2023-05-23 19:04:51

by Sungwoo Kim

Subject: [PATCH] Bluetooth: L2CAP: Fix use-after-free in bt_accept_unlink

==================================================================
BUG: KASAN: use-after-free in bt_accept_unlink+0x77/0x1f0 net/bluetooth/af_bluetooth.c:189
Write of size 8 at addr ffff888104d59300 by task kworker/0:3/128

CPU: 0 PID: 128 Comm: kworker/0:3 Not tainted 6.2.0-00001-gef397bd4d5fb-dirty #58
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: events l2cap_chan_timeout
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x72/0x95 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:306 [inline]
print_report+0x175/0x478 mm/kasan/report.c:417
kasan_report+0xb1/0x130 mm/kasan/report.c:517
__list_del include/linux/list.h:114 [inline]
__list_del_entry include/linux/list.h:137 [inline]
list_del_init include/linux/list.h:206 [inline]
bt_accept_unlink+0x77/0x1f0 net/bluetooth/af_bluetooth.c:189
l2cap_sock_teardown_cb+0x1c6/0x4c0 net/bluetooth/l2cap_sock.c:1586
l2cap_chan_del+0x108/0x5e0 net/bluetooth/l2cap_core.c:651
l2cap_chan_close+0x159/0x830 net/bluetooth/l2cap_core.c:859
l2cap_chan_timeout+0x14f/0x240 net/bluetooth/l2cap_core.c:452
process_one_work+0x4ea/0x8e0 kernel/workqueue.c:2289
worker_thread+0x364/0x8e0 kernel/workqueue.c:2436
kthread+0x1b9/0x200 kernel/kthread.c:376
ret_from_fork+0x2c/0x50 arch/x86/entry/entry_64.S:308
</TASK>

Allocated by task 285:
kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0x82/0x90 mm/kasan/common.c:383
kasan_kmalloc include/linux/kasan.h:211 [inline]
__do_kmalloc_node mm/slab_common.c:968 [inline]
__kmalloc+0x5a/0x140 mm/slab_common.c:981
kmalloc include/linux/slab.h:584 [inline]
sk_prot_alloc+0x113/0x1f0 net/core/sock.c:2040
sk_alloc+0x36/0x3c0 net/core/sock.c:2093
l2cap_sock_alloc.constprop.0+0x39/0x1c0 net/bluetooth/l2cap_sock.c:1851
l2cap_sock_create+0x10d/0x220 net/bluetooth/l2cap_sock.c:1897
bt_sock_create+0x183/0x290 net/bluetooth/af_bluetooth.c:132
__sock_create+0x226/0x380 net/socket.c:1518
sock_create net/socket.c:1569 [inline]
__sys_socket_create net/socket.c:1606 [inline]
__sys_socket_create net/socket.c:1591 [inline]
__sys_socket+0x112/0x200 net/socket.c:1639
__do_sys_socket net/socket.c:1652 [inline]
__se_sys_socket net/socket.c:1650 [inline]
__x64_sys_socket+0x40/0x50 net/socket.c:1650
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x72/0xdc

Freed by task 285:
kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
kasan_save_free_info+0x2e/0x50 mm/kasan/generic.c:523
____kasan_slab_free mm/kasan/common.c:236 [inline]
____kasan_slab_free mm/kasan/common.c:200 [inline]
__kasan_slab_free+0x10a/0x190 mm/kasan/common.c:244
kasan_slab_free include/linux/kasan.h:177 [inline]
slab_free_hook mm/slub.c:1781 [inline]
slab_free_freelist_hook mm/slub.c:1807 [inline]
slab_free mm/slub.c:3787 [inline]
__kmem_cache_free+0x88/0x1f0 mm/slub.c:3800
sk_prot_free net/core/sock.c:2076 [inline]
__sk_destruct+0x347/0x430 net/core/sock.c:2168
sk_destruct+0x9c/0xb0 net/core/sock.c:2183
__sk_free+0x82/0x220 net/core/sock.c:2194
sk_free+0x7c/0xa0 net/core/sock.c:2205
sock_put include/net/sock.h:1991 [inline]
l2cap_sock_kill+0x256/0x2b0 net/bluetooth/l2cap_sock.c:1257
l2cap_sock_release+0x169/0x1c0 net/bluetooth/l2cap_sock.c:1427
__sock_release+0x80/0x150 net/socket.c:650
sock_close+0x19/0x30 net/socket.c:1368
__fput+0x17a/0x5c0 fs/file_table.c:320
task_work_run+0x132/0x1c0 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
exit_to_user_mode_prepare+0x113/0x120 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x21/0x50 kernel/entry/common.c:296
do_syscall_64+0x4c/0x90 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x72/0xdc

Last potentially related work creation:
kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
__kasan_record_aux_stack+0x97/0xb0 mm/kasan/generic.c:493
insert_work+0x33/0x180 kernel/workqueue.c:1358
__queue_work+0x410/0x960 kernel/workqueue.c:1517
rcu_work_rcufn+0x2e/0x40 kernel/workqueue.c:1754
rcu_do_batch kernel/rcu/tree.c:2246 [inline]
rcu_core+0x43b/0xe70 kernel/rcu/tree.c:2506
__do_softirq+0x124/0x3f9 kernel/softirq.c:571

Second to last potentially related work creation:
kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
__kasan_record_aux_stack+0x97/0xb0 mm/kasan/generic.c:493
__call_rcu_common.constprop.0+0x41/0x550 kernel/rcu/tree.c:2755
call_rcu_hurry include/linux/rcupdate.h:116 [inline]
queue_rcu_work+0x79/0x90 kernel/workqueue.c:1774
process_one_work+0x4ea/0x8e0 kernel/workqueue.c:2289
worker_thread+0x364/0x8e0 kernel/workqueue.c:2436
kthread+0x1b9/0x200 kernel/kthread.c:376
ret_from_fork+0x2c/0x50 arch/x86/entry/entry_64.S:308

The buggy address belongs to the object at ffff888104d59000
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 768 bytes inside of
1024-byte region [ffff888104d59000, ffff888104d59400)

The buggy address belongs to the physical page:
page:0000000067fcb39f refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104d58
head:0000000067fcb39f order:2 compound_mapcount:0 subpages_mapcount:0 compound_pincount:0
anon flags: 0x200000000010200(slab|head|node=0|zone=2)
raw: 0200000000010200 ffff888100041dc0 ffffea00041fa600 dead000000000003
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff888104d59200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888104d59280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888104d59300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888104d59380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888104d59400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

l2cap_chan_timeout() tries to write on (struct sock *)chan->data that
points to an address already freed by l2cap_sock_release().
This patch prevents this by clearing the timers in l2cap_sock_release()
as l2cap_sock_cleanup_listen() does.

Ack: This bug was found by FuzzBT with a modified Syzkaller. Other
contributors are Ruoyu Wu and Hui Peng.
Fixes: 1bff51ea59a9 ("Bluetooth: fix use-after-free error in lock_sock_nested()")
Signed-off-by: Sungwoo Kim <[email protected]>
---
net/bluetooth/l2cap_sock.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index eebe25610..cb274ee1c 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -1423,6 +1423,7 @@ static int l2cap_sock_release(struct socket *sock)
l2cap_chan_hold(chan);
l2cap_chan_lock(chan);

+ __clear_chan_timer(chan);
sock_orphan(sk);
l2cap_sock_kill(sk);

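Review bot: the added `__clear_chan_timer(chan);` carries no comment explaining why it has to sit exactly here, under l2cap_chan_lock() and before sock_orphan()/l2cap_sock_kill(), so the ordering this hunk relies on is only recoverable from the commit message. A one-line comment next to the call, for example `/* Cancel chan_timer before the socket is freed so l2cap_chan_timeout() cannot dereference chan->data afterwards */`, would keep that rationale with the code. It would also help to state, in the comment or the commit message, whether this cancellation also covers a timeout that has already been picked up by the workqueue and started executing, since the KASAN report shows the write coming from kworker running l2cap_chan_timeout rather than from the release path itself.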
--
2.34.1

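The following is an added C model of the lifecycle bug the patch above addresses; it is example code written for this thread, not part of the patch or of the kernel source. It mirrors the kernel names (struct sock, chan->data, chan_timer, a clear_chan_timer() standing in for __clear_chan_timer()) but the bodies are simplified assumptions: a delayed work item holds a pointer to the owning socket, the release path frees that socket, and the worker later runs the timeout callback. The socket's freed state is tracked with an explicit flag in place of KASAN's shadow memory, so the program is deterministic and contains no real use-after-free. It shows why the cancellation has to happen before the socket is released: with the patch's ordering the pending work is dropped and nothing touches the freed object.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct l2cap_chan;

/* Stand-in for the KASAN shadow state of one allocation (assumption: a flag
 * instead of real kmalloc/kfree, so touching a "freed" object is defined). */
enum slot_state { SLOT_ALLOCATED, SLOT_FREED };

struct sock {
	enum slot_state state;
	int accept_linked;   /* the accept-queue membership bt_accept_unlink() clears */
};

struct delayed_work {
	bool pending;        /* queued on the workqueue, not yet run by the worker */
	void (*fn)(struct l2cap_chan *);
};

struct l2cap_chan {
	struct sock *data;              /* chan->data: the owning socket */
	struct delayed_work chan_timer; /* the timer the patch clears */
};

static int uaf_reports;   /* how many callbacks touched a freed socket */

/* Model of l2cap_chan_timeout() -> ... -> bt_accept_unlink(): it writes into
 * the socket that chan->data points to, whatever state that socket is in. */
static void chan_timeout(struct l2cap_chan *chan)
{
	struct sock *sk = chan->data;

	if (sk->state == SLOT_FREED) {
		uaf_reports++;       /* the event KASAN flags in the report above */
		return;
	}
	sk->accept_linked = 0;       /* the list write done by bt_accept_unlink() */
}

/* Arm the channel timer (e.g. a connection timeout). */
static void set_chan_timer(struct l2cap_chan *chan)
{
	chan->chan_timer.fn = chan_timeout;
	chan->chan_timer.pending = true;
}

/* Simplified model of __clear_chan_timer(): drop the work if still queued.
 * Returns whether anything was pending. */
static bool clear_chan_timer(struct l2cap_chan *chan)
{
	bool was_pending = chan->chan_timer.pending;

	chan->chan_timer.pending = false;
	return was_pending;
}

/* The kworker: run whatever is still queued after the release path is done. */
static void run_pending_work(struct l2cap_chan *chan)
{
	if (!chan->chan_timer.pending)
		return;
	chan->chan_timer.pending = false;
	chan->chan_timer.fn(chan);
}

/* Model of l2cap_sock_release(): the buggy ordering frees the socket with the
 * timer still queued; the fixed ordering clears the timer first, as the
 * one-line patch does. */
static void sock_release(struct l2cap_chan *chan, bool clear_timer_first)
{
	if (clear_timer_first)
		clear_chan_timer(chan);         /* the line the patch adds */
	chan->data->state = SLOT_FREED;         /* sock_put() -> sk_free() */
}

/* Run one scenario and return the number of use-after-free events observed. */
int simulate_release(bool clear_timer_first)
{
	struct sock sk = { SLOT_ALLOCATED, 1 };
	struct l2cap_chan chan = { &sk, { false, NULL } };

	uaf_reports = 0;
	set_chan_timer(&chan);                  /* timer armed while the socket lives */
	sock_release(&chan, clear_timer_first); /* userspace close() path */
	run_pending_work(&chan);                /* kworker picks up l2cap_chan_timeout */
	return uaf_reports;
}

int main(void)
{
	printf("socket freed with timer still queued: %d use-after-free\n",
	       simulate_release(false));
	printf("timer cleared before the socket is freed: %d use-after-free\n",
	       simulate_release(true));
	return 0;
}
```

The first scenario reproduces the shape of the KASAN report (the callback runs after the release path freed the object it points to); the second is the patched ordering, where the pending work is discarded before the free and the worker finds nothing to run. The same rule generalises to any deferred work or timer that captures a pointer: cancel it, under the lock that serialises it against its callback, before the pointee's last reference goes away.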


2023-05-23 19:34:18

by bluez.test.bot

Subject: RE: Bluetooth: L2CAP: Fix use-after-free in bt_accept_unlink

This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=750377

---Test result---

Test Summary:
CheckPatch FAIL 0.98 seconds
GitLint FAIL 0.66 seconds
SubjectPrefix PASS 0.13 seconds
BuildKernel PASS 33.08 seconds
CheckAllWarning PASS 36.09 seconds
CheckSparse PASS 40.84 seconds
CheckSmatch PASS 110.21 seconds
BuildKernel32 PASS 31.86 seconds
TestRunnerSetup PASS 452.30 seconds
TestRunner_l2cap-tester PASS 17.47 seconds
TestRunner_iso-tester PASS 22.33 seconds
TestRunner_bnep-tester PASS 5.71 seconds
TestRunner_mgmt-tester PASS 116.58 seconds
TestRunner_rfcomm-tester PASS 9.18 seconds
TestRunner_sco-tester PASS 8.46 seconds
TestRunner_ioctl-tester PASS 9.96 seconds
TestRunner_mesh-tester PASS 7.29 seconds
TestRunner_smp-tester PASS 8.28 seconds
TestRunner_userchan-tester PASS 6.02 seconds
IncrementalBuild PASS 30.56 seconds

Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
Bluetooth: L2CAP: Fix use-after-free in bt_accept_unlink
WARNING: Possible unwrapped commit description (prefer a maximum 75 chars per line)
#75:
CPU: 0 PID: 128 Comm: kworker/0:3 Not tainted 6.2.0-00001-gef397bd4d5fb-dirty #58

WARNING: Please use correct Fixes: style 'Fixes: <12 chars of sha1> ("<title line>")' - ie: 'Fixes: 3ad340b7a678 ("Merge 6a1cd83c73a590cbf19d2bd75c22dc551bcf2170 into 04c0ec2ca4c0e76c6c9833f8e58909a86aad3e44")'
#207:
Fixes: 1bff51ea59a9 (Bluetooth: fix use-after-free error in

total: 0 errors, 2 warnings, 0 checks, 7 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.

/github/workspace/src/src/13252806.patch has style problems, please review.

NOTE: Ignored message types: UNKNOWN_COMMIT_ID

NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.


##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
Bluetooth: L2CAP: Fix use-after-free in bt_accept_unlink

WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
4: B1 Line exceeds max length (90>80): "BUG: KASAN: use-after-free in bt_accept_unlink+0x77/0x1f0 net/bluetooth/af_bluetooth.c:189"
7: B1 Line exceeds max length (81>80): "CPU: 0 PID: 128 Comm: kworker/0:3 Not tainted 6.2.0-00001-gef397bd4d5fb-dirty #58"
116: B1 Line exceeds max length (91>80): "page:0000000067fcb39f refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104d58"
117: B1 Line exceeds max length (89>80): "head:0000000067fcb39f order:2 compound_mapcount:0 subpages_mapcount:0 compound_pincount:0"


---
Regards,
Linux Bluetooth