Hello, could you review the UAF bug and its fix?
The stack trace is at the bottom.
mgmt sync cmd could be used after freed in this scenario:
set_local_name() ... cmd is allocated, set_name_complete() is
queued in cmd_sync_work.
hci_error_reset() ... hci device reset.
hci_dev_close_sync() ... close hdev, at this point, cmd is freed.
set_name_complete() ... callback from cmd_sync_work. cmd->param causes UAF.
To fix this, this patch makes hci_dev_close_sync() call hci_cmd_sync_clear() to clear the cmd_sync_work.
Thanks,
Sungwoo Kim.
==================================================================
BUG: KASAN: slab-use-after-free in set_name_complete+0x4a/0x330 net/bluetooth/mgmt.c:3815
Read of size 8 at addr ffff888107259098 by task kworker/u3:0/66
CPU: 0 PID: 66 Comm: kworker/u3:0 Not tainted 6.8.0+ #61
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x85/0xb0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x18f/0x560 mm/kasan/report.c:488
kasan_report+0xd7/0x110 mm/kasan/report.c:601
__asan_report_load8_noabort+0x18/0x20 mm/kasan/report_generic.c:381
set_name_complete+0x4a/0x330 net/bluetooth/mgmt.c:3815
hci_cmd_sync_work+0x269/0x3e0 net/bluetooth/hci_sync.c:308
process_one_work kernel/workqueue.c:2633 [inline]
process_scheduled_works+0x6b9/0xdc0 kernel/workqueue.c:2706
worker_thread+0xb2b/0x13d0 kernel/workqueue.c:2787
kthread+0x2a9/0x340 kernel/kthread.c:388
ret_from_fork+0x5c/0x90 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:243
</TASK>
Allocated by task 308:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x30/0x70 mm/kasan/common.c:68
kasan_save_alloc_info+0x3c/0x50 mm/kasan/generic.c:575
poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
__kasan_kmalloc+0xa2/0xc0 mm/kasan/common.c:387
kasan_kmalloc include/linux/kasan.h:211 [inline]
kmalloc_trace+0x1c9/0x390 mm/slub.c:4012
kmalloc include/linux/slab.h:590 [inline]
kzalloc include/linux/slab.h:711 [inline]
mgmt_pending_new+0x6f/0x230 net/bluetooth/mgmt_util.c:269
mgmt_pending_add+0x3f/0x120 net/bluetooth/mgmt_util.c:296
set_local_name+0x15a/0x4c0 net/bluetooth/mgmt.c:3892
hci_mgmt_cmd+0xb79/0x1190 net/bluetooth/hci_sock.c:1715
hci_sock_sendmsg+0x63a/0xf00 net/bluetooth/hci_sock.c:1835
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x227/0x270 net/socket.c:745
sock_write_iter+0x28d/0x3d0 net/socket.c:1160
do_iter_readv_writev+0x331/0x4c0
vfs_writev+0x2e6/0xa40 fs/read_write.c:971
do_writev+0xfd/0x250 fs/read_write.c:1018
__do_sys_writev fs/read_write.c:1091 [inline]
__se_sys_writev fs/read_write.c:1088 [inline]
__x64_sys_writev+0x86/0xa0 fs/read_write.c:1088
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x84/0x120 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x6e/0x76
Freed by task 66:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x30/0x70 mm/kasan/common.c:68
kasan_save_free_info+0x44/0x50 mm/kasan/generic.c:589
poison_slab_object+0x11a/0x190 mm/kasan/common.c:240
__kasan_slab_free+0x3b/0x60 mm/kasan/common.c:256
kasan_slab_free include/linux/kasan.h:184 [inline]
slab_free_hook mm/slub.c:2121 [inline]
slab_free mm/slub.c:4299 [inline]
kfree+0x106/0x2e0 mm/slub.c:4409
mgmt_pending_free net/bluetooth/mgmt_util.c:309 [inline]
mgmt_pending_remove+0x19e/0x1d0 net/bluetooth/mgmt_util.c:315
cmd_complete_rsp+0x104/0x1a0
mgmt_pending_foreach+0xc7/0x120 net/bluetooth/mgmt_util.c:259
__mgmt_power_off+0x137/0x370 net/bluetooth/mgmt.c:9496
hci_dev_close_sync+0x4ab/0xe80 net/bluetooth/hci_sync.c:4953
