It's a racy bug. e1000_clean() forcefully frees a socket even if l2cap_sock_ready_cb() already holds the socket lock, resulting in a use-after-free when accessing the socket. (Note that the Allocated/Freed records below show the object as kmalloc-1k skb data, allocated via __alloc_skb and freed via skb_release_data from e1000_clean, rather than the socket structure itself.) I don't have a clever idea to handle this, since it looks beyond the Bluetooth system. For the l2cap_sock.c in the stack trace, please refer to this file for your convenience: https://gist.github.com/swkim101/5c3b8cb7c7d7172aef23810c9412f323 This was discovered by FuzzBT on top of Syzkaller with Sungwoo Kim (me). Other contributors to the FuzzBT project are Ruoyu Wu(wuruoyu@xxxxxx) and Hui Peng(benquike@xxxxxxxxx). ================================================================== BUG: KASAN: use-after-free in l2cap_sock_ready_cb (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/bluetooth/l2cap_sock.c:1685) Read of size 8 at addr ffff88800f6efaa8 by task kworker/u3:0/76 CPU: 0 PID: 76 Comm: kworker/u3:0 Not tainted 6.1.0-rc2 #129 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Workqueue: hci0 hci_rx_work Call Trace: <TASK> dump_stack_lvl (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/lib/dump_stack.c:105) print_address_description+0x7e/0x360 print_report (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/kasan/report.c:187 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/kasan/report.c:389) ? __virt_addr_valid (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/./include/linux/mmzone.h:1855 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/arch/x86/mm/physaddr.c:65) ? kasan_complete_mode_report_info (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/kasan/report_generic.c:104 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/kasan/report_generic.c:127 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/kasan/report_generic.c:136) ? l2cap_sock_ready_cb (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/bluetooth/l2cap_sock.c:1685) kasan_report (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/kasan/report.c:? /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/kasan/report.c:484) ?
l2cap_sock_ready_cb (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/bluetooth/l2cap_sock.c:1685) __asan_load8 (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/kasan/generic.c:45 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/kasan/generic.c:67 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/kasan/generic.c:151 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/kasan/generic.c:180 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/kasan/generic.c:256) l2cap_sock_ready_cb (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/bluetooth/l2cap_sock.c:1685) l2cap_bredr_sig_cmd (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/bluetooth/l2cap_core.c:4703 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/bluetooth/l2cap_core.c:5884) ? vprintk_default (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/kernel/printk/printk.c:2279) ? vprintk (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/kernel/printk/printk_safe.c:50) ? _printk (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/kernel/printk/printk.c:2289) ? bt_err (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/bluetooth/lib.c:?) ? bt_err (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/bluetooth/lib.c:249) l2cap_recv_frame (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/bluetooth/l2cap_core.c:7851 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/bluetooth/l2cap_core.c:7919) ? _printk (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/kernel/printk/printk.c:2289) ? bt_err (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/bluetooth/lib.c:?) ? __wake_up_klogd (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/kernel/printk/printk.c:3481) l2cap_recv_acldata (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/bluetooth/l2cap_core.c:8601 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/bluetooth/l2cap_core.c:8631) ? hci_conn_enter_active_mode (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/bluetooth/hci_conn.c:?) 
hci_rx_work (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/./include/net/bluetooth/hci_core.h:1121 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/bluetooth/hci_core.c:3937 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/bluetooth/hci_core.c:4189) process_one_work (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/kernel/workqueue.c:2225) worker_thread (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/kernel/workqueue.c:816 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/kernel/workqueue.c:2107 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/kernel/workqueue.c:2159 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/kernel/workqueue.c:2408) kthread (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/kernel/kthread.c:361) ? process_one_work (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/kernel/workqueue.c:2321) ? kthread_blkcg (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/kernel/kthread.c:76 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/kernel/kthread.c:1519) ret_from_fork (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/arch/x86/entry/entry_64.S:306) </TASK> Allocated by task 328: kasan_set_track (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/kasan/common.c:51) kasan_save_alloc_info (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/kasan/generic.c:432 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/kasan/generic.c:498) __kasan_kmalloc (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/kasan/common.c:356) __kmalloc_node_track_caller (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/slab_common.c:943 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/slab_common.c:975) __alloc_skb (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/core/skbuff.c:516) __tcp_send_ack (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/./include/net/sock.h:1010 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/ipv4/tcp_output.c:3961) tcp_send_ack (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/ipv4/tcp_output.c:3992) __tcp_cleanup_rbuf (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/ipv4/tcp.c:1579) tcp_recvmsg_locked (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/./include/linux/skbuff.h:2324 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/ipv4/tcp.c:1633 
/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/ipv4/tcp.c:2633) tcp_recvmsg (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/./include/net/busy_poll.h:107 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/ipv4/tcp.c:2676) inet_recvmsg (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/ipv4/af_inet.c:859) sock_read_iter (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/socket.c:1073) vfs_read (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/./include/linux/uio.h:345 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/fs/read_write.c:387 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/fs/read_write.c:470) ksys_read (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/fs/read_write.c:?) __x64_sys_read (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/fs/read_write.c:621) do_syscall_64 (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/arch/x86/entry/common.c:49 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/arch/x86/entry/common.c:80) entry_SYSCALL_64_after_hwframe (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/arch/x86/entry/entry_64.S:120) Freed by task 328: kasan_set_track (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/kasan/common.c:51) kasan_save_free_info (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/kasan/generic.c:508) ____kasan_slab_free (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/./include/linux/slub_def.h:164 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/kasan/common.c:214) __kasan_slab_free (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/kasan/common.c:244) slab_free_freelist_hook (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/slub.c:381 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/slub.c:1747) __kmem_cache_free (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/slub.c:3656 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/slub.c:3674) kfree (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/mm/slab_common.c:1007) skb_release_data (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/core/skbuff.c:782) napi_consume_skb (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/core/skbuff.c:?) 
e1000_clean (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/drivers/net/ethernet/intel/e1000/e1000_main.c:3855 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/drivers/net/ethernet/intel/e1000/e1000_main.c:3801) __napi_poll (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/./arch/x86/include/asm/bitops.h:207 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/./arch/x86/include/asm/bitops.h:239 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/./include/asm-generic/bitops/instrumented-non-atomic.h:142 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/core/dev.c:6497) net_rx_action (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/core/dev.c:6639 /home/sungwoo/fuzzbt/v6.1-rc2-bzimage/net/core/dev.c:6667) __do_softirq (/home/sungwoo/fuzzbt/v6.1-rc2-bzimage/./arch/x86/include/asm/current.h:?) The buggy address belongs to the object at ffff88800f6ef800 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 680 bytes inside of 1024-byte region [ffff88800f6ef800, ffff88800f6efc00) The buggy address belongs to the physical page: page:00000000b954ec57 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xf6ec head:00000000b954ec57 order:2 compound_mapcount:0 compound_pincount:0 flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff) raw: 000fffffc0010200 ffffea0000864c00 dead000000000003 ffff888005841dc0 raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88800f6ef980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88800f6efa00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff88800f6efa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88800f6efb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88800f6efb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb