KASAN: use-after-free in __mutex_lock

KASAN: use-after-free in __mutex_lock

[Sungwoo Kim]

Hello, I am Sungwoo Kim (https://sung-woo.kim) from Purdue University.

We report a bug found by FuzzBT, a modified version of syzkaller.
It looks similar to the recent bug:
https://lore.kernel.org/lkml/20220622082716.478486-1-lee.jones@linaro.org

We propose to add l2cap_chan_hold_unless_zero() for after calling
__l2cap_get_chan_blah().

Bluetooth: l2cap_core.c:static void l2cap_chan_destroy(struct kref *kref)
Bluetooth: chan 0000000023c4974d
Bluetooth: parent 00000000ae861c08
==================================================================
BUG: KASAN: use-after-free in __mutex_waiter_is_first
kernel/locking/mutex.c:191 [inline]
BUG: KASAN: use-after-free in __mutex_lock_common
kernel/locking/mutex.c:671 [inline]
BUG: KASAN: use-after-free in __mutex_lock+0x278/0x400
kernel/locking/mutex.c:729
Read of size 8 at addr ffff888006a49b08 by task kworker/u3:2/389

CPU: 0 PID: 389 Comm: kworker/u3:2 Not tainted 5.15.0 #14
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
Workqueue: hci0 hci_rx_work
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x7e/0xb7 lib/dump_stack.c:106
 print_address_description+0x88/0x3b0 mm/kasan/report.c:256
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report+0x172/0x1c0 mm/kasan/report.c:459
 __asan_load8+0x80/0x90 mm/kasan/generic.c:256
 __mutex_waiter_is_first kernel/locking/mutex.c:191 [inline]
 __mutex_lock_common kernel/locking/mutex.c:671 [inline]
 __mutex_lock+0x278/0x400 kernel/locking/mutex.c:729
 __mutex_lock_slowpath+0x13/0x20 kernel/locking/mutex.c:979
 mutex_lock+0x91/0xf0 kernel/locking/mutex.c:280
 l2cap_chan_lock include/net/bluetooth/l2cap.h:890 [inline]
 l2cap_connect_create_rsp net/bluetooth/l2cap_core.c:4431 [inline]
 l2cap_bredr_sig_cmd+0xc7c/0x4060 net/bluetooth/l2cap_core.c:5865
 l2cap_sig_channel net/bluetooth/l2cap_core.c:6633 [inline]
 l2cap_recv_frame+0x71e/0xa00 net/bluetooth/l2cap_core.c:7899
 l2cap_recv_acldata+0x3a2/0x6c0 net/bluetooth/l2cap_core.c:8641
 hci_acldata_packet net/bluetooth/hci_core.c:5100 [inline]
 hci_rx_work+0x39c/0x500 net/bluetooth/hci_core.c:5307
 process_one_work+0x28c/0x440 kernel/workqueue.c:2297
 worker_thread+0x434/0x5d0 kernel/workqueue.c:2444
 kthread+0x214/0x250 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30

Allocated by task 389:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 ____kasan_kmalloc+0xd6/0x110 mm/kasan/common.c:513
 __kasan_kmalloc+0x9/0x10 mm/kasan/common.c:522
 kasan_kmalloc include/linux/kasan.h:264 [inline]
 kmem_cache_alloc_trace+0x1a9/0x230 mm/slub.c:3240
 kmalloc include/linux/slab.h:591 [inline]
 kzalloc include/linux/slab.h:721 [inline]
 l2cap_chan_create+0x4c/0x2c0 net/bluetooth/l2cap_core.c:481
 l2cap_sock_alloc+0xfa/0x150 net/bluetooth/l2cap_sock.c:1867
 l2cap_sock_new_connection_cb+0xc9/0x140 net/bluetooth/l2cap_sock.c:1467
 l2cap_connect+0x3eb/0x850 net/bluetooth/l2cap_core.c:4274
 l2cap_connect_req net/bluetooth/l2cap_core.c:4387 [inline]
 l2cap_bredr_sig_cmd+0x13fd/0x4060 net/bluetooth/l2cap_core.c:5860
 l2cap_sig_channel net/bluetooth/l2cap_core.c:6633 [inline]
 l2cap_recv_frame+0x71e/0xa00 net/bluetooth/l2cap_core.c:7899
 l2cap_recv_acldata+0x3a2/0x6c0 net/bluetooth/l2cap_core.c:8641
 hci_acldata_packet net/bluetooth/hci_core.c:5100 [inline]
 hci_rx_work+0x39c/0x500 net/bluetooth/hci_core.c:5307
 process_one_work+0x28c/0x440 kernel/workqueue.c:2297
 worker_thread+0x434/0x5d0 kernel/workqueue.c:2444
 kthread+0x214/0x250 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30

Freed by task 364:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track+0x3d/0x70 mm/kasan/common.c:46
 kasan_set_free_info+0x23/0x40 mm/kasan/generic.c:360
 ____kasan_slab_free+0x13a/0x170 mm/kasan/common.c:366
 __kasan_slab_free+0x11/0x20 mm/kasan/common.c:374
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:1700 [inline]
 slab_free_freelist_hook+0x100/0x1a0 mm/slub.c:1726
 slab_free mm/slub.c:3492 [inline]
 kfree+0xe0/0x270 mm/slub.c:4552
 l2cap_chan_destroy net/bluetooth/l2cap_core.c:524 [inline]
 kref_put include/linux/kref.h:65 [inline]
 l2cap_chan_put+0x147/0x190 net/bluetooth/l2cap_core.c:540
 l2cap_sock_cleanup_listen net/bluetooth/l2cap_sock.c:1449 [inline]
 l2cap_sock_teardown_cb+0x33a/0x3e0 net/bluetooth/l2cap_sock.c:1564
 l2cap_chan_close+0x297/0x640
 l2cap_sock_shutdown+0x6cc/0x8b0 net/bluetooth/l2cap_sock.c:1367
 l2cap_sock_release+0x7d/0x130 net/bluetooth/l2cap_sock.c:1411
 __sock_release+0x80/0x170 net/socket.c:649
 sock_close+0x1e/0x30 net/socket.c:1314
 __fput+0x2de/0x5d0 fs/file_table.c:280
 ____fput+0x1a/0x20 fs/file_table.c:313
 task_work_run+0x102/0x150 kernel/task_work.c:164
 exit_task_work include/linux/task_work.h:32 [inline]
 do_exit+0x511/0x1260 kernel/exit.c:825
 do_group_exit+0xd9/0x1a0 kernel/exit.c:922
 get_signal+0x397/0x11a0 kernel/signal.c:2855
 arch_do_signal_or_restart+0x3b/0x3b0 arch/x86/kernel/signal.c:865
 handle_signal_work kernel/entry/common.c:148 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
 exit_to_user_mode_prepare+0x103/0x1a0 kernel/entry/common.c:207
 __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
 syscall_exit_to_user_mode+0x2a/0x40 kernel/entry/common.c:300
 do_syscall_64+0x52/0xc0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff888006a49800
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 776 bytes inside of
 1024-byte region [ffff888006a49800, ffff888006a49c00)
The buggy address belongs to the page:
page:000000004d4d912c refcount:1 mapcount:0 mapping:0000000000000000
index:0x0 pfn:0x6a48
head:000000004d4d912c order:2 compound_mapcount:0 compound_pincount:0
flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)
raw: 000fffffc0010200 dead000000000100 dead000000000122 ffff888001041dc0
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888006a49a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888006a49a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888006a49b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff888006a49b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888006a49c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 2c9de67da..0e7978228 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -4309,7 +4309,10 @@ static int l2cap_connect_create_rsp(struct
l2cap_conn *conn,

        err = 0;

-       l2cap_chan_lock(chan);
+       chan = l2cap_chan_hold_unless_zero(chan);
+       if (chan) {
+               l2cap_chan_lock(chan);
+       }

        switch (result) {
        case L2CAP_CR_SUCCESS:
@@ -4336,6 +4339,7 @@ static int l2cap_connect_create_rsp(struct
l2cap_conn *conn,
        }

        l2cap_chan_unlock(chan);
+       l2cap_chan_put(chan);

 unlock:
        mutex_unlock(&conn->chan_lock);


Best regards,
Sungwoo Kim.

RE: KASAN: use-after-free in __mutex_lock

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 477 bytes --]

This is an automated email and please do not reply to this email.

Dear Submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
While preparing the CI tests, the patches you submitted couldn't be applied to the current HEAD of the repository.

----- Output -----
error: corrupt patch at line 6
hint: Use 'git am --show-current-patch' to see the failed patch


Please resolve the issue and submit the patches again.


---
Regards,
Linux Bluetooth

RE: KASAN: use-after-free in __mutex_lock

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 477 bytes --]

This is an automated email and please do not reply to this email.

Dear Submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
While preparing the CI tests, the patches you submitted couldn't be applied to the current HEAD of the repository.

----- Output -----
error: corrupt patch at line 6
hint: Use 'git am --show-current-patch' to see the failed patch


Please resolve the issue and submit the patches again.


---
Regards,
Linux Bluetooth

RE: KASAN: use-after-free in __mutex_lock

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 477 bytes --]

This is an automated email and please do not reply to this email.

Dear Submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
While preparing the CI tests, the patches you submitted couldn't be applied to the current HEAD of the repository.

----- Output -----
error: corrupt patch at line 6
hint: Use 'git am --show-current-patch' to see the failed patch


Please resolve the issue and submit the patches again.


---
Regards,
Linux Bluetooth

RE: KASAN: use-after-free in __mutex_lock

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 477 bytes --]

This is an automated email and please do not reply to this email.

Dear Submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
While preparing the CI tests, the patches you submitted couldn't be applied to the current HEAD of the repository.

----- Output -----
error: corrupt patch at line 6
hint: Use 'git am --show-current-patch' to see the failed patch


Please resolve the issue and submit the patches again.


---
Regards,
Linux Bluetooth

RE: KASAN: use-after-free in __mutex_lock

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 477 bytes --]

This is an automated email and please do not reply to this email.

Dear Submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
While preparing the CI tests, the patches you submitted couldn't be applied to the current HEAD of the repository.

----- Output -----
error: corrupt patch at line 6
hint: Use 'git am --show-current-patch' to see the failed patch


Please resolve the issue and submit the patches again.


---
Regards,
Linux Bluetooth

Re: KASAN: use-after-free in __mutex_lock

[Luiz Augusto von Dentz]

