syzbot


BUG: unable to handle kernel paging request in lock_sock_nested

Status: auto-closed as invalid on 2022/02/16 22:16
Subsystems: bluetooth
[Documentation on labels]
Reported-by: syzbot+3ea58ce4ad976e46ca65@syzkaller.appspotmail.com
First crash: 1418d, last: 977d
Discussions (1)
Title Replies (including bot) Last reply
BUG: unable to handle kernel paging request in lock_sock_nested 0 (1) 2020/08/05 16:09
Similar bugs (12)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream general protection fault in lock_sock_nested bluetooth C done done 203 1d19h 286d 0/27 upstream: reported C repro on 2023/09/11 07:52
linux-5.15 general protection fault in lock_sock_nested origin:upstream missing-backport syz 35 1h42m 80d 0/3 upstream: reported syz repro on 2024/04/04 13:25
linux-4.14 BUG: unable to handle kernel paging request in lock_sock_nested 4 1136d 1255d 0/1 auto-closed as invalid on 2021/09/11 11:51
linux-6.1 general protection fault in lock_sock_nested 32 1d20h 70d 0/3 upstream: reported on 2024/04/14 08:46
linux-4.19 KASAN: slab-out-of-bounds Read in lock_sock_nested 14 655d 1319d 0/1 auto-obsoleted due to no activity on 2023/01/05 15:59
linux-4.19 KASAN: wild-memory-access Write in lock_sock_nested 2 1242d 1311d 0/1 auto-closed as invalid on 2021/05/28 14:35
linux-4.14 general protection fault in lock_sock_nested 4 1142d 1360d 0/1 auto-closed as invalid on 2021/09/04 19:35
linux-4.19 KASAN: use-after-free Read in lock_sock_nested C 471 480d 1793d 0/1 upstream: reported C repro on 2019/07/26 21:27
linux-4.14 KASAN: use-after-free Read in lock_sock_nested C inconclusive 331 520d 1887d 0/1 upstream: reported C repro on 2019/04/24 06:28
upstream KASAN: use-after-free Read in lock_sock_nested hams C inconclusive done 1856 390d 1999d 0/27 auto-obsoleted due to no activity on 2023/08/23 09:06
upstream KASAN: slab-out-of-bounds Read in lock_sock_nested bluetooth syz unreliable done 23 972d 1412d 0/27 auto-obsoleted due to no activity on 2022/09/29 10:19
upstream KASAN: global-out-of-bounds Read in lock_sock_nested bluetooth 2 1359d 1300d 0/27 auto-closed as invalid on 2021/01/31 05:04

Sample crash report:
BUG: unable to handle page fault for address: fffffbfff34f1c2f
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 23ffe5067 P4D 23ffe5067 PUD 23ffe4067 PMD 0 
Oops: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 26284 Comm: syz-executor.2 Not tainted 5.15.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:bytes_is_nonzero mm/kasan/generic.c:85 [inline]
RIP: 0010:memory_is_nonzero mm/kasan/generic.c:102 [inline]
RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:128 [inline]
RIP: 0010:memory_is_poisoned mm/kasan/generic.c:159 [inline]
RIP: 0010:check_region_inline mm/kasan/generic.c:180 [inline]
RIP: 0010:kasan_check_range+0xdb/0x180 mm/kasan/generic.c:189
Code: 80 38 00 74 f2 48 89 c2 b8 01 00 00 00 48 85 d2 75 56 5b 5d 41 5c c3 48 85 d2 74 5e 48 01 ea eb 09 48 83 c0 01 48 39 d0 74 50 <80> 38 00 74 f2 eb d4 41 bc 08 00 00 00 48 89 ea 45 29 dc 4d 8d 1c
RSP: 0018:ffffc9000f22f5f8 EFLAGS: 00010096
RAX: fffffbfff34f1c2f RBX: fffffbfff34f1c30 RCX: ffffffff815b0e9a
RDX: fffffbfff34f1c30 RSI: 0000000000000008 RDI: ffffffff9a78e178
RBP: fffffbfff34f1c2f R08: 0000000000000000 R09: ffffffff9a78e17f
R10: fffffbfff34f1c2f R11: 0000000000000016 R12: ffff88803ed80ac0
R13: ffff88803ed80000 R14: ffff88803ed809f8 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffbfff34f1c2f CR3: 000000002487b000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
Call Trace:
 instrument_atomic_read include/linux/instrumented.h:71 [inline]
