BUG: unable to handle kernel paging request in lock_sock

BUG: unable to handle kernel paging request in lock_sock_nested
Status: upstream: reported on 2020/08/05 16:09
Reported-by: syzbot+3ea58ce4ad976e46ca65@syzkaller.appspotmail.com
First crash: 258d, last: 9h50m

similar bugs (8):
Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
linux-4.14	BUG: unable to handle kernel paging request in lock_sock_nested				2	15d	96d	0/1	upstream: reported on 2021/01/15 05:46
linux-4.19	KASAN: wild-memory-access Write in lock_sock_nested				2	82d	151d	0/1	upstream: reported on 2020/11/20 18:06
linux-4.14	general protection fault in lock_sock_nested				3	80d	201d	0/1	upstream: reported on 2020/10/01 19:05
linux-4.19	KASAN: use-after-free Read in lock_sock_nested	C			198	1d11h	634d	0/1	upstream: reported C repro on 2019/07/26 21:27
linux-4.14	KASAN: use-after-free Read in lock_sock_nested	C		inconclusive	259	20h52m	728d	0/1	upstream: reported C repro on 2019/04/24 06:28
upstream	KASAN: use-after-free Read in lock_sock_nested	C	inconclusive	done	1323	13h10m	839d	0/22	upstream: reported C repro on 2019/01/02 10:41
upstream	KASAN: slab-out-of-bounds Read in lock_sock_nested	syz	unreliable		16	20d	252d	0/22	upstream: reported syz repro on 2020/08/11 16:59
linux-4.19	KASAN: slab-out-of-bounds Read in lock_sock_nested				3	54d	159d	0/1	upstream: reported on 2020/11/12 16:53

Sample crash report:

BUG: unable to handle page fault for address: fffffbfff353f732
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 23ffe9067 P4D 23ffe9067 PUD 23ffe8067 PMD 0 
Oops: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 9718 Comm: kworker/1:6 Not tainted 5.12.0-rc8-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events l2cap_chan_timeout
RIP: 0010:bytes_is_nonzero mm/kasan/generic.c:85 [inline]
RIP: 0010:memory_is_nonzero mm/kasan/generic.c:102 [inline]
RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:128 [inline]
RIP: 0010:memory_is_poisoned mm/kasan/generic.c:159 [inline]
RIP: 0010:check_region_inline mm/kasan/generic.c:177 [inline]
RIP: 0010:kasan_check_range+0x80/0x2f0 mm/kasan/generic.c:186
Code: 00 00 fc ff df 4d 01 ea 4d 89 d6 4d 29 ce 49 83 fe 10 7f 30 4d 85 f6 0f 84 ae 01 00 00 4c 89 cb 4c 29 d3 0f 1f 80 00 00 00 00 <45> 0f b6 19 45 84 db 0f 85 f3 01 00 00 49 ff c1 48 ff c3 75 eb e9
RSP: 0018:ffffc9000cd475b0 EFLAGS: 00010097
RAX: 00000000015a6401 RBX: ffffffffffffffff RCX: ffffffff81607e57
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffffff9a9fb990
RBP: ffffc9000cd47970 R08: dffffc0000000000 R09: fffffbfff353f732
R10: fffffbfff353f733 R11: 0000000000000000 R12: 1ffffffff353f732
R13: dffffc0000000001 R14: 0000000000000001 R15: ffff888023a826f0
FS:  0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffbfff353f732 CR3: 0000000019994000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 instrument_atomic_read include/linux/instrumented.h:71 [inline]
 test_bit include/asm-generic/bitops/instrumented-non-atomic.h:134 [inline]
 __lock_acquire+0xe17/0x6040 kernel/locking/lockdep.c:4871
 lock_acquire+0x17f/0x720 kernel/locking/lockdep.c:5511
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
 _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:175
 spin_lock_bh include/linux/spinlock.h:359 [inline]
 lock_sock_nested+0x48/0x110 net/core/sock.c:3057
 l2cap_sock_teardown_cb+0x76/0x360 net/bluetooth/l2cap_sock.c:1520
 l2cap_chan_del+0xaf/0x610 net/bluetooth/l2cap_core.c:618
 l2cap_chan_timeout+0x12c/0x280 net/bluetooth/l2cap_core.c:436
 process_one_work+0x833/0x10c0 kernel/workqueue.c:2275
 worker_thread+0xac1/0x1300 kernel/workqueue.c:2421
 kthread+0x39a/0x3c0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
Modules linked in:
CR2: fffffbfff353f732
---[ end trace cc7d397893cacf8e ]---
RIP: 0010:bytes_is_nonzero mm/kasan/generic.c:85 [inline]
RIP: 0010:memory_is_nonzero mm/kasan/generic.c:102 [inline]
RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:128 [inline]
RIP: 0010:memory_is_poisoned mm/kasan/generic.c:159 [inline]
RIP: 0010:check_region_inline mm/kasan/generic.c:177 [inline]
RIP: 0010:kasan_check_range+0x80/0x2f0 mm/kasan/generic.c:186
Code: 00 00 fc ff df 4d 01 ea 4d 89 d6 4d 29 ce 49 83 fe 10 7f 30 4d 85 f6 0f 84 ae 01 00 00 4c 89 cb 4c 29 d3 0f 1f 80 00 00 00 00 <45> 0f b6 19 45 84 db 0f 85 f3 01 00 00 49 ff c1 48 ff c3 75 eb e9
RSP: 0018:ffffc9000cd475b0 EFLAGS: 00010097
RAX: 00000000015a6401 RBX: ffffffffffffffff RCX: ffffffff81607e57
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffffff9a9fb990
RBP: ffffc9000cd47970 R08: dffffc0000000000 R09: fffffbfff353f732
R10: fffffbfff353f733 R11: 0000000000000000 R12: 1ffffffff353f732
R13: dffffc0000000001 R14: 0000000000000001 R15: ffff888023a826f0
FS:  0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffbfff353f732 CR3: 0000000019994000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (32):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	VM info	Title
ci-upstream-kasan-gce-smack-root	2021/04/20 22:24	upstream	7af08140	c0ced557	.config	log	report	info	BUG: unable to handle kernel paging request in lock_sock_nested
ci-upstream-kasan-gce-selinux-root	2021/01/31 14:19	upstream	6642d600	fc9fd31e	.config	log	report	info	BUG: unable to handle kernel paging request in lock_sock_nested
ci-qemu-upstream-386	2021/03/02 23:08	upstream	7a7fd0de	e5b64d68	.config	log	report	info	BUG: unable to handle kernel paging request in lock_sock_nested
ci-qemu-upstream-386	2021/01/30 09:10	upstream	0e9bcda5	fc9fd31e	.config	log	report	info	BUG: unable to handle kernel paging request in lock_sock_nested
ci-upstream-net-this-kasan-gce	2021/03/07 13:28	net	9270bbe2	75506d9c	.config	log	report	info	BUG: unable to handle kernel paging request in lock_sock_nested
ci-upstream-net-this-kasan-gce	2021/03/01 20:30	net	447621e3	183afb6c	.config	log	report	info	BUG: unable to handle kernel paging request in lock_sock_nested
ci-upstream-net-kasan-gce	2021/04/04 16:39	net-next	428e68e1	6a81331a	.config	log	report	info	BUG: unable to handle kernel paging request in lock_sock_nested
ci-upstream-net-kasan-gce	2021/04/03 01:11	net-next	bd78980b	6a81331a	.config	log	report	info	BUG: unable to handle kernel paging request in lock_sock_nested
ci-upstream-net-kasan-gce	2021/04/02 13:58	net-next	bd78980b	6a81331a	.config	log	report	info	BUG: unable to handle kernel paging request in lock_sock_nested
ci-upstream-net-kasan-gce	2021/03/22 17:04	net-next	a1e6f641	bea32f74	.config	log	report	info	BUG: unable to handle kernel paging request in lock_sock_nested
ci-upstream-net-kasan-gce	2021/02/19 21:29	net-next	38b5133a	f689d40a	.config	log	report	info	BUG: unable to handle kernel paging request in lock_sock_nested
ci-upstream-net-kasan-gce	2021/02/04 04:47	net-next	32d1bbb1	624dad51	.config	log	report	info	BUG: unable to handle kernel paging request in lock_sock_nested
ci-upstream-linux-next-kasan-gce-root	2021/01/27 23:32	linux-next	bc085f8f	eefc07f2	.config	log	report	info	BUG: unable to handle kernel paging request in lock_sock_nested
ci-upstream-kasan-gce-root	2020/08/15 06:34	upstream	b923f124	424dd8e7	.config	log	report
ci-upstream-kasan-gce-root	2020/08/13 00:08	upstream	fb893de3	bc15f7db	.config	log	report
ci-upstream-net-this-kasan-gce	2020/09/21 12:18	net	e1b81391	9e1fa68e	.config	log	report	info
ci-upstream-net-this-kasan-gce	2020/09/07 12:00	net	4ddcaf1e	abf9ba4f	.config	log	report
ci-upstream-net-this-kasan-gce	2020/08/16 11:22	net	4ca0d9ac	424dd8e7	.config	log	report
ci-upstream-net-this-kasan-gce	2020/08/16 04:04	net	4ca0d9ac	424dd8e7	.config	log	report
ci-upstream-net-this-kasan-gce	2020/08/05 15:20	net	ac3a0c84	b7129355	.config	log	report
ci-upstream-net-kasan-gce	2020/12/29 12:18	net-next	3db1a3fa	8259d56c	.config	log	report	info
ci-upstream-net-kasan-gce	2020/11/12 21:06	net-next	e545f865	77a55c8e	.config	log	report	info
ci-upstream-net-kasan-gce	2020/09/29 22:29	net-next	28009571	5abc3f1a	.config	log	report	info
ci-upstream-net-kasan-gce	2020/09/22 19:41	net-next	92ec804f	3e8f6c27	.config	log	report	info
ci-upstream-net-kasan-gce	2020/09/11 07:39	net-next	9984c0bb	adfb8b4e	.config	log	report
ci-upstream-net-kasan-gce	2020/09/02 07:41	net-next	dc1a9bf2	abf9ba4f	.config	log	report
ci-upstream-net-kasan-gce	2020/09/01 20:10	net-next	10eb4667	d5a3ae1f	.config	log	report
ci-upstream-net-kasan-gce	2020/08/16 22:40	net-next	7fca4dee	424dd8e7	.config	log	report
ci-upstream-net-kasan-gce	2020/08/16 10:50	net-next	7fca4dee	424dd8e7	.config	log	report
ci-upstream-net-kasan-gce	2020/08/09 21:21	net-next	bfdd5aaa	70301872	.config	log	report
ci-upstream-net-kasan-gce	2020/08/08 12:56	net-next	bfdd5aaa	ff51e522	.config	log	report
ci-upstream-kmsan-gce-386	2021/03/21 03:51	https://github.com/google/kmsan.git master	29ad81a1	17810eae	.config	log	report	info	KMSAN: uninit-value in lock_sock_nested