Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_ready_cb

Commit Message

Sungwoo Kim May 26, 2023, 8:40 a.m. UTC

l2cap_sock_release(sk) frees sk. However, it's children are still alive
and points to the parent's address that is invalid.
To fix this, l2cap_sock_release(sk) also cleans sk's children.

==================================================================
BUG: KASAN: use-after-free in l2cap_sock_ready_cb+0xb7/0x100 net/bluetooth/l2cap_sock.c:1650
Read of size 8 at addr ffff888104617aa8 by task kworker/u3:0/276

CPU: 0 PID: 276 Comm: kworker/u3:0 Not tainted 6.2.0-00001-gef397bd4d5fb-dirty #59
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: hci2 hci_rx_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x72/0x95 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:306 [inline]
 print_report+0x175/0x478 mm/kasan/report.c:417
 kasan_report+0xb1/0x130 mm/kasan/report.c:517
 l2cap_sock_ready_cb+0xb7/0x100 net/bluetooth/l2cap_sock.c:1650
 l2cap_chan_ready+0x10e/0x1e0 net/bluetooth/l2cap_core.c:1386
 l2cap_config_req+0x753/0x9f0 net/bluetooth/l2cap_core.c:4480
 l2cap_bredr_sig_cmd net/bluetooth/l2cap_core.c:5739 [inline]
 l2cap_sig_channel net/bluetooth/l2cap_core.c:6509 [inline]
 l2cap_recv_frame+0xe2e/0x43c0 net/bluetooth/l2cap_core.c:7788
 l2cap_recv_acldata+0x6ed/0x7e0 net/bluetooth/l2cap_core.c:8506
 hci_acldata_packet net/bluetooth/hci_core.c:3813 [inline]
 hci_rx_work+0x66e/0xbc0 net/bluetooth/hci_core.c:4048
 process_one_work+0x4ea/0x8e0 kernel/workqueue.c:2289
 worker_thread+0x364/0x8e0 kernel/workqueue.c:2436
 kthread+0x1b9/0x200 kernel/kthread.c:376
 ret_from_fork+0x2c/0x50 arch/x86/entry/entry_64.S:308
 </TASK>

Allocated by task 288:
 kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 ____kasan_kmalloc mm/kasan/common.c:374 [inline]
 __kasan_kmalloc+0x82/0x90 mm/kasan/common.c:383
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __do_kmalloc_node mm/slab_common.c:968 [inline]
 __kmalloc+0x5a/0x140 mm/slab_common.c:981
 kmalloc include/linux/slab.h:584 [inline]
 sk_prot_alloc+0x113/0x1f0 net/core/sock.c:2040
 sk_alloc+0x36/0x3c0 net/core/sock.c:2093
 l2cap_sock_alloc.constprop.0+0x39/0x1c0 net/bluetooth/l2cap_sock.c:1852
 l2cap_sock_create+0x10d/0x220 net/bluetooth/l2cap_sock.c:1898
 bt_sock_create+0x183/0x290 net/bluetooth/af_bluetooth.c:132
 __sock_create+0x226/0x380 net/socket.c:1518
 sock_create net/socket.c:1569 [inline]
 __sys_socket_create net/socket.c:1606 [inline]
 __sys_socket_create net/socket.c:1591 [inline]
 __sys_socket+0x112/0x200 net/socket.c:1639
 __do_sys_socket net/socket.c:1652 [inline]
 __se_sys_socket net/socket.c:1650 [inline]
 __x64_sys_socket+0x40/0x50 net/socket.c:1650
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x72/0xdc

Freed by task 288:
 kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 kasan_save_free_info+0x2e/0x50 mm/kasan/generic.c:523
 ____kasan_slab_free mm/kasan/common.c:236 [inline]
 ____kasan_slab_free mm/kasan/common.c:200 [inline]
 __kasan_slab_free+0x10a/0x190 mm/kasan/common.c:244
 kasan_slab_free include/linux/kasan.h:177 [inline]
 slab_free_hook mm/slub.c:1781 [inline]
 slab_free_freelist_hook mm/slub.c:1807 [inline]
 slab_free mm/slub.c:3787 [inline]
 __kmem_cache_free+0x88/0x1f0 mm/slub.c:3800
 sk_prot_free net/core/sock.c:2076 [inline]
 __sk_destruct+0x347/0x430 net/core/sock.c:2168
 sk_destruct+0x9c/0xb0 net/core/sock.c:2183
 __sk_free+0x82/0x220 net/core/sock.c:2194
 sk_free+0x7c/0xa0 net/core/sock.c:2205
 sock_put include/net/sock.h:1991 [inline]
 l2cap_sock_kill+0x256/0x2b0 net/bluetooth/l2cap_sock.c:1257
 l2cap_sock_release+0x1a7/0x220 net/bluetooth/l2cap_sock.c:1428
 __sock_release+0x80/0x150 net/socket.c:650
 sock_close+0x19/0x30 net/socket.c:1368
 __fput+0x17a/0x5c0 fs/file_table.c:320
 task_work_run+0x132/0x1c0 kernel/task_work.c:179
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
 exit_to_user_mode_prepare+0x113/0x120 kernel/entry/common.c:203
 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
 syscall_exit_to_user_mode+0x21/0x50 kernel/entry/common.c:296
 do_syscall_64+0x4c/0x90 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x72/0xdc

The buggy address belongs to the object at ffff888104617800
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 680 bytes inside of
 1024-byte region [ffff888104617800, ffff888104617c00)

The buggy address belongs to the physical page:
page:00000000dbca6a80 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888104614000 pfn:0x104614
head:00000000dbca6a80 order:2 compound_mapcount:0 subpages_mapcount:0 compound_pincount:0
flags: 0x200000000010200(slab|head|node=0|zone=2)
raw: 0200000000010200 ffff888100041dc0 ffffea0004212c10 ffffea0004234b10
raw: ffff888104614000 0000000000080002 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888104617980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888104617a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888104617a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                  ^
 ffff888104617b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888104617b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Ack: This bug is found by FuzzBT with a modified Syzkaller. Other
contributors are Ruoyu Wu and Hui Peng.
Signed-off-by: Sungwoo Kim <iam@sung-woo.kim>
---
 net/bluetooth/l2cap_sock.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

bluez.test.bot@gmail.com May 26, 2023, 9:30 a.m. UTC | #1

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=751281

---Test result---

Test Summary:
CheckPatch                    FAIL      0.99 seconds
GitLint                       FAIL      0.61 seconds
SubjectPrefix                 PASS      0.10 seconds
BuildKernel                   FAIL      30.16 seconds
CheckAllWarning               FAIL      33.19 seconds
CheckSparse                   FAIL      36.21 seconds
CheckSmatch                   FAIL      102.03 seconds
BuildKernel32                 FAIL      28.81 seconds
TestRunnerSetup               FAIL      494.82 seconds
TestRunner_l2cap-tester       FAIL      0.12 seconds
TestRunner_iso-tester         FAIL      0.13 seconds
TestRunner_bnep-tester        FAIL      0.12 seconds
TestRunner_mgmt-tester        FAIL      0.13 seconds
TestRunner_rfcomm-tester      FAIL      0.13 seconds
TestRunner_sco-tester         FAIL      0.13 seconds
TestRunner_ioctl-tester       FAIL      0.12 seconds
TestRunner_mesh-tester        FAIL      0.12 seconds
TestRunner_smp-tester         FAIL      0.12 seconds
TestRunner_userchan-tester    FAIL      0.13 seconds
IncrementalBuild              FAIL      26.61 seconds

Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_ready_cb
WARNING: Possible unwrapped commit description (prefer a maximum 75 chars per line)
#79: 
CPU: 0 PID: 276 Comm: kworker/u3:0 Not tainted 6.2.0-00001-gef397bd4d5fb-dirty #59

total: 0 errors, 1 warnings, 0 checks, 9 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

/github/workspace/src/src/13256604.patch has style problems, please review.

NOTE: Ignored message types: UNKNOWN_COMMIT_ID

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.


##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_ready_cb

WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
8: B1 Line exceeds max length (92>80): "BUG: KASAN: use-after-free in l2cap_sock_ready_cb+0xb7/0x100 net/bluetooth/l2cap_sock.c:1650"
11: B1 Line exceeds max length (82>80): "CPU: 0 PID: 276 Comm: kworker/u3:0 Not tainted 6.2.0-00001-gef397bd4d5fb-dirty #59"
100: B1 Line exceeds max length (106>80): "page:00000000dbca6a80 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888104614000 pfn:0x104614"
101: B1 Line exceeds max length (89>80): "head:00000000dbca6a80 order:2 compound_mapcount:0 subpages_mapcount:0 compound_pincount:0"
##############################
Test: BuildKernel - FAIL
Desc: Build Kernel for Bluetooth
Output:

net/bluetooth/l2cap_sock.c: In function ‘l2cap_sock_release’:
net/bluetooth/l2cap_sock.c:1418:2: error: implicit declaration of function ‘l2cap_sock_cleanup_listen’; did you mean ‘l2cap_sock_listen’? [-Werror=implicit-function-declaration]
 1418 |  l2cap_sock_cleanup_listen(sk);
      |  ^~~~~~~~~~~~~~~~~~~~~~~~~
      |  l2cap_sock_listen
net/bluetooth/l2cap_sock.c: At top level:
net/bluetooth/l2cap_sock.c:1436:13: warning: conflicting types for ‘l2cap_sock_cleanup_listen’
 1436 | static void l2cap_sock_cleanup_listen(struct sock *parent)
      |             ^~~~~~~~~~~~~~~~~~~~~~~~~
net/bluetooth/l2cap_sock.c:1436:13: error: static declaration of ‘l2cap_sock_cleanup_listen’ follows non-static declaration
net/bluetooth/l2cap_sock.c:1418:2: note: previous implicit declaration of ‘l2cap_sock_cleanup_listen’ was here
 1418 |  l2cap_sock_cleanup_listen(sk);
      |  ^~~~~~~~~~~~~~~~~~~~~~~~~
cc1: some warnings being treated as errors
make[3]: *** [scripts/Makefile.build:252: net/bluetooth/l2cap_sock.o] Error 1
make[2]: *** [scripts/Makefile.build:494: net/bluetooth] Error 2
make[1]: *** [scripts/Makefile.build:494: net] Error 2
make[1]: *** Waiting for unfinished jobs....
make: *** [Makefile:2025: .] Error 2
##############################
Test: CheckAllWarning - FAIL
Desc: Run linux kernel with all warning enabled
Output:

net/bluetooth/l2cap_sock.c: In function ‘l2cap_sock_release’:
net/bluetooth/l2cap_sock.c:1418:2: error: implicit declaration of function ‘l2cap_sock_cleanup_listen’; did you mean ‘l2cap_sock_listen’? [-Werror=implicit-function-declaration]
 1418 |  l2cap_sock_cleanup_listen(sk);
      |  ^~~~~~~~~~~~~~~~~~~~~~~~~
      |  l2cap_sock_listen
net/bluetooth/l2cap_sock.c: At top level:
net/bluetooth/l2cap_sock.c:1436:13: warning: conflicting types for ‘l2cap_sock_cleanup_listen’
 1436 | static void l2cap_sock_cleanup_listen(struct sock *parent)
      |             ^~~~~~~~~~~~~~~~~~~~~~~~~
net/bluetooth/l2cap_sock.c:1436:13: error: static declaration of ‘l2cap_sock_cleanup_listen’ follows non-static declaration
net/bluetooth/l2cap_sock.c:1418:2: note: previous implicit declaration of ‘l2cap_sock_cleanup_listen’ was here
 1418 |  l2cap_sock_cleanup_listen(sk);
      |  ^~~~~~~~~~~~~~~~~~~~~~~~~
cc1: some warnings being treated as errors
make[3]: *** [scripts/Makefile.build:252: net/bluetooth/l2cap_sock.o] Error 1
make[2]: *** [scripts/Makefile.build:494: net/bluetooth] Error 2
make[1]: *** [scripts/Makefile.build:494: net] Error 2
make[1]: *** Waiting for unfinished jobs....
make: *** [Makefile:2025: .] Error 2
##############################
Test: CheckSparse - FAIL
Desc: Run sparse tool with linux kernel
Output:

net/bluetooth/af_bluetooth.c:178:25: warning: context imbalance in 'bt_accept_enqueue' - different lock contexts for basic block
drivers/bluetooth/hci_ag6xx.c:257:24: warning: restricted __le32 degrades to integer
drivers/bluetooth/hci_mrvl.c:170:23: warning: restricted __le16 degrades to integer
drivers/bluetooth/hci_mrvl.c:203:23: warning: restricted __le16 degrades to integer
net/bluetooth/hci_event.c: note: in included file (through include/net/bluetooth/hci_core.h):
./include/net/bluetooth/hci.h:2647:47: warning: array of flexible structures
./include/net/bluetooth/hci.h:2733:43: warning: array of flexible structures
drivers/bluetooth/btmtksdio.c:557:63: warning: Using plain integer as NULL pointer
drivers/bluetooth/btmtksdio.c:579:55: warning: Using plain integer as NULL pointer
drivers/bluetooth/btmtksdio.c:611:63: warning: Using plain integer as NULL pointer
drivers/bluetooth/btmtksdio.c:624:63: warning: Using plain integer as NULL pointer
net/bluetooth/l2cap_sock.c: In function ‘l2cap_sock_release’:
net/bluetooth/l2cap_sock.c:1418:2: error: implicit declaration of function ‘l2cap_sock_cleanup_listen’; did you mean ‘l2cap_sock_listen’? [-Werror=implicit-function-declaration]
 1418 |  l2cap_sock_cleanup_listen(sk);
      |  ^~~~~~~~~~~~~~~~~~~~~~~~~
      |  l2cap_sock_listen
net/bluetooth/l2cap_sock.c: At top level:
net/bluetooth/l2cap_sock.c:1436:13: warning: conflicting types for ‘l2cap_sock_cleanup_listen’
 1436 | static void l2cap_sock_cleanup_listen(struct sock *parent)
      |             ^~~~~~~~~~~~~~~~~~~~~~~~~
net/bluetooth/l2cap_sock.c:1436:13: error: static declaration of ‘l2cap_sock_cleanup_listen’ follows non-static declaration
net/bluetooth/l2cap_sock.c:1418:2: note: previous implicit declaration of ‘l2cap_sock_cleanup_listen’ was here
 1418 |  l2cap_sock_cleanup_listen(sk);
      |  ^~~~~~~~~~~~~~~~~~~~~~~~~
cc1: some warnings being treated as errors
make[3]: *** [scripts/Makefile.build:252: net/bluetooth/l2cap_sock.o] Error 1
make[2]: *** [scripts/Makefile.build:494: net/bluetooth] Error 2
make[1]: *** [scripts/Makefile.build:494: net] Error 2
make[1]: *** Waiting for unfinished jobs....
drivers/bluetooth/hci_nokia.c:284:23: warning: incorrect type in assignment (different base types)
drivers/bluetooth/hci_nokia.c:284:23:    expected unsigned short [usertype] baud
drivers/bluetooth/hci_nokia.c:284:23:    got restricted __le16 [usertype]
drivers/bluetooth/hci_nokia.c:287:26: warning: incorrect type in assignment (different base types)
drivers/bluetooth/hci_nokia.c:287:26:    expected unsigned short [usertype] sys_clk
drivers/bluetooth/hci_nokia.c:287:26:    got restricted __le16 [usertype]
make: *** [Makefile:2025: .] Error 2
##############################
Test: CheckSmatch - FAIL
Desc: Run smatch tool with source
Output:

net/bluetooth/hci_event.c: note: in included file (through include/net/bluetooth/hci_core.h):
./include/net/bluetooth/hci.h:2647:47: warning: array of flexible structures
./include/net/bluetooth/hci.h:2733:43: warning: array of flexible structures
net/bluetooth/l2cap_sock.c: In function ‘l2cap_sock_release’:
net/bluetooth/l2cap_sock.c:1418:2: error: implicit declaration of function ‘l2cap_sock_cleanup_listen’; did you mean ‘l2cap_sock_listen’? [-Werror=implicit-function-declaration]
 1418 |  l2cap_sock_cleanup_listen(sk);
      |  ^~~~~~~~~~~~~~~~~~~~~~~~~
      |  l2cap_sock_listen
net/bluetooth/l2cap_sock.c: At top level:
net/bluetooth/l2cap_sock.c:1436:13: warning: conflicting types for ‘l2cap_sock_cleanup_listen’
 1436 | static void l2cap_sock_cleanup_listen(struct sock *parent)
      |             ^~~~~~~~~~~~~~~~~~~~~~~~~
net/bluetooth/l2cap_sock.c:1436:13: error: static declaration of ‘l2cap_sock_cleanup_listen’ follows non-static declaration
net/bluetooth/l2cap_sock.c:1418:2: note: previous implicit declaration of ‘l2cap_sock_cleanup_listen’ was here
 1418 |  l2cap_sock_cleanup_listen(sk);
      |  ^~~~~~~~~~~~~~~~~~~~~~~~~
cc1: some warnings being treated as errors
make[3]: *** [scripts/Makefile.build:252: net/bluetooth/l2cap_sock.o] Error 1
make[3]: *** Waiting for unfinished jobs....
make[2]: *** [scripts/Makefile.build:494: net/bluetooth] Error 2
make[1]: *** [scripts/Makefile.build:494: net] Error 2
make: *** [Makefile:2025: .] Error 2
##############################
Test: BuildKernel32 - FAIL
Desc: Build 32bit Kernel for Bluetooth
Output:

net/bluetooth/l2cap_sock.c: In function ‘l2cap_sock_release’:
net/bluetooth/l2cap_sock.c:1418:2: error: implicit declaration of function ‘l2cap_sock_cleanup_listen’; did you mean ‘l2cap_sock_listen’? [-Werror=implicit-function-declaration]
 1418 |  l2cap_sock_cleanup_listen(sk);
      |  ^~~~~~~~~~~~~~~~~~~~~~~~~
      |  l2cap_sock_listen
net/bluetooth/l2cap_sock.c: At top level:
net/bluetooth/l2cap_sock.c:1436:13: warning: conflicting types for ‘l2cap_sock_cleanup_listen’
 1436 | static void l2cap_sock_cleanup_listen(struct sock *parent)
      |             ^~~~~~~~~~~~~~~~~~~~~~~~~
net/bluetooth/l2cap_sock.c:1436:13: error: static declaration of ‘l2cap_sock_cleanup_listen’ follows non-static declaration
net/bluetooth/l2cap_sock.c:1418:2: note: previous implicit declaration of ‘l2cap_sock_cleanup_listen’ was here
 1418 |  l2cap_sock_cleanup_listen(sk);
      |  ^~~~~~~~~~~~~~~~~~~~~~~~~
cc1: some warnings being treated as errors
make[3]: *** [scripts/Makefile.build:252: net/bluetooth/l2cap_sock.o] Error 1
make[2]: *** [scripts/Makefile.build:494: net/bluetooth] Error 2
make[1]: *** [scripts/Makefile.build:494: net] Error 2
make[1]: *** Waiting for unfinished jobs....
make: *** [Makefile:2025: .] Error 2
##############################
Test: TestRunnerSetup - FAIL
Desc: Setup kernel and bluez for test-runner
Output:
Kernel: 
net/bluetooth/l2cap_sock.c: In function ‘l2cap_sock_release’:
net/bluetooth/l2cap_sock.c:1418:2: error: implicit declaration of function ‘l2cap_sock_cleanup_listen’; did you mean ‘l2cap_sock_listen’? [-Werror=implicit-function-declaration]
 1418 |  l2cap_sock_cleanup_listen(sk);
      |  ^~~~~~~~~~~~~~~~~~~~~~~~~
      |  l2cap_sock_listen
net/bluetooth/l2cap_sock.c: At top level:
net/bluetooth/l2cap_sock.c:1436:13: warning: conflicting types for ‘l2cap_sock_cleanup_listen’
 1436 | static void l2cap_sock_cleanup_listen(struct sock *parent)
      |             ^~~~~~~~~~~~~~~~~~~~~~~~~
net/bluetooth/l2cap_sock.c:1436:13: error: static declaration of ‘l2cap_sock_cleanup_listen’ follows non-static declaration
net/bluetooth/l2cap_sock.c:1418:2: note: previous implicit declaration of ‘l2cap_sock_cleanup_listen’ was here
 1418 |  l2cap_sock_cleanup_listen(sk);
      |  ^~~~~~~~~~~~~~~~~~~~~~~~~
cc1: some warnings being treated as errors
make[3]: *** [scripts/Makefile.build:252: net/bluetooth/l2cap_sock.o] Error 1
make[3]: *** Waiting for unfinished jobs....
make[2]: *** [scripts/Makefile.build:494: net/bluetooth] Error 2
make[2]: *** Waiting for unfinished jobs....
make[1]: *** [scripts/Makefile.build:494: net] Error 2
make: *** [Makefile:2025: .] Error 2
##############################
Test: TestRunner_l2cap-tester - FAIL
Desc: Run l2cap-tester with test-runner
Output:

Could not access KVM kernel module: No such file or directory
qemu-system-x86_64: failed to initialize KVM: No such file or directory
qemu-system-x86_64: Back to tcg accelerator
qemu: could not open kernel file '/github/workspace/src/src/arch/x86/boot/bzImage': No such file or directory
##############################
Test: TestRunner_iso-tester - FAIL
Desc: Run iso-tester with test-runner
Output:

Could not access KVM kernel module: No such file or directory
qemu-system-x86_64: failed to initialize KVM: No such file or directory
qemu-system-x86_64: Back to tcg accelerator
qemu: could not open kernel file '/github/workspace/src/src/arch/x86/boot/bzImage': No such file or directory
##############################
Test: TestRunner_bnep-tester - FAIL
Desc: Run bnep-tester with test-runner
Output:

Could not access KVM kernel module: No such file or directory
qemu-system-x86_64: failed to initialize KVM: No such file or directory
qemu-system-x86_64: Back to tcg accelerator
qemu: could not open kernel file '/github/workspace/src/src/arch/x86/boot/bzImage': No such file or directory
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:

Could not access KVM kernel module: No such file or directory
qemu-system-x86_64: failed to initialize KVM: No such file or directory
qemu-system-x86_64: Back to tcg accelerator
qemu: could not open kernel file '/github/workspace/src/src/arch/x86/boot/bzImage': No such file or directory
##############################
Test: TestRunner_rfcomm-tester - FAIL
Desc: Run rfcomm-tester with test-runner
Output:

Could not access KVM kernel module: No such file or directory
qemu-system-x86_64: failed to initialize KVM: No such file or directory
qemu-system-x86_64: Back to tcg accelerator
qemu: could not open kernel file '/github/workspace/src/src/arch/x86/boot/bzImage': No such file or directory
##############################
Test: TestRunner_sco-tester - FAIL
Desc: Run sco-tester with test-runner
Output:

Could not access KVM kernel module: No such file or directory
qemu-system-x86_64: failed to initialize KVM: No such file or directory
qemu-system-x86_64: Back to tcg accelerator
qemu: could not open kernel file '/github/workspace/src/src/arch/x86/boot/bzImage': No such file or directory
##############################
Test: TestRunner_ioctl-tester - FAIL
Desc: Run ioctl-tester with test-runner
Output:

Could not access KVM kernel module: No such file or directory
qemu-system-x86_64: failed to initialize KVM: No such file or directory
qemu-system-x86_64: Back to tcg accelerator
qemu: could not open kernel file '/github/workspace/src/src/arch/x86/boot/bzImage': No such file or directory
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:

Could not access KVM kernel module: No such file or directory
qemu-system-x86_64: failed to initialize KVM: No such file or directory
qemu-system-x86_64: Back to tcg accelerator
qemu: could not open kernel file '/github/workspace/src/src/arch/x86/boot/bzImage': No such file or directory
##############################
Test: TestRunner_smp-tester - FAIL
Desc: Run smp-tester with test-runner
Output:

