| Message ID | 20241002190452.3405592-1-luiz.dentz@gmail.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [v3] Bluetooth: SCO: Use disable_delayed_work_sync | expand |
| Context | Check | Description |
|---|---|---|
| tedd_an/pre-ci_am | success | Success |
| tedd_an/CheckPatch | success | CheckPatch PASS |
| tedd_an/GitLint | success | Gitlint PASS |
| tedd_an/SubjectPrefix | success | Gitlint PASS |
| tedd_an/BuildKernel | success | BuildKernel PASS |
| tedd_an/CheckAllWarning | success | CheckAllWarning PASS |
| tedd_an/CheckSparse | warning | CheckSparse WARNING net/bluetooth/sco.c: note: in included file:./include/net/bluetooth/hci_core.h:147:35: warning: array of flexible structures |
#syz test On Wed, Oct 2, 2024 at 3:04 PM Luiz Augusto von Dentz <luiz.dentz@gmail.com> wrote: > > From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> > > This makes use of disable_delayed_work_sync instead > cancel_delayed_work_sync as it not only cancel the ongoing work but also > disables new submit which is disarable since the object holding the work > is about to be freed. > > In addition to it remove call to sco_sock_set_timer on __sco_sock_close > since at that point it is useless to set a timer as the sk will be freed > there is nothing to be done in sco_sock_timeout. > > Reported-by: syzbot+4c0d0c4cde787116d465@syzkaller.appspotmail.com > Closes: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465 > Fixes: ba316be1b6a0 ("Bluetooth: schedule SCO timeouts with delayed_work") > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> > --- > net/bluetooth/sco.c | 13 +------------ > 1 file changed, 1 insertion(+), 12 deletions(-) > > diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c > index a5ac160c592e..2b1e66976068 100644 > --- a/net/bluetooth/sco.c > +++ b/net/bluetooth/sco.c > @@ -208,7 +208,7 @@ static void sco_conn_del(struct hci_conn *hcon, int err) > } > > /* Ensure no more work items will run before freeing conn. */ > - cancel_delayed_work_sync(&conn->timeout_work); > + disable_delayed_work_sync(&conn->timeout_work); > > hcon->sco_data = NULL; > kfree(conn); > @@ -442,17 +442,6 @@ static void __sco_sock_close(struct sock *sk) > > case BT_CONNECTED: > case BT_CONFIG: > - if (sco_pi(sk)->conn->hcon) { > - sk->sk_state = BT_DISCONN; > - sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT); > - sco_conn_lock(sco_pi(sk)->conn); > - hci_conn_drop(sco_pi(sk)->conn->hcon); > - sco_pi(sk)->conn->hcon = NULL; > - sco_conn_unlock(sco_pi(sk)->conn); > - } else > - sco_chan_del(sk, ECONNRESET); > - break; > - > case BT_CONNECT2: > case BT_CONNECT: > case BT_DISCONN: > -- > 2.46.1 >
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Write in sco_sock_timeout
==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: slab-use-after-free in atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
BUG: KASAN: slab-use-after-free in __refcount_add include/linux/refcount.h:184 [inline]
BUG: KASAN: slab-use-after-free in __refcount_inc include/linux/refcount.h:241 [inline]
BUG: KASAN: slab-use-after-free in refcount_inc include/linux/refcount.h:258 [inline]
BUG: KASAN: slab-use-after-free in sock_hold include/net/sock.h:781 [inline]
BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x8b/0x270 net/bluetooth/sco.c:92
Write of size 4 at addr ffff88807e2d5080 by task kworker/1:1/47
CPU: 1 UID: 0 PID: 47 Comm: kworker/1:1 Not tainted 6.12.0-rc1-syzkaller-ge32cde8d2bd7 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: events sco_sock_timeout
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
__refcount_add include/linux/refcount.h:184 [inline]
__refcount_inc include/linux/refcount.h:241 [inline]
refcount_inc include/linux/refcount.h:258 [inline]
sock_hold include/net/sock.h:781 [inline]
sco_sock_timeout+0x8b/0x270 net/bluetooth/sco.c:92
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f2/0x390 kernel/kthread.c:389
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Allocated by task 5759:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:257 [inline]
__do_kmalloc_node mm/slub.c:4265 [inline]
__kmalloc_noprof+0x1fc/0x400 mm/slub.c:4277
kmalloc_noprof include/linux/slab.h:882 [inline]
sk_prot_alloc+0xe0/0x210 net/core/sock.c:2164
sk_alloc+0x38/0x370 net/core/sock.c:2217
bt_sock_alloc+0x3c/0x340 net/bluetooth/af_bluetooth.c:148
sco_sock_alloc net/bluetooth/sco.c:500 [inline]
sco_sock_create+0xbb/0x390 net/bluetooth/sco.c:531
bt_sock_create+0x163/0x230 net/bluetooth/af_bluetooth.c:132
__sock_create+0x492/0x920 net/socket.c:1576
sock_create net/socket.c:1627 [inline]
__sys_socket_create net/socket.c:1664 [inline]
__sys_socket+0x150/0x3c0 net/socket.c:1711
__do_sys_socket net/socket.c:1725 [inline]
__se_sys_socket net/socket.c:1723 [inline]
__x64_sys_socket+0x7a/0x90 net/socket.c:1723
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 5760:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:2343 [inline]
slab_free mm/slub.c:4580 [inline]
kfree+0x1a0/0x440 mm/slub.c:4728
sk_prot_free net/core/sock.c:2200 [inline]
__sk_destruct+0x479/0x5f0 net/core/sock.c:2292
sco_sock_release+0x25e/0x320 net/bluetooth/sco.c:1259
__sock_release net/socket.c:658 [inline]
sock_close+0xbe/0x240 net/socket.c:1426
__fput+0x241/0x880 fs/file_table.c:431
task_work_run+0x251/0x310 kernel/task_work.c:228
get_signal+0x15e8/0x1740 kernel/signal.c:2690
arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0xc9/0x370 kernel/entry/common.c:218
do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff88807e2d5000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 128 bytes inside of
freed 2048-byte region [ffff88807e2d5000, ffff88807e2d5800)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7e2d0
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff888015442000 ffffea0000a07800 dead000000000002
raw: 0000000000000000 0000000000080008 00000001f5000000 0000000000000000
head: 00fff00000000040 ffff888015442000 ffffea0000a07800 dead000000000002
head: 0000000000000000 0000000000080008 00000001f5000000 0000000000000000
head: 00fff00000000003 ffffea0001f8b401 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4533, tgid 4533 (acpid), ts 19751533769, free_ts 17515017965
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0x3045/0x3190 mm/page_alloc.c:3457
__alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4733
alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
alloc_slab_page+0x6a/0x120 mm/slub.c:2413
allocate_slab+0x5a/0x2f0 mm/slub.c:2579
new_slab mm/slub.c:2632 [inline]
___slab_alloc+0xcd1/0x14b0 mm/slub.c:3819
__slab_alloc+0x58/0xa0 mm/slub.c:3909
__slab_alloc_node mm/slub.c:3962 [inline]
slab_alloc_node mm/slub.c:4123 [inline]
__do_kmalloc_node mm/slub.c:4264 [inline]
__kmalloc_noprof+0x25a/0x400 mm/slub.c:4277
kmalloc_noprof include/linux/slab.h:882 [inline]
sk_prot_alloc+0xe0/0x210 net/core/sock.c:2164
sk_alloc+0x38/0x370 net/core/sock.c:2217
__netlink_create+0x65/0x260 net/netlink/af_netlink.c:646
netlink_create+0x3ab/0x560 net/netlink/af_netlink.c:704
__sock_create+0x492/0x920 net/socket.c:1576
sock_create net/socket.c:1627 [inline]
__sys_socket_create net/socket.c:1664 [inline]
__sys_socket+0x150/0x3c0 net/socket.c:1711
__do_sys_socket net/socket.c:1725 [inline]
__se_sys_socket net/socket.c:1723 [inline]
__x64_sys_socket+0x7a/0x90 net/socket.c:1723
page last free pid 1 tgid 1 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0xcfb/0xf20 mm/page_alloc.c:2638
free_contig_range+0x152/0x550 mm/page_alloc.c:6748
destroy_args+0x8a/0x840 mm/debug_vm_pgtable.c:1017
debug_vm_pgtable+0x4be/0x550 mm/debug_vm_pgtable.c:1397
do_one_initcall+0x24a/0x880 init/main.c:1269
do_initcall_level+0x157/0x210 init/main.c:1331
do_initcalls+0x3f/0x80 init/main.c:1347
kernel_init_freeable+0x435/0x5d0 init/main.c:1580
kernel_init+0x1d/0x2b0 init/main.c:1469
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Memory state around the buggy address:
ffff88807e2d4f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88807e2d5000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88807e2d5080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88807e2d5100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807e2d5180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: e32cde8d Merge tag 'sched_ext-for-6.12-rc1-fixes-1' of..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=174f23d0580000
kernel config: https://syzkaller.appspot.com/x/.config?x=5997f8b13c390e73
dashboard link: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Note: no patches were applied.
#syz test On Wed, Oct 2, 2024 at 3:19 PM Luiz Augusto von Dentz <luiz.dentz@gmail.com> wrote: > > #syz test > > On Wed, Oct 2, 2024 at 3:04 PM Luiz Augusto von Dentz > <luiz.dentz@gmail.com> wrote: > > > > From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> > > > > This makes use of disable_delayed_work_sync instead > > cancel_delayed_work_sync as it not only cancel the ongoing work but also > > disables new submit which is disarable since the object holding the work > > is about to be freed. > > > > In addition to it remove call to sco_sock_set_timer on __sco_sock_close > > since at that point it is useless to set a timer as the sk will be freed > > there is nothing to be done in sco_sock_timeout. > > > > Reported-by: syzbot+4c0d0c4cde787116d465@syzkaller.appspotmail.com > > Closes: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465 > > Fixes: ba316be1b6a0 ("Bluetooth: schedule SCO timeouts with delayed_work") > > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> > > --- > > net/bluetooth/sco.c | 13 +------------ > > 1 file changed, 1 insertion(+), 12 deletions(-) > > > > diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c > > index a5ac160c592e..2b1e66976068 100644 > > --- a/net/bluetooth/sco.c > > +++ b/net/bluetooth/sco.c > > @@ -208,7 +208,7 @@ static void sco_conn_del(struct hci_conn *hcon, int err) > > } > > > > /* Ensure no more work items will run before freeing conn. */ > > - cancel_delayed_work_sync(&conn->timeout_work); > > + disable_delayed_work_sync(&conn->timeout_work); > > > > hcon->sco_data = NULL; > > kfree(conn); > > @@ -442,17 +442,6 @@ static void __sco_sock_close(struct sock *sk) > > > > case BT_CONNECTED: > > case BT_CONFIG: > > - if (sco_pi(sk)->conn->hcon) { > > - sk->sk_state = BT_DISCONN; > > - sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT); > > - sco_conn_lock(sco_pi(sk)->conn); > > - hci_conn_drop(sco_pi(sk)->conn->hcon); > > - sco_pi(sk)->conn->hcon = NULL; > > - sco_conn_unlock(sco_pi(sk)->conn); > > - } else > > - sco_chan_del(sk, ECONNRESET); > > - break; > > - > > case BT_CONNECT2: > > case BT_CONNECT: > > case BT_DISCONN: > > -- > > 2.46.1 > > > > > -- > Luiz Augusto von Dentz
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Write in sco_sock_timeout
==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: slab-use-after-free in atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
BUG: KASAN: slab-use-after-free in __refcount_add include/linux/refcount.h:184 [inline]
BUG: KASAN: slab-use-after-free in __refcount_inc include/linux/refcount.h:241 [inline]
BUG: KASAN: slab-use-after-free in refcount_inc include/linux/refcount.h:258 [inline]
BUG: KASAN: slab-use-after-free in sock_hold include/net/sock.h:781 [inline]
BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x8b/0x270 net/bluetooth/sco.c:92
Write of size 4 at addr ffff8881436fb080 by task kworker/0:3/1150
CPU: 0 UID: 0 PID: 1150 Comm: kworker/0:3 Not tainted 6.12.0-rc1-syzkaller-ge32cde8d2bd7-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: events sco_sock_timeout
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
__refcount_add include/linux/refcount.h:184 [inline]
__refcount_inc include/linux/refcount.h:241 [inline]
refcount_inc include/linux/refcount.h:258 [inline]
sock_hold include/net/sock.h:781 [inline]
sco_sock_timeout+0x8b/0x270 net/bluetooth/sco.c:92
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f2/0x390 kernel/kthread.c:389
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Allocated by task 5769:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:257 [inline]
__do_kmalloc_node mm/slub.c:4265 [inline]
__kmalloc_noprof+0x1fc/0x400 mm/slub.c:4277
kmalloc_noprof include/linux/slab.h:882 [inline]
sk_prot_alloc+0xe0/0x210 net/core/sock.c:2164
sk_alloc+0x38/0x370 net/core/sock.c:2217
bt_sock_alloc+0x3c/0x340 net/bluetooth/af_bluetooth.c:148
sco_sock_alloc net/bluetooth/sco.c:489 [inline]
sco_sock_create+0xbb/0x390 net/bluetooth/sco.c:520
bt_sock_create+0x163/0x230 net/bluetooth/af_bluetooth.c:132
__sock_create+0x492/0x920 net/socket.c:1576
sock_create net/socket.c:1627 [inline]
__sys_socket_create net/socket.c:1664 [inline]
__sys_socket+0x150/0x3c0 net/socket.c:1711
__do_sys_socket net/socket.c:1725 [inline]
__se_sys_socket net/socket.c:1723 [inline]
__x64_sys_socket+0x7a/0x90 net/socket.c:1723
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 5770:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:2343 [inline]
slab_free mm/slub.c:4580 [inline]
kfree+0x1a0/0x440 mm/slub.c:4728
sk_prot_free net/core/sock.c:2200 [inline]
__sk_destruct+0x479/0x5f0 net/core/sock.c:2292
sco_sock_release+0x25e/0x320 net/bluetooth/sco.c:1248
__sock_release net/socket.c:658 [inline]
sock_close+0xbe/0x240 net/socket.c:1426
__fput+0x241/0x880 fs/file_table.c:431
task_work_run+0x251/0x310 kernel/task_work.c:228
get_signal+0x15e8/0x1740 kernel/signal.c:2690
arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0xc9/0x370 kernel/entry/common.c:218
do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff8881436fb000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 128 bytes inside of
freed 2048-byte region [ffff8881436fb000, ffff8881436fb800)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1436f8
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0x57ff00000000040(head|node=1|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 057ff00000000040 ffff888015442000 0000000000000000 dead000000000001
raw: 0000000000000000 0000000000080008 00000001f5000000 0000000000000000
head: 057ff00000000040 ffff888015442000 0000000000000000 dead000000000001
head: 0000000000000000 0000000000080008 00000001f5000000 0000000000000000
head: 057ff00000000003 ffffea00050dbe01 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 2322085089, free_ts 0
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0x3045/0x3190 mm/page_alloc.c:3457
__alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4733
alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
alloc_slab_page+0x6a/0x120 mm/slub.c:2413
allocate_slab+0x5a/0x2f0 mm/slub.c:2579
new_slab mm/slub.c:2632 [inline]
___slab_alloc+0xcd1/0x14b0 mm/slub.c:3819
__slab_alloc+0x58/0xa0 mm/slub.c:3909
__slab_alloc_node mm/slub.c:3962 [inline]
slab_alloc_node mm/slub.c:4123 [inline]
__kmalloc_cache_noprof+0x1d5/0x2c0 mm/slub.c:4291
kmalloc_noprof include/linux/slab.h:878 [inline]
kzalloc_noprof include/linux/slab.h:1014 [inline]
acpi_add_single_object+0xe5/0x1e00 drivers/acpi/scan.c:1876
acpi_bus_check_add+0x32b/0x980 drivers/acpi/scan.c:2181
acpi_ns_walk_namespace+0x296/0x4f0
acpi_walk_namespace+0xeb/0x130 drivers/acpi/acpica/nsxfeval.c:606
acpi_bus_scan+0x4c1/0x560 drivers/acpi/scan.c:2595
acpi_scan_init+0x267/0x730 drivers/acpi/scan.c:2747
acpi_init+0x159/0x240 drivers/acpi/bus.c:1466
page_owner free stack trace missing
Memory state around the buggy address:
ffff8881436faf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8881436fb000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881436fb080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881436fb100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881436fb180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: e32cde8d Merge tag 'sched_ext-for-6.12-rc1-fixes-1' of..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13299927980000
kernel config: https://syzkaller.appspot.com/x/.config?x=5997f8b13c390e73
dashboard link: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=121f23d0580000
#syz test On Wed, Oct 2, 2024 at 3:46 PM Luiz Augusto von Dentz <luiz.dentz@gmail.com> wrote: > > #syz test > > On Wed, Oct 2, 2024 at 3:19 PM Luiz Augusto von Dentz > <luiz.dentz@gmail.com> wrote: > > > > #syz test > > > > On Wed, Oct 2, 2024 at 3:04 PM Luiz Augusto von Dentz > > <luiz.dentz@gmail.com> wrote: > > > > > > From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> > > > > > > This makes use of disable_delayed_work_sync instead > > > cancel_delayed_work_sync as it not only cancel the ongoing work but also > > > disables new submit which is disarable since the object holding the work > > > is about to be freed. > > > > > > In addition to it remove call to sco_sock_set_timer on __sco_sock_close > > > since at that point it is useless to set a timer as the sk will be freed > > > there is nothing to be done in sco_sock_timeout. > > > > > > Reported-by: syzbot+4c0d0c4cde787116d465@syzkaller.appspotmail.com > > > Closes: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465 > > > Fixes: ba316be1b6a0 ("Bluetooth: schedule SCO timeouts with delayed_work") > > > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> > > > --- > > > net/bluetooth/sco.c | 13 +------------ > > > 1 file changed, 1 insertion(+), 12 deletions(-) > > > > > > diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c > > > index a5ac160c592e..2b1e66976068 100644 > > > --- a/net/bluetooth/sco.c > > > +++ b/net/bluetooth/sco.c > > > @@ -208,7 +208,7 @@ static void sco_conn_del(struct hci_conn *hcon, int err) > > > } > > > > > > /* Ensure no more work items will run before freeing conn. */ > > > - cancel_delayed_work_sync(&conn->timeout_work); > > > + disable_delayed_work_sync(&conn->timeout_work); > > > > > > hcon->sco_data = NULL; > > > kfree(conn); > > > @@ -442,17 +442,6 @@ static void __sco_sock_close(struct sock *sk) > > > > > > case BT_CONNECTED: > > > case BT_CONFIG: > > > - if (sco_pi(sk)->conn->hcon) { > > > - sk->sk_state = BT_DISCONN; > > > - sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT); > > > - sco_conn_lock(sco_pi(sk)->conn); > > > - hci_conn_drop(sco_pi(sk)->conn->hcon); > > > - sco_pi(sk)->conn->hcon = NULL; > > > - sco_conn_unlock(sco_pi(sk)->conn); > > > - } else > > > - sco_chan_del(sk, ECONNRESET); > > > - break; > > > - > > > case BT_CONNECT2: > > > case BT_CONNECT: > > > case BT_DISCONN: > > > -- > > > 2.46.1 > > > > > > > > > -- > > Luiz Augusto von Dentz > > > > -- > Luiz Augusto von Dentz
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Write in sco_sock_timeout
==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: slab-use-after-free in atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
BUG: KASAN: slab-use-after-free in __refcount_add include/linux/refcount.h:184 [inline]
BUG: KASAN: slab-use-after-free in __refcount_inc include/linux/refcount.h:241 [inline]
BUG: KASAN: slab-use-after-free in refcount_inc include/linux/refcount.h:258 [inline]
BUG: KASAN: slab-use-after-free in sock_hold include/net/sock.h:781 [inline]
BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x8b/0x270 net/bluetooth/sco.c:92
Write of size 4 at addr ffff8881442d6080 by task kworker/1:3/5112
CPU: 1 UID: 0 PID: 5112 Comm: kworker/1:3 Not tainted 6.12.0-rc1-syzkaller-gf23aa4c0761a-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: events sco_sock_timeout
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
__refcount_add include/linux/refcount.h:184 [inline]
__refcount_inc include/linux/refcount.h:241 [inline]
refcount_inc include/linux/refcount.h:258 [inline]
sock_hold include/net/sock.h:781 [inline]
sco_sock_timeout+0x8b/0x270 net/bluetooth/sco.c:92
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f2/0x390 kernel/kthread.c:389
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Allocated by task 5785:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:257 [inline]
__do_kmalloc_node mm/slub.c:4265 [inline]
__kmalloc_noprof+0x1fc/0x400 mm/slub.c:4277
kmalloc_noprof include/linux/slab.h:882 [inline]
sk_prot_alloc+0xe0/0x210 net/core/sock.c:2164
sk_alloc+0x38/0x370 net/core/sock.c:2217
bt_sock_alloc+0x3c/0x340 net/bluetooth/af_bluetooth.c:148
sco_sock_alloc net/bluetooth/sco.c:490 [inline]
sco_sock_create+0xbb/0x390 net/bluetooth/sco.c:521
bt_sock_create+0x163/0x230 net/bluetooth/af_bluetooth.c:132
__sock_create+0x492/0x920 net/socket.c:1576
sock_create net/socket.c:1627 [inline]
__sys_socket_create net/socket.c:1664 [inline]
__sys_socket+0x150/0x3c0 net/socket.c:1711
__do_sys_socket net/socket.c:1725 [inline]
__se_sys_socket net/socket.c:1723 [inline]
__x64_sys_socket+0x7a/0x90 net/socket.c:1723
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 5786:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:2343 [inline]
slab_free mm/slub.c:4580 [inline]
kfree+0x1a0/0x440 mm/slub.c:4728
sk_prot_free net/core/sock.c:2200 [inline]
__sk_destruct+0x479/0x5f0 net/core/sock.c:2292
sco_sock_release+0x25e/0x320 net/bluetooth/sco.c:1249
__sock_release net/socket.c:658 [inline]
sock_close+0xbe/0x240 net/socket.c:1426
__fput+0x241/0x880 fs/file_table.c:431
task_work_run+0x251/0x310 kernel/task_work.c:228
get_signal+0x15e8/0x1740 kernel/signal.c:2690
arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0xc9/0x370 kernel/entry/common.c:218
do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff8881442d6000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 128 bytes inside of
freed 2048-byte region [ffff8881442d6000, ffff8881442d6800)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1442d0
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0x57ff00000000040(head|node=1|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 057ff00000000040 ffff888015442000 0000000000000000 dead000000000001
raw: 0000000000000000 0000000000080008 00000001f5000000 0000000000000000
head: 057ff00000000040 ffff888015442000 0000000000000000 dead000000000001
head: 0000000000000000 0000000000080008 00000001f5000000 0000000000000000
head: 057ff00000000003 ffffea000510b401 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 2464151042, free_ts 0
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0x3045/0x3190 mm/page_alloc.c:3457
__alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4733
alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
alloc_slab_page+0x6a/0x120 mm/slub.c:2413
allocate_slab+0x5a/0x2f0 mm/slub.c:2579
new_slab mm/slub.c:2632 [inline]
___slab_alloc+0xcd1/0x14b0 mm/slub.c:3819
__slab_alloc+0x58/0xa0 mm/slub.c:3909
__slab_alloc_node mm/slub.c:3962 [inline]
slab_alloc_node mm/slub.c:4123 [inline]
__kmalloc_cache_noprof+0x1d5/0x2c0 mm/slub.c:4291
kmalloc_noprof include/linux/slab.h:878 [inline]
kzalloc_noprof include/linux/slab.h:1014 [inline]
acpi_ds_create_walk_state+0x103/0x2a0 drivers/acpi/acpica/dswstate.c:518
acpi_ps_execute_method+0x245/0x880 drivers/acpi/acpica/psxface.c:134
acpi_ns_evaluate+0x5df/0xa40 drivers/acpi/acpica/nseval.c:205
acpi_evaluate_object+0x59b/0xaf0 drivers/acpi/acpica/nsxfeval.c:354
map_mat_entry drivers/acpi/processor_core.c:241 [inline]
acpi_get_phys_id+0xa5/0xd00 drivers/acpi/processor_core.c:274
acpi_get_cpuid+0x28/0x1f0 drivers/acpi/processor_core.c:332
processor_physically_present+0x29a/0x380 drivers/acpi/acpi_processor.c:565
page_owner free stack trace missing
Memory state around the buggy address:
ffff8881442d5f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8881442d6000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881442d6080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881442d6100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881442d6180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: f23aa4c0 Merge tag 'hid-for-linus-2024090201' of git:/..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12d02307980000
kernel config: https://syzkaller.appspot.com/x/.config?x=d0ca089c3fc6b54e
dashboard link: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=14559927980000
#syz test On Wed, Oct 2, 2024 at 4:46 PM Luiz Augusto von Dentz <luiz.dentz@gmail.com> wrote: > > #syz test > > On Wed, Oct 2, 2024 at 3:46 PM Luiz Augusto von Dentz > <luiz.dentz@gmail.com> wrote: > > > > #syz test > > > > On Wed, Oct 2, 2024 at 3:19 PM Luiz Augusto von Dentz > > <luiz.dentz@gmail.com> wrote: > > > > > > #syz test > > > > > > On Wed, Oct 2, 2024 at 3:04 PM Luiz Augusto von Dentz > > > <luiz.dentz@gmail.com> wrote: > > > > > > > > From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> > > > > > > > > This makes use of disable_delayed_work_sync instead > > > > cancel_delayed_work_sync as it not only cancel the ongoing work but also > > > > disables new submit which is disarable since the object holding the work > > > > is about to be freed. > > > > > > > > In addition to it remove call to sco_sock_set_timer on __sco_sock_close > > > > since at that point it is useless to set a timer as the sk will be freed > > > > there is nothing to be done in sco_sock_timeout. > > > > > > > > Reported-by: syzbot+4c0d0c4cde787116d465@syzkaller.appspotmail.com > > > > Closes: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465 > > > > Fixes: ba316be1b6a0 ("Bluetooth: schedule SCO timeouts with delayed_work") > > > > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> > > > > --- > > > > net/bluetooth/sco.c | 13 +------------ > > > > 1 file changed, 1 insertion(+), 12 deletions(-) > > > > > > > > diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c > > > > index a5ac160c592e..2b1e66976068 100644 > > > > --- a/net/bluetooth/sco.c > > > > +++ b/net/bluetooth/sco.c > > > > @@ -208,7 +208,7 @@ static void sco_conn_del(struct hci_conn *hcon, int err) > > > > } > > > > > > > > /* Ensure no more work items will run before freeing conn. */ > > > > - cancel_delayed_work_sync(&conn->timeout_work); > > > > + disable_delayed_work_sync(&conn->timeout_work); > > > > > > > > hcon->sco_data = NULL; > > > > kfree(conn); > > > > @@ -442,17 +442,6 @@ static void __sco_sock_close(struct sock *sk) > > > > > > > > case BT_CONNECTED: > > > > case BT_CONFIG: > > > > - if (sco_pi(sk)->conn->hcon) { > > > > - sk->sk_state = BT_DISCONN; > > > > - sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT); > > > > - sco_conn_lock(sco_pi(sk)->conn); > > > > - hci_conn_drop(sco_pi(sk)->conn->hcon); > > > > - sco_pi(sk)->conn->hcon = NULL; > > > > - sco_conn_unlock(sco_pi(sk)->conn); > > > > - } else > > > > - sco_chan_del(sk, ECONNRESET); > > > > - break; > > > > - > > > > case BT_CONNECT2: > > > > case BT_CONNECT: > > > > case BT_DISCONN: > > > > -- > > > > 2.46.1 > > > > > > > > > > > > > -- > > > Luiz Augusto von Dentz > > > > > > > > -- > > Luiz Augusto von Dentz > > > > -- > Luiz Augusto von Dentz
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Write in hci_conn_drop
==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: slab-use-after-free in atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1383 [inline]
BUG: KASAN: slab-use-after-free in hci_conn_drop+0x34/0x280 include/net/bluetooth/hci_core.h:1548
Write of size 4 at addr ffff88801ea58010 by task syz-executor.0/5537
CPU: 0 UID: 0 PID: 5537 Comm: syz-executor.0 Not tainted 6.12.0-rc1-syzkaller-g7ec462100ef9-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1383 [inline]
hci_conn_drop+0x34/0x280 include/net/bluetooth/hci_core.h:1548
sco_conn_destruct+0x57/0x100 net/bluetooth/sco.c:166
sco_sock_destruct+0x43/0x90 net/bluetooth/sco.c:407
__sk_destruct+0x5a/0x5f0 net/core/sock.c:2259
sco_sock_release+0x25e/0x320 net/bluetooth/sco.c:1259
__sock_release net/socket.c:658 [inline]
sock_close+0xbe/0x240 net/socket.c:1426
__fput+0x241/0x880 fs/file_table.c:431
__do_sys_close fs/open.c:1565 [inline]
__se_sys_close fs/open.c:1550 [inline]
__x64_sys_close+0x7f/0x110 fs/open.c:1550
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa71cc7cd5a
Code: 48 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c 24 0c e8 03 7f 02 00 8b 7c 24 0c 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 36 89 d7 89 44 24 0c e8 63 7f 02 00 8b 44 24
RSP: 002b:00007ffc91af2860 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 00007fa71cc7cd5a
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005
RBP: 00007fa71cdad980 R08: 0000001b2d160000 R09: 7fffffffffffffff
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000016f8e
R13: ffffffffffffffff R14: 00007fa71c800000 R15: 0000000000016c4d
</TASK>
Allocated by task 5455:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:257 [inline]
__kmalloc_cache_noprof+0x19c/0x2c0 mm/slub.c:4296
kmalloc_noprof include/linux/slab.h:878 [inline]
kzalloc_noprof include/linux/slab.h:1014 [inline]
__hci_conn_add+0x2f9/0x1850 net/bluetooth/hci_conn.c:932
hci_conn_add_unset net/bluetooth/hci_conn.c:1041 [inline]
hci_connect_sco+0xd0/0x370 net/bluetooth/hci_conn.c:1689
sco_connect net/bluetooth/sco.c:279 [inline]
sco_sock_connect+0x2fc/0x990 net/bluetooth/sco.c:596
__sys_connect_file net/socket.c:2066 [inline]
__sys_connect+0x2d3/0x300 net/socket.c:2083
__do_sys_connect net/socket.c:2093 [inline]
__se_sys_connect net/socket.c:2090 [inline]
__x64_sys_connect+0x7a/0x90 net/socket.c:2090
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 4494:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:2343 [inline]
slab_free mm/slub.c:4580 [inline]
kfree+0x1a0/0x440 mm/slub.c:4728
device_release+0x9b/0x1c0
kobject_cleanup lib/kobject.c:689 [inline]
kobject_release lib/kobject.c:720 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x231/0x480 lib/kobject.c:737
hci_conn_cleanup net/bluetooth/hci_conn.c:174 [inline]
hci_conn_del+0x8c4/0xc40 net/bluetooth/hci_conn.c:1160
hci_abort_conn_sync+0x583/0xde0 net/bluetooth/hci_sync.c:5586
hci_cmd_sync_work+0x22d/0x400 net/bluetooth/hci_sync.c:328
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f2/0x390 kernel/kthread.c:389
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Last potentially related work creation:
kasan_save_stack+0x3f/0x60 mm/kasan/common.c:47
__kasan_record_aux_stack+0xac/0xc0 mm/kasan/generic.c:541
insert_work+0x3e/0x330 kernel/workqueue.c:2183
__queue_work+0xc8b/0xf50 kernel/workqueue.c:2339
queue_delayed_work_on+0x1ca/0x390 kernel/workqueue.c:2552
sco_conn_destruct+0x57/0x100 net/bluetooth/sco.c:166
sco_sock_destruct+0x43/0x90 net/bluetooth/sco.c:407
__sk_destruct+0x5a/0x5f0 net/core/sock.c:2259
sco_sock_release+0x25e/0x320 net/bluetooth/sco.c:1259
__sock_release net/socket.c:658 [inline]
sock_close+0xbe/0x240 net/socket.c:1426
__fput+0x241/0x880 fs/file_table.c:431
task_work_run+0x251/0x310 kernel/task_work.c:228
get_signal+0x15e8/0x1740 kernel/signal.c:2690
arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0xc9/0x370 kernel/entry/common.c:218
do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff88801ea58000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 16 bytes inside of
freed 8192-byte region [ffff88801ea58000, ffff88801ea5a000)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1ea58
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff888015442280 0000000000000000 dead000000000001
raw: 0000000000000000 0000000080020002 00000001f5000000 0000000000000000
head: 00fff00000000040 ffff888015442280 0000000000000000 dead000000000001
head: 0000000000000000 0000000080020002 00000001f5000000 0000000000000000
head: 00fff00000000003 ffffea00007a9601 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4772, tgid 4772 (dhcpcd-run-hook), ts 33884825404, free_ts 32631813811
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0x3045/0x3190 mm/page_alloc.c:3457
__alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4733
alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
alloc_slab_page+0x6a/0x120 mm/slub.c:2413
allocate_slab+0x5a/0x2f0 mm/slub.c:2579
new_slab mm/slub.c:2632 [inline]
___slab_alloc+0xcd1/0x14b0 mm/slub.c:3819
__slab_alloc+0x58/0xa0 mm/slub.c:3909
__slab_alloc_node mm/slub.c:3962 [inline]
slab_alloc_node mm/slub.c:4123 [inline]
__kmalloc_cache_noprof+0x1d5/0x2c0 mm/slub.c:4291
kmalloc_noprof include/linux/slab.h:878 [inline]
kzalloc_noprof include/linux/slab.h:1014 [inline]
tomoyo_print_bprm security/tomoyo/audit.c:26 [inline]
tomoyo_init_log+0x11cd/0x2050 security/tomoyo/audit.c:264
tomoyo_supervisor+0x38a/0x11f0 security/tomoyo/common.c:2099
tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
tomoyo_env_perm+0x178/0x210 security/tomoyo/environ.c:63
tomoyo_environ security/tomoyo/domain.c:672 [inline]
tomoyo_find_next_domain+0x146e/0x1d40 security/tomoyo/domain.c:881
tomoyo_bprm_check_security+0x114/0x180 security/tomoyo/hooks.h:76
security_bprm_check+0x86/0x250 security/security.c:1296
search_binary_handler fs/exec.c:1740 [inline]
exec_binprm fs/exec.c:1794 [inline]
bprm_execve+0xa56/0x1770 fs/exec.c:1845
page last free pid 4743 tgid 4743 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0xcfb/0xf20 mm/page_alloc.c:2638
discard_slab mm/slub.c:2678 [inline]
__put_partials+0xeb/0x130 mm/slub.c:3146
put_cpu_partial+0x17c/0x250 mm/slub.c:3221
__slab_free+0x2ea/0x3d0 mm/slub.c:4450
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x9a/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:247 [inline]
slab_post_alloc_hook mm/slub.c:4086 [inline]
slab_alloc_node mm/slub.c:4135 [inline]
__kmalloc_cache_noprof+0x132/0x2c0 mm/slub.c:4291
kmalloc_noprof include/linux/slab.h:878 [inline]
tomoyo_print_header security/tomoyo/audit.c:156 [inline]
tomoyo_init_log+0x1ca/0x2050 security/tomoyo/audit.c:255
tomoyo_supervisor+0x38a/0x11f0 security/tomoyo/common.c:2099
tomoyo_audit_path_log security/tomoyo/file.c:168 [inline]
tomoyo_path_permission+0x243/0x360 security/tomoyo/file.c:587
tomoyo_path_perm+0x480/0x740 security/tomoyo/file.c:838
security_inode_getattr+0x130/0x330 security/security.c:2371
vfs_getattr+0x45/0x430 fs/stat.c:204
vfs_fstat fs/stat.c:229 [inline]
vfs_fstatat+0xe4/0x190 fs/stat.c:338
__do_sys_newfstatat fs/stat.c:505 [inline]
__se_sys_newfstatat fs/stat.c:499 [inline]
__x64_sys_newfstatat+0x11d/0x1a0 fs/stat.c:499
Memory state around the buggy address:
ffff88801ea57f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88801ea57f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88801ea58000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88801ea58080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88801ea58100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: 7ec46210 Merge tag 'pull-work.unaligned' of git://git...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=114d5527980000
kernel config: https://syzkaller.appspot.com/x/.config?x=d0ca089c3fc6b54e
dashboard link: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=15355527980000
#syz test On Thu, Oct 3, 2024 at 11:38 AM Luiz Augusto von Dentz <luiz.dentz@gmail.com> wrote: > > #syz test > > On Wed, Oct 2, 2024 at 4:46 PM Luiz Augusto von Dentz > <luiz.dentz@gmail.com> wrote: > > > > #syz test > > > > On Wed, Oct 2, 2024 at 3:46 PM Luiz Augusto von Dentz > > <luiz.dentz@gmail.com> wrote: > > > > > > #syz test > > > > > > On Wed, Oct 2, 2024 at 3:19 PM Luiz Augusto von Dentz > > > <luiz.dentz@gmail.com> wrote: > > > > > > > > #syz test > > > > > > > > On Wed, Oct 2, 2024 at 3:04 PM Luiz Augusto von Dentz > > > > <luiz.dentz@gmail.com> wrote: > > > > > > > > > > From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> > > > > > > > > > > This makes use of disable_delayed_work_sync instead > > > > > cancel_delayed_work_sync as it not only cancel the ongoing work but also > > > > > disables new submit which is disarable since the object holding the work > > > > > is about to be freed. > > > > > > > > > > In addition to it remove call to sco_sock_set_timer on __sco_sock_close > > > > > since at that point it is useless to set a timer as the sk will be freed > > > > > there is nothing to be done in sco_sock_timeout. > > > > > > > > > > Reported-by: syzbot+4c0d0c4cde787116d465@syzkaller.appspotmail.com > > > > > Closes: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465 > > > > > Fixes: ba316be1b6a0 ("Bluetooth: schedule SCO timeouts with delayed_work") > > > > > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> > > > > > --- > > > > > net/bluetooth/sco.c | 13 +------------ > > > > > 1 file changed, 1 insertion(+), 12 deletions(-) > > > > > > > > > > diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c > > > > > index a5ac160c592e..2b1e66976068 100644 > > > > > --- a/net/bluetooth/sco.c > > > > > +++ b/net/bluetooth/sco.c > > > > > @@ -208,7 +208,7 @@ static void sco_conn_del(struct hci_conn *hcon, int err) > > > > > } > > > > > > > > > > /* Ensure no more work items will run before freeing conn. */ > > > > > - cancel_delayed_work_sync(&conn->timeout_work); > > > > > + disable_delayed_work_sync(&conn->timeout_work); > > > > > > > > > > hcon->sco_data = NULL; > > > > > kfree(conn); > > > > > @@ -442,17 +442,6 @@ static void __sco_sock_close(struct sock *sk) > > > > > > > > > > case BT_CONNECTED: > > > > > case BT_CONFIG: > > > > > - if (sco_pi(sk)->conn->hcon) { > > > > > - sk->sk_state = BT_DISCONN; > > > > > - sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT); > > > > > - sco_conn_lock(sco_pi(sk)->conn); > > > > > - hci_conn_drop(sco_pi(sk)->conn->hcon); > > > > > - sco_pi(sk)->conn->hcon = NULL; > > > > > - sco_conn_unlock(sco_pi(sk)->conn); > > > > > - } else > > > > > - sco_chan_del(sk, ECONNRESET); > > > > > - break; > > > > > - > > > > > case BT_CONNECT2: > > > > > case BT_CONNECT: > > > > > case BT_DISCONN: > > > > > -- > > > > > 2.46.1 > > > > > > > > > > > > > > > > > -- > > > > Luiz Augusto von Dentz > > > > > > > > > > > > -- > > > Luiz Augusto von Dentz > > > > > > > > -- > > Luiz Augusto von Dentz > > > > -- > Luiz Augusto von Dentz
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Write in sco_sock_destruct
==================================================================
BUG: KASAN: slab-use-after-free in sco_conn_destruct net/bluetooth/sco.c:167 [inline]
BUG: KASAN: slab-use-after-free in sco_sock_destruct+0xb9/0x170 net/bluetooth/sco.c:409
Write of size 8 at addr ffff88807926cfe8 by task syz-executor.0/5580
CPU: 0 UID: 0 PID: 5580 Comm: syz-executor.0 Not tainted 6.12.0-rc1-syzkaller-g7ec462100ef9-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
sco_conn_destruct net/bluetooth/sco.c:167 [inline]
sco_sock_destruct+0xb9/0x170 net/bluetooth/sco.c:409
__sk_destruct+0x5a/0x5f0 net/core/sock.c:2259
sco_sock_release+0x25e/0x320 net/bluetooth/sco.c:1261
__sock_release net/socket.c:658 [inline]
sock_close+0xbe/0x240 net/socket.c:1426
__fput+0x241/0x880 fs/file_table.c:431
task_work_run+0x251/0x310 kernel/task_work.c:228
get_signal+0x15e8/0x1740 kernel/signal.c:2690
arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0xc9/0x370 kernel/entry/common.c:218
do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f16c9a7de69
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f16ca8910c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: fffffffffffffffc RBX: 00007f16c9babf80 RCX: 00007f16c9a7de69
RDX: 0000000000000008 RSI: 0000000020000000 RDI: 0000000000000005
RBP: 00007f16c9aca47a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f16c9babf80 R15: 00007ffceef62378
</TASK>
Allocated by task 5580:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:257 [inline]
__kmalloc_cache_noprof+0x19c/0x2c0 mm/slub.c:4296
kmalloc_noprof include/linux/slab.h:878 [inline]
kzalloc_noprof include/linux/slab.h:1014 [inline]
__hci_conn_add+0x2f9/0x1850 net/bluetooth/hci_conn.c:932
hci_conn_add_unset net/bluetooth/hci_conn.c:1041 [inline]
hci_connect_sco+0xd0/0x370 net/bluetooth/hci_conn.c:1689
sco_connect net/bluetooth/sco.c:281 [inline]
sco_sock_connect+0x2fc/0x990 net/bluetooth/sco.c:598
__sys_connect_file net/socket.c:2066 [inline]
__sys_connect+0x2d3/0x300 net/socket.c:2083
__do_sys_connect net/socket.c:2093 [inline]
__se_sys_connect net/socket.c:2090 [inline]
__x64_sys_connect+0x7a/0x90 net/socket.c:2090
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 54:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:2343 [inline]
slab_free mm/slub.c:4580 [inline]
kfree+0x1a0/0x440 mm/slub.c:4728
device_release+0x9b/0x1c0
kobject_cleanup lib/kobject.c:689 [inline]
kobject_release lib/kobject.c:720 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x231/0x480 lib/kobject.c:737
hci_conn_cleanup net/bluetooth/hci_conn.c:174 [inline]
hci_conn_del+0x8c4/0xc40 net/bluetooth/hci_conn.c:1160
hci_abort_conn_sync+0x583/0xde0 net/bluetooth/hci_sync.c:5586
hci_cmd_sync_work+0x22d/0x400 net/bluetooth/hci_sync.c:328
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f2/0x390 kernel/kthread.c:389
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Last potentially related work creation:
kasan_save_stack+0x3f/0x60 mm/kasan/common.c:47
__kasan_record_aux_stack+0xac/0xc0 mm/kasan/generic.c:541
insert_work+0x3e/0x330 kernel/workqueue.c:2183
__queue_work+0xc8b/0xf50 kernel/workqueue.c:2339
queue_delayed_work_on+0x1ca/0x390 kernel/workqueue.c:2552
sco_chan_del net/bluetooth/sco.c:190 [inline]
__sco_sock_close+0x22b/0x430 net/bluetooth/sco.c:461
sco_sock_close net/bluetooth/sco.c:476 [inline]
sco_sock_release+0xb3/0x320 net/bluetooth/sco.c:1251
__sock_release net/socket.c:658 [inline]
sock_close+0xbe/0x240 net/socket.c:1426
__fput+0x241/0x880 fs/file_table.c:431
task_work_run+0x251/0x310 kernel/task_work.c:228
get_signal+0x15e8/0x1740 kernel/signal.c:2690
arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0xc9/0x370 kernel/entry/common.c:218
do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff88807926c000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 4072 bytes inside of
freed 8192-byte region [ffff88807926c000, ffff88807926e000)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x79268
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff888015442280 0000000000000000 0000000000000001
raw: 0000000000000000 0000000080020002 00000001f5000000 0000000000000000
head: 00fff00000000040 ffff888015442280 0000000000000000 0000000000000001
head: 0000000000000000 0000000080020002 00000001f5000000 0000000000000000
head: 00fff00000000003 ffffea0001e49a01 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4757, tgid 4757 (start-stop-daem), ts 32264510159, free_ts 32243341192
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0x3045/0x3190 mm/page_alloc.c:3457
__alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4733
alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
alloc_slab_page+0x6a/0x120 mm/slub.c:2413
allocate_slab+0x5a/0x2f0 mm/slub.c:2579
new_slab mm/slub.c:2632 [inline]
___slab_alloc+0xcd1/0x14b0 mm/slub.c:3819
__slab_alloc+0x58/0xa0 mm/slub.c:3909
__slab_alloc_node mm/slub.c:3962 [inline]
slab_alloc_node mm/slub.c:4123 [inline]
__kmalloc_cache_noprof+0x1d5/0x2c0 mm/slub.c:4291
kmalloc_noprof include/linux/slab.h:878 [inline]
kzalloc_noprof include/linux/slab.h:1014 [inline]
tomoyo_print_bprm security/tomoyo/audit.c:26 [inline]
tomoyo_init_log+0x11cd/0x2050 security/tomoyo/audit.c:264
tomoyo_supervisor+0x38a/0x11f0 security/tomoyo/common.c:2099
tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
tomoyo_env_perm+0x178/0x210 security/tomoyo/environ.c:63
tomoyo_environ security/tomoyo/domain.c:672 [inline]
tomoyo_find_next_domain+0x146e/0x1d40 security/tomoyo/domain.c:881
tomoyo_bprm_check_security+0x114/0x180 security/tomoyo/hooks.h:76
security_bprm_check+0x86/0x250 security/security.c:1296
search_binary_handler fs/exec.c:1740 [inline]
exec_binprm fs/exec.c:1794 [inline]
bprm_execve+0xa56/0x1770 fs/exec.c:1845
page last free pid 4757 tgid 4757 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0xcfb/0xf20 mm/page_alloc.c:2638
discard_slab mm/slub.c:2678 [inline]
__put_partials+0xeb/0x130 mm/slub.c:3146
put_cpu_partial+0x17c/0x250 mm/slub.c:3221
__slab_free+0x2ea/0x3d0 mm/slub.c:4450
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x9a/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:247 [inline]
slab_post_alloc_hook mm/slub.c:4086 [inline]
slab_alloc_node mm/slub.c:4135 [inline]
__do_kmalloc_node mm/slub.c:4264 [inline]
__kmalloc_noprof+0x1a6/0x400 mm/slub.c:4277
kmalloc_noprof include/linux/slab.h:882 [inline]
load_elf_phdrs fs/binfmt_elf.c:526 [inline]
load_elf_binary+0x2eb/0x2710 fs/binfmt_elf.c:855
search_binary_handler fs/exec.c:1752 [inline]
exec_binprm fs/exec.c:1794 [inline]
bprm_execve+0xafa/0x1770 fs/exec.c:1845
do_execveat_common+0x55f/0x6f0 fs/exec.c:1952
do_execve fs/exec.c:2026 [inline]
__do_sys_execve fs/exec.c:2102 [inline]
__se_sys_execve fs/exec.c:2097 [inline]
__x64_sys_execve+0x92/0xb0 fs/exec.c:2097
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff88807926ce80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807926cf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88807926cf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88807926d000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807926d080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: 7ec46210 Merge tag 'pull-work.unaligned' of git://git...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13e97580580000
kernel config: https://syzkaller.appspot.com/x/.config?x=d0ca089c3fc6b54e
dashboard link: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=11f17580580000
#syz test On Thu, Oct 3, 2024 at 12:32 PM Luiz Augusto von Dentz <luiz.dentz@gmail.com> wrote: > > #syz test > > On Thu, Oct 3, 2024 at 11:38 AM Luiz Augusto von Dentz > <luiz.dentz@gmail.com> wrote: > > > > #syz test > > > > On Wed, Oct 2, 2024 at 4:46 PM Luiz Augusto von Dentz > > <luiz.dentz@gmail.com> wrote: > > > > > > #syz test > > > > > > On Wed, Oct 2, 2024 at 3:46 PM Luiz Augusto von Dentz > > > <luiz.dentz@gmail.com> wrote: > > > > > > > > #syz test > > > > > > > > On Wed, Oct 2, 2024 at 3:19 PM Luiz Augusto von Dentz > > > > <luiz.dentz@gmail.com> wrote: > > > > > > > > > > #syz test > > > > > > > > > > On Wed, Oct 2, 2024 at 3:04 PM Luiz Augusto von Dentz > > > > > <luiz.dentz@gmail.com> wrote: > > > > > > > > > > > > From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> > > > > > > > > > > > > This makes use of disable_delayed_work_sync instead > > > > > > cancel_delayed_work_sync as it not only cancel the ongoing work but also > > > > > > disables new submit which is disarable since the object holding the work > > > > > > is about to be freed. > > > > > > > > > > > > In addition to it remove call to sco_sock_set_timer on __sco_sock_close > > > > > > since at that point it is useless to set a timer as the sk will be freed > > > > > > there is nothing to be done in sco_sock_timeout. > > > > > > > > > > > > Reported-by: syzbot+4c0d0c4cde787116d465@syzkaller.appspotmail.com > > > > > > Closes: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465 > > > > > > Fixes: ba316be1b6a0 ("Bluetooth: schedule SCO timeouts with delayed_work") > > > > > > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> > > > > > > --- > > > > > > net/bluetooth/sco.c | 13 +------------ > > > > > > 1 file changed, 1 insertion(+), 12 deletions(-) > > > > > > > > > > > > diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c > > > > > > index a5ac160c592e..2b1e66976068 100644 > > > > > > --- a/net/bluetooth/sco.c > > > > > > +++ b/net/bluetooth/sco.c > > > > > > @@ -208,7 +208,7 @@ static void sco_conn_del(struct hci_conn *hcon, int err) > > > > > > } > > > > > > > > > > > > /* Ensure no more work items will run before freeing conn. */ > > > > > > - cancel_delayed_work_sync(&conn->timeout_work); > > > > > > + disable_delayed_work_sync(&conn->timeout_work); > > > > > > > > > > > > hcon->sco_data = NULL; > > > > > > kfree(conn); > > > > > > @@ -442,17 +442,6 @@ static void __sco_sock_close(struct sock *sk) > > > > > > > > > > > > case BT_CONNECTED: > > > > > > case BT_CONFIG: > > > > > > - if (sco_pi(sk)->conn->hcon) { > > > > > > - sk->sk_state = BT_DISCONN; > > > > > > - sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT); > > > > > > - sco_conn_lock(sco_pi(sk)->conn); > > > > > > - hci_conn_drop(sco_pi(sk)->conn->hcon); > > > > > > - sco_pi(sk)->conn->hcon = NULL; > > > > > > - sco_conn_unlock(sco_pi(sk)->conn); > > > > > > - } else > > > > > > - sco_chan_del(sk, ECONNRESET); > > > > > > - break; > > > > > > - > > > > > > case BT_CONNECT2: > > > > > > case BT_CONNECT: > > > > > > case BT_DISCONN: > > > > > > -- > > > > > > 2.46.1 > > > > > > > > > > > > > > > > > > > > > -- > > > > > Luiz Augusto von Dentz > > > > > > > > > > > > > > > > -- > > > > Luiz Augusto von Dentz > > > > > > > > > > > > -- > > > Luiz Augusto von Dentz > > > > > > > > -- > > Luiz Augusto von Dentz > > > > -- > Luiz Augusto von Dentz
