| Title | Replies (including bot) | Last reply |
|---|---|---|
| [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_sock_new_connection_cb | 0 (1) | 2024/10/21 08:46 |
syzbot |
sign-in | mailing list | source | docs |
| Title | Replies (including bot) | Last reply |
|---|---|---|
| [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_sock_new_connection_cb | 0 (1) | 2024/10/21 08:46 |
kobject: kobject_add_internal failed for hci4:201 with -EEXIST, don't try to register things with the same name in the same directory. Bluetooth: hci4: failed to register connection device ================================================================== BUG: KASAN: slab-use-after-free in l2cap_sock_new_connection_cb+0x1f9/0x2b0 net/bluetooth/l2cap_sock.c:1497 Read of size 8 at addr ffff8880487cd588 by task kworker/u9:1/14723 CPU: 0 UID: 0 PID: 14723 Comm: kworker/u9:1 Not tainted 6.15.0-rc6-syzkaller-00052-g9f35e33144ae #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Workqueue: hci4 hci_rx_work Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xb4/0x290 mm/kasan/report.c:521 kasan_report+0x118/0x150 mm/kasan/report.c:634 l2cap_sock_new_connection_cb+0x1f9/0x2b0 net/bluetooth/l2cap_sock.c:1497 l2cap_connect_cfm+0x37a/0x1040 net/bluetooth/l2cap_core.c:7262 hci_connect_cfm+0x95/0x140 include/net/bluetooth/hci_core.h:2052 le_conn_complete_evt+0xcd3/0x1220 net/bluetooth/hci_event.c:5779 hci_le_conn_complete_evt+0x187/0x450 net/bluetooth/hci_event.c:5805 hci_event_func net/bluetooth/hci_event.c:7483 [inline] hci_event_packet+0x7a5/0x1270 net/bluetooth/hci_event.c:7538 hci_rx_work+0x46a/0xe80 net/bluetooth/hci_core.c:4020 process_one_work kernel/workqueue.c:3238 [inline] process_scheduled_works+0xade/0x17a0 kernel/workqueue.c:3319 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400 kthread+0x711/0x8a0 kernel/kthread.c:464 ret_from_fork+0x4e/0x80 arch/x86/kernel/process.c:153 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> Allocated by task 14723: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4327 [inline] __kmalloc_noprof+0x27a/0x4f0 mm/slub.c:4339 kmalloc_noprof include/linux/slab.h:909 [inline] sk_prot_alloc+0xe7/0x220 net/core/sock.c:2198 sk_alloc+0x3a/0x370 net/core/sock.c:2254 bt_sock_alloc+0x3b/0x310 net/bluetooth/af_bluetooth.c:148 l2cap_sock_alloc net/bluetooth/l2cap_sock.c:1891 [inline] l2cap_sock_new_connection_cb+0xe2/0x2b0 net/bluetooth/l2cap_sock.c:1482 l2cap_connect_cfm+0x37a/0x1040 net/bluetooth/l2cap_core.c:7262 hci_connect_cfm+0x95/0x140 include/net/bluetooth/hci_core.h:2052 le_conn_complete_evt+0xcd3/0x1220 net/bluetooth/hci_event.c:5779 hci_le_conn_complete_evt+0x187/0x450 net/bluetooth/hci_event.c:5805 hci_event_func net/bluetooth/hci_event.c:7483 [inline] hci_event_packet+0x7a5/0x1270 net/bluetooth/hci_event.c:7538 hci_rx_work+0x46a/0xe80 net/bluetooth/hci_core.c:4020 process_one_work kernel/workqueue.c:3238 [inline] process_scheduled_works+0xade/0x17a0 kernel/workqueue.c:3319 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400 kthread+0x711/0x8a0 kernel/kthread.c:464 ret_from_fork+0x4e/0x80 arch/x86/kernel/process.c:153 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Freed by task 19331: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2380 [inline] slab_free mm/slub.c:4642 [inline] kfree+0x193/0x440 mm/slub.c:4841 sk_prot_free net/core/sock.c:2237 [inline] __sk_destruct+0x4e1/0x660 net/core/sock.c:2332 l2cap_sock_cleanup_listen+0xda/0x3e0 net/bluetooth/l2cap_sock.c:1462 l2cap_sock_release+0x5d/0x1d0 net/bluetooth/l2cap_sock.c:1425 __sock_release net/socket.c:647 [inline] sock_close+0xc3/0x240 net/socket.c:1391 __fput+0x44c/0xa70 fs/file_table.c:465 task_work_run+0x1d4/0x260 kernel/task_work.c:227 get_signal+0x11c5/0x1310 kernel/signal.c:2807 