hci_dev_do_close net/bluetooth/hci_core.c:554 [inline]
hci_error_reset+0x150/0x410 net/bluetooth/hci_core.c:1060
process_one_work kernel/workqueue.c:2633 [inline]
process_scheduled_works+0x6b9/0xdc0 kernel/workqueue.c:2706
worker_thread+0xb2b/0x13d0 kernel/workqueue.c:2787
kthread+0x2a9/0x340 kernel/kthread.c:388
ret_from_fork+0x5c/0x90 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:243
The buggy address belongs to the object at ffff888107259080
which belongs to the cache kmalloc-96 of size 96
The buggy address is located 24 bytes inside of
freed 96-byte region [ffff888107259080, ffff8881072590e0)
The buggy address belongs to the physical page:
page:000000006bdb81a5 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888107259280 pfn:0x107259
flags: 0x17ffffc0000a00(workingset|slab|node=0|zone=2|lastcpupid=0x1fffff)
page_type: 0xffffffff()
raw: 0017ffffc0000a00 ffff888100041780 ffffea0004145510 ffffea0004240190
raw: ffff888107259280 000000000020000f 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888107258f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888107259000: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
>ffff888107259080: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
^
ffff888107259100: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
ffff888107259180: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
==================================================================
Signed-off-by: Sungwoo Kim <[email protected]>
---
net/bluetooth/hci_core.c | 2 --
net/bluetooth/hci_sync.c | 5 ++++-
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index a7028d38c..c347efc4f 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -2764,8 +2764,6 @@ void hci_unregister_dev(struct hci_dev *hdev)
cancel_work_sync(&hdev->power_on);
- hci_cmd_sync_clear(hdev);
-
hci_unregister_suspend_notifier(hdev);
msft_unregister(hdev);
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index c5d879904..aa8e0c33c 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -5181,9 +5181,12 @@ int hci_dev_close_sync(struct hci_dev *hdev)
clear_bit(HCI_INIT, &hdev->flags);
}
- /* flush cmd work */
+ /* flush cmd work */
flush_work(&hdev->cmd_work);
+ /* flush cmd sync work */
+ hci_cmd_sync_clear(hdev);
+
/* Drop queues */
skb_queue_purge(&hdev->rx_q);
skb_queue_purge(&hdev->cmd_q);
--
2.34.1
Hello:
This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <[email protected]>:
On Thu, 25 Apr 2024 00:11:28 -0400 you wrote:
> Hello, could you review the UAF bug and its fix?
> The stack trace is at the bottom.
>
> mgmt sync cmd could be used after freed in this scenario:
>
> set_local_name() ... cmd is allocated, set_name_complete() is
> queued in cmd_sync_work.
> hci_error_reset() ... hci device reset.
> hci_dev_close_sync() ... close hdev, at this point, cmd is freed.
> set_name_complete() ... callback from cmd_sync_work. cmd->param causes UAF.
>
> [...]
Here is the summary with links:
- Bluetooth: HCI: fix slab-use-after-free in cmd_sync_work
https://git.kernel.org/bluetooth/bluetooth-next/c/37dd04e4d594
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
Dear All,
On 25.04.2024 06:11, Sungwoo Kim wrote:
> Hello, could you review the UAF bug and its fix?
> The stack trace is at the bottom.
>
> mgmt sync cmd could be used after freed in this scenario:
>
> set_local_name() ... cmd is allocated, set_name_complete() is
> queued in cmd_sync_work.
