On Thu, Aug 5, 2021 at 2:28 PM LinMa wrote:
>
> > > > As to that UAF, feel free to let us know once you have a reproducer
> > > > for it,
> > > > then a fix for it can be prepared.
> > > >
> > > > Hillf
> > >
> > > Alright, I will try my best to at least understand the UAF issue first.
> >
> > Hi Lin, could you help me with the UAF?
> >
>
> Sure, sorry for the delay
>
> Check this: https://www.openwall.com/lists/oss-security/2021/06/08/2
>

Hi Hillf, Hi Lin,

Sorry for the delay; my infrastructure is small, so I can't do fast builds.

So, I have tried to comprehend and test the UAF bug, but I couldn't reproduce it on my machine. However, I found another warning. Here I want to tell the detailed story again:

I found the deadlock warning at 5.14.0-rc3 with commit hash c7d102232649226a69dddd58a4942cf13cff4f7c ("Merge tag 'net-5.14-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net").

After I reported the deadlock warning, Hillf Danton asked me to revert this commit hash and test again:

e305509e678b3a4af2b3cfd410f409f7cdaabb52 ("Bluetooth: use correct lock to prevent UAF of hdev object")

After I reverted that commit, the deadlock warning was gone. That's good. See the original report here:

https://lore.kernel.org/lkml/2c40741c-8c8f-a105-1846-aa1ed15a6c7e@gnuweeb.org/

But reverting your commit may make the UAF bug come back. So I CC'ed you the other day.

Now I am at 5.14.0-rc3 51207ee38ab65db86554655300a912e8c661525e ("Revert "Bluetooth: use correct lock to prevent UAF of hdev object""); this is my local revert commit.

And then I tried to reproduce the UAF bug as the link you sent explains. But I couldn't reproduce it. I found another warning while playing around with the POC. Here is the warning I found:

I attached the full kernel log (dmesg.txt) and kernel config (config) for further reading. Any instruction on what I should do next?
------------[ cut here ]------------
WARNING: CPU: 2 PID: 7538 at kernel/workqueue.c:1419 __queue_work+0x641/0x700
Modules linked in: hci_uart btqca rfcomm xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp nft_compat nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nft_counter nf_tables nfnetlink bridge stp llc bfq cmac algif_hash algif_skcipher af_alg bnep dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio snd_hda_codec_hdmi snd_hda_intel snd_intel_dspcfg edac_mce_amd snd_intel_sdw_acpi snd_hda_codec uvcvideo btusb kvm_amd btrtl snd_hda_core btbcm videobuf2_vmalloc btintel videobuf2_memops snd_hwdep videobuf2_v4l2 bluetooth snd_pcm videobuf2_common ecdh_generic ecc videodev kvm snd_seq_midi snd_seq_midi_event snd_rawmidi mc acer_wmi snd_seq input_leds sparse_keymap wmi_bmof serio_raw snd_seq_device snd_timer snd soundcore ccp mac_hid fam15h_power k10temp sch_fq_codel msr ip_tables x_tables autofs4 btrfs blake2b_generic raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear amdgpu iommu_v2 gpu_sched radeon rtsx_pci_sdmmc hid_generic i2c_algo_bit drm_ttm_helper ttm drm_kms_helper crct10dif_pclmul crc32_pclmul ghash_clmulni_intel syscopyarea sysfillrect sysimgblt fb_sys_fops cec aesni_intel rc_core crypto_simd usbhid cryptd psmouse sdhci_pci r8169 drm rtsx_pci ahci cqhci hid libahci i2c_piix4 xhci_pci sdhci xhci_pci_renesas realtek wmi video
CPU: 2 PID: 7538 Comm: kworker/2:4 Not tainted 5.14.0-rc3-bluetea-test-uaf-00250-g51207ee38ab6 #7
Hardware name: Acer Aspire ES1-421/OLVIA_BE, BIOS V1.05 07/02/2015
Workqueue: events hci_cmd_timeout [bluetooth]
RIP: 0010:__queue_work+0x641/0x700
Code: fc ff ff 65 8b 05 ff cb ef 7e a9 00 01 ff 00 75 19 65 4c 8b 2c 25 00 fe 01 00 49 8d 7d 2c e8 66 e1 3a 00 41 f6 45 2c 20 75 25 <0f> 0b 48 83 c4 28 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 0b e9 d9 fc
RSP: 0018:ffff88818f9f7cd0 EFLAGS: 00010006
RAX: 0000000000000000 RBX: ffff8882acd3ca00 RCX: ffffffff8112322c
RDX: dffffc0000000000 RSI: ffff8881a367d800 RDI: ffff8882acd3ca08
RBP: ffff88817dc58b30 R08: ffffffff8112f432 R09: ffff88817dc58b37
R10: ffffed102fb8b166 R11: 0000000000000001 R12: ffff8881a367d800
R13: ffff88810a4bcd40 R14: ffff8881a367d9c0 R15: ffff8882acd3ca00
FS:  0000000000000000(0000) GS:ffff8882acd00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f9e368b5000 CR3: 0000000192fd2000 CR4: 00000000000406e0
Call Trace:
 queue_work_on+0xa0/0xb0
 process_one_work+0x4ce/0x980
 ? pwq_dec_nr_in_flight+0x110/0x110
 ? rwlock_bug.part.0+0x60/0x60
 worker_thread+0x2d4/0x6e0
 ? process_one_work+0x980/0x980
 kthread+0x1e0/0x210
 ? set_kthread_struct+0x80/0x80
 ret_from_fork+0x1f/0x30
irq event stamp: 5516
hardirqs last  enabled at (5515): [] console_unlock+0x64f/0x760
hardirqs last disabled at (5516): [] queue_work_on+0x71/0xb0
softirqs last  enabled at (5476): [] __irq_exit_rcu+0xea/0x110
softirqs last disabled at (5471): [] __irq_exit_rcu+0xea/0x110
---[ end trace 1a078bc16f4fbed1 ]---

Regards,
-- 
Ammar