syzbot

general protection fault in lock_sock_nested

Status: upstream: reported C repro on 2023/09/11 07:52
Subsystems: bluetooth
Reported-by: syzbot+d3ccfb78a0dc16ffebe3@syzkaller.appspotmail.com
First crash: 177d, last: 2d20h
Cause bisection: introduced by (bisect log) :
commit 94d9ba9f9888b748d4abd2aa1547af56ae85f772
Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: Wed Aug 9 23:49:33 2023 +0000

  Bluetooth: hci_sync: Fix UAF in hci_disconnect_all_sync

Crash: BUG: unable to handle kernel NULL pointer dereference in lock_sock_nested (log)
Repro: C syz .config
Fix bisection: fixed by (bisect log) :
commit 181a42edddf51d5d9697ecdf365d72ebeab5afb0
Author: Ziyang Xuan <william.xuanziyang@huawei.com>
Date: Wed Oct 11 09:57:31 2023 +0000

  Bluetooth: Make handle of hci_conn be unique

Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [bluetooth?] general protection fault in lock_sock_nested 0 (2) 2023/12/25 11:40
Similar bugs (10)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-49 general protection fault in lock_sock_nested 1 2204d 2204d 0/3 auto-closed as invalid on 2019/02/22 12:39
linux-4.14 general protection fault in lock_sock_nested 4 1022d 1240d 0/1 auto-closed as invalid on 2021/09/04 19:35
upstream BUG: unable to handle kernel paging request in lock_sock_nested bluetooth 43 857d 1297d 0/26 auto-closed as invalid on 2022/02/16 22:16
linux-4.19 KASAN: wild-memory-access Write in lock_sock_nested 2 1121d 1190d 0/1 auto-closed as invalid on 2021/05/28 14:35
linux-4.19 KASAN: use-after-free Read in lock_sock_nested C 471 360d 1673d 0/1 upstream: reported C repro on 2019/07/26 21:27
linux-4.14 KASAN: use-after-free Read in lock_sock_nested C inconclusive 331 400d 1767d 0/1 upstream: reported C repro on 2019/04/24 06:28
upstream KASAN: use-after-free Read in lock_sock_nested hams C inconclusive done 1856 269d 1878d 0/26 auto-obsoleted due to no activity on 2023/08/23 09:06
linux-4.14 BUG: unable to handle kernel paging request in lock_sock_nested 4 1015d 1135d 0/1 auto-closed as invalid on 2021/09/11 11:51
upstream KASAN: slab-out-of-bounds Read in lock_sock_nested bluetooth syz unreliable done 23 851d 1291d 0/26 auto-obsoleted due to no activity on 2022/09/29 10:19
linux-4.19 KASAN: slab-out-of-bounds Read in lock_sock_nested 14 534d 1198d 0/1 auto-obsoleted due to no activity on 2023/01/05 15:59
Last patch testing requests (4)
Created Duration User Patch Repo Result
2024/01/31 17:29 28m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci OK log
2023/11/21 16:14 19m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci report log
2023/11/21 15:12 23m retest repro net OK log
2023/09/11 11:44 22m hdanton@sina.com patch net OK log

Sample crash report:
general protection fault, probably for non-canonical address 0xdffffc0000000026: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000130-0x0000000000000137]
CPU: 0 PID: 918 Comm: kworker/0:2 Not tainted 6.5.0-syzkaller-04011-gae074e2b2fd4 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
Workqueue: events l2cap_info_timeout
RIP: 0010:__lock_acquire+0x109/0x5de0 kernel/locking/lockdep.c:5012
Code: 45 85 c9 0f 84 cc 0e 00 00 44 8b 05 a1 14 23 0b 45 85 c0 0f 84 be 0d 00 00 48 ba 00 00 00 00 00 fc ff df 4c 89 d1 48 c1 e9 03 <80> 3c 11 00 0f 85 e8 40 00 00 49 81 3a a0 a9 3e 90 0f 84 96 0d 00
RSP: 0018:ffffc90004c8f8e8 EFLAGS: 00010002
RAX: ffff8880206d8000 RBX: 1ffff92000991f4d RCX: 0000000000000026
RDX: dffffc0000000000 RSI: 0000000000000000 RDI: 0000000000000130
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000130 R11: 0000000000000001 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f0da069df50 CR3: 000000007a80d000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 lock_acquire kernel/locking/lockdep.c:5761 [inline]
 lock_acquire+0x1ae/0x510 kernel/locking/lockdep.c:5726
 lock_sock_nested+0x3a/0xf0 net/core/sock.c:3505
 lock_sock include/net/sock.h:1722 [inline]
 l2cap_sock_ready_cb+0x41/0x160 net/bluetooth/l2cap_sock.c:1630
 l2cap_chan_ready net/bluetooth/l2cap_core.c:1365 [inline]
 l2cap_conn_start+0x15c/0xa40 net/bluetooth/l2cap_core.c:1640
 process_one_work+0xaa2/0x16f0 kernel/workqueue.c:2600
 worker_thread+0x687/0x1110 kernel/workqueue.c:2751
 kthread+0x33a/0x430 kernel/kthread.c:389
 ret_from_fork+0x2c/0x70 arch/x86/kernel/process.c:145
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__lock_acquire+0x109/0x5de0 kernel/locking/lockdep.c:5012
Code: 45 85 c9 0f 84 cc 0e 00 00 44 8b 05 a1 14 23 0b 45 85 c0 0f 84 be 0d 00 00 48 ba 00 00 00 00 00 fc ff df 4c 89 d1 48 c1 e9 03 <80> 3c 11 00 0f 85 e8 40 00 00 49 81 3a a0 a9 3e 90 0f 84 96 0d 00
RSP: 0018:ffffc90004c8f8e8 EFLAGS: 00010002
RAX: ffff8880206d8000 RBX: 1ffff92000991f4d RCX: 0000000000000026
RDX: dffffc0000000000 RSI: 0000000000000000 RDI: 0000000000000130
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000130 R11: 0000000000000001 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f0da069df50 CR3: 000000007a80d000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	45 85 c9             	test   %r9d,%r9d
   3:	0f 84 cc 0e 00 00    	je     0xed5
   9:	44 8b 05 a1 14 23 0b 	mov    0xb2314a1(%rip),%r8d        # 0xb2314b1
  10:	45 85 c0             	test   %r8d,%r8d
  13:	0f 84 be 0d 00 00    	je     0xdd7
  19:	48 ba 00 00 00 00 00 	movabs $0xdffffc0000000000,%rdx
  20:	fc ff df
  23:	4c 89 d1             	mov    %r10,%rcx
  26:	48 c1 e9 03          	shr    $0x3,%rcx
* 2a:	80 3c 11 00          	cmpb   $0x0,(%rcx,%rdx,1) <-- trapping instruction
  2e:	0f 85 e8 40 00 00    	jne    0x411c
  34:	49 81 3a a0 a9 3e 90 	cmpq   $0xffffffff903ea9a0,(%r10)
  3b:	0f                   	.byte 0xf
  3c:	84                   	.byte 0x84
  3d:	96                   	xchg   %eax,%esi
  3e:	0d                   	.byte 0xd

Crashes (52):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2023/09/02 18:09 net ae074e2b2fd4 696ea0d2 .config strace log report syz C [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce general protection fault in lock_sock_nested
2023/10/14 08:27 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 249eb8f39efb 6388bc36 .config console log report syz C [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2023/10/25 22:57 upstream 4f82870119a4 72e794c4 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root general protection fault in lock_sock_nested
2023/10/22 22:36 upstream fe3cfe869d5e 361b23dc .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root general protection fault in lock_sock_nested
2023/10/21 03:15 upstream c3200081020d 361b23dc .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root general protection fault in lock_sock_nested
2023/10/19 18:47 upstream dd72f9c7e512 42e1d524 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root general protection fault in lock_sock_nested
2023/10/17 02:04 upstream 58720809f527 6388bc36 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root general protection fault in lock_sock_nested
2023/10/16 15:35 upstream 58720809f527 6388bc36 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root general protection fault in lock_sock_nested
2023/10/15 18:09 upstream 9a3dad63edbe 6388bc36 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root general protection fault in lock_sock_nested
2023/10/14 12:26 upstream 727fb8376504 6388bc36 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root general protection fault in lock_sock_nested
2023/10/11 15:37 upstream 1c8b86a3799f 83165b57 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root general protection fault in lock_sock_nested
2023/10/08 23:08 upstream b9ddbb0cde2a 5e837c76 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root general protection fault in lock_sock_nested
2023/10/07 12:30 upstream 82714078aee4 5e837c76 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root general protection fault in lock_sock_nested
2023/10/03 01:04 upstream 8f1b4600373f 50b20e75 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root general protection fault in lock_sock_nested
2023/10/01 18:09 upstream e402b08634b3 8e26a358 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root general protection fault in lock_sock_nested
2023/09/30 22:18 upstream 9f3ebbef746f 8e26a358 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root general protection fault in lock_sock_nested
2023/09/21 14:53 upstream 42dc814987c1 0b6a67ac .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root general protection fault in lock_sock_nested
2023/09/20 05:39 upstream 2cf0f7156238 0b6a67ac .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root general protection fault in lock_sock_nested
2023/08/30 21:17 upstream 6c1b980a7e79 84803932 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root general protection fault in lock_sock_nested
2023/09/19 21:43 upstream 2cf0f7156238 0b6a67ac .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream general protection fault in lock_sock_nested
2023/10/16 15:29 upstream 58720809f527 f757a323 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 general protection fault in lock_sock_nested
2023/10/29 23:29 net c17cda15cc86 3c418d72 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce general protection fault in lock_sock_nested
2023/10/15 14:53 net 2f3389c73832 6388bc36 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce general protection fault in lock_sock_nested
2023/10/12 16:46 net 50e492143374 fc170927 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce general protection fault in lock_sock_nested
2023/10/08 23:21 net 66cf7435a269 5e837c76 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce general protection fault in lock_sock_nested
2023/10/03 05:35 net 6a70e5cbedaf 50b20e75 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce general protection fault in lock_sock_nested
2023/09/02 10:53 net ae074e2b2fd4 696ea0d2 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce general protection fault in lock_sock_nested
2024/02/21 13:41 net-next 2f3bfa8e30b5 3af7dd65 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-net-next-test-gce general protection fault in lock_sock_nested
2023/10/21 01:37 net-next 86a0348de985 361b23dc .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce general protection fault in lock_sock_nested
2023/10/18 03:48 net-next 7713ec844756 342b9c55 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce general protection fault in lock_sock_nested
2023/10/06 20:05 net-next 1a4890878241 ea12a918 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce general protection fault in lock_sock_nested
2023/10/04 22:07 net-next 20f7cce7cf18 b7d7ff54 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce general protection fault in lock_sock_nested
2023/10/01 17:58 net-next 66ac08a7385f 8e26a358 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce general protection fault in lock_sock_nested
2023/09/30 11:26 net-next 7c7dd1d64910 8e26a358 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce general protection fault in lock_sock_nested
2023/09/28 13:55 net-next d387e34fec40 c2ab1e5d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce general protection fault in lock_sock_nested
2023/09/22 10:58 net-next e9cbc89067cc 0b6a67ac .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce general protection fault in lock_sock_nested
2023/09/16 07:03 net-next 4fa5ce3e3a10 0b6a67ac .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce general protection fault in lock_sock_nested
2023/09/16 02:51 net-next 4fa5ce3e3a10 0b6a67ac .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce general protection fault in lock_sock_nested
2023/09/15 04:50 net-next 59bb1d698028 0b6a67ac .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce general protection fault in lock_sock_nested
2023/09/10 07:54 net-next 73be7fb14e83 6654cf89 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce general protection fault in lock_sock_nested
2023/09/10 02:43 net-next 73be7fb14e83 6654cf89 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce general protection fault in lock_sock_nested
2023/09/05 13:05 net-next bd6c11bc43c4 8bc9053e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce general protection fault in lock_sock_nested
2023/09/01 13:02 net-next bd6c11bc43c4 696ea0d2 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce general protection fault in lock_sock_nested
2023/08/31 10:12 net-next bd6c11bc43c4 84803932 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce general protection fault in lock_sock_nested
2023/10/03 23:07 linux-next c9f2baaa18b5 65faba36 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root general protection fault in lock_sock_nested
2023/09/10 04:46 linux-next af3c30d33476 6654cf89 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root general protection fault in lock_sock_nested
2024/01/15 14:23 upstream 052d534373b7 2a7bcc7f .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 UBSAN: array-index-out-of-bounds in lock_sock_nested
2023/11/24 21:55 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 8de1e7afcc1c 5b429f39 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2023/11/07 15:11 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 8de1e7afcc1c 83211397 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2023/11/01 07:11 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 8de1e7afcc1c 69904c9f .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2023/10/30 22:23 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 8de1e7afcc1c b5729d82 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2023/09/30 11:38 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 2e530aeb342b 8e26a358 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
* Struck through repros no longer work on HEAD.