> hci_error_reset() ... hci device reset.
> hci_dev_close_sync() ... close hdev, at this point, cmd is freed.
> set_name_complete() ... callback from cmd_sync_work. cmd->param causes UAF.
>
> To fix this, this patch makes hci_dev_close_sync() call hci_cmd_sync_clear() to clear the cmd_sync_work.
>
> Thanks,
> Sungwoo Kim.
This patch landed in today's linux-next as commit 37dd04e4d594
("Bluetooth: HCI: fix slab-use-after-free in cmd_sync_work"). I believe
it correctly fixes the mentioned problem, but on the other hand it
introduces the following kernel's lock dependency checker warning:
============================================
WARNING: possible recursive locking detected
6.9.0-rc4-01047-g37dd04e4d594 #14949 Not tainted
--------------------------------------------
kworker/u9:0/56 is trying to acquire lock:
c3aba78c ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at:
__flush_work+0x1e0/0x538
but task is already holding lock:
f0eb5f18 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at:
process_scheduled_works+0x328/0x7a8
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock((work_completion)(&hdev->cmd_sync_work));
lock((work_completion)(&hdev->cmd_sync_work));
*** DEADLOCK ***
May be due to missing lock nesting notation
4 locks held by kworker/u9:0/56:
#0: c3a4e8b4 ((wq_completion)hci0){+.+.}-{0:0}, at:
process_scheduled_works+0x2fc/0x7a8
#1: f0eb5f18 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0},
at: process_scheduled_works+0x328/0x7a8
#2: c3abab6c (&hdev->req_lock){+.+.}-{3:3}, at:
hci_cmd_sync_work+0xa0/0x154 [bluetooth]
#3: c137bdfc (rcu_read_lock){....}-{1:2}, at: __flush_work+0x40/0x538
stack backtrace:
CPU: 0 PID: 56 Comm: kworker/u9:0 Not tainted
6.9.0-rc4-01047-g37dd04e4d594 #14949
Hardware name: Samsung Exynos (Flattened Device Tree)
Workqueue: hci0 hci_cmd_sync_work [bluetooth]
Call trace:.
unwind_backtrace from show_stack+0x10/0x14
show_stack from dump_stack_lvl+0x68/0x88
dump_stack_lvl from __lock_acquire+0x152c/0x1744
__lock_acquire from lock_acquire+0x21c/0x394
lock_acquire from __flush_work+0x20c/0x538
__flush_work from __cancel_work_sync+0x12c/0x20c
__cancel_work_sync from hci_cmd_sync_clear+0x1c/0x6c [bluetooth]
hci_cmd_sync_clear [bluetooth] from hci_dev_close_sync+0x31c/0x5f4
[bluetooth]
hci_dev_close_sync [bluetooth] from hci_set_powered_sync+0x27c/0x288
[bluetooth]
hci_set_powered_sync [bluetooth] from hci_cmd_sync_work+0xb0/0x154
[bluetooth]
hci_cmd_sync_work [bluetooth] from process_scheduled_works+0x390/0x7a8
process_scheduled_works from worker_thread+0x150/0x3bc
worker_thread from kthread+0x108/0x140
kthread from ret_from_fork+0x14/0x28
Exception stack(0xf0eb5fb0 to 0xf0eb5ff8)
...
Please check if the locking is really correct and if so, add the needed
lockdep annotation to the bluetooth code to silence the above warning.