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Write in sco_sock_timeout
==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: slab-use-after-free in atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
BUG: KASAN: slab-use-after-free in __refcount_add include/linux/refcount.h:184 [inline]
BUG: KASAN: slab-use-after-free in __refcount_inc include/linux/refcount.h:241 [inline]
BUG: KASAN: slab-use-after-free in refcount_inc include/linux/refcount.h:258 [inline]
BUG: KASAN: slab-use-after-free in sock_hold include/net/sock.h:781 [inline]
BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x8b/0x270 net/bluetooth/sco.c:92
Write of size 4 at addr ffff88802639a080 by task kworker/1:2/1808
CPU: 1 UID: 0 PID: 1808 Comm: kworker/1:2 Not tainted 6.12.0-rc1-syzkaller-00113-g8c245fe7dde3-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: events sco_sock_timeout
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
__refcount_add include/linux/refcount.h:184 [inline]
__refcount_inc include/linux/refcount.h:241 [inline]
refcount_inc include/linux/refcount.h:258 [inline]
sock_hold include/net/sock.h:781 [inline]
sco_sock_timeout+0x8b/0x270 net/bluetooth/sco.c:92
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f2/0x390 kernel/kthread.c:389
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Allocated by task 25:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:257 [inline]
__do_kmalloc_node mm/slub.c:4265 [inline]
__kmalloc_node_track_caller_noprof+0x225/0x440 mm/slub.c:4284
kmalloc_reserve+0x111/0x2a0 net/core/skbuff.c:609
__alloc_skb+0x1f3/0x440 net/core/skbuff.c:678
alloc_skb include/linux/skbuff.h:1322 [inline]
nsim_dev_trap_skb_build drivers/net/netdevsim/dev.c:748 [inline]
nsim_dev_trap_report drivers/net/netdevsim/dev.c:805 [inline]
nsim_dev_trap_report_work+0x254/0xaa0 drivers/net/netdevsim/dev.c:850
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f2/0x390 kernel/kthread.c:389
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Freed by task 25:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:2343 [inline]
slab_free mm/slub.c:4580 [inline]
kfree+0x1a0/0x440 mm/slub.c:4728
skb_kfree_head net/core/skbuff.c:1086 [inline]
skb_free_head net/core/skbuff.c:1098 [inline]
skb_release_data+0x6a0/0x8a0 net/core/skbuff.c:1125
skb_release_all net/core/skbuff.c:1190 [inline]
__kfree_skb net/core/skbuff.c:1204 [inline]
consume_skb+0x9f/0xf0 net/core/skbuff.c:1436
nsim_dev_trap_report drivers/net/netdevsim/dev.c:821 [inline]
nsim_dev_trap_report_work+0x765/0xaa0 drivers/net/netdevsim/dev.c:850
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f2/0x390 kernel/kthread.c:389
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
The buggy address belongs to the object at ffff88802639a000
which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 128 bytes inside of
freed 4096-byte region [ffff88802639a000, ffff88802639b000)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x26398
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff888015442140 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000040004 00000001f5000000 0000000000000000
head: 00fff00000000040 ffff888015442140 dead000000000122 0000000000000000
head: 0000000000000000 0000000000040004 00000001f5000000 0000000000000000
head: 00fff00000000003 ffffea000098e601 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5398, tgid 5398 (udevd), ts 123333990998, free_ts 123322335448
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0x3045/0x3190 mm/page_alloc.c:3457
__alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4733
alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
alloc_slab_page+0x6a/0x120 mm/slub.c:2413
allocate_slab+0x5a/0x2f0 mm/slub.c:2579
new_slab mm/slub.c:2632 [inline]
___slab_alloc+0xcd1/0x14b0 mm/slub.c:3819
__slab_alloc+0x58/0xa0 mm/slub.c:3909
__slab_alloc_node mm/slub.c:3962 [inline]
slab_alloc_node mm/slub.c:4123 [inline]
__do_kmalloc_node mm/slub.c:4264 [inline]
__kmalloc_noprof+0x25a/0x400 mm/slub.c:4277
kmalloc_noprof include/linux/slab.h:882 [inline]
tomoyo_realpath_from_path+0xcf/0x5e0 security/tomoyo/realpath.c:251
tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
tomoyo_path2_perm+0x3eb/0xbb0 security/tomoyo/file.c:923
tomoyo_path_rename+0x198/0x1e0 security/tomoyo/hooks.h:274
security_path_rename+0x266/0x4e0 security/security.c:2020
do_renameat2+0x94a/0x13f0 fs/namei.c:5157
__do_sys_rename fs/namei.c:5217 [inline]
__se_sys_rename fs/namei.c:5215 [inline]
__x64_sys_rename+0x82/0x90 fs/namei.c:5215
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
page last free pid 4548 tgid 4548 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0xcfb/0xf20 mm/page_alloc.c:2638
__slab_free+0x31b/0x3d0 mm/slub.c:4491
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x9a/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:247 [inline]
slab_post_alloc_hook mm/slub.c:4086 [inline]
slab_alloc_node mm/slub.c:4135 [inline]
__do_kmalloc_node mm/slub.c:4264 [inline]
__kmalloc_noprof+0x1a6/0x400 mm/slub.c:4277
kmalloc_noprof include/linux/slab.h:882 [inline]
tomoyo_realpath_from_path+0xcf/0x5e0 security/tomoyo/realpath.c:251
tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
tomoyo_path_perm+0x2b7/0x740 security/tomoyo/file.c:822
security_inode_getattr+0x130/0x330 security/security.c:2371
vfs_getattr+0x45/0x430 fs/stat.c:204
vfs_fstat fs/stat.c:229 [inline]
vfs_fstatat+0xe4/0x190 fs/stat.c:338
__do_sys_newfstatat fs/stat.c:505 [inline]
__se_sys_newfstatat fs/stat.c:499 [inline]
__x64_sys_newfstatat+0x11d/0x1a0 fs/stat.c:499
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff888026399f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88802639a000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88802639a080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88802639a100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88802639a180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: 8c245fe7 Merge tag 'net-6.12-rc2' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13156307980000
kernel config: https://syzkaller.appspot.com/x/.config?x=d0ca089c3fc6b54e
dashboard link: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=17377580580000
On Thu, Oct 3, 2024 at 3:44 PM syzbot <syzbot+4c0d0c4cde787116d465@syzkaller.appspotmail.com> wrote: > > Hello, > > syzbot has tested the proposed patch but the reproducer is still triggering an issue: > KASAN: slab-use-after-free Write in sco_sock_timeout > > ================================================================== > BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline] > BUG: KASAN: slab-use-after-free in atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline] > BUG: KASAN: slab-use-after-free in __refcount_add include/linux/refcount.h:184 [inline] > BUG: KASAN: slab-use-after-free in __refcount_inc include/linux/refcount.h:241 [inline] > BUG: KASAN: slab-use-after-free in refcount_inc include/linux/refcount.h:258 [inline] > BUG: KASAN: slab-use-after-free in sock_hold include/net/sock.h:781 [inline] > BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x8b/0x270 net/bluetooth/sco.c:92 > Write of size 4 at addr ffff88802639a080 by task kworker/1:2/1808 This really doesn't make much sense, it seems this is catching a UAF on sock_hold but the backtrace shows it was freed with skb_free, even if the memory was reclaimed and then reallocated that would just it more difficult to find out why this is happening. > CPU: 1 UID: 0 PID: 1808 Comm: kworker/1:2 Not tainted 6.12.0-rc1-syzkaller-00113-g8c245fe7dde3-dirty #0 > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 > Workqueue: events sco_sock_timeout > Call Trace: > <TASK> > __dump_stack lib/dump_stack.c:94 [inline] > dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 > print_address_description mm/kasan/report.c:377 [inline] > print_report+0x169/0x550 mm/kasan/report.c:488 > kasan_report+0x143/0x180 mm/kasan/report.c:601 > kasan_check_range+0x282/0x290 mm/kasan/generic.c:189 > instrument_atomic_read_write include/linux/instrumented.h:96 [inline] > atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline] > __refcount_add include/linux/refcount.h:184 [inline] > __refcount_inc include/linux/refcount.h:241 [inline] > refcount_inc include/linux/refcount.h:258 [inline] > sock_hold include/net/sock.h:781 [inline] > sco_sock_timeout+0x8b/0x270 net/bluetooth/sco.c:92 > process_one_work kernel/workqueue.c:3229 [inline] > process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310 > worker_thread+0x870/0xd30 kernel/workqueue.c:3391 > kthread+0x2f2/0x390 kernel/kthread.c:389 > ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 > ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 > </TASK> > > Allocated by task 25: > kasan_save_stack mm/kasan/common.c:47 [inline] > kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 > poison_kmalloc_redzone mm/kasan/common.c:377 [inline] > __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394 > kasan_kmalloc include/linux/kasan.h:257 [inline] > __do_kmalloc_node mm/slub.c:4265 [inline] > __kmalloc_node_track_caller_noprof+0x225/0x440 mm/slub.c:4284 > kmalloc_reserve+0x111/0x2a0 net/core/skbuff.c:609 > __alloc_skb+0x1f3/0x440 net/core/skbuff.c:678 > alloc_skb include/linux/skbuff.h:1322 [inline] > nsim_dev_trap_skb_build drivers/net/netdevsim/dev.c:748 [inline] > nsim_dev_trap_report drivers/net/netdevsim/dev.c:805 [inline] > nsim_dev_trap_report_work+0x254/0xaa0 drivers/net/netdevsim/dev.c:850 > process_one_work kernel/workqueue.c:3229 [inline] > process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310 > worker_thread+0x870/0xd30 kernel/workqueue.c:3391 > kthread+0x2f2/0x390 kernel/kthread.c:389 > ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 > ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 > > Freed by task 25: > kasan_save_stack mm/kasan/common.c:47 [inline] > kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 > kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579 > poison_slab_object mm/kasan/common.c:247 [inline] > __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264 > kasan_slab_free include/linux/kasan.h:230 [inline] > slab_free_hook mm/slub.c:2343 [inline] > slab_free mm/slub.c:4580 [inline] > kfree+0x1a0/0x440 mm/slub.c:4728 > skb_kfree_head net/core/skbuff.c:1086 [inline] > skb_free_head net/core/skbuff.c:1098 [inline] > skb_release_data+0x6a0/0x8a0 net/core/skbuff.c:1125 > skb_release_all net/core/skbuff.c:1190 [inline] > __kfree_skb net/core/skbuff.c:1204 [inline] > consume_skb+0x9f/0xf0 net/core/skbuff.c:1436 > nsim_dev_trap_report drivers/net/netdevsim/dev.c:821 [inline] > nsim_dev_trap_report_work+0x765/0xaa0 drivers/net/netdevsim/dev.c:850 > process_one_work kernel/workqueue.c:3229 [inline] > process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310 > worker_thread+0x870/0xd30 kernel/workqueue.c:3391 > kthread+0x2f2/0x390 kernel/kthread.c:389 > ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 > ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 > > The buggy address belongs to the object at ffff88802639a000 > which belongs to the cache kmalloc-4k of size 4096 > The buggy address is located 128 bytes inside of > freed 4096-byte region [ffff88802639a000, ffff88802639b000) > > The buggy address belongs to the physical page: > page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x26398 > head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 > flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) > page_type: f5(slab) > raw: 00fff00000000040 ffff888015442140 dead000000000122 0000000000000000 > raw: 0000000000000000 0000000000040004 00000001f5000000 0000000000000000 > head: 00fff00000000040 ffff888015442140 dead000000000122 0000000000000000 > head: 0000000000000000 0000000000040004 00000001f5000000 0000000000000000 > head: 00fff00000000003 ffffea000098e601 ffffffffffffffff 0000000000000000 > head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 > page dumped because: kasan: bad access detected > page_owner tracks the page as allocated > page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5398, tgid 5398 (udevd), ts 123333990998, free_ts 123322335448 > set_page_owner include/linux/page_owner.h:32 [inline] > post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537 > prep_new_page mm/page_alloc.c:1545 [inline] > get_page_from_freelist+0x3045/0x3190 mm/page_alloc.c:3457 > __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4733 > alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265 > alloc_slab_page+0x6a/0x120 mm/slub.c:2413 > allocate_slab+0x5a/0x2f0 mm/slub.c:2579 > new_slab mm/slub.c:2632 [inline] > ___slab_alloc+0xcd1/0x14b0 mm/slub.c:3819 > __slab_alloc+0x58/0xa0 mm/slub.c:3909 > __slab_alloc_node mm/slub.c:3962 [inline] > slab_alloc_node mm/slub.c:4123 [inline] > __do_kmalloc_node mm/slub.c:4264 [inline] > __kmalloc_noprof+0x25a/0x400 mm/slub.c:4277 > kmalloc_noprof include/linux/slab.h:882 [inline] > tomoyo_realpath_from_path+0xcf/0x5e0 security/tomoyo/realpath.c:251 > tomoyo_get_realpath security/tomoyo/file.c:151 [inline] > tomoyo_path2_perm+0x3eb/0xbb0 security/tomoyo/file.c:923 > tomoyo_path_rename+0x198/0x1e0 security/tomoyo/hooks.h:274 > security_path_rename+0x266/0x4e0 security/security.c:2020 > do_renameat2+0x94a/0x13f0 fs/namei.c:5157 > __do_sys_rename fs/namei.c:5217 [inline] > __se_sys_rename fs/namei.c:5215 [inline] > __x64_sys_rename+0x82/0x90 fs/namei.c:5215 > do_syscall_x64 arch/x86/entry/common.c:52 [inline] > do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 > page last free pid 4548 tgid 4548 stack trace: > reset_page_owner include/linux/page_owner.h:25 [inline] > free_pages_prepare mm/page_alloc.c:1108 [inline] > free_unref_page+0xcfb/0xf20 mm/page_alloc.c:2638 > __slab_free+0x31b/0x3d0 mm/slub.c:4491 > qlink_free mm/kasan/quarantine.c:163 [inline] > qlist_free_all+0x9a/0x140 mm/kasan/quarantine.c:179 > kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286 > __kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:329 > kasan_slab_alloc include/linux/kasan.h:247 [inline] > slab_post_alloc_hook mm/slub.c:4086 [inline] > slab_alloc_node mm/slub.c:4135 [inline] > __do_kmalloc_node mm/slub.c:4264 [inline] > __kmalloc_noprof+0x1a6/0x400 mm/slub.c:4277 > kmalloc_noprof include/linux/slab.h:882 [inline] > tomoyo_realpath_from_path+0xcf/0x5e0 security/tomoyo/realpath.c:251 > tomoyo_get_realpath security/tomoyo/file.c:151 [inline] > tomoyo_path_perm+0x2b7/0x740 security/tomoyo/file.c:822 > security_inode_getattr+0x130/0x330 security/security.c:2371 > vfs_getattr+0x45/0x430 fs/stat.c:204 > vfs_fstat fs/stat.c:229 [inline] > vfs_fstatat+0xe4/0x190 fs/stat.c:338 > __do_sys_newfstatat fs/stat.c:505 [inline] > __se_sys_newfstatat fs/stat.c:499 [inline] > __x64_sys_newfstatat+0x11d/0x1a0 fs/stat.c:499 > do_syscall_x64 arch/x86/entry/common.c:52 [inline] > do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 > entry_SYSCALL_64_after_hwframe+0x77/0x7f > > Memory state around the buggy address: > ffff888026399f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc > ffff88802639a000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > >ffff88802639a080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > ^ > ffff88802639a100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > ffff88802639a180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > ================================================================== > > > Tested on: > > commit: 8c245fe7 Merge tag 'net-6.12-rc2' of git://git.kernel... > git tree: upstream > console output: https://syzkaller.appspot.com/x/log.txt?x=13156307980000 > kernel config: https://syzkaller.appspot.com/x/.config?x=d0ca089c3fc6b54e > dashboard link: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465 > compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 > patch: https://syzkaller.appspot.com/x/patch.diff?x=17377580580000 >
