syzbot


INFO: trying to register non-static key in l2cap_chan_del

Status: fixed on 2021/11/10 00:50
Reported-by: syzbot+abfc0f5e668d4099af73@syzkaller.appspotmail.com
Fix commit: 3af70b39fa2d Bluetooth: check for zapped sk before connecting
First crash: 911d, last: 692d

Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: KASAN: use-after-free Read in lock_sock_nested (log)
Repro: syz .config
similar bugs (1):
linux-4.19: INFO: trying to register non-static key in l2cap_chan_del (count 3, last 802d, reported 810d, patched 0/1, auto-closed as invalid on 2021/03/22 10:27)
Last patch testing requests:
Created 2020/08/28 16:31, duration 9m, user coiby.xu@gmail.com, repo https://github.com/coiby/linux.git syzbot8_test1, result: report log
Created 2020/08/28 16:25, duration 0m, user coiby.xu@gmail.com, patch against git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git fb893de323e2d39f7a1f6df425703a2edbdf56ea, result: error
Created 2020/08/28 16:16, duration 0m, user coiby.xu@gmail.com, patch against git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git fb893de323e2d39f7a1f6df425703a2edbdf56ea, result: error

Sample crash report:
INFO: trying to register non-static key.
the code is fine but needs lockdep annotation.
turning off the locking correctness validator.
CPU: 0 PID: 6821 Comm: kworker/0:0 Not tainted 5.8.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events l2cap_chan_timeout
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1f0/0x31e lib/dump_stack.c:118
 register_lock_class+0xf06/0x1520 kernel/locking/lockdep.c:893
 __lock_acquire+0xfa/0x2ab0 kernel/locking/lockdep.c:4305
 lock_acquire+0x160/0x730 kernel/locking/lockdep.c:5005
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
 _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:175
 spin_lock_bh include/linux/spinlock.h:359 [inline]
 lock_sock_nested+0x43/0x110 net/core/sock.c:3048
 l2cap_sock_teardown_cb+0x72/0x3e0 net/bluetooth/l2cap_sock.c:1520
 l2cap_chan_del+0xa3/0x760 net/bluetooth/l2cap_core.c:618
 l2cap_chan_close+0x7bf/0xae0 net/bluetooth/l2cap_core.c:823
 l2cap_chan_timeout+0x125/0x1e0 net/bluetooth/l2cap_core.c:436
 process_one_work+0x789/0xfc0 kernel/workqueue.c:2269
 worker_thread+0xaa4/0x1460 kernel/workqueue.c:2415
 kthread+0x37e/0x3a0 drivers/block/aoe/aoecmd.c:1234
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:56 [inline]
BUG: KASAN: use-after-free in atomic_read include/asm-generic/atomic-instrumented.h:27 [inline]
BUG: KASAN: use-after-free in pv_hybrid_queued_unfair_trylock kernel/locking/qspinlock_paravirt.h:88 [inline]
BUG: KASAN: use-after-free in __pv_queued_spin_lock_slowpath+0x19d/0xc00 kernel/locking/qspinlock.c:443
Read of size 4 at addr ffff88809b2b9088 by task kworker/0:0/6821

CPU: 0 PID: 6821 Comm: kworker/0:0 Not tainted 5.8.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events l2cap_chan_timeout
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1f0/0x31e lib/dump_stack.c:118
 print_address_description+0x66/0x620 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report+0x132/0x1d0 mm/kasan/report.c:530
 check_memory_region_inline mm/kasan/generic.c:183 [inline]
 check_memory_region+0x2b5/0x2f0 mm/kasan/generic.c:192
 instrument_atomic_read include/linux/instrumented.h:56 [inline]
 atomic_read include/asm-generic/atomic-instrumented.h:27 [inline]
 pv_hybrid_queued_unfair_trylock kernel/locking/qspinlock_paravirt.h:88 [inline]
 __pv_queued_spin_lock_slowpath+0x19d/0xc00 kernel/locking/qspinlock.c:443
 pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:656 [inline]
 queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:51 [inline]
 queued_spin_lock include/asm-generic/qspinlock.h:85 [inline]
 do_raw_spin_lock+0x5bf/0x800 kernel/locking/spinlock_debug.c:113
 spin_lock_bh include/linux/spinlock.h:359 [inline]
 lock_sock_nested+0x43/0x110 net/core/sock.c:3048
 l2cap_sock_teardown_cb+0x72/0x3e0 net/bluetooth/l2cap_sock.c:1520
 l2cap_chan_del+0xa3/0x760 net/bluetooth/l2cap_core.c:618
 l2cap_chan_close+0x7bf/0xae0 net/bluetooth/l2cap_core.c:823
 l2cap_chan_timeout+0x125/0x1e0 net/bluetooth/l2cap_core.c:436
 process_one_work+0x789/0xfc0 kernel/workqueue.c:2269
 worker_thread+0xaa4/0x1460 kernel/workqueue.c:2415
 kthread+0x37e/0x3a0 drivers/block/aoe/aoecmd.c:1234
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

Allocated by task 7587:
 kasan_save_stack mm/kasan/common.c:48 [inline]
 kasan_set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc+0x100/0x130 mm/kasan/common.c:461
 kmem_cache_alloc_trace+0x1f6/0x2f0 mm/slab.c:3550
 kmalloc include/linux/slab.h:554 [inline]
 kzalloc include/linux/slab.h:666 [inline]
 l2cap_chan_create+0x4c/0x320 net/bluetooth/l2cap_core.c:450
 l2cap_sock_alloc+0x136/0x1d0 net/bluetooth/l2cap_sock.c:1805
 l2cap_sock_create+0x11f/0x550 net/bluetooth/l2cap_sock.c:1836
 bt_sock_create+0x15b/0x220 net/bluetooth/af_bluetooth.c:130
 __sock_create+0x5b3/0x8c0 net/socket.c:1427
 sock_create net/socket.c:1478 [inline]
 __sys_socket+0xde/0x2d0 net/socket.c:1520
 __do_sys_socket net/socket.c:1529 [inline]
 __se_sys_socket net/socket.c:1527 [inline]
 __x64_sys_socket+0x76/0x80 net/socket.c:1527
 do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 7587:
 kasan_save_stack mm/kasan/common.c:48 [inline]
 kasan_set_track+0x3d/0x70 mm/kasan/common.c:56
 kasan_set_free_info+0x17/0x30 mm/kasan/generic.c:355
 __kasan_slab_free+0xdd/0x110 mm/kasan/common.c:422
 __cache_free mm/slab.c:3418 [inline]
 kfree+0x10a/0x220 mm/slab.c:3756
 l2cap_sock_release+0x154/0x190 net/bluetooth/l2cap_sock.c:1392
 __sock_release net/socket.c:596 [inline]
 sock_close+0xd8/0x260 net/socket.c:1277
 __fput+0x34f/0x7b0 fs/file_table.c:281
 task_work_run+0x137/0x1c0 kernel/task_work.c:135
 get_signal+0x15ab/0x1d30 kernel/signal.c:2547
 arch_do_signal+0x33/0x610 arch/x86/kernel/signal.c:811
 exit_to_user_mode_loop kernel/entry/common.c:135 [inline]
 exit_to_user_mode_prepare+0x8d/0x1c0 kernel/entry/common.c:166
 syscall_exit_to_user_mode+0x5e/0x1a0 kernel/entry/common.c:241
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at ffff88809b2b9000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 136 bytes inside of
 2048-byte region [ffff88809b2b9000, ffff88809b2b9800)
The buggy address belongs to the page:
page:000000009376a887 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9b2b9
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea000269d408 ffffea00027df348 ffff8880aa440800
raw: 0000000000000000 ffff88809b2b9000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809b2b8f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88809b2b9000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88809b2b9080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff88809b2b9100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88809b2b9180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Fix bisection attempts:
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Title
ci-upstream-kasan-gce-smack-root 2021/03/12 03:23 upstream f78d76e72a46 bc15f7db .config console log report syz
ci-upstream-kasan-gce-smack-root 2021/01/13 17:37 upstream e609571b5ffa bc15f7db .config console log report syz
Crashes (73):