syzbot

 sign-in | mailing list | source | docs
🐞 Open [712]
🐞 Fixed [297]
🐞 Invalid [838]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

KASAN: wild-memory-access Write in lock_sock_nested

Status: auto-closed as invalid on 2021/05/28 14:35
Reported-by: syzbot+cab4f05aade48f603f73@syzkaller.appspotmail.com
First crash: 1718d, last: 1649d
Similar bugs (16)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream BUG: unable to handle kernel paging request in lock_sock_nested bluetooth 17 43 1385d 1825d 0/29 auto-closed as invalid on 2022/02/16 22:16
linux-4.14 general protection fault in lock_sock_nested 2 4 1550d 1768d 0/1 auto-closed as invalid on 2021/09/04 19:35
linux-6.1 BUG: sleeping function called from invalid context in lock_sock_nested (2) origin:upstream missing-backport 24 C error 6 1d10h 163d 0/3 upstream: reported C repro on 2025/02/23 00:56
linux-4.19 KASAN: use-after-free Read in lock_sock_nested 23 C 471 888d 2201d 0/1 upstream: reported C repro on 2019/07/26 21:27
linux-4.14 KASAN: use-after-free Read in lock_sock_nested 19 C inconclusive 331 928d 2295d 0/1 upstream: reported C repro on 2019/04/24 06:28
upstream KASAN: use-after-free Read in lock_sock_nested hams 19 C inconclusive done 1856 797d 2406d 0/29 auto-obsoleted due to no activity on 2023/08/23 09:06
upstream general protection fault in lock_sock_nested bluetooth 19 C done done 3094 6h22m 693d 0/29 upstream: reported C repro on 2023/09/11 07:52
linux-5.15 general protection fault in lock_sock_nested missing-backport origin:upstream 8 C error 137 2d16h 487d 0/3 upstream: reported C repro on 2024/04/04 13:25
linux-6.1 BUG: sleeping function called from invalid context in lock_sock_nested 5 7 381d 401d 0/3 auto-obsoleted due to no activity on 2024/10/28 05:57
linux-4.14 BUG: unable to handle kernel paging request in lock_sock_nested 8 4 1543d 1663d 0/1 auto-closed as invalid on 2021/09/11 11:51
linux-6.1 general protection fault in lock_sock_nested origin:upstream 19 C 146 1d17h 477d 0/3 upstream: reported C repro on 2024/04/14 08:46
upstream KASAN: slab-out-of-bounds Read in lock_sock_nested bluetooth 17 syz unreliable done 23 1379d 1819d 0/29 auto-obsoleted due to no activity on 2022/09/29 10:19
linux-4.19 KASAN: slab-out-of-bounds Read in lock_sock_nested 23 14 1062d 1726d 0/1 auto-obsoleted due to no activity on 2023/01/05 15:59
linux-6.6 general protection fault in lock_sock_nested 2 7 12d 47d 0/2 upstream: reported on 2025/06/19 04:51
upstream BUG: sleeping function called from invalid context in lock_sock_nested (3) bluetooth 19 C inconclusive error 152 7d21h 448d 0/29 upstream: reported C repro on 2024/05/13 12:58
linux-5.15 BUG: sleeping function called from invalid context in lock_sock_nested missing-backport origin:upstream 19 C error 22 3d23h 401d 0/3 upstream: reported C repro on 2024/06/29 07:50

Sample crash report:
orangefs_mount: mount request failed with -4
orangefs_mount: mount request failed with -4
==================================================================
BUG: KASAN: wild-memory-access in atomic_inc include/asm-generic/atomic-instrumented.h:109 [inline]
BUG: KASAN: wild-memory-access in __lock_acquire+0x251/0x3ff0 kernel/locking/lockdep.c:3307
Write of size 4 at addr 2d47963e1441980b by task syz-executor.1/15377

CPU: 1 PID: 15377 Comm: syz-executor.1 Not tainted 4.19.171-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
 kasan_report_error.cold+0x15b/0x1b9 mm/kasan/report.c:352
 kasan_report+0x8f/0xa0 mm/kasan/report.c:412
 atomic_inc include/asm-generic/atomic-instrumented.h:109 [inline]
 __lock_acquire+0x251/0x3ff0 kernel/locking/lockdep.c:3307
 lock_acquire+0x170/0x3c0 kernel/locking/lockdep.c:3907
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
 _raw_spin_lock_bh+0x2f/0x40 kernel/locking/spinlock.c:168
 spin_lock_bh include/linux/spinlock.h:334 [inline]
 lock_sock_nested+0x3b/0x110 net/core/sock.c:2864
 l2cap_sock_teardown_cb+0xa0/0x6d0 net/bluetooth/l2cap_sock.c:1340
 l2cap_chan_del+0xbc/0xa50 net/bluetooth/l2cap_core.c:599
 l2cap_conn_del+0x3a6/0x6e0 net/bluetooth/l2cap_core.c:1729
 l2cap_disconn_cfm net/bluetooth/l2cap_core.c:7441 [inline]
 l2cap_disconn_cfm+0x98/0xd0 net/bluetooth/l2cap_core.c:7434
 hci_disconn_cfm include/net/bluetooth/hci_core.h:1261 [inline]
 hci_conn_hash_flush+0x127/0x260 net/bluetooth/hci_conn.c:1512
 hci_dev_do_close+0x659/0xf10 net/bluetooth/hci_core.c:1666
 hci_unregister_dev+0x18b/0x910 net/bluetooth/hci_core.c:3271
 vhci_release+0x70/0xe0 drivers/bluetooth/hci_vhci.c:354
 __fput+0x2ce/0x890 fs/file_table.c:278
 task_work_run+0x148/0x1c0 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0xbed/0x2be0 kernel/exit.c:890
 do_group_exit+0x125/0x310 kernel/exit.c:993
 __do_sys_exit_group kernel/exit.c:1004 [inline]
 __se_sys_exit_group kernel/exit.c:1002 [inline]
 __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:1002
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45e219
Code: Bad RIP value.
RSP: 002b:00007ffd78135838 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000045e219
RDX: 0000000000417ab1 RSI: 00000000016b9df0 RDI: 0000000000000043
RBP: 00000000004c3d3e R08: 000000000000000b R09: 0000000000000000
R10: 00000000032b7940 R11: 0000000000000246 R12: 0000000000000722
R13: 0000000000000008 R14: 0000000000000032 R15: 00000000000bb610
==================================================================

Crashes (2):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2021/01/28 14:34 linux-4.19.y c4ff839de17f eefc07f2 .config console log report info ci2-linux-4-19 KASAN: wild-memory-access Write in lock_sock_nested
2020/11/20 18:06 linux-4.19.y 2c746135a12e 68068804 .config console log report info ci2-linux-4-19
* Struck through repros no longer work on HEAD.