https://bugzilla.kernel.org/show_bug.cgi?id=215245

            Bug ID: 215245
           Summary: KASAN: slab-out-of-bounds in hci_event_packet+0x2d8c/0x4e90 [bluetooth]
           Product: Drivers
           Version: 2.5
    Kernel Version: 4.19
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: high
          Priority: P1
         Component: Bluetooth
          Assignee: linux-bluetooth@xxxxxxxxxxxxxxx
          Reporter: gouhao@xxxxxxxxxxxxx
        Regression: No

Unknown ioctl -1072131215
Unknown ioctl -1073191904
Unknown ioctl 35123
Bluetooth: hci0: hardware error 0xff
==================================================================
BUG: KASAN: slab-out-of-bounds in hci_event_packet+0x2d8c/0x4e90 [bluetooth]
Read of size 3 at addr ffff88817262a77f by task kworker/u17:1/222831

CPU: 1 PID: 222831 Comm: kworker/u17:1 Not tainted 4.19.90-2108.8.0.0106.up5.uel20.x86_64 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
Workqueue: hci0 hci_rx_work [bluetooth]
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xab/0xee lib/dump_stack.c:118
 print_address_description+0x65/0x270 mm/kasan/report.c:253
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report+0x146/0x290 mm/kasan/report.c:409
 hci_event_packet+0x2d8c/0x4e90 [bluetooth]
 hci_rx_work+0x288/0x510 [bluetooth]
 process_one_work+0x4ca/0x870 kernel/workqueue.c:2148
 worker_thread+0x6e/0x790 kernel/workqueue.c:2303
 kthread+0x1dd/0x200 kernel/kthread.c:275
 ret_from_fork+0x1f/0x40 arch/x86/entry/entry_64.S:415

Allocated by task 222894:
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xa0/0xd0 mm/kasan/kasan.c:553
 slab_post_alloc_hook mm/slab.h:441 [inline]
 slab_alloc_node mm/slub.c:2740 [inline]
 __kmalloc_node_track_caller+0xcb/0x1a0 mm/slub.c:4364
 __kmalloc_reserve.isra.50+0x37/0xa0 net/core/skbuff.c:137
 __alloc_skb+0xd1/0x320 net/core/skbuff.c:205
 vhci_write+0x70/0x265 [hci_vhci]
 call_write_iter include/linux/fs.h:1886 [inline]
 new_sync_write fs/read_write.c:474 [inline]
 __vfs_write+0x2f4/0x430 fs/read_write.c:487
 vfs_write+0x10a/0x290 fs/read_write.c:549
 ksys_write+0xb4/0x190 fs/read_write.c:599
 do_syscall_64+0x96/0x410 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 221695:
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x130/0x180 mm/kasan/kasan.c:521
 slab_free_hook mm/slub.c:1389 [inline]
 slab_free_freelist_hook mm/slub.c:1416 [inline]
 slab_free mm/slub.c:2989 [inline]
 kfree+0x7d/0x140 mm/slub.c:3950
 drm_release+0xf3/0x140 [drm]
 __fput+0x198/0x3f0 fs/file_table.c:278
 task_work_run+0xc0/0x100 kernel/task_work.c:135
 tracehook_notify_resume include/linux/tracehook.h:193 [inline]
 exit_to_usermode_loop+0x121/0x130 arch/x86/entry/common.c:167
 prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
 do_syscall_64+0x359/0x410 arch/x86/entry/common.c:303
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at ffff88817262a580
The buggy address is located 511 bytes inside of
The buggy address belongs to the page:
page:ffffea0005c98a00 count:1 mapcount:0 mapping:ffff888107c0ec00 index:0x0 compound_mapcount: 0
flags: 0x17ffffc0008100(slab|head)
raw: 0017ffffc0008100 ffffea000494cc00 0000000800000008 ffff888107c0ec00
raw: 0000000000000000 0000000080190019 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88817262a680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88817262a700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88817262a780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
 ffff88817262a800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88817262a880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
Unknown ioctl -1072667619
Bluetooth: hci0: wrong event for mode 0
Unknown ioctl 19314
Unknown ioctl -1070571007
Unknown ioctl 1074304026
Unknown ioctl 19314