Message ID | 20241002190452.3405592-1-luiz.dentz@gmail.com
---|---
State | New
Series | [v3] Bluetooth: SCO: Use disable_delayed_work_sync
#syz test On Wed, Oct 2, 2024 at 3:04 PM Luiz Augusto von Dentz <luiz.dentz@gmail.com> wrote: > > From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> > > This makes use of disable_delayed_work_sync instead of > cancel_delayed_work_sync as it not only cancels the ongoing work but also > disables new submissions, which is desirable since the object holding the work > is about to be freed. > > In addition to that, remove the call to sco_sock_set_timer on __sco_sock_close > since at that point it is useless to set a timer as the sk will be freed and > there is nothing to be done in sco_sock_timeout. > > Reported-by: syzbot+4c0d0c4cde787116d465@syzkaller.appspotmail.com > Closes: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465 > Fixes: ba316be1b6a0 ("Bluetooth: schedule SCO timeouts with delayed_work") > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> > --- > net/bluetooth/sco.c | 13 +------------ > 1 file changed, 1 insertion(+), 12 deletions(-) > > diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c > index a5ac160c592e..2b1e66976068 100644 > --- a/net/bluetooth/sco.c > +++ b/net/bluetooth/sco.c > @@ -208,7 +208,7 @@ static void sco_conn_del(struct hci_conn *hcon, int err) > } > > /* Ensure no more work items will run before freeing conn. */ > - cancel_delayed_work_sync(&conn->timeout_work); > + disable_delayed_work_sync(&conn->timeout_work); > > hcon->sco_data = NULL; > kfree(conn); > @@ -442,17 +442,6 @@ static void __sco_sock_close(struct sock *sk) > > case BT_CONNECTED: > case BT_CONFIG: > - if (sco_pi(sk)->conn->hcon) { > - sk->sk_state = BT_DISCONN; > - sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT); > - sco_conn_lock(sco_pi(sk)->conn); > - hci_conn_drop(sco_pi(sk)->conn->hcon); > - sco_pi(sk)->conn->hcon = NULL; > - sco_conn_unlock(sco_pi(sk)->conn); > - } else > - sco_chan_del(sk, ECONNRESET); > - break; > - > case BT_CONNECT2: > case BT_CONNECT: > case BT_DISCONN: > -- > 2.46.1 >
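Review bot: in the sco_conn_del() hunk, replacing cancel_delayed_work_sync() with disable_delayed_work_sync() on conn->timeout_work only protects conn, but the crash this is meant to close is sco_sock_timeout() doing sock_hold() on the sk (net/bluetooth/sco.c:92), and syzbot's re-test with this patch applied (the report below that carries a "patch:" link) still shows that sk allocated in sco_sock_alloc() and freed via sco_sock_release() -> __sk_destruct() while the work item is running. Please check whether the socket release path also has to disable the timer work before the sk can be freed, or whether the sk reference the work item relies on is held for as long as the work is pending; as posted, the work can still reach a freed sock. While here, the context comment "/* Ensure no more work items will run before freeing conn. */" should also say that the work can no longer be re-queued, since that is the behaviour this hunk adds over the old cancel.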
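Review bot: the __sco_sock_close() hunk removes the whole BT_CONNECTED/BT_CONFIG arm, not just the sco_sock_set_timer() call the commit message describes, so the description and the diff disagree. The deleted block also did hci_conn_drop(sco_pi(sk)->conn->hcon) and cleared hcon under sco_conn_lock(), and fell back to sco_chan_del(sk, ECONNRESET) when there was no hcon; after this change those states fall through to the BT_CONNECT2/BT_CONNECT/BT_DISCONN arm, whose body is outside the hunk context. Please either confirm that arm performs the equivalent hci_conn_drop() and channel teardown for a connected socket, or keep the drop/cleanup and delete only the "sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT);" line, and make the commit message match whichever is intended.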
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Write in sco_sock_timeout
==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: slab-use-after-free in atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
BUG: KASAN: slab-use-after-free in __refcount_add include/linux/refcount.h:184 [inline]
BUG: KASAN: slab-use-after-free in __refcount_inc include/linux/refcount.h:241 [inline]
BUG: KASAN: slab-use-after-free in refcount_inc include/linux/refcount.h:258 [inline]
BUG: KASAN: slab-use-after-free in sock_hold include/net/sock.h:781 [inline]
BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x8b/0x270 net/bluetooth/sco.c:92
Write of size 4 at addr ffff88807e2d5080 by task kworker/1:1/47
CPU: 1 UID: 0 PID: 47 Comm: kworker/1:1 Not tainted 6.12.0-rc1-syzkaller-ge32cde8d2bd7 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: events sco_sock_timeout
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
__refcount_add include/linux/refcount.h:184 [inline]
__refcount_inc include/linux/refcount.h:241 [inline]
refcount_inc include/linux/refcount.h:258 [inline]
sock_hold include/net/sock.h:781 [inline]
sco_sock_timeout+0x8b/0x270 net/bluetooth/sco.c:92
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f2/0x390 kernel/kthread.c:389
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Allocated by task 5759:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:257 [inline]
__do_kmalloc_node mm/slub.c:4265 [inline]
__kmalloc_noprof+0x1fc/0x400 mm/slub.c:4277
kmalloc_noprof include/linux/slab.h:882 [inline]
sk_prot_alloc+0xe0/0x210 net/core/sock.c:2164
sk_alloc+0x38/0x370 net/core/sock.c:2217
bt_sock_alloc+0x3c/0x340 net/bluetooth/af_bluetooth.c:148
sco_sock_alloc net/bluetooth/sco.c:500 [inline]
sco_sock_create+0xbb/0x390 net/bluetooth/sco.c:531
bt_sock_create+0x163/0x230 net/bluetooth/af_bluetooth.c:132
__sock_create+0x492/0x920 net/socket.c:1576
sock_create net/socket.c:1627 [inline]
__sys_socket_create net/socket.c:1664 [inline]
__sys_socket+0x150/0x3c0 net/socket.c:1711
__do_sys_socket net/socket.c:1725 [inline]
__se_sys_socket net/socket.c:1723 [inline]
__x64_sys_socket+0x7a/0x90 net/socket.c:1723
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 5760:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:2343 [inline]
slab_free mm/slub.c:4580 [inline]
kfree+0x1a0/0x440 mm/slub.c:4728
sk_prot_free net/core/sock.c:2200 [inline]
__sk_destruct+0x479/0x5f0 net/core/sock.c:2292
sco_sock_release+0x25e/0x320 net/bluetooth/sco.c:1259
__sock_release net/socket.c:658 [inline]
sock_close+0xbe/0x240 net/socket.c:1426
__fput+0x241/0x880 fs/file_table.c:431
task_work_run+0x251/0x310 kernel/task_work.c:228
get_signal+0x15e8/0x1740 kernel/signal.c:2690
arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0xc9/0x370 kernel/entry/common.c:218
do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff88807e2d5000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 128 bytes inside of
freed 2048-byte region [ffff88807e2d5000, ffff88807e2d5800)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7e2d0
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4533, tgid 4533 (acpid), ts 19751533769, free_ts 17515017965
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0x3045/0x3190 mm/page_alloc.c:3457
__alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4733
alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
alloc_slab_page+0x6a/0x120 mm/slub.c:2413
allocate_slab+0x5a/0x2f0 mm/slub.c:2579
new_slab mm/slub.c:2632 [inline]
___slab_alloc+0xcd1/0x14b0 mm/slub.c:3819
__slab_alloc+0x58/0xa0 mm/slub.c:3909
__slab_alloc_node mm/slub.c:3962 [inline]
slab_alloc_node mm/slub.c:4123 [inline]
__do_kmalloc_node mm/slub.c:4264 [inline]
__kmalloc_noprof+0x25a/0x400 mm/slub.c:4277
kmalloc_noprof include/linux/slab.h:882 [inline]
sk_prot_alloc+0xe0/0x210 net/core/sock.c:2164
sk_alloc+0x38/0x370 net/core/sock.c:2217
__netlink_create+0x65/0x260 net/netlink/af_netlink.c:646
netlink_create+0x3ab/0x560 net/netlink/af_netlink.c:704
__sock_create+0x492/0x920 net/socket.c:1576
sock_create net/socket.c:1627 [inline]
__sys_socket_create net/socket.c:1664 [inline]
__sys_socket+0x150/0x3c0 net/socket.c:1711
__do_sys_socket net/socket.c:1725 [inline]
__se_sys_socket net/socket.c:1723 [inline]
__x64_sys_socket+0x7a/0x90 net/socket.c:1723
page last free pid 1 tgid 1 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0xcfb/0xf20 mm/page_alloc.c:2638
free_contig_range+0x152/0x550 mm/page_alloc.c:6748
destroy_args+0x8a/0x840 mm/debug_vm_pgtable.c:1017
debug_vm_pgtable+0x4be/0x550 mm/debug_vm_pgtable.c:1397
do_one_initcall+0x24a/0x880 init/main.c:1269
do_initcall_level+0x157/0x210 init/main.c:1331
do_initcalls+0x3f/0x80 init/main.c:1347
kernel_init_freeable+0x435/0x5d0 init/main.c:1580
kernel_init+0x1d/0x2b0 init/main.c:1469
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Memory state around the buggy address:
ffff88807e2d4f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88807e2d5000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88807e2d5080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88807e2d5100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807e2d5180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: e32cde8d Merge tag 'sched_ext-for-6.12-rc1-fixes-1' of..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=174f23d0580000
kernel config: https://syzkaller.appspot.com/x/.config?x=5997f8b13c390e73
dashboard link: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Note: no patches were applied.
#syz test On Wed, Oct 2, 2024 at 3:19 PM Luiz Augusto von Dentz <luiz.dentz@gmail.com> wrote: > > #syz test > > [...] > > -- > Luiz Augusto von Dentz
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Write in sco_sock_timeout
==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: slab-use-after-free in atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
BUG: KASAN: slab-use-after-free in __refcount_add include/linux/refcount.h:184 [inline]
BUG: KASAN: slab-use-after-free in __refcount_inc include/linux/refcount.h:241 [inline]
BUG: KASAN: slab-use-after-free in refcount_inc include/linux/refcount.h:258 [inline]
BUG: KASAN: slab-use-after-free in sock_hold include/net/sock.h:781 [inline]
BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x8b/0x270 net/bluetooth/sco.c:92
Write of size 4 at addr ffff8881436fb080 by task kworker/0:3/1150
CPU: 0 UID: 0 PID: 1150 Comm: kworker/0:3 Not tainted 6.12.0-rc1-syzkaller-ge32cde8d2bd7-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: events sco_sock_timeout
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
__refcount_add include/linux/refcount.h:184 [inline]
__refcount_inc include/linux/refcount.h:241 [inline]
refcount_inc include/linux/refcount.h:258 [inline]
sock_hold include/net/sock.h:781 [inline]
sco_sock_timeout+0x8b/0x270 net/bluetooth/sco.c:92
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f2/0x390 kernel/kthread.c:389
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Allocated by task 5769:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:257 [inline]
__do_kmalloc_node mm/slub.c:4265 [inline]
__kmalloc_noprof+0x1fc/0x400 mm/slub.c:4277
kmalloc_noprof include/linux/slab.h:882 [inline]
sk_prot_alloc+0xe0/0x210 net/core/sock.c:2164
sk_alloc+0x38/0x370 net/core/sock.c:2217
bt_sock_alloc+0x3c/0x340 net/bluetooth/af_bluetooth.c:148
sco_sock_alloc net/bluetooth/sco.c:489 [inline]
sco_sock_create+0xbb/0x390 net/bluetooth/sco.c:520
bt_sock_create+0x163/0x230 net/bluetooth/af_bluetooth.c:132
__sock_create+0x492/0x920 net/socket.c:1576
sock_create net/socket.c:1627 [inline]
__sys_socket_create net/socket.c:1664 [inline]
__sys_socket+0x150/0x3c0 net/socket.c:1711
__do_sys_socket net/socket.c:1725 [inline]
__se_sys_socket net/socket.c:1723 [inline]
__x64_sys_socket+0x7a/0x90 net/socket.c:1723
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 5770:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:2343 [inline]
slab_free mm/slub.c:4580 [inline]
kfree+0x1a0/0x440 mm/slub.c:4728
sk_prot_free net/core/sock.c:2200 [inline]
__sk_destruct+0x479/0x5f0 net/core/sock.c:2292
sco_sock_release+0x25e/0x320 net/bluetooth/sco.c:1248
__sock_release net/socket.c:658 [inline]
sock_close+0xbe/0x240 net/socket.c:1426
__fput+0x241/0x880 fs/file_table.c:431
task_work_run+0x251/0x310 kernel/task_work.c:228
get_signal+0x15e8/0x1740 kernel/signal.c:2690
arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0xc9/0x370 kernel/entry/common.c:218
do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff8881436fb000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 128 bytes inside of
freed 2048-byte region [ffff8881436fb000, ffff8881436fb800)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1436f8
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0x57ff00000000040(head|node=1|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 2322085089, free_ts 0
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0x3045/0x3190 mm/page_alloc.c:3457
__alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4733
alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
alloc_slab_page+0x6a/0x120 mm/slub.c:2413
allocate_slab+0x5a/0x2f0 mm/slub.c:2579
new_slab mm/slub.c:2632 [inline]
___slab_alloc+0xcd1/0x14b0 mm/slub.c:3819
__slab_alloc+0x58/0xa0 mm/slub.c:3909
__slab_alloc_node mm/slub.c:3962 [inline]
slab_alloc_node mm/slub.c:4123 [inline]
__kmalloc_cache_noprof+0x1d5/0x2c0 mm/slub.c:4291
kmalloc_noprof include/linux/slab.h:878 [inline]
kzalloc_noprof include/linux/slab.h:1014 [inline]
acpi_add_single_object+0xe5/0x1e00 drivers/acpi/scan.c:1876
acpi_bus_check_add+0x32b/0x980 drivers/acpi/scan.c:2181
acpi_ns_walk_namespace+0x296/0x4f0
acpi_walk_namespace+0xeb/0x130 drivers/acpi/acpica/nsxfeval.c:606
acpi_bus_scan+0x4c1/0x560 drivers/acpi/scan.c:2595
acpi_scan_init+0x267/0x730 drivers/acpi/scan.c:2747
acpi_init+0x159/0x240 drivers/acpi/bus.c:1466
page_owner free stack trace missing
Memory state around the buggy address:
ffff8881436faf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8881436fb000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881436fb080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881436fb100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881436fb180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: e32cde8d Merge tag 'sched_ext-for-6.12-rc1-fixes-1' of..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13299927980000
kernel config: https://syzkaller.appspot.com/x/.config?x=5997f8b13c390e73
dashboard link: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=121f23d0580000
#syz test On Wed, Oct 2, 2024 at 3:46 PM Luiz Augusto von Dentz <luiz.dentz@gmail.com> wrote: > > #syz test > > [...] > > -- > Luiz Augusto von Dentz
#syz test On Wed, Oct 2, 2024 at 4:46 PM Luiz Augusto von Dentz <luiz.dentz@gmail.com> wrote: > > #syz test > > [...] > > -- > Luiz Augusto von Dentz
#syz test On Thu, Oct 3, 2024 at 11:38 AM Luiz Augusto von Dentz <luiz.dentz@gmail.com> wrote: > > #syz test > > [...] > > -- > Luiz Augusto von Dentz
#syz test On Thu, Oct 3, 2024 at 12:32 PM Luiz Augusto von Dentz <luiz.dentz@gmail.com> wrote: > > #syz test > > [...] > > -- > Luiz Augusto von Dentz
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Write in sco_sock_timeout
==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: slab-use-after-free in atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
BUG: KASAN: slab-use-after-free in __refcount_add include/linux/refcount.h:184 [inline]
BUG: KASAN: slab-use-after-free in __refcount_inc include/linux/refcount.h:241 [inline]
BUG: KASAN: slab-use-after-free in refcount_inc include/linux/refcount.h:258 [inline]
BUG: KASAN: slab-use-after-free in sock_hold include/net/sock.h:781 [inline]
BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x8b/0x270 net/bluetooth/sco.c:92
Write of size 4 at addr ffff88802639a080 by task kworker/1:2/1808
CPU: 1 UID: 0 PID: 1808 Comm: kworker/1:2 Not tainted 6.12.0-rc1-syzkaller-00113-g8c245fe7dde3-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: events sco_sock_timeout
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
__refcount_add include/linux/refcount.h:184 [inline]
__refcount_inc include/linux/refcount.h:241 [inline]
refcount_inc include/linux/refcount.h:258 [inline]
sock_hold include/net/sock.h:781 [inline]
sco_sock_timeout+0x8b/0x270 net/bluetooth/sco.c:92
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f2/0x390 kernel/kthread.c:389
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Allocated by task 25:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:257 [inline]
__do_kmalloc_node mm/slub.c:4265 [inline]
__kmalloc_node_track_caller_noprof+0x225/0x440 mm/slub.c:4284
kmalloc_reserve+0x111/0x2a0 net/core/skbuff.c:609
__alloc_skb+0x1f3/0x440 net/core/skbuff.c:678
alloc_skb include/linux/skbuff.h:1322 [inline]
nsim_dev_trap_skb_build drivers/net/netdevsim/dev.c:748 [inline]
nsim_dev_trap_report drivers/net/netdevsim/dev.c:805 [inline]
nsim_dev_trap_report_work+0x254/0xaa0 drivers/net/netdevsim/dev.c:850
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f2/0x390 kernel/kthread.c:389
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Freed by task 25:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:2343 [inline]
slab_free mm/slub.c:4580 [inline]
kfree+0x1a0/0x440 mm/slub.c:4728
skb_kfree_head net/core/skbuff.c:1086 [inline]
skb_free_head net/core/skbuff.c:1098 [inline]
skb_release_data+0x6a0/0x8a0 net/core/skbuff.c:1125
skb_release_all net/core/skbuff.c:1190 [inline]
__kfree_skb net/core/skbuff.c:1204 [inline]
consume_skb+0x9f/0xf0 net/core/skbuff.c:1436
nsim_dev_trap_report drivers/net/netdevsim/dev.c:821 [inline]
nsim_dev_trap_report_work+0x765/0xaa0 drivers/net/netdevsim/dev.c:850
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f2/0x390 kernel/kthread.c:389
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
The buggy address belongs to the object at ffff88802639a000
which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 128 bytes inside of
freed 4096-byte region [ffff88802639a000, ffff88802639b000)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x26398
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff888015442140 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000040004 00000001f5000000 0000000000000000
head: 00fff00000000040 ffff888015442140 dead000000000122 0000000000000000
head: 0000000000000000 0000000000040004 00000001f5000000 0000000000000000
head: 00fff00000000003 ffffea000098e601 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5398, tgid 5398 (udevd), ts 123333990998, free_ts 123322335448
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0x3045/0x3190 mm/page_alloc.c:3457
__alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4733
alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
alloc_slab_page+0x6a/0x120 mm/slub.c:2413
allocate_slab+0x5a/0x2f0 mm/slub.c:2579
new_slab mm/slub.c:2632 [inline]
___slab_alloc+0xcd1/0x14b0 mm/slub.c:3819
__slab_alloc+0x58/0xa0 mm/slub.c:3909
__slab_alloc_node mm/slub.c:3962 [inline]
slab_alloc_node mm/slub.c:4123 [inline]
__do_kmalloc_node mm/slub.c:4264 [inline]
__kmalloc_noprof+0x25a/0x400 mm/slub.c:4277
kmalloc_noprof include/linux/slab.h:882 [inline]
tomoyo_realpath_from_path+0xcf/0x5e0 security/tomoyo/realpath.c:251
tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
tomoyo_path2_perm+0x3eb/0xbb0 security/tomoyo/file.c:923
tomoyo_path_rename+0x198/0x1e0 security/tomoyo/hooks.h:274
security_path_rename+0x266/0x4e0 security/security.c:2020
do_renameat2+0x94a/0x13f0 fs/namei.c:5157
__do_sys_rename fs/namei.c:5217 [inline]
__se_sys_rename fs/namei.c:5215 [inline]
__x64_sys_rename+0x82/0x90 fs/namei.c:5215
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
page last free pid 4548 tgid 4548 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0xcfb/0xf20 mm/page_alloc.c:2638
__slab_free+0x31b/0x3d0 mm/slub.c:4491
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x9a/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:247 [inline]
slab_post_alloc_hook mm/slub.c:4086 [inline]
slab_alloc_node mm/slub.c:4135 [inline]
__do_kmalloc_node mm/slub.c:4264 [inline]
__kmalloc_noprof+0x1a6/0x400 mm/slub.c:4277
kmalloc_noprof include/linux/slab.h:882 [inline]
tomoyo_realpath_from_path+0xcf/0x5e0 security/tomoyo/realpath.c:251
tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
tomoyo_path_perm+0x2b7/0x740 security/tomoyo/file.c:822
security_inode_getattr+0x130/0x330 security/security.c:2371
vfs_getattr+0x45/0x430 fs/stat.c:204
vfs_fstat fs/stat.c:229 [inline]
vfs_fstatat+0xe4/0x190 fs/stat.c:338
__do_sys_newfstatat fs/stat.c:505 [inline]
__se_sys_newfstatat fs/stat.c:499 [inline]
__x64_sys_newfstatat+0x11d/0x1a0 fs/stat.c:499
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff888026399f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88802639a000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88802639a080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88802639a100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88802639a180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: 8c245fe7 Merge tag 'net-6.12-rc2' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13156307980000
kernel config: https://syzkaller.appspot.com/x/.config?x=d0ca089c3fc6b54e
dashboard link: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=17377580580000
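The report above is the kind of thing a triager reads dozens of times, and the next reply in this thread makes the point that matters most when reading it: the bad access is in sock_hold() on a socket, but the allocation and free stacks belong to skb handling in netdevsim, so the stacks describe whoever last owned that slab slot, not the object the SCO code thinks it still holds. As an added example (this is my own code, not syzbot's, the kernel's, or anything from the thread), here is a small parser that pulls the access site, the owner frames of the alloc/free stacks, the cache and the offset out of a KASAN report and applies that same consistency check. The embedded report is an excerpt of the one above with the stacks shortened; the `PLUMBING` prefix list and the `recycled_slot_suspected` heuristic are my assumptions, not anything KASAN itself reports.

```python
"""Triage helper for a KASAN slab-use-after-free report: who did the bad
access, who allocated and freed the slab object, and whether those two
sides belong to the same subsystem at all."""
import re
from dataclasses import dataclass, field

# Excerpt of the syzbot report quoted in this thread (stacks shortened; the
# page_owner and memory-state sections are not needed for triage).
SAMPLE_REPORT = """\
BUG: KASAN: slab-use-after-free in refcount_inc include/linux/refcount.h:258 [inline]
BUG: KASAN: slab-use-after-free in sock_hold include/net/sock.h:781 [inline]
BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x8b/0x270 net/bluetooth/sco.c:92
Write of size 4 at addr ffff88802639a080 by task kworker/1:2/1808
Allocated by task 25:
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
kmalloc_reserve+0x111/0x2a0 net/core/skbuff.c:609
__alloc_skb+0x1f3/0x440 net/core/skbuff.c:678
nsim_dev_trap_report_work+0x254/0xaa0 drivers/net/netdevsim/dev.c:850
Freed by task 25:
kfree+0x1a0/0x440 mm/slub.c:4728
skb_free_head net/core/skbuff.c:1098 [inline]
consume_skb+0x9f/0xf0 net/core/skbuff.c:1436
nsim_dev_trap_report_work+0x765/0xaa0 drivers/net/netdevsim/dev.c:850
The buggy address belongs to the object at ffff88802639a000
which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 128 bytes inside of
freed 4096-byte region [ffff88802639a000, ffff88802639b000)
"""

FRAME_RE = re.compile(r"^(?P<sym>[A-Za-z_][\w.]*)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)? (?P<path>[\w./-]+):(?P<line>\d+)(?: \[inline\])?$")
BUG_RE = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in (?P<frame>.+)$")
ACCESS_RE = re.compile(r"^(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)$")
CACHE_RE = re.compile(r"^which belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)$")
OFFSET_RE = re.compile(r"^The buggy address is located (?P<off>\d+) bytes inside of$")
# Allocator, KASAN, scheduler and arch frames say nothing about who owns the
# object, so they are skipped when attributing a stack (assumed prefix list).
PLUMBING = ("mm/", "include/linux/", "kernel/", "arch/", "lib/")


@dataclass
class Frame:
    symbol: str
    path: str
    line: int

    @property
    def subsystem(self) -> str:
        parts = self.path.split("/")   # net/bluetooth/sco.c -> net/bluetooth
        return "/".join(parts[:2]) if len(parts) > 2 else parts[0]


@dataclass
class KasanReport:
    kind: str
    op: str
    size: int
    addr: int
    task: str
    access: Frame                 # outermost frame named in the BUG header
    alloc_stack: list = field(default_factory=list)
    free_stack: list = field(default_factory=list)
    cache: str = ""
    offset: int = -1


def parse_frame(line):
    m = FRAME_RE.match(line)
    return Frame(m["sym"], m["path"], int(m["line"])) if m else None


def parse_kasan_report(text: str) -> KasanReport:
    rep, section, kind, access = None, None, "unknown", None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := BUG_RE.match(line):
            # BUG lines run from innermost inlined helper outward; keep the last
            kind, access = m["kind"], parse_frame(m["frame"]) or access
        elif m := ACCESS_RE.match(line):
            if access is None:
                raise ValueError("access line without a BUG header")
            rep = KasanReport(kind, m["op"], int(m["size"]), int(m["addr"], 16), m["task"], access)
        elif rep is None:
            continue                  # nothing to attach section data to yet
        elif line.startswith(("Allocated by task ", "Freed by task ")):
            section = line.split()[0].lower()        # "allocated" / "freed"
        elif line.startswith("The buggy address belongs to the object"):
            section = "object"        # page_owner stacks after this are ignored
        elif section == "object":
            if m := CACHE_RE.match(line):
                rep.cache = m["cache"]
            elif m := OFFSET_RE.match(line):
                rep.offset = int(m["off"])
        elif section in ("allocated", "freed") and (f := parse_frame(line)):
            (rep.alloc_stack if section == "allocated" else rep.free_stack).append(f)
    if rep is None:
        raise ValueError("no KASAN access line found")
    return rep


def owner_frames(stack):
    return [f for f in stack if not f.path.startswith(PLUMBING)]


def recycled_slot_suspected(rep: KasanReport) -> bool:
    """Heuristic: KASAN shows the latest owner of the slab slot. If neither
    lifetime stack touches the accessor's subsystem, the slot was probably
    freed and reused by unrelated code, so these stacks are not the real bug."""
    seen = {f.subsystem for f in owner_frames(rep.alloc_stack) + owner_frames(rep.free_stack)}
    return rep.access.subsystem not in seen
```

`parse_kasan_report` deliberately stops collecting frames at the object description, because the page_owner stacks that follow describe the backing page, not the object, and would otherwise pollute the owner attribution. When `recycled_slot_suspected` comes back true, the useful next step is the one the thread takes: treat the alloc/free stacks as noise and look for an earlier free of the accessing subsystem's own object.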
On Thu, Oct 3, 2024 at 3:44 PM syzbot <syzbot+4c0d0c4cde787116d465@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> KASAN: slab-use-after-free Write in sco_sock_timeout
>
> ==================================================================
> BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
> BUG: KASAN: slab-use-after-free in atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
> BUG: KASAN: slab-use-after-free in __refcount_add include/linux/refcount.h:184 [inline]
> BUG: KASAN: slab-use-after-free in __refcount_inc include/linux/refcount.h:241 [inline]
> BUG: KASAN: slab-use-after-free in refcount_inc include/linux/refcount.h:258 [inline]
> BUG: KASAN: slab-use-after-free in sock_hold include/net/sock.h:781 [inline]
> BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x8b/0x270 net/bluetooth/sco.c:92
> Write of size 4 at addr ffff88802639a080 by task kworker/1:2/1808

This really doesn't make much sense; it seems this is catching a UAF on sock_hold, but the backtrace shows it was freed with skb_free. Even if the memory was reclaimed and then reallocated, that would just make it more difficult to find out why this is happening.
#syz test

On Thu, Oct 3, 2024 at 3:21 PM Luiz Augusto von Dentz <luiz.dentz@gmail.com> wrote:
>
> #syz test
#syz test

On Fri, Oct 4, 2024 at 12:06 PM Luiz Augusto von Dentz <luiz.dentz@gmail.com> wrote:
>
> #syz test
#syz test

On Fri, Oct 4, 2024 at 1:24 PM Luiz Augusto von Dentz <luiz.dentz@gmail.com> wrote:
>
> #syz test
#syz test On Mon, Oct 7, 2024 at 1:16 PM Luiz Augusto von Dentz <luiz.dentz@gmail.com> wrote: > > #syz test > > On Fri, Oct 4, 2024 at 1:24 PM Luiz Augusto von Dentz > <luiz.dentz@gmail.com> wrote: > > > > #syz test > > > > On Fri, Oct 4, 2024 at 12:06 PM Luiz Augusto von Dentz > > <luiz.dentz@gmail.com> wrote: > > > > > > #syz test > > > > > > On Thu, Oct 3, 2024 at 3:21 PM Luiz Augusto von Dentz > > > <luiz.dentz@gmail.com> wrote: > > > > > > > > #syz test > > > > > > > > On Thu, Oct 3, 2024 at 12:32 PM Luiz Augusto von Dentz > > > > <luiz.dentz@gmail.com> wrote: > > > > > > > > > > #syz test > > > > > > > > > > On Thu, Oct 3, 2024 at 11:38 AM Luiz Augusto von Dentz > > > > > <luiz.dentz@gmail.com> wrote: > > > > > > > > > > > > #syz test > > > > > > > > > > > > On Wed, Oct 2, 2024 at 4:46 PM Luiz Augusto von Dentz > > > > > > <luiz.dentz@gmail.com> wrote: > > > > > > > > > > > > > > #syz test > > > > > > > > > > > > > > On Wed, Oct 2, 2024 at 3:46 PM Luiz Augusto von Dentz > > > > > > > <luiz.dentz@gmail.com> wrote: > > > > > > > > > > > > > > > > #syz test > > > > > > > > > > > > > > > > On Wed, Oct 2, 2024 at 3:19 PM Luiz Augusto von Dentz > > > > > > > > <luiz.dentz@gmail.com> wrote: > > > > > > > > > > > > > > > > > > #syz test > > > > > > > > > > > > > > > > > > On Wed, Oct 2, 2024 at 3:04 PM Luiz Augusto von Dentz > > > > > > > > > <luiz.dentz@gmail.com> wrote: > > > > > > > > > > 
#syz test

On Mon, Oct 7, 2024 at 4:54 PM Luiz Augusto von Dentz <luiz.dentz@gmail.com> wrote:
> #syz test
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Write in sco_conn_del
==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: slab-use-after-free in atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
BUG: KASAN: slab-use-after-free in __refcount_add include/linux/refcount.h:184 [inline]
BUG: KASAN: slab-use-after-free in __refcount_inc include/linux/refcount.h:241 [inline]
BUG: KASAN: slab-use-after-free in refcount_inc include/linux/refcount.h:258 [inline]
BUG: KASAN: slab-use-after-free in sock_hold include/net/sock.h:781 [inline]
BUG: KASAN: slab-use-after-free in sco_conn_del+0xa5/0x310 net/bluetooth/sco.c:220
Write of size 4 at addr ffff88807bd72080 by task syz-executor.0/5406
CPU: 0 UID: 0 PID: 5406 Comm: syz-executor.0 Not tainted 6.12.0-rc4-syzkaller-gc2ee9f594da8-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
__refcount_add include/linux/refcount.h:184 [inline]
__refcount_inc include/linux/refcount.h:241 [inline]
refcount_inc include/linux/refcount.h:258 [inline]
sock_hold include/net/sock.h:781 [inline]
sco_conn_del+0xa5/0x310 net/bluetooth/sco.c:220
hci_disconn_cfm include/net/bluetooth/hci_core.h:1975 [inline]
hci_conn_hash_flush+0x101/0x240 net/bluetooth/hci_conn.c:2592
hci_dev_close_sync+0x9ef/0x11a0 net/bluetooth/hci_sync.c:5195
hci_dev_do_close net/bluetooth/hci_core.c:483 [inline]
hci_unregister_dev+0x20b/0x510 net/bluetooth/hci_core.c:2698
vhci_release+0x80/0xd0 drivers/bluetooth/hci_vhci.c:664
__fput+0x241/0x880 fs/file_table.c:431
task_work_run+0x251/0x310 kernel/task_work.c:239
exit_task_work include/linux/task_work.h:43 [inline]
do_exit+0xa2f/0x28e0 kernel/exit.c:939
do_group_exit+0x207/0x2c0 kernel/exit.c:1088
__do_sys_exit_group kernel/exit.c:1099 [inline]
__se_sys_exit_group kernel/exit.c:1097 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097
x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f018087de69
Code: Unable to access opcode bytes at 0x7f018087de3f.
RSP: 002b:00007fffa31fb468 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f018087de69
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000043
RBP: 00007f01808ca45b R08: 00007fffa31f9207 R09: 000000000006d03d
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000006
R13: 000000000006d03d R14: 000000000006ccf5 R15: 0000000000000004
</TASK>
Allocated by task 5400:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
unpoison_slab_object mm/kasan/common.c:319 [inline]
__kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:345
kasan_slab_alloc include/linux/kasan.h:247 [inline]
slab_post_alloc_hook mm/slub.c:4085 [inline]
slab_alloc_node mm/slub.c:4134 [inline]
kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4141
getname_flags+0xb7/0x540 fs/namei.c:139
getname fs/namei.c:225 [inline]
__do_sys_unlink fs/namei.c:4581 [inline]
__se_sys_unlink fs/namei.c:4579 [inline]
__x64_sys_unlink+0x3a/0x50 fs/namei.c:4579
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 5400:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:2342 [inline]
slab_free mm/slub.c:4579 [inline]
kmem_cache_free+0x1a2/0x420 mm/slub.c:4681
do_unlinkat+0x7b0/0x830 fs/namei.c:4556
__do_sys_unlink fs/namei.c:4581 [inline]
__se_sys_unlink fs/namei.c:4579 [inline]
__x64_sys_unlink+0x47/0x50 fs/namei.c:4579
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff88807bd71100
which belongs to the cache names_cache of size 4096
The buggy address is located 3968 bytes inside of
freed 4096-byte region [ffff88807bd71100, ffff88807bd72100)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7bd70
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff8880162f4780 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000070007 00000001f5000000 0000000000000000
head: 00fff00000000040 ffff8880162f4780 dead000000000122 0000000000000000
head: 0000000000000000 0000000000070007 00000001f5000000 0000000000000000
head: 00fff00000000003 ffffea0001ef5c01 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5400, tgid 5400 (udevd), ts 432009536360, free_ts 431999575653
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0x3045/0x3190 mm/page_alloc.c:3457
__alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4733
alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
alloc_slab_page+0x6a/0x120 mm/slub.c:2412
allocate_slab+0x5a/0x2f0 mm/slub.c:2578
new_slab mm/slub.c:2631 [inline]
___slab_alloc+0xcd1/0x14b0 mm/slub.c:3818
__slab_alloc+0x58/0xa0 mm/slub.c:3908
__slab_alloc_node mm/slub.c:3961 [inline]
slab_alloc_node mm/slub.c:4122 [inline]
kmem_cache_alloc_noprof+0x1c1/0x2a0 mm/slub.c:4141
getname_flags+0xb7/0x540 fs/namei.c:139
vfs_fstatat+0x12c/0x190 fs/stat.c:340
__do_sys_newfstatat fs/stat.c:505 [inline]
__se_sys_newfstatat fs/stat.c:499 [inline]
__x64_sys_newfstatat+0x11d/0x1a0 fs/stat.c:499
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 4552 tgid 4552 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0xcfb/0xf20 mm/page_alloc.c:2638
discard_slab mm/slub.c:2677 [inline]
__put_partials+0xeb/0x130 mm/slub.c:3145
put_cpu_partial+0x17c/0x250 mm/slub.c:3220
__slab_free+0x2ea/0x3d0 mm/slub.c:4449
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x9a/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:247 [inline]
slab_post_alloc_hook mm/slub.c:4085 [inline]
slab_alloc_node mm/slub.c:4134 [inline]
__do_kmalloc_node mm/slub.c:4263 [inline]
__kmalloc_noprof+0x1a6/0x400 mm/slub.c:4276
kmalloc_noprof include/linux/slab.h:882 [inline]
tomoyo_realpath_from_path+0xcf/0x5e0 security/tomoyo/realpath.c:251
tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
tomoyo_path_perm+0x2b7/0x740 security/tomoyo/file.c:822
security_inode_getattr+0x130/0x330 security/security.c:2373
vfs_getattr+0x45/0x430 fs/stat.c:204
vfs_fstat fs/stat.c:229 [inline]
vfs_fstatat+0xe4/0x190 fs/stat.c:338
__do_sys_newfstatat fs/stat.c:505 [inline]
__se_sys_newfstatat fs/stat.c:499 [inline]
__x64_sys_newfstatat+0x11d/0x1a0 fs/stat.c:499
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff88807bd71f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807bd72000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88807bd72080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88807bd72100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88807bd72180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Tested on:
commit: c2ee9f59 KVM: selftests: Fix build on on non-x86 archi..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=103ff430580000
kernel config: https://syzkaller.appspot.com/x/.config?x=346c6d758171538d
dashboard link: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=13264a5f980000
#syz test

On Tue, Oct 22, 2024 at 12:44 PM Luiz Augusto von Dentz <luiz.dentz@gmail.com> wrote:
> #syz test
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c index a5ac160c592e..2b1e66976068 100644 --- a/net/bluetooth/sco.c +++ b/net/bluetooth/sco.c @@ -208,7 +208,7 @@ static void sco_conn_del(struct hci_conn *hcon, int err) } /* Ensure no more work items will run before freeing conn. */ - cancel_delayed_work_sync(&conn->timeout_work); + disable_delayed_work_sync(&conn->timeout_work); hcon->sco_data = NULL; kfree(conn); @@ -442,17 +442,6 @@ static void __sco_sock_close(struct sock *sk) case BT_CONNECTED: case BT_CONFIG: - if (sco_pi(sk)->conn->hcon) { - sk->sk_state = BT_DISCONN; - sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT); - sco_conn_lock(sco_pi(sk)->conn); - hci_conn_drop(sco_pi(sk)->conn->hcon); - sco_pi(sk)->conn->hcon = NULL; - sco_conn_unlock(sco_pi(sk)->conn); - } else - sco_chan_del(sk, ECONNRESET); - break; - case BT_CONNECT2: case BT_CONNECT: case BT_DISCONN:
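Review bot: the sco_conn_del() hunk only swaps cancel_delayed_work_sync() for disable_delayed_work_sync() on conn->timeout_work, yet syzbot's run of this exact patch (report above) still hits a slab-use-after-free in sco_conn_del() at net/bluetooth/sco.c:220, inside sock_hold(), a few lines below this hunk; the socket that conn points at has already been freed and its memory reused (the report places the address inside a freed names_cache object), so disabling the work item does not cover that socket's lifetime. The reference sco_conn_del() takes on the socket needs its own protection (for instance taking it under sco_conn_lock() after checking the pointer is still set, and clearing it when the socket goes away) before this change can claim to close the report. Second point, same hunk: disable_delayed_work_sync() only exists in v6.11 and later, while the Fixes: tag points at ba316be1b6a0, so a stable backport will not build on older trees without falling back to `cancel_delayed_work_sync(&conn->timeout_work);`.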
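Review bot: the __sco_sock_close() hunk deletes the whole BT_CONNECTED/BT_CONFIG block rather than only the sco_sock_set_timer() call the commit message describes, so the `hci_conn_drop(sco_pi(sk)->conn->hcon);` under the sco_conn_lock()/sco_conn_unlock() pair, the `sk->sk_state = BT_DISCONN;` transition and the `else sco_chan_del(sk, ECONNRESET);` branch all disappear, and those two states now fall through into the BT_CONNECT2/BT_CONNECT/BT_DISCONN case whose body is outside the visible context. Either state in the description that the fall-through path drops the hci_conn reference held for a connected SCO link (otherwise that reference leaks and the controller link is never torn down) and handles the no-hcon case, or keep the block and delete only the timer line.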