syzbot


general protection fault in lock_sock_nested

Status: upstream: reported on 2024/04/14 08:46
Reported-by: syzbot+8c1526bae66de4a558da@syzkaller.appspotmail.com
First crash: 65d, last: 22h30m
Similar bugs (14)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-49 general protection fault in lock_sock_nested 1 2320d 2320d 0/3 auto-closed as invalid on 2019/02/22 12:39
linux-4.14 general protection fault in lock_sock_nested 4 1138d 1356d 0/1 auto-closed as invalid on 2021/09/04 19:35
upstream general protection fault in lock_sock_nested bluetooth C done done 199 1d02h 281d 0/27 upstream: reported C repro on 2023/09/11 07:52
linux-5.15 general protection fault in lock_sock_nested origin:upstream missing-backport syz 29 1d00h 75d 0/3 upstream: reported syz repro on 2024/04/04 13:25
upstream BUG: unable to handle kernel paging request in lock_sock_nested bluetooth 43 973d 1413d 0/27 auto-closed as invalid on 2022/02/16 22:16
linux-4.19 KASAN: wild-memory-access Write in lock_sock_nested 2 1237d 1306d 0/1 auto-closed as invalid on 2021/05/28 14:35
linux-4.19 KASAN: use-after-free Read in lock_sock_nested C 471 476d 1789d 0/1 upstream: reported C repro on 2019/07/26 21:27
linux-4.14 KASAN: use-after-free Read in lock_sock_nested C inconclusive 331 516d 1882d 0/1 upstream: reported C repro on 2019/04/24 06:28
upstream KASAN: use-after-free Read in lock_sock_nested hams C inconclusive done 1856 385d 1994d 0/27 auto-obsoleted due to no activity on 2023/08/23 09:06
linux-4.14 BUG: unable to handle kernel paging request in lock_sock_nested 4 1131d 1250d 0/1 auto-closed as invalid on 2021/09/11 11:51
upstream KASAN: slab-out-of-bounds Read in lock_sock_nested bluetooth syz unreliable done 23 967d 1407d 0/27 auto-obsoleted due to no activity on 2022/09/29 10:19
linux-4.19 KASAN: slab-out-of-bounds Read in lock_sock_nested 14 650d 1314d 0/1 auto-obsoleted due to no activity on 2023/01/05 15:59
android-44 KASAN: use-after-free Read in lock_sock_nested C 40 2125d 1895d 0/2 public: reported C repro on 2019/04/11 08:44
android-49 KASAN: use-after-free Read in lock_sock_nested C 39 2127d 2320d 0/3 closed as invalid on 2019/03/07 05:41

Sample crash report:
general protection fault, probably for non-canonical address 0xdffffc0000000026: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000130-0x0000000000000137]
CPU: 1 PID: 4459 Comm: kworker/1:18 Not tainted 6.1.94-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Workqueue: events l2cap_info_timeout
RIP: 0010:__lock_acquire+0x69/0x1f80 kernel/locking/lockdep.c:4919
Code: df 0f b6 04 10 84 c0 0f 85 fb 15 00 00 83 3d b1 51 09 0d 00 0f 84 a8 14 00 00 83 3d 20 20 95 0b 00 74 2b 4c 89 f0 48 c1 e8 03 <80> 3c 10 00 74 12 4c 89 f7 e8 49 a6 77 00 48 ba 00 00 00 00 00 fc
RSP: 0018:ffffc90014b17800 EFLAGS: 00010002
RAX: 0000000000000026 RBX: 0000000000000000 RCX: 0000000000000000
RDX: dffffc0000000000 RSI: 0000000000000000 RDI: 0000000000000130
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000000
R13: ffff888028f95940 R14: 0000000000000130 R15: 0000000000000001
FS:  0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffe8 CR3: 000000007497b000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 lock_acquire+0x1f8/0x5a0 kernel/locking/lockdep.c:5662
 lock_sock_nested+0x44/0x100 net/core/sock.c:3485
 lock_sock include/net/sock.h:1748 [inline]
 l2cap_sock_ready_cb+0x43/0x130 net/bluetooth/l2cap_sock.c:1686
 l2cap_chan_ready net/bluetooth/l2cap_core.c:1409 [inline]
 l2cap_conn_start+0x8c9/0x10a0 net/bluetooth/l2cap_core.c:1667
 process_one_work+0x8a9/0x11d0 kernel/workqueue.c:2292
 worker_thread+0xa47/0x1200 kernel/workqueue.c:2439
 kthread+0x28d/0x320 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__lock_acquire+0x69/0x1f80 kernel/locking/lockdep.c:4919
Code: df 0f b6 04 10 84 c0 0f 85 fb 15 00 00 83 3d b1 51 09 0d 00 0f 84 a8 14 00 00 83 3d 20 20 95 0b 00 74 2b 4c 89 f0 48 c1 e8 03 <80> 3c 10 00 74 12 4c 89 f7 e8 49 a6 77 00 48 ba 00 00 00 00 00 fc
RSP: 0018:ffffc90014b17800 EFLAGS: 00010002
RAX: 0000000000000026 RBX: 0000000000000000 RCX: 0000000000000000
RDX: dffffc0000000000 RSI: 0000000000000000 RDI: 0000000000000130
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000000
R13: ffff888028f95940 R14: 0000000000000130 R15: 0000000000000001
FS:  0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffe8 CR3: 000000007497b000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	df 0f                	fisttps (%rdi)
   2:	b6 04                	mov    $0x4,%dh
   4:	10 84 c0 0f 85 fb 15 	adc    %al,0x15fb850f(%rax,%rax,8)
   b:	00 00                	add    %al,(%rax)
   d:	83 3d b1 51 09 0d 00 	cmpl   $0x0,0xd0951b1(%rip)        # 0xd0951c5
  14:	0f 84 a8 14 00 00    	je     0x14c2
  1a:	83 3d 20 20 95 0b 00 	cmpl   $0x0,0xb952020(%rip)        # 0xb952041
  21:	74 2b                	je     0x4e
  23:	4c 89 f0             	mov    %r14,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	80 3c 10 00          	cmpb   $0x0,(%rax,%rdx,1) <-- trapping instruction
  2e:	74 12                	je     0x42
  30:	4c 89 f7             	mov    %r14,%rdi
  33:	e8 49 a6 77 00       	call   0x77a681
  38:	48                   	rex.W
  39:	ba 00 00 00 00       	mov    $0x0,%edx
  3e:	00 fc                	add    %bh,%ah

Crashes (31):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/06/17 05:55 linux-6.1.y eb44d83053d6 f429ab00 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan general protection fault in lock_sock_nested
2024/06/14 21:29 linux-6.1.y ae9f2a70d69e f429ab00 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan general protection fault in lock_sock_nested
2024/06/14 19:54 linux-6.1.y ae9f2a70d69e f429ab00 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan general protection fault in lock_sock_nested
2024/06/03 09:48 linux-6.1.y 88690811da69 0aba2352 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan general protection fault in lock_sock_nested
2024/06/03 09:48 linux-6.1.y 88690811da69 0aba2352 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan general protection fault in lock_sock_nested
2024/05/28 06:23 linux-6.1.y 88690811da69 f550015e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan general protection fault in lock_sock_nested
2024/05/28 04:31 linux-6.1.y 88690811da69 f550015e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan general protection fault in lock_sock_nested
2024/05/28 04:31 linux-6.1.y 88690811da69 f550015e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan general protection fault in lock_sock_nested
2024/05/25 00:51 linux-6.1.y 4078fa637fcd a10a183e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan general protection fault in lock_sock_nested
2024/05/22 15:28 linux-6.1.y 4078fa637fcd 4d098039 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan general protection fault in lock_sock_nested
2024/05/21 15:17 linux-6.1.y 4078fa637fcd 4c0d3ee3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan general protection fault in lock_sock_nested
2024/05/10 15:25 linux-6.1.y 909ba1f1b414 f7c35481 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan general protection fault in lock_sock_nested
2024/04/14 08:45 linux-6.1.y cd5d98c0556c c8349e48 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan general protection fault in lock_sock_nested
2024/06/18 01:15 linux-6.1.y eb44d83053d6 ce6011bc .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in lock_sock_nested
2024/06/17 14:39 linux-6.1.y eb44d83053d6 1f11cfd7 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in lock_sock_nested
2024/06/17 13:18 linux-6.1.y eb44d83053d6 1f11cfd7 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in lock_sock_nested
2024/06/13 03:36 linux-6.1.y ae9f2a70d69e 2aa5052f .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in lock_sock_nested
2024/06/12 13:29 linux-6.1.y ae9f2a70d69e f815599d .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in lock_sock_nested
2024/06/18 05:46 linux-6.1.y eb44d83053d6 ce6011bc .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: use-after-free Read in lock_sock_nested
2024/06/18 02:05 linux-6.1.y eb44d83053d6 ce6011bc .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/06/16 20:02 linux-6.1.y eb44d83053d6 f429ab00 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: use-after-free Read in lock_sock_nested
2024/06/10 16:18 linux-6.1.y 88690811da69 048c640a .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: use-after-free Read in lock_sock_nested
2024/06/04 14:54 linux-6.1.y 88690811da69 11f2afa5 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/06/03 15:15 linux-6.1.y 88690811da69 0aba2352 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/06/01 02:05 linux-6.1.y 88690811da69 3113787f .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/06/01 02:05 linux-6.1.y 88690811da69 3113787f .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/05/23 12:09 linux-6.1.y 4078fa637fcd 4c2072ee .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/05/17 11:28 linux-6.1.y 4078fa637fcd c2e07261 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/05/12 03:18 linux-6.1.y 909ba1f1b414 9026e142 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/05/10 23:45 linux-6.1.y 909ba1f1b414 f7c35481 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/05/09 07:56 linux-6.1.y 909ba1f1b414 20bf80e1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
* Struck through repros no longer work on HEAD.