2023-01-23 09:17:03

by Sungwoo Kim

Subject: Bluetooth: L2cap: use-after-free in l2cap_sock_ready_cb

It's a racy bug. e1000_clean() forcefully frees a socket even if
l2cap_sock_ready_cb() already has the socket lock, resulting in a
use-after-free when accessing the socket.
I don't have a clever idea to handle this, since it looks beyond
the Bluetooth system.
For the l2cap_sock.c in the stack trace, please refer to this file
for your convenience:
https://gist.github.com/swkim101/5c3b8cb7c7d7172aef23810c9412f323

This was discovered by FuzzBT on top of Syzkaller with Sungwoo Kim (me).
Other contributors to the FuzzBT project are Ruoyu Wu ([email protected])
and Hui Peng ([email protected]).

==================================================================
BUG: KASAN: use-after-free in l2cap_sock_ready_cb (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/bluetooth/l2cap_sock.c:1685)
Read of size 8 at addr ffff88800f6efaa8 by task kworker/u3:0/76
CPU: 0 PID: 76 Comm: kworker/u3:0 Not tainted 6.1.0-rc2 #129
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Workqueue: hci0 hci_rx_work
Call Trace:
<TASK>
dump_stack_lvl (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/lib/dump_stack.c:105)
print_address_description+0x7e/0x360
print_report (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/kasan/report.c:187 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/kasan/report.c:389)
? __virt_addr_valid (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/./include/linux/mmzone.h:1855 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/arch/x86/mm/physaddr.c:65)
? kasan_complete_mode_report_info (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/kasan/report_generic.c:104 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/kasan/report_generic.c:127 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/kasan/report_generic.c:136)
? l2cap_sock_ready_cb (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/bluetooth/l2cap_sock.c:1685)
kasan_report (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/kasan/report.c:? /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/kasan/report.c:484)
? l2cap_sock_ready_cb (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/bluetooth/l2cap_sock.c:1685)
__asan_load8 (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/kasan/generic.c:45 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/kasan/generic.c:67 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/kasan/generic.c:151 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/kasan/generic.c:180 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/kasan/generic.c:256)
l2cap_sock_ready_cb (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/bluetooth/l2cap_sock.c:1685)
l2cap_bredr_sig_cmd (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/bluetooth/l2cap_core.c:4703 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/bluetooth/l2cap_core.c:5884)
? vprintk_default (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/kernel/printk/printk.c:2279)
? vprintk (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/kernel/printk/printk_safe.c:50)
? _printk (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/kernel/printk/printk.c:2289)
? bt_err (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/bluetooth/lib.c:?)
? bt_err (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/bluetooth/lib.c:249)
l2cap_recv_frame (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/bluetooth/l2cap_core.c:7851 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/bluetooth/l2cap_core.c:7919)
? _printk (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/kernel/printk/printk.c:2289)
? bt_err (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/bluetooth/lib.c:?)
? __wake_up_klogd (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/kernel/printk/printk.c:3481)
l2cap_recv_acldata (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/bluetooth/l2cap_core.c:8601 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/bluetooth/l2cap_core.c:8631)
? hci_conn_enter_active_mode (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/bluetooth/hci_conn.c:?)
hci_rx_work (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/./include/net/bluetooth/hci_core.h:1121 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/bluetooth/hci_core.c:3937 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/bluetooth/hci_core.c:4189)
process_one_work (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/kernel/workqueue.c:2225)
worker_thread (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/kernel/workqueue.c:816 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/kernel/workqueue.c:2107 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/kernel/workqueue.c:2159 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/kernel/workqueue.c:2408)
kthread (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/kernel/kthread.c:361)
? process_one_work (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/kernel/workqueue.c:2321)
? kthread_blkcg (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/kernel/kthread.c:76 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/kernel/kthread.c:1519)
ret_from_fork (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/arch/x86/entry/entry_64.S:306)
</TASK>
Allocated by task 328:
kasan_set_track (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/kasan/common.c:51)
kasan_save_alloc_info (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/kasan/generic.c:432 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/kasan/generic.c:498)
__kasan_kmalloc (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/kasan/common.c:356)
__kmalloc_node_track_caller (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/slab_common.c:943 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/slab_common.c:975)
__alloc_skb (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/core/skbuff.c:516)
__tcp_send_ack (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/./include/net/sock.h:1010 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/ipv4/tcp_output.c:3961)
tcp_send_ack (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/ipv4/tcp_output.c:3992)
__tcp_cleanup_rbuf (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/ipv4/tcp.c:1579)
tcp_recvmsg_locked (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/./include/linux/skbuff.h:2324 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/ipv4/tcp.c:1633 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/ipv4/tcp.c:2633)
tcp_recvmsg (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/./include/net/busy_poll.h:107 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/ipv4/tcp.c:2676)
inet_recvmsg (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/ipv4/af_inet.c:859)
sock_read_iter (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/socket.c:1073)
vfs_read (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/./include/linux/uio.h:345 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/fs/read_write.c:387 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/fs/read_write.c:470)
ksys_read (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/fs/read_write.c:?)
__x64_sys_read (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/fs/read_write.c:621)
do_syscall_64 (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/arch/x86/entry/common.c:49 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/arch/x86/entry/common.c:80)
entry_SYSCALL_64_after_hwframe (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/arch/x86/entry/entry_64.S:120)
Freed by task 328:
kasan_set_track (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/kasan/common.c:51)
kasan_save_free_info (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/kasan/generic.c:508)
____kasan_slab_free (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/./include/linux/slub_def.h:164 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/kasan/common.c:214)
__kasan_slab_free (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/kasan/common.c:244)
slab_free_freelist_hook (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/slub.c:381 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/slub.c:1747)
__kmem_cache_free (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/slub.c:3656 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/slub.c:3674)
kfree (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/slab_common.c:1007)
skb_release_data (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/core/skbuff.c:782)
napi_consume_skb (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/core/skbuff.c:?)
e1000_clean (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/drivers/net/ethernet/intel/e1000/e1000_main.c:3855 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/drivers/net/ethernet/intel/e1000/e1000_main.c:3801)
__napi_poll (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/./arch/x86/include/asm/bitops.h:207 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/./arch/x86/include/asm/bitops.h:239 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/./include/asm-generic/bitops/instrumented-non-atomic.h:142 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/core/dev.c:6497)
net_rx_action (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/core/dev.c:6639 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/core/dev.c:6667)
__do_softirq (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/./arch/x86/include/asm/current.h:?)
The buggy address belongs to the object at ffff88800f6ef800
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 680 bytes inside of
1024-byte region [ffff88800f6ef800, ffff88800f6efc00)
The buggy address belongs to the physical page:
page:00000000b954ec57 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xf6ec
head:00000000b954ec57 order:2 compound_mapcount:0 compound_pincount:0
flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)
raw: 000fffffc0010200 ffffea0000864c00 dead000000000003 ffff888005841dc0
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88800f6ef980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88800f6efa00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88800f6efa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88800f6efb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88800f6efb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb