Hi Sanan, On Tue, Sep 12, 2023 at 4:02 PM Sanan Hasanov <Sanan.Hasanov@xxxxxxx> wrote: > > Good day, dear maintainers, > > We found a bug using a modified kernel configuration file used by syzbot. > > We enhanced the coverage of the configuration file using our tool, klocalizer. > > Kernel Branch: 6.3.0-next-20230426 > Kernel Config: https://drive.google.com/file/d/19nzVDVMtaTo8fv7RMtXDGYQzeRnNpp-r/view?usp=sharing > Reproducer: https://drive.google.com/file/d/1vzoYO_aW6XQqR6NAaJqvacOcJy9J6R-0/view?usp=sharing > > Thank you! > > Best regards, > Sanan Hasanov > > ================================================================== > BUG: KASAN: slab-use-after-free in hci_conn_hash_flush+0x1fa/0x230 > Read of size 8 at addr ffff8880780da000 by task syz-executor.7/5990 > > CPU: 3 PID: 5990 Comm: syz-executor.7 Not tainted 6.3.0-next-20230426 #1 > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 > Call Trace: > <TASK> > dump_stack_lvl+0x178/0x260 > print_report+0xc1/0x5e0 > kasan_report+0xc0/0xf0 > hci_conn_hash_flush+0x1fa/0x230 > hci_dev_close_sync+0x5c2/0x1060 > hci_unregister_dev+0x1ce/0x4a0 > vhci_release+0x80/0xf0 > __fput+0x27c/0xa90 > task_work_run+0x168/0x260 > do_exit+0xbd9/0x2b20 > do_group_exit+0xd4/0x2a0 > __x64_sys_exit_group+0x3e/0x50 > do_syscall_64+0x39/0x80 > entry_SYSCALL_64_after_hwframe+0x63/0xcd > RIP: 0033:0x7ff463e8edcd > Code: Unable to access opcode bytes at 0x7ff463e8eda3. > RSP: 002b:00007ffde1873c18 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7 > RAX: ffffffffffffffda RBX: 00007ffde1874480 RCX: 00007ff463e8edcd > RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000043 > RBP: 0000000000000003 R08: 0000000000000026 R09: 00007ffde1874480 > R10: 0000000000000026 R11: 0000000000000202 R12: 0000000000000000 > R13: 00007ff463eeba70 R14: 0000000000000002 R15: 00007ffde18744c0 > </TASK> > > Allocated by task 24391: > kasan_save_stack+0x22/0x40 > kasan_set_track+0x25/0x30 > __kasan_kmalloc+0x7c/0x90 > hci_conn_add+0xa5/0x1570 > hci_connect_sco+0x3e4/0xf50 > sco_sock_connect+0x2c0/0x9c0 > __sys_connect_file+0x153/0x1a0 > __sys_connect+0x165/0x1a0 > __x64_sys_connect+0x72/0xb0 > do_syscall_64+0x39/0x80 > entry_SYSCALL_64_after_hwframe+0x63/0xcd > > Freed by task 5990: > kasan_save_stack+0x22/0x40 > kasan_set_track+0x25/0x30 > kasan_save_free_info+0x2b/0x40 > ____kasan_slab_free+0x120/0x180 > __kmem_cache_free+0xcf/0x280 > device_release+0xa3/0x240 > kobject_put+0x175/0x270 > put_device+0x1f/0x30 > hci_conn_del+0x2df/0x860 > hci_conn_unlink+0x25b/0x3e0 > hci_conn_unlink+0x2ef/0x3e0 > hci_conn_hash_flush+0x18d/0x230 > hci_dev_close_sync+0x5c2/0x1060 > hci_unregister_dev+0x1ce/0x4a0 > vhci_release+0x80/0xf0 > __fput+0x27c/0xa90 > task_work_run+0x168/0x260 > do_exit+0xbd9/0x2b20 > do_group_exit+0xd4/0x2a0 > __x64_sys_exit_group+0x3e/0x50 > do_syscall_64+0x39/0x80 > entry_SYSCALL_64_after_hwframe+0x63/0xcd > > Last potentially related work creation: > kasan_save_stack+0x22/0x40 > __kasan_record_aux_stack+0x60/0x70 > insert_work+0x48/0x360 > __queue_work+0x5bc/0xfe0 > __queue_delayed_work+0x1c8/0x270 > queue_delayed_work_on+0x162/0x1c0 > sco_chan_del+0x1db/0x430 > __sco_sock_close+0x11f/0x640 > sco_sock_release+0x9f/0x2d0 > __sock_release+0xcd/0x290 > sock_close+0x1c/0x20 > __fput+0x27c/0xa90 > task_work_run+0x168/0x260 > get_signal+0x1cb/0x2460 > arch_do_signal_or_restart+0x79/0x5a0 > exit_to_user_mode_prepare+0x128/0x1e0 > syscall_exit_to_user_mode+0x1a/0x40 > do_syscall_64+0x46/0x80 > entry_SYSCALL_64_after_hwframe+0x63/0xcd > > The buggy address belongs to the object at ffff8880780da000 > which belongs to the cache kmalloc-4k of size 4096 > The buggy address is located 0 bytes inside of > freed 4096-byte region [ffff8880780da000, ffff8880780db000) > > The buggy address belongs to the physical page: > page:00000000fca63b13 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x780da > head:00000000fca63b13 order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0 > flags: 0xfffe0000010200(slab|head|node=0|zone=1|lastcpupid=0x3fff) > page_type: 0x1() > raw: 00fffe0000010200 ffff888100040900 ffffea000438c110 ffffea0001323210 > raw: 0000000000000000 ffff8880780da000 0000000100000001 0000000000000000 > page dumped because: kasan: bad access detected > > Memory state around the buggy address: > ffff8880780d9f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff > ffff8880780d9f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff > >ffff8880780da000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > ^ > ffff8880780da080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > ffff8880780da100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > ================================================================== > general protection fault, probably for non-canonical address 0xe0b5dc4c800002ec: 0000 [#1] PREEMPT SMP KASAN > KASAN: maybe wild-memory-access in range [0x05af026400001760-0x05af026400001767] > CPU: 3 PID: 5990 Comm: syz-executor.7 Tainted: G B 6.3.0-next-20230426 #1 > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 > RIP: 0010:__list_del_entry_valid+0x91/0x1b0 > Code: de 48 39 c2 0f 84 80 00 00 00 48 b8 22 01 00 00 00 00 ad de 48 39 c1 74 7f 48 b8 00 00 00 00 00 fc ff df 48 89 cf 48 c1 ef 03 <80> 3c 07 00 0f 85 e7 00 00 00 4c 8b 01 49 39 f0 75 6d 48 8d 7a 08 > RSP: 0018:ffffc9000d81fae0 EFLAGS: 00010213 > RAX: dffffc0000000000 RBX: ffff8880780da000 RCX: 05af026400001766 > RDX: ffff888046d06800 RSI: ffff8880780da000 RDI: 00b5e04c800002ec > RBP: ffff8880780da260 R08: 0000000000000001 R09: 0000000000000000 > R10: 0000000000000000 R11: ffffffff88e0008b R12: ffff8880780da008 > R13: ffff8880780da260 R14: dffffc0000000000 R15: ffff88805f51c000 > FS: 0000000000000000(0000) GS:ffff88811a180000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 000055d74eb5c6a0 CR3: 000000010e5b2000 CR4: 0000000000350ee0 > Call Trace: > <TASK> > hci_conn_cleanup+0x15d/0x7e0 > hci_conn_del+0x2df/0x860 > hci_conn_hash_flush+0x195/0x230 > hci_dev_close_sync+0x5c2/0x1060 > hci_unregister_dev+0x1ce/0x4a0 > vhci_release+0x80/0xf0 > __fput+0x27c/0xa90 > task_work_run+0x168/0x260 > do_exit+0xbd9/0x2b20 > do_group_exit+0xd4/0x2a0 > __x64_sys_exit_group+0x3e/0x50 > do_syscall_64+0x39/0x80 > entry_SYSCALL_64_after_hwframe+0x63/0xcd > RIP: 0033:0x7ff463e8edcd > Code: Unable to access opcode bytes at 0x7ff463e8eda3. > RSP: 002b:00007ffde1873c18 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7 > RAX: ffffffffffffffda RBX: 00007ffde1874480 RCX: 00007ff463e8edcd > RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000043 > RBP: 0000000000000003 R08: 0000000000000026 R09: 00007ffde1874480 > R10: 0000000000000026 R11: 0000000000000202 R12: 0000000000000000 > R13: 00007ff463eeba70 R14: 0000000000000002 R15: 00007ffde18744c0 > </TASK> > Modules linked in: > ---[ end trace 0000000000000000 ]--- > RIP: 0010:__list_del_entry_valid+0x91/0x1b0 > Code: de 48 39 c2 0f 84 80 00 00 00 48 b8 22 01 00 00 00 00 ad de 48 39 c1 74 7f 48 b8 00 00 00 00 00 fc ff df 48 89 cf 48 c1 ef 03 <80> 3c 07 00 0f 85 e7 00 00 00 4c 8b 01 49 39 f0 75 6d 48 8d 7a 08 > RSP: 0018:ffffc9000d81fae0 EFLAGS: 00010213 > RAX: dffffc0000000000 RBX: ffff8880780da000 RCX: 05af026400001766 > RDX: ffff888046d06800 RSI: ffff8880780da000 RDI: 00b5e04c800002ec > RBP: ffff8880780da260 R08: 0000000000000001 R09: 0000000000000000 > R10: 0000000000000000 R11: ffffffff88e0008b R12: ffff8880780da008 > R13: ffff8880780da260 R14: dffffc0000000000 R15: ffff88805f51c000 > FS: 0000000000000000(0000) GS:ffff88811a180000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 000055d74eb5c6a0 CR3: 000000010e5b2000 CR4: 0000000000350ee0 > ---------------- > Code disassembly (best guess), 1 bytes skipped: > 0: 48 39 c2 cmp %rax,%rdx > 3: 0f 84 80 00 00 00 je 0x89 > 9: 48 b8 22 01 00 00 00 movabs $0xdead000000000122,%rax > 10: 00 ad de > 13: 48 39 c1 cmp %rax,%rcx > 16: 74 7f je 0x97 > 18: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax > 1f: fc ff df > 22: 48 89 cf mov %rcx,%rdi > 25: 48 c1 ef 03 shr $0x3,%rdi > * 29: 80 3c 07 00 cmpb $0x0,(%rdi,%rax,1) <-- trapping instruction > 2d: 0f 85 e7 00 00 00 jne 0x11a > 33: 4c 8b 01 mov (%rcx),%r8 > 36: 49 39 f0 cmp %rsi,%r8 > 39: 75 6d jne 0xa8 > 3b: 48 8d 7a 08 lea 0x8(%rdx),%rdi Are you guys checking if these bugs have not been fixed already, for example this one I suspect has been fixed by: https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=a2ac591cb4d83e1f2d4b4adb3c14b2c79764650a -- Luiz Augusto von Dentz