Hi Kim,

On Sat, Sep 3, 2022 at 1:09 PM Sungwoo Kim <iam@sung-woo.kim> wrote:
>
> Hello, I am Sungwoo Kim (https://sung-woo.kim) from Purdue University.
>
> We report a bug found by FuzzBT, a modified version of syzkaller.
> It looks similar to the recent bug:
> https://lore.kernel.org/lkml/20220622082716.478486-1-lee.jones@linaro.org
>
> We propose to add l2cap_chan_hold_unless_zero() for after calling
> __l2cap_get_chan_blah().
>
> Bluetooth: l2cap_core.c:static void l2cap_chan_destroy(struct kref *kref)
> Bluetooth: chan 0000000023c4974d
> Bluetooth: parent 00000000ae861c08
> ==================================================================
> BUG: KASAN: use-after-free in __mutex_waiter_is_first
> kernel/locking/mutex.c:191 [inline]
> BUG: KASAN: use-after-free in __mutex_lock_common
> kernel/locking/mutex.c:671 [inline]
> BUG: KASAN: use-after-free in __mutex_lock+0x278/0x400
> kernel/locking/mutex.c:729
> Read of size 8 at addr ffff888006a49b08 by task kworker/u3:2/389
>
> CPU: 0 PID: 389 Comm: kworker/u3:2 Not tainted 5.15.0 #14
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> 1.13.0-1ubuntu1.1 04/01/2014
> Workqueue: hci0 hci_rx_work
> Call Trace:
>  __dump_stack lib/dump_stack.c:88 [inline]
>  dump_stack_lvl+0x7e/0xb7 lib/dump_stack.c:106
>  print_address_description+0x88/0x3b0 mm/kasan/report.c:256
>  __kasan_report mm/kasan/report.c:442 [inline]
>  kasan_report+0x172/0x1c0 mm/kasan/report.c:459
>  __asan_load8+0x80/0x90 mm/kasan/generic.c:256
>  __mutex_waiter_is_first kernel/locking/mutex.c:191 [inline]
>  __mutex_lock_common kernel/locking/mutex.c:671 [inline]
>  __mutex_lock+0x278/0x400 kernel/locking/mutex.c:729
>  __mutex_lock_slowpath+0x13/0x20 kernel/locking/mutex.c:979
>  mutex_lock+0x91/0xf0 kernel/locking/mutex.c:280
>  l2cap_chan_lock include/net/bluetooth/l2cap.h:890 [inline]
>  l2cap_connect_create_rsp net/bluetooth/l2cap_core.c:4431 [inline]
>  l2cap_bredr_sig_cmd+0xc7c/0x4060 net/bluetooth/l2cap_core.c:5865
>  l2cap_sig_channel net/bluetooth/l2cap_core.c:6633 [inline]
>  l2cap_recv_frame+0x71e/0xa00 net/bluetooth/l2cap_core.c:7899
>  l2cap_recv_acldata+0x3a2/0x6c0 net/bluetooth/l2cap_core.c:8641
>  hci_acldata_packet net/bluetooth/hci_core.c:5100 [inline]
>  hci_rx_work+0x39c/0x500 net/bluetooth/hci_core.c:5307
>  process_one_work+0x28c/0x440 kernel/workqueue.c:2297
>  worker_thread+0x434/0x5d0 kernel/workqueue.c:2444
>  kthread+0x214/0x250 kernel/kthread.c:319
>  ret_from_fork+0x1f/0x30
>
> Allocated by task 389:
>  kasan_save_stack mm/kasan/common.c:38 [inline]
>  kasan_set_track mm/kasan/common.c:46 [inline]
>  set_alloc_info mm/kasan/common.c:434 [inline]
>  ____kasan_kmalloc+0xd6/0x110 mm/kasan/common.c:513
>  __kasan_kmalloc+0x9/0x10 mm/kasan/common.c:522
>  kasan_kmalloc include/linux/kasan.h:264 [inline]
>  kmem_cache_alloc_trace+0x1a9/0x230 mm/slub.c:3240
>  kmalloc include/linux/slab.h:591 [inline]
>  kzalloc include/linux/slab.h:721 [inline]
>  l2cap_chan_create+0x4c/0x2c0 net/bluetooth/l2cap_core.c:481
>  l2cap_sock_alloc+0xfa/0x150 net/bluetooth/l2cap_sock.c:1867
>  l2cap_sock_new_connection_cb+0xc9/0x140 net/bluetooth/l2cap_sock.c:1467
>  l2cap_connect+0x3eb/0x850 net/bluetooth/l2cap_core.c:4274
>  l2cap_connect_req net/bluetooth/l2cap_core.c:4387 [inline]
>  l2cap_bredr_sig_cmd+0x13fd/0x4060 net/bluetooth/l2cap_core.c:5860
>  l2cap_sig_channel net/bluetooth/l2cap_core.c:6633 [inline]
>  l2cap_recv_frame+0x71e/0xa00 net/bluetooth/l2cap_core.c:7899
>  l2cap_recv_acldata+0x3a2/0x6c0 net/bluetooth/l2cap_core.c:8641
>  hci_acldata_packet net/bluetooth/hci_core.c:5100 [inline]
>  hci_rx_work+0x39c/0x500 net/bluetooth/hci_core.c:5307
>  process_one_work+0x28c/0x440 kernel/workqueue.c:2297
>  worker_thread+0x434/0x5d0 kernel/workqueue.c:2444
>  kthread+0x214/0x250 kernel/kthread.c:319
>  ret_from_fork+0x1f/0x30
>
> Freed by task 364:
>  kasan_save_stack mm/kasan/common.c:38 [inline]
>  kasan_set_track+0x3d/0x70 mm/kasan/common.c:46
>  kasan_set_free_info+0x23/0x40 mm/kasan/generic.c:360
>  ____kasan_slab_free+0x13a/0x170 mm/kasan/common.c:366
>  __kasan_slab_free+0x11/0x20 mm/kasan/common.c:374
>  kasan_slab_free include/linux/kasan.h:230 [inline]
>  slab_free_hook mm/slub.c:1700 [inline]
>  slab_free_freelist_hook+0x100/0x1a0 mm/slub.c:1726
>  slab_free mm/slub.c:3492 [inline]
>  kfree+0xe0/0x270 mm/slub.c:4552
>  l2cap_chan_destroy net/bluetooth/l2cap_core.c:524 [inline]
>  kref_put include/linux/kref.h:65 [inline]
>  l2cap_chan_put+0x147/0x190 net/bluetooth/l2cap_core.c:540
>  l2cap_sock_cleanup_listen net/bluetooth/l2cap_sock.c:1449 [inline]
>  l2cap_sock_teardown_cb+0x33a/0x3e0 net/bluetooth/l2cap_sock.c:1564
>  l2cap_chan_close+0x297/0x640
>  l2cap_sock_shutdown+0x6cc/0x8b0 net/bluetooth/l2cap_sock.c:1367
>  l2cap_sock_release+0x7d/0x130 net/bluetooth/l2cap_sock.c:1411
>  __sock_release+0x80/0x170 net/socket.c:649
>  sock_close+0x1e/0x30 net/socket.c:1314
>  __fput+0x2de/0x5d0 fs/file_table.c:280
>  ____fput+0x1a/0x20 fs/file_table.c:313
>  task_work_run+0x102/0x150 kernel/task_work.c:164
>  exit_task_work include/linux/task_work.h:32 [inline]
>  do_exit+0x511/0x1260 kernel/exit.c:825
>  do_group_exit+0xd9/0x1a0 kernel/exit.c:922
>  get_signal+0x397/0x11a0 kernel/signal.c:2855
>  arch_do_signal_or_restart+0x3b/0x3b0 arch/x86/kernel/signal.c:865
>  handle_signal_work kernel/entry/common.c:148 [inline]
>  exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
>  exit_to_user_mode_prepare+0x103/0x1a0 kernel/entry/common.c:207
>  __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
>  syscall_exit_to_user_mode+0x2a/0x40 kernel/entry/common.c:300
>  do_syscall_64+0x52/0xc0 arch/x86/entry/common.c:86
>  entry_SYSCALL_64_after_hwframe+0x44/0xae
>
> The buggy address belongs to the object at ffff888006a49800
>  which belongs to the cache kmalloc-1k of size 1024
> The buggy address is located 776 bytes inside of
>  1024-byte region [ffff888006a49800, ffff888006a49c00)
> The buggy address belongs to the page:
> page:000000004d4d912c refcount:1 mapcount:0 mapping:0000000000000000
> index:0x0 pfn:0x6a48
> head:000000004d4d912c order:2 compound_mapcount:0 compound_pincount:0
> flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)
> raw: 000fffffc0010200 dead000000000100 dead000000000122 ffff888001041dc0
> raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
>  ffff888006a49a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>  ffff888006a49a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> >ffff888006a49b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>                       ^
>  ffff888006a49b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>  ffff888006a49c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ==================================================================
>
>
> diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
> index 2c9de67da..0e7978228 100644
> --- a/net/bluetooth/l2cap_core.c
> +++ b/net/bluetooth/l2cap_core.c
> @@ -4309,7 +4309,10 @@ static int l2cap_connect_create_rsp(struct
> l2cap_conn *conn,
>
>         err = 0;
>
> -       l2cap_chan_lock(chan);
> +       chan = l2cap_chan_hold_unless_zero(chan);
> +       if (chan) {
> +               l2cap_chan_lock(chan);
> +       }

This obviously doesn't work since you will need to bail out if chan is
NULL, so we would need to do something like:

if (!chan) {
  err = -EBADSLT;
  goto unlock;
}

l2cap_chan_lock(chan);

>
>         switch (result) {
>         case L2CAP_CR_SUCCESS:
> @@ -4336,6 +4339,7 @@ static int l2cap_connect_create_rsp(struct
> l2cap_conn *conn,
>         }
>
>         l2cap_chan_unlock(chan);
> +       l2cap_chan_put(chan);
>
>  unlock:
>         mutex_unlock(&conn->chan_lock);
>
>
> Best regards,
> Sungwoo Kim.



-- 
Luiz Augusto von Dentz

RE: KASAN: use-after-free in __mutex_lock

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 477 bytes --]

This is an automated email and please do not reply to this email.

Dear Submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
While preparing the CI tests, the patches you submitted couldn't be applied to the current HEAD of the repository.

----- Output -----
error: corrupt patch at line 6
hint: Use 'git am --show-current-patch' to see the failed patch


Please resolve the issue and submit the patches again.


---
Regards,
Linux Bluetooth

RE: KASAN: use-after-free in __mutex_lock

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 477 bytes --]

This is an automated email and please do not reply to this email.

Dear Submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
While preparing the CI tests, the patches you submitted couldn't be applied to the current HEAD of the repository.

----- Output -----
error: corrupt patch at line 6
hint: Use 'git am --show-current-patch' to see the failed patch


Please resolve the issue and submit the patches again.


---
Regards,
Linux Bluetooth

RE: KASAN: use-after-free in __mutex_lock

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 477 bytes --]

This is an automated email and please do not reply to this email.

Dear Submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
While preparing the CI tests, the patches you submitted couldn't be applied to the current HEAD of the repository.

----- Output -----
error: corrupt patch at line 6
hint: Use 'git am --show-current-patch' to see the failed patch


Please resolve the issue and submit the patches again.


---
Regards,
Linux Bluetooth

RE: KASAN: use-after-free in __mutex_lock

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 477 bytes --]

This is an automated email and please do not reply to this email.

Dear Submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
While preparing the CI tests, the patches you submitted couldn't be applied to the current HEAD of the repository.

----- Output -----
error: corrupt patch at line 6
hint: Use 'git am --show-current-patch' to see the failed patch


Please resolve the issue and submit the patches again.


---
Regards,
Linux Bluetooth

Re: KASAN: use-after-free in __mutex_lock

[Sungwoo Kim]

Hi Dentz,
How about to use l2cap_get_chan_by_scid because it looks resposible to
handle ref_cnt.

Signed-off-by: Sungwoo Kim <iam@sung-woo.kim>
---
 net/bluetooth/l2cap_core.c | 24 +++++++-----------------
 1 file changed, 7 insertions(+), 17 deletions(-)

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 2c9de67da..d3a074cbc 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -4291,26 +4291,18 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
 	BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
 	       dcid, scid, result, status);
 
-	mutex_lock(&conn->chan_lock);
-
 	if (scid) {
-		chan = __l2cap_get_chan_by_scid(conn, scid);
-		if (!chan) {
-			err = -EBADSLT;
-			goto unlock;
-		}
+		chan = l2cap_get_chan_by_scid(conn, scid);
+		if (!chan)
+			return -EBADSLT;
 	} else {
-		chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
-		if (!chan) {
-			err = -EBADSLT;
-			goto unlock;
-		}
+		chan = l2cap_get_chan_by_ident(conn, cmd->ident);
+		if (!chan)
+			return -EBADSLT;
 	}
 
 	err = 0;
 
-	l2cap_chan_lock(chan);
-
 	switch (result) {
 	case L2CAP_CR_SUCCESS:
 		l2cap_state_change(chan, BT_CONFIG);
@@ -4336,9 +4328,7 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
 	}
 
 	l2cap_chan_unlock(chan);
-
-unlock:
-	mutex_unlock(&conn->chan_lock);
+	l2cap_chan_put(chan);
 
 	return err;
 }
-- 
2.25.1

Re: KASAN: use-after-free in __mutex_lock

[Luiz Augusto von Dentz]

Hi Kim,

On Fri, Sep 30, 2022 at 9:09 AM Sungwoo Kim <iam@sung-woo.kim> wrote:
>
> Hi Dentz,
> How about to use l2cap_get_chan_by_scid because it looks resposible to
> handle ref_cnt.
>
> Signed-off-by: Sungwoo Kim <iam@sung-woo.kim>
> ---
>  net/bluetooth/l2cap_core.c | 24 +++++++-----------------
>  1 file changed, 7 insertions(+), 17 deletions(-)
>
> diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
> index 2c9de67da..d3a074cbc 100644
> --- a/net/bluetooth/l2cap_core.c
> +++ b/net/bluetooth/l2cap_core.c
> @@ -4291,26 +4291,18 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
>         BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
>                dcid, scid, result, status);
>
> -       mutex_lock(&conn->chan_lock);
> -
>         if (scid) {
> -               chan = __l2cap_get_chan_by_scid(conn, scid);
> -               if (!chan) {
> -                       err = -EBADSLT;
> -                       goto unlock;
> -               }
> +               chan = l2cap_get_chan_by_scid(conn, scid);
> +               if (!chan)
> +                       return -EBADSLT;
>         } else {
> -               chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
> -               if (!chan) {
> -                       err = -EBADSLT;
> -                       goto unlock;
> -               }
> +               chan = l2cap_get_chan_by_ident(conn, cmd->ident);
> +               if (!chan)
> +                       return -EBADSLT;
>         }
>
>         err = 0;
>
> -       l2cap_chan_lock(chan);
> -
>         switch (result) {
>         case L2CAP_CR_SUCCESS:
>                 l2cap_state_change(chan, BT_CONFIG);
> @@ -4336,9 +4328,7 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
>         }
>
>         l2cap_chan_unlock(chan);
> -
> -unlock:
> -       mutex_unlock(&conn->chan_lock);
> +       l2cap_chan_put(chan);
>
>         return err;
>  }
> --
> 2.25.1

Ive sent a fix yesterday:

https://patchwork.kernel.org/project/bluetooth/patch/20220929203241.4140795-1-luiz.dentz@gmail.com/

Both are sorta similar but the one above end up causing less code
changes which might be easier to backport.

-- 
Luiz Augusto von Dentz