 test_bit include/asm-generic/bitops/instrumented-non-atomic.h:134 [inline]
 __lock_acquire+0x101a/0x54a0 kernel/locking/lockdep.c:4985
 lock_acquire kernel/locking/lockdep.c:5625 [inline]
 lock_acquire+0x1ab/0x510 kernel/locking/lockdep.c:5590
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
 _raw_spin_lock_bh+0x2f/0x40 kernel/locking/spinlock.c:178
 spin_lock_bh include/linux/spinlock.h:368 [inline]
 lock_sock_nested+0x40/0x120 net/core/sock.c:3183
 l2cap_sock_teardown_cb+0xa1/0x660 net/bluetooth/l2cap_sock.c:1528
 l2cap_chan_del+0xbc/0xa80 net/bluetooth/l2cap_core.c:622
 l2cap_conn_del+0x3c0/0x7b0 net/bluetooth/l2cap_core.c:1898
 l2cap_disconn_cfm net/bluetooth/l2cap_core.c:8177 [inline]
 l2cap_disconn_cfm+0x95/0xd0 net/bluetooth/l2cap_core.c:8170
 hci_disconn_cfm include/net/bluetooth/hci_core.h:1518 [inline]
 hci_conn_hash_flush+0x127/0x260 net/bluetooth/hci_conn.c:1608
 hci_dev_do_close+0x57d/0x1130 net/bluetooth/hci_core.c:1793
 hci_unregister_dev+0x1c0/0x5a0 net/bluetooth/hci_core.c:4029
 vhci_release+0x70/0xe0 drivers/bluetooth/hci_vhci.c:340
 __fput+0x288/0x9f0 fs/file_table.c:280
 task_work_run+0xdd/0x1a0 kernel/task_work.c:164
 exit_task_work include/linux/task_work.h:32 [inline]
 do_exit+0xbae/0x2a30 kernel/exit.c:825
 do_group_exit+0x125/0x310 kernel/exit.c:922
 get_signal+0x47f/0x2160 kernel/signal.c:2868
 arch_do_signal_or_restart+0x2a9/0x1c40 arch/x86/kernel/signal.c:865
 handle_signal_work kernel/entry/common.c:148 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
 exit_to_user_mode_prepare+0x17d/0x290 kernel/entry/common.c:209
 __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
 syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:302
 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f01057e9739
Code: Unable to access opcode bytes at RIP 0x7f01057e970f.
RSP: 002b:00007f0102d60218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f01058edf88 RCX: 00007f01057e9739
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f01058edf88
RBP: 00007f01058edf80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f01058edf8c
R13: 00007ffc53a835ef R14: 00007f0102d60300 R15: 0000000000022000
Modules linked in:
CR2: fffffbfff34f1c2f
---[ end trace 23f79cf7a13a9fe2 ]---
RIP: 0010:bytes_is_nonzero mm/kasan/generic.c:85 [inline]
RIP: 0010:memory_is_nonzero mm/kasan/generic.c:102 [inline]
RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:128 [inline]
RIP: 0010:memory_is_poisoned mm/kasan/generic.c:159 [inline]
RIP: 0010:check_region_inline mm/kasan/generic.c:180 [inline]
RIP: 0010:kasan_check_range+0xdb/0x180 mm/kasan/generic.c:189
Code: 80 38 00 74 f2 48 89 c2 b8 01 00 00 00 48 85 d2 75 56 5b 5d 41 5c c3 48 85 d2 74 5e 48 01 ea eb 09 48 83 c0 01 48 39 d0 74 50 <80> 38 00 74 f2 eb d4 41 bc 08 00 00 00 48 89 ea 45 29 dc 4d 8d 1c
RSP: 0018:ffffc9000f22f5f8 EFLAGS: 00010096
RAX: fffffbfff34f1c2f RBX: fffffbfff34f1c30 RCX: ffffffff815b0e9a
RDX: fffffbfff34f1c30 RSI: 0000000000000008 RDI: ffffffff9a78e178
RBP: fffffbfff34f1c2f R08: 0000000000000000 R09: ffffffff9a78e17f
R10: fffffbfff34f1c2f R11: 0000000000000016 R12: ffff88803ed80ac0
R13: ffff88803ed80000 R14: ffff88803ed809f8 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffbfff34f1c2f CR3: 000000002487b000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
----------------
Code disassembly (best guess):
   0:	80 38 00             	cmpb   $0x0,(%rax)
   3:	74 f2                	je     0xfffffff7
   5:	48 89 c2             	mov    %rax,%rdx
   8:	b8 01 00 00 00       	mov    $0x1,%eax
   d:	48 85 d2             	test   %rdx,%rdx
  10:	75 56                	jne    0x68
  12:	5b                   	pop    %rbx
  13:	5d                   	pop    %rbp
  14:	41 5c                	pop    %r12
  16:	c3                   	retq
  17:	48 85 d2             	test   %rdx,%rdx
  1a:	74 5e                	je     0x7a
  1c:	48 01 ea             	add    %rbp,%rdx
  1f:	eb 09                	jmp    0x2a
  21:	48 83 c0 01          	add    $0x1,%rax
  25:	48 39 d0             	cmp    %rdx,%rax
  28:	74 50                	je     0x7a
* 2a:	80 38 00             	cmpb   $0x0,(%rax) <-- trapping instruction
  2d:	74 f2                	je     0x21
  2f:	eb d4                	jmp    0x5
  31:	41 bc 08 00 00 00    	mov    $0x8,%r12d
  37:	48 89 ea             	mov    %rbp,%rdx
  3a:	45 29 dc             	sub    %r11d,%r12d
  3d:	4d                   	rex.WRB
  3e:	8d                   	.byte 0x8d
  3f:	1c                   	.byte 0x1c

Crashes (43):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2021/09/18 11:20 upstream 4357f03d6611 70b76c1d .config console log report info ci-upstream-kasan-gce-root BUG: unable to handle kernel paging request in lock_sock_nested
2021/05/02 01:17 upstream d2b6f8a17919 77e2b668 .config console log report info ci-upstream-kasan-gce-root BUG: unable to handle kernel paging request in lock_sock_nested
2021/04/20 22:24 upstream 7af08140979a c0ced557 .config console log report info ci-upstream-kasan-gce-smack-root BUG: unable to handle kernel paging request in lock_sock_nested
2021/01/31 14:19 upstream 6642d600b541 fc9fd31e .config console log report info ci-upstream-kasan-gce-selinux-root BUG: unable to handle kernel paging request in lock_sock_nested
2021/03/02 23:08 upstream 7a7fd0de4a98 e5b64d68 .config console log report info ci-qemu-upstream-386 BUG: unable to handle kernel paging request in lock_sock_nested
2021/01/30 09:10 upstream 0e9bcda5d286 fc9fd31e .config console log report info ci-qemu-upstream-386 BUG: unable to handle kernel paging request in lock_sock_nested
2021/10/19 22:15 net-old 04ee2752a5a9 466b7db1 .config console log report info ci-upstream-net-this-kasan-gce BUG: unable to handle kernel paging request in lock_sock_nested
2021/10/12 02:11 net-old 732b74d64704 838e7e2c .config console log report info ci-upstream-net-this-kasan-gce BUG: unable to handle kernel paging request in lock_sock_nested
2021/04/30 17:56 net-old bbd6f0a94813 77e2b668 .config console log report info ci-upstream-net-this-kasan-gce BUG: unable to handle kernel paging request in lock_sock_nested
2021/03/07 13:28 net-old 9270bbe258c8 75506d9c .config console log report info ci-upstream-net-this-kasan-gce BUG: unable to handle kernel paging request in lock_sock_nested
2021/03/01 20:30 net-old 447621e373bd 183afb6c .config console log report info ci-upstream-net-this-kasan-gce BUG: unable to handle kernel paging request in lock_sock_nested
2021/09/17 00:17 net-next-old 52583c8d8b12 aae492f2 .config console log report info ci-upstream-net-kasan-gce BUG: unable to handle kernel paging request in lock_sock_nested
2021/06/07 00:47 net-next-old 1a42624aecba 500c2339 .config console log report info ci-upstream-net-kasan-gce BUG: unable to handle kernel paging request in lock_sock_nested
2021/05/15 20:41 net-next-old 77091933e453 93f844de .config console log report info ci-upstream-net-kasan-gce BUG: unable to handle kernel paging request in lock_sock_nested
2021/04/04 16:39 net-next-old 428e68e1a85a 6a81331a .config console log report info ci-upstream-net-kasan-gce BUG: unable to handle kernel paging request in lock_sock_nested
