lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <5e39dea3.TW47gIqKZtvFGmPP%lkp@intel.com>
Date:   Wed, 05 Feb 2020 05:14:11 +0800
From:   kernel test robot <lkp@...el.com>
To:     Manish Mandlik <mmandlik@...gle.com>
Cc:     LKP <lkp@...ts.01.org>, linux-kernel@...r.kernel.org,
        netdev@...r.kernel.org, linux-bluetooth@...r.kernel.org,
        Marcel Holtmann <marcel@...tmann.org>, philip.li@...el.com
Subject: 6c08fc896b ("Bluetooth: Fix refcount use-after-free issue"):
  WARNING: bad unlock balance detected!

Greetings,

0day kernel testing robot got the below dmesg and the first bad commit is

https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master

commit 6c08fc896b60893c5d673764b0668015d76df462
Author:     Manish Mandlik <mmandlik@...gle.com>
AuthorDate: Tue Jan 28 10:54:14 2020 -0800
Commit:     Marcel Holtmann <marcel@...tmann.org>
CommitDate: Wed Jan 29 04:53:12 2020 +0100

    Bluetooth: Fix refcount use-after-free issue
    
    There is no lock preventing both l2cap_sock_release() and
    chan->ops->close() from running at the same time.
    
    If we consider Thread A running l2cap_chan_timeout() and Thread B running
    l2cap_sock_release(), expected behavior is:
      A::l2cap_chan_timeout()->l2cap_chan_close()->l2cap_sock_teardown_cb()
      A::l2cap_chan_timeout()->l2cap_sock_close_cb()->l2cap_sock_kill()
      B::l2cap_sock_release()->sock_orphan()
      B::l2cap_sock_release()->l2cap_sock_kill()
    
    where,
    sock_orphan() clears "sk->sk_socket" and l2cap_sock_teardown_cb() marks
    socket as SOCK_ZAPPED.
    
    In l2cap_sock_kill(), there is an "if-statement" that checks if both
    sock_orphan() and sock_teardown() has been run i.e. sk->sk_socket is NULL
    and socket is marked as SOCK_ZAPPED. Socket is killed if the condition is
    satisfied.
    
    In the race condition, following occurs:
      A::l2cap_chan_timeout()->l2cap_chan_close()->l2cap_sock_teardown_cb()
      B::l2cap_sock_release()->sock_orphan()
      B::l2cap_sock_release()->l2cap_sock_kill()
      A::l2cap_chan_timeout()->l2cap_sock_close_cb()->l2cap_sock_kill()
    
    In this scenario, "if-statement" is true in both B::l2cap_sock_kill() and
    A::l2cap_sock_kill() and we hit "refcount: underflow; use-after-free" bug.
    
    Similar condition occurs at other places where teardown/sock_kill is
    happening:
      l2cap_disconnect_rsp()->l2cap_chan_del()->l2cap_sock_teardown_cb()
      l2cap_disconnect_rsp()->l2cap_sock_close_cb()->l2cap_sock_kill()
    
      l2cap_conn_del()->l2cap_chan_del()->l2cap_sock_teardown_cb()
      l2cap_conn_del()->l2cap_sock_close_cb()->l2cap_sock_kill()
    
      l2cap_disconnect_req()->l2cap_chan_del()->l2cap_sock_teardown_cb()
      l2cap_disconnect_req()->l2cap_sock_close_cb()->l2cap_sock_kill()
    
      l2cap_sock_cleanup_listen()->l2cap_chan_close()->l2cap_sock_teardown_cb()
      l2cap_sock_cleanup_listen()->l2cap_sock_kill()
    
    Protect teardown/sock_kill and orphan/sock_kill by adding hold_lock on
    l2cap channel to ensure that the socket is killed only after marked as
    zapped and orphan.
    
    Signed-off-by: Manish Mandlik <mmandlik@...gle.com>
    Signed-off-by: Marcel Holtmann <marcel@...tmann.org>

151129df2f  Bluetooth: SMP: Fix SALT value in some comments
6c08fc896b  Bluetooth: Fix refcount use-after-free issue
+---------------------------------------------+------------+------------+
|                                             | 151129df2f | 6c08fc896b |
+---------------------------------------------+------------+------------+
| boot_successes                              | 51         | 8          |
| boot_failures                               | 0          | 10         |
| WARNING:bad_unlock_balance_detected         | 0          | 10         |
| BUG:unable_to_handle_page_fault_for_address | 0          | 10         |
| Oops:#[##]                                  | 0          | 10         |
| EIP:print_unlock_imbalance_bug              | 0          | 10         |
| Kernel_panic-not_syncing:Fatal_exception    | 0          | 10         |
+---------------------------------------------+------------+------------+

If you fix the issue, kindly add following tag
Reported-by: kernel test robot <lkp@...el.com>

[   54.004083] Unable to find swap-space signature
[main] 10092 iterations. [F:7038 S:2998 HI:1021 STALLED:1]
errno out of range after doing getgid: 1024:Unknown error 1024
[   85.817054] 
[   85.822921] =====================================
[   85.823598] WARNING: bad unlock balance detected!
[   85.824267] 5.5.0-rc7-01832-g6c08fc896b608 #1 Not tainted
[   85.825061] -------------------------------------
[   85.825784] trinity-c1/1057 is trying to release lock (
[   85.826475] BUG: unable to handle page fault for address: 6b6b6ea7
[   85.828073] #PF: supervisor read access in kernel mode
[   85.828800] #PF: error_code(0x0000) - not-present page
[   85.829694] *pde = 00000000 
[   85.830127] Oops: 0000 [#1] PREEMPT SMP
[   85.830689] CPU: 1 PID: 1057 Comm: trinity-c1 Not tainted 5.5.0-rc7-01832-g6c08fc896b608 #1
[   85.831841] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[   85.833030] EIP: print_unlock_imbalance_bug+0x6a/0xd0
[   85.833783] Code: 87 40 01 00 e8 97 ed ff ff 68 a4 2b 06 c2 e8 78 40 01 00 8d 83 e0 04 00 00 ff b3 b0 03 00 00 50 68 d0 2b 06 c2 e8 61 40 01 00 <8b> 57 0c 8b 07 e8 21 27 00 00 68 69 29 06 c2 e8 4d 40 01 00 83 c4
[   85.836363] EAX: 0000002b EBX: f10581c0 ECX: 00000000 EDX: 00000282
[   85.837253] ESI: c19589e8 EDI: 6b6b6e9b EBP: f10b3dd4 ESP: f10b3dac
[   85.838154] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 EFLAGS: 00010046
[   85.839116] CR0: 80050033 CR2: 6b6b6ea7 CR3: 024b1000 CR4: 00340690
[   85.840001] DR0: b6cb9000 DR1: b627f000 DR2: 00000000 DR3: 00000000
[   85.840885] DR6: fffe0ff0 DR7: 00000600
[   85.849534] Call Trace:
[   85.849924]  lock_release+0x13c/0x3d0
[   85.850457]  ? l2cap_sock_release+0x98/0xc0
[   85.851053]  ? l2cap_sock_release+0x98/0xc0
[   85.851627]  __mutex_unlock_slowpath+0x2f/0x290
[   85.852273]  ? sk_destruct+0x47/0x50
[   85.852807]  mutex_unlock+0x10/0x20
[   85.853277]  l2cap_sock_release+0x98/0xc0
[   85.853641]  __sock_release+0x29/0xb0
[   85.853971]  sock_close+0x10/0x20
[   85.854272]  __fput+0xfe/0x1e0
[   85.854551]  ____fput+0xd/0x10
[   85.854829]  task_work_run+0x77/0xa0
[   85.855192]  do_exit+0x418/0xa30
[   85.855492]  do_group_exit+0x8f/0x90
[   85.855848]  get_signal+0x8e5/0x950
[   85.856194]  do_signal+0x1c/0xc0
[   85.856499]  ? process_cpu_nsleep+0x17/0x20
[   85.856874]  ? sys_clock_nanosleep_time32+0xc9/0x110
[   85.857333]  exit_to_usermode_loop+0x33/0xa0
[   85.857714]  do_int80_syscall_32+0xbd/0x100
[   85.858089]  entry_INT80_32+0x114/0x119
[   85.858434] EIP: 0x809b132
[   85.858686] Code: Bad RIP value.
[   85.858982] EAX: fffffdfe EBX: 00000002 ECX: 00000001 EDX: 00000004
[   85.859535] ESI: 00000004 EDI: 7e7e7e7e EBP: fffffff8 ESP: bfa85108
[   85.860088] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b EFLAGS: 00000296
[   85.860687] Modules linked in:
[   85.860981] CR2: 000000006b6b6ea7
[   85.861298] ---[ end trace 3165464af4bfb57a ]---
[   85.861712] EIP: print_unlock_imbalance_bug+0x6a/0xd0

                                                          # HH:MM RESULT GOOD BAD GOOD_BUT_DIRTY DIRTY_NOT_BAD
git bisect start b645d5179112cd9a93922bd2c25473f9f0351dbd d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 --
git bisect  bad f924b4c373687bf05c2f856598a64a3a8bfdb399  # 02:18  B      3     8    0   0  Merge 'clk/clk-amlogic' into devel-hourly-2020013022
git bisect good 0aa84350de083fda6878b3c11da2f346182684da  # 02:18  G     12     0    0   0  Merge 'arm-soc/ti/k3-dt2' into devel-hourly-2020013022
git bisect  bad d458e22978565e2291722cd0481be7b91aaec3a6  # 02:18  B      5     7    0   0  Merge 'peterz-queue/x86/misc' into devel-hourly-2020013022
git bisect  bad 88e053051630e64efbe0acd97889ce08923f2c75  # 02:18  B      2    10    0   0  Merge 'kdave-btrfs-devel/for-next-20200129' into devel-hourly-2020013022
git bisect  bad f129fc7122c73596a006176928934a0382f7f855  # 02:18  B      2    10    0   0  Merge 'bluetooth-next/master' into devel-hourly-2020013022
git bisect good 48aabbcf240c8ae6abfd139b1049f227f9817621  # 02:18  G     13     0    0   0  Merge 'iommu/x86/amd' into devel-hourly-2020013022
git bisect  bad 6c08fc896b60893c5d673764b0668015d76df462  # 02:18  B      2    10    0   0  Bluetooth: Fix refcount use-after-free issue
git bisect good 151129df2f4ac29e55be6d3a7be91d0979f71a55  # 02:19  G     39     0    0   0  Bluetooth: SMP: Fix SALT value in some comments
# first bad commit: [6c08fc896b60893c5d673764b0668015d76df462] Bluetooth: Fix refcount use-after-free issue
git bisect good 151129df2f4ac29e55be6d3a7be91d0979f71a55  # 02:19  G     39     0    0   0  Bluetooth: SMP: Fix SALT value in some comments
# extra tests with debug options
# extra tests on revert first bad commit
git bisect good 983086bfa9c8bcf3bc7eb6904e7c4f5fb64dc33c  # 05:13  G     14     0    1   1  Revert "Bluetooth: Fix refcount use-after-free issue"
# good: [983086bfa9c8bcf3bc7eb6904e7c4f5fb64dc33c] Revert "Bluetooth: Fix refcount use-after-free issue"

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/hyperkitty/list/lkp@lists.01.org       Intel Corporation

Download attachment "dmesg-openwrt-vm-openwrt-36:20200131184514:i386-randconfig-e003-20200129:5.5.0-rc7-01832-g6c08fc896b608:1.gz" of type "application/gzip" (17569 bytes)

View attachment "reproduce-openwrt-vm-openwrt-36:20200131184514:i386-randconfig-e003-20200129:5.5.0-rc7-01832-g6c08fc896b608:1" of type "text/plain" (936 bytes)

Download attachment "b645d5179112cd9a93922bd2c25473f9f0351dbd:gcc-7:i386-randconfig-e003-20200129:WARNING:bad_unlock_balance_detected.xz" of type "application/x-xz" (7040 bytes)

View attachment "config-5.5.0-rc7-01832-g6c08fc896b608" of type "text/plain" (150998 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