syzbot

 sign-in | mailing list | source | docs
🐞 Open [712]
🐞 Fixed [297]
🐞 Invalid [838]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

KASAN: wild-memory-access Write in lock_sock_nested

Status: auto-closed as invalid on 2021/05/28 14:35
Reported-by: syzbot+cab4f05aade48f603f73@syzkaller.appspotmail.com
First crash: 1529d, last: 1460d
Similar bugs (14)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream BUG: unable to handle kernel paging request in lock_sock_nested bluetooth 43 1196d 1636d 0/28 auto-closed as invalid on 2022/02/16 22:16
linux-4.14 general protection fault in lock_sock_nested 4 1361d 1579d 0/1 auto-closed as invalid on 2021/09/04 19:35
linux-4.19 KASAN: use-after-free Read in lock_sock_nested C 471 699d 2012d 0/1 upstream: reported C repro on 2019/07/26 21:27
linux-4.14 KASAN: use-after-free Read in lock_sock_nested C inconclusive 331 739d 2105d 0/1 upstream: reported C repro on 2019/04/24 06:28
upstream KASAN: use-after-free Read in lock_sock_nested hams C inconclusive done 1856 608d 2217d 0/28 auto-obsoleted due to no activity on 2023/08/23 09:06
upstream general protection fault in lock_sock_nested bluetooth C done done 749 15h52m 504d 0/28 upstream: reported C repro on 2023/09/11 07:52
linux-5.15 general protection fault in lock_sock_nested missing-backport origin:upstream syz error 70 12h06m 298d 0/3 upstream: reported syz repro on 2024/04/04 13:25
linux-6.1 BUG: sleeping function called from invalid context in lock_sock_nested 7 191d 212d 0/3 auto-obsoleted due to no activity on 2024/10/28 05:57
linux-4.14 BUG: unable to handle kernel paging request in lock_sock_nested 4 1354d 1473d 0/1 auto-closed as invalid on 2021/09/11 11:51
linux-6.1 general protection fault in lock_sock_nested origin:upstream syz 89 2d07h 288d 0/3 upstream: reported syz repro on 2024/04/14 08:46
upstream KASAN: slab-out-of-bounds Read in lock_sock_nested bluetooth syz unreliable done 23 1190d 1630d 0/28 auto-obsoleted due to no activity on 2022/09/29 10:19
linux-4.19 KASAN: slab-out-of-bounds Read in lock_sock_nested 14 873d 1537d 0/1 auto-obsoleted due to no activity on 2023/01/05 15:59
upstream BUG: sleeping function called from invalid context in lock_sock_nested (3) bluetooth C inconclusive 106 4d00h 259d 0/28 upstream: reported C repro on 2024/05/13 12:58
linux-5.15 BUG: sleeping function called from invalid context in lock_sock_nested origin:upstream missing-backport C error 22 26d 212d 0/3 upstream: reported C repro on 2024/06/29 07:50

Sample crash report:
orangefs_mount: mount request failed with -4
orangefs_mount: mount request failed with -4
==================================================================
BUG: KASAN: wild-memory-access in atomic_inc include/asm-generic/atomic-instrumented.h:109 [inline]
BUG: KASAN: wild-memory-access in __lock_acquire+0x251/0x3ff0 kernel/locking/lockdep.c:3307
Write of size 4 at addr 2d47963e1441980b by task syz-executor.1/15377

CPU: 1 PID: 15377 Comm: syz-executor.1 Not tainted 4.19.171-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
 kasan_report_error.cold+0x15b/0x1b9 mm/kasan/report.c:352
 kasan_report+0x8f/0xa0 mm/kasan/report.c:412
 atomic_inc include/asm-generic/atomic-instrumented.h:109 [inline]
 __lock_acquire+0x251/0x3ff0 kernel/locking/lockdep.c:3307
 lock_acquire+0x170/0x3c0 kernel/locking/lockdep.c:3907
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
 _raw_spin_lock_bh+0x2f/0x40 kernel/locking/spinlock.c:168
 spin_lock_bh include/linux/spinlock.h:334 [inline]
 lock_sock_nested+0x3b/0x110 net/core/sock.c:2864
 l2cap_sock_teardown_cb+0xa0/0x6d0 net/bluetooth/l2cap_sock.c:1340
 l2cap_chan_del+0xbc/0xa50 net/bluetooth/l2cap_core.c:599
 l2cap_conn_del+0x3a6/0x6e0 net/bluetooth/l2cap_core.c:1729
 l2cap_disconn_cfm net/bluetooth/l2cap_core.c:7441 [inline]
 l2cap_disconn_cfm+0x98/0xd0 net/bluetooth/l2cap_core.c:7434
 hci_disconn_cfm include/net/bluetooth/hci_core.h:1261 [inline]
 hci_conn_hash_flush+0x127/0x260 net/bluetooth/hci_conn.c:1512
 hci_dev_do_close+0x659/0xf10 net/bluetooth/hci_core.c:1666
 hci_unregister_dev+0x18b/0x910 net/bluetooth/hci_core.c:3271
 vhci_release+0x70/0xe0 drivers/bluetooth/hci_vhci.c:354
 __fput+0x2ce/0x890 fs/file_table.c:278
 task_work_run+0x148/0x1c0 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0xbed/0x2be0 kernel/exit.c:890
 do_group_exit+0x125/0x310 kernel/exit.c:993
 __do_sys_exit_group kernel/exit.c:1004 [inline]
 __se_sys_exit_group kernel/exit.c:1002 [inline]
 __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:1002
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45e219
Code: Bad RIP value.
RSP: 002b:00007ffd78135838 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000045e219
RDX: 0000000000417ab1 RSI: 00000000016b9df0 RDI: 0000000000000043
RBP: 00000000004c3d3e R08: 000000000000000b R09: 0000000000000000
R10: 00000000032b7940 R11: 0000000000000246 R12: 0000000000000722
R13: 0000000000000008 R14: 0000000000000032 R15: 00000000000bb610
==================================================================

Crashes (2):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2021/01/28 14:34 linux-4.19.y c4ff839de17f eefc07f2 .config console log report info ci2-linux-4-19 KASAN: wild-memory-access Write in lock_sock_nested
2020/11/20 18:06 linux-4.19.y 2c746135a12e 68068804 .config console log report info ci2-linux-4-19
* Struck through repros no longer work on HEAD.