syzbot


BUG: sleeping function called from invalid context in lock_sock_nested (3)

Status: upstream: reported syz repro on 2021/06/10 20:33
Reported-by: syzbot+0a12c5ce4f3771ea9d22@syzkaller.appspotmail.com
First crash: 387d, last: 13d
similar bugs (6):
Kernel     | Title                                                                      | Repro | Cause bisect | Fix bisect | Count | Last  | Reported | Patched | Status
linux-4.19 | BUG: sleeping function called from invalid context in lock_sock_nested (2) | C     | done         |            | 3909  | 294d  | 387d     | 1/1     | fixed on 2021/10/12 13:38
upstream   | BUG: sleeping function called from invalid context in lock_sock_nested (2) | C     | done         | error      | 19391 | 325d  | 861d     | 22/22   | fixed on 2021/11/10 13:22
linux-4.14 | BUG: sleeping function called from invalid context in lock_sock_nested     |       |              |            | 1     | 1096d | 1096d    | 0/1     | auto-closed as invalid on 2019/10/30 11:24
linux-4.14 | BUG: sleeping function called from invalid context in lock_sock_nested (2) | syz   | done         |            | 1     | 881d  | 941d     | 1/1     | fixed on 2020/03/04 10:17
linux-4.19 | BUG: sleeping function called from invalid context in lock_sock_nested     | syz   | done         |            | 1     | 911d  | 941d     | 1/1     | fixed on 2020/02/05 13:33
upstream   | BUG: sleeping function called from invalid context in lock_sock_nested     | C     |              |            | 1232  | 865d  | 941d     | 16/22   | fixed on 2020/02/18 14:31

Sample crash report:
Bluetooth: hci2 command 0x0419 tx timeout
Bluetooth: hci0 command 0x0419 tx timeout
Bluetooth: hci1 command 0x0419 tx timeout
Bluetooth: hci3 command 0x0419 tx timeout
Bluetooth: hci4 command 0x0419 tx timeout
BUG: sleeping function called from invalid context at net/core/sock.c:2787
in_atomic(): 1, irqs_disabled(): 0, pid: 7998, name: syz-executor.3
1 lock held by syz-executor.3/7998:
 #0:  (hci_sk_list.lock){++++}, at: [<ffffffff86679379>] hci_sock_dev_event+0x379/0x5e0 net/bluetooth/hci_sock.c:751
Preemption disabled at:
[<          (null)>]           (null)
CPU: 0 PID: 7998 Comm: syz-executor.3 Not tainted 4.14.243-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 ___might_sleep.cold+0x235/0x250 kernel/sched/core.c:6038
 lock_sock_nested+0x31/0x100 net/core/sock.c:2787
 lock_sock include/net/sock.h:1471 [inline]
 hci_sock_dev_event+0x403/0x5e0 net/bluetooth/hci_sock.c:753
 hci_unregister_dev+0x232/0x8c0 net/bluetooth/hci_core.c:3212
 vhci_release+0x70/0xe0 drivers/bluetooth/hci_vhci.c:354
 __fput+0x25f/0x7a0 fs/file_table.c:210
 task_work_run+0x11f/0x190 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0xa44/0x2850 kernel/exit.c:868
 do_group_exit+0x100/0x2e0 kernel/exit.c:965
 SYSC_exit_group kernel/exit.c:976 [inline]
 SyS_exit_group+0x19/0x20 kernel/exit.c:974
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x4665e9
RSP: 002b:00007ffc698f9278 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007ffc698f9a38 RCX: 00000000004665e9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000043
RBP: 0000000000000000 R08: 0000000000000025 R09: 00007ffc698f9a38
R10: 00000000ffffffff R11: 0000000000000246 R12: 00000000004bef74
R13: 0000000000000010 R14: 0000000000000000 R15: 0000000000400538
IPVS: ftp: loaded support on port[0] = 21
chnl_net:caif_netlink_parms(): no params data found
bridge0: port 1(bridge_slave_0) entered blocking state
bridge0: port 1(bridge_slave_0) entered disabled state
device bridge_slave_0 entered promiscuous mode
bridge0: port 2(bridge_slave_1) entered blocking state
bridge0: port 2(bridge_slave_1) entered disabled state
device bridge_slave_1 entered promiscuous mode
bond0: Enslaving bond_slave_0 as an active interface with an up link
bond0: Enslaving bond_slave_1 as an active interface with an up link
IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
team0: Port device team_slave_0 added
IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
team0: Port device team_slave_1 added
batman_adv: batadv0: Adding interface: batadv_slave_0
batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