> ==================================================================
> BUG: KASAN: slab-use-after-free in set_name_complete+0x4a/0x330 net/bluetooth/mgmt.c:3815
> Read of size 8 at addr ffff888107259098 by task kworker/u3:0/66
>
> CPU: 0 PID: 66 Comm: kworker/u3:0 Not tainted 6.8.0+ #61
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> Workqueue: hci0 hci_cmd_sync_work
> Call Trace:
> <TASK>
> __dump_stack lib/dump_stack.c:88 [inline]
> dump_stack_lvl+0x85/0xb0 lib/dump_stack.c:106
> print_address_description mm/kasan/report.c:377 [inline]
> print_report+0x18f/0x560 mm/kasan/report.c:488
> kasan_report+0xd7/0x110 mm/kasan/report.c:601
> __asan_report_load8_noabort+0x18/0x20 mm/kasan/report_generic.c:381
> set_name_complete+0x4a/0x330 net/bluetooth/mgmt.c:3815
> hci_cmd_sync_work+0x269/0x3e0 net/bluetooth/hci_sync.c:308
> process_one_work kernel/workqueue.c:2633 [inline]
> process_scheduled_works+0x6b9/0xdc0 kernel/workqueue.c:2706
> worker_thread+0xb2b/0x13d0 kernel/workqueue.c:2787
> kthread+0x2a9/0x340 kernel/kthread.c:388
> ret_from_fork+0x5c/0x90 arch/x86/kernel/process.c:147
> ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:243
> </TASK>
>
> Allocated by task 308:
> kasan_save_stack mm/kasan/common.c:47 [inline]
> kasan_save_track+0x30/0x70 mm/kasan/common.c:68
> kasan_save_alloc_info+0x3c/0x50 mm/kasan/generic.c:575
> poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
> __kasan_kmalloc+0xa2/0xc0 mm/kasan/common.c:387
> kasan_kmalloc include/linux/kasan.h:211 [inline]
> kmalloc_trace+0x1c9/0x390 mm/slub.c:4012
> kmalloc include/linux/slab.h:590 [inline]
> kzalloc include/linux/slab.h:711 [inline]
> mgmt_pending_new+0x6f/0x230 net/bluetooth/mgmt_util.c:269
> mgmt_pending_add+0x3f/0x120 net/bluetooth/mgmt_util.c:296
> set_local_name+0x15a/0x4c0 net/bluetooth/mgmt.c:3892
> hci_mgmt_cmd+0xb79/0x1190 net/bluetooth/hci_sock.c:1715
> hci_sock_sendmsg+0x63a/0xf00 net/bluetooth/hci_sock.c:1835
> sock_sendmsg_nosec net/socket.c:730 [inline]
> __sock_sendmsg+0x227/0x270 net/socket.c:745
> sock_write_iter+0x28d/0x3d0 net/socket.c:1160
> do_iter_readv_writev+0x331/0x4c0
> vfs_writev+0x2e6/0xa40 fs/read_write.c:971
> do_writev+0xfd/0x250 fs/read_write.c:1018
> __do_sys_writev fs/read_write.c:1091 [inline]
> __se_sys_writev fs/read_write.c:1088 [inline]
> __x64_sys_writev+0x86/0xa0 fs/read_write.c:1088
> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> do_syscall_64+0x84/0x120 arch/x86/entry/common.c:83
> entry_SYSCALL_64_after_hwframe+0x6e/0x76
>
> Freed by task 66:
> kasan_save_stack mm/kasan/common.c:47 [inline]
> kasan_save_track+0x30/0x70 mm/kasan/common.c:68
> kasan_save_free_info+0x44/0x50 mm/kasan/generic.c:589
> poison_slab_object+0x11a/0x190 mm/kasan/common.c:240
> __kasan_slab_free+0x3b/0x60 mm/kasan/common.c:256
> kasan_slab_free include/linux/kasan.h:184 [inline]
> slab_free_hook mm/slub.c:2121 [inline]
> slab_free mm/slub.c:4299 [inline]
> kfree+0x106/0x2e0 mm/slub.c:4409
> mgmt_pending_free net/bluetooth/mgmt_util.c:309 [inline]
> mgmt_pending_remove+0x19e/0x1d0 net/bluetooth/mgmt_util.c:315
> cmd_complete_rsp+0x104/0x1a0
> mgmt_pending_foreach+0xc7/0x120 net/bluetooth/mgmt_util.c:259
> __mgmt_power_off+0x137/0x370 net/bluetooth/mgmt.c:9496
> hci_dev_close_sync+0x4ab/0xe80 net/bluetooth/hci_sync.c:4953
> hci_dev_do_close net/bluetooth/hci_core.c:554 [inline]
> hci_error_reset+0x150/0x410 net/bluetooth/hci_core.c:1060
> process_one_work kernel/workqueue.c:2633 [inline]
> process_scheduled_works+0x6b9/0xdc0 kernel/workqueue.c:2706
> worker_thread+0xb2b/0x13d0 kernel/workqueue.c:2787
> kthread+0x2a9/0x340 kernel/kthread.c:388
> ret_from_fork+0x5c/0x90 arch/x86/kernel/process.c:147
> ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:243
>
> The buggy address belongs to the object at ffff888107259080
> which belongs to the cache kmalloc-96 of size 96
> The buggy address is located 24 bytes inside of
> freed 96-byte region [ffff888107259080, ffff8881072590e0)
>
> The buggy address belongs to the physical page:
> page:000000006bdb81a5 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888107259280 pfn:0x107259
> flags: 0x17ffffc0000a00(workingset|slab|node=0|zone=2|lastcpupid=0x1fffff)
> page_type: 0xffffffff()
> raw: 0017ffffc0000a00 ffff888100041780 ffffea0004145510 ffffea0004240190
> raw: ffff888107259280 000000000020000f 00000001ffffffff 0000000000000000
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
> ffff888107258f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff888107259000: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
>> ffff888107259080: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
> ^
> ffff888107259100: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
> ffff888107259180: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
> ==================================================================
>
> Signed-off-by: Sungwoo Kim <[email protected]>
> ---
> net/bluetooth/hci_core.c | 2 --
> net/bluetooth/hci_sync.c | 5 ++++-
> 2 files changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
> index a7028d38c..c347efc4f 100644
> --- a/net/bluetooth/hci_core.c
> +++ b/net/bluetooth/hci_core.c
> @@ -2764,8 +2764,6 @@ void hci_unregister_dev(struct hci_dev *hdev)
>
> cancel_work_sync(&hdev->power_on);
>
> - hci_cmd_sync_clear(hdev);
> -
> hci_unregister_suspend_notifier(hdev);
>
> msft_unregister(hdev);
> diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
> index c5d879904..aa8e0c33c 100644
> --- a/net/bluetooth/hci_sync.c
> +++ b/net/bluetooth/hci_sync.c
> @@ -5181,9 +5181,12 @@ int hci_dev_close_sync(struct hci_dev *hdev)
> clear_bit(HCI_INIT, &hdev->flags);
> }
>
> - /* flush cmd work */
> + /* flush cmd work */
> flush_work(&hdev->cmd_work);
>
> + /* flush cmd sync work */
> + hci_cmd_sync_clear(hdev);
> +
> /* Drop queues */
> skb_queue_purge(&hdev->rx_q);
> skb_queue_purge(&hdev->cmd_q);
Best regards
--
Marek Szyprowski, PhD
Samsung R&D Institute Poland
Hi,
On Fri, Apr 26, 2024 at 7:10 AM Marek Szyprowski
<[email protected]> wrote:
>
> Dear All,
>
> On 25.04.2024 06:11, Sungwoo Kim wrote:
> > Hello, could you review the UAF bug and its fix?
> > The stack trace is at the bottom.
> >
> > mgmt sync cmd could be used after freed in this scenario:
> >
> > set_local_name() ... cmd is allocated, set_name_complete() is
> > queued in cmd_sync_work.
> > hci_error_reset() ... hci device reset.
> > hci_dev_close_sync() ... close hdev, at this point, cmd is freed.
> > set_name_complete() ... callback from cmd_sync_work. cmd->param causes UAF.