arch_do_signal_or_restart+0x95/0x780 arch/x86/kernel/signal.c:337 exit_to_user_mode_loop kernel/entry/common.c:111 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0x8b/0x120 kernel/entry/common.c:218 do_syscall_64+0x103/0x210 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff8880487cd000 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 1416 bytes inside of freed 2048-byte region [ffff8880487cd000, ffff8880487cd800) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x487c8 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) page_type: f5(slab) raw: 00fff00000000040 ffff88801a042000 ffffea00015a8e00 dead000000000002 raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000 head: 00fff00000000040 ffff88801a042000 ffffea00015a8e00 dead000000000002 head: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000 head: 00fff00000000003 ffffea000121f201 00000000ffffffff 00000000ffffffff head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 10252, tgid 10252 (syz-executor), ts 614267498765, free_ts 613780614906 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1d8/0x230 mm/page_alloc.c:1718 prep_new_page mm/page_alloc.c:1726 [inline] get_page_from_freelist+0x21ce/0x22b0 mm/page_alloc.c:3688 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:4970 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2301 alloc_slab_page mm/slub.c:2450 [inline] allocate_slab+0x8a/0x3b0 mm/slub.c:2618 new_slab mm/slub.c:2672 [inline] ___slab_alloc+0xbfc/0x1480 mm/slub.c:3858 __slab_alloc mm/slub.c:3948 [inline] __slab_alloc_node mm/slub.c:4023 [inline] slab_alloc_node mm/slub.c:4184 [inline] __do_kmalloc_node mm/slub.c:4326 [inline] __kmalloc_node_track_caller_noprof+0x2f8/0x4e0 mm/slub.c:4346 kmalloc_reserve+0x136/0x290 net/core/skbuff.c:599 pskb_expand_head+0x18f/0x1290 net/core/skbuff.c:2247 netlink_trim+0x1d5/0x2e0 net/netlink/af_netlink.c:1295 netlink_broadcast_filtered+0x80/0x1140 net/netlink/af_netlink.c:1501 nlmsg_multicast_filtered include/net/netlink.h:1129 [inline] nlmsg_multicast include/net/netlink.h:1148 [inline] nlmsg_notify+0xf0/0x1a0 net/netlink/af_netlink.c:2577 __dev_notify_flags+0xf4/0x2e0 net/core/dev.c:9389 netif_change_flags+0xe8/0x1a0 net/core/dev.c:9422 dev_change_flags+0x130/0x260 net/core/dev_api.c:68 devinet_ioctl+0xbb4/0x1b50 net/ipv4/devinet.c:1200 page last free pid 10673 tgid 10670 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1262 [inline] __free_frozen_pages+0xb0e/0xcd0 mm/page_alloc.c:2725 discard_slab mm/slub.c:2716 [inline] __put_partials+0x161/0x1c0 mm/slub.c:3185 put_cpu_partial+0x17c/0x250 mm/slub.c:3260 __slab_free+0x2f7/0x400 mm/slub.c:4512 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x9a/0x140 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:329 kasan_slab_alloc include/linux/kasan.h:250 [inline] slab_post_alloc_hook mm/slub.c:4147 [inline] slab_alloc_node mm/slub.c:4196 [inline] kmem_cache_alloc_noprof+0x1c1/0x3c0 mm/slub.c:4203 ptlock_alloc+0x20/0x70 mm/memory.c:7354 ptlock_init include/linux/mm.h:3074 [inline] pagetable_pte_ctor include/linux/mm.h:3122 [inline] __pte_alloc_one_noprof include/asm-generic/pgalloc.h:73 [inline] pte_alloc_one+0x6d/0x160 arch/x86/mm/pgtable.c:17 __pte_alloc+0x25/0x160 mm/memory.c:430 do_anonymous_page mm/memory.c:4968 [inline] do_pte_missing mm/memory.c:4158 [inline] handle_pte_fault mm/memory.c:5997 [inline] __handle_mm_fault+0x49e9/0x5380 mm/memory.c:6140 handle_mm_fault+0x3f6/0x8c0 mm/memory.c:6309 do_user_addr_fault+0x764/0x1390 arch/x86/mm/fault.c:1388 handle_page_fault arch/x86/mm/fault.c:1480 [inline] exc_page_fault+0x68/0x110 arch/x86/mm/fault.c:1538 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623 Memory state around the buggy address: ffff8880487cd480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880487cd500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8880487cd580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880487cd600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880487cd680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2025/05/14 23:35 | upstream | 9f35e33144ae | a4fa04ef | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-root | KASAN: slab-use-after-free Read in l2cap_sock_new_connection_cb | ||