batman_adv: batadv0: Adding interface: batadv_slave_1
batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
device hsr_slave_0 entered promiscuous mode
device hsr_slave_1 entered promiscuous mode
IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
bridge0: port 2(bridge_slave_1) entered blocking state
bridge0: port 2(bridge_slave_1) entered forwarding state
bridge0: port 1(bridge_slave_0) entered blocking state
bridge0: port 1(bridge_slave_0) entered forwarding state
IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
8021q: adding VLAN 0 to HW filter on device bond0
IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
bridge0: port 1(bridge_slave_0) entered disabled state
bridge0: port 2(bridge_slave_1) entered disabled state
IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
8021q: adding VLAN 0 to HW filter on device team0
IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
bridge0: port 1(bridge_slave_0) entered blocking state
bridge0: port 1(bridge_slave_0) entered forwarding state
IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
bridge0: port 2(bridge_slave_1) entered blocking state
bridge0: port 2(bridge_slave_1) entered forwarding state
IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
8021q: adding VLAN 0 to HW filter on device batadv0
IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
device veth0_vlan entered promiscuous mode
device veth1_vlan entered promiscuous mode
IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
device veth0_macvtap entered promiscuous mode
IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
device veth1_macvtap entered promiscuous mode
IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: batadv0: Interface activated: batadv_slave_0
IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
batman_adv: batadv0: Interface activated: batadv_slave_1
IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
Bluetooth: hci5 command 0x0409 tx timeout
Bluetooth: hci5 command 0x041b tx timeout
Bluetooth: hci5 command 0x040f tx timeout

Fix bisection attempts:
Manager        | Time             | Kernel       | Commit       | Syzkaller | Config  | Log | Report | Syz repro | C repro | VM info | Title
ci2-linux-4-14 | 2022/06/19 07:25 | linux-4.14.y | 84bae26850e3 | 6972b106  | .config | log | report | syz       |         |         |
ci2-linux-4-14 | 2022/05/20 07:03 | linux-4.14.y | dffb5c6ff09c | 6972b106  | .config | log | report | syz       |         |         |
ci2-linux-4-14 | 2022/04/20 06:32 | linux-4.14.y | 74766a973637 | 6972b106  | .config | log | report | syz       |         |         |
ci2-linux-4-14 | 2022/03/20 21:54 | linux-4.14.y | eb045674aab3 | 6972b106  | .config | log | report | syz       |         |         |
ci2-linux-4-14 | 2022/02/18 21:10 | linux-4.14.y | a35d65bedfbc | 6972b106  | .config | log | report | syz       |         |         |
ci2-linux-4-14 | 2022/01/12 15:21 | linux-4.14.y | 4ba8e26127c3 | 6972b106  | .config | log | report | syz       |         |         |
ci2-linux-4-14 | 2021/12/13 14:59 | linux-4.14.y | c01d4d1b885d | 6972b106  | .config | log | report | syz       |         |         |
ci2-linux-4-14 | 2021/11/13 12:36 | linux-4.14.y | 5f9f3b0057d5 | 6972b106  | .config | log | report | syz       |         |         |
ci2-linux-4-14 | 2021/10/14 12:14 | linux-4.14.y | ed99bf0e81b5 | 6972b106  | .config | log | report | syz       |         |         |
ci2-linux-4-14 | 2021/09/14 11:46 | linux-4.14.y | f96eb53cbd76 | 6972b106  | .config | log | report | syz       |         |         |
Crashes (144):
Manager        | Time             | Kernel       | Commit       | Syzkaller | Config  | Log | Report | Syz repro | C repro | VM info | Title
ci2-linux-4-14 | 2021/08/12 03:54 | linux-4.14.y | 46914f96189b | 6972b106  | .config | log | report | syz       |         |         | BUG: sleeping function called from invalid context in lock_sock_nested
ci2-linux-4-14 | 2021/08/04 00:07 | linux-4.14.y | ce4d1565392b | 6c236867  | .config | log | report | syz       |         |         | BUG: sleeping function called from invalid context in lock_sock_nested
ci2-linux-4-14 | 2021/08/02 17:14 | linux-4.14.y | ce4d1565392b | 6c236867  | .config | log | report | syz       |         |         | BUG: sleeping function called from invalid context in lock_sock_nested
ci2-linux-4-14 | 2021/08/02 15:54 | linux-4.14.y | ce4d1565392b | 6c236867  | .config | log | report | syz       |         |         | BUG: sleeping function called from invalid context in lock_sock_nested
ci2-linux-4-14 | 2021/06/18 02:51 | linux-4.14.y | cfb41ef9deb1 | aba2b2fb  | .config | log | report | syz       |         |         | BUG: sleeping function called from invalid context in lock_sock_nested
ci2-linux-4-14 | 2021/06/14 02:07 | linux-4.14.y | 3d3abdc8ebd3 | 1ba81399  | .config | log | report | syz       |         |         | BUG: sleeping function called from invalid context in lock_sock_nested
ci2-linux-4-14 | 2022/01/19 20:45 | linux-4.14.y | 4ba8e26127c3 | 5da9499f  | .config | log | report |           |         | info    | BUG: sleeping function called from invalid context in lock_sock_nested
ci2-linux-4-14 | 2021/08/15 11:06 | linux-4.14.y | 46914f96189b | 2489ab88  | .config | log | report |           |         | info    | BUG: sleeping function called from invalid context in lock_sock_nested
ci2-linux-4-14 | 2021/08/14 18:15 | linux-4.14.y | 46914f96189b | 2489ab88  | .config | log | report |           |         | info    | BUG: sleeping function called from invalid context in lock_sock_nested
ci2-linux-4-14 | 2021/08/14 14:11 | linux-4.14.y | 46914f96189b | 2489ab88  | .config | log | report |           |         | info    | BUG: sleeping function called from invalid context in lock_sock_nested
ci2-linux-4-14 | 2021/08/12 10:30 | linux-4.14.y | 46914f96189b | 6972b106  | .config | log | report |           |         | info    | BUG: sleeping function called from invalid context in lock_sock_nested
ci2-linux-4-14 | 2021/08/12 06:20 | linux-4.14.y | 46914f96189b | 6972b106  | .config | log | report |           |         | info    | BUG: sleeping function called from invalid context in lock_sock_nested
ci2-linux-4-14 | 2021/08/12 01:07 | linux-4.14.y | 46914f96189b | 6972b106  | .config | log | report |           |         | info    | BUG: sleeping function called from invalid context in lock_sock_nested
ci2-linux-4-14 | 2021/08/11 23:09 | linux-4.14.y | 46914f96189b | 6972b106  | .config | log | report |           |         | info    | BUG: sleeping function called from invalid context in lock_sock_nested
ci2-linux-4-14 | 2021/08/11 04:37 | linux-4.14.y | 46914f96189b | 6972b106  | .config | log | report |           |         | info    | BUG: sleeping function called from invalid context in lock_sock_nested
ci2-linux-4-14 | 2021/08/11 03:07 | linux-4.14.y | 46914f96189b | 6972b106  | .config | log | report |           |         | info    | BUG: sleeping function called from invalid context in lock_sock_nested
ci2-linux-4-14 | 2021/08/11 01:06 | linux-4.14.y | 46914f96189b | 6972b106  | .config | log | report |           |         | info    | BUG: sleeping function called from invalid context in lock_sock_nested
ci2-linux-4-14 | 2021/08/10 12:46 | linux-4.14.y | 46914f96189b | 6972b106  | .config | log | report |           |         | info    | BUG: sleeping function called from invalid context in lock_sock_nested
ci2-linux-4-14 | 2021/08/10 10:15 | linux-4.14.y | 46914f96189b | 6972b106  | .config | log | report |           |         | info    | BUG: sleeping function called from invalid context in lock_sock_nested
ci2-linux-4-14 | 2021/08/09 04:41 | linux-4.14.y | 46914f96189b | 6972b106  | .config | log | report |           |         | info    | BUG: sleeping function called from invalid context in lock_sock_nested
ci2-linux-4-14 | 2021/08/08 22:21 | linux-4.14.y | 46914f96189b | 6972b106  | .config | log | report |           |         | info    | BUG: sleeping function called from invalid context in lock_sock_nested
ci2-linux-4-14 | 2021/08/08 20:07 | linux-4.14.y | 46914f96189b | 6972b106  | .config | log | report |           |         | info    | BUG: sleeping function called from invalid context in lock_sock_nested
ci2-linux-4-14 | 2021/08/08 03:21 | linux-4.14.y | 94cb1fed447a | 6972b106  | .config | log | report |           |         | info    | BUG: sleeping function called from invalid context in lock_sock_nested
ci2-linux-4-14 | 2021/08/07 23:22 | linux-4.14.y | 94cb1fed447a | 6972b106  | .config | log | report |           |         | info    | BUG: sleeping function called from invalid context in lock_sock_nested
ci2-linux-4-14 | 2021/08/07 10:15 | linux-4.14.y | 94cb1fed447a | 6972b106  | .config | log | report |           |         | info    | BUG: sleeping function called from invalid context in lock_sock_nested
ci2-linux-4-14 | 2021/08/07 02:26 | linux-4.14.y | 94cb1fed447a | 6972b106  | .config | log | report |           |         | info    | BUG: sleeping function called from invalid context in lock_sock_nested
ci2-linux-4-14 | 2021/08/05 13:06 | linux-4.14.y | 94cb1fed447a | 7f7bb950  | .config | log | report |           |         | info    | BUG: sleeping function called from invalid context in lock_sock_nested
ci2-linux-4-14 | 2021/08/03 12:58 | linux-4.14.y | ce4d1565392b | 6c236867  | .config | log | report |           |         | info    | BUG: sleeping function called from invalid context in lock_sock_nested
ci2-linux-4-14 | 2021/08/03 11:14 | linux-4.14.y | ce4d1565392b | 6c236867  | .config | log | report |           |         | info    | BUG: sleeping function called from invalid context in lock_sock_nested
ci2-linux-4-14 | 2021/08/03 08:34 | linux-4.14.y | ce4d1565392b | 6c236867  | .config | log | report |           |         | info    | BUG: sleeping function called from invalid context in lock_sock_nested
ci2-linux-4-14 | 2021/08/03 07:32 | linux-4.14.y | ce4d1565392b | 6c236867  | .config | log | report |           |         | info    | BUG: sleeping function called from invalid context in lock_sock_nested
ci2-linux-4-14 | 2021/08/02 02:02 | linux-4.14.y | ce4d1565392b | 6c236867  | .config | log | report |           |         | info    | BUG: sleeping function called from invalid context in lock_sock_nested
ci2-linux-4-14 | 2021/08/01 19:27 | linux-4.14.y | ce4d1565392b | 6c236867  | .config | log | report |           |         | info    | BUG: sleeping function called from invalid context in lock_sock_nested
ci2-linux-4-14 | 2021/08/01 02:42 | linux-4.14.y | ce4d1565392b | 6c236867  | .config | log | report |           |         | info    | BUG: sleeping function called from invalid context in lock_sock_nested
ci2-linux-4-14 | 2021/07/31 22:14 | linux-4.14.y | ce4d1565392b | 6c236867  | .config | log | report |           |         | info    | BUG: sleeping function called from invalid context in lock_sock_nested
ci2-linux-4-14 | 2021/07/31 20:40 | linux-4.14.y | ce4d1565392b | 6c236867  | .config | log | report |           |         | info    | BUG: sleeping function called from invalid context in lock_sock_nested
ci2-linux-4-14 | 2021/07/31 07:55 | linux-4.14.y | ce4d1565392b | 6c236867  | .config | log | report |           |         | info    | BUG: sleeping function called from invalid context in lock_sock_nested
ci2-linux-4-14 | 2021/07/31 01:41 | linux-4.14.y | ce4d1565392b | 6c236867  | .config | log | report |           |         | info    | BUG: sleeping function called from invalid context in lock_sock_nested
ci2-linux-4-14 | 2021/07/30 01:10 | linux-4.14.y | ce4d1565392b | 8a799410  | .config | log | report |           |         | info    | BUG: sleeping function called from invalid context in lock_sock_nested
ci2-linux-4-14 | 2021/07/29 14:49 | linux-4.14.y | ce4d1565392b | b44001ce  | .config | log | report |           |         | info    | BUG: sleeping function called from invalid context in lock_sock_nested
ci2-linux-4-14 | 2021/07/28 08:50 | linux-4.14.y | 964f3712e6a7 | 17d6ab15  | .config | log | report |           |         | info    | BUG: sleeping function called from invalid context in lock_sock_nested
ci2-linux-4-14 | 2021/07/28 07:08 | linux-4.14.y | 964f3712e6a7 | 17d6ab15  | .config | log | report |           |         | info    | BUG: sleeping function called from invalid context in lock_sock_nested
ci2-linux-4-14 | 2021/07/27 00:40 | linux-4.14.y | 964f3712e6a7 | fd511809  | .config | log | report |           |         | info    | BUG: sleeping function called from invalid context in lock_sock_nested
ci2-linux-4-14 | 2021/07/26 20:34 | linux-4.