> >
> > To fix this, this patch makes hci_dev_close_sync() call hci_cmd_sync_clear() to clear the cmd_sync_work.
> >
> > Thanks,
> > Sungwoo Kim.
>
> This patch landed in today's linux-next as commit 37dd04e4d594
> ("Bluetooth: HCI: fix slab-use-after-free in cmd_sync_work"). I believe
> it correctly fixes the mentioned problem, but on the other hand it
> introduces the following kernel's lock dependency checker warning:
>
> ============================================
> WARNING: possible recursive locking detected
> 6.9.0-rc4-01047-g37dd04e4d594 #14949 Not tainted
> --------------------------------------------
> kworker/u9:0/56 is trying to acquire lock:
> c3aba78c ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at:
> __flush_work+0x1e0/0x538
>
> but task is already holding lock:
> f0eb5f18 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at:
> process_scheduled_works+0x328/0x7a8
>
> other info that might help us debug this:
> Possible unsafe locking scenario:
>
> CPU0
> ----
> lock((work_completion)(&hdev->cmd_sync_work));
> lock((work_completion)(&hdev->cmd_sync_work));
>
> *** DEADLOCK ***
>
> May be due to missing lock nesting notation
>
> 4 locks held by kworker/u9:0/56:
> #0: c3a4e8b4 ((wq_completion)hci0){+.+.}-{0:0}, at:
> process_scheduled_works+0x2fc/0x7a8
> #1: f0eb5f18 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0},
> at: process_scheduled_works+0x328/0x7a8
> #2: c3abab6c (&hdev->req_lock){+.+.}-{3:3}, at:
> hci_cmd_sync_work+0xa0/0x154 [bluetooth]
> #3: c137bdfc (rcu_read_lock){....}-{1:2}, at: __flush_work+0x40/0x538
>
> stack backtrace:
> CPU: 0 PID: 56 Comm: kworker/u9:0 Not tainted
> 6.9.0-rc4-01047-g37dd04e4d594 #14949
> Hardware name: Samsung Exynos (Flattened Device Tree)
> Workqueue: hci0 hci_cmd_sync_work [bluetooth]
> Call trace:.
> unwind_backtrace from show_stack+0x10/0x14
> show_stack from dump_stack_lvl+0x68/0x88
> dump_stack_lvl from __lock_acquire+0x152c/0x1744
> __lock_acquire from lock_acquire+0x21c/0x394
> lock_acquire from __flush_work+0x20c/0x538
> __flush_work from __cancel_work_sync+0x12c/0x20c
> __cancel_work_sync from hci_cmd_sync_clear+0x1c/0x6c [bluetooth]
> hci_cmd_sync_clear [bluetooth] from hci_dev_close_sync+0x31c/0x5f4
> [bluetooth]
> hci_dev_close_sync [bluetooth] from hci_set_powered_sync+0x27c/0x288
> [bluetooth]
> hci_set_powered_sync [bluetooth] from hci_cmd_sync_work+0xb0/0x154
> [bluetooth]
> hci_cmd_sync_work [bluetooth] from process_scheduled_works+0x390/0x7a8
> process_scheduled_works from worker_thread+0x150/0x3bc
> worker_thread from kthread+0x108/0x140
> kthread from ret_from_fork+0x14/0x28
> Exception stack(0xf0eb5fb0 to 0xf0eb5ff8)
> ...
>
>
> Please check if the locking is really correct and if so, add the needed
> lockdep annotation to the bluetooth code to silence the above warning.