| 2025/04/16 14:53 | upstream | 1a1d569a75f3 | 23b969b7 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-selinux-root | KASAN: slab-use-after-free Read in l2cap_sock_new_connection_cb | ||
| 2025/03/01 09:38 | upstream | 7a5668899f54 | 1e7a43e1 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-selinux-root | KASAN: slab-use-after-free Read in l2cap_sock_new_connection_cb | ||
| 2025/02/27 09:13 | upstream | 5394eea10651 | 6a8fcbc4 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-badwrites-root | KASAN: slab-use-after-free Read in l2cap_sock_new_connection_cb | ||
| 2025/02/20 00:00 | upstream | 6537cfb395f3 | cbd8edab | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-badwrites-root | KASAN: slab-use-after-free Read in l2cap_sock_new_connection_cb | ||
| 2025/02/17 05:02 | upstream | 0ad2507d5d93 | 40a34ec9 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-root | KASAN: slab-use-after-free Read in l2cap_sock_new_connection_cb | ||
| 2025/02/16 08:37 | upstream | 496659003dac | 40a34ec9 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-root | KASAN: slab-use-after-free Read in l2cap_sock_new_connection_cb | ||
| 2025/02/10 09:55 | upstream | a64dcfb451e2 | ef44b750 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-root | KASAN: slab-use-after-free Read in l2cap_sock_new_connection_cb | ||
| 2025/01/18 18:41 | upstream | 595523945be0 | f2cb035c | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-selinux-root | KASAN: slab-use-after-free Read in l2cap_sock_new_connection_cb | ||
| 2025/01/06 22:08 | upstream | 5428dc1906dd | f3558dbf | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-selinux-root | KASAN: slab-use-after-free Read in l2cap_sock_new_connection_cb | ||
| 2024/12/29 09:52 | upstream | 059dd502b263 | d3ccff63 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-badwrites-root | KASAN: slab-use-after-free Read in l2cap_sock_new_connection_cb | ||
| 2024/12/27 02:52 | upstream | d6ef8b40d075 | d3ccff63 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-selinux-root | KASAN: slab-use-after-free Read in l2cap_sock_new_connection_cb | ||
| 2024/11/26 12:17 | upstream | 2c22dc1ee3a1 | 11dbc254 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-root | KASAN: slab-use-after-free Read in l2cap_sock_new_connection_cb | ||
| 2024/11/15 13:04 | upstream | cfaaa7d010d1 | f6ede3a3 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-selinux-root | KASAN: slab-use-after-free Read in l2cap_sock_new_connection_cb | ||
| 2024/11/15 08:40 | upstream | cfaaa7d010d1 | f6ede3a3 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-selinux-root | KASAN: slab-use-after-free Read in l2cap_sock_new_connection_cb | ||
| 2024/11/14 23:56 | upstream | 0a9b9d17f3a7 | 77f3eeb7 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-selinux-root | KASAN: slab-use-after-free Read in l2cap_sock_new_connection_cb | ||
| 2024/11/14 19:54 | upstream | 0a9b9d17f3a7 | 77f3eeb7 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-selinux-root | KASAN: slab-use-after-free Read in l2cap_sock_new_connection_cb | ||
| 2024/11/14 04:27 | upstream | f1b785f4c787 | a8c99394 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-selinux-root | KASAN: slab-use-after-free Read in l2cap_sock_new_connection_cb | ||
