hana with img-ddk 1.9 driver, KASAN enabled (build kernel with USE="kasan", img-ddk driver update should not matter here):
- https://uberchromegw.corp.google.com/i/chromiumos.tryserver/builders/release/builds/18358
- hana-release-tryjob/R65-10216.0.0-b18358
Running graphics_GLMark2 in the lab (I don't think the specific test matters here), I happened to spot this splat:
2017-12-15T04:30:26.253405+00:00 ERR kernel: [ 1857.051678] ==================================================================
2017-12-15T04:30:26.253426+00:00 ERR kernel: [ 1857.051768] BUG: KASAN: use-after-free in hci_cmd_work+0x280/0x408 [bluetooth] at addr ffffffc0831ac930
2017-12-15T04:30:26.253429+00:00 ERR kernel: [ 1857.051777] Read of size 2 by task kworker/u9:1/17465
2017-12-15T04:30:26.253431+00:00 ERR kernel: [ 1857.051784] =============================================================================
2017-12-15T04:30:26.253434+00:00 ERR kernel: [ 1857.051793] BUG skbuff_head_cache (Not tainted): kasan: bad access detected
2017-12-15T04:30:26.253435+00:00 ERR kernel: [ 1857.051800] -----------------------------------------------------------------------------
2017-12-15T04:30:26.253437+00:00 ERR kernel: [ 1857.051800]
2017-12-15T04:30:26.253439+00:00 WARNING kernel: [ 1857.051809] Disabling lock debugging due to kernel taint
2017-12-15T04:30:26.253441+00:00 ERR kernel: [ 1857.051827] INFO: Allocated in __alloc_skb+0x6c/0x23c age=0 cpu=2 pid=14406
2017-12-15T04:30:26.253443+00:00 ERR kernel: [ 1857.051844] alloc_debug_processing+0x114/0x16c
2017-12-15T04:30:26.253445+00:00 ERR kernel: [ 1857.051854] ___slab_alloc.constprop.56+0x678/0x78c
2017-12-15T04:30:26.253446+00:00 ERR kernel: [ 1857.051868] kmem_cache_alloc+0xc4/0x228
2017-12-15T04:30:26.253448+00:00 ERR kernel: [ 1857.051877] __alloc_skb+0x68/0x23c
2017-12-15T04:30:26.253450+00:00 ERR kernel: [ 1857.051986] hci_prepare_cmd+0x38/0x108 [bluetooth]
2017-12-15T04:30:26.253452+00:00 ERR kernel: [ 1857.052091] hci_req_add_ev+0x60/0xf8 [bluetooth]
2017-12-15T04:30:26.253454+00:00 ERR kernel: [ 1857.052196] hci_req_add+0x38/0x48 [bluetooth]
2017-12-15T04:30:26.253456+00:00 ERR kernel: [ 1857.052301] hci_req_add_le_scan_disable+0x44/0x70 [bluetooth]
2017-12-15T04:30:26.253458+00:00 ERR kernel: [ 1857.052406] active_scan+0x150/0x220 [bluetooth]
2017-12-15T04:30:26.253460+00:00 ERR kernel: [ 1857.052509] __hci_req_sync+0x98/0x2d4 [bluetooth]
2017-12-15T04:30:26.253462+00:00 ERR kernel: [ 1857.052518] compat_SyS_writev+0x9c/0x104
2017-12-15T04:30:26.253464+00:00 ERR kernel: [ 1857.052530] el0_svc_naked+0x20/0x28
2017-12-15T04:30:26.253465+00:00 ERR kernel: [ 1857.052541] INFO: Freed in __kfree_skb+0xe4/0xf0 age=1 cpu=2 pid=17465
2017-12-15T04:30:26.253467+00:00 ERR kernel: [ 1857.052550] free_debug_processing+0x248/0x328
2017-12-15T04:30:26.253469+00:00 ERR kernel: [ 1857.052559] __slab_free+0x70/0x534
2017-12-15T04:30:26.253471+00:00 ERR kernel: [ 1857.052568] kmem_cache_free+0x1a0/0x244
2017-12-15T04:30:26.253473+00:00 ERR kernel: [ 1857.052576] __kfree_skb+0xe0/0xf0
2017-12-15T04:30:26.253475+00:00 ERR kernel: [ 1857.052587] kfree_skb+0x11c/0x130
2017-12-15T04:30:26.253476+00:00 ERR kernel: [ 1857.052651] hci_cmd_work+0x274/0x408 [bluetooth]
2017-12-15T04:30:26.253478+00:00 ERR kernel: [ 1857.052662] worker_thread+0xbd4/0x10e8
2017-12-15T04:30:26.253480+00:00 ERR kernel: [ 1857.052671] kthread+0x144/0x15c
2017-12-15T04:30:26.253482+00:00 ERR kernel: [ 1857.052680] ret_from_fork+0xc/0x50
2017-12-15T04:30:26.253484+00:00 ERR kernel: [ 1857.052688] INFO: Slab 0xffffffbdc30c6b00 objects=28 used=5 fp=0xffffffc0831af3c0 flags=0x4080
2017-12-15T04:30:26.253486+00:00 ERR kernel: [ 1857.052697] INFO: Object 0xffffffc0831ac900 @offset=2304 fp=0xffffffc0831ac480
2017-12-15T04:30:26.253488+00:00 ERR kernel: [ 1857.052697]
2017-12-15T04:30:26.253490+00:00 ERR kernel: [ 1857.052708] Bytes b4 ffffffc0831ac8f0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
2017-12-15T04:30:26.253492+00:00 ERR kernel: [ 1857.052718] Object ffffffc0831ac900: c0 f2 fc 83 c0 ff ff ff 40 d4 f4 2b c0 ff ff ff ........@..+....
2017-12-15T04:30:26.253494+00:00 ERR kernel: [ 1857.052727] Object ffffffc0831ac910: 00 00 00 00 00 00 00 00 00 1e 84 45 c0 ff ff ff ...........E....
2017-12-15T04:30:26.253496+00:00 ERR kernel: [ 1857.052735] Object ffffffc0831ac920: 00 00 00 00 00 00 00 00 40 1a 8c 45 c0 ff ff ff ........@..E....
2017-12-15T04:30:26.253498+00:00 ERR kernel: [ 1857.052744] Object ffffffc0831ac930: 1e 27 0a 00 1e 27 0a 00 00 00 00 00 00 00 00 00 .'...'..........
2017-12-15T04:30:26.253500+00:00 ERR kernel: [ 1857.052752] Object ffffffc0831ac940: ea 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
2017-12-15T04:30:26.253503+00:00 ERR kernel: [ 1857.052761] Object ffffffc0831ac950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
2017-12-15T04:30:26.253505+00:00 ERR kernel: [ 1857.052769] Object ffffffc0831ac960: 14 1b 3a 00 c0 ff ff ff 00 00 00 00 00 00 00 00 ..:.............
2017-12-15T04:30:26.253507+00:00 ERR kernel: [ 1857.052778] Object ffffffc0831ac970: 00 00 00 00 00 00 00 00 3a 00 00 00 00 00 00 00 ........:.......
2017-12-15T04:30:26.253509+00:00 ERR kernel: [ 1857.052787] Object ffffffc0831ac980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
2017-12-15T04:30:26.253511+00:00 ERR kernel: [ 1857.052796] Object ffffffc0831ac990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
2017-12-15T04:30:26.253514+00:00 ERR kernel: [ 1857.052804] Object ffffffc0831ac9a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
2017-12-15T04:30:26.253516+00:00 ERR kernel: [ 1857.052812] Object ffffffc0831ac9b0: 00 00 00 00 00 00 00 00 00 00 ff ff 00 00 ff ff ................
2017-12-15T04:30:26.253518+00:00 ERR kernel: [ 1857.052821] Object ffffffc0831ac9c0: 3a 00 00 00 c0 00 00 00 00 23 b1 27 c0 ff ff ff :........#.'....
2017-12-15T04:30:26.253520+00:00 ERR kernel: [ 1857.052830] Object ffffffc0831ac9d0: 00 23 b1 27 c0 ff ff ff 00 03 00 00 01 00 00 00 .#.'............
2017-12-15T04:30:26.253522+00:00 ERR kernel: [ 1857.052838] Redzone ffffffc0831ac9e0: cc cc cc cc cc cc cc cc ........
2017-12-15T04:30:26.253524+00:00 ERR kernel: [ 1857.052847] Padding ffffffc0831acb20: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
2017-12-15T04:30:26.253526+00:00 ERR kernel: [ 1857.052857] Padding ffffffc0831acb30: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
2017-12-15T04:30:26.253528+00:00 WARNING kernel: [ 1857.052868] CPU: 2 PID: 17465 Comm: kworker/u9:1 Tainted: G B 3.18.0-16378-g3eac9c1e6590-dirty #1
2017-12-15T04:30:26.253530+00:00 WARNING kernel: [ 1857.052875] Hardware name: Mediatek Hana rev0 board (DT)
2017-12-15T04:30:26.253532+00:00 WARNING kernel: [ 1857.052941] Workqueue: hci0 hci_cmd_work [bluetooth]
2017-12-15T04:30:26.253534+00:00 EMERG kernel: [ 1857.052950] Call trace:
2017-12-15T04:30:26.253536+00:00 WARNING kernel: [ 1857.052959] [<ffffffc0003b6084>] dump_backtrace+0x0/0x190
2017-12-15T04:30:26.253538+00:00 WARNING kernel: [ 1857.052968] [<ffffffc0003b6348>] show_stack+0x1c/0x28
2017-12-15T04:30:26.253540+00:00 WARNING kernel: [ 1857.052978] [<ffffffc000c8a8c8>] dump_stack+0xa0/0xf8
2017-12-15T04:30:26.253542+00:00 WARNING kernel: [ 1857.052989] [<ffffffc0004f7184>] print_trailer+0x140/0x154
2017-12-15T04:30:26.253543+00:00 WARNING kernel: [ 1857.052998] [<ffffffc0004f7328>] object_err+0x48/0x5c
2017-12-15T04:30:26.253545+00:00 WARNING kernel: [ 1857.053007] [<ffffffc0004fb6d0>] kasan_report+0x334/0x504
2017-12-15T04:30:26.253547+00:00 WARNING kernel: [ 1857.053015] [<ffffffc0004faa24>] __asan_load2+0x74/0x80
2017-12-15T04:30:26.253549+00:00 WARNING kernel: [ 1857.053080] [<ffffffbffc2fd29c>] hci_cmd_work+0x27c/0x408 [bluetooth]
2017-12-15T04:30:26.253551+00:00 WARNING kernel: [ 1857.053090] [<ffffffc00020b6b0>] worker_thread+0xbd4/0x10e8
2017-12-15T04:30:26.253553+00:00 WARNING kernel: [ 1857.053099] [<ffffffc0003f53b8>] kthread+0x144/0x15c
2017-12-15T04:30:26.253555+00:00 ERR kernel: [ 1857.053105] Memory state around the buggy address:
2017-12-15T04:30:26.253557+00:00 ERR kernel: [ 1857.053114] ffffffc0831ac800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
2017-12-15T04:30:26.253559+00:00 ERR kernel: [ 1857.053122] ffffffc0831ac880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
2017-12-15T04:30:26.253561+00:00 ERR kernel: [ 1857.053131] >ffffffc0831ac900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2017-12-15T04:30:26.253563+00:00 ERR kernel: [ 1857.053138] ^
2017-12-15T04:30:26.253565+00:00 ERR kernel: [ 1857.053146] ffffffc0831ac980: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
2017-12-15T04:30:26.253567+00:00 ERR kernel: [ 1857.053154] ffffffc0831aca00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
2017-12-15T04:30:26.253568+00:00 ERR kernel: [ 1857.053160] ==================================================================
2017-12-15T04:30:26.253570+00:00 INFO kernel: [ 1857.053396] Bluetooth: COND LE cmd (0x271e) is already 0 (chg 0), skip transition to 0
2017-12-15T04:30:26.253572+00:00 INFO kernel: [ 1857.053407] Bluetooth: COND call queue_work.
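Added example (not part of this bug report or of the Chromium OS tree): a small Python triage script for SLUB/KASAN use-after-free splats like the one above. It pulls out the bad access, the slab cache, the "Allocated in" and "Freed in" backtraces, then reports which non-allocator function owns each record, how far into the object the faulting access lies, and whether the free and the access sit in the same function. On this splat it surfaces what a reviewer reads off by hand: a 2-byte read at hci_cmd_work+0x280, 12 bytes of code past the hci_cmd_work+0x274 return address of the kfree_skb call, at offset 0x30 into the skbuff_head_cache object, with the free recorded 1 jiffy before the report. It also flags that the allocation record (age=0, pid 14406) is younger than the free record (age=1, pid 17465): SLUB overwrites the alloc track on every allocation, so the slot had already been handed out again by the time the report was printed, and the "Allocated in" backtrace describes the object's next owner rather than the allocation the worker was still holding. The sample input is a trimmed copy of the report above with the syslog prefix, hexdump and call-trace sections removed; the regexes and the "skip every frame whose name contains alloc/free" heuristic for finding the owning caller are my own assumptions about the report layout, not a kernel interface.

```python
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Sample input: a trimmed copy of the KASAN splat above (syslog prefix, hexdump and call trace removed).
SAMPLE_REPORT = """\
BUG: KASAN: use-after-free in hci_cmd_work+0x280/0x408 [bluetooth] at addr ffffffc0831ac930
Read of size 2 by task kworker/u9:1/17465
BUG skbuff_head_cache (Not tainted): kasan: bad access detected
INFO: Allocated in __alloc_skb+0x6c/0x23c age=0 cpu=2 pid=14406
alloc_debug_processing+0x114/0x16c
___slab_alloc.constprop.56+0x678/0x78c
kmem_cache_alloc+0xc4/0x228
__alloc_skb+0x68/0x23c
hci_prepare_cmd+0x38/0x108 [bluetooth]
hci_req_add_ev+0x60/0xf8 [bluetooth]
hci_req_add+0x38/0x48 [bluetooth]
hci_req_add_le_scan_disable+0x44/0x70 [bluetooth]
active_scan+0x150/0x220 [bluetooth]
__hci_req_sync+0x98/0x2d4 [bluetooth]
compat_SyS_writev+0x9c/0x104
el0_svc_naked+0x20/0x28
INFO: Freed in __kfree_skb+0xe4/0xf0 age=1 cpu=2 pid=17465
free_debug_processing+0x248/0x328
__slab_free+0x70/0x534
kmem_cache_free+0x1a0/0x244
__kfree_skb+0xe0/0xf0
kfree_skb+0x11c/0x130
hci_cmd_work+0x274/0x408 [bluetooth]
worker_thread+0xbd4/0x10e8
kthread+0x144/0x15c
ret_from_fork+0xc/0x50
INFO: Object 0xffffffc0831ac900 @offset=2304 fp=0xffffffc0831ac480
"""

# Line shapes of a SLUB/KASAN report, derived from this splat's layout (an assumption, not a stable format).
FRAME_RE = re.compile(r"^(?:\[<[0-9a-f]+>\]\s*)?(?P<func>[\w.]+)\+0x(?P<off>[0-9a-f]+)/0x[0-9a-f]+(?:\s+\[\w+\])?$")
BUG_RE = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x(?P<off>[0-9a-f]+)/0x[0-9a-f]+(?: \[\w+\])? at addr (?P<addr>[0-9a-f]+)$")
ACCESS_RE = re.compile(r"^(?P<rw>Read|Write) of size (?P<size>\d+) by task ")
TRACK_RE = re.compile(r"^INFO: (?P<what>Allocated|Freed) in [\w.]+\+0x[0-9a-f]+/0x[0-9a-f]+ age=(?P<age>\d+) ")
CACHE_RE = re.compile(r"^BUG (?P<cache>\S+) \(")
OBJECT_RE = re.compile(r"^INFO: Object 0x(?P<base>[0-9a-f]+) @offset=")

Frame = namedtuple("Frame", "func off")   # one backtrace entry: symbol name and offset into it

@dataclass
class KasanReport:
    kind: str = ""
    access: Frame = Frame("", 0)   # function and offset of the bad access
    addr: int = 0
    rw: str = ""
    size: int = 0
    cache: str = ""
    object_base: int = 0
    ages: dict = field(default_factory=dict)     # "Allocated"/"Freed" -> jiffies before the report
    stacks: dict = field(default_factory=dict)   # "Allocated"/"Freed" -> list of Frame

def parse_kasan_report(text: str) -> KasanReport:
    r, current = KasanReport(), None   # current: the stack that frame lines are appended to
    for line in map(str.strip, text.splitlines()):
        if m := BUG_RE.match(line):
            r.kind, r.addr = m["kind"], int(m["addr"], 16)
            r.access = Frame(m["func"], int(m["off"], 16))
        elif m := ACCESS_RE.match(line):
            r.rw, r.size = m["rw"], int(m["size"])
        elif m := CACHE_RE.match(line):
            r.cache = m["cache"]
        elif m := TRACK_RE.match(line):
            r.ages[m["what"]] = int(m["age"])
            current = r.stacks.setdefault(m["what"], [])
        elif m := OBJECT_RE.match(line):
            r.object_base, current = int(m["base"], 16), None
        elif current is not None and (m := FRAME_RE.match(line)):
            current.append(Frame(m["func"], int(m["off"], 16)))
    return r

def owner_frame(stack, keyword):
    """Heuristic: skip the slab internals and their wrapper (frames whose name contains keyword)."""
    return next((f for f in stack if keyword not in f.func), None)

def triage(r: KasanReport) -> dict:
    alloc_site = owner_frame(r.stacks.get("Allocated", []), "alloc")
    free_site = owner_frame(r.stacks.get("Freed", []), "free")
    same_func = free_site is not None and free_site.func == r.access.func
    return {
        "kind": r.kind, "cache": r.cache, "free_age": r.ages.get("Freed"),
        "access": f"{r.rw} of {r.size} bytes in {r.access.func}+0x{r.access.off:x}",
        "object_offset": r.addr - r.object_base,   # how far into the freed object
        "allocated_by": alloc_site.func if alloc_site else None,
        "freed_by": f"{free_site.func}+0x{free_site.off:x}" if free_site else None,
        "freed_in_accessing_function": same_func,
        "free_to_access_delta": r.access.off - free_site.off if same_func else None,
        "alloc_record_newer_than_free": "Allocated" in r.ages and "Freed" in r.ages and r.ages["Allocated"] < r.ages["Freed"],
    }

if __name__ == "__main__":
    for k, v in triage(parse_kasan_report(SAMPLE_REPORT)).items():
        print(f"{k:>28}: {v}")
```

Running it prints the triage dictionary for the sample. The "freed_in_accessing_function" and "free_to_access_delta" fields are the ones worth looking at first on a splat like this: a free and a read of the same object in the same function, a few instructions apart, points at a pointer that is still dereferenced after the kfree_skb, whereas a long free age or a free in an unrelated function points at a lifetime or locking problem between two paths. The "alloc_record_newer_than_free" flag is the caveat for this particular report: because the slot was reallocated before the report finished printing, the allocation backtrace cannot be trusted to describe the object the worker was using.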
Comment 1 by mcchou@chromium.org, Dec 15 2017
Status: Duplicate (was: Available)