#syz test On Thu, Oct 3, 2024 at 3:21 PM Luiz Augusto von Dentz <luiz.dentz@gmail.com> wrote: > > #syz test > > On Thu, Oct 3, 2024 at 12:32 PM Luiz Augusto von Dentz > <luiz.dentz@gmail.com> wrote: > > > > #syz test > > > > On Thu, Oct 3, 2024 at 11:38 AM Luiz Augusto von Dentz > > <luiz.dentz@gmail.com> wrote: > > > > > > #syz test > > > > > > On Wed, Oct 2, 2024 at 4:46 PM Luiz Augusto von Dentz > > > <luiz.dentz@gmail.com> wrote: > > > > > > > > #syz test > > > > > > > > On Wed, Oct 2, 2024 at 3:46 PM Luiz Augusto von Dentz > > > > <luiz.dentz@gmail.com> wrote: > > > > > > > > > > #syz test > > > > > > > > > > On Wed, Oct 2, 2024 at 3:19 PM Luiz Augusto von Dentz > > > > > <luiz.dentz@gmail.com> wrote: > > > > > > > > > > > > #syz test > > > > > > > > > > > > On Wed, Oct 2, 2024 at 3:04 PM Luiz Augusto von Dentz > > > > > > <luiz.dentz@gmail.com> wrote: > > > > > > > > > > > > > > From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> > > > > > > > > > > > > > > This makes use of disable_delayed_work_sync instead > > > > > > > cancel_delayed_work_sync as it not only cancel the ongoing work but also > > > > > > > disables new submit which is disarable since the object holding the work > > > > > > > is about to be freed. > > > > > > > > > > > > > > In addition to it remove call to sco_sock_set_timer on __sco_sock_close > > > > > > > since at that point it is useless to set a timer as the sk will be freed > > > > > > > there is nothing to be done in sco_sock_timeout. > > > > > > > > > > > > > > Reported-by: syzbot+4c0d0c4cde787116d465@syzkaller.appspotmail.com > > > > > > > Closes: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465 > > > > > > > Fixes: ba316be1b6a0 ("Bluetooth: schedule SCO timeouts with delayed_work") > > > > > > > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> > > > > > > > --- > > > > > > > net/bluetooth/sco.c | 13 +------------ > > > > > > > 1 file changed, 1 insertion(+), 12 deletions(-) > > > > > > > > > > > > > > diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c > > > > > > > index a5ac160c592e..2b1e66976068 100644 > > > > > > > --- a/net/bluetooth/sco.c > > > > > > > +++ b/net/bluetooth/sco.c > > > > > > > @@ -208,7 +208,7 @@ static void sco_conn_del(struct hci_conn *hcon, int err) > > > > > > > } > > > > > > > > > > > > > > /* Ensure no more work items will run before freeing conn. */ > > > > > > > - cancel_delayed_work_sync(&conn->timeout_work); > > > > > > > + disable_delayed_work_sync(&conn->timeout_work); > > > > > > > > > > > > > > hcon->sco_data = NULL; > > > > > > > kfree(conn); > > > > > > > @@ -442,17 +442,6 @@ static void __sco_sock_close(struct sock *sk) > > > > > > > > > > > > > > case BT_CONNECTED: > > > > > > > case BT_CONFIG: > > > > > > > - if (sco_pi(sk)->conn->hcon) { > > > > > > > - sk->sk_state = BT_DISCONN; > > > > > > > - sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT); > > > > > > > - sco_conn_lock(sco_pi(sk)->conn); > > > > > > > - hci_conn_drop(sco_pi(sk)->conn->hcon); > > > > > > > - sco_pi(sk)->conn->hcon = NULL; > > > > > > > - sco_conn_unlock(sco_pi(sk)->conn); > > > > > > > - } else > > > > > > > - sco_chan_del(sk, ECONNRESET); > > > > > > > - break; > > > > > > > - > > > > > > > case BT_CONNECT2: > > > > > > > case BT_CONNECT: > > > > > > > case BT_DISCONN: > > > > > > > -- > > > > > > > 2.46.1 > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > Luiz Augusto von Dentz > > > > > > > > > > > > > > > > > > > > -- > > > > > Luiz Augusto von Dentz > > > > > > > > > > > > > > > > -- > > > > Luiz Augusto von Dentz > > > > > > > > > > > > -- > > > Luiz Augusto von Dentz > > > > > > > > -- > > Luiz Augusto von Dentz > > > > -- > Luiz Augusto von Dentz
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Write in sco_conn_del
==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: slab-use-after-free in atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
BUG: KASAN: slab-use-after-free in __refcount_add include/linux/refcount.h:184 [inline]
BUG: KASAN: slab-use-after-free in __refcount_inc include/linux/refcount.h:241 [inline]
BUG: KASAN: slab-use-after-free in refcount_inc include/linux/refcount.h:258 [inline]
BUG: KASAN: slab-use-after-free in sock_hold include/net/sock.h:781 [inline]
BUG: KASAN: slab-use-after-free in sco_conn_del+0x9a/0x2c0 net/bluetooth/sco.c:227
Write of size 4 at addr ffff88801f485080 by task kworker/u9:1/4491
CPU: 0 UID: 0 PID: 4491 Comm: kworker/u9:1 Not tainted 6.12.0-rc1-syzkaller-00125-g0c559323bbaa-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
__refcount_add include/linux/refcount.h:184 [inline]
__refcount_inc include/linux/refcount.h:241 [inline]
refcount_inc include/linux/refcount.h:258 [inline]
sock_hold include/net/sock.h:781 [inline]
sco_conn_del+0x9a/0x2c0 net/bluetooth/sco.c:227
sco_connect_cfm+0xe6/0xb40 net/bluetooth/sco.c:1381
hci_connect_cfm include/net/bluetooth/hci_core.h:1960 [inline]
hci_conn_failed+0x1d0/0x300 net/bluetooth/hci_conn.c:1262
hci_abort_conn_sync+0x583/0xde0 net/bluetooth/hci_sync.c:5586
hci_cmd_sync_work+0x22d/0x400 net/bluetooth/hci_sync.c:328
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f2/0x390 kernel/kthread.c:389
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Allocated by task 5576:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:257 [inline]
__do_kmalloc_node mm/slub.c:4265 [inline]
__kmalloc_noprof+0x1fc/0x400 mm/slub.c:4277
kmalloc_noprof include/linux/slab.h:882 [inline]
sk_prot_alloc+0xe0/0x210 net/core/sock.c:2164
sk_alloc+0x38/0x370 net/core/sock.c:2217
bt_sock_alloc+0x3c/0x340 net/bluetooth/af_bluetooth.c:148
sco_sock_alloc net/bluetooth/sco.c:517 [inline]
sco_sock_create+0xbb/0x390 net/bluetooth/sco.c:548
bt_sock_create+0x163/0x230 net/bluetooth/af_bluetooth.c:132
__sock_create+0x492/0x920 net/socket.c:1576
sock_create net/socket.c:1627 [inline]
__sys_socket_create net/socket.c:1664 [inline]
__sys_socket+0x150/0x3c0 net/socket.c:1711
__do_sys_socket net/socket.c:1725 [inline]
__se_sys_socket net/socket.c:1723 [inline]
__x64_sys_socket+0x7a/0x90 net/socket.c:1723
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 5577:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:2343 [inline]
slab_free mm/slub.c:4580 [inline]
kfree+0x1a0/0x440 mm/slub.c:4728
sk_prot_free net/core/sock.c:2200 [inline]
__sk_destruct+0x479/0x5f0 net/core/sock.c:2292
sco_sock_release+0x25e/0x320 net/bluetooth/sco.c:1276
__sock_release net/socket.c:658 [inline]
sock_close+0xbe/0x240 net/socket.c:1426
__fput+0x241/0x880 fs/file_table.c:431
task_work_run+0x251/0x310 kernel/task_work.c:228
get_signal+0x15e8/0x1740 kernel/signal.c:2690
arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0xc9/0x370 kernel/entry/common.c:218
do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff88801f485000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 128 bytes inside of
freed 2048-byte region [ffff88801f485000, ffff88801f485800)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1f480
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff888015442000 ffffea00007d4800 0000000000000002
raw: 0000000000000000 0000000000080008 00000001f5000000 0000000000000000
head: 00fff00000000040 ffff888015442000 ffffea00007d4800 0000000000000002
head: 0000000000000000 0000000000080008 00000001f5000000 0000000000000000
head: 00fff00000000003 ffffea00007d2001 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5098, tgid 5098 (syz-executor.0), ts 63096504293, free_ts 61414295203
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0x3045/0x3190 mm/page_alloc.c:3457
__alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4733
alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
alloc_slab_page+0x6a/0x120 mm/slub.c:2413
allocate_slab+0x5a/0x2f0 mm/slub.c:2579
new_slab mm/slub.c:2632 [inline]
___slab_alloc+0xcd1/0x14b0 mm/slub.c:3819
__slab_alloc+0x58/0xa0 mm/slub.c:3909
__slab_alloc_node mm/slub.c:3962 [inline]
slab_alloc_node mm/slub.c:4123 [inline]
__do_kmalloc_node mm/slub.c:4264 [inline]
__kmalloc_noprof+0x25a/0x400 mm/slub.c:4277
kmalloc_noprof include/linux/slab.h:882 [inline]
kmalloc_array_noprof include/linux/slab.h:923 [inline]
cache_create_net+0x83/0x270 net/sunrpc/cache.c:1743
nfsd_idmap_init+0xe8/0x1e0 fs/nfsd/nfs4idmap.c:476
nfsd_net_init+0x4b/0x450 fs/nfsd/nfsctl.c:2242
ops_init+0x320/0x590 net/core/net_namespace.c:139
setup_net+0x287/0x9e0 net/core/net_namespace.c:356
copy_net_ns+0x33f/0x570 net/core/net_namespace.c:494
create_new_namespaces+0x425/0x7b0 kernel/nsproxy.c:110
page last free pid 5088 tgid 5085 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0xcfb/0xf20 mm/page_alloc.c:2638
discard_slab mm/slub.c:2678 [inline]
__put_partials+0xeb/0x130 mm/slub.c:3146
put_cpu_partial+0x17c/0x250 mm/slub.c:3221
__slab_free+0x2ea/0x3d0 mm/slub.c:4450
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x9a/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:247 [inline]
slab_post_alloc_hook mm/slub.c:4086 [inline]
slab_alloc_node mm/slub.c:4135 [inline]
__do_kmalloc_node mm/slub.c:4264 [inline]
__kmalloc_noprof+0x1a6/0x400 mm/slub.c:4277
kmalloc_noprof include/linux/slab.h:882 [inline]
tomoyo_add_entry security/tomoyo/common.c:2033 [inline]
tomoyo_supervisor+0xe0d/0x11f0 security/tomoyo/common.c:2105
tomoyo_audit_path_log security/tomoyo/file.c:168 [inline]
tomoyo_path_permission+0x243/0x360 security/tomoyo/file.c:587
tomoyo_path_perm+0x480/0x740 security/tomoyo/file.c:838
security_inode_getattr+0x130/0x330 security/security.c:2371
vfs_getattr+0x45/0x430 fs/stat.c:204
vfs_statx_path fs/stat.c:251 [inline]
vfs_statx+0x199/0x490 fs/stat.c:315
vfs_fstatat+0x145/0x190 fs/stat.c:341
__do_sys_newfstatat fs/stat.c:505 [inline]
__se_sys_newfstatat fs/stat.c:499 [inline]
__x64_sys_newfstatat+0x11d/0x1a0 fs/stat.c:499
Memory state around the buggy address:
ffff88801f484f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88801f485000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88801f485080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88801f485100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88801f485180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: 0c559323 Merge tag 'rust-fixes-6.12' of https://github..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13fdb3d0580000
kernel config: https://syzkaller.appspot.com/x/.config?x=d0ca089c3fc6b54e
dashboard link: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=160db3d0580000
#syz test On Fri, Oct 4, 2024 at 12:06 PM Luiz Augusto von Dentz <luiz.dentz@gmail.com> wrote: > > #syz test > > On Thu, Oct 3, 2024 at 3:21 PM Luiz Augusto von Dentz > <luiz.dentz@gmail.com> wrote: > > > > #syz test > > > > On Thu, Oct 3, 2024 at 12:32 PM Luiz Augusto von Dentz > > <luiz.dentz@gmail.com> wrote: > > > > > > #syz test > > > > > > On Thu, Oct 3, 2024 at 11:38 AM Luiz Augusto von Dentz > > > <luiz.dentz@gmail.com> wrote: > > > > > > > > #syz test > > > > > > > > On Wed, Oct 2, 2024 at 4:46 PM Luiz Augusto von Dentz > > > > <luiz.dentz@gmail.com> wrote: > > > > > > > > > > #syz test > > > > > > > > > > On Wed, Oct 2, 2024 at 3:46 PM Luiz Augusto von Dentz > > > > > <luiz.dentz@gmail.com> wrote: > > > > > > > > > > > > #syz test > > > > > > > > > > > > On Wed, Oct 2, 2024 at 3:19 PM Luiz Augusto von Dentz > > > > > > <luiz.dentz@gmail.com> wrote: > > > > > > > > > > > > > > #syz test > > > > > > > > > > > > > > On Wed, Oct 2, 2024 at 3:04 PM Luiz Augusto von Dentz > > > > > > > <luiz.dentz@gmail.com> wrote: > > > > > > > > > > > > > > > > From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> > > > > > > > > > > > > > > > > This makes use of disable_delayed_work_sync instead > > > > > > > > cancel_delayed_work_sync as it not only cancel the ongoing work but also > > > > > > > > disables new submit which is disarable since the object holding the work > > > > > > > > is about to be freed. > > > > > > > > > > > > > > > > In addition to it remove call to sco_sock_set_timer on __sco_sock_close > > > > > > > > since at that point it is useless to set a timer as the sk will be freed > > > > > > > > there is nothing to be done in sco_sock_timeout. > > > > > > > > > > > > > > > > Reported-by: syzbot+4c0d0c4cde787116d465@syzkaller.appspotmail.com > > > > > > > > Closes: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465 > > > > > > > > Fixes: ba316be1b6a0 ("Bluetooth: schedule SCO timeouts with delayed_work") > > > > > > > > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> > > > > > > > > --- > > > > > > > > net/bluetooth/sco.c | 13 +------------ > > > > > > > > 1 file changed, 1 insertion(+), 12 deletions(-) > > > > > > > > > > > > > > > > diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c > > > > > > > > index a5ac160c592e..2b1e66976068 100644 > > > > > > > > --- a/net/bluetooth/sco.c > > > > > > > > +++ b/net/bluetooth/sco.c > > > > > > > > @@ -208,7 +208,7 @@ static void sco_conn_del(struct hci_conn *hcon, int err) > > > > > > > > } > > > > > > > > > > > > > > > > /* Ensure no more work items will run before freeing conn. */ > > > > > > > > - cancel_delayed_work_sync(&conn->timeout_work); > > > > > > > > + disable_delayed_work_sync(&conn->timeout_work); > > > > > > > > > > > > > > > > hcon->sco_data = NULL; > > > > > > > > kfree(conn); > > > > > > > > @@ -442,17 +442,6 @@ static void __sco_sock_close(struct sock *sk) > > > > > > > > > > > > > > > > case BT_CONNECTED: > > > > > > > > case BT_CONFIG: > > > > > > > > - if (sco_pi(sk)->conn->hcon) { > > > > > > > > - sk->sk_state = BT_DISCONN; > > > > > > > > - sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT); > > > > > > > > - sco_conn_lock(sco_pi(sk)->conn); > > > > > > > > - hci_conn_drop(sco_pi(sk)->conn->hcon); > > > > > > > > - sco_pi(sk)->conn->hcon = NULL; > > > > > > > > - sco_conn_unlock(sco_pi(sk)->conn); > > > > > > > > - } else > > > > > > > > - sco_chan_del(sk, ECONNRESET); > > > > > > > > - break; > > > > > > > > - > > > > > > > > case BT_CONNECT2: > > > > > > > > case BT_CONNECT: > > > > > > > > case BT_DISCONN: > > > > > > > > -- > > > > > > > > 2.46.1 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > Luiz Augusto von Dentz > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > Luiz Augusto von Dentz > > > > > > > > > > > > > > > > > > > > -- > > > > > Luiz Augusto von Dentz > > > > > > > > > > > > > > > > -- > > > > Luiz Augusto von Dentz > > > > > > > > > > > > -- > > > Luiz Augusto von Dentz > > > > > > > > -- > > Luiz Augusto von Dentz > > > > -- > Luiz Augusto von Dentz
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Write in sco_sock_timeout
==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: slab-use-after-free in atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
BUG: KASAN: slab-use-after-free in __refcount_add include/linux/refcount.h:184 [inline]
BUG: KASAN: slab-use-after-free in __refcount_inc include/linux/refcount.h:241 [inline]
BUG: KASAN: slab-use-after-free in refcount_inc include/linux/refcount.h:258 [inline]
BUG: KASAN: slab-use-after-free in sock_hold include/net/sock.h:781 [inline]
BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x8b/0x270 net/bluetooth/sco.c:92
Write of size 4 at addr ffff88802719a080 by task kworker/1:3/5509
CPU: 1 UID: 0 PID: 5509 Comm: kworker/1:3 Not tainted 6.12.0-rc1-syzkaller-00125-g0c559323bbaa-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: events sco_sock_timeout
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
__refcount_add include/linux/refcount.h:184 [inline]
__refcount_inc include/linux/refcount.h:241 [inline]
refcount_inc include/linux/refcount.h:258 [inline]
sock_hold include/net/sock.h:781 [inline]
sco_sock_timeout+0x8b/0x270 net/bluetooth/sco.c:92
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f2/0x390 kernel/kthread.c:389
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Allocated by task 5115:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:257 [inline]
__do_kmalloc_node mm/slub.c:4265 [inline]
__kmalloc_node_track_caller_noprof+0x225/0x440 mm/slub.c:4284
kmalloc_reserve+0x111/0x2a0 net/core/skbuff.c:609
__alloc_skb+0x1f3/0x440 net/core/skbuff.c:678
alloc_skb include/linux/skbuff.h:1322 [inline]
nsim_dev_trap_skb_build drivers/net/netdevsim/dev.c:748 [inline]
nsim_dev_trap_report drivers/net/netdevsim/dev.c:805 [inline]
nsim_dev_trap_report_work+0x254/0xaa0 drivers/net/netdevsim/dev.c:850
