Hello Greg,
During Syzkaller reproducer testing on 5.4.y (5.4.118-rc1) the following crash occurred:
BUG: KASAN: use-after-free in hci_send_acl https://syzkaller.appspot.com/bug?extid=98228e7407314d2d4ba2
We cherry-pick'd upstream commit 5c4c8c95 to 5.4.y and the crash no longer occurs (rebooted 10 times with the fix commit - no failures). https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
The cherry-pick of upstream commit 5c4c8c95 was clean.
[ 104.800617] BUG: KASAN: use-after-free in hci_send_acl+0x947/0xa30 [ 104.802209] Read of size 8 at addr ffff8881023fed18 by task kworker/u9:2/16208 [ 104.803769] [ 104.804141] CPU: 1 PID: 16208 Comm: kworker/u9:2 Not tainted 5.4.118-rc1-syzk #1 [ 104.805738] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190213_084539-x86-ol7-builder-03.us.oracle.com-1.oci.el7 04/01/2014 [ 104.809735] Workqueue: hci0 hci_rx_work [ 104.811394] Call Trace: [ 104.825804] dump_stack+0xd4/0x119 [ 104.827555] ? hci_send_acl+0x947/0xa30 [ 104.828424] print_address_description.constprop.6+0x20/0x220 [ 104.829745] ? hci_send_acl+0x947/0xa30 [ 104.830610] ? hci_send_acl+0x947/0xa30 [ 104.831480] __kasan_report.cold.9+0x37/0x77 [ 104.832581] ? hci_send_acl+0x947/0xa30 [ 104.833420] kasan_report+0x14/0x20 [ 104.834206] __asan_report_load8_noabort+0x14/0x20 [ 104.835145] hci_send_acl+0x947/0xa30 [ 104.835867] ? __kmalloc_reserve.isra.54+0xf0/0xf0 [ 104.836813] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 104.839089] l2cap_send_cmd+0x726/0x960 [ 104.840753] l2cap_send_move_chan_cfm_icid+0xae/0x110 [ 104.843036] ? l2cap_send_move_chan_rsp+0x1a0/0x1a0 [ 104.845255] ? l2cap_get_chan_by_scid+0x158/0x1c0 [ 104.847264] l2cap_sig_channel+0x2f3f/0x3cf0 [ 104.849131] ? l2cap_config_rsp+0x1220/0x1220 [ 104.850955] ? probe_sched_wakeup+0x7e/0x90 [ 104.852778] ? ttwu_do_wakeup+0x35a/0x4f0 [ 104.854493] ? hci_cmd_status_evt+0x4ec0/0x4ec0 [ 104.856410] ? __kasan_check_write+0x14/0x20 [ 104.858381] ? _raw_spin_lock_irqsave+0x8e/0xf0 [ 104.860429] ? _raw_write_lock_irqsave+0xe0/0xe0 [ 104.862386] ? __kasan_check_write+0x14/0x20 [ 104.864200] ? __mutex_lock.isra.5+0x486/0xaf0 [ 104.866108] ? try_to_wake_up+0xe0/0x1640 [ 104.867786] ? ww_mutex_lock_interruptible+0xf0/0xf0 [ 104.870011] ? migrate_swap_stop+0x950/0x950 [ 104.871814] l2cap_recv_frame+0x6f7/0xc60 [ 104.873603] ? l2cap_sig_channel+0x3cf0/0x3cf0 [ 104.875575] ? __mutex_unlock_slowpath.isra.16+0x1db/0x310 [ 104.877998] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 104.880202] ? hci_conn_enter_active_mode+0x179/0x360 [ 104.882466] ? __ww_mutex_check_waiters+0x220/0x220 [ 104.884529] l2cap_recv_acldata+0x924/0xa50 [ 104.885994] hci_rx_work+0x824/0x970 [ 104.887425] process_one_work+0x791/0x10b0 [ 104.889207] worker_thread+0x90/0xcf0 [ 104.890759] kthread+0x332/0x3f0 [ 104.892269] ? create_worker+0x5f0/0x5f0 [ 104.894132] ? kthread_parkme+0xb0/0xb0 [ 104.895774] ret_from_fork+0x22/0x40 [ 104.897513] [ 104.898224] Allocated by task 16208: [ 104.899856] save_stack+0x21/0x90 [ 104.901411] __kasan_kmalloc.constprop.11+0xc1/0xd0 [ 104.903538] kasan_kmalloc+0x9/0x10 [ 104.905124] kmem_cache_alloc_trace+0x113/0x270 [ 104.907061] hci_chan_create+0xb8/0x3e0 [ 104.908654] l2cap_conn_add.part.40+0x26/0xd50 [ 104.910623] l2cap_connect_cfm+0x9b3/0xfc0 [ 104.912532] hci_connect_cfm+0x9c/0x140 [ 104.914205] hci_event_packet+0x5f91/0xa150 [ 104.915981] hci_rx_work+0x48a/0x970 [ 104.917651] process_one_work+0x791/0x10b0 [ 104.919419] worker_thread+0x90/0xcf0 [ 104.921055] kthread+0x332/0x3f0 [ 104.922533] ret_from_fork+0x22/0x40 [ 104.924075] [ 104.924708] Freed by task 16208: [ 104.926182] save_stack+0x21/0x90 [ 104.927677] __kasan_slab_free+0x131/0x180 [ 104.929379] kasan_slab_free+0xe/0x10 [ 104.930990] kfree+0x98/0x270 [ 104.932194] hci_chan_del+0x161/0x210 [ 104.933805] amp_destroy_logical_link+0x29/0x60 [ 104.935817] hci_event_packet+0x1f56/0xa150 [ 104.937677] hci_rx_work+0x48a/0x970 [ 104.939162] process_one_work+0x791/0x10b0 [ 104.941092] worker_thread+0x90/0xcf0 [ 104.942816] kthread+0x332/0x3f0 [ 104.944241] ret_from_fork+0x22/0x40 [ 104.945839] [ 104.946554] The buggy address belongs to the object at ffff8881023fed00 [ 104.946554] which belongs to the cache kmalloc-64 of size 64 [ 104.951778] The buggy address is located 24 bytes inside of [ 104.951778] 64-byte region [ffff8881023fed00, ffff8881023fed40) [ 104.956948] The buggy address belongs to the page: [ 104.959184] page:ffffea000408ff80 refcount:1 mapcount:0 mapping:ffff888107c03600 index:0x0 [ 104.962973] flags: 0x17ffffc0000200(slab) [ 104.964724] raw: 0017ffffc0000200 ffffea0004125b00 0000000a00000009 ffff888107c03600 [ 104.968106] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000 [ 104.971453] page dumped because: kasan: bad access detected [ 104.973813] [ 104.974490] Memory state around the buggy address: [ 104.976750] ffff8881023fec00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 104.979901] ffff8881023fec80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 104.983056] >ffff8881023fed00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 104.986316] ^ [ 104.988049] ffff8881023fed80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 104.991889] ffff8881023fee00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 104.995247] ==================================================================
Thank you, George