Received: by 2002:a05:7412:5112:b0:fa:6e18:a558 with SMTP id fm18csp841798rdb;
        Tue, 23 Jan 2024 17:44:33 -0800 (PST)
X-Google-Smtp-Source: AGHT+IEouVmZmgDjsTTItsMyRbaD1ijFZHqwwk2DR1I2Qj04B0zYFTzy526zzMR8X1TNHo4DrIUv
X-Received: by 2002:a05:622a:6:b0:42a:2ee3:ad40 with SMTP id x6-20020a05622a000600b0042a2ee3ad40mr1905811qtw.60.1706060673629;
        Tue, 23 Jan 2024 17:44:33 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1706060673; cv=pass;
        d=google.com; s=arc-20160816;
        b=a9NuY1GyoS/4hp3mAr7kbuVNpDxX1igRgz4saZIn0B7UXx2OLLfcZPst6DEc6QG6LI
         OKY3tn/0vPlH07nP3AX53McAweSS3D6grRHOV0nVGSe4XhiUDswFNMBuvAQKX/xv25tI
         wAtyhDfTuschOsM+gURAyh0hiZMUMQqxnSW9ejX5jzZ/G6M3PM6Nzuu9U9Rs5s/Sr1m0
         hAdQfAhUK0FIRYXszvExohbuxGgNP4o4YsrRlspoxJ7Ba6ojznJVgYwBhyPzmExG3DSP
         hFh/jTLW7+gW3WfQS8c1FcIdCG6SzVXv1lrrIR4YAGier+Bqu1CzkoWgl2KR8Lltn4BS
         4sRw==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:subject:from:cc:to:user-agent
         :mime-version:list-unsubscribe:list-subscribe:list-id:precedence
         :date:message-id:dkim-signature;
        bh=HTlHWkFqNzrWB6UEbwT6IpKGC+SqXWzHxYzJA+j6t0A=;
        fh=0INnah7VWmjWTgA5aOVGJk9ZUXntZUmJur2nRQgJDNs=;
        b=GPdcvc9uq/4AzgzrelYOrcHoPGpZdk2QDBJfLVByAUXW/1x8n1EoWnI1Viueixw4Wo
         DjQQv0epORd3gc7ZUfXj/PzgplUtcdXcQbCsl81vwUbRqh333s9BoPxBca6O1sw8+Otc
         ZXhVTif7aM0v5TK8VIvNQqiJb/AmJcDvhC50l8Q0iqlRIlyMOwKtkJMrHx+dVxVRwMIB
         yCcBpXHjQLbPh7CyPP/I07AH48/7hFc9hbiWPyElciuBHYPM4d3EHCWr7rXDr9yXwgPT
         QYVGg3YpRkws1lb4JokNdpYWr+JqOxflTQmRad9SToIF/zMHS6PXybrhtuX81fyN2glm
         HtXw==
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@buaa.edu.cn header.s=buaa header.b=E+bBTdOb;
       arc=pass (i=1 spf=pass spfdomain=buaa.edu.cn dkim=pass dkdomain=buaa.edu.cn dmarc=pass fromdomain=buaa.edu.cn);
       spf=pass (google.com: domain of linux-bluetooth+bounces-1287-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-bluetooth+bounces-1287-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=buaa.edu.cn
Return-Path: <linux-bluetooth+bounces-1287-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [2604:1380:45d1:ec00::1])
        by mx.google.com with ESMTPS id o14-20020a05622a044e00b0042a2b88f57asi9048632qtx.770.2024.01.23.17.44.33
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 23 Jan 2024 17:44:33 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-bluetooth+bounces-1287-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@buaa.edu.cn header.s=buaa header.b=E+bBTdOb;
       arc=pass (i=1 spf=pass spfdomain=buaa.edu.cn dkim=pass dkdomain=buaa.edu.cn dmarc=pass fromdomain=buaa.edu.cn);
       spf=pass (google.com: domain of linux-bluetooth+bounces-1287-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-bluetooth+bounces-1287-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=buaa.edu.cn
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by ny.mirrors.kernel.org (Postfix) with ESMTPS id 563731C23594
	for <linux.lists.archive@gmail.com>; Wed, 24 Jan 2024 01:44:33 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id EAEFB15D2;
	Wed, 24 Jan 2024 01:44:26 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=buaa.edu.cn header.i=@buaa.edu.cn header.b="E+bBTdOb"
X-Original-To: linux-bluetooth@vger.kernel.org
Received: from zg8tndyumtaxlji0oc4xnzya.icoremail.net (zg8tndyumtaxlji0oc4xnzya.icoremail.net [46.101.248.176])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 08D9A20F4;