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f2/0x390 kernel/kthread.c:389
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Freed by task 5115:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:2343 [inline]
slab_free mm/slub.c:4580 [inline]
kfree+0x1a0/0x440 mm/slub.c:4728
skb_kfree_head net/core/skbuff.c:1086 [inline]
skb_free_head net/core/skbuff.c:1098 [inline]
skb_release_data+0x6a0/0x8a0 net/core/skbuff.c:1125
skb_release_all net/core/skbuff.c:1190 [inline]
__kfree_skb net/core/skbuff.c:1204 [inline]
consume_skb+0x9f/0xf0 net/core/skbuff.c:1436
nsim_dev_trap_report drivers/net/netdevsim/dev.c:821 [inline]
nsim_dev_trap_report_work+0x765/0xaa0 drivers/net/netdevsim/dev.c:850
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f2/0x390 kernel/kthread.c:389
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
The buggy address belongs to the object at ffff88802719a000
which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 128 bytes inside of
freed 4096-byte region [ffff88802719a000, ffff88802719b000)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x27198
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff888015442140 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000040004 00000001f5000000 0000000000000000
head: 00fff00000000040 ffff888015442140 dead000000000122 0000000000000000
head: 0000000000000000 0000000000040004 00000001f5000000 0000000000000000
head: 00fff00000000003 ffffea00009c6601 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5115, tgid 5115 (kworker/0:4), ts 122322399972, free_ts 122095257880
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0x3045/0x3190 mm/page_alloc.c:3457
__alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4733
alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
alloc_slab_page+0x6a/0x120 mm/slub.c:2413
allocate_slab+0x5a/0x2f0 mm/slub.c:2579
new_slab mm/slub.c:2632 [inline]
___slab_alloc+0xcd1/0x14b0 mm/slub.c:3819
__slab_alloc+0x58/0xa0 mm/slub.c:3909
__slab_alloc_node mm/slub.c:3962 [inline]
slab_alloc_node mm/slub.c:4123 [inline]
__do_kmalloc_node mm/slub.c:4264 [inline]
__kmalloc_node_track_caller_noprof+0x281/0x440 mm/slub.c:4284
kmalloc_reserve+0x111/0x2a0 net/core/skbuff.c:609
__alloc_skb+0x1f3/0x440 net/core/skbuff.c:678
alloc_skb include/linux/skbuff.h:1322 [inline]
nsim_dev_trap_skb_build drivers/net/netdevsim/dev.c:748 [inline]
nsim_dev_trap_report drivers/net/netdevsim/dev.c:805 [inline]
nsim_dev_trap_report_work+0x254/0xaa0 drivers/net/netdevsim/dev.c:850
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f2/0x390 kernel/kthread.c:389
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
page last free pid 5425 tgid 5425 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0xcfb/0xf20 mm/page_alloc.c:2638
__slab_free+0x31b/0x3d0 mm/slub.c:4491
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x9a/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:247 [inline]
slab_post_alloc_hook mm/slub.c:4086 [inline]
slab_alloc_node mm/slub.c:4135 [inline]
kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4142
getname_flags+0xb7/0x540 fs/namei.c:139
do_sys_openat2+0xd2/0x1d0 fs/open.c:1409
do_sys_open fs/open.c:1430 [inline]
__do_sys_openat fs/open.c:1446 [inline]
__se_sys_openat fs/open.c:1441 [inline]
__x64_sys_openat+0x247/0x2a0 fs/open.c:1441
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff888027199f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88802719a000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88802719a080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88802719a100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88802719a180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: 0c559323 Merge tag 'rust-fixes-6.12' of https://github..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=152e9307980000
kernel config: https://syzkaller.appspot.com/x/.config?x=d0ca089c3fc6b54e
dashboard link: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=12d69307980000
#syz test On Fri, Oct 4, 2024 at 1:24 PM Luiz Augusto von Dentz <luiz.dentz@gmail.com> wrote: > > #syz test > > On Fri, Oct 4, 2024 at 12:06 PM Luiz Augusto von Dentz > <luiz.dentz@gmail.com> wrote: > > > > #syz test > > > > On Thu, Oct 3, 2024 at 3:21 PM Luiz Augusto von Dentz > > <luiz.dentz@gmail.com> wrote: > > > > > > #syz test > > > > > > On Thu, Oct 3, 2024 at 12:32 PM Luiz Augusto von Dentz > > > <luiz.dentz@gmail.com> wrote: > > > > > > > > #syz test > > > > > > > > On Thu, Oct 3, 2024 at 11:38 AM Luiz Augusto von Dentz > > > > <luiz.dentz@gmail.com> wrote: > > > > > > > > > > #syz test > > > > > > > > > > On Wed, Oct 2, 2024 at 4:46 PM Luiz Augusto von Dentz > > > > > <luiz.dentz@gmail.com> wrote: > > > > > > > > > > > > #syz test > > > > > > > > > > > > On Wed, Oct 2, 2024 at 3:46 PM Luiz Augusto von Dentz > > > > > > <luiz.dentz@gmail.com> wrote: > > > > > > > > > > > > > > #syz test > > > > > > > > > > > > > > On Wed, Oct 2, 2024 at 3:19 PM Luiz Augusto von Dentz > > > > > > > <luiz.dentz@gmail.com> wrote: > > > > > > > > > > > > > > > > #syz test > > > > > > > > > > > > > > > > On Wed, Oct 2, 2024 at 3:04 PM Luiz Augusto von Dentz > > > > > > > > <luiz.dentz@gmail.com> wrote: > > > > > > > > > > > > > > > > > > From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> > > > > > > > > > > > > > > > > > > This makes use of disable_delayed_work_sync instead > > > > > > > > > cancel_delayed_work_sync as it not only cancel the ongoing work but also > > > > > > > > > disables new submit which is disarable since the object holding the work > > > > > > > > > is about to be freed. > > > > > > > > > > > > > > > > > > In addition to it remove call to sco_sock_set_timer on __sco_sock_close > > > > > > > > > since at that point it is useless to set a timer as the sk will be freed > > > > > > > > > there is nothing to be done in sco_sock_timeout. > > > > > > > > > > > > > > > > > > Reported-by: syzbot+4c0d0c4cde787116d465@syzkaller.appspotmail.com > > > > > > > > > Closes: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465 > > > > > > > > > Fixes: ba316be1b6a0 ("Bluetooth: schedule SCO timeouts with delayed_work") > > > > > > > > > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> > > > > > > > > > --- > > > > > > > > > net/bluetooth/sco.c | 13 +------------ > > > > > > > > > 1 file changed, 1 insertion(+), 12 deletions(-) > > > > > > > > > > > > > > > > > > diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c > > > > > > > > > index a5ac160c592e..2b1e66976068 100644 > > > > > > > > > --- a/net/bluetooth/sco.c > > > > > > > > > +++ b/net/bluetooth/sco.c > > > > > > > > > @@ -208,7 +208,7 @@ static void sco_conn_del(struct hci_conn *hcon, int err) > > > > > > > > > } > > > > > > > > > > > > > > > > > > /* Ensure no more work items will run before freeing conn. */ > > > > > > > > > - cancel_delayed_work_sync(&conn->timeout_work); > > > > > > > > > + disable_delayed_work_sync(&conn->timeout_work); > > > > > > > > > > > > > > > > > > hcon->sco_data = NULL; > > > > > > > > > kfree(conn); > > > > > > > > > @@ -442,17 +442,6 @@ static void __sco_sock_close(struct sock *sk) > > > > > > > > > > > > > > > > > > case BT_CONNECTED: > > > > > > > > > case BT_CONFIG: > > > > > > > > > - if (sco_pi(sk)->conn->hcon) { > > > > > > > > > - sk->sk_state = BT_DISCONN; > > > > > > > > > - sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT); > > > > > > > > > - sco_conn_lock(sco_pi(sk)->conn); > > > > > > > > > - hci_conn_drop(sco_pi(sk)->conn->hcon); > > > > > > > > > - sco_pi(sk)->conn->hcon = NULL; > > > > > > > > > - sco_conn_unlock(sco_pi(sk)->conn); > > > > > > > > > - } else > > > > > > > > > - sco_chan_del(sk, ECONNRESET); > > > > > > > > > - break; > > > > > > > > > - > > > > > > > > > case BT_CONNECT2: > > > > > > > > > case BT_CONNECT: > > > > > > > > > case BT_DISCONN: > > > > > > > > > -- > > > > > > > > > 2.46.1 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > > Luiz Augusto von Dentz > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > Luiz Augusto von Dentz > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > Luiz Augusto von Dentz > > > > > > > > > > > > > > > > > > > > -- > > > > > Luiz Augusto von Dentz > > > > > > > > > > > > > > > > -- > > > > Luiz Augusto von Dentz > > > > > > > > > > > > -- > > > Luiz Augusto von Dentz > > > > > > > > -- > > Luiz Augusto von Dentz > > > > -- > Luiz Augusto von Dentz
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Write in sco_sock_timeout
==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: slab-use-after-free in atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
BUG: KASAN: slab-use-after-free in __refcount_add include/linux/refcount.h:184 [inline]
BUG: KASAN: slab-use-after-free in __refcount_inc include/linux/refcount.h:241 [inline]
BUG: KASAN: slab-use-after-free in refcount_inc include/linux/refcount.h:258 [inline]
BUG: KASAN: slab-use-after-free in sock_hold include/net/sock.h:781 [inline]
BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x8b/0x270 net/bluetooth/sco.c:92
Write of size 4 at addr ffff8880237b3080 by task kworker/0:1/9
CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.12.0-rc2-syzkaller-g8cf0b93919e1-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: events sco_sock_timeout
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
__refcount_add include/linux/refcount.h:184 [inline]
__refcount_inc include/linux/refcount.h:241 [inline]
refcount_inc include/linux/refcount.h:258 [inline]
sock_hold include/net/sock.h:781 [inline]
sco_sock_timeout+0x8b/0x270 net/bluetooth/sco.c:92
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f2/0x390 kernel/kthread.c:389
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Allocated by task 5742:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:257 [inline]
__do_kmalloc_node mm/slub.c:4264 [inline]
__kmalloc_noprof+0x1fc/0x400 mm/slub.c:4276
kmalloc_noprof include/linux/slab.h:882 [inline]
sk_prot_alloc+0xe0/0x210 net/core/sock.c:2164
sk_alloc+0x38/0x370 net/core/sock.c:2217
bt_sock_alloc+0x3c/0x340 net/bluetooth/af_bluetooth.c:148
sco_sock_alloc net/bluetooth/sco.c:521 [inline]
sco_sock_create+0xbb/0x390 net/bluetooth/sco.c:552
bt_sock_create+0x163/0x230 net/bluetooth/af_bluetooth.c:132
__sock_create+0x492/0x920 net/socket.c:1576
sock_create net/socket.c:1627 [inline]
__sys_socket_create net/socket.c:1664 [inline]
__sys_socket+0x150/0x3c0 net/socket.c:1711
__do_sys_socket net/socket.c:1725 [inline]
__se_sys_socket net/socket.c:1723 [inline]
__x64_sys_socket+0x7a/0x90 net/socket.c:1723
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 5743:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:2342 [inline]
slab_free mm/slub.c:4579 [inline]
kfree+0x1a0/0x440 mm/slub.c:4727
sk_prot_free net/core/sock.c:2200 [inline]
__sk_destruct+0x479/0x5f0 net/core/sock.c:2292
sco_sock_release+0x25e/0x320 net/bluetooth/sco.c:1280
__sock_release net/socket.c:658 [inline]
sock_close+0xbe/0x240 net/socket.c:1426
__fput+0x241/0x880 fs/file_table.c:431
task_work_run+0x251/0x310 kernel/task_work.c:228
get_signal+0x15e8/0x1740 kernel/signal.c:2690
arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0xc9/0x370 kernel/entry/common.c:218
do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff8880237b3000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 128 bytes inside of
freed 2048-byte region [ffff8880237b3000, ffff8880237b3800)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880237b5000 pfn:0x237b0
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000240(workingset|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000240 ffff888015442000 ffffea00008c6a10 ffffea0001f13610
raw: ffff8880237b5000 0000000000080005 00000001f5000000 0000000000000000
head: 00fff00000000240 ffff888015442000 ffffea00008c6a10 ffffea0001f13610
head: ffff8880237b5000 0000000000080005 00000001f5000000 0000000000000000
head: 00fff00000000003 ffffea00008dec01 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4550, tgid 4550 (udevd), ts 62011136939, free_ts 61932137647
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0x3045/0x3190 mm/page_alloc.c:3457
__alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4733
alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
alloc_slab_page+0x6a/0x120 mm/slub.c:2412
allocate_slab+0x5a/0x2f0 mm/slub.c:2578
new_slab mm/slub.c:2631 [inline]
___slab_alloc+0xcd1/0x14b0 mm/slub.c:3818
__slab_alloc+0x58/0xa0 mm/slub.c:3908
__slab_alloc_node mm/slub.c:3961 [inline]
slab_alloc_node mm/slub.c:4122 [inline]
__do_kmalloc_node mm/slub.c:4263 [inline]
__kmalloc_noprof+0x25a/0x400 mm/slub.c:4276
kmalloc_noprof include/linux/slab.h:882 [inline]
sk_prot_alloc+0xe0/0x210 net/core/sock.c:2164
sk_alloc+0x38/0x370 net/core/sock.c:2217
__netlink_create+0x65/0x260 net/netlink/af_netlink.c:646
netlink_create+0x3ab/0x560 net/netlink/af_netlink.c:704
__sock_create+0x492/0x920 net/socket.c:1576
sock_create net/socket.c:1627 [inline]
__sys_socket_create net/socket.c:1664 [inline]
__sys_socket+0x150/0x3c0 net/socket.c:1711
__do_sys_socket net/socket.c:1725 [inline]
__se_sys_socket net/socket.c:1723 [inline]
__x64_sys_socket+0x7a/0x90 net/socket.c:1723
page last free pid 4539 tgid 4539 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0xcfb/0xf20 mm/page_alloc.c:2638
discard_slab mm/slub.c:2677 [inline]
__put_partials+0xeb/0x130 mm/slub.c:3145
put_cpu_partial+0x17c/0x250 mm/slub.c:3220
__slab_free+0x2ea/0x3d0 mm/slub.c:4449
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x9a/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:247 [inline]
slab_post_alloc_hook mm/slub.c:4085 [inline]
slab_alloc_node mm/slub.c:4134 [inline]
kmem_cache_alloc_node_noprof+0x16b/0x320 mm/slub.c:4186
__alloc_skb+0x1c3/0x440 net/core/skbuff.c:668
alloc_skb include/linux/skbuff.h:1322 [inline]
alloc_skb_with_frags+0xc3/0x820 net/core/skbuff.c:6612
sock_alloc_send_pskb+0x91a/0xa60 net/core/sock.c:2883
unix_dgram_sendmsg+0x6d3/0x1f80 net/unix/af_unix.c:2027
sock_sendmsg_nosec net/socket.c:729 [inline]
__sock_sendmsg+0x223/0x270 net/socket.c:744
__sys_sendto+0x39b/0x4f0 net/socket.c:2209
__do_sys_sendto net/socket.c:2221 [inline]
__se_sys_sendto net/socket.c:2217 [inline]
__x64_sys_sendto+0xde/0x100 net/socket.c:2217
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
Memory state around the buggy address:
ffff8880237b2f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880237b3000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880237b3080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880237b3100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880237b3180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: 8cf0b939 Linux 6.12-rc2
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11e7db80580000
kernel config: https://syzkaller.appspot.com/x/.config?x=a5119ec8290b5433
dashboard link: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=150b2707980000