>
>
> > ==================================================================
> > BUG: KASAN: slab-use-after-free in set_name_complete+0x4a/0x330 net/bluetooth/mgmt.c:3815
> > Read of size 8 at addr ffff888107259098 by task kworker/u3:0/66
> >
> > CPU: 0 PID: 66 Comm: kworker/u3:0 Not tainted 6.8.0+ #61
> > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> > Workqueue: hci0 hci_cmd_sync_work
> > Call Trace:
> > <TASK>
> > __dump_stack lib/dump_stack.c:88 [inline]
> > dump_stack_lvl+0x85/0xb0 lib/dump_stack.c:106
> > print_address_description mm/kasan/report.c:377 [inline]
> > print_report+0x18f/0x560 mm/kasan/report.c:488
> > kasan_report+0xd7/0x110 mm/kasan/report.c:601
> > __asan_report_load8_noabort+0x18/0x20 mm/kasan/report_generic.c:381
> > set_name_complete+0x4a/0x330 net/bluetooth/mgmt.c:3815
> > hci_cmd_sync_work+0x269/0x3e0 net/bluetooth/hci_sync.c:308
> > process_one_work kernel/workqueue.c:2633 [inline]
> > process_scheduled_works+0x6b9/0xdc0 kernel/workqueue.c:2706
> > worker_thread+0xb2b/0x13d0 kernel/workqueue.c:2787
> > kthread+0x2a9/0x340 kernel/kthread.c:388
> > ret_from_fork+0x5c/0x90 arch/x86/kernel/process.c:147
> > ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:243
> > </TASK>
> >
> > Allocated by task 308:
> > kasan_save_stack mm/kasan/common.c:47 [inline]
> > kasan_save_track+0x30/0x70 mm/kasan/common.c:68
> > kasan_save_alloc_info+0x3c/0x50 mm/kasan/generic.c:575
> > poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
> > __kasan_kmalloc+0xa2/0xc0 mm/kasan/common.c:387
> > kasan_kmalloc include/linux/kasan.h:211 [inline]
> > kmalloc_trace+0x1c9/0x390 mm/slub.c:4012
> > kmalloc include/linux/slab.h:590 [inline]
> > kzalloc include/linux/slab.h:711 [inline]
> > mgmt_pending_new+0x6f/0x230 net/bluetooth/mgmt_util.c:269
> > mgmt_pending_add+0x3f/0x120 net/bluetooth/mgmt_util.c:296
> > set_local_name+0x15a/0x4c0 net/bluetooth/mgmt.c:3892
> > hci_mgmt_cmd+0xb79/0x1190 net/bluetooth/hci_sock.c:1715
> > hci_sock_sendmsg+0x63a/0xf00 net/bluetooth/hci_sock.c:1835
> > sock_sendmsg_nosec net/socket.c:730 [inline]
> > __sock_sendmsg+0x227/0x270 net/socket.c:745
> > sock_write_iter+0x28d/0x3d0 net/socket.c:1160
> > do_iter_readv_writev+0x331/0x4c0
> > vfs_writev+0x2e6/0xa40 fs/read_write.c:971
> > do_writev+0xfd/0x250 fs/read_write.c:1018
> > __do_sys_writev fs/read_write.c:1091 [inline]
> > __se_sys_writev fs/read_write.c:1088 [inline]
> > __x64_sys_writev+0x86/0xa0 fs/read_write.c:1088
> > do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> > do_syscall_64+0x84/0x120 arch/x86/entry/common.c:83
> > entry_SYSCALL_64_after_hwframe+0x6e/0x76
> >
> > Freed by task 66:
> > kasan_save_stack mm/kasan/common.c:47 [inline]
> > kasan_save_track+0x30/0x70 mm/kasan/common.c:68
> > kasan_save_free_info+0x44/0x50 mm/kasan/generic.c:589
> > poison_slab_object+0x11a/0x190 mm/kasan/common.c:240
> > __kasan_slab_free+0x3b/0x60 mm/kasan/common.c:256
> > kasan_slab_free include/linux/kasan.h:184 [inline]
> > slab_free_hook mm/slub.c:2121 [inline]
> > slab_free mm/slub.c:4299 [inline]
> > kfree+0x106/0x2e0 mm/slub.c:4409
> > mgmt_pending_free net/bluetooth/mgmt_util.c:309 [inline]
> > mgmt_pending_remove+0x19e/0x1d0 net/bluetooth/mgmt_util.c:315
> > cmd_complete_rsp+0x104/0x1a0
> > mgmt_pending_foreach+0xc7/0x120 net/bluetooth/mgmt_util.c:259
> > __mgmt_power_off+0x137/0x370 net/bluetooth/mgmt.c:9496
> > hci_dev_close_sync+0x4ab/0xe80 net/bluetooth/hci_sync.c:4953
> > hci_dev_do_close net/bluetooth/hci_core.c:554 [inline]
> > hci_error_reset+0x150/0x410 net/bluetooth/hci_core.c:1060
> > process_one_work kernel/workqueue.c:2633 [inline]
> > process_scheduled_works+0x6b9/0xdc0 kernel/workqueue.c:2706
> > worker_thread+0xb2b/0x13d0 kernel/workqueue.c:2787
> > kthread+0x2a9/0x340 kernel/kthread.c:388
> > ret_from_fork+0x5c/0x90 arch/x86/kernel/process.c:147
> > ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:243
> >
> > The buggy address belongs to the object at ffff888107259080
> > which belongs to the cache kmalloc-96 of size 96
> > The buggy address is located 24 bytes inside of
> > freed 96-byte region [ffff888107259080, ffff8881072590e0)
> >
> > The buggy address belongs to the physical page:
> > page:000000006bdb81a5 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888107259280 pfn:0x107259
> > flags: 0x17ffffc0000a00(workingset|slab|node=0|zone=2|lastcpupid=0x1fffff)
> > page_type: 0xffffffff()
> > raw: 0017ffffc0000a00 ffff888100041780 ffffea0004145510 ffffea0004240190
> > raw: ffff888107259280 000000000020000f 00000001ffffffff 0000000000000000
> > page dumped because: kasan: bad access detected
> >
> > Memory state around the buggy address:
> > ffff888107258f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> > ffff888107259000: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
> >> ffff888107259080: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
> > ^
> > ffff888107259100: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
> > ffff888107259180: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
> > ==================================================================
> >
> > Signed-off-by: Sungwoo Kim <[email protected]>
> > ---
> > net/bluetooth/hci_core.c | 2 --
> > net/bluetooth/hci_sync.c | 5 ++++-
> > 2 files changed, 4 insertions(+), 3 deletions(-)
> >
> > diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
> > index a7028d38c..c347efc4f 100644
> > --- a/net/bluetooth/hci_core.c
> > +++ b/net/bluetooth/hci_core.c
> > @@ -2764,8 +2764,6 @@ void hci_unregister_dev(struct hci_dev *hdev)
> >
> > cancel_work_sync(&hdev->power_on);
> >
> > - hci_cmd_sync_clear(hdev);
> > -
> > hci_unregister_suspend_notifier(hdev);
> >
> > msft_unregister(hdev);
> > diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
> > index c5d879904..aa8e0c33c 100644
> > --- a/net/bluetooth/hci_sync.c
> > +++ b/net/bluetooth/hci_sync.c
> > @@ -5181,9 +5181,12 @@ int hci_dev_close_sync(struct hci_dev *hdev)
> > clear_bit(HCI_INIT, &hdev->flags);
> > }
> >
> > - /* flush cmd work */
> > + /* flush cmd work */
> > flush_work(&hdev->cmd_work);
> >
> > + /* flush cmd sync work */
> > + hci_cmd_sync_clear(hdev);
> > +
> > /* Drop queues */
> > skb_queue_purge(&hdev->rx_q);
> > skb_queue_purge(&hdev->cmd_q);
>
> Best regards
> --
> Marek Szyprowski, PhD
> Samsung R&D Institute Poland
>
Yeah, I will be reverting it from bluetooth-next until we find a
solution that doesn't cause side effects.
--
Luiz Augusto von Dentz