From: syzbot <syzbot+19a9f729f05272857487@syzkaller.appspotmail.com>
To: davem@davemloft.net, johan.hedberg@gmail.com,
linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org,
marcel@holtmann.org, netdev@vger.kernel.org,
syzkaller-bugs@googlegroups.com
Subject: Re: KASAN: use-after-free Read in hci_cmd_timeout
Date: Wed, 03 Jul 2019 06:12:05 -0700 [thread overview]
Message-ID: <00000000000097dfa5058cc69be3@google.com> (raw)
In-Reply-To: <00000000000035c756058848954a@google.com>
syzbot has found a reproducer for the following crash on:
HEAD commit: eca94432 Bluetooth: Fix faulty expression for minimum encr..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1006cc8ba00000
kernel config: https://syzkaller.appspot.com/x/.config?x=f6451f0da3d42d53
dashboard link: https://syzkaller.appspot.com/bug?extid=19a9f729f05272857487
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=125b7999a00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=176deefba00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+19a9f729f05272857487@syzkaller.appspotmail.com
Bluetooth: hci0: command 0xfc11 tx timeout
==================================================================
BUG: KASAN: use-after-free in hci_cmd_timeout+0x1fe/0x220
net/bluetooth/hci_core.c:2614
Read of size 8 at addr ffff88809e8a3c48 by task kworker/0:5/9461
CPU: 0 PID: 9461 Comm: kworker/0:5 Not tainted 5.2.0-rc7+ #40
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: events hci_cmd_timeout
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
print_address_description.cold+0x7c/0x20d mm/kasan/report.c:188
__kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
kasan_report+0x12/0x20 mm/kasan/common.c:614
__asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
hci_cmd_timeout+0x1fe/0x220 net/bluetooth/hci_core.c:2614
process_one_work+0x989/0x1790 kernel/workqueue.c:2269
worker_thread+0x98/0xe40 kernel/workqueue.c:2415
kthread+0x354/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
Allocated by task 9446:
save_stack+0x23/0x90 mm/kasan/common.c:71
set_track mm/kasan/common.c:79 [inline]
__kasan_kmalloc mm/kasan/common.c:489 [inline]
__kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:462
kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:497
slab_post_alloc_hook mm/slab.h:437 [inline]
slab_alloc mm/slab.c:3326 [inline]
kmem_cache_alloc+0x11a/0x6f0 mm/slab.c:3488
skb_clone+0x154/0x3d0 net/core/skbuff.c:1321
hci_cmd_work+0xe0/0x2a0 net/bluetooth/hci_core.c:4495
process_one_work+0x989/0x1790 kernel/workqueue.c:2269
worker_thread+0x98/0xe40 kernel/workqueue.c:2415
kthread+0x354/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
Freed by task 1501:
save_stack+0x23/0x90 mm/kasan/common.c:71
set_track mm/kasan/common.c:79 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/common.c:451
kasan_slab_free+0xe/0x10 mm/kasan/common.c:459
__cache_free mm/slab.c:3432 [inline]
kmem_cache_free+0x86/0x260 mm/slab.c:3698
kfree_skbmem net/core/skbuff.c:620 [inline]
kfree_skbmem+0xc5/0x150 net/core/skbuff.c:614
__kfree_skb net/core/skbuff.c:677 [inline]
kfree_skb net/core/skbuff.c:694 [inline]
kfree_skb+0xf0/0x390 net/core/skbuff.c:688
hci_dev_do_open+0xb20/0x1760 net/bluetooth/hci_core.c:1550
hci_power_on+0x10d/0x580 net/bluetooth/hci_core.c:2171
process_one_work+0x989/0x1790 kernel/workqueue.c:2269
worker_thread+0x98/0xe40 kernel/workqueue.c:2415
kthread+0x354/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
The buggy address belongs to the object at ffff88809e8a3b80
which belongs to the cache skbuff_head_cache of size 224
The buggy address is located 200 bytes inside of
224-byte region [ffff88809e8a3b80, ffff88809e8a3c60)
The buggy address belongs to the page:
page:ffffea00027a28c0 refcount:1 mapcount:0 mapping:ffff88821baabb40
index:0x0
flags: 0x1fffc0000000200(slab)
raw: 01fffc0000000200 ffffea00027b2d08 ffffea00021b83c8 ffff88821baabb40
raw: 0000000000000000 ffff88809e8a3040 000000010000000c 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88809e8a3b00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
ffff88809e8a3b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff88809e8a3c00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
^
ffff88809e8a3c80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
ffff88809e8a3d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
next prev parent reply other threads:[~2019-07-03 13:12 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-07 9:10 KASAN: use-after-free Read in hci_cmd_timeout syzbot
2019-07-03 13:12 ` syzbot [this message]
2019-07-03 18:26 ` syzbot
2021-10-06 9:21 Hao Sun
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=00000000000097dfa5058cc69be3@google.com \
--to=syzbot+19a9f729f05272857487@syzkaller.appspotmail.com \
--cc=davem@davemloft.net \
--cc=johan.hedberg@gmail.com \
--cc=linux-bluetooth@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=marcel@holtmann.org \
--cc=netdev@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.