 net/bluetooth/sco.c:1043
__sock_release+0xcd/0x2b0 net/socket.c:602
sock_close+0x15/0x20 net/socket.c:1139
__fput+0x25f/0x7a0 fs/file_table.c:210
task_work_run+0x11f/0x190 kernel/task_work.c:113
get_signal+0x18a3/0x1ca0 kernel/signal.c:2223
do_signal+0x7c/0x1550 arch/x86/kernel/signal.c:792
exit_to_usermode_loop+0x160/0x200 arch/x86/entry/common.c:160
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x46/0xbb
The buggy address belongs to the object at ffff888092d5b500
which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 160 bytes inside of
2048-byte region [ffff888092d5b500, ffff888092d5bd00)
The buggy address belongs to the page:
page:ffffea00024b5680 count:1 mapcount:0 mapping:ffff888092d5a400 index:0x0 compound_mapcount: 0
flags: 0xfff00000008100(slab|head)
raw: 00fff00000008100 ffff888092d5a400 0000000000000000 0000000100000003
raw: ffffea0002bc44a0 ffffea0002d5d2a0 ffff88813fe74c40 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888092d5b480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888092d5b500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888092d5b580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888092d5b600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888092d5b680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
May 20, 2022, 9:39:24 AM5/20/22
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:
HEAD commit: dffb5c6ff09c Linux 4.14.280
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=121d8765f00000
kernel config: https://syzkaller.appspot.com/x/.config?x=9bde605ce69ece2e
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11a74e01f00000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+721232...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x2c57/0x3f20 kernel/locking/lockdep.c:3369
Read of size 8 at addr ffff8880b0af8d60 by task kworker/0:0/7978
CPU: 0 PID: 7978 Comm: kworker/0:0 Not tainted 4.14.280-syzkaller #0
The buggy address belongs to the object at ffff8880b0af8cc0
flags: 0xfff00000008100(slab|head)
raw: 00fff00000008100 ffff8880b0af8440 0000000000000000 0000000100000003
raw: ffffea00024f96a0 ffffea0002c184a0 ffff88813fe74c40 0000000000000000
ffff8880b0af8c80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8880b0af8d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880b0af8d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880b0af8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
HEAD commit: dffb5c6ff09c Linux 4.14.280
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=121d8765f00000
kernel config: https://syzkaller.appspot.com/x/.config?x=9bde605ce69ece2e
dashboard link: https://syzkaller.appspot.com/bug?extid=721232d643053b0b56d9
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14c06019f00000
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11a74e01f00000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+721232...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x2c57/0x3f20 kernel/locking/lockdep.c:3369
CPU: 0 PID: 7978 Comm: kworker/0:0 Not tainted 4.14.280-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events sco_sock_timeout
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x1b2/0x281 lib/dump_stack.c:58
print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
kasan_report_error.cold+0x8a/0x191 mm/kasan/report.c:351
kasan_report mm/kasan/report.c:409 [inline]
__asan_report_load8_noabort+0x68/0x70 mm/kasan/report.c:430
__lock_acquire+0x2c57/0x3f20 kernel/locking/lockdep.c:3369
lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:152
spin_lock include/linux/spinlock.h:317 [inline]
sco_sock_timeout+0x7b/0x1a0 net/bluetooth/sco.c:95
process_one_work+0x793/0x14a0 kernel/workqueue.c:2117
worker_thread+0x5cc/0xff0 kernel/workqueue.c:2251
kthread+0x30d/0x420 kernel/kthread.c:232
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
Allocated by task 8136:
Workqueue: events sco_sock_timeout
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x1b2/0x281 lib/dump_stack.c:58
print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
kasan_report_error.cold+0x8a/0x191 mm/kasan/report.c:351
kasan_report mm/kasan/report.c:409 [inline]
__asan_report_load8_noabort+0x68/0x70 mm/kasan/report.c:430
__lock_acquire+0x2c57/0x3f20 kernel/locking/lockdep.c:3369
lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:152
spin_lock include/linux/spinlock.h:317 [inline]
sco_sock_timeout+0x7b/0x1a0 net/bluetooth/sco.c:95
process_one_work+0x793/0x14a0 kernel/workqueue.c:2117
worker_thread+0x5cc/0xff0 kernel/workqueue.c:2251
kthread+0x30d/0x420 kernel/kthread.c:232
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551
__do_kmalloc mm/slab.c:3720 [inline]
__kmalloc+0x15a/0x400 mm/slab.c:3729
kmalloc include/linux/slab.h:493 [inline]
sk_prot_alloc+0x1ba/0x290 net/core/sock.c:1484
sk_alloc+0x36/0xcd0 net/core/sock.c:1538
sco_sock_alloc.constprop.0+0x31/0x200 net/bluetooth/sco.c:476
sco_sock_create+0xc5/0x180 net/bluetooth/sco.c:511
bt_sock_create+0x13b/0x280 net/bluetooth/af_bluetooth.c:130
__sock_create+0x303/0x620 net/socket.c:1275
sock_create net/socket.c:1315 [inline]
SYSC_socket net/socket.c:1345 [inline]
SyS_socket+0xd1/0x1b0 net/socket.c:1325
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
Freed by task 8137:
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551
__do_kmalloc mm/slab.c:3720 [inline]
__kmalloc+0x15a/0x400 mm/slab.c:3729
kmalloc include/linux/slab.h:493 [inline]
sk_prot_alloc+0x1ba/0x290 net/core/sock.c:1484
sk_alloc+0x36/0xcd0 net/core/sock.c:1538
sco_sock_alloc.constprop.0+0x31/0x200 net/bluetooth/sco.c:476
sco_sock_create+0xc5/0x180 net/bluetooth/sco.c:511
bt_sock_create+0x13b/0x280 net/bluetooth/af_bluetooth.c:130
__sock_create+0x303/0x620 net/socket.c:1275
sock_create net/socket.c:1315 [inline]
SYSC_socket net/socket.c:1345 [inline]
SyS_socket+0xd1/0x1b0 net/socket.c:1325
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 160 bytes inside of
2048-byte region [ffff8880b0af8cc0, ffff8880b0af94c0)
The buggy address is located 160 bytes inside of
The buggy address belongs to the page:
page:ffffea0002c2be00 count:1 mapcount:0 mapping:ffff8880b0af8440 index:0x0 compound_mapcount: 0
flags: 0xfff00000008100(slab|head)
raw: 00fff00000008100 ffff8880b0af8440 0000000000000000 0000000100000003
raw: ffffea00024f96a0 ffffea0002c184a0 ffff88813fe74c40 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880b0af8c00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
Memory state around the buggy address:
ffff8880b0af8c80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8880b0af8d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880b0af8d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880b0af8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Reply all
Reply to author
Forward
0 new messages