#syz test On Mon, Oct 7, 2024 at 1:16 PM Luiz Augusto von Dentz <luiz.dentz@gmail.com> wrote: > > #syz test > > On Fri, Oct 4, 2024 at 1:24 PM Luiz Augusto von Dentz > <luiz.dentz@gmail.com> wrote: > > > > #syz test > > > > On Fri, Oct 4, 2024 at 12:06 PM Luiz Augusto von Dentz > > <luiz.dentz@gmail.com> wrote: > > > > > > #syz test > > > > > > On Thu, Oct 3, 2024 at 3:21 PM Luiz Augusto von Dentz > > > <luiz.dentz@gmail.com> wrote: > > > > > > > > #syz test > > > > > > > > On Thu, Oct 3, 2024 at 12:32 PM Luiz Augusto von Dentz > > > > <luiz.dentz@gmail.com> wrote: > > > > > > > > > > #syz test > > > > > > > > > > On Thu, Oct 3, 2024 at 11:38 AM Luiz Augusto von Dentz > > > > > <luiz.dentz@gmail.com> wrote: > > > > > > > > > > > > #syz test > > > > > > > > > > > > On Wed, Oct 2, 2024 at 4:46 PM Luiz Augusto von Dentz > > > > > > <luiz.dentz@gmail.com> wrote: > > > > > > > > > > > > > > #syz test > > > > > > > > > > > > > > On Wed, Oct 2, 2024 at 3:46 PM Luiz Augusto von Dentz > > > > > > > <luiz.dentz@gmail.com> wrote: > > > > > > > > > > > > > > > > #syz test > > > > > > > > > > > > > > > > On Wed, Oct 2, 2024 at 3:19 PM Luiz Augusto von Dentz > > > > > > > > <luiz.dentz@gmail.com> wrote: > > > > > > > > > > > > > > > > > > #syz test > > > > > > > > > > > > > > > > > > On Wed, Oct 2, 2024 at 3:04 PM Luiz Augusto von Dentz > > > > > > > > > <luiz.dentz@gmail.com> wrote: > > > > > > > > > > > > > > > > > > > > From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> > > > > > > > > > > > > > > > > > > > > This makes use of disable_delayed_work_sync instead > > > > > > > > > > cancel_delayed_work_sync as it not only cancel the ongoing work but also > > > > > > > > > > disables new submit which is disarable since the object holding the work > > > > > > > > > > is about to be freed. > > > > > > > > > > > > > > > > > > > > In addition to it remove call to sco_sock_set_timer on __sco_sock_close > > > > > > > > > > since at that point it is useless to set a timer as the sk will be freed > > > > > > > > > > there is nothing to be done in sco_sock_timeout. > > > > > > > > > > > > > > > > > > > > Reported-by: syzbot+4c0d0c4cde787116d465@syzkaller.appspotmail.com > > > > > > > > > > Closes: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465 > > > > > > > > > > Fixes: ba316be1b6a0 ("Bluetooth: schedule SCO timeouts with delayed_work") > > > > > > > > > > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> > > > > > > > > > > --- > > > > > > > > > > net/bluetooth/sco.c | 13 +------------ > > > > > > > > > > 1 file changed, 1 insertion(+), 12 deletions(-) > > > > > > > > > > > > > > > > > > > > diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c > > > > > > > > > > index a5ac160c592e..2b1e66976068 100644 > > > > > > > > > > --- a/net/bluetooth/sco.c > > > > > > > > > > +++ b/net/bluetooth/sco.c > > > > > > > > > > @@ -208,7 +208,7 @@ static void sco_conn_del(struct hci_conn *hcon, int err) > > > > > > > > > > } > > > > > > > > > > > > > > > > > > > > /* Ensure no more work items will run before freeing conn. */ > > > > > > > > > > - cancel_delayed_work_sync(&conn->timeout_work); > > > > > > > > > > + disable_delayed_work_sync(&conn->timeout_work); > > > > > > > > > > > > > > > > > > > > hcon->sco_data = NULL; > > > > > > > > > > kfree(conn); > > > > > > > > > > @@ -442,17 +442,6 @@ static void __sco_sock_close(struct sock *sk) > > > > > > > > > > > > > > > > > > > > case BT_CONNECTED: > > > > > > > > > > case BT_CONFIG: > > > > > > > > > > - if (sco_pi(sk)->conn->hcon) { > > > > > > > > > > - sk->sk_state = BT_DISCONN; > > > > > > > > > > - sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT); > > > > > > > > > > - sco_conn_lock(sco_pi(sk)->conn); > > > > > > > > > > - hci_conn_drop(sco_pi(sk)->conn->hcon); > > > > > > > > > > - sco_pi(sk)->conn->hcon = NULL; > > > > > > > > > > - sco_conn_unlock(sco_pi(sk)->conn); > > > > > > > > > > - } else > > > > > > > > > > - sco_chan_del(sk, ECONNRESET); > > > > > > > > > > - break; > > > > > > > > > > - > > > > > > > > > > case BT_CONNECT2: > > > > > > > > > > case BT_CONNECT: > > > > > > > > > > case BT_DISCONN: > > > > > > > > > > -- > > > > > > > > > > 2.46.1 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > > > Luiz Augusto von Dentz > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > > Luiz Augusto von Dentz > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > Luiz Augusto von Dentz > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > Luiz Augusto von Dentz > > > > > > > > > > > > > > > > > > > > -- > > > > > Luiz Augusto von Dentz > > > > > > > > > > > > > > > > -- > > > > Luiz Augusto von Dentz > > > > > > > > > > > > -- > > > Luiz Augusto von Dentz > > > > > > > > -- > > Luiz Augusto von Dentz > > > > -- > Luiz Augusto von Dentz
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Write in sco_sock_timeout
==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: slab-use-after-free in atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
BUG: KASAN: slab-use-after-free in __refcount_add include/linux/refcount.h:184 [inline]
BUG: KASAN: slab-use-after-free in __refcount_inc include/linux/refcount.h:241 [inline]
BUG: KASAN: slab-use-after-free in refcount_inc include/linux/refcount.h:258 [inline]
BUG: KASAN: slab-use-after-free in sock_hold include/net/sock.h:781 [inline]
BUG: KASAN: slab-use-after-free in sco_sock_timeout+0xa2/0x2d0 net/bluetooth/sco.c:140
Write of size 4 at addr ffff888140eac080 by task kworker/0:2/921
CPU: 0 UID: 0 PID: 921 Comm: kworker/0:2 Not tainted 6.12.0-rc2-syzkaller-g87d6aab2389e-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: events sco_sock_timeout
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
__refcount_add include/linux/refcount.h:184 [inline]
__refcount_inc include/linux/refcount.h:241 [inline]
refcount_inc include/linux/refcount.h:258 [inline]
sock_hold include/net/sock.h:781 [inline]
sco_sock_timeout+0xa2/0x2d0 net/bluetooth/sco.c:140
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f2/0x390 kernel/kthread.c:389
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Allocated by task 5764:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:257 [inline]
__do_kmalloc_node mm/slub.c:4264 [inline]
__kmalloc_noprof+0x1fc/0x400 mm/slub.c:4276
kmalloc_noprof include/linux/slab.h:882 [inline]
sk_prot_alloc+0xe0/0x210 net/core/sock.c:2164
sk_alloc+0x38/0x370 net/core/sock.c:2217
bt_sock_alloc+0x3c/0x340 net/bluetooth/af_bluetooth.c:148
sco_sock_alloc net/bluetooth/sco.c:543 [inline]
sco_sock_create+0xbb/0x390 net/bluetooth/sco.c:574
bt_sock_create+0x163/0x230 net/bluetooth/af_bluetooth.c:132
__sock_create+0x492/0x920 net/socket.c:1576
sock_create net/socket.c:1627 [inline]
__sys_socket_create net/socket.c:1664 [inline]
__sys_socket+0x150/0x3c0 net/socket.c:1711
__do_sys_socket net/socket.c:1725 [inline]
__se_sys_socket net/socket.c:1723 [inline]
__x64_sys_socket+0x7a/0x90 net/socket.c:1723
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 5765:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:2342 [inline]
slab_free mm/slub.c:4579 [inline]
kfree+0x1a0/0x440 mm/slub.c:4727
sk_prot_free net/core/sock.c:2200 [inline]
__sk_destruct+0x479/0x5f0 net/core/sock.c:2292
sco_sock_release+0x25e/0x320 net/bluetooth/sco.c:1302
__sock_release net/socket.c:658 [inline]
sock_close+0xbe/0x240 net/socket.c:1426
__fput+0x241/0x880 fs/file_table.c:431
task_work_run+0x251/0x310 kernel/task_work.c:228
get_signal+0x15e8/0x1740 kernel/signal.c:2690
arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0xc9/0x370 kernel/entry/common.c:218
do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff888140eac000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 128 bytes inside of
freed 2048-byte region [ffff888140eac000, ffff888140eac800)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888140eab000 pfn:0x140ea8
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x57ff00000000240(workingset|head|node=1|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 057ff00000000240 ffff888015442000 ffffea000515b410 ffffea000510e610
raw: ffff888140eab000 0000000000080006 00000001f5000000 0000000000000000
head: 057ff00000000240 ffff888015442000 ffffea000515b410 ffffea000510e610
head: ffff888140eab000 0000000000080006 00000001f5000000 0000000000000000
head: 057ff00000000003 ffffea000503aa01 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 2263006817, free_ts 0
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0x3045/0x3190 mm/page_alloc.c:3457
__alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4733
alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
alloc_slab_page+0x6a/0x120 mm/slub.c:2412
allocate_slab+0x5a/0x2f0 mm/slub.c:2578
new_slab mm/slub.c:2631 [inline]
___slab_alloc+0xcd1/0x14b0 mm/slub.c:3818
__slab_alloc+0x58/0xa0 mm/slub.c:3908
__slab_alloc_node mm/slub.c:3961 [inline]
slab_alloc_node mm/slub.c:4122 [inline]
__kmalloc_cache_noprof+0x1d5/0x2c0 mm/slub.c:4290
kmalloc_noprof include/linux/slab.h:878 [inline]
kzalloc_noprof include/linux/slab.h:1014 [inline]
acpi_ds_create_walk_state+0x103/0x2a0 drivers/acpi/acpica/dswstate.c:518
acpi_ds_auto_serialize_method+0xe7/0x240 drivers/acpi/acpica/dsmethod.c:81
acpi_ds_init_one_object+0x1bb/0x370 drivers/acpi/acpica/dsinit.c:110
acpi_ns_walk_namespace+0x296/0x4f0
acpi_ds_initialize_objects+0x199/0x2b0 drivers/acpi/acpica/dsinit.c:189
acpi_ns_load_table+0xfd/0x120 drivers/acpi/acpica/nsload.c:106
acpi_tb_load_namespace+0x291/0x6d0 drivers/acpi/acpica/tbxfload.c:158
page_owner free stack trace missing
Memory state around the buggy address:
ffff888140eabf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888140eac000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888140eac080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888140eac100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888140eac180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: 87d6aab2 Merge tag 'for_linus' of git://git.kernel.org..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=101aa707980000
kernel config: https://syzkaller.appspot.com/x/.config?x=a5119ec8290b5433
dashboard link: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=124a3b80580000
#syz test On Mon, Oct 7, 2024 at 4:54 PM Luiz Augusto von Dentz <luiz.dentz@gmail.com> wrote: > > #syz test > > On Mon, Oct 7, 2024 at 1:16 PM Luiz Augusto von Dentz > <luiz.dentz@gmail.com> wrote: > > > > #syz test > > > > On Fri, Oct 4, 2024 at 1:24 PM Luiz Augusto von Dentz > > <luiz.dentz@gmail.com> wrote: > > > > > > #syz test > > > > > > On Fri, Oct 4, 2024 at 12:06 PM Luiz Augusto von Dentz > > > <luiz.dentz@gmail.com> wrote: > > > > > > > > #syz test > > > > > > > > On Thu, Oct 3, 2024 at 3:21 PM Luiz Augusto von Dentz > > > > <luiz.dentz@gmail.com> wrote: > > > > > > > > > > #syz test > > > > > > > > > > On Thu, Oct 3, 2024 at 12:32 PM Luiz Augusto von Dentz > > > > > <luiz.dentz@gmail.com> wrote: > > > > > > > > > > > > #syz test > > > > > > > > > > > > On Thu, Oct 3, 2024 at 11:38 AM Luiz Augusto von Dentz > > > > > > <luiz.dentz@gmail.com> wrote: > > > > > > > > > > > > > > #syz test > > > > > > > > > > > > > > On Wed, Oct 2, 2024 at 4:46 PM Luiz Augusto von Dentz > > > > > > > <luiz.dentz@gmail.com> wrote: > > > > > > > > > > > > > > > > #syz test > > > > > > > > > > > > > > > > On Wed, Oct 2, 2024 at 3:46 PM Luiz Augusto von Dentz > > > > > > > > <luiz.dentz@gmail.com> wrote: > > > > > > > > > > > > > > > > > > #syz test > > > > > > > > > > > > > > > > > > On Wed, Oct 2, 2024 at 3:19 PM Luiz Augusto von Dentz > > > > > > > > > <luiz.dentz@gmail.com> wrote: > > > > > > > > > > > > > > > > > > > > #syz test > > > > > > > > > > > > > > > > > > > > On Wed, Oct 2, 2024 at 3:04 PM Luiz Augusto von Dentz > > > > > > > > > > <luiz.dentz@gmail.com> wrote: > > > > > > > > > > > > > > > > > > > > > > From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> > > > > > > > > > > > > > > > > > > > > > > This makes use of disable_delayed_work_sync instead > > > > > > > > > > > cancel_delayed_work_sync as it not only cancel the ongoing work but also > > > > > > > > > > > disables new submit which is disarable since the object holding the work > > > > > > > > > > > is about to be freed. > > > > > > > > > > > > > > > > > > > > > > In addition to it remove call to sco_sock_set_timer on __sco_sock_close > > > > > > > > > > > since at that point it is useless to set a timer as the sk will be freed > > > > > > > > > > > there is nothing to be done in sco_sock_timeout. > > > > > > > > > > > > > > > > > > > > > > Reported-by: syzbot+4c0d0c4cde787116d465@syzkaller.appspotmail.com > > > > > > > > > > > Closes: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465 > > > > > > > > > > > Fixes: ba316be1b6a0 ("Bluetooth: schedule SCO timeouts with delayed_work") > > > > > > > > > > > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> > > > > > > > > > > > --- > > > > > > > > > > > net/bluetooth/sco.c | 13 +------------ > > > > > > > > > > > 1 file changed, 1 insertion(+), 12 deletions(-) > > > > > > > > > > > > > > > > > > > > > > diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c > > > > > > > > > > > index a5ac160c592e..2b1e66976068 100644 > > > > > > > > > > > --- a/net/bluetooth/sco.c > > > > > > > > > > > +++ b/net/bluetooth/sco.c > > > > > > > > > > > @@ -208,7 +208,7 @@ static void sco_conn_del(struct hci_conn *hcon, int err) > > > > > > > > > > > } > > > > > > > > > > > > > > > > > > > > > > /* Ensure no more work items will run before freeing conn. */ > > > > > > > > > > > - cancel_delayed_work_sync(&conn->timeout_work); > > > > > > > > > > > + disable_delayed_work_sync(&conn->timeout_work); > > > > > > > > > > > > > > > > > > > > > > hcon->sco_data = NULL; > > > > > > > > > > > kfree(conn); > > > > > > > > > > > @@ -442,17 +442,6 @@ static void __sco_sock_close(struct sock *sk) > > > > > > > > > > > > > > > > > > > > > > case BT_CONNECTED: > > > > > > > > > > > case BT_CONFIG: > > > > > > > > > > > - if (sco_pi(sk)->conn->hcon) { > > > > > > > > > > > - sk->sk_state = BT_DISCONN; > > > > > > > > > > > - sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT); > > > > > > > > > > > - sco_conn_lock(sco_pi(sk)->conn); > > > > > > > > > > > - hci_conn_drop(sco_pi(sk)->conn->hcon); > > > > > > > > > > > - sco_pi(sk)->conn->hcon = NULL; > > > > > > > > > > > - sco_conn_unlock(sco_pi(sk)->conn); > > > > > > > > > > > - } else > > > > > > > > > > > - sco_chan_del(sk, ECONNRESET); > > > > > > > > > > > - break; > > > > > > > > > > > - > > > > > > > > > > > case BT_CONNECT2: > > > > > > > > > > > case BT_CONNECT: > > > > > > > > > > > case BT_DISCONN: > > > > > > > > > > > -- > > > > > > > > > > > 2.46.1 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > > > > Luiz Augusto von Dentz > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > > > Luiz Augusto von Dentz > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > > Luiz Augusto von Dentz > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > Luiz Augusto von Dentz > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > Luiz Augusto von Dentz > > > > > > > > > > > > > > > > > > > > -- > > > > > Luiz Augusto von Dentz > > > > > > > > > > > > > > > > -- > > > > Luiz Augusto von Dentz > > > > > > > > > > > > -- > > > Luiz Augusto von Dentz > > > > > > > > -- > > Luiz Augusto von Dentz > > > > -- > Luiz Augusto von Dentz
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Write in sco_conn_del
==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: slab-use-after-free in atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
BUG: KASAN: slab-use-after-free in __refcount_add include/linux/refcount.h:184 [inline]
BUG: KASAN: slab-use-after-free in __refcount_inc include/linux/refcount.h:241 [inline]
BUG: KASAN: slab-use-after-free in refcount_inc include/linux/refcount.h:258 [inline]
BUG: KASAN: slab-use-after-free in sock_hold include/net/sock.h:781 [inline]
BUG: KASAN: slab-use-after-free in sco_conn_del+0xa5/0x310 net/bluetooth/sco.c:220
Write of size 4 at addr ffff88807bd72080 by task syz-executor.0/5406
CPU: 0 UID: 0 PID: 5406 Comm: syz-executor.0 Not tainted 6.12.0-rc4-syzkaller-gc2ee9f594da8-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
__refcount_add include/linux/refcount.h:184 [inline]
__refcount_inc include/linux/refcount.h:241 [inline]
refcount_inc include/linux/refcount.h:258 [inline]
sock_hold include/net/sock.h:781 [inline]
sco_conn_del+0xa5/0x310 net/bluetooth/sco.c:220
hci_disconn_cfm include/net/bluetooth/hci_core.h:1975 [inline]
hci_conn_hash_flush+0x101/0x240 net/bluetooth/hci_conn.c:2592
hci_dev_close_sync+0x9ef/0x11a0 net/bluetooth/hci_sync.c:5195
hci_dev_do_close net/bluetooth/hci_core.c:483 [inline]
hci_unregister_dev+0x20b/0x510 net/bluetooth/hci_core.c:2698
vhci_release+0x80/0xd0 drivers/bluetooth/hci_vhci.c:664
__fput+0x241/0x880 fs/file_table.c:431
task_work_run+0x251/0x310 kernel/task_work.c:239
exit_task_work include/linux/task_work.h:43 [inline]
do_exit+0xa2f/0x28e0 kernel/exit.c:939
do_group_exit+0x207/0x2c0 kernel/exit.c:1088
__do_sys_exit_group kernel/exit.c:1099 [inline]
__se_sys_exit_group kernel/exit.c:1097 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097
x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f018087de69
Code: Unable to access opcode bytes at 0x7f018087de3f.