| 2024/10/18 19:40 | upstream | 4d939780b705 | cd6fc0a3 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-selinux-root | KASAN: slab-use-after-free Read in l2cap_sock_new_connection_cb | ||
| 2024/10/15 19:08 | upstream | eca631b8fe80 | 14943bb8 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-smack-root | KASAN: slab-use-after-free Read in l2cap_sock_new_connection_cb | ||
| 2024/11/18 19:41 | upstream | adc218676eef | e7bb5d6e | .config | console log | report | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-snapshot-upstream-root | KASAN: slab-use-after-free Read in l2cap_sock_new_connection_cb | |||
| 2025/02/15 01:57 | upstream | 04f41cbf03ec | 40a34ec9 | .config | console log | report | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream-386 | KASAN: slab-use-after-free Read in l2cap_sock_new_connection_cb | ||
| 2025/02/11 09:29 | linux-next | df5d6180169a | 43f51a00 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-linux-next-kasan-gce-root | KASAN: slab-use-after-free Read in l2cap_sock_new_connection_cb | ||
| 2025/02/09 21:28 | linux-next | ed58d103e6da | ef44b750 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-linux-next-kasan-gce-root | KASAN: slab-use-after-free Read in l2cap_sock_new_connection_cb | ||
| 2025/01/03 18:21 | linux-next | 8155b4ef3466 | f3558dbf | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-linux-next-kasan-gce-root | KASAN: slab-use-after-free Read in l2cap_sock_new_connection_cb | ||
| 2025/03/20 20:28 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | 8571575d6b29 | 62330552 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-gce-arm64 | KASAN: slab-use-after-free Read in l2cap_sock_new_connection_cb | ||
| 2025/02/13 03:16 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | 2014c95afece | b27c2402 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-gce-arm64 | KASAN: slab-use-after-free Read in l2cap_sock_new_connection_cb | ||
| 2024/12/30 03:51 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | 573067a5a685 | d3ccff63 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-gce-arm64 | KASAN: slab-use-after-free Read in l2cap_sock_new_connection_cb | ||
| 2024/12/22 10:49 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | 573067a5a685 | d7f584ee | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-gce-arm64 | KASAN: slab-use-after-free Read in l2cap_sock_new_connection_cb | ||
| 2024/12/05 15:43 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | 7b1d1d4cfac0 | 6e50d07b | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-gce-arm64 | KASAN: slab-use-after-free Read in l2cap_sock_new_connection_cb | ||
| 2024/11/15 17:20 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | 887407160d72 | f6ede3a3 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-gce-arm64 | KASAN: slab-use-after-free Read in l2cap_sock_new_connection_cb | ||
| 2024/11/15 13:19 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | 887407160d72 | f6ede3a3 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-gce-arm64 | KASAN: slab-use-after-free Read in l2cap_sock_new_connection_cb | ||
| 2024/11/14 21:34 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | 887407160d72 | 77f3eeb7 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-gce-arm64 | KASAN: slab-use-after-free Read in l2cap_sock_new_connection_cb | ||
| 2024/11/02 07:31 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | 5283dc78f4da | f00eed24 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-gce-arm64 | KASAN: slab-use-after-free Read in l2cap_sock_new_connection_cb | ||
| 2024/10/25 18:27 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | 7678c1b2735a | 65e8686b | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-gce-arm64 | KASAN: slab-use-after-free Read in l2cap_sock_new_connection_cb |