Hi Lihong,

> In the case we set or free the global value listen_chan in
> different threads, we can encounter the UAF problems because
> the method is not protected by any lock, add one to avoid
> this bug.
>
> BUG: KASAN: use-after-free in l2cap_chan_close+0x48/0x990
> net/bluetooth/l2cap_core.c:730
> Read of size 8 at addr ffff888096950000 by task kworker/1:102/2868
>
> CPU: 1 PID: 2868 Comm: kworker/1:102 Not tainted 5.5.0-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine,
> BIOS Google 01/01/2011
> Workqueue: events do_enable_set
> Call Trace:
>  __dump_stack lib/dump_stack.c:77 [inline]
>  dump_stack+0x1fb/0x318 lib/dump_stack.c:118
>  print_address_description+0x74/0x5c0 mm/kasan/report.c:374
>  __kasan_report+0x149/0x1c0 mm/kasan/report.c:506
>  kasan_report+0x26/0x50 mm/kasan/common.c:641
>  __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
>  l2cap_chan_close+0x48/0x990 net/bluetooth/l2cap_core.c:730
>  do_enable_set+0x660/0x900 net/bluetooth/6lowpan.c:1074
>  process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264
>  worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410
>  kthread+0x332/0x350 kernel/kthread.c:255
>  ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
>
> Allocated by task 2870:
>  save_stack mm/kasan/common.c:72 [inline]
>  set_track mm/kasan/common.c:80 [inline]
>  __kasan_kmalloc+0x118/0x1c0 mm/kasan/common.c:515
>  kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529
>  kmem_cache_alloc_trace+0x221/0x2f0 mm/slab.c:3551
>  kmalloc include/linux/slab.h:555 [inline]
>  kzalloc include/linux/slab.h:669 [inline]
>  l2cap_chan_create+0x50/0x320 net/bluetooth/l2cap_core.c:446
>  chan_create net/bluetooth/6lowpan.c:640 [inline]
>  bt_6lowpan_listen net/bluetooth/6lowpan.c:959 [inline]
>  do_enable_set+0x6a4/0x900 net/bluetooth/6lowpan.c:1078
>  process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264
>  worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410
>  kthread+0x332/0x350 kernel/kthread.c:255
>  ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
>
> Freed by task 2870:
>  save_stack mm/kasan/common.c:72 [inline]
>  set_track mm/kasan/common.c:80 [inline]
>  kasan_set_free_info mm/kasan/common.c:337 [inline]
>  __kasan_slab_free+0x12e/0x1e0 mm/kasan/common.c:476
>  kasan_slab_free+0xe/0x10 mm/kasan/common.c:485
>  __cache_free mm/slab.c:3426 [inline]
>  kfree+0x10d/0x220 mm/slab.c:3757
>  l2cap_chan_destroy net/bluetooth/l2cap_core.c:484 [inline]
>  kref_put include/linux/kref.h:65 [inline]
>  l2cap_chan_put+0x170/0x190 net/bluetooth/l2cap_core.c:498
>  do_enable_set+0x66c/0x900 net/bluetooth/6lowpan.c:1075
>  process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264
>  worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410
>  kthread+0x332/0x350 kernel/kthread.c:255
>  ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
>
> The buggy address belongs to the object at ffff888096950000
>  which belongs to the cache kmalloc-2k of size 2048
> The buggy address is located 0 bytes inside of
>  2048-byte region [ffff888096950000, ffff888096950800)
> The buggy address belongs to the page:
> page:ffffea00025a5400 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0
> flags: 0xfffe0000000200(slab)
> raw: 00fffe0000000200 ffffea00027d1548 ffffea0002397808 ffff8880aa400e00
> raw: 0000000000000000 ffff888096950000 0000000100000001 0000000000000000
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
>  ffff88809694ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>  ffff88809694ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> >ffff888096950000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>                    ^
>  ffff888096950080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>  ffff888096950100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ==================================================================
>
> Reported-by: syzbot+96414aa0033c363d8458@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Lihong Kou <koulihong@xxxxxxxxxx>
> ---
>  net/bluetooth/6lowpan.c | 5 +++++
>  1 file changed, 5 insertions(+)

patch has been applied to bluetooth-next tree.

Regards

Marcel
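The race the quoted commit message describes, modelled in user space as an added example. This is neither the kernel's code nor the patch itself (no hunk is quoted in this reply): the names chan_create, chan_close, chan_put, listen_chan and do_enable_set are borrowed from the report, every body is hypothetical, a static pool with a poison word stands in for the slab so that a stale read is observable rather than undefined, and a pthread mutex plays the role of the lock the patch adds. run_stress, model_leak and check_single_thread are invented test helpers.

```c
/* Added example, not the kernel's or the patch's code: a user-space model of
 * a global channel pointer that a work function tears down and re-creates,
 * run from several workers at once, with and without a lock around it. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define CHAN_LIVE 0x6c697665u   /* "live" */
#define CHAN_DEAD 0xfbfbfbfbu   /* same poison byte KASAN prints for freed slab memory */
#define POOL_SIZE 65536

struct chan { unsigned magic; };   /* stand-in for struct l2cap_chan */

/* Objects come from a static pool and are retired, never free()d, so a read
 * of a dead object is a countable event in the model instead of UB. */
static struct chan pool[POOL_SIZE];
static atomic_long allocs, frees, bad_accesses;

static struct chan *listen_chan;   /* the shared global from the report */
static pthread_mutex_t set_lock = PTHREAD_MUTEX_INITIALIZER;

static struct chan *chan_create(void)
{
    long idx = atomic_fetch_add(&allocs, 1);
    if (idx >= POOL_SIZE)
        return NULL;
    pool[idx].magic = CHAN_LIVE;
    return &pool[idx];
}

/* The read inside l2cap_chan_close is what KASAN flagged; count it when the
 * object has already been put by another worker. */
static void chan_close(struct chan *c)
{
    if (c->magic != CHAN_LIVE)
        atomic_fetch_add(&bad_accesses, 1);
}

static void chan_put(struct chan *c)
{
    if (c->magic != CHAN_LIVE)
        atomic_fetch_add(&bad_accesses, 1);   /* double put of one object */
    c->magic = CHAN_DEAD;
    atomic_fetch_add(&frees, 1);
}

/* The work function. Without the lock, two workers can both load the same
 * listen_chan; one puts it and the other then closes a dead object. */
void do_enable_set(bool enable, bool use_lock)
{
    struct chan *c;

    if (use_lock)
        pthread_mutex_lock(&set_lock);
    c = listen_chan;
    if (c) {
        chan_close(c);
        chan_put(c);
    }
    listen_chan = enable ? chan_create() : NULL;
    if (use_lock)
        pthread_mutex_unlock(&set_lock);
}

void model_reset(void)
{
    listen_chan = NULL;
    atomic_store(&allocs, 0);
    atomic_store(&frees, 0);
    atomic_store(&bad_accesses, 0);
}

/* Objects neither retired nor currently installed; 0 means nothing leaked. */
long model_leak(void)
{
    return atomic_load(&allocs) - atomic_load(&frees) - (listen_chan ? 1 : 0);
}

struct worker_arg { int iters; bool use_lock; };

static void *worker(void *p)
{
    struct worker_arg *a = p;
    for (int i = 0; i < a->iters; i++)
        do_enable_set(i & 1, a->use_lock);   /* alternate enable and disable */
    return NULL;
}

/* Runs up to 16 workers against a fresh model; returns reads of dead objects. */
long run_stress(int nthreads, int iters, bool use_lock)
{
    pthread_t tid[16];
    struct worker_arg a = { iters, use_lock };

    model_reset();
    if (nthreads > 16)
        nthreads = 16;
    for (int i = 0; i < nthreads; i++)
        pthread_create(&tid[i], NULL, worker, &a);
    for (int i = 0; i < nthreads; i++)
        pthread_join(tid[i], NULL);
    return atomic_load(&bad_accesses);
}

/* Single-threaded check of the locked path: enable twice, then disable. */
bool check_single_thread(void)
{
    model_reset();
    do_enable_set(true, true);
    do_enable_set(true, true);    /* replaces the first channel */
    do_enable_set(false, true);   /* tears the second one down */
    return atomic_load(&allocs) == 2 && atomic_load(&frees) == 2
        && listen_chan == NULL && model_leak() == 0;
}

int main(void)
{
    printf("locked:   dead reads=%ld leaked=%ld\n", run_stress(8, 2000, true), model_leak());
    printf("unlocked: dead reads=%ld leaked=%ld\n", run_stress(8, 2000, false), model_leak());
    return 0;
}
```

With the lock held across close, put and re-create, the stress run always reports zero dead reads and zero leaked objects; the unlocked run's counts vary between executions, which is exactly why a bug of this shape shows up only under a sanitizer and a fuzzer such as syzkaller.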