	Wed, 24 Jan 2024 01:44:19 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=46.101.248.176
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1706060666; cv=none; b=Wls92tfZ9FL63KFaeNNCy2iq0dAOFDW5J81wSq1ZW7tGPinyNteAhP7X0jLbWo3yHwSVgo3F4zKS/yffgzizrfUNHc5vR4MxDeHuEKrE9gMG4Wlij/gLZslVQ7pt2JquQjYjx80ImqMwp4ExdYxe1Z8ApvCNGxmcG8IR9g9+Ndo=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1706060666; c=relaxed/simple;
	bh=t1kuy7jzuyGVsEMIivKdEr1GrnpSTkE1vbZObwWuBmA=;
	h=Message-ID:Date:MIME-Version:To:Cc:From:Subject:Content-Type; b=Ja9KpygBW8AquM/rMW9c7sI8CvyVho/PiToT1IyWLppRz5M5zgjRU0a11ntk2OPctOBKKATGxHMgkdjbSvGIbF1JX55jYaNGeXQwJDmbMdk08DeCwoSoNstmIixDIp1jz337yF0++9FQA0qNkreZ88DjyG2IG7FfKFRPY45QFZ4=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=buaa.edu.cn; spf=pass smtp.mailfrom=buaa.edu.cn; dkim=pass (1024-bit key) header.d=buaa.edu.cn header.i=@buaa.edu.cn header.b=E+bBTdOb; arc=none smtp.client-ip=46.101.248.176
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=buaa.edu.cn
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=buaa.edu.cn
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=buaa.edu.cn; s=buaa; h=Received:Message-ID:Date:MIME-Version:
	User-Agent:To:Cc:From:Subject:Content-Type:
	Content-Transfer-Encoding; bh=HTlHWkFqNzrWB6UEbwT6IpKGC+SqXWzHxY
	zJA+j6t0A=; b=E+bBTdObrImXR2mHzgtmetFl40fE0LlmHkUdAHG+dsvYzONyqv
	pe9u+wIZ8w7UnI3bnqXy46K1+lSyxfiCjbPCJqcGuriWbJqvyNezlWcIALNwAx57
	tUp1jJx7QKUyD+Q5Y4D/YzYGQBJo3V2C6dLehF8S19IN7DM/Mh3465DLw=
Received: from [10.128.52.159] (unknown [10.128.52.159])
	by coremail-app1 (Coremail) with SMTP id OCz+CgAXSFpga7BlqwA0AQ--.3661S2;
	Wed, 24 Jan 2024 09:44:00 +0800 (CST)
Message-ID: <2070c707-4fd0-4ca5-b643-5317fa61edc2@buaa.edu.cn>
Date: Wed, 24 Jan 2024 09:44:29 +0800
Precedence: bulk
X-Mailing-List: linux-bluetooth@vger.kernel.org
List-Id: <linux-bluetooth.vger.kernel.org>
List-Subscribe: <mailto:linux-bluetooth+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-bluetooth+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: marcel@holtmann.org, johan.hedberg@gmail.com, luiz.dentz@gmail.com
Cc: linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org,
 baijiaju1990@gmail.com
From: Yuxuan Hu <yuxuanhu@buaa.edu.cn>
Subject: Possible Use-After-Free in bt_accept_poll
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
X-CM-TRANSID:OCz+CgAXSFpga7BlqwA0AQ--.3661S2
X-Coremail-Antispam: 1UD129KBjvJXoW3WFy5JFy5uw45JrWfAF15CFg_yoW7tw15pr
	98Gas3Gw4kWrykAr4UJw18WryUCr4qv3ZrCr97Kr13Aa43Ga1UJr1jkFyjgr17CrZ8Ar17
	K3WkG3yakwn3Aw7anT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2
	9KBjDU0xBIdaVrnRJUUUkSb7Iv0xC_Kw4lb4IE77IF4wAFc2x0x2IEx4CE42xK8VAvwI8I
	cIk0rVWrJVCq3wAFIxvE14AKwVWUJVWUGwA2ocxC64kIII0Yj41l84x0c7CEw4AK67xGY2
	AK021l84ACjcxK6xIIjxv20xvE14v26F1j6w1UM28EF7xvwVC0I7IYx2IY6xkF7I0E14v2
	6F4j6r4UJwA2z4x0Y4vEx4A2jsIE14v26F4UJVW0owA2z4x0Y4vEx4A2jsIEc7CjxVAFwI
	0_GcCE3s1le2I262IYc4CY6c8Ij28IcVAaY2xG8wAqx4xG64xvF2IEw4CE5I8CrVC2j2Wl
	Yx0E2Ix0cI8IcVAFwI0_JF0_Jw1lYx0Ex4A2jsIE14v26r1j6r4UMcvjeVCFs4IE7xkEbV
	WUJVW8JwACjcxG0xvEwIxGrwCY02Avz4vE-syl42xK82IYc2Ij64vIr41l42xK82IY6x8E
	rcxFaVAv8VWrXryUJr1UMxC20s026xCaFVCjc4AY6r1j6r4UMI8I3I0E5I8CrVAFwI0_Jr
	0_Jr4lx2IqxVCjr7xvwVAFwI0_JrI_JrWlx4CE17CEb7AF67AKxVWUAVWUtwCIc40Y0x0E
	wIxGrwCI42IY6xIIjxv20xvE14v26r1j6r1xMIIF0xvE2Ix0cI8IcVCY1x0267AKxVWUJV
	W8JwCI42IY6xAIw20EY4v20xvaj40_Jr0_JF4lIxAIcVC2z280aVAFwI0_Jr0_Gr1lIxAI
	cVC2z280aVCY1x0267AKxVWUJVW8JbIYCTnIWIevJa73UjIFyTuYvjxUqZqWUUUUU
X-CM-SenderInfo: ysqtljawssquxxddhvlgxou0/

Hello,

I am writing to report a potential use-after-free that our fuzzing tool 
found in the 'bt_accept_poll' function. The bug was encountered while 
testing kernel 6.7-rc2 during a Bluetooth pairing procedure. Due to the 
non-determinism of concurrent execution, this bug cannot be stably 
reproduced in my testing.

Through disassembly, we have pinpointed the code at 
'bt_sock_poll+0x233', which corresponds to the inline function 
'bt_accept_poll', specifically at the line:

···
File: net/bluetooth/af_bluetooth.c
Line: 492
list_for_each_entry_safe(s, n, &bt_sk(parent)->accept_q, accept_q)
···

Based on the allocate and free tasks reported by KASAN, we suspect that 
the use-after-free issue originates from the 'parent' variable in the 
'bt_accept_poll' function, which corresponds to the 'sk' from 
'bt_sock_poll' that is passed into it.

The 'bt_accept_poll' function is called from 'bt_sock_poll' as follows:

···
File: net/bluetooth/af_bluetooth.c
Line: 506
     struct sock *sk = sock->sk;
     __poll_t mask = 0;

     poll_wait(file, sk_sleep(sk), wait);

     if (sk->sk_state == BT_LISTEN)
         return bt_accept_poll(sk);
···

This suggests that at the time of evaluating 'if (sk->sk_state == 
BT_LISTEN)', 'sk' is likely not NULL, and its 'sk_state' is 'BT_LISTEN'. 
However, by the time the execution reaches the section of code in 
'bt_accept_poll' mentioned above, 'sk' seems to have been freed. This 
appears to be a very subtle timing issue, which may explain the 
difficulty we have had in reproducing the bug.

KASAN report：
==================================================================
BUG: KASAN: slab-use-after-free in bt_sock_poll+0x233/0x9d0 [bluetooth]
Read of size 8 at addr ffff888005f142f8 by task bluetoothd/521

