Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_connect (2)

From: syzbot
Date: Sun Sep 08 2024 - 04:52:09 EST

Next message: Tali Perry: "Re: [PATCH v2 6/7] i2c: npcm: use i2c frequency table"
Previous message: Christophe JAILLET: "[PATCH] regulator: da9211: Constify struct regulator_desc"
In reply to: Hillf Danton: "Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_connect (2)"
Next in thread: Hillf Danton: "Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_connect (2)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in hci_send_acl

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
CPU: 1 UID: 0 PID: 7269 Comm: kworker/u9:8 Not tainted 6.11.0-rc6-syzkaller-00326-gd1f2d51b711a-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Workqueue: hci2 hci_rx_work
RIP: 0010:hci_send_acl+0x35/0xd30 net/bluetooth/hci_core.c:3230
Code: 41 55 41 54 55 49 8d 6f 18 53 48 89 f3 48 83 ec 70 89 14 24 e8 1c 18 83 f7 48 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 bc 0b 00 00 49 8b 47 18 48 8d b8 e0 0f 00 00 48
RSP: 0018:ffffc9000ae676e0 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff888030adc500 RCX: ffffffff8a1303d4
RDX: 0000000000000003 RSI: ffffffff8a08b834 RDI: 0000000000000000
RBP: 0000000000000018 R08: 0000000000000001 R09: 0000000000000080
R10: 0000000000000001 R11: 0000000000000000 R12: ffff888011da0000
R13: 0000000000000002 R14: ffffc9000ae67880 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8880b8900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000080 CR3: 00000000781ba000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
l2cap_send_cmd+0x6e5/0x920 net/bluetooth/l2cap_core.c:973
l2cap_connect.constprop.0+0x6f7/0x1270 net/bluetooth/l2cap_core.c:4038
l2cap_connect_req net/bluetooth/l2cap_core.c:4084 [inline]
l2cap_bredr_sig_cmd net/bluetooth/l2cap_core.c:4776 [inline]
l2cap_sig_channel net/bluetooth/l2cap_core.c:5547 [inline]
l2cap_recv_frame+0xf0b/0x8eb0 net/bluetooth/l2cap_core.c:6829
l2cap_recv_acldata+0xd58/0xfd0 net/bluetooth/l2cap_core.c:7528
hci_acldata_packet net/bluetooth/hci_core.c:3791 [inline]
hci_rx_work+0xaab/0x1610 net/bluetooth/hci_core.c:4028
process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:hci_send_acl+0x35/0xd30 net/bluetooth/hci_core.c:3230
Code: 41 55 41 54 55 49 8d 6f 18 53 48 89 f3 48 83 ec 70 89 14 24 e8 1c 18 83 f7 48 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 bc 0b 00 00 49 8b 47 18 48 8d b8 e0 0f 00 00 48
RSP: 0018:ffffc9000ae676e0 EFLAGS: 00010206

RAX: dffffc0000000000 RBX: ffff888030adc500 RCX: ffffffff8a1303d4
RDX: 0000000000000003 RSI: ffffffff8a08b834 RDI: 0000000000000000
RBP: 0000000000000018 R08: 0000000000000001 R09: 0000000000000080
R10: 0000000000000001 R11: 0000000000000000 R12: ffff888011da0000
R13: 0000000000000002 R14: ffffc9000ae67880 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8880b8800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000080 CR3: 00000000781ba000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 41 55 push %r13
2: 41 54 push %r12
4: 55 push %rbp
5: 49 8d 6f 18 lea 0x18(%r15),%rbp
9: 53 push %rbx
a: 48 89 f3 mov %rsi,%rbx
d: 48 83 ec 70 sub $0x70,%rsp
11: 89 14 24 mov %edx,(%rsp)
14: e8 1c 18 83 f7 call 0xf7831835
19: 48 89 ea mov %rbp,%rdx
1c: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
23: fc ff df
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction
2e: 0f 85 bc 0b 00 00 jne 0xbf0
34: 49 8b 47 18 mov 0x18(%r15),%rax
38: 48 8d b8 e0 0f 00 00 lea 0xfe0(%rax),%rdi
3f: 48 rex.W

Tested on:

commit: d1f2d51b Merge tag 'clk-fixes-for-linus' of git://git...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13f51ffb980000
kernel config: https://syzkaller.appspot.com/x/.config?x=57042fe37c7ee7c2
dashboard link: https://syzkaller.appspot.com/bug?extid=c12e2f941af1feb5632c
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=11651ffb980000

Next message: Tali Perry: "Re: [PATCH v2 6/7] i2c: npcm: use i2c frequency table"
Previous message: Christophe JAILLET: "[PATCH] regulator: da9211: Constify struct regulator_desc"
In reply to: Hillf Danton: "Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_connect (2)"
Next in thread: Hillf Danton: "Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_connect (2)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]