syzbot


BUG: unable to handle kernel paging request in lock_sock_nested
Status: auto-closed as invalid on 2022/02/16 22:16
Reported-by: syzbot+3ea58ce4ad976e46ca65@syzkaller.appspotmail.com
First crash: 661d, last: 221d
similar bugs (9):
Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
linux-4.14 | BUG: unable to handle kernel paging request in lock_sock_nested | | | | 4 | 379d | 498d | 0/1 | auto-closed as invalid on 2021/09/11 11:51
linux-4.19 | KASAN: slab-out-of-bounds Read in lock_sock_nested | | | | 10 | 93d | 562d | 0/1 | upstream: reported on 2020/11/12 16:53
linux-4.19 | KASAN: wild-memory-access Write in lock_sock_nested | | | | 2 | 485d | 554d | 0/1 | auto-closed as invalid on 2021/05/28 14:35
linux-4.14 | general protection fault in lock_sock_nested | | | | 4 | 386d | 604d | 0/1 | auto-closed as invalid on 2021/09/04 19:35
linux-4.19 | KASAN: use-after-free Read in lock_sock_nested | C | | | 417 | 4d21h | 1037d | 0/1 | upstream: reported C repro on 2019/07/26 21:27
linux-4.14 | KASAN: use-after-free Read in lock_sock_nested | C | inconclusive | | 323 | 22d | 1130d | 0/1 | upstream: reported C repro on 2019/04/24 06:28
upstream | KASAN: use-after-free Read in lock_sock_nested | C | inconclusive | done | 1825 | 45d | 1242d | 0/22 | upstream: reported C repro on 2019/01/02 10:41
upstream | KASAN: slab-out-of-bounds Read in lock_sock_nested | syz | unreliable | done | 23 | 215d | 655d | 0/22 | upstream: reported syz repro on 2020/08/11 16:59
upstream | KASAN: global-out-of-bounds Read in lock_sock_nested | | | | 2 | 602d | 543d | 0/22 | auto-closed as invalid on 2021/01/31 05:04

Sample crash report:
BUG: unable to handle page fault for address: fffffbfff34f1c2f
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 23ffe5067 P4D 23ffe5067 PUD 23ffe4067 PMD 0 
Oops: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 26284 Comm: syz-executor.2 Not tainted 5.15.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:bytes_is_nonzero mm/kasan/generic.c:85 [inline]
RIP: 0010:memory_is_nonzero mm/kasan/generic.c:102 [inline]
RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:128 [inline]
RIP: 0010:memory_is_poisoned mm/kasan/generic.c:159 [inline]
RIP: 0010:check_region_inline mm/kasan/generic.c:180 [inline]
RIP: 0010:kasan_check_range+0xdb/0x180 mm/kasan/generic.c:189
Code: 80 38 00 74 f2 48 89 c2 b8 01 00 00 00 48 85 d2 75 56 5b 5d 41 5c c3 48 85 d2 74 5e 48 01 ea eb 09 48 83 c0 01 48 39 d0 74 50 <80> 38 00 74 f2 eb d4 41 bc 08 00 00 00 48 89 ea 45 29 dc 4d 8d 1c
RSP: 0018:ffffc9000f22f5f8 EFLAGS: 00010096
RAX: fffffbfff34f1c2f RBX: fffffbfff34f1c30 RCX: ffffffff815b0e9a
RDX: fffffbfff34f1c30 RSI: 0000000000000008 RDI: ffffffff9a78e178
RBP: fffffbfff34f1c2f R08: 0000000000000000 R09: ffffffff9a78e17f
R10: fffffbfff34f1c2f R11: 0000000000000016 R12: ffff88803ed80ac0
R13: ffff88803ed80000 R14: ffff88803ed809f8 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffbfff34f1c2f CR3: 000000002487b000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
Call Trace:
 instrument_atomic_read include/linux/instrumented.h:71 [inline]
 test_bit include/asm-generic/bitops/instrumented-non-atomic.h:134 [inline]
 __lock_acquire+0x101a/0x54a0 kernel/locking/lockdep.c:4985
 lock_acquire kernel/locking/lockdep.c:5625 [inline]
 lock_acquire+0x1ab/0x510 kernel/locking/lockdep.c:5590
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
 _raw_spin_lock_bh+0x2f/0x40 kernel/locking/spinlock.c:178
 spin_lock_bh include/linux/spinlock.h:368 [inline]
 lock_sock_nested+0x40/0x120 net/core/sock.c:3183
 l2cap_sock_teardown_cb+0xa1/0x660 net/bluetooth/l2cap_sock.c:1528
 l2cap_chan_del+0xbc/0xa80 net/bluetooth/l2cap_core.c:622
 l2cap_conn_del+0x3c0/0x7b0 net/bluetooth/l2cap_core.c:1898
 l2cap_disconn_cfm net/bluetooth/l2cap_core.c:8177 [inline]
 l2cap_disconn_cfm+0x95/0xd0 net/bluetooth/l2cap_core.c:8170
 hci_disconn_cfm include/net/bluetooth/hci_core.h:1518 [inline]
 hci_conn_hash_flush+0x127/0x260 net/bluetooth/hci_conn.c:1608
 hci_dev_do_close+0x57d/0x1130 net/bluetooth/hci_core.c:1793
 hci_unregister_dev+0x1c0/0x5a0 net/bluetooth/hci_core.c:4029
 vhci_release+0x70/0xe0 drivers/bluetooth/hci_vhci.c:340
 __fput+0x288/0x9f0 fs/file_table.c:280
 task_work_run+0xdd/0x1a0 kernel/task_work.c:164
 exit_task_work include/linux/task_work.h:32 [inline]
 do_exit+0xbae/0x2a30 kernel/exit.c:825
 do_group_exit+0x125/0x310 kernel/exit.c:922
 get_signal+0x47f/0x2160 kernel/signal.c:2868
 arch_do_signal_or_restart+0x2a9/0x1c40 arch/x86/kernel/signal.c:865
 handle_signal_work kernel/entry/common.c:148 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
 exit_to_user_mode_prepare+0x17d/0x290 kernel/entry/common.c:209
 __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
 syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:302
 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f01057e9739
Code: Unable to access opcode bytes at RIP 0x7f01057e970f.
RSP: 002b:00007f0102d60218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f01058edf88 RCX: 00007f01057e9739
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f01058edf88
RBP: 00007f01058edf80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f01058edf8c
R13: 00007ffc53a835ef R14: 00007f0102d60300 R15: 0000000000022000
Modules linked in:
CR2: fffffbfff34f1c2f
---[ end trace 23f79cf7a13a9fe2 ]---
RIP: 0010:bytes_is_nonzero mm/kasan/generic.c:85 [inline]
RIP: 0010:memory_is_nonzero mm/kasan/generic.c:102 [inline]
RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:128 [inline]
RIP: 0010:memory_is_poisoned mm/kasan/generic.c:159 [inline]
RIP: 0010:check_region_inline mm/kasan/generic.c:180 [inline]
RIP: 0010:kasan_check_range+0xdb/0x180 mm/kasan/generic.c:189
Code: 80 38 00 74 f2 48 89 c2 b8 01 00 00 00 48 85 d2 75 56 5b 5d 41 5c c3 48 85 d2 74 5e 48 01 ea eb 09 48 83 c0 01 48 39 d0 74 50 <80> 38 00 74 f2 eb d4 41 bc 08 00 00 00 48 89 ea 45 29 dc 4d 8d 1c
RSP: 0018:ffffc9000f22f5f8 EFLAGS: 00010096
RAX: fffffbfff34f1c2f RBX: fffffbfff34f1c30 RCX: ffffffff815b0e9a
RDX: fffffbfff34f1c30 RSI: 0000000000000008 RDI: ffffffff9a78e178
RBP: fffffbfff34f1c2f R08: 0000000000000000 R09: ffffffff9a78e17f
R10: fffffbfff34f1c2f R11: 0000000000000016 R12: ffff88803ed80ac0
R13: ffff88803ed80000 R14: ffff88803ed809f8 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffbfff34f1c2f CR3: 000000002487b000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
----------------
Code disassembly (best guess):
   0:	80 38 00             	cmpb   $0x0,(%rax)
   3:	74 f2                	je     0xfffffff7
   5:	48 89 c2             	mov    %rax,%rdx
   8:	b8 01 00 00 00       	mov    $0x1,%eax
   d:	48 85 d2             	test   %rdx,%rdx
  10:	75 56                	jne    0x68
  12:	5b                   	pop    %rbx
  13:	5d                   	pop    %rbp
  14:	41 5c                	pop    %r12
  16:	c3                   	retq
  17:	48 85 d2             	test   %rdx,%rdx
  1a:	74 5e                	je     0x7a
  1c:	48 01 ea             	add    %rbp,%rdx
  1f:	eb 09                	jmp    0x2a
  21:	48 83 c0 01          	add    $0x1,%rax
  25:	48 39 d0             	cmp    %rdx,%rax
  28:	74 50                	je     0x7a
* 2a:	80 38 00             	cmpb   $0x0,(%rax) <-- trapping instruction
  2d:	74 f2                	je     0x21
  2f:	eb d4                	jmp    0x5
  31:	41 bc 08 00 00 00    	mov    $0x8,%r12d
  37:	48 89 ea             	mov    %rbp,%rdx
  3a:	45 29 dc             	sub    %r11d,%r12d
  3d:	4d                   	rex.WRB
  3e:	8d                   	.byte 0x8d
  3f:	1c                   	.byte 0x1c

Crashes (43):
Manager | Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Title
ci-upstream-kasan-gce-root | 2021/09/18 11:20 | upstream | 4357f03d6611 | 70b76c1d | .config | log | report | | | info | BUG: unable to handle kernel paging request in lock_sock_nested
ci-upstream-kasan-gce-root | 2021/05/02 01:17 | upstream | d2b6f8a17919 | 77e2b668 | .config | log | report | | | info | BUG: unable to handle kernel paging request in lock_sock_nested
ci-upstream-kasan-gce-smack-root | 2021/04/20 22:24 | upstream | 7af08140979a | c0ced557 | .config | log | report | | | info | BUG: unable to handle kernel paging request in lock_sock_nested
ci-upstream-kasan-gce-selinux-root | 2021/01/31 14:19 | upstream | 6642d600b541 | fc9fd31e | .config | log | report | | | info | BUG: unable to handle kernel paging request in lock_sock_nested
ci-qemu-upstream-386 | 2021/03/02 23:08 | upstream | 7a7fd0de4a98 | e5b64d68 | .config | log | report | | | info | BUG: unable to handle kernel paging request in lock_sock_nested
ci-qemu-upstream-386 | 2021/01/30 09:10 | upstream | 0e9bcda5d286 | fc9fd31e | .config | log | report | | | info | BUG: unable to handle kernel paging request in lock_sock_nested
ci-upstream-net-this-kasan-gce | 2021/10/19 22:15 | net | 04ee2752a5a9 | 466b7db1 | .config | log | report | | | info | BUG: unable to handle kernel paging request in lock_sock_nested
ci-upstream-net-this-kasan-gce | 2021/10/12 02:11 | net | 732b74d64704 | 838e7e2c | .config | log | report | | | info | BUG: unable to handle kernel paging request in lock_sock_nested
ci-upstream-net-this-kasan-gce | 2021/04/30 17:56 | net | bbd6f0a94813 | 77e2b668 | .config | log | report | | | info | BUG: unable to handle kernel paging request in lock_sock_nested
ci-upstream-net-this-kasan-gce | 2021/03/07 13:28 | net | 9270bbe258c8 | 75506d9c | .config | log | report | | | info | BUG: unable to handle kernel paging request in lock_sock_nested
ci-upstream-net-this-kasan-gce | 2021/03/01 20:30 | net | 447621e373bd | 183afb6c | .config | log | report | | | info | BUG: unable to handle kernel paging request in lock_sock_nested
ci-upstream-net-kasan-gce | 2021/09/17 00:17 | net-next | 52583c8d8b12 | aae492f2 | .config | log | report | | | info | BUG: unable to handle kernel paging request in lock_sock_nested
ci-upstream-net-kasan-gce | 2021/06/07 00:47 | net-next | 1a42624aecba | 500c2339 | .config | log | report | | | info | BUG: unable to handle kernel paging request in lock_sock_nested
ci-upstream-net-kasan-gce | 2021/05/15 20:41 | net-next | 77091933e453 | 93f844de | .config | log | report | | | info | BUG: unable to handle kernel paging request in lock_sock_nested
ci-upstream-net-kasan-gce | 2021/04/04 16:39 | net-next | 428e68e1a85a | 6a81331a | .config | log | report | | | info | BUG: unable to handle kernel paging request in lock_sock_nested
ci-upstream-net-kasan-gce | 2021/04/03 01:11 | net-next | bd78980be1a6 | 6a81331a | .config | log | report | | | info | BUG: unable to handle kernel paging request in lock_sock_nested
ci-upstream-net-kasan-gce | 2021/04/02 13:58 | net-next | bd78980be1a6 | 6a81331a | .config | log | report | | | info | BUG: unable to handle kernel paging request in lock_sock_nested
ci-upstream-net-kasan-gce | 2021/03/22 17:04 | net-next | a1e6f641e307 | bea32f74 | .config | log | report | | | info | BUG: unable to handle kernel paging request in lock_sock_nested
ci-upstream-net-kasan-gce | 2021/02/19 21:29 | net-next | 38b5133ad607 | f689d40a | .config | log | report | | | info | BUG: unable to handle kernel paging request in lock_sock_nested
ci-upstream-net-kasan-gce | 2021/02/04 04:47 | net-next | 32d1bbb1d609 | 624dad51 | .config | log | report | | | info | BUG: unable to handle kernel paging request in lock_sock_nested
ci-upstream-linux-next-kasan-gce-root | 2021/01/27 23:32 | linux-next | bc085f8fc88f | eefc07f2 | .config | log | report | | | info | BUG: unable to handle kernel paging request in lock_sock_nested
ci-upstream-kasan-gce-smack-root | 2021/08/02 13:35 | upstream | c500bee1c5b2 | 6c236867 | .config | log | report | | | info | KASAN: global-out-of-bounds Read in lock_sock_nested
ci-upstream-kasan-gce-smack-root | 2021/07/13 23:42 | upstream | 40226a3d96ef | fa0594c3 | .config | log | report | | | info | UBSAN: array-index-out-of-bounds in lock_sock_nested
ci-upstream-kasan-gce-selinux-root | 2021/07/06 13:25 | upstream | 3dbdb38e2869 | 6c4484eb | .config | log | report | | | info | UBSAN: array-index-out-of-bounds in lock_sock_nested
ci-upstream-kasan-gce-root | 2020/08/15 06:34 | upstream | b923f1247b72 | 424dd8e7 | .config | log | report | | | |
ci-upstream-kasan-gce-root | 2020/08/13 00:08 | upstream | fb893de323e2 | bc15f7db | .config | log | report | | | |
ci-upstream-net-this-kasan-gce | 2020/09/21 12:18 | net | e1b81391421b | 9e1fa68e | .config | log | report | | | info |
ci-upstream-net-this-kasan-gce | 2020/09/07 12:00 | net | 4ddcaf1ebb5e | abf9ba4f | .config | log | report | | | |
ci-upstream-net-this-kasan-gce | 2020/08/16 11:22 | net | 4ca0d9ac3fd8 | 424dd8e7 | .config | log | report | | | |
ci-upstream-net-this-kasan-gce | 2020/08/16 04:04 | net | 4ca0d9ac3fd8 | 424dd8e7 | .config | log | report | | | |
ci-upstream-net-this-kasan-gce | 2020/08/05 15:20 | net | ac3a0c847296 | b7129355 | .config | log | report | | | |
ci-upstream-net-kasan-gce | 2020/12/29 12:18 | net-next | 3db1a3fa9880 | 8259d56c | .config | log | report | | | info |
ci-upstream-net-kasan-gce | 2020/11/12 21:06 | net-next | e545f8657393 | 77a55c8e | .config | log | report | | | info |
ci-upstream-net-kasan-gce | 2020/09/29 22:29 | net-next | 280095713ce2 | 5abc3f1a | .config | log | report | | | info |
ci-upstream-net-kasan-gce | 2020/09/22 19:41 | net-next | 92ec804f3dbf | 3e8f6c27 | .config | log | report | | | info |
ci-upstream-net-kasan-gce | 2020/09/11 07:39 | net-next | 9984c0bb22dc | adfb8b4e | .config | log | report | | | |
ci-upstream-net-kasan-gce | 2020/09/02 07:41 | net-next | dc1a9bf2c816 | abf9ba4f | .config | log | report | | | |
ci-upstream-net-kasan-gce | 2020/09/01 20:10 | net-next | 10eb46679460 | d5a3ae1f | .config | log | report | | | |
ci-upstream-net-kasan-gce | 2020/08/16 22:40 | net-next | 7fca4dee610d | 424dd8e7 | .config | log | report | | | |
ci-upstream-net-kasan-gce | 2020/08/16 10:50 | net-next | 7fca4dee610d | 424dd8e7 | .config | log | report | | | |
ci-upstream-net-kasan-gce | 2020/08/09 21:21 | net-next | bfdd5aaa54b0 | 70301872 | .config | log | report | | | |
ci-upstream-net-kasan-gce | 2020/08/08 12:56 | net-next | bfdd5aaa54b0 | ff51e522 | .config | log | report | | | |
ci-upstream-kmsan-gce-386 | 2021/03/21 03:51 | https://github.com/google/kmsan.git master | 29ad81a1074a | 17810eae | .config | log | report | | | info | KMSAN: uninit-value in lock_sock_nested