syzbot


KASAN: wild-memory-access Write in lock_sock_nested

Status: auto-closed as invalid on 2021/05/28 14:35
Reported-by: syzbot+cab4f05aade48f603f73@syzkaller.appspotmail.com
First crash: 1418d, last: 1349d
Similar bugs (14)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream BUG: unable to handle kernel paging request in lock_sock_nested bluetooth 43 1085d 1525d 0/28 auto-closed as invalid on 2022/02/16 22:16
linux-4.14 general protection fault in lock_sock_nested 4 1250d 1468d 0/1 auto-closed as invalid on 2021/09/04 19:35
linux-4.19 KASAN: use-after-free Read in lock_sock_nested C 471 587d 1901d 0/1 upstream: reported C repro on 2019/07/26 21:27
linux-4.14 KASAN: use-after-free Read in lock_sock_nested C inconclusive 331 628d 1994d 0/1 upstream: reported C repro on 2019/04/24 06:28
upstream KASAN: use-after-free Read in lock_sock_nested hams C inconclusive done 1856 497d 2106d 0/28 auto-obsoleted due to no activity on 2023/08/23 09:06
upstream general protection fault in lock_sock_nested bluetooth C done done 331 6m 393d 0/28 upstream: reported C repro on 2023/09/11 07:52
linux-5.15 general protection fault in lock_sock_nested origin:upstream missing-backport syz error 39 33m 187d 0/3 upstream: reported syz repro on 2024/04/04 13:25
linux-6.1 BUG: sleeping function called from invalid context in lock_sock_nested 7 80d 101d 0/3 upstream: reported on 2024/06/29 07:54
linux-4.14 BUG: unable to handle kernel paging request in lock_sock_nested 4 1243d 1362d 0/1 auto-closed as invalid on 2021/09/11 11:51
linux-6.1 general protection fault in lock_sock_nested 51 6d23h 177d 0/3 upstream: reported on 2024/04/14 08:46
upstream KASAN: slab-out-of-bounds Read in lock_sock_nested bluetooth syz unreliable done 23 1079d 1519d 0/28 auto-obsoleted due to no activity on 2022/09/29 10:19
linux-4.19 KASAN: slab-out-of-bounds Read in lock_sock_nested 14 762d 1426d 0/1 auto-obsoleted due to no activity on 2023/01/05 15:59
upstream BUG: sleeping function called from invalid context in lock_sock_nested (3) bluetooth C inconclusive 52 3d14h 148d 0/28 upstream: reported C repro on 2024/05/13 12:58
linux-5.15 BUG: sleeping function called from invalid context in lock_sock_nested origin:upstream C error 22 4d06h 101d 0/3 upstream: reported C repro on 2024/06/29 07:50

Sample crash report:
orangefs_mount: mount request failed with -4
orangefs_mount: mount request failed with -4
==================================================================
BUG: KASAN: wild-memory-access in atomic_inc include/asm-generic/atomic-instrumented.h:109 [inline]
BUG: KASAN: wild-memory-access in __lock_acquire+0x251/0x3ff0 kernel/locking/lockdep.c:3307
Write of size 4 at addr 2d47963e1441980b by task syz-executor.1/15377

CPU: 1 PID: 15377 Comm: syz-executor.1 Not tainted 4.19.171-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
 kasan_report_error.cold+0x15b/0x1b9 mm/kasan/report.c:352
 kasan_report+0x8f/0xa0 mm/kasan/report.c:412
 atomic_inc include/asm-generic/atomic-instrumented.h:109 [inline]
 __lock_acquire+0x251/0x3ff0 kernel/locking/lockdep.c:3307
 lock_acquire+0x170/0x3c0 kernel/locking/lockdep.c:3907
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
 _raw_spin_lock_bh+0x2f/0x40 kernel/locking/spinlock.c:168
 spin_lock_bh include/linux/spinlock.h:334 [inline]
 lock_sock_nested+0x3b/0x110 net/core/sock.c:2864
 l2cap_sock_teardown_cb+0xa0/0x6d0 net/bluetooth/l2cap_sock.c:1340
 l2cap_chan_del+0xbc/0xa50 net/bluetooth/l2cap_core.c:599
 l2cap_conn_del+0x3a6/0x6e0 net/bluetooth/l2cap_core.c:1729
 l2cap_disconn_cfm net/bluetooth/l2cap_core.c:7441 [inline]
 l2cap_disconn_cfm+0x98/0xd0 net/bluetooth/l2cap_core.c:7434
 hci_disconn_cfm include/net/bluetooth/hci_core.h:1261 [inline]
 hci_conn_hash_flush+0x127/0x260 net/bluetooth/hci_conn.c:1512
 hci_dev_do_close+0x659/0xf10 net/bluetooth/hci_core.c:1666
 hci_unregister_dev+0x18b/0x910 net/bluetooth/hci_core.c:3271
 vhci_release+0x70/0xe0 drivers/bluetooth/hci_vhci.c:354
 __fput+0x2ce/0x890 fs/file_table.c:278
 task_work_run+0x148/0x1c0 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0xbed/0x2be0 kernel/exit.c:890
 do_group_exit+0x125/0x310 kernel/exit.c:993
 __do_sys_exit_group kernel/exit.c:1004 [inline]
 __se_sys_exit_group kernel/exit.c:1002 [inline]
 __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:1002
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45e219
Code: Bad RIP value.
RSP: 002b:00007ffd78135838 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000045e219
RDX: 0000000000417ab1 RSI: 00000000016b9df0 RDI: 0000000000000043
RBP: 00000000004c3d3e R08: 000000000000000b R09: 0000000000000000
R10: 00000000032b7940 R11: 0000000000000246 R12: 0000000000000722
R13: 0000000000000008 R14: 0000000000000032 R15: 00000000000bb610
==================================================================

Crashes (2):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2021/01/28 14:34 linux-4.19.y c4ff839de17f eefc07f2 .config console log report info ci2-linux-4-19 KASAN: wild-memory-access Write in lock_sock_nested
2020/11/20 18:06 linux-4.19.y 2c746135a12e 68068804 .config console log report info ci2-linux-4-19
* Struck through repros no longer work on HEAD.