syzbot


general protection fault in hci_release_dev

Status: fixed on 2021/11/10 00:50
Reported-by: syzbot+47c6d0efbb7fe2f7a5b8@syzkaller.appspotmail.com
Fix commit: e04480920d1e Bluetooth: defer cleanup of resources in hci_unregister_dev()
First crash: 384d, last: 359d

Cause bisection: introduced by (bisect log) :
commit 73333364afebb5e45807139bc79e6a6574c1874b
Author: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Date: Mon Jul 26 21:12:04 2021 +0000

  Bluetooth: defer cleanup of resources in hci_unregister_dev()

Crash: general protection fault in hci_release_dev (log)
Repro: C syz .config

Sample crash report:
general protection fault, probably for non-canonical address 0xdffffc0000000023: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f]
CPU: 0 PID: 6535 Comm: syz-executor106 Not tainted 5.14.0-rc6-next-20210820-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:workqueue_sysfs_unregister kernel/workqueue.c:5762 [inline]
RIP: 0010:destroy_workqueue+0x2e/0x810 kernel/workqueue.c:4416
Code: 49 89 fe 41 55 41 54 55 53 48 83 ec 18 e8 9a c5 29 00 49 8d be 18 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 39 07 00 00 49 8b 9e 18 01 00 00 48 85 db 74 19
RSP: 0018:ffffc90002c9fa28 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: dffffc0000000000 RCX: 0000000000000000
RDX: 0000000000000023 RSI: ffffffff814cb2f6 RDI: 0000000000000118
RBP: ffff888019721340 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff81a46b48 R11: 0000000000000000 R12: ffff888019720000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fcb4ab1a6c0 CR3: 00000000703da000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 hci_release_dev+0x125/0xb70 net/bluetooth/hci_core.c:4062
 bt_host_release+0x15/0x20 net/bluetooth/hci_sysfs.c:86
 device_release+0xa3/0x240 drivers/base/core.c:2195
 kobject_cleanup lib/kobject.c:705 [inline]
 kobject_release lib/kobject.c:736 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x1d0/0x540 lib/kobject.c:753
 put_device+0x1b/0x30 drivers/base/core.c:3466
 hci_uart_tty_close+0x1e4/0x2a0 drivers/bluetooth/hci_ldisc.c:546
 tty_ldisc_close+0x114/0x1a0 drivers/tty/tty_ldisc.c:474
 tty_ldisc_kill+0x94/0x150 drivers/tty/tty_ldisc.c:629
 tty_ldisc_release+0xe3/0x2a0 drivers/tty/tty_ldisc.c:803
 tty_release_struct+0x24/0xf0 drivers/tty/tty_io.c:1706
 tty_release+0xc70/0x1200 drivers/tty/tty_io.c:1878
 __fput+0x288/0x9f0 fs/file_table.c:280
 task_work_run+0xdd/0x1a0 kernel/task_work.c:164
 exit_task_work include/linux/task_work.h:32 [inline]
 do_exit+0xbae/0x2a30 kernel/exit.c:825
 do_group_exit+0x129/0x310 kernel/exit.c:922
 __do_sys_exit_group kernel/exit.c:933 [inline]
 __se_sys_exit_group kernel/exit.c:931 [inline]
 __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:931
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x43da49
Code: Unable to access opcode bytes at RIP 0x43da1f.
RSP: 002b:00007ffff8f5fe58 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00000000004ae230 RCX: 000000000043da49
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000400488
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004ae230
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
Modules linked in:
---[ end trace f0da897eafa18aaf ]---
RIP: 0010:workqueue_sysfs_unregister kernel/workqueue.c:5762 [inline]
RIP: 0010:destroy_workqueue+0x2e/0x810 kernel/workqueue.c:4416
Code: 49 89 fe 41 55 41 54 55 53 48 83 ec 18 e8 9a c5 29 00 49 8d be 18 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 39 07 00 00 49 8b 9e 18 01 00 00 48 85 db 74 19
RSP: 0018:ffffc90002c9fa28 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: dffffc0000000000 RCX: 0000000000000000
RDX: 0000000000000023 RSI: ffffffff814cb2f6 RDI: 0000000000000118
RBP: ffff888019721340 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff81a46b48 R11: 0000000000000000 R12: ffff888019720000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fcd198cf000 CR3: 0000000070e54000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	49 89 fe             	mov    %rdi,%r14
   3:	41 55                	push   %r13
   5:	41 54                	push   %r12
   7:	55                   	push   %rbp
   8:	53                   	push   %rbx
   9:	48 83 ec 18          	sub    $0x18,%rsp
   d:	e8 9a c5 29 00       	callq  0x29c5ac
  12:	49 8d be 18 01 00 00 	lea    0x118(%r14),%rdi
  19:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  20:	fc ff df
  23:	48 89 fa             	mov    %rdi,%rdx
  26:	48 c1 ea 03          	shr    $0x3,%rdx
* 2a:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1) <-- trapping instruction
  2e:	0f 85 39 07 00 00    	jne    0x76d
  34:	49 8b 9e 18 01 00 00 	mov    0x118(%r14),%rbx
  3b:	48 85 db             	test   %rbx,%rbx
  3e:	74 19                	je     0x59

Crashes (41):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-linux-next-kasan-gce-root 2021/08/21 23:43 linux-next 86ed57fd8c93 b599f2fc .config log report syz C general protection fault in hci_release_dev
ci-upstream-linux-next-kasan-gce-root 2021/08/16 21:31 linux-next b9011c7e671d 33c26cb7 .config log report syz C general protection fault in hci_release_dev
ci-upstream-linux-next-kasan-gce-root 2021/08/15 06:09 linux-next 4b358aabb93a 2489ab88 .config log report syz C general protection fault in hci_release_dev
ci-upstream-linux-next-kasan-gce-root 2021/08/10 17:51 linux-next 92d00774360d 6972b106 .config log report syz C general protection fault in hci_release_dev
ci-upstream-linux-next-kasan-gce-root 2021/07/29 09:46 linux-next 5a4cee98ea75 9a4781d4 .config log report syz C general protection fault in hci_release_dev
ci-upstream-linux-next-kasan-gce-root 2021/08/23 03:30 linux-next 86ed57fd8c93 b599f2fc .config log report info general protection fault in hci_release_dev
ci-upstream-linux-next-kasan-gce-root 2021/08/22 18:02 linux-next 86ed57fd8c93 b599f2fc .config log report info general protection fault in hci_release_dev
ci-upstream-linux-next-kasan-gce-root 2021/08/22 06:09 linux-next 86ed57fd8c93 b599f2fc .config log report info general protection fault in hci_release_dev
ci-upstream-linux-next-kasan-gce-root 2021/08/20 15:05 linux-next 86ed57fd8c93 b599f2fc .config log report info general protection fault in hci_release_dev
ci-upstream-linux-next-kasan-gce-root 2021/08/20 00:58 linux-next 33e65b1f975c b599f2fc .config log report info general protection fault in hci_release_dev
ci-upstream-linux-next-kasan-gce-root 2021/08/20 00:07 linux-next 33e65b1f975c b599f2fc .config log report info general protection fault in hci_release_dev
ci-upstream-linux-next-kasan-gce-root 2021/08/18 19:50 linux-next f26c3abc432a a2fe1cb5 .config log report info general protection fault in hci_release_dev
ci-upstream-linux-next-kasan-gce-root 2021/08/18 18:25 linux-next f26c3abc432a a2fe1cb5 .config log report info general protection fault in hci_release_dev
ci-upstream-linux-next-kasan-gce-root 2021/08/15 11:01 linux-next 4b358aabb93a 2489ab88 .config log report info general protection fault in hci_release_dev
ci-upstream-linux-next-kasan-gce-root 2021/08/14 22:21 linux-next 4b358aabb93a 2489ab88 .config log report info general protection fault in hci_release_dev
ci-upstream-linux-next-kasan-gce-root 2021/08/14 09:49 linux-next 4b358aabb93a 2489ab88 .config log report info general protection fault in hci_release_dev
ci-upstream-linux-next-kasan-gce-root 2021/08/14 09:34 linux-next 4b358aabb93a 2489ab88 .config log report info general protection fault in hci_release_dev
ci-upstream-linux-next-kasan-gce-root 2021/08/14 09:27 linux-next 4b358aabb93a 2489ab88 .config log report info general protection fault in hci_release_dev
ci-upstream-linux-next-kasan-gce-root 2021/08/10 17:07 linux-next 92d00774360d 6972b106 .config log report info general protection fault in hci_release_dev
ci-upstream-linux-next-kasan-gce-root 2021/08/10 16:17 linux-next 92d00774360d 6972b106 .config log report info general protection fault in hci_release_dev
ci-upstream-linux-next-kasan-gce-root 2021/08/09 20:31 linux-next da454ebf578f 6972b106 .config log report info general protection fault in hci_release_dev
ci-upstream-linux-next-kasan-gce-root 2021/08/09 20:21 linux-next da454ebf578f 6972b106 .config log report info general protection fault in hci_release_dev
ci-upstream-linux-next-kasan-gce-root 2021/08/09 20:10 linux-next da454ebf578f 6972b106 .config log report info general protection fault in hci_release_dev
ci-upstream-linux-next-kasan-gce-root 2021/08/09 19:58 linux-next da454ebf578f 6972b106 .config log report info general protection fault in hci_release_dev
ci-upstream-linux-next-kasan-gce-root 2021/08/09 19:50 linux-next da454ebf578f 6972b106 .config log report info general protection fault in hci_release_dev
ci-upstream-linux-next-kasan-gce-root 2021/08/09 19:08 linux-next da454ebf578f 6972b106 .config log report info general protection fault in hci_release_dev
ci-upstream-linux-next-kasan-gce-root 2021/08/09 19:01 linux-next da454ebf578f 6972b106 .config log report info general protection fault in hci_release_dev
ci-upstream-linux-next-kasan-gce-root 2021/08/09 18:22 linux-next da454ebf578f 6972b106 .config log report info general protection fault in hci_release_dev
ci-upstream-linux-next-kasan-gce-root 2021/08/09 17:29 linux-next da454ebf578f 6972b106 .config log report info general protection fault in hci_release_dev
ci-upstream-linux-next-kasan-gce-root 2021/08/09 17:09 linux-next da454ebf578f 6972b106 .config log report info general protection fault in hci_release_dev
ci-upstream-linux-next-kasan-gce-root 2021/08/06 14:22 linux-next 8d4b477da1a8 f9e341e3 .config log report info general protection fault in hci_release_dev
ci-upstream-linux-next-kasan-gce-root 2021/08/06 14:11 linux-next 8d4b477da1a8 f9e341e3 .config log report info general protection fault in hci_release_dev
ci-upstream-linux-next-kasan-gce-root 2021/08/04 02:12 linux-next 8d4b477da1a8 6c236867 .config log report info general protection fault in hci_release_dev
ci-upstream-linux-next-kasan-gce-root 2021/08/03 22:27 linux-next 8d4b477da1a8 6c236867 .config log report info general protection fault in hci_release_dev
ci-upstream-linux-next-kasan-gce-root 2021/08/03 15:56 linux-next 8d4b477da1a8 6c236867 .config log report info general protection fault in hci_release_dev
ci-upstream-linux-next-kasan-gce-root 2021/08/01 22:10 linux-next 8d4b477da1a8 6c236867 .config log report info general protection fault in hci_release_dev
ci-upstream-linux-next-kasan-gce-root 2021/07/29 06:05 linux-next 5a4cee98ea75 9a4781d4 .config log report info general protection fault in hci_release_dev
ci-upstream-linux-next-kasan-gce-root 2021/07/29 05:08 linux-next 5a4cee98ea75 9a4781d4 .config log report info general protection fault in hci_release_dev
ci-upstream-linux-next-kasan-gce-root 2021/07/29 04:26 linux-next 5a4cee98ea75 9a4781d4 .config log report info general protection fault in hci_release_dev
ci-upstream-linux-next-kasan-gce-root 2021/07/29 04:16 linux-next 5a4cee98ea75 9a4781d4 .config log report info general protection fault in hci_release_dev
ci-upstream-linux-next-kasan-gce-root 2021/07/29 03:56 linux-next 5a4cee98ea75 9a4781d4 .config log report info general protection fault in hci_release_dev