Could not access KVM kernel module: No such file or directory
qemu-system-x86_64: failed to initialize KVM: No such file or directory
qemu-system-x86_64: Back to tcg accelerator
qemu: could not open kernel file '/github/workspace/src/src/arch/x86/boot/bzImage': No such file or directory
##############################
Test: TestRunner_userchan-tester - FAIL
Desc: Run userchan-tester with test-runner
Output:

Could not access KVM kernel module: No such file or directory
qemu-system-x86_64: failed to initialize KVM: No such file or directory
qemu-system-x86_64: Back to tcg accelerator
qemu: could not open kernel file '/github/workspace/src/src/arch/x86/boot/bzImage': No such file or directory
##############################
Test: IncrementalBuild - FAIL
Desc: Incremental build with the patches in the series
Output:
Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_ready_cb

net/bluetooth/l2cap_sock.c: In function ‘l2cap_sock_release’:
net/bluetooth/l2cap_sock.c:1418:2: error: implicit declaration of function ‘l2cap_sock_cleanup_listen’; did you mean ‘l2cap_sock_listen’? [-Werror=implicit-function-declaration]
 1418 |  l2cap_sock_cleanup_listen(sk);
      |  ^~~~~~~~~~~~~~~~~~~~~~~~~
      |  l2cap_sock_listen
net/bluetooth/l2cap_sock.c: At top level:
net/bluetooth/l2cap_sock.c:1436:13: warning: conflicting types for ‘l2cap_sock_cleanup_listen’
 1436 | static void l2cap_sock_cleanup_listen(struct sock *parent)
      |             ^~~~~~~~~~~~~~~~~~~~~~~~~
net/bluetooth/l2cap_sock.c:1436:13: error: static declaration of ‘l2cap_sock_cleanup_listen’ follows non-static declaration
net/bluetooth/l2cap_sock.c:1418:2: note: previous implicit declaration of ‘l2cap_sock_cleanup_listen’ was here
 1418 |  l2cap_sock_cleanup_listen(sk);
      |  ^~~~~~~~~~~~~~~~~~~~~~~~~
cc1: some warnings being treated as errors
make[3]: *** [scripts/Makefile.build:252: net/bluetooth/l2cap_sock.o] Error 1
make[2]: *** [scripts/Makefile.build:494: net/bluetooth] Error 2
make[1]: *** [scripts/Makefile.build:494: net] Error 2
make[1]: *** Waiting for unfinished jobs....
make: *** [Makefile:2025: .] Error 2


---
Regards,
Linux Bluetooth

kernel test robot May 26, 2023, 12:01 p.m. UTC | #2

Hi Sungwoo,

kernel test robot noticed the following build errors:

[auto build test ERROR on bluetooth/master]
[also build test ERROR on bluetooth-next/master linus/master v6.4-rc3 next-20230525]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Sungwoo-Kim/Bluetooth-L2CAP-Fix-use-after-free-in-l2cap_sock_ready_cb/20230526-164241
base:   https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth.git master
patch link:    https://lore.kernel.org/r/20230526084038.2199788-1-iam%40sung-woo.kim
patch subject: [PATCH] Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_ready_cb
config: powerpc-allmodconfig (https://download.01.org/0day-ci/archive/20230526/202305261912.mKLcy6Fw-lkp@intel.com/config)
compiler: powerpc-linux-gcc (GCC) 12.1.0
reproduce (this is a W=1 build):
        mkdir -p ~/bin
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/intel-lab-lkp/linux/commit/c0c02b1afbe2667fe21aed47375c4e0d45713f38
        git remote add linux-review https://github.com/intel-lab-lkp/linux
        git fetch --no-tags linux-review Sungwoo-Kim/Bluetooth-L2CAP-Fix-use-after-free-in-l2cap_sock_ready_cb/20230526-164241
        git checkout c0c02b1afbe2667fe21aed47375c4e0d45713f38
        # save the config file
        mkdir build_dir && cp config build_dir/.config
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 ~/bin/make.cross W=1 O=build_dir ARCH=powerpc olddefconfig
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 ~/bin/make.cross W=1 O=build_dir ARCH=powerpc SHELL=/bin/bash net/bluetooth/

If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202305261912.mKLcy6Fw-lkp@intel.com/

All error/warnings (new ones prefixed by >>):

   net/bluetooth/l2cap_sock.c: In function 'l2cap_sock_release':
>> net/bluetooth/l2cap_sock.c:1418:9: error: implicit declaration of function 'l2cap_sock_cleanup_listen'; did you mean 'l2cap_sock_listen'? [-Werror=implicit-function-declaration]
    1418 |         l2cap_sock_cleanup_listen(sk);
         |         ^~~~~~~~~~~~~~~~~~~~~~~~~
         |         l2cap_sock_listen
   net/bluetooth/l2cap_sock.c: At top level:
>> net/bluetooth/l2cap_sock.c:1436:13: warning: conflicting types for 'l2cap_sock_cleanup_listen'; have 'void(struct sock *)'
    1436 | static void l2cap_sock_cleanup_listen(struct sock *parent)
         |             ^~~~~~~~~~~~~~~~~~~~~~~~~
>> net/bluetooth/l2cap_sock.c:1436:13: error: static declaration of 'l2cap_sock_cleanup_listen' follows non-static declaration
   net/bluetooth/l2cap_sock.c:1418:9: note: previous implicit declaration of 'l2cap_sock_cleanup_listen' with type 'void(struct sock *)'
    1418 |         l2cap_sock_cleanup_listen(sk);
         |         ^~~~~~~~~~~~~~~~~~~~~~~~~
   cc1: some warnings being treated as errors


vim +1418 net/bluetooth/l2cap_sock.c

  1406	
  1407	static int l2cap_sock_release(struct socket *sock)
  1408	{
  1409		struct sock *sk = sock->sk;
  1410		int err;
  1411		struct l2cap_chan *chan;
  1412	
  1413		BT_DBG("sock %p, sk %p", sock, sk);
  1414	
  1415		if (!sk)
  1416			return 0;
  1417	
> 1418		l2cap_sock_cleanup_listen(sk);
  1419		bt_sock_unlink(&l2cap_sk_list, sk);
  1420	
  1421		err = l2cap_sock_shutdown(sock, SHUT_RDWR);
  1422		chan = l2cap_pi(sk)->chan;
  1423	
  1424		l2cap_chan_hold(chan);
  1425		l2cap_chan_lock(chan);
  1426	
  1427		sock_orphan(sk);
  1428		l2cap_sock_kill(sk);
  1429	
  1430		l2cap_chan_unlock(chan);
  1431		l2cap_chan_put(chan);
  1432	
  1433		return err;
  1434	}
  1435	
> 1436	static void l2cap_sock_cleanup_listen(struct sock *parent)
  1437	{
  1438		struct sock *sk;
  1439	
  1440		BT_DBG("parent %p state %s", parent,
  1441		       state_to_string(parent->sk_state));
  1442	
  1443		/* Close not yet accepted channels */
  1444		while ((sk = bt_accept_dequeue(parent, NULL))) {
  1445			struct l2cap_chan *chan = l2cap_pi(sk)->chan;
  1446	
  1447			BT_DBG("child chan %p state %s", chan,
  1448			       state_to_string(chan->state));
  1449	
  1450			l2cap_chan_hold(chan);
  1451			l2cap_chan_lock(chan);
  1452	
  1453			__clear_chan_timer(chan);
  1454			l2cap_chan_close(chan, ECONNRESET);
  1455			l2cap_sock_kill(sk);
  1456	
  1457			l2cap_chan_unlock(chan);
  1458			l2cap_chan_put(chan);
  1459		}
  1460	}
  1461

Patch

diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index eebe25610..ddd940a46 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -1414,7 +1414,8 @@  static int l2cap_sock_release(struct socket *sock)
 
 	if (!sk)
 		return 0;
-
+
+	l2cap_sock_cleanup_listen(sk);
 	bt_sock_unlink(&l2cap_sk_list, sk);
 
 	err = l2cap_sock_shutdown(sock, SHUT_RDWR);