Message ID | 20241118203337.2648476-1-luiz.dentz@gmail.com
---|---
State | Accepted
Commit | 4f562bec2bbf8068714098d21c8637c5c73393f8
Series | [v5] Bluetooth: MGMT: Fix slab-use-after-free Read in set_powered_sync
Context | Check | Description |
---|---|---|
tedd_an/pre-ci_am | success | Success |
tedd_an/SubjectPrefix | success | Gitlint PASS |
tedd_an/BuildKernel | success | BuildKernel PASS |
tedd_an/CheckAllWarning | success | CheckAllWarning PASS |
tedd_an/CheckSparse | success | CheckSparse PASS |
tedd_an/BuildKernel32 | success | BuildKernel32 PASS |
tedd_an/TestRunnerSetup | success | TestRunnerSetup PASS |
tedd_an/TestRunner_l2cap-tester | success | TestRunner PASS |
tedd_an/TestRunner_iso-tester | fail | TestRunner_iso-tester: WARNING: possible circular locking dependency detected |
tedd_an/TestRunner_bnep-tester | success | TestRunner PASS |
tedd_an/TestRunner_mgmt-tester | success | TestRunner PASS |
tedd_an/TestRunner_rfcomm-tester | success | TestRunner PASS |
tedd_an/TestRunner_sco-tester | success | TestRunner PASS |
tedd_an/TestRunner_ioctl-tester | success | TestRunner PASS |
tedd_an/TestRunner_mesh-tester | success | TestRunner PASS |
tedd_an/TestRunner_smp-tester | success | TestRunner PASS |
tedd_an/TestRunner_userchan-tester | success | TestRunner PASS |
#syz test

On Mon, Nov 18, 2024 at 3:33 PM Luiz Augusto von Dentz <luiz.dentz@gmail.com> wrote:
>
> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
>
> This fixes the following crash:
>
> ==================================================================
> BUG: KASAN: slab-use-after-free in set_powered_sync+0x3a/0xc0 net/bluetooth/mgmt.c:1353
> Read of size 8 at addr ffff888029b4dd18 by task kworker/u9:0/54
>
> CPU: 1 UID: 0 PID: 54 Comm: kworker/u9:0 Not tainted 6.11.0-rc6-syzkaller-01155-gf723224742fc #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
> Workqueue: hci0 hci_cmd_sync_work
> Call Trace:
> <TASK>
> __dump_stack lib/dump_stack.c:93 [inline]
> dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
> print_address_description mm/kasan/report.c:377 [inline]
> print_report+0x169/0x550 mm/kasan/report.c:488
> kasan_report+0x143/0x180 mm/kasan/report.c:601
> set_powered_sync+0x3a/0xc0 net/bluetooth/mgmt.c:1353
> hci_cmd_sync_work+0x22b/0x400 net/bluetooth/hci_sync.c:328
> process_one_work kernel/workqueue.c:3231 [inline]
> process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
> worker_thread+0x86d/0xd10 kernel/workqueue.c:3389
> kthread+0x2f0/0x390 kernel/kthread.c:389
> ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
> </TASK>
>
> Allocated by task 5247:
> kasan_save_stack mm/kasan/common.c:47 [inline]
> kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
> poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
> __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387
> kasan_kmalloc include/linux/kasan.h:211 [inline]
> __kmalloc_cache_noprof+0x19c/0x2c0 mm/slub.c:4193
> kmalloc_noprof include/linux/slab.h:681 [inline]
> kzalloc_noprof include/linux/slab.h:807 [inline]
> mgmt_pending_new+0x65/0x250 net/bluetooth/mgmt_util.c:269
> mgmt_pending_add+0x36/0x120 net/bluetooth/mgmt_util.c:296
> set_powered+0x3cd/0x5e0 net/bluetooth/mgmt.c:1394
> hci_mgmt_cmd+0xc47/0x11d0 net/bluetooth/hci_sock.c:1712
> hci_sock_sendmsg+0x7b8/0x11c0 net/bluetooth/hci_sock.c:1832
> sock_sendmsg_nosec net/socket.c:730 [inline]
> __sock_sendmsg+0x221/0x270 net/socket.c:745
> sock_write_iter+0x2dd/0x400 net/socket.c:1160
> new_sync_write fs/read_write.c:497 [inline]
> vfs_write+0xa72/0xc90 fs/read_write.c:590
> ksys_write+0x1a0/0x2c0 fs/read_write.c:643
> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> Freed by task 5246:
> kasan_save_stack mm/kasan/common.c:47 [inline]
> kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
> kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
> poison_slab_object+0xe0/0x150 mm/kasan/common.c:240
> __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256
> kasan_slab_free include/linux/kasan.h:184 [inline]
> slab_free_hook mm/slub.c:2256 [inline]
> slab_free mm/slub.c:4477 [inline]
> kfree+0x149/0x360 mm/slub.c:4598
> settings_rsp+0x2bc/0x390 net/bluetooth/mgmt.c:1443
> mgmt_pending_foreach+0xd1/0x130 net/bluetooth/mgmt_util.c:259
> __mgmt_power_off+0x112/0x420 net/bluetooth/mgmt.c:9455
> hci_dev_close_sync+0x665/0x11a0 net/bluetooth/hci_sync.c:5191
> hci_dev_do_close net/bluetooth/hci_core.c:483 [inline]
> hci_dev_close+0x112/0x210 net/bluetooth/hci_core.c:508
> sock_do_ioctl+0x158/0x460 net/socket.c:1222
> sock_ioctl+0x629/0x8e0 net/socket.c:1341
> vfs_ioctl fs/ioctl.c:51 [inline]
> __do_sys_ioctl fs/ioctl.c:907 [inline]
> __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> Reported-by: syzbot+03d6270b6425df1605bf@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=03d6270b6425df1605bf
> Fixes: 275f3f648702 ("Bluetooth: Fix not checking MGMT cmd pending queue")
> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> ---
> net/bluetooth/mgmt.c | 11 +++++++++--
> 1 file changed, 9 insertions(+), 2 deletions(-)
> > diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c > index 1f6d083682b8..e406eb8e4327 100644 > --- a/net/bluetooth/mgmt.c > +++ b/net/bluetooth/mgmt.c > @@ -1318,7 +1318,8 @@ static void mgmt_set_powered_complete(struct hci_dev *hdev, void *data, int err) > struct mgmt_mode *cp; > > /* Make sure cmd still outstanding. */ > - if (cmd != pending_find(MGMT_OP_SET_POWERED, hdev)) > + if (err == -ECANCELED || > + cmd != pending_find(MGMT_OP_SET_POWERED, hdev)) > return; > > cp = cmd->param; > @@ -1351,7 +1352,13 @@ static void mgmt_set_powered_complete(struct hci_dev *hdev, void *data, int err) > static int set_powered_sync(struct hci_dev *hdev, void *data) > { > struct mgmt_pending_cmd *cmd = data; > - struct mgmt_mode *cp = cmd->param; > + struct mgmt_mode *cp; > + > + /* Make sure cmd still outstanding. */ > + if (cmd != pending_find(MGMT_OP_SET_POWERED, hdev)) > + return -ECANCELED; > + > + cp = cmd->param; > > BT_DBG("%s", hdev->name); > > -- > 2.47.0 >
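The commit message quoted above describes a command object that set_powered places on the MGMT pending list, that settings_rsp frees when the adapter is powered off (mgmt_pending_foreach under __mgmt_power_off in the "Freed by" trace), and that the deferred set_powered_sync work item then dereferences through the raw pointer it was queued with. The following is an added user-space model of that lifecycle and of the two-part fix, written for this page; it is not kernel code, and mgmt_pending_add, pending_find, mgmt_pending_remove and __mgmt_power_off below are simplified stand-ins that only borrow the kernel's names (the MGMT_OP_SET_POWERED value is likewise assumed for the model). run_scenario(1) interleaves the power off before the queued work runs, which is the syzkaller ordering; run_scenario(0) is the normal path.

```c
/* Added example, not kernel code: a user-space model of the MGMT pending command
 * lifecycle behind this fix.  Names mirror the kernel's; every body is a stand-in. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MGMT_OP_SET_POWERED 0x0005	/* opcode value assumed for the model */

struct mgmt_mode { uint8_t val; };
struct mgmt_pending_cmd {
	struct mgmt_pending_cmd *next;
	uint16_t opcode;
	void *param;
};
struct hci_dev {
	struct mgmt_pending_cmd *mgmt_pending;	/* pending command list */
	int powered;
};

/* mgmt_pending_add(): allocate cmd plus a copy of its parameters, link it in */
static struct mgmt_pending_cmd *mgmt_pending_add(struct hci_dev *hdev, uint16_t opcode, const void *data, size_t len)
{
	struct mgmt_pending_cmd *cmd = calloc(1, sizeof(*cmd));
	if (!cmd || !(cmd->param = malloc(len))) { free(cmd); return NULL; }
	memcpy(cmd->param, data, len);
	cmd->opcode = opcode;
	cmd->next = hdev->mgmt_pending;
	hdev->mgmt_pending = cmd;
	return cmd;
}

/* pending_find(): first outstanding cmd with this opcode, or NULL */
static struct mgmt_pending_cmd *pending_find(uint16_t opcode, struct hci_dev *hdev)
{
	for (struct mgmt_pending_cmd *cmd = hdev->mgmt_pending; cmd; cmd = cmd->next)
		if (cmd->opcode == opcode)
			return cmd;
	return NULL;
}

/* mgmt_pending_remove(): unlink and free, which is how settings_rsp() ends */
static void mgmt_pending_remove(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd)
{
	struct mgmt_pending_cmd **pp = &hdev->mgmt_pending;
	while (*pp && *pp != cmd)
		pp = &(*pp)->next;
	if (*pp)
		*pp = cmd->next;
	free(cmd->param);
	free(cmd);
}

/* __mgmt_power_off(): like mgmt_pending_foreach(MGMT_OP_SET_POWERED, settings_rsp):
 * answer and free every pending SET_POWERED cmd; a pointer held by queued work now dangles */
static void __mgmt_power_off(struct hci_dev *hdev)
{
	struct mgmt_pending_cmd *cmd;
	while ((cmd = pending_find(MGMT_OP_SET_POWERED, hdev)))
		mgmt_pending_remove(hdev, cmd);
	hdev->powered = 0;
}

/* Before the fix this began `struct mgmt_mode *cp = cmd->param;` with no check;
 * with cmd freed above that is the KASAN read reported at mgmt.c:1353. */
static int set_powered_sync(struct hci_dev *hdev, void *data)
{
	struct mgmt_pending_cmd *cmd = data;
	struct mgmt_mode *cp;
	/* Fixed: only trust the pointer if it is still on the pending list */
	if (cmd != pending_find(MGMT_OP_SET_POWERED, hdev))
		return -ECANCELED;
	cp = cmd->param;
	hdev->powered = cp->val;
	return 0;
}

static void mgmt_set_powered_complete(struct hci_dev *hdev, void *data, int err)
{
	struct mgmt_pending_cmd *cmd = data;
	/* -ECANCELED means the sync step already found cmd gone: do not touch it */
	if (err == -ECANCELED || cmd != pending_find(MGMT_OP_SET_POWERED, hdev))
		return;
	mgmt_pending_remove(hdev, cmd);	/* normal completion */
}

struct outcome { int sync_ret; int powered; int pending_left; };

/* Interleave power off before the queued work runs (the syzkaller race) or not at all */
static struct outcome run_scenario(int power_off_first)
{
	struct hci_dev hdev = { 0 };
	struct mgmt_mode cp = { .val = 1 };
	/* set_powered(): add to the pending list and queue the work with the raw pointer */
	void *queued = mgmt_pending_add(&hdev, MGMT_OP_SET_POWERED, &cp, sizeof(cp));
	if (power_off_first)
		__mgmt_power_off(&hdev);	/* hci_dev_close path frees cmd */
	int err = set_powered_sync(&hdev, queued);	/* hci_cmd_sync_work runs the work */
	mgmt_set_powered_complete(&hdev, queued, err);
	return (struct outcome){ err, hdev.powered, hdev.mgmt_pending != NULL };
}
```

In the raced ordering the work item still holds `queued`, but the fixed set_powered_sync never dereferences it: pending_find returns NULL, the function returns -ECANCELED, and mgmt_set_powered_complete bails on that error before its own lookup. Note that the pending-list check is a pointer comparison, so in the real kernel it is only meaningful while the lookup and the dereference are serialized against the free path; the model has no concurrency and so does not show that requirement.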
This is an automated email, please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=910738

---Test result---

Test Summary:
CheckPatch                    PENDING   0.25 seconds
GitLint                       PENDING   0.19 seconds
SubjectPrefix                 PASS      0.11 seconds
BuildKernel                   PASS      24.61 seconds
CheckAllWarning               PASS      27.40 seconds
CheckSparse                   PASS      30.66 seconds
BuildKernel32                 PASS      24.85 seconds
TestRunnerSetup               PASS      437.88 seconds
TestRunner_l2cap-tester       PASS      22.38 seconds
TestRunner_iso-tester         FAIL      26.77 seconds
TestRunner_bnep-tester        PASS      4.83 seconds
TestRunner_mgmt-tester        PASS      119.03 seconds
TestRunner_rfcomm-tester      PASS      7.71 seconds
TestRunner_sco-tester         PASS      11.59 seconds
TestRunner_ioctl-tester       PASS      8.31 seconds
TestRunner_mesh-tester        PASS      6.15 seconds
TestRunner_smp-tester         PASS      7.03 seconds
TestRunner_userchan-tester    PASS      5.12 seconds
IncrementalBuild              PENDING   0.59 seconds

Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:

##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:

##############################
Test: TestRunner_iso-tester - FAIL
Desc: Run iso-tester with test-runner
Output:
WARNING: possible circular locking dependency detected
Total: 124, Passed: 120 (96.8%), Failed: 0, Not Run: 4

##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:

---
Regards,
Linux Bluetooth
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+03d6270b6425df1605bf@syzkaller.appspotmail.com
Tested-by: syzbot+03d6270b6425df1605bf@syzkaller.appspotmail.com
Tested on:
commit: d7ef9eee Merge branch 'am65-cpsw-rx-dscp-prio-map'
git tree: net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=111eeac0580000
kernel config: https://syzkaller.appspot.com/x/.config?x=d9e1e43bf6b46a4d
dashboard link: https://syzkaller.appspot.com/bug?extid=03d6270b6425df1605bf
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=120f4930580000
Note: testing is done by a robot and is best-effort only.
Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Mon, 18 Nov 2024 15:33:37 -0500 you wrote:
> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
>
> This fixes the following crash:
>
> ==================================================================
> BUG: KASAN: slab-use-after-free in set_powered_sync+0x3a/0xc0 net/bluetooth/mgmt.c:1353
> Read of size 8 at addr ffff888029b4dd18 by task kworker/u9:0/54
>
> [...]

Here is the summary with links:
  - [v5] Bluetooth: MGMT: Fix slab-use-after-free Read in set_powered_sync
    https://git.kernel.org/bluetooth/bluetooth-next/c/4f562bec2bbf

You are awesome, thank you!
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c index 1f6d083682b8..e406eb8e4327 100644 --- a/net/bluetooth/mgmt.c +++ b/net/bluetooth/mgmt.c @@ -1318,7 +1318,8 @@ static void mgmt_set_powered_complete(struct hci_dev *hdev, void *data, int err) struct mgmt_mode *cp; /* Make sure cmd still outstanding. */ - if (cmd != pending_find(MGMT_OP_SET_POWERED, hdev)) + if (err == -ECANCELED || + cmd != pending_find(MGMT_OP_SET_POWERED, hdev)) return; cp = cmd->param; @@ -1351,7 +1352,13 @@ static void mgmt_set_powered_complete(struct hci_dev *hdev, void *data, int err) static int set_powered_sync(struct hci_dev *hdev, void *data) { struct mgmt_pending_cmd *cmd = data; - struct mgmt_mode *cp = cmd->param; + struct mgmt_mode *cp; + + /* Make sure cmd still outstanding. */ + if (cmd != pending_find(MGMT_OP_SET_POWERED, hdev)) + return -ECANCELED; + + cp = cmd->param; BT_DBG("%s", hdev->name);
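Review bot: in the mgmt_set_powered_complete hunk (@@ -1318), the new `err == -ECANCELED ||` clause is needed for a reason the retained comment "Make sure cmd still outstanding." no longer covers: the only -ECANCELED source visible in this patch is set_powered_sync, which returns it exactly when cmd has already left the pending list (freed by settings_rsp under __mgmt_power_off, per the "Freed by" trace), and in that state the pointer comparison alone is not a safe liveness test, since a new MGMT_OP_SET_POWERED cmd allocated from the same slab cache could land at the same address and make `cmd != pending_find(MGMT_OP_SET_POWERED, hdev)` false on stale data. Suggest extending the comment to say that -ECANCELED means the sync step already found the cmd gone and nothing reachable through cmd may be touched. One thing to confirm: if the sync framework can hand this callback -ECANCELED for any other reason while cmd is still pending, the early return leaves that cmd on the list with no reply; if that cannot happen, a comment saying so would save the next reader the check.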
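Review bot: in the set_powered_sync hunk (@@ -1351), the new check is a plain pointer comparison with no locking shown, so it is only sound if the free path (hci_dev_close_sync to __mgmt_power_off to mgmt_pending_foreach to settings_rsp in the trace) cannot run between pending_find() and `cp = cmd->param;`; a one-line comment naming the lock that serializes hci_cmd_sync_work against hci_dev_close_sync would make that reviewable rather than implicit. The condition and its comment are now duplicated verbatim between set_powered_sync and mgmt_set_powered_complete; a small static helper (for instance a hypothetical set_powered_cmd_pending(hdev, cmd)) would keep both lookups in step if the opcode or the lookup ever changes. Minor: the `BT_DBG("%s", hdev->name);` in the unchanged context now sits after the early return, so a cancelled run leaves nothing in the debug log; moving it above the check would keep the trace for the case that is hardest to reproduce.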