RSP: 002b:00007fffa31fb468 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f018087de69
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000043
RBP: 00007f01808ca45b R08: 00007fffa31f9207 R09: 000000000006d03d
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000006
R13: 000000000006d03d R14: 000000000006ccf5 R15: 0000000000000004
</TASK>
Allocated by task 5400:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
unpoison_slab_object mm/kasan/common.c:319 [inline]
__kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:345
kasan_slab_alloc include/linux/kasan.h:247 [inline]
slab_post_alloc_hook mm/slub.c:4085 [inline]
slab_alloc_node mm/slub.c:4134 [inline]
kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4141
getname_flags+0xb7/0x540 fs/namei.c:139
getname fs/namei.c:225 [inline]
__do_sys_unlink fs/namei.c:4581 [inline]
__se_sys_unlink fs/namei.c:4579 [inline]
__x64_sys_unlink+0x3a/0x50 fs/namei.c:4579
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 5400:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:2342 [inline]
slab_free mm/slub.c:4579 [inline]
kmem_cache_free+0x1a2/0x420 mm/slub.c:4681
do_unlinkat+0x7b0/0x830 fs/namei.c:4556
__do_sys_unlink fs/namei.c:4581 [inline]
__se_sys_unlink fs/namei.c:4579 [inline]
__x64_sys_unlink+0x47/0x50 fs/namei.c:4579
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff88807bd71100
which belongs to the cache names_cache of size 4096
The buggy address is located 3968 bytes inside of
freed 4096-byte region [ffff88807bd71100, ffff88807bd72100)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7bd70
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff8880162f4780 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000070007 00000001f5000000 0000000000000000
head: 00fff00000000040 ffff8880162f4780 dead000000000122 0000000000000000
head: 0000000000000000 0000000000070007 00000001f5000000 0000000000000000
head: 00fff00000000003 ffffea0001ef5c01 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5400, tgid 5400 (udevd), ts 432009536360, free_ts 431999575653
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0x3045/0x3190 mm/page_alloc.c:3457
__alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4733
alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
alloc_slab_page+0x6a/0x120 mm/slub.c:2412
allocate_slab+0x5a/0x2f0 mm/slub.c:2578
new_slab mm/slub.c:2631 [inline]
___slab_alloc+0xcd1/0x14b0 mm/slub.c:3818
__slab_alloc+0x58/0xa0 mm/slub.c:3908
__slab_alloc_node mm/slub.c:3961 [inline]
slab_alloc_node mm/slub.c:4122 [inline]
kmem_cache_alloc_noprof+0x1c1/0x2a0 mm/slub.c:4141
getname_flags+0xb7/0x540 fs/namei.c:139
vfs_fstatat+0x12c/0x190 fs/stat.c:340
__do_sys_newfstatat fs/stat.c:505 [inline]
__se_sys_newfstatat fs/stat.c:499 [inline]
__x64_sys_newfstatat+0x11d/0x1a0 fs/stat.c:499
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 4552 tgid 4552 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0xcfb/0xf20 mm/page_alloc.c:2638
discard_slab mm/slub.c:2677 [inline]
__put_partials+0xeb/0x130 mm/slub.c:3145
put_cpu_partial+0x17c/0x250 mm/slub.c:3220
__slab_free+0x2ea/0x3d0 mm/slub.c:4449
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x9a/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:247 [inline]
slab_post_alloc_hook mm/slub.c:4085 [inline]
slab_alloc_node mm/slub.c:4134 [inline]
__do_kmalloc_node mm/slub.c:4263 [inline]
__kmalloc_noprof+0x1a6/0x400 mm/slub.c:4276
kmalloc_noprof include/linux/slab.h:882 [inline]
tomoyo_realpath_from_path+0xcf/0x5e0 security/tomoyo/realpath.c:251
tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
tomoyo_path_perm+0x2b7/0x740 security/tomoyo/file.c:822
security_inode_getattr+0x130/0x330 security/security.c:2373
vfs_getattr+0x45/0x430 fs/stat.c:204
vfs_fstat fs/stat.c:229 [inline]
vfs_fstatat+0xe4/0x190 fs/stat.c:338
__do_sys_newfstatat fs/stat.c:505 [inline]
__se_sys_newfstatat fs/stat.c:499 [inline]
__x64_sys_newfstatat+0x11d/0x1a0 fs/stat.c:499
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff88807bd71f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807bd72000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88807bd72080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88807bd72100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88807bd72180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Tested on:
commit: c2ee9f59 KVM: selftests: Fix build on on non-x86 archi..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=103ff430580000
kernel config: https://syzkaller.appspot.com/x/.config?x=346c6d758171538d
dashboard link: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=13264a5f980000
#syz test On Tue, Oct 22, 2024 at 12:44 PM Luiz Augusto von Dentz <luiz.dentz@gmail.com> wrote: > > #syz test > > On Mon, Oct 7, 2024 at 4:54 PM Luiz Augusto von Dentz > <luiz.dentz@gmail.com> wrote: > > > > #syz test > > > > On Mon, Oct 7, 2024 at 1:16 PM Luiz Augusto von Dentz > > <luiz.dentz@gmail.com> wrote: > > > > > > #syz test > > > > > > On Fri, Oct 4, 2024 at 1:24 PM Luiz Augusto von Dentz > > > <luiz.dentz@gmail.com> wrote: > > > > > > > > #syz test > > > > > > > > On Fri, Oct 4, 2024 at 12:06 PM Luiz Augusto von Dentz > > > > <luiz.dentz@gmail.com> wrote: > > > > > > > > > > #syz test > > > > > > > > > > On Thu, Oct 3, 2024 at 3:21 PM Luiz Augusto von Dentz > > > > > <luiz.dentz@gmail.com> wrote: > > > > > > > > > > > > #syz test > > > > > > > > > > > > On Thu, Oct 3, 2024 at 12:32 PM Luiz Augusto von Dentz > > > > > > <luiz.dentz@gmail.com> wrote: > > > > > > > > > > > > > > #syz test > > > > > > > > > > > > > > On Thu, Oct 3, 2024 at 11:38 AM Luiz Augusto von Dentz > > > > > > > <luiz.dentz@gmail.com> wrote: > > > > > > > > > > > > > > > > #syz test > > > > > > > > > > > > > > > > On Wed, Oct 2, 2024 at 4:46 PM Luiz Augusto von Dentz > > > > > > > > <luiz.dentz@gmail.com> wrote: > > > > > > > > > > > > > > > > > > #syz test > > > > > > > > > > > > > > > > > > On Wed, Oct 2, 2024 at 3:46 PM Luiz Augusto von Dentz > > > > > > > > > <luiz.dentz@gmail.com> wrote: > > > > > > > > > > > > > > > > > > > > #syz test > > > > > > > > > > > > > > > > > > > > On Wed, Oct 2, 2024 at 3:19 PM Luiz Augusto von Dentz > > > > > > > > > > <luiz.dentz@gmail.com> wrote: > > > > > > > > > > > > > > > > > > > > > > #syz test > > > > > > > > > > > > > > > > > > > > > > On Wed, Oct 2, 2024 at 3:04 PM Luiz Augusto von Dentz > > > > > > > > > > > <luiz.dentz@gmail.com> wrote: > > > > > > > > > > > > > > > > > > > > > > > > From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> > > > > > > > > > > > > > > > > > > > > > > > > This makes use of disable_delayed_work_sync instead > > > > > > > > > > > > cancel_delayed_work_sync as it not only cancel the ongoing work but also > > > > > > > > > > > > disables new submit which is disarable since the object holding the work > > > > > > > > > > > > is about to be freed. > > > > > > > > > > > > > > > > > > > > > > > > In addition to it remove call to sco_sock_set_timer on __sco_sock_close > > > > > > > > > > > > since at that point it is useless to set a timer as the sk will be freed > > > > > > > > > > > > there is nothing to be done in sco_sock_timeout. > > > > > > > > > > > > > > > > > > > > > > > > Reported-by: syzbot+4c0d0c4cde787116d465@syzkaller.appspotmail.com > > > > > > > > > > > > Closes: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465 > > > > > > > > > > > > Fixes: ba316be1b6a0 ("Bluetooth: schedule SCO timeouts with delayed_work") > > > > > > > > > > > > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> > > > > > > > > > > > > --- > > > > > > > > > > > > net/bluetooth/sco.c | 13 +------------ > > > > > > > > > > > > 1 file changed, 1 insertion(+), 12 deletions(-) > > > > > > > > > > > > > > > > > > > > > > > > diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c > > > > > > > > > > > > index a5ac160c592e..2b1e66976068 100644 > > > > > > > > > > > > --- a/net/bluetooth/sco.c > > > > > > > > > > > > +++ b/net/bluetooth/sco.c > > > > > > > > > > > > @@ -208,7 +208,7 @@ static void sco_conn_del(struct hci_conn *hcon, int err) > > > > > > > > > > > > } > > > > > > > > > > > > > > > > > > > > > > > > /* Ensure no more work items will run before freeing conn. */ > > > > > > > > > > > > - cancel_delayed_work_sync(&conn->timeout_work); > > > > > > > > > > > > + disable_delayed_work_sync(&conn->timeout_work); > > > > > > > > > > > > > > > > > > > > > > > > hcon->sco_data = NULL; > > > > > > > > > > > > kfree(conn); > > > > > > > > > > > > @@ -442,17 +442,6 @@ static void __sco_sock_close(struct sock *sk) > > > > > > > > > > > > > > > > > > > > > > > > case BT_CONNECTED: > > > > > > > > > > > > case BT_CONFIG: > > > > > > > > > > > > - if (sco_pi(sk)->conn->hcon) { > > > > > > > > > > > > - sk->sk_state = BT_DISCONN; > > > > > > > > > > > > - sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT); > > > > > > > > > > > > - sco_conn_lock(sco_pi(sk)->conn); > > > > > > > > > > > > - hci_conn_drop(sco_pi(sk)->conn->hcon); > > > > > > > > > > > > - sco_pi(sk)->conn->hcon = NULL; > > > > > > > > > > > > - sco_conn_unlock(sco_pi(sk)->conn); > > > > > > > > > > > > - } else > > > > > > > > > > > > - sco_chan_del(sk, ECONNRESET); > > > > > > > > > > > > - break; > > > > > > > > > > > > - > > > > > > > > > > > > case BT_CONNECT2: > > > > > > > > > > > > case BT_CONNECT: > > > > > > > > > > > > case BT_DISCONN: > > > > > > > > > > > > -- > > > > > > > > > > > > 2.46.1 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > > > > > Luiz Augusto von Dentz > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > > > > Luiz Augusto von Dentz > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > > > Luiz Augusto von Dentz > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > > Luiz Augusto von Dentz > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > Luiz Augusto von Dentz > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > Luiz Augusto von Dentz > > > > > > > > > > > > > > > > > > > > -- > > > > > Luiz Augusto von Dentz > > > > > > > > > > > > > > > > -- > > > > Luiz Augusto von Dentz > > > > > > > > > > > > -- > > > Luiz Augusto von Dentz > > > > > > > > -- > > Luiz Augusto von Dentz > > > > -- > Luiz Augusto von Dentz
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+4c0d0c4cde787116d465@syzkaller.appspotmail.com
Tested-by: syzbot+4c0d0c4cde787116d465@syzkaller.appspotmail.com
Tested on:
commit: c2ee9f59 KVM: selftests: Fix build on on non-x86 archi..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12a34a5f980000
kernel config: https://syzkaller.appspot.com/x/.config?x=346c6d758171538d
dashboard link: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=101c0c30580000
Note: testing is done by a robot and is best-effort only.
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c index a5ac160c592e..2b1e66976068 100644 --- a/net/bluetooth/sco.c +++ b/net/bluetooth/sco.c @@ -208,7 +208,7 @@ static void sco_conn_del(struct hci_conn *hcon, int err) } /* Ensure no more work items will run before freeing conn. */ - cancel_delayed_work_sync(&conn->timeout_work); + disable_delayed_work_sync(&conn->timeout_work); hcon->sco_data = NULL; kfree(conn); @@ -442,17 +442,6 @@ static void __sco_sock_close(struct sock *sk) case BT_CONNECTED: case BT_CONFIG: - if (sco_pi(sk)->conn->hcon) { - sk->sk_state = BT_DISCONN; - sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT); - sco_conn_lock(sco_pi(sk)->conn); - hci_conn_drop(sco_pi(sk)->conn->hcon); - sco_pi(sk)->conn->hcon = NULL; - sco_conn_unlock(sco_pi(sk)->conn); - } else - sco_chan_del(sk, ECONNRESET); - break; - case BT_CONNECT2: case BT_CONNECT: case BT_DISCONN: