syzbot


general protection fault in lock_sock_nested

Status: upstream: reported C repro on 2023/09/11 07:52
Subsystems: bluetooth
Reported-by: syzbot+d3ccfb78a0dc16ffebe3@syzkaller.appspotmail.com
First crash: 240d, last: 13h35m
Cause bisection: introduced by (bisect log):
commit 94d9ba9f9888b748d4abd2aa1547af56ae85f772
Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: Wed Aug 9 23:49:33 2023 +0000

  Bluetooth: hci_sync: Fix UAF in hci_disconnect_all_sync

Crash: BUG: unable to handle kernel NULL pointer dereference in lock_sock_nested (log)
Repro: C syz .config
Fix bisection: fixed by (bisect log):
commit 181a42edddf51d5d9697ecdf365d72ebeab5afb0
Author: Ziyang Xuan <william.xuanziyang@huawei.com>
Date: Wed Oct 11 09:57:31 2023 +0000

  Bluetooth: Make handle of hci_conn be unique

Discussions (2)
Title                                                               Replies (including bot)  Last reply
[syzbot] Monthly bluetooth report (Apr 2024)                        0 (1)                    2024/04/08 12:51
[syzbot] [bluetooth?] general protection fault in lock_sock_nested  0 (2)                    2023/12/25 11:40
Similar bugs (12)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-49 general protection fault in lock_sock_nested 1 2267d 2267d 0/3 auto-closed as invalid on 2019/02/22 12:39
linux-4.14 general protection fault in lock_sock_nested 4 1085d 1303d 0/1 auto-closed as invalid on 2021/09/04 19:35
linux-5.15 general protection fault in lock_sock_nested origin:upstream syz 9 2d09h 22d 0/3 upstream: reported syz repro on 2024/04/04 13:25
linux-6.1 general protection fault in lock_sock_nested 1 13d 13d 0/3 upstream: reported on 2024/04/14 08:46
upstream BUG: unable to handle kernel paging request in lock_sock_nested bluetooth 43 920d 1360d 0/26 auto-closed as invalid on 2022/02/16 22:16
linux-4.19 KASAN: wild-memory-access Write in lock_sock_nested 2 1184d 1253d 0/1 auto-closed as invalid on 2021/05/28 14:35
linux-4.19 KASAN: use-after-free Read in lock_sock_nested C 471 423d 1736d 0/1 upstream: reported C repro on 2019/07/26 21:27
linux-4.14 KASAN: use-after-free Read in lock_sock_nested C inconclusive 331 463d 1830d 0/1 upstream: reported C repro on 2019/04/24 06:28
upstream KASAN: use-after-free Read in lock_sock_nested hams C inconclusive done 1856 332d 1941d 0/26 auto-obsoleted due to no activity on 2023/08/23 09:06
linux-4.14 BUG: unable to handle kernel paging request in lock_sock_nested 4 1078d 1198d 0/1 auto-closed as invalid on 2021/09/11 11:51
upstream KASAN: slab-out-of-bounds Read in lock_sock_nested bluetooth syz unreliable done 23 914d 1354d 0/26 auto-obsoleted due to no activity on 2022/09/29 10:19
linux-4.19 KASAN: slab-out-of-bounds Read in lock_sock_nested 14 597d 1261d 0/1 auto-obsoleted due to no activity on 2023/01/05 15:59
Last patch testing requests (4)
Created           Duration  User              Patch  Repo                                                                         Result
2024/01/31 17:29  28m       retest repro             git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci  OK log
2023/11/21 16:14  19m       retest repro             git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci  report log
2023/11/21 15:12  23m       retest repro             net                                                                          OK log
2023/09/11 11:44  22m       hdanton@sina.com  patch  net                                                                          OK log

Sample crash report:
Unable to handle kernel paging request at virtual address dfff80000000004b
KASAN: null-ptr-deref in range [0x0000000000000258-0x000000000000025f]
Mem abort info:
  ESR = 0x0000000096000005
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x05: level 1 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
  CM = 0, WnR = 0, TnD = 0, TagAccess = 0
  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[dfff80000000004b] address between user and kernel address ranges
Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 6335 Comm: kworker/1:3 Not tainted 6.9.0-rc3-syzkaller-gb5d2afe8745b #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Workqueue: events l2cap_info_timeout
pstate: 804000c5 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __lock_acquire+0x104/0x763c kernel/locking/lockdep.c:5005
lr : lock_acquire+0x248/0x73c kernel/locking/lockdep.c:5754
sp : ffff800099df7400
x29: ffff800099df76c0 x28: ffff80008a0693bc x27: ffff7000133beef0
x26: 1ffff00011dd00cc x25: 0000000000000000 x24: 0000000000000000
x23: ffff7000133beea8 x22: 0000000000000000 x21: 0000000000000000
x20: 0000000000000000 x19: 0000000000000258 x18: ffff800099df7240
x17: 0000000000013482 x16: ffff80008ae71464 x15: 0000000000000001
x14: 1fffe0001b8ef61f x13: ffff800099df7540 x12: dfff800000000000
x11: ffff8000803378f4 x10: ffff80008ee80664 x9 : 00000000000000f3
x8 : 000000000000004b x7 : ffff80008a0693bc x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000
x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000258
Call trace:
 __lock_acquire+0x104/0x763c kernel/locking/lockdep.c:5005
 lock_acquire+0x248/0x73c kernel/locking/lockdep.c:5754
 lock_sock_nested+0x5c/0x11c net/core/sock.c:3535
 lock_sock include/net/sock.h:1671 [inline]
 l2cap_sock_ready_cb+0x4c/0x130 net/bluetooth/l2cap_sock.c:1615
 l2cap_chan_ready net/bluetooth/l2cap_core.c:1229 [inline]
 l2cap_conn_start+0x6e0/0xe10 net/bluetooth/l2cap_core.c:1479
 l2cap_info_timeout+0x68/0xb8 net/bluetooth/l2cap_core.c:1641
 process_one_work+0x7b8/0x15d4 kernel/workqueue.c:3254
 process_scheduled_works kernel/workqueue.c:3335 [inline]
 worker_thread+0x938/0xef4 kernel/workqueue.c:3416
 kthread+0x288/0x310 kernel/kthread.c:388
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
Code: d0075f68 b9426108 34000208 d343fe68 (386c6908) 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	d0075f68 	adrp	x8, 0xebee000
   4:	b9426108 	ldr	w8, [x8, #608]
   8:	34000208 	cbz	w8, 0x48
   c:	d343fe68 	lsr	x8, x19, #3
* 10:	386c6908 	ldrb	w8, [x8, x12] <-- trapping instruction

Crashes (92):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2024/04/17 12:43 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci b5d2afe8745b 18f6e127 .config console log report syz [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/04/11 22:51 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci fec50db7033e 478efa7f .config console log report syz [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2023/09/02 18:09 net ae074e2b2fd4 696ea0d2 .config strace log report syz C [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce general protection fault in lock_sock_nested
2023/10/14 08:27 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 249eb8f39efb 6388bc36 .config console log report syz C [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/04/26 20:37 upstream c942a0cd3603 059e9963 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root general protection fault in lock_sock_nested
2024/04/21 05:48 upstream 977b1ef51866 af24b050 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root general protection fault in lock_sock_nested
2024/04/13 10:15 upstream fe46a7dd189e c8349e48 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root general protection fault in lock_sock_nested
2024/04/02 02:37 upstream fe46a7dd189e 6baf5069 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root general protection fault in lock_sock_nested
2024/03/20 16:04 upstream fe46a7dd189e 5b7d42ae .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root general protection fault in lock_sock_nested
2023/10/25 22:57 upstream 4f82870119a4 72e794c4 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root general protection fault in lock_sock_nested
2023/10/22 22:36 upstream fe3cfe869d5e 361b23dc .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root general protection fault in lock_sock_nested
2023/10/21 03:15 upstream c3200081020d 361b23dc .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root general protection fault in lock_sock_nested
2023/10/19 18:47 upstream dd72f9c7e512 42e1d524 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root general protection fault in lock_sock_nested
2023/10/17 02:04 upstream 58720809f527 6388bc36 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root general protection fault in lock_sock_nested
2023/10/16 15:35 upstream 58720809f527 6388bc36 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root general protection fault in lock_sock_nested
2023/10/15 18:09 upstream 9a3dad63edbe 6388bc36 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root general protection fault in lock_sock_nested
2023/09/20 05:39 upstream 2cf0f7156238 0b6a67ac .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root general protection fault in lock_sock_nested
2024/04/16 19:13 upstream 96fca68c4fbf 2338035c .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream general protection fault in lock_sock_nested
2024/04/11 17:43 upstream e8c39d0f57f3 3023abf0 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream general protection fault in lock_sock_nested
2023/10/16 15:29 upstream 58720809f527 f757a323 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 general protection fault in lock_sock_nested
2024/04/09 16:17 net f99c5f563c17 56086b24 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce general protection fault in lock_sock_nested
2024/04/08 12:12 net f99c5f563c17 ca620dd8 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce general protection fault in lock_sock_nested
2023/10/29 23:29 net c17cda15cc86 3c418d72 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce general protection fault in lock_sock_nested
2023/10/15 14:53 net 2f3389c73832 6388bc36 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce general protection fault in lock_sock_nested
2024/03/30 00:50 net-next 237bb5f7f7f5 c52bcb23 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-net-next-test-gce general protection fault in lock_sock_nested
2024/03/25 03:24 net-next 237bb5f7f7f5 0ea90952 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-net-next-test-gce general protection fault in lock_sock_nested
2024/02/21 13:41 net-next 2f3bfa8e30b5 3af7dd65 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-net-next-test-gce general protection fault in lock_sock_nested
2023/10/21 01:37 net-next 86a0348de985 361b23dc .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce general protection fault in lock_sock_nested
2023/10/18 03:48 net-next 7713ec844756 342b9c55 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce general protection fault in lock_sock_nested
2023/09/10 07:54 net-next 73be7fb14e83 6654cf89 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce general protection fault in lock_sock_nested
2023/10/03 23:07 linux-next c9f2baaa18b5 65faba36 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root general protection fault in lock_sock_nested
2024/04/24 07:58 upstream 9d1ddab261f3 21339d7b .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 KASAN: slab-use-after-free Read in lock_sock_nested
2024/01/15 14:23 upstream 052d534373b7 2a7bcc7f .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 UBSAN: array-index-out-of-bounds in lock_sock_nested
2024/04/26 01:50 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 6a71d2909427 8bdc0f22 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/04/25 00:29 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 6a71d2909427 8bdc0f22 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/04/23 20:57 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 6a71d2909427 21339d7b .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/04/22 21:53 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 6a71d2909427 21339d7b .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/04/22 17:45 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 6a71d2909427 af24b050 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/04/21 19:30 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 6a71d2909427 af24b050 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/04/21 18:27 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 6a71d2909427 af24b050 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/04/21 09:57 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 6a71d2909427 af24b050 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/04/20 16:00 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 6a71d2909427 af24b050 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/04/19 13:16 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci b5d2afe8745b af24b050 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/04/18 12:13 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci b5d2afe8745b af24b050 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/04/17 20:26 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci b5d2afe8745b bd38b692 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/04/15 18:04 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci b5d2afe8745b c8349e48 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/04/15 15:14 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci b5d2afe8745b c8349e48 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/04/13 07:25 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci b5d2afe8745b c8349e48 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/04/12 08:48 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci fec50db7033e 27de0a5c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/04/11 14:41 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci fec50db7033e 478efa7f .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/04/08 23:34 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 707081b61156 53df08b6 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/04/07 16:43 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 707081b61156 ca620dd8 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/04/07 11:11 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 707081b61156 ca620dd8 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/04/06 23:56 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 707081b61156 ca620dd8 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/04/06 21:21 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 707081b61156 ca620dd8 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/03/30 06:07 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 707081b61156 c52bcb23 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2023/11/24 21:55 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 8de1e7afcc1c 5b429f39 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2023/11/07 15:11 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 8de1e7afcc1c 83211397 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2023/11/01 07:11 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 8de1e7afcc1c 69904c9f .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2023/10/30 22:23 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 8de1e7afcc1c b5729d82 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested