Hello,
syzbot found the following issue on:
HEAD commit: 13af6c74 Linux 4.19.136
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=11834598900000
kernel config: https://syzkaller.appspot.com/x/.config?x=5b7578d3b5457a49
dashboard link: https://syzkaller.appspot.com/bug?extid=0fe4efc137563eac3894
compiler: gcc (GCC) 10.1.0-syz 20200507
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+0fe4ef...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in constant_test_bit arch/x86/include/asm/bitops.h:317 [inline]
BUG: KASAN: use-after-free in sock_flag include/net/sock.h:839 [inline]
BUG: KASAN: use-after-free in l2cap_sock_kill net/bluetooth/l2cap_sock.c:1046 [inline]
BUG: KASAN: use-after-free in l2cap_sock_close_cb+0xbd/0xd0 net/bluetooth/l2cap_sock.c:1311
Read of size 8 at addr ffff888096dc4d20 by task kworker/0:0/5
CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 4.19.136-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events l2cap_chan_timeout
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2fe lib/dump_stack.c:118
print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
kasan_report_error.cold+0x8a/0x1c7 mm/kasan/report.c:354
kasan_report mm/kasan/report.c:412 [inline]
__asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433
constant_test_bit arch/x86/include/asm/bitops.h:317 [inline]
sock_flag include/net/sock.h:839 [inline]
l2cap_sock_kill net/bluetooth/l2cap_sock.c:1046 [inline]
l2cap_sock_close_cb+0xbd/0xd0 net/bluetooth/l2cap_sock.c:1311
l2cap_chan_timeout+0x1bb/0x210 net/bluetooth/l2cap_core.c:431
process_one_work+0x864/0x1570 kernel/workqueue.c:2155
worker_thread+0x64c/0x1130 kernel/workqueue.c:2298
kthread+0x30b/0x410 kernel/kthread.c:246
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
Allocated by task 23936:
__do_kmalloc mm/slab.c:3727 [inline]
__kmalloc+0x15a/0x3c0 mm/slab.c:3736
kmalloc include/linux/slab.h:520 [inline]
sk_prot_alloc+0x1e2/0x2d0 net/core/sock.c:1466
sk_alloc+0x36/0xec0 net/core/sock.c:1520
l2cap_sock_alloc.constprop.0+0x31/0x210 net/bluetooth/l2cap_sock.c:1590
l2cap_sock_create+0x110/0x1b0 net/bluetooth/l2cap_sock.c:1636
bt_sock_create+0x154/0x2a0 net/bluetooth/af_bluetooth.c:130
__sock_create+0x3d8/0x740 net/socket.c:1276
rfcomm_l2sock_create net/bluetooth/rfcomm/core.c:203 [inline]
rfcomm_session_create net/bluetooth/rfcomm/core.c:738 [inline]
__rfcomm_dlc_open net/bluetooth/rfcomm/core.c:388 [inline]
rfcomm_dlc_open+0x6e2/0xcb0 net/bluetooth/rfcomm/core.c:431
rfcomm_sock_connect+0x317/0x420 net/bluetooth/rfcomm/sock.c:416
__sys_connect+0x265/0x2c0 net/socket.c:1663
__do_sys_connect net/socket.c:1674 [inline]
__se_sys_connect net/socket.c:1671 [inline]
__x64_sys_connect+0x6f/0xb0 net/socket.c:1671
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 3597:
__cache_free mm/slab.c:3503 [inline]
kfree+0xcc/0x210 mm/slab.c:3822
sk_prot_free net/core/sock.c:1503 [inline]
__sk_destruct+0x5ff/0x810 net/core/sock.c:1584
sk_destruct net/core/sock.c:1599 [inline]
__sk_free+0x165/0x3b0 net/core/sock.c:1610
sk_free+0x3b/0x50 net/core/sock.c:1621
sock_put include/net/sock.h:1707 [inline]
l2cap_sock_kill.part.0+0x6b/0x80 net/bluetooth/l2cap_sock.c:1055
l2cap_sock_kill net/bluetooth/l2cap_sock.c:1206 [inline]
l2cap_sock_release+0x158/0x190 net/bluetooth/l2cap_sock.c:1204
__sock_release net/socket.c:579 [inline]
sock_release+0x87/0x1d0 net/socket.c:599
rfcomm_session_del+0x15a/0x1f0 net/bluetooth/rfcomm/core.c:684
rfcomm_session_close net/bluetooth/rfcomm/core.c:723 [inline]
rfcomm_process_rx net/bluetooth/rfcomm/core.c:1916 [inline]
rfcomm_process_sessions net/bluetooth/rfcomm/core.c:2000 [inline]
rfcomm_run+0x12ed/0x4250 net/bluetooth/rfcomm/core.c:2087
kthread+0x30b/0x410 kernel/kthread.c:246
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
The buggy address belongs to the object at ffff888096dc4cc0
which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 96 bytes inside of
2048-byte region [ffff888096dc4cc0, ffff888096dc54c0)
The buggy address belongs to the page:
page:ffffea00025b7100 count:1 mapcount:0 mapping:ffff88812c39cc40 index:0x0 compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffffea00015c8d88 ffffea0002a1c688 ffff88812c39cc40
raw: 0000000000000000 ffff888096dc4440 0000000100000003 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888096dc4c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888096dc4c80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff888096dc4d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888096dc4d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888096dc4e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================