Use-after-free in hci_cmd_work() on kevin at reboot (bluetooth related)
Issue description
I have seen the following use-after-free several times in a row on kevin.
[ 695.765139] ==================================================================
[ 695.772569] BUG: KASAN: out-of-bounds in hci_cmd_work+0x27c/0x3b4 [bluetooth] at addr ffffffc09dd53870
[ 695.781895] Read of size 2 by task kworker/u13:6/383
[ 695.786871] =============================================================================
[ 695.795055] BUG skbuff_head_cache (Not tainted): kasan: bad access detected
[ 695.802022] -----------------------------------------------------------------------------
[ 695.802022]
[ 695.811679] Disabling lock debugging due to kernel taint
[ 695.817026] INFO: Allocated in __alloc_skb+0x6c/0x240 age=38 cpu=3 pid=522
[ 695.823929] alloc_debug_processing+0x124/0x178
[ 695.828483] ___slab_alloc.constprop.61+0x528/0x608
[ 695.833382] __slab_alloc.isra.57.constprop.60+0x44/0x54
[ 695.838715] kmem_cache_alloc+0xcc/0x254
[ 695.842661] __alloc_skb+0x6c/0x240
[ 695.846173] alloc_skb_with_frags+0x98/0x274
[ 695.850467] sock_alloc_send_pskb+0x294/0x31c
[ 695.854846] unix_stream_sendmsg+0x20c/0x3c8
[ 695.859143] sock_sendmsg+0x70/0x8c
[ 695.862649] ___sys_sendmsg+0x2a0/0x364
[ 695.866503] __sys_sendmsg+0x60/0xa4
[ 695.870105] compat_SyS_sendmsg+0x34/0x40
[ 695.874137] el0_svc_naked+0x24/0x28
[ 695.877741] INFO: Freed in __kfree_skb+0xb0/0xbc age=100 cpu=3 pid=522
[ 695.884295] free_debug_processing+0x264/0x370
[ 695.888767] __slab_free+0x84/0x40c
[ 695.892263] kmem_cache_free+0x1b8/0x290
[ 695.896191] __kfree_skb+0xb0/0xbc
[ 695.899602] consume_skb+0x164/0x178
[ 695.903191] unix_stream_read_generic+0x970/0xb50
[ 695.907901] unix_stream_recvmsg+0x6c/0x8c
[ 695.912009] sock_recvmsg+0x70/0x84
[ 695.915509] ___sys_recvmsg+0x150/0x264
[ 695.919358] __sys_recvmsg+0x60/0xa4
[ 695.922950] compat_SyS_recvmsg+0x34/0x40
[ 695.926976] el0_svc_naked+0x24/0x28
[ 695.930565] INFO: Slab 0xffffffbdc277d400 objects=28 used=20 fp=0xffffffc09dd52d00 flags=0x4080
[ 695.939265] INFO: Object 0xffffffc09dd53840 @offset=14400 fp=0xffffffc09dd50d80
[ 695.939265]
[ 695.939265]
[ 695.948062] Bytes b4 ffffffc09dd53830: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
[ 695.957544] Object ffffffc09dd53840: 80 0d d5 9d c0 ff ff ff 80 1f d5 9d c0 ff ff ff ................
[ 695.966854] Object ffffffc09dd53850: 00 00 00 00 00 00 00 00 00 07 9a c1 c0 ff ff ff ................
[ 695.976160] Object ffffffc09dd53860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 695.985468] Object ffffffc09dd53870: ff ff ff ff ff ff ff ff 00 00 00 00 00 00 00 00 ................
[ 695.994768] Object ffffffc09dd53880: 27 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 '...............
[ 696.004077] Object ffffffc09dd53890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 696.013385] Object ffffffc09dd538a0: 28 2a ba 00 c0 ff ff ff 00 00 00 00 00 00 00 00 (*..............
[ 696.022692] Object ffffffc09dd538b0: 00 00 00 00 00 00 00 00 cd 00 00 00 00 00 00 00 ................
[ 696.031999] Object ffffffc09dd538c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 696.041305] Object ffffffc09dd538d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 696.050613] Object ffffffc09dd538e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 696.059918] Object ffffffc09dd538f0: 00 00 00 00 00 00 00 00 00 00 ff ff 00 00 ff ff ................
[ 696.069226] Object ffffffc09dd53900: cd 00 00 00 80 02 00 00 80 68 a0 9d c0 ff ff ff .........h......
[ 696.078536] Object ffffffc09dd53910: 80 68 a0 9d c0 ff ff ff 00 05 00 00 01 00 00 00 .h..............
[ 696.087841] Redzone ffffffc09dd53920: cc cc cc cc cc cc cc cc ........
[ 696.096537] Padding ffffffc09dd53a60: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
[ 696.105934] Padding ffffffc09dd53a70: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
[ 696.115335] CPU: 1 PID: 383 Comm: kworker/u13:6 Tainted: G B 4.4.96 #664
[ 696.123171] Hardware name: Google Kevin (DT)
[ 696.127574] Workqueue: hci0 hci_cmd_work [bluetooth]
[ 696.132564] Call trace:
[ 696.135031] [<ffffffc00020a584>] dump_backtrace+0x0/0x190
[ 696.140441] [<ffffffc00020a854>] show_stack+0x20/0x28
[ 696.145512] [<ffffffc0005d0aa4>] dump_stack+0xa4/0xcc
[ 696.150572] [<ffffffc0003beecc>] print_trailer+0x158/0x168
[ 696.156067] [<ffffffc0003bf070>] object_err+0x4c/0x5c
[ 696.161128] [<ffffffc0003c4f30>] kasan_report+0x348/0x514
[ 696.166534] [<ffffffc0003c3f54>] __asan_load2+0x78/0x80
[ 696.171859] [<ffffffbffc19c6e8>] hci_cmd_work+0x27c/0x3b4 [bluetooth]
[ 696.178313] [<ffffffc000248cec>] process_one_work+0x3dc/0x6b8
[ 696.184071] [<ffffffc00024a264>] worker_thread+0x4e0/0x678
[ 696.189563] [<ffffffc0002510f0>] kthread+0x18c/0x1a0
[ 696.194546] [<ffffffc0002045d0>] ret_from_fork+0x10/0x40
[ 696.199863] Memory state around the buggy address:
[ 696.204664] ffffffc09dd53700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 696.211893] ffffffc09dd53780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 696.219117] >ffffffc09dd53800: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 696.226342] ^
[ 696.233483] ffffffc09dd53880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 696.240712] ffffffc09dd53900: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[ 696.247938] ==================================================================
[ 696.255472] Bluetooth: COND LE cmd (0xffff) is already 0 (chg 0), skip transition to 0
[ 696.263970] Bluetooth: COND no more cmd in queue.
This is with v4.4.96-12069-g542de8ed5956.
,
Dec 4 2017
Also observed on eve.
,
Dec 4 2017
,
Dec 14 2017
Just got a long series of nearly the same error on soraka, on the same kernel branch and a very recent commit (less than one week old): 4.4.104-12291-g8ba350f8efef
Just the start of the series:
[ 35.325382] Bluetooth: RFCOMM socket layer initialized
[ 35.428517] Bluetooth: RFCOMM ver 1.11
[ 35.726202] ==================================================================
[ 35.735695] BUG: KASAN: use-after-free in hci_cmd_work+0x251/0x3a7 [bluetooth] at addr ffff880144b57cf0
[ 35.747645] Read of size 2 by task kworker/u9:4/342
[ 35.810275] =============================================================================
[ 35.820114] BUG skbuff_head_cache (Tainted: G U ): kasan: bad access detected
[ 35.846722] -----------------------------------------------------------------------------
[ 35.857918] Disabling lock debugging due to kernel taint
[ 35.911044] INFO: Allocated in __alloc_skb+0x5d/0x2be age=186 cpu=0 pid=339
[ 35.976161] kmem_cache_alloc+0x5ba/0x893
[ 35.981157] __alloc_skb+0x5d/0x2be
[ 35.985245] alloc_skb_with_frags+0x7d/0x2b8
[ 35.991088] sock_alloc_send_pskb+0x2f2/0x469
[ 35.997089] unix_stream_sendmsg+0x292/0x7dc
[ 36.002120] sock_sendmsg+0x6b/0x7d
[ 36.011603] ___sys_sendmsg+0x5ad/0x69c
[ 36.047619] __sys_sendmsg+0xa7/0xfa
[ 36.112212] SyS_sendmsg+0x19/0x1b
[ 36.212895] entry_SYSCALL_64_fastpath+0x1c/0x8f
[ 36.227435] INFO: Freed in __kfree_skb+0x94/0x97 age=13 cpu=3 pid=527
[ 36.235279] kmem_cache_free+0xf2/0x52c
[ 36.240466] __kfree_skb+0x94/0x97
[ 36.244416] consume_skb+0xeb/0xf2
[ 36.248385] skb_free_datagram+0x15/0x20
[ 36.252993] unix_dgram_recvmsg+0x640/0x672
[ 36.313567] sock_recvmsg_nosec+0x49/0x52
[ 36.322835] sock_recvmsg+0x36/0x3f
[ 36.414199] ___sys_recvmsg+0x3d6/0x5ad
[ 36.449962] SyS_recvmsg+0xb6/0x109
[ 36.478642] entry_SYSCALL_64_fastpath+0x1c/0x8f
[ 36.484034] INFO: Slab 0xffffea000512d500 objects=28 used=0 fp=0xffff880144b56880 flags=0x8000000000004080
[ 36.496572] INFO: Object 0xffff880144b57cc0 @offset=15552 fp=0xffff880144b57600
[ 36.515089] Bytes b4 ffff880144b57cb0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
[ 36.615724] Object ffff880144b57cc0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 36.644005] Object ffff880144b57cd0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 36.716388] Object ffff880144b57ce0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 36.730572] Object ffff880144b57cf0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 36.741879] Object ffff880144b57d00: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 36.753725] Object ffff880144b57d10: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 36.817043] Object ffff880144b57d20: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 36.852431] Object ffff880144b57d30: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 36.863230] Object ffff880144b57d40: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 36.917656] Object ffff880144b57d50: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 36.981805] Object ffff880144b57d60: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 36.993202] Object ffff880144b57d70: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 37.005105] Object ffff880144b57d80: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 37.018411] Object ffff880144b57d90: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5 kkkkkkkkkkkkkkk.
[ 37.118429] Redzone ffff880144b57da0: bb bb bb bb bb bb bb bb ........
[ 37.219526] Padding ffff880144b57ee0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
[ 37.233234] Padding ffff880144b57ef0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
[ 37.245600] CPU: 1 PID: 342 Comm: kworker/u9:4 Tainted: G BU 4.4.104-12291-g8ba350f8efef #14
[ 37.320100] Workqueue: hci0 hci_cmd_work [bluetooth]
[ 37.328726] ffff880144b54010 96e0ba4cfe490a08 ffff88015753fc98 ffffffff83a676a4
[ 37.455700] ffff88015a70eac0 ffff880144b57cc0 ffff88015753fcc8 ffffffff83803aca
[ 37.489643] ffff88015a70eac0 ffffea000512d500 ffff880144b57cc0 ffffffff843c287b
[ 37.499113] Call Trace:
[ 37.502899] [<ffffffff83a676a4>] dump_stack+0x4d/0x63
[ 37.508982] [<ffffffff83803aca>] print_trailer+0x125/0x12e
[ 37.521331] [<ffffffff83803de4>] object_err+0x36/0x3d
[ 37.621878] [<ffffffff83808286>] kasan_report+0x33b/0x4da
[ 37.649050] [<ffffffffc05e435d>] ? hci_cmd_work+0x251/0x3a7 [bluetooth]
[ 37.722200] [<ffffffff83807727>] __asan_load2+0x69/0x6b
[ 37.735299] [<ffffffffc05e435d>] hci_cmd_work+0x251/0x3a7 [bluetooth]
[ 37.743195] [<ffffffff837857c7>] worker_thread+0xa4a/0xde7
[ 37.750334] [<ffffffff83784d7d>] ? queue_work_on+0x24/0x24
[ 37.758026] [<ffffffff836b1a65>] kthread+0x184/0x194
[ 37.823177] [<ffffffff836b18e1>] ? flush_kthread_worker+0xb5/0xb5
[ 37.831404] [<ffffffff841f0b2f>] ret_from_fork+0x3f/0x70
[ 37.857959] [<ffffffff836b18e1>] ? flush_kthread_worker+0xb5/0xb5
[ 37.865159] Memory state around the buggy address:
[ 37.870715] ffff880144b57b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 37.923891] ffff880144b57c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 37.986539] >ffff880144b57c80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 37.995915] ^
[ 38.004389] ffff880144b57d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.013052] ffff880144b57d80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 38.024549] ==================================================================
[ 38.059949] Bluetooth: COND LE cmd (0xffff) is already 0 (chg 0), skip transition to 0
[ 38.125097] Bluetooth: COND call queue_work.
[ 38.225764] Bluetooth: Failed to start discovery: status 0x1f
[ 48.482342] ==================================================================
[ 48.532138] BUG: KASAN: use-after-free in hci_cmd_work+0x251/0x3a7 [bluetooth] at addr ffff8800474e5d70
[ 48.543966] Read of size 2 by task kworker/u9:2/338
[ 48.551036] =============================================================================
[ 48.582378] BUG skbuff_head_cache (Tainted: G BU ): kasan: bad access detected
[ 48.677090] -----------------------------------------------------------------------------
[ 48.707506] INFO: Allocated in __alloc_skb+0x5d/0x2be age=125 cpu=0 pid=0
[ 48.783056] kmem_cache_alloc+0x5ba/0x893
[ 48.788936] __alloc_skb+0x5d/0x2be
[ 48.793013] bt_skb_alloc+0x12/0x47 [btusb]
[ 48.797924] btusb_recv_intr+0x75/0x20a [btusb]
[ 48.803613] btusb_intr_complete+0xb5/0x182 [btusb]
[ 48.809549] __usb_hcd_giveback_urb+0x362/0x3b3
[ 48.877708] usb_hcd_giveback_urb+0x8a/0x163
[ 48.883438] xhci_irq+0x4d17/0x4da7
[ 48.908256] xhci_msi_irq+0x11/0x13
[ 48.912332] handle_irq_event_percpu+0x12a/0x344
[ 48.917729] handle_irq_event+0x59/0x89
[ 48.983803] handle_edge_irq+0x14c/0x198
[ 49.030743] handle_irq+0x174/0x185
[ 49.034904] do_IRQ+0x56/0xc5
[ 49.039148] ret_from_intr+0x0/0x14
[ 49.043196] cpuidle_enter+0x17/0x19
[ 49.048054] INFO: Freed in __kfree_skb+0x94/0x97 age=566 cpu=2 pid=338
[ 49.055795] kmem_cache_free+0xf2/0x52c
[ 49.078512] __kfree_skb+0x94/0x97
[ 49.082449] kfree_skb+0x49/0x4c
[ 49.086229] hci_cmd_work+0x248/0x3a7 [bluetooth]
[ 49.184476] worker_thread+0xa4a/0xde7
[ 49.278993] kthread+0x184/0x194
[ 49.284805] ret_from_fork+0x3f/0x70
[ 49.288944] INFO: Slab 0xffffea00011d3900 objects=28 used=6 fp=0xffff8800474e5200 flags=0x4000000000004080
[ 49.300149] INFO: Object 0xffff8800474e5d40 @offset=7488 fp=0xffff8800474e4fc0
[ 49.311361] Bytes b4 ffff8800474e5d30: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
[ 49.386073] Object ffff8800474e5d40: 28 2c cf 4c 00 88 ff ff 28 2c cf 4c 00 88 ff ff (,.L....(,.L....
[ 49.486288] Object ffff8800474e5d50: 50 71 ac bc e1 08 00 15 00 00 00 00 00 00 00 00 Pq..............
[ 49.535900] Object ffff8800474e5d60: 00 00 00 00 00 00 00 00 04 00 00 00 01 00 00 00 ................
[ 49.547206] Object ffff8800474e5d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 49.559578] Object ffff8800474e5d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 49.586929] Object ffff8800474e5d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 49.687048] Object ffff8800474e5da0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 49.711259] Object ffff8800474e5db0: 00 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 ................
[ 49.786989] Object ffff8800474e5dc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 49.799339] Object ffff8800474e5dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 49.811183] Object ffff8800474e5de0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 49.881610] Object ffff8800474e5df0: 00 00 00 00 00 00 00 00 00 00 ff ff 00 00 ff ff ................
[ 49.912580] Object ffff8800474e5e00: 0b 00 00 00 c0 02 00 00 48 85 e8 33 01 88 ff ff ........H..3....
[ 49.923409] Object ffff8800474e5e10: 50 85 e8 33 01 88 ff ff 00 05 00 00 01 00 00 00 P..3............
[ 49.988599] Redzone ffff8800474e5e20: cc cc cc cc cc cc cc cc ........
[ 50.037671] Padding ffff8800474e5f60: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
[ 50.049241] Padding ffff8800474e5f70: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
[ 50.061227] CPU: 2 PID: 338 Comm: kworker/u9:2 Tainted: G BU 4.4.104-12291-g8ba350f8efef #14
[ 50.189202] Workqueue: hci0 hci_cmd_work [bluetooth]
[ 50.288039] ffff8800474e4010 d1a1bb7e786623fc ffff880158d87c98 ffffffff83a676a4
[ 50.297093] ffff88015a70eac0 ffff8800474e5d40 ffff880158d87cc8 ffffffff83803aca
[ 50.307030] ffff88015a70eac0 ffffea00011d3900 ffff8800474e5d40 ffffffff843c287b
[ 50.390370] Call Trace:
[ 50.393226] [<ffffffff83a676a4>] dump_stack+0x4d/0x63
[ 50.490565] [<ffffffff83803aca>] print_trailer+0x125/0x12e
[ 50.538947] [<ffffffff83803de4>] object_err+0x36/0x3d
[ 50.546044] [<ffffffff83808286>] kasan_report+0x33b/0x4da
[ 50.552553] [<ffffffffc05e435d>] ? hci_cmd_work+0x251/0x3a7 [bluetooth]
[ 50.560742] [<ffffffff83807727>] __asan_load2+0x69/0x6b
[ 50.591206] [<ffffffffc05e435d>] hci_cmd_work+0x251/0x3a7 [bluetooth]
[ 50.691433] [<ffffffff837857c7>] worker_thread+0xa4a/0xde7
[ 50.702382] [<ffffffff83784d7d>] ? queue_work_on+0x24/0x24
[ 50.789640] [<ffffffff836b1a65>] kthread+0x184/0x194
[ 50.795498] [<ffffffff836b18e1>] ? flush_kthread_worker+0xb5/0xb5
[ 50.803652] [<ffffffff841f0b2f>] ret_from_fork+0x3f/0x70
[ 50.810170] [<ffffffff836b18e1>] ? flush_kthread_worker+0xb5/0xb5
[ 50.892277] Memory state around the buggy address:
[ 50.915833] ffff8800474e5c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 50.924205] ffff8800474e5c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 50.992933] >ffff8800474e5d00: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 51.041158] ^
[ 51.050496] ffff8800474e5d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 51.060276] ffff8800474e5e00: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[ 51.093132] ==================================================================
[ 51.193853] Bluetooth: COND LE cmd (0x0000) is already 0 (chg 0), skip transition to 0
[ 51.292008] Bluetooth: COND call queue_work.
[ 51.297728] Bluetooth: Failed to start discovery: status 0x1f
[ 61.488945] Bluetooth: Failed to start discovery: status 0x0c
[ 71.474581] ==================================================================
[ 71.578753] BUG: KASAN: use-after-free in hci_cmd_work+0x251/0x3a7 [bluetooth] at addr ffff880152f3ed30
[ 71.606959] Read of size 2 by task kworker/u9:2/338
[ 71.613571] =============================================================================
[ 71.624142] BUG skbuff_head_cache (Tainted: G BU ): kasan: bad access detected
[ 71.679140] -----------------------------------------------------------------------------
[ 71.770415] INFO: Allocated in __alloc_skb+0x5d/0x2be age=91 cpu=0 pid=1312
[ 71.780012] kmem_cache_alloc+0x5ba/0x893
[ 71.789011] __alloc_skb+0x5d/0x2be
[ 71.857354] alloc_skb_with_frags+0x7d/0x2b8
[ 71.862576] sock_alloc_send_pskb+0x2f2/0x469
[ 71.868574] unix_stream_sendmsg+0x292/0x7dc
[ 71.874510] SYSC_sendto+0x1f8/0x259
[ 71.879217] SyS_sendto+0xe/0x10
[ 71.883001] entry_SYSCALL_64_fastpath+0x1c/0x8f
[ 71.957683] INFO: Freed in __kfree_skb+0x94/0x97 age=278 cpu=2 pid=1250
[ 71.976773] kmem_cache_free+0xf2/0x52c
[ 71.981250] __kfree_skb+0x94/0x97
[ 71.989843] consume_skb+0xeb/0xf2
[ 71.993779] unix_stream_read_generic+0xb76/0xd74
[ 72.081198] sock_recvmsg_nosec+0x49/0x52
[ 72.108522] sock_recvmsg+0x36/0x3f
[ 72.560532] ___sys_recvmsg+0x3d6/0x5ad
[ 72.564977] SyS_recvmsg+0xb6/0x109
[ 72.569017] entry_SYSCALL_64_fastpath+0x1c/0x8f
[ 72.574360] INFO: Slab 0xffffea00054bcf00 objects=28 used=5 fp=0xffff880152f3fa80 flags=0x8000000000004080
[ 72.585598] INFO: Object 0xffff880152f3ed00 @offset=11520 fp=0xffff880152f3c900
[ 72.611063] Bytes b4 ffff880152f3ecf0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
[ 72.622555] Object ffff880152f3ed00: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 72.634096] Object ffff880152f3ed10: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 72.685324] Object ffff880152f3ed20: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 72.774463] Object ffff880152f3ed30: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 72.785962] Object ffff880152f3ed40: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 72.861955] Object ffff880152f3ed50: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 72.873012] Object ffff880152f3ed60: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 72.884823] Object ffff880152f3ed70: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 72.981204] Object ffff880152f3ed80: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 72.994598] Object ffff880152f3ed90: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 73.005392] Object ffff880152f3eda0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 73.087531] Object ffff880152f3edb0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 73.113327] Object ffff880152f3edc0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 73.124627] Object ffff880152f3edd0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5 kkkkkkkkkkkkkkk.
[ 73.136929] Redzone ffff880152f3ede0: bb bb bb bb bb bb bb bb ........
[ 73.163298] Padding ffff880152f3ef20: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
[ 73.174169] Padding ffff880152f3ef30: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
[ 73.185036] CPU: 1 PID: 338 Comm: kworker/u9:2 Tainted: G BU 4.4.104-12291-g8ba350f8efef #14
[ 73.364068] Workqueue: hci0 hci_cmd_work [bluetooth]
[ 73.370898] ffff880152f3c010 d1a1bb7e786623fc ffff880158d87c98 ffffffff83a676a4
[ 73.381080] ffff88015a70eac0 ffff880152f3ed00 ffff880158d87cc8 ffffffff83803aca
[ 73.390825] ffff88015a70eac0 ffffea00054bcf00 ffff880152f3ed00 ffffffff843c287b
[ 73.491382] Call Trace:
[ 73.565056] [<ffffffff83a676a4>] dump_stack+0x4d/0x63
[ 73.590108] [<ffffffff83803aca>] print_trailer+0x125/0x12e
[ 73.614864] [<ffffffff83803de4>] object_err+0x36/0x3d
[ 73.620993] [<ffffffff83808286>] kasan_report+0x33b/0x4da
[ 73.628196] [<ffffffffc05e435d>] ? hci_cmd_work+0x251/0x3a7 [bluetooth]
[ 73.636784] [<ffffffff83807727>] __asan_load2+0x69/0x6b
[ 73.690504] [<ffffffffc05e435d>] hci_cmd_work+0x251/0x3a7 [bluetooth]
[ 73.778612] [<ffffffff837857c7>] worker_thread+0xa4a/0xde7
[ 73.791190] [<ffffffff83784d7d>] ? queue_work_on+0x24/0x24
[ 73.798143] [<ffffffff836b1a65>] kthread+0x184/0x194
[ 73.803993] [<ffffffff836b18e1>] ? flush_kthread_worker+0xb5/0xb5
[ 73.811143] [<ffffffff841f0b2f>] ret_from_fork+0x3f/0x70
[ 73.817392] [<ffffffff836b18e1>] ? flush_kthread_worker+0xb5/0xb5
[ 73.824544] Memory state around the buggy address:
[ 73.830089] ffff880152f3ec00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 73.838447] ffff880152f3ec80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 73.846806] >ffff880152f3ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 73.855155] ^
[ 73.860700] ffff880152f3ed80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 73.869389] ffff880152f3ee00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 73.878007] ==================================================================
[ 73.893173] Bluetooth: COND LE cmd (0xffff) is already 0 (chg 0), skip transition to 0
[ 73.985927] Bluetooth: COND call queue_work.
[ 73.992400] Bluetooth: Failed to start discovery: status 0x1f
etc.
,
Dec 14 2017
As a workaround, this disables bluetooth after reboot:
mount -o remount,rw /
printf 'blacklist btusb' > /etc/modprobe.d/no-bluetooth-autoload.conf
There was another KASAN error with wifi; disabling wifi requires one more command:
printf 'blacklist iwlwifi' > /etc/modprobe.d/no-wifi-autoload.conf
printf manual > /etc/init/preload-network.override
,
Dec 15 2017
,
Dec 16 2017
With groeck@'s help, I could build a v4.4 kernel with kasan. I can reproduce "use-after-free" errors. But the errors occurred with another function instead of the hci_cmd_work() reported here. I am still investigating. Will update later.
,
Dec 19 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/efecc2e9c0dd197948cb9714a2beb3312fe783e0

commit efecc2e9c0dd197948cb9714a2beb3312fe783e0
Author: Joseph Hwang <josephsih@chromium.org>
Date: Tue Dec 19 06:55:10 2017

CHROMIUM: bluetooth: fix use-after-free error

This patch fixed a use-after-free error. The statement to print the opcode of current command should be executed before the skb is freed.

BUG=chromium:782910
TEST=Verify with the following steps.
Step 1: Build a KASAN kernel for a chromebook, say eve, without this patch.
(cr) $ USE="kasan" FEATURES="noclean" cros_workon_make --board=eve --install chromeos-kernel-4_4
Use bluetoothctl to start discovery with "scan on" and then "scan off" after a few seconds. We would see the following use-after-free error.
ERR kernel: [ 524.812008] BUG: KASAN: use-after-free in hci_reset_dev
Step 2: Build a KASAN kernel for a chromebook, say eve, with this patch.
(cr) $ USE="kasan" FEATURES="noclean" cros_workon_make --board=eve --install chromeos-kernel-4_4
Use bluetoothctl to start discovery with "scan on" and then "scan off" after a few seconds. Verify that there is no more use-after-free error in dmesg.

Change-Id: I37c06f00cf31375bac0e3176c31ad131fa53667b
Signed-off-by: Joseph Hwang <josephsih@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/827042
Commit-Ready: Shyh-In Hwang <josephsih@chromium.org>
Tested-by: Shyh-In Hwang <josephsih@chromium.org>
Reviewed-by: Miao-chen Chou <mcchou@chromium.org>

[modify] https://crrev.com/efecc2e9c0dd197948cb9714a2beb3312fe783e0/net/bluetooth/hci_core.c
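The ordering bug the commit message describes, as an added stand-alone C model written for this page (it is neither the kernel's hci_cmd_work() nor the patch): a mock allocator poisons freed buffers with 0x6b, the SLUB free poison that shows up as the "kkkk" rows in the dumps above, so reading the 2-byte opcode after the send path has consumed the skb returns poison, while capturing it first returns the real opcode. All mock_* helpers, the arena, and the sample opcode are assumptions made for the illustration.

```c
/* Added illustration of "read the opcode before the skb is freed".
 * Userspace model only; the helper names are assumptions, not kernel API. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POISON_FREE 0x6b   /* SLUB poison for freed objects ("kkkk" in the dumps) */
#define SKB_DATA_LEN 16
#define ARENA_SLOTS 4

/* Minimal stand-in for a socket buffer holding an HCI command packet:
 * 2-byte little-endian opcode followed by a 1-byte parameter length. */
struct mock_skb {
    size_t len;
    uint8_t data[SKB_DATA_LEN];
};

/* Tiny static arena so a "freed" buffer stays readable and poisoned; this
 * keeps the stale read deterministic instead of undefined behaviour. */
static struct mock_skb arena[ARENA_SLOTS];
static unsigned int arena_next;

static struct mock_skb *mock_skb_alloc(uint16_t opcode, uint8_t plen)
{
    struct mock_skb *skb = &arena[arena_next++ % ARENA_SLOTS];
    memset(skb, 0, sizeof(*skb));
    skb->data[0] = (uint8_t)(opcode & 0xff);
    skb->data[1] = (uint8_t)(opcode >> 8);
    skb->data[2] = plen;
    skb->len = 3u + plen;
    return skb;
}

/* Models kfree_skb(): the object is poisoned the way the freed-object
 * dumps in the reports show. */
static void mock_kfree_skb(struct mock_skb *skb)
{
    memset(skb, POISON_FREE, sizeof(*skb));
}

/* Models the driver send path consuming the skb: after this call the
 * caller no longer owns the buffer and must not touch it. */
static void mock_send_frame(struct mock_skb *skb)
{
    mock_kfree_skb(skb);
}

/* The 2-byte opcode read, matching the "Read of size 2" KASAN flagged. */
static uint16_t hci_skb_opcode(const struct mock_skb *skb)
{
    return (uint16_t)(skb->data[0] | (skb->data[1] << 8));
}

/* Buggy ordering: hand the skb off (which frees it), then read the opcode
 * for the debug print. Returns what the stale read observes. */
uint16_t cmd_work_buggy(uint16_t opcode)
{
    struct mock_skb *skb = mock_skb_alloc(opcode, 0);
    mock_send_frame(skb);
    return hci_skb_opcode(skb);   /* use-after-free: yields 0x6b6b poison */
}

/* Fixed ordering: capture the opcode while the skb is live, then send. */
uint16_t cmd_work_fixed(uint16_t opcode)
{
    struct mock_skb *skb = mock_skb_alloc(opcode, 0);
    uint16_t logged = hci_skb_opcode(skb);
    mock_send_frame(skb);
    return logged;
}

int main(void)
{
    /* 0x0c03 is the HCI_Reset opcode, used here only as a sample value. */
    printf("buggy read: 0x%04x\n", cmd_work_buggy(0x0c03));
    printf("fixed read: 0x%04x\n", cmd_work_fixed(0x0c03));
    return 0;
}
```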
,
Dec 19 2017
,
Dec 19 2017
This bug requires manual review: M64 has already been promoted to the beta branch, so this requires manual review. Please contact the milestone owner if you have questions.
Owners: cmasso@ (Android), cmasso@ (iOS), kbleicher@ (ChromeOS), abdulsyed@ (Desktop)
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
,
Dec 19 2017
Hi groeck@, could you help see whether the 'use-after-free' is gone? Thanks!
,
Dec 19 2017
This needs to be backported to kernel 3.18 too (at least), see issue 795183 that was duped into this.
,
Dec 19 2017
How bad is the user impact with this bug in place? Confirmed that this is a regression? We're far along in M64 and I'd like to be sure we need the merge. Thanks
,
Dec 19 2017
#11: I don't see the problem anymore on eve, where it used to be quite common.
,
Dec 19 2017
,
Dec 19 2017
,
Dec 19 2017
,
Dec 20 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/759ad18fe788b842e19637a1b53b88999ec07210

commit 759ad18fe788b842e19637a1b53b88999ec07210
Author: Joseph Hwang <josephsih@chromium.org>
Date: Wed Dec 20 03:49:28 2017

CHROMIUM: bluetooth: fix use-after-free error

This patch fixed a use-after-free error. The statement to print the opcode of current command should be executed before the skb is freed.

BUG=chromium:782910
TEST=Verify with the following steps.
Step 1: Build a KASAN kernel for a chromebook, say eve, without this patch.
(cr) $ USE="kasan" FEATURES="noclean" cros_workon_make --board=eve --install chromeos-kernel-4_4
Use bluetoothctl to start discovery with "scan on" and then "scan off" after a few seconds. We would see the following use-after-free error.
ERR kernel: [ 524.812008] BUG: KASAN: use-after-free in hci_reset_dev
Step 2: Build a KASAN kernel for a chromebook, say eve, with this patch.
(cr) $ USE="kasan" FEATURES="noclean" cros_workon_make --board=eve --install chromeos-kernel-4_4
Use bluetoothctl to start discovery with "scan on" and then "scan off" after a few seconds. Verify that there is no more use-after-free error in dmesg.

Change-Id: I37c06f00cf31375bac0e3176c31ad131fa53667b
Signed-off-by: Joseph Hwang <josephsih@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/827042
Commit-Ready: Shyh-In Hwang <josephsih@chromium.org>
Tested-by: Shyh-In Hwang <josephsih@chromium.org>
Reviewed-by: Miao-chen Chou <mcchou@chromium.org>
(cherry picked from commit efecc2e9c0dd197948cb9714a2beb3312fe783e0)

[modify] https://crrev.com/759ad18fe788b842e19637a1b53b88999ec07210/net/bluetooth/hci_core.c
,
Dec 20 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/f558529c6ade7dbbcb7d0fc01fa84be7e4ab1ca4

commit f558529c6ade7dbbcb7d0fc01fa84be7e4ab1ca4
Author: Joseph Hwang <josephsih@chromium.org>
Date: Wed Dec 20 03:49:22 2017

CHROMIUM: bluetooth: fix use-after-free error

This patch fixed a use-after-free error. The statement to print the opcode of current command should be executed before the skb is freed.

BUG=chromium:782910
TEST=Verify with the following steps.
Step 1: Build a KASAN kernel for a chromebook, say eve, without this patch.
(cr) $ USE="kasan" FEATURES="noclean" cros_workon_make --board=eve --install chromeos-kernel-4_4
Use bluetoothctl to start discovery with "scan on" and then "scan off" after a few seconds. We would see the following use-after-free error.
ERR kernel: [ 524.812008] BUG: KASAN: use-after-free in hci_reset_dev
Step 2: Build a KASAN kernel for a chromebook, say eve, with this patch.
(cr) $ USE="kasan" FEATURES="noclean" cros_workon_make --board=eve --install chromeos-kernel-4_4
Use bluetoothctl to start discovery with "scan on" and then "scan off" after a few seconds. Verify that there is no more use-after-free error in dmesg.

Change-Id: I37c06f00cf31375bac0e3176c31ad131fa53667b
Signed-off-by: Joseph Hwang <josephsih@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/827042
Commit-Ready: Shyh-In Hwang <josephsih@chromium.org>
Tested-by: Shyh-In Hwang <josephsih@chromium.org>
Reviewed-by: Miao-chen Chou <mcchou@chromium.org>
(cherry picked from commit efecc2e9c0dd197948cb9714a2beb3312fe783e0)

[modify] https://crrev.com/f558529c6ade7dbbcb7d0fc01fa84be7e4ab1ca4/net/bluetooth/hci_core.c
,
Dec 20 2017
M64: Awaiting merge outcome for M63 prior to review/approval.
,
Dec 20 2017
Trying to answer #13: This is a use-after-free. The fix should be applied, period. We can make all assumptions we want, but effectively there is no means to _guarantee_ that there is no impact for this class of bugs. Sure, we can _assume_ (or rather hope) that there is little or no impact, as long as the memory address being accessed is still mapped into kernel memory. I personally refuse to make such assumptions, as it often turns out to be wrong. On the other side, we _can_ make a prediction of the impact or risk of this specific fix, which is effectively zero.
,
Dec 20 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/85249c2e9703f128213eba849af9984a941b33ff

commit 85249c2e9703f128213eba849af9984a941b33ff
Author: Joseph Hwang <josephsih@chromium.org>
Date: Wed Dec 20 20:54:00 2017

CHROMIUM: bluetooth: fix use-after-free error

This patch fixed a use-after-free error. The statement to print the opcode of current command should be executed before the skb is freed.

BUG=chromium:782910
TEST=Verify with the following steps.
Step 1: Build a KASAN kernel for a chromebook, say eve, without this patch.
(cr) $ USE="kasan" FEATURES="noclean" cros_workon_make --board=eve --install chromeos-kernel-4_4
Use bluetoothctl to start discovery with "scan on" and then "scan off" after a few seconds.
We would see the following use-after-free error.
ERR kernel: [ 524.812008] BUG: KASAN: use-after-free in hci_reset_dev
Step 2: Build a KASAN kernel for a chromebook, say eve, with this patch.
(cr) $ USE="kasan" FEATURES="noclean" cros_workon_make --board=eve --install chromeos-kernel-4_4
Use bluetoothctl to start discovery with "scan on" and then "scan off" after a few seconds.
Verify that there is no more use-after-free error in dmesg.

Change-Id: I37c06f00cf31375bac0e3176c31ad131fa53667b
Signed-off-by: Joseph Hwang <josephsih@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/827042
Commit-Ready: Shyh-In Hwang <josephsih@chromium.org>
Tested-by: Shyh-In Hwang <josephsih@chromium.org>
Reviewed-by: Miao-chen Chou <mcchou@chromium.org>
(cherry picked from commit efecc2e9c0dd197948cb9714a2beb3312fe783e0)

[modify] https://crrev.com/85249c2e9703f128213eba849af9984a941b33ff/net/bluetooth/hci_core.c
,
Dec 20 2017
Disregard comment #20 re: M63. Re: #21: If that case does happen, what's the impact to the user?
,
Dec 20 2017
Re #23. If the case does happen, the kernel will crash due to accessing invalid memory, and that leads to a reboot.
,
Dec 21 2017
Approving merge to M64 Chrome OS.
,
Dec 21 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/7c40d5b5ae436eb2ee5b20a275ed5b866bc45a8f

commit 7c40d5b5ae436eb2ee5b20a275ed5b866bc45a8f
Author: Joseph Hwang <josephsih@chromium.org>
Date: Thu Dec 21 23:19:43 2017

CHROMIUM: bluetooth: fix use-after-free error

This patch fixed a use-after-free error. The statement to print the opcode of current command should be executed before the skb is freed.

BUG=chromium:782910
TEST=Verify with the following steps.
Step 1: Build a KASAN kernel for a chromebook, say eve, without this patch.
(cr) $ USE="kasan" FEATURES="noclean" cros_workon_make --board=eve --install chromeos-kernel-4_4
Use bluetoothctl to start discovery with "scan on" and then "scan off" after a few seconds.
We would see the following use-after-free error.
ERR kernel: [ 524.812008] BUG: KASAN: use-after-free in hci_reset_dev
Step 2: Build a KASAN kernel for a chromebook, say eve, with this patch.
(cr) $ USE="kasan" FEATURES="noclean" cros_workon_make --board=eve --install chromeos-kernel-4_4
Use bluetoothctl to start discovery with "scan on" and then "scan off" after a few seconds.
Verify that there is no more use-after-free error in dmesg.

Change-Id: I37c06f00cf31375bac0e3176c31ad131fa53667b
Signed-off-by: Joseph Hwang <josephsih@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/827042
Commit-Ready: Shyh-In Hwang <josephsih@chromium.org>
Tested-by: Shyh-In Hwang <josephsih@chromium.org>
Reviewed-by: Miao-chen Chou <mcchou@chromium.org>
(cherry picked from commit efecc2e9c0dd197948cb9714a2beb3312fe783e0)
Reviewed-on: https://chromium-review.googlesource.com/841482
Commit-Queue: Miao-chen Chou <mcchou@chromium.org>
Tested-by: Miao-chen Chou <mcchou@chromium.org>

[modify] https://crrev.com/7c40d5b5ae436eb2ee5b20a275ed5b866bc45a8f/net/bluetooth/hci_core.c
,
Dec 21 2017
Can we also have M63 merge request reviewed? Thanks.
,
Dec 21 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/b57bc9a873105f5cd3fc00b3801350b27ceb70f5

commit b57bc9a873105f5cd3fc00b3801350b27ceb70f5
Author: Joseph Hwang <josephsih@chromium.org>
Date: Thu Dec 21 23:24:14 2017

CHROMIUM: bluetooth: fix use-after-free error

This patch fixed a use-after-free error. The statement to print the opcode of current command should be executed before the skb is freed.

BUG=chromium:782910
TEST=Verify with the following steps.
Step 1: Build a KASAN kernel for a chromebook, say eve, without this patch.
(cr) $ USE="kasan" FEATURES="noclean" cros_workon_make --board=eve --install chromeos-kernel-4_4
Use bluetoothctl to start discovery with "scan on" and then "scan off" after a few seconds.
We would see the following use-after-free error.
ERR kernel: [ 524.812008] BUG: KASAN: use-after-free in hci_reset_dev
Step 2: Build a KASAN kernel for a chromebook, say eve, with this patch.
(cr) $ USE="kasan" FEATURES="noclean" cros_workon_make --board=eve --install chromeos-kernel-4_4
Use bluetoothctl to start discovery with "scan on" and then "scan off" after a few seconds.
Verify that there is no more use-after-free error in dmesg.

Change-Id: I37c06f00cf31375bac0e3176c31ad131fa53667b
Signed-off-by: Joseph Hwang <josephsih@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/827042
Commit-Ready: Shyh-In Hwang <josephsih@chromium.org>
Tested-by: Shyh-In Hwang <josephsih@chromium.org>
Reviewed-by: Miao-chen Chou <mcchou@chromium.org>
(cherry picked from commit efecc2e9c0dd197948cb9714a2beb3312fe783e0)
(cherry picked from commit 759ad18fe788b842e19637a1b53b88999ec07210)
Reviewed-on: https://chromium-review.googlesource.com/841503
Commit-Queue: Miao-chen Chou <mcchou@chromium.org>
Tested-by: Miao-chen Chou <mcchou@chromium.org>

[modify] https://crrev.com/b57bc9a873105f5cd3fc00b3801350b27ceb70f5/net/bluetooth/hci_core.c
,
Dec 21 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/94006fdaa7647640827a0f35177f17e2e36b1e49

commit 94006fdaa7647640827a0f35177f17e2e36b1e49
Author: Joseph Hwang <josephsih@chromium.org>
Date: Thu Dec 21 23:24:27 2017

CHROMIUM: bluetooth: fix use-after-free error

This patch fixed a use-after-free error. The statement to print the opcode of current command should be executed before the skb is freed.

BUG=chromium:782910
TEST=Verify with the following steps.
Step 1: Build a KASAN kernel for a chromebook, say eve, without this patch.
(cr) $ USE="kasan" FEATURES="noclean" cros_workon_make --board=eve --install chromeos-kernel-4_4
Use bluetoothctl to start discovery with "scan on" and then "scan off" after a few seconds.
We would see the following use-after-free error.
ERR kernel: [ 524.812008] BUG: KASAN: use-after-free in hci_reset_dev
Step 2: Build a KASAN kernel for a chromebook, say eve, with this patch.
(cr) $ USE="kasan" FEATURES="noclean" cros_workon_make --board=eve --install chromeos-kernel-4_4
Use bluetoothctl to start discovery with "scan on" and then "scan off" after a few seconds.
Verify that there is no more use-after-free error in dmesg.

Change-Id: I37c06f00cf31375bac0e3176c31ad131fa53667b
Signed-off-by: Joseph Hwang <josephsih@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/827042
Commit-Ready: Shyh-In Hwang <josephsih@chromium.org>
Tested-by: Shyh-In Hwang <josephsih@chromium.org>
Reviewed-by: Miao-chen Chou <mcchou@chromium.org>
(cherry picked from commit efecc2e9c0dd197948cb9714a2beb3312fe783e0)
(cherry picked from commit f558529c6ade7dbbcb7d0fc01fa84be7e4ab1ca4)
Reviewed-on: https://chromium-review.googlesource.com/841483
Commit-Queue: Miao-chen Chou <mcchou@chromium.org>
Tested-by: Miao-chen Chou <mcchou@chromium.org>

[modify] https://crrev.com/94006fdaa7647640827a0f35177f17e2e36b1e49/net/bluetooth/hci_core.c
,
Dec 21 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/808c4f25e16f3a666d55845f1e1630f8f433c277

commit 808c4f25e16f3a666d55845f1e1630f8f433c277
Author: Joseph Hwang <josephsih@chromium.org>
Date: Thu Dec 21 23:24:21 2017

CHROMIUM: bluetooth: fix use-after-free error

This patch fixed a use-after-free error. The statement to print the opcode of current command should be executed before the skb is freed.

BUG=chromium:782910
TEST=Verify with the following steps.
Step 1: Build a KASAN kernel for a chromebook, say eve, without this patch.
(cr) $ USE="kasan" FEATURES="noclean" cros_workon_make --board=eve --install chromeos-kernel-4_4
Use bluetoothctl to start discovery with "scan on" and then "scan off" after a few seconds.
We would see the following use-after-free error.
ERR kernel: [ 524.812008] BUG: KASAN: use-after-free in hci_reset_dev
Step 2: Build a KASAN kernel for a chromebook, say eve, with this patch.
(cr) $ USE="kasan" FEATURES="noclean" cros_workon_make --board=eve --install chromeos-kernel-4_4
Use bluetoothctl to start discovery with "scan on" and then "scan off" after a few seconds.
Verify that there is no more use-after-free error in dmesg.

Change-Id: I37c06f00cf31375bac0e3176c31ad131fa53667b
Signed-off-by: Joseph Hwang <josephsih@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/827042
Commit-Ready: Shyh-In Hwang <josephsih@chromium.org>
Tested-by: Shyh-In Hwang <josephsih@chromium.org>
Reviewed-by: Miao-chen Chou <mcchou@chromium.org>
(cherry picked from commit efecc2e9c0dd197948cb9714a2beb3312fe783e0)
(cherry picked from commit 85249c2e9703f128213eba849af9984a941b33ff)
Reviewed-on: https://chromium-review.googlesource.com/841502
Commit-Queue: Miao-chen Chou <mcchou@chromium.org>
Tested-by: Miao-chen Chou <mcchou@chromium.org>

[modify] https://crrev.com/808c4f25e16f3a666d55845f1e1630f8f433c277/net/bluetooth/hci_core.c
,
Jan 2 2018
,
Jan 2 2018
Merge approved for M63
,
Jan 2 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/5af576abdf5f4367af69e29cdd5914a174be633a

commit 5af576abdf5f4367af69e29cdd5914a174be633a
Author: Joseph Hwang <josephsih@chromium.org>
Date: Tue Jan 02 22:42:25 2018

CHROMIUM: bluetooth: fix use-after-free error

This patch fixed a use-after-free error. The statement to print the opcode of current command should be executed before the skb is freed.

BUG=chromium:782910
TEST=Verify with the following steps.
Step 1: Build a KASAN kernel for a chromebook, say eve, without this patch.
(cr) $ USE="kasan" FEATURES="noclean" cros_workon_make --board=eve --install chromeos-kernel-4_4
Use bluetoothctl to start discovery with "scan on" and then "scan off" after a few seconds.
We would see the following use-after-free error.
ERR kernel: [ 524.812008] BUG: KASAN: use-after-free in hci_reset_dev
Step 2: Build a KASAN kernel for a chromebook, say eve, with this patch.
(cr) $ USE="kasan" FEATURES="noclean" cros_workon_make --board=eve --install chromeos-kernel-4_4
Use bluetoothctl to start discovery with "scan on" and then "scan off" after a few seconds.
Verify that there is no more use-after-free error in dmesg.

Change-Id: I37c06f00cf31375bac0e3176c31ad131fa53667b
Signed-off-by: Joseph Hwang <josephsih@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/827042
Commit-Ready: Shyh-In Hwang <josephsih@chromium.org>
Tested-by: Shyh-In Hwang <josephsih@chromium.org>
Reviewed-by: Miao-chen Chou <mcchou@chromium.org>
(cherry picked from commit efecc2e9c0dd197948cb9714a2beb3312fe783e0)
Reviewed-on: https://chromium-review.googlesource.com/834628
Commit-Queue: Miao-chen Chou <mcchou@chromium.org>
Tested-by: Miao-chen Chou <mcchou@chromium.org>

[modify] https://crrev.com/5af576abdf5f4367af69e29cdd5914a174be633a/net/bluetooth/hci_core.c
,
Feb 12 2018
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Feb 12 2018
I think this is as merged as it's gonna get.
Comment 1 by groeck@chromium.org, Nov 8 2017