Hello Greg,
During Syzkaller reproducer testing on 5.4.y (5.4.118-rc1) the following
crash occurred:
BUG: KASAN: use-after-free in hci_send_acl
https://syzkaller.appspot.com/bug?extid=98228e7407314d2d4ba2
We cherry-picked upstream commit 5c4c8c95 to 5.4.y and the crash no
longer occurs (rebooted 10 times with the fix commit - no failures).
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5c4c8c9544099bb9043a10a5318130a943e32fc3
The cherry-pick of upstream commit 5c4c8c95 was clean.
[ 104.800617] BUG: KASAN: use-after-free in hci_send_acl+0x947/0xa30
[ 104.802209] Read of size 8 at addr ffff8881023fed18 by task kworker/u9:2/16208
[ 104.803769]
[ 104.804141] CPU: 1 PID: 16208 Comm: kworker/u9:2 Not tainted 5.4.118-rc1-syzk #1
[ 104.805738] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190213_084539-x86-ol7-builder-03.us.oracle.com-1.oci.el7 04/01/2014
[ 104.809735] Workqueue: hci0 hci_rx_work
[ 104.811394] Call Trace:
[ 104.825804] dump_stack+0xd4/0x119
[ 104.827555] ? hci_send_acl+0x947/0xa30
[ 104.828424] print_address_description.constprop.6+0x20/0x220
[ 104.829745] ? hci_send_acl+0x947/0xa30
[ 104.830610] ? hci_send_acl+0x947/0xa30
[ 104.831480] __kasan_report.cold.9+0x37/0x77
[ 104.832581] ? hci_send_acl+0x947/0xa30
[ 104.833420] kasan_report+0x14/0x20
[ 104.834206] __asan_report_load8_noabort+0x14/0x20
[ 104.835145] hci_send_acl+0x947/0xa30
[ 104.835867] ? __kmalloc_reserve.isra.54+0xf0/0xf0
[ 104.836813] ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 104.839089] l2cap_send_cmd+0x726/0x960
[ 104.840753] l2cap_send_move_chan_cfm_icid+0xae/0x110
[ 104.843036] ? l2cap_send_move_chan_rsp+0x1a0/0x1a0
[ 104.845255] ? l2cap_get_chan_by_scid+0x158/0x1c0
[ 104.847264] l2cap_sig_channel+0x2f3f/0x3cf0
[ 104.849131] ? l2cap_config_rsp+0x1220/0x1220
[ 104.850955] ? probe_sched_wakeup+0x7e/0x90
[ 104.852778] ? ttwu_do_wakeup+0x35a/0x4f0
[ 104.854493] ? hci_cmd_status_evt+0x4ec0/0x4ec0
[ 104.856410] ? __kasan_check_write+0x14/0x20
[ 104.858381] ? _raw_spin_lock_irqsave+0x8e/0xf0
[ 104.860429] ? _raw_write_lock_irqsave+0xe0/0xe0
[ 104.862386] ? __kasan_check_write+0x14/0x20
[ 104.864200] ? __mutex_lock.isra.5+0x486/0xaf0
[ 104.866108] ? try_to_wake_up+0xe0/0x1640
[ 104.867786] ? ww_mutex_lock_interruptible+0xf0/0xf0
[ 104.870011] ? migrate_swap_stop+0x950/0x950
[ 104.871814] l2cap_recv_frame+0x6f7/0xc60
[ 104.873603] ? l2cap_sig_channel+0x3cf0/0x3cf0
[ 104.875575] ? __mutex_unlock_slowpath.isra.16+0x1db/0x310
[ 104.877998] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 104.880202] ? hci_conn_enter_active_mode+0x179/0x360
[ 104.882466] ? __ww_mutex_check_waiters+0x220/0x220
[ 104.884529] l2cap_recv_acldata+0x924/0xa50
[ 104.885994] hci_rx_work+0x824/0x970
[ 104.887425] process_one_work+0x791/0x10b0
[ 104.889207] worker_thread+0x90/0xcf0
[ 104.890759] kthread+0x332/0x3f0
[ 104.892269] ? create_worker+0x5f0/0x5f0
[ 104.894132] ? kthread_parkme+0xb0/0xb0
[ 104.895774] ret_from_fork+0x22/0x40
[ 104.897513]
[ 104.898224] Allocated by task 16208:
[ 104.899856] save_stack+0x21/0x90
[ 104.901411] __kasan_kmalloc.constprop.11+0xc1/0xd0
[ 104.903538] kasan_kmalloc+0x9/0x10
[ 104.905124] kmem_cache_alloc_trace+0x113/0x270
[ 104.907061] hci_chan_create+0xb8/0x3e0
[ 104.908654] l2cap_conn_add.part.40+0x26/0xd50
[ 104.910623] l2cap_connect_cfm+0x9b3/0xfc0
[ 104.912532] hci_connect_cfm+0x9c/0x140
[ 104.914205] hci_event_packet+0x5f91/0xa150
[ 104.915981] hci_rx_work+0x48a/0x970
[ 104.917651] process_one_work+0x791/0x10b0
[ 104.919419] worker_thread+0x90/0xcf0
[ 104.921055] kthread+0x332/0x3f0
[ 104.922533] ret_from_fork+0x22/0x40
[ 104.924075]
[ 104.924708] Freed by task 16208:
[ 104.926182] save_stack+0x21/0x90
[ 104.927677] __kasan_slab_free+0x131/0x180
[ 104.929379] kasan_slab_free+0xe/0x10
[ 104.930990] kfree+0x98/0x270
[ 104.932194] hci_chan_del+0x161/0x210
[ 104.933805] amp_destroy_logical_link+0x29/0x60
[ 104.935817] hci_event_packet+0x1f56/0xa150
[ 104.937677] hci_rx_work+0x48a/0x970
[ 104.939162] process_one_work+0x791/0x10b0
[ 104.941092] worker_thread+0x90/0xcf0
[ 104.942816] kthread+0x332/0x3f0
[ 104.944241] ret_from_fork+0x22/0x40
[ 104.945839]
[ 104.946554] The buggy address belongs to the object at ffff8881023fed00
[ 104.946554] which belongs to the cache kmalloc-64 of size 64
[ 104.951778] The buggy address is located 24 bytes inside of
[ 104.951778] 64-byte region [ffff8881023fed00, ffff8881023fed40)
[ 104.956948] The buggy address belongs to the page:
[ 104.959184] page:ffffea000408ff80 refcount:1 mapcount:0 mapping:ffff888107c03600 index:0x0
[ 104.962973] flags: 0x17ffffc0000200(slab)
[ 104.964724] raw: 0017ffffc0000200 ffffea0004125b00 0000000a00000009 ffff888107c03600
[ 104.968106] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
[ 104.971453] page dumped because: kasan: bad access detected
[ 104.973813]
[ 104.974490] Memory state around the buggy address:
[ 104.976750] ffff8881023fec00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 104.979901] ffff8881023fec80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 104.983056] >ffff8881023fed00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 104.986316] ^
[ 104.988049] ffff8881023fed80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 104.991889] ffff8881023fee00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 104.995247]
==================================================================
Thank you,
George
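The KASAN report above can be triaged mechanically. The helper below is an added example, not part of George's mail or of the kernel tree: it pulls out the bug class, the faulting access, the offset into the freed object and the non-plumbing frames of the access, allocation and free stacks, so a stable-tree reviewer sees at a glance that the hci_chan allocated in hci_chan_create and freed via hci_chan_del is still reached from hci_send_acl. The input is a shortened excerpt of the report quoted above; `PLUMBING` and `parse_kasan` are this example's own names.

```python
import re

# Excerpt of the KASAN report quoted in the mail above, shortened but otherwise verbatim
# (two lines keep their dmesg timestamp to show that the parser strips them).
REPORT = """\
[  104.800617] BUG: KASAN: use-after-free in hci_send_acl+0x947/0xa30
[  104.802209] Read of size 8 at addr ffff8881023fed18 by task kworker/u9:2/16208
Call Trace:
 dump_stack+0xd4/0x119
 ? hci_send_acl+0x947/0xa30
 hci_send_acl+0x947/0xa30
 l2cap_send_cmd+0x726/0x960
Allocated by task 16208:
 save_stack+0x21/0x90
 hci_chan_create+0xb8/0x3e0
 l2cap_conn_add.part.40+0x26/0xd50
Freed by task 16208:
 kfree+0x98/0x270
 hci_chan_del+0x161/0x210
 amp_destroy_logical_link+0x29/0x60
The buggy address belongs to the object at ffff8881023fed00
 which belongs to the cache kmalloc-64 of size 64
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # dmesg "[  104.800617] " prefix
FRAME = re.compile(r"^\s*(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
# KASAN/allocator plumbing that appears in every report and says nothing about the subsystem.
PLUMBING = ("dump_stack", "kasan", "asan_report", "save_stack", "kmem_cache", "kmalloc", "kfree")

def parse_kasan(text):
    r = {"trace": [], "alloc": [], "free": []}
    dest = None  # which stack the frame lines currently belong to
    for raw in text.splitlines():
        line = TS.sub("", raw)
        if m := re.match(r"BUG: KASAN: (\S+) in (\w+)", line):
            r["bug"], r["func"] = m.group(1), m.group(2)
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", line):
            r["access"], r["size"], r["addr"] = m.group(1), int(m.group(2)), int(m.group(3), 16)
        elif m := re.search(r"object at ([0-9a-f]+)", line):
            r["object"] = int(m.group(1), 16)
        elif m := re.search(r"cache (\S+) of size (\d+)", line):
            r["cache"], r["obj_size"] = m.group(1), int(m.group(2))
        elif line.startswith(("Call Trace", "Allocated by", "Freed by")):
            dest = {"C": "trace", "A": "alloc", "F": "free"}[line[0]]
        elif dest and (m := FRAME.match(line)):
            if m.group(1) or any(p in m.group(2) for p in PLUMBING):
                continue  # '?' frames are unreliable guesses; plumbing frames are noise
            r[dest].append(m.group(2))
    r["offset"] = r["addr"] - r["object"]  # how far into the freed object the access landed
    return r
```

For this report the offset comes out as 24 bytes into a kmalloc-64 object, matching the "located 24 bytes inside of 64-byte region" line, and the free stack names amp_destroy_logical_link as the path that released the hci_chan.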