2021/04/03 01:11 net-next-old bd78980be1a6 6a81331a .config console log report info ci-upstream-net-kasan-gce BUG: unable to handle kernel paging request in lock_sock_nested
2021/04/02 13:58 net-next-old bd78980be1a6 6a81331a .config console log report info ci-upstream-net-kasan-gce BUG: unable to handle kernel paging request in lock_sock_nested
2021/03/22 17:04 net-next-old a1e6f641e307 bea32f74 .config console log report info ci-upstream-net-kasan-gce BUG: unable to handle kernel paging request in lock_sock_nested
2021/02/19 21:29 net-next-old 38b5133ad607 f689d40a .config console log report info ci-upstream-net-kasan-gce BUG: unable to handle kernel paging request in lock_sock_nested
2021/02/04 04:47 net-next-old 32d1bbb1d609 624dad51 .config console log report info ci-upstream-net-kasan-gce BUG: unable to handle kernel paging request in lock_sock_nested
2021/01/27 23:32 linux-next bc085f8fc88f eefc07f2 .config console log report info ci-upstream-linux-next-kasan-gce-root BUG: unable to handle kernel paging request in lock_sock_nested
2021/08/02 13:35 upstream c500bee1c5b2 6c236867 .config console log report info ci-upstream-kasan-gce-smack-root KASAN: global-out-of-bounds Read in lock_sock_nested
2021/07/13 23:42 upstream 40226a3d96ef fa0594c3 .config console log report info ci-upstream-kasan-gce-smack-root UBSAN: array-index-out-of-bounds in lock_sock_nested
2021/07/06 13:25 upstream 3dbdb38e2869 6c4484eb .config console log report info ci-upstream-kasan-gce-selinux-root UBSAN: array-index-out-of-bounds in lock_sock_nested
2020/08/15 06:34 upstream b923f1247b72 424dd8e7 .config console log report ci-upstream-kasan-gce-root
2020/08/13 00:08 upstream fb893de323e2 bc15f7db .config console log report ci-upstream-kasan-gce-root
2020/09/21 12:18 net-old e1b81391421b 9e1fa68e .config console log report info ci-upstream-net-this-kasan-gce
2020/09/07 12:00 net-old 4ddcaf1ebb5e abf9ba4f .config console log report ci-upstream-net-this-kasan-gce
2020/08/16 11:22 net-old 4ca0d9ac3fd8 424dd8e7 .config console log report ci-upstream-net-this-kasan-gce
2020/08/16 04:04 net-old 4ca0d9ac3fd8 424dd8e7 .config console log report ci-upstream-net-this-kasan-gce
2020/08/05 15:20 net-old ac3a0c847296 b7129355 .config console log report ci-upstream-net-this-kasan-gce
2020/12/29 12:18 net-next-old 3db1a3fa9880 8259d56c .config console log report info ci-upstream-net-kasan-gce
2020/11/12 21:06 net-next-old e545f8657393 77a55c8e .config console log report info ci-upstream-net-kasan-gce
2020/09/29 22:29 net-next-old 280095713ce2 5abc3f1a .config console log report info ci-upstream-net-kasan-gce
2020/09/22 19:41 net-next-old 92ec804f3dbf 3e8f6c27 .config console log report info ci-upstream-net-kasan-gce
2020/09/11 07:39 net-next-old 9984c0bb22dc adfb8b4e .config console log report ci-upstream-net-kasan-gce
2020/09/02 07:41 net-next-old dc1a9bf2c816 abf9ba4f .config console log report ci-upstream-net-kasan-gce
2020/09/01 20:10 net-next-old 10eb46679460 d5a3ae1f .config console log report ci-upstream-net-kasan-gce
2020/08/16 22:40 net-next-old 7fca4dee610d 424dd8e7 .config console log report ci-upstream-net-kasan-gce
2020/08/16 10:50 net-next-old 7fca4dee610d 424dd8e7 .config console log report ci-upstream-net-kasan-gce
2020/08/09 21:21 net-next-old bfdd5aaa54b0 70301872 .config console log report ci-upstream-net-kasan-gce
2020/08/08 12:56 net-next-old bfdd5aaa54b0 ff51e522 .config console log report ci-upstream-net-kasan-gce
2021/03/21 03:51 https://github.com/google/kmsan.git master 29ad81a1074a 17810eae .config console log report info ci-upstream-kmsan-gce-386 KMSAN: uninit-value in lock_sock_nested
* Struck through repros no longer work on HEAD.