CPU: 0 PID: 521 Comm: bluetoothd Tainted: G           O 6.7.0-rc2 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
  <TASK>
  dump_stack_lvl+0xbf/0xf0
  print_address_description+0x7f/0x3d0
  print_report+0x11d/0x250
  ? __virt_addr_valid+0xc5/0xf0
  ? bt_sock_poll+0x233/0x9d0 [bluetooth]
  kasan_report+0x137/0x170
  ? bt_sock_poll+0x233/0x9d0 [bluetooth]
  bt_sock_poll+0x233/0x9d0 [bluetooth]
  sock_poll+0x2a0/0x350
  do_sys_poll+0x926/0x11a0
  ? __ia32_compat_sys_ppoll_time64+0x290/0x290
  ? __ia32_compat_sys_ppoll_time64+0x290/0x290
  ? __ia32_compat_sys_ppoll_time64+0x290/0x290
  ? __ia32_compat_sys_ppoll_time64+0x290/0x290
  ? __ia32_compat_sys_ppoll_time64+0x290/0x290
  ? __ia32_compat_sys_ppoll_time64+0x290/0x290
  ? __ia32_compat_sys_ppoll_time64+0x290/0x290
  ? __ia32_compat_sys_ppoll_time64+0x290/0x290
  __se_sys_poll+0x15d/0x340
  ? fpregs_assert_state_consistent+0x24/0xa0
  do_syscall_64+0x32/0xa0
  entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f6c44c1f933
Code: 49 8b 45 10 5d 41 5c 41 5d 41 5e c3 66 2e 0f 1f 84 00 00 00 00 00 
90 64 8b 04 25 18 00 00 00 85 c0 75 14 b8 07 00 00 00 0f 05 <48> 3d 00 
f0 ff ff 77 55 c3 0f 1f 40 00 48 83 ec 28 89 54 24 1c 48
RSP: 002b:00007ffe74204ad8 EFLAGS: 00000246 ORIG_RAX: 0000000000000007
RAX: ffffffffffffffda RBX: 00007f6c44ee1410 RCX: 00007f6c44c1f933
RDX: 00000000ffffffff RSI: 000000000000000f RDI: 00005614a8807720
RBP: 00005614a8807720 R08: 0000000000000010 R09: 0000000000000002
R10: 000000000000000f R11: 0000000000000246 R12: 000000000000000f
R13: 00007ffe74204af4 R14: 00000000ffffffff R15: 00005614a87f8bd0
  </TASK>

Allocated by task 671:
  kasan_set_track+0x4c/0x70
  __kasan_kmalloc+0x82/0x90
  __kmalloc+0xac/0x1d0
  sk_prot_alloc+0xdd/0x1a0
  sk_alloc+0x2c/0x4f0
  bt_sock_alloc+0x43/0x440 [bluetooth]
  l2cap_sock_alloc+0x3f/0x160 [bluetooth]
  l2cap_sock_new_connection_cb+0x12f/0x240 [bluetooth]
  l2cap_connect+0x7f1/0x1490 [bluetooth]
  l2cap_bredr_sig_cmd+0x45c/0x71c0 [bluetooth]
  l2cap_recv_frame+0xd46/0x1610 [bluetooth]
  l2cap_recv_acldata+0x2c5/0xd00 [bluetooth]
  hci_rx_work+0x67b/0xd00 [bluetooth]
  process_one_work+0x4f0/0xab0
  worker_thread+0x8af/0xee0
  kthread+0x275/0x300
  ret_from_fork+0x30/0x60
  ret_from_fork_asm+0x11/0x20

Freed by task 670:
  kasan_set_track+0x4c/0x70
  kasan_save_free_info+0x24/0x40
  ____kasan_slab_free+0x118/0x190
  slab_free_freelist_hook+0xd1/0x160
  __kmem_cache_free+0xa3/0x170
  __sk_destruct+0x317/0x400
  sock_put+0x81/0xd0 [bluetooth]
  l2cap_sock_kill+0xf6/0x110 [bluetooth]
  l2cap_sock_close_cb+0x66/0x80 [bluetooth]
  l2cap_conn_del+0x345/0x640 [bluetooth]
  l2cap_connect_cfm+0xdb/0x1060 [bluetooth]
  hci_connect_cfm+0x100/0x1c0 [bluetooth]
  hci_conn_failed+0x1c8/0x280 [bluetooth]
  hci_abort_conn_sync+0x7d9/0xaf0 [bluetooth]
  hci_disconnect_all_sync+0x152/0x1b0 [bluetooth]
  hci_set_powered_sync+0x499/0x6c0 [bluetooth]
  hci_cmd_sync_work+0x1f7/0x2b0 [bluetooth]
  process_one_work+0x4f0/0xab0
  worker_thread+0x8af/0xee0
  kthread+0x275/0x300
  ret_from_fork+0x30/0x60
  ret_from_fork_asm+0x11/0x20

Last potentially related work creation:
  kasan_save_stack+0x3b/0x60
  kasan_record_aux_stack_noalloc+0x96/0xa0
  __call_rcu_common+0x75/0xb40
  addrconf_ifdown+0x147a/0x1680
  addrconf_notify+0x161/0x1900
  notifier_call_chain+0xcd/0x1e0
  unregister_netdevice_many_notify+0xaa1/0x1230
  sit_exit_batch_net+0x53c/0x570
  cleanup_net+0x51f/0x970
  process_one_work+0x4f0/0xab0
  worker_thread+0x8af/0xee0
  kthread+0x275/0x300
  ret_from_fork+0x30/0x60
  ret_from_fork_asm+0x11/0x20