syzbot

general protection fault in lock_sock_nested

Status: upstream: reported C repro on 2023/09/11 07:52
Subsystems: bluetooth
Reported-by: syzbot+d3ccfb78a0dc16ffebe3@syzkaller.appspotmail.com
First crash: 271d, last: 1d10h
Cause bisection: introduced by (bisect log):
commit 94d9ba9f9888b748d4abd2aa1547af56ae85f772
Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: Wed Aug 9 23:49:33 2023 +0000

  Bluetooth: hci_sync: Fix UAF in hci_disconnect_all_sync

Crash: BUG: unable to handle kernel NULL pointer dereference in lock_sock_nested (log)
Repro: C syz .config
  
Fix bisection: fixed by (bisect log):
commit 181a42edddf51d5d9697ecdf365d72ebeab5afb0
Author: Ziyang Xuan <william.xuanziyang@huawei.com>
Date: Wed Oct 11 09:57:31 2023 +0000

  Bluetooth: Make handle of hci_conn be unique

Discussions (3)
Title Replies (including bot) Last reply
[syzbot] Monthly bluetooth report (May 2024) 0 (1) 2024/05/10 08:47
[syzbot] Monthly bluetooth report (Apr 2024) 0 (1) 2024/04/08 12:51
[syzbot] [bluetooth?] general protection fault in lock_sock_nested 0 (2) 2023/12/25 11:40
Similar bugs (12)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-49 general protection fault in lock_sock_nested 1 2298d 2298d 0/3 auto-closed as invalid on 2019/02/22 12:39
linux-4.14 general protection fault in lock_sock_nested 4 1116d 1334d 0/1 auto-closed as invalid on 2021/09/04 19:35
linux-5.15 general protection fault in lock_sock_nested origin:upstream syz 25 6d05h 53d 0/3 upstream: reported syz repro on 2024/04/04 13:25
linux-6.1 general protection fault in lock_sock_nested 10 3d03h 43d 0/3 upstream: reported on 2024/04/14 08:46
upstream BUG: unable to handle kernel paging request in lock_sock_nested bluetooth 43 951d 1391d 0/26 auto-closed as invalid on 2022/02/16 22:16
linux-4.19 KASAN: wild-memory-access Write in lock_sock_nested 2 1215d 1284d 0/1 auto-closed as invalid on 2021/05/28 14:35
linux-4.19 KASAN: use-after-free Read in lock_sock_nested C 471 454d 1767d 0/1 upstream: reported C repro on 2019/07/26 21:27
linux-4.14 KASAN: use-after-free Read in lock_sock_nested C inconclusive 331 494d 1860d 0/1 upstream: reported C repro on 2019/04/24 06:28
upstream KASAN: use-after-free Read in lock_sock_nested hams C inconclusive done 1856 363d 1972d 0/26 auto-obsoleted due to no activity on 2023/08/23 09:06
linux-4.14 BUG: unable to handle kernel paging request in lock_sock_nested 4 1109d 1228d 0/1 auto-closed as invalid on 2021/09/11 11:51
upstream KASAN: slab-out-of-bounds Read in lock_sock_nested bluetooth syz unreliable done 23 945d 1385d 0/26 auto-obsoleted due to no activity on 2022/09/29 10:19
linux-4.19 KASAN: slab-out-of-bounds Read in lock_sock_nested 14 628d 1292d 0/1 auto-obsoleted due to no activity on 2023/01/05 15:59
Last patch testing requests (4)
Created Duration User Patch Repo Result
2024/01/31 17:29 28m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci OK log
2023/11/21 16:14 19m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci report log
2023/11/21 15:12 23m retest repro net OK log
2023/09/11 11:44 22m hdanton@sina.com patch net OK log

Sample crash report:
Unable to handle kernel paging request at virtual address dfff80000000004b
KASAN: null-ptr-deref in range [0x0000000000000258-0x000000000000025f]
Mem abort info:
  ESR = 0x0000000096000005
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x05: level 1 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
  CM = 0, WnR = 0, TnD = 0, TagAccess = 0
  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[dfff80000000004b] address between user and kernel address ranges
Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 6474 Comm: kworker/0:7 Not tainted 6.9.0-rc7-syzkaller-gfda5695d692c #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Workqueue: events l2cap_info_timeout
pstate: 804000c5 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __lock_acquire+0x104/0x763c kernel/locking/lockdep.c:5005
lr : lock_acquire+0x248/0x73c kernel/locking/lockdep.c:5754
sp : ffff8000a09a7400
x29: ffff8000a09a76c0 x28: ffff80008a080b10 x27: ffff700014134ef0
x26: 1ffff00011dd60cc x25: 0000000000000000 x24: 0000000000000000
x23: ffff700014134ea8 x22: 0000000000000000 x21: 0000000000000000
x20: 0000000000000000 x19: 0000000000000258 x18: ffff8000a09a7240
x17: 000000000001dde7 x16: ffff80008ae89f60 x15: 0000000000000001
x14: 1fffe00018d81c1f x13: ffff8000a09a7540 x12: dfff800000000000
x11: ffff80008033724c x10: ffff80008eeb0664 x9 : 00000000000000f3
x8 : 000000000000004b x7 : ffff80008a080b10 x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000
x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000258
Call trace:
 __lock_acquire+0x104/0x763c kernel/locking/lockdep.c:5005
 lock_acquire+0x248/0x73c kernel/locking/lockdep.c:5754
 lock_sock_nested+0x5c/0x11c net/core/sock.c:3535
 lock_sock include/net/sock.h:1673 [inline]
 l2cap_sock_ready_cb+0x4c/0x130 net/bluetooth/l2cap_sock.c:1604
 l2cap_chan_ready net/bluetooth/l2cap_core.c:1229 [inline]
 l2cap_conn_start+0x6e0/0xe10 net/bluetooth/l2cap_core.c:1479
 l2cap_info_timeout+0x68/0xb8 net/bluetooth/l2cap_core.c:1641
 process_one_work+0x7b8/0x15d4 kernel/workqueue.c:3267
 process_scheduled_works kernel/workqueue.c:3348 [inline]
 worker_thread+0x938/0xef4 kernel/workqueue.c:3429
 kthread+0x288/0x310 kernel/kthread.c:388
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
Code: d00760e8 b9430108 34000208 d343fe68 (386c6908) 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	d00760e8 	adrp	x8, 0xec1e000
   4:	b9430108 	ldr	w8, [x8, #768]
   8:	34000208 	cbz	w8, 0x48
   c:	d343fe68 	lsr	x8, x19, #3
* 10:	386c6908 	ldrb	w8, [x8, x12] <-- trapping instruction

Crashes (153):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2024/05/25 07:47 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci fda5695d692c a10a183e .config console log report syz [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/05/23 21:12 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci fda5695d692c 8f98448e .config console log report syz [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/05/18 05:36 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci fda5695d692c c0f1611a .config console log report syz [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/05/10 19:37 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci fda5695d692c f7c35481 .config console log report syz [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/04/28 13:08 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 6a71d2909427 07b455f9 .config console log report syz [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/04/17 12:43 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci b5d2afe8745b 18f6e127 .config console log report syz [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/04/11 22:51 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci fec50db7033e 478efa7f .config console log report syz [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2023/09/02 18:09 net ae074e2b2fd4 696ea0d2 .config strace log report syz C [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce general protection fault in lock_sock_nested
2023/10/14 08:27 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 249eb8f39efb 6388bc36 .config console log report syz C [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/05/11 11:34 upstream f4345f05c0df 9026e142 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root general protection fault in lock_sock_nested
2024/05/10 19:16 upstream 448b3fe5a0ea f7c35481 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root general protection fault in lock_sock_nested
2024/04/26 20:37 upstream c942a0cd3603 059e9963 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root general protection fault in lock_sock_nested
2023/10/25 22:57 upstream 4f82870119a4 72e794c4 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root general protection fault in lock_sock_nested
2023/10/22 22:36 upstream fe3cfe869d5e 361b23dc .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root general protection fault in lock_sock_nested
2023/09/20 05:39 upstream 2cf0f7156238 0b6a67ac .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root general protection fault in lock_sock_nested
2024/04/16 19:13 upstream 96fca68c4fbf 2338035c .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream general protection fault in lock_sock_nested
2024/05/26 13:56 net 0b4f5add9fa5 a10a183e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce general protection fault in lock_sock_nested
2024/05/20 08:58 net 4b377b4868ef c0f1611a .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce general protection fault in lock_sock_nested
2024/05/20 05:24 net 4b377b4868ef c0f1611a .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce general protection fault in lock_sock_nested
2024/05/19 06:20 net 4b377b4868ef c0f1611a .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce general protection fault in lock_sock_nested
2024/05/17 15:00 net f6f25eebe05f a12e99e7 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce general protection fault in lock_sock_nested
2024/05/13 01:53 net 1164057b3c00 9026e142 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce general protection fault in lock_sock_nested
2024/05/12 21:16 net 1164057b3c00 9026e142 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce general protection fault in lock_sock_nested
2024/05/12 17:10 net 1164057b3c00 9026e142 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce general protection fault in lock_sock_nested
2024/05/09 23:17 net 6e7ffa180a53 de979bc2 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce general protection fault in lock_sock_nested
2024/05/09 17:09 net 6e7ffa180a53 de979bc2 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce general protection fault in lock_sock_nested
2024/05/06 04:30 net fa870b45b08a 610f2a54 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce general protection fault in lock_sock_nested
2024/05/05 06:14 net fa870b45b08a 610f2a54 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce general protection fault in lock_sock_nested
2024/05/04 17:40 net fa870b45b08a 610f2a54 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce general protection fault in lock_sock_nested
2024/05/04 12:27 net e0863634bf9f 610f2a54 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce general protection fault in lock_sock_nested
2024/04/29 10:02 net bef1e4c8c3e0 27e33c58 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce general protection fault in lock_sock_nested
2024/04/27 21:20 net b2ff42c6d3ab 07b455f9 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce general protection fault in lock_sock_nested
2024/05/26 17:20 net-next 66ad4829ddd0 a10a183e .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-net-next-test-gce general protection fault in lock_sock_nested
2024/05/22 21:43 net-next 4b377b4868ef 4d098039 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-net-next-test-gce general protection fault in lock_sock_nested
2024/05/17 23:22 net-next 1b294a1f3561 a12e99e7 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-net-next-test-gce general protection fault in lock_sock_nested
2024/05/13 12:17 net-next cddd2dc6390b 9026e142 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-net-next-test-gce general protection fault in lock_sock_nested
2024/05/12 02:13 net-next cddd2dc6390b 9026e142 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-net-next-test-gce general protection fault in lock_sock_nested
2024/05/07 07:25 net-next 8c4e4798123f fa7a5cf0 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-net-next-test-gce general protection fault in lock_sock_nested
2023/10/21 01:37 net-next 86a0348de985 361b23dc .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce general protection fault in lock_sock_nested
2023/09/10 07:54 net-next 73be7fb14e83 6654cf89 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce general protection fault in lock_sock_nested
2024/05/09 00:32 linux-next e7b4ef8fffac 20bf80e1 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root general protection fault in lock_sock_nested
2024/04/24 07:58 upstream 9d1ddab261f3 21339d7b .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 KASAN: slab-use-after-free Read in lock_sock_nested
2024/01/15 14:23 upstream 052d534373b7 2a7bcc7f .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 UBSAN: array-index-out-of-bounds in lock_sock_nested
2024/05/25 05:39 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci fda5695d692c a10a183e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/05/23 18:03 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci fda5695d692c 8f98448e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/05/22 05:43 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci fda5695d692c 1014eca7 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/05/21 00:00 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci fda5695d692c c0f1611a .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/05/18 10:32 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci fda5695d692c c0f1611a .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/05/13 18:54 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci fda5695d692c fdb4c10c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/05/10 16:56 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci fda5695d692c f7c35481 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/05/06 23:44 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 78186bd77b47 c035c6de .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/05/06 16:00 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 78186bd77b47 c035c6de .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/05/05 20:29 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 78186bd77b47 610f2a54 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/05/05 16:19 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 78186bd77b47 610f2a54 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/05/03 22:50 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 78186bd77b47 610f2a54 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/05/02 20:44 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 6a71d2909427 ddfc15a1 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/05/02 18:32 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 6a71d2909427 3ba885bc .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/05/02 05:16 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 6a71d2909427 3ba885bc .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/05/01 06:53 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 6a71d2909427 9e0e6af1 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/04/29 23:09 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 6a71d2909427 27e33c58 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/04/29 14:11 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 6a71d2909427 27e33c58 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/04/28 04:39 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 6a71d2909427 07b455f9 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/04/27 12:17 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 6a71d2909427 07b455f9 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
2024/04/26 01:50 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 6a71d2909427 8bdc0f22 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in lock_sock_nested
* Struck through repros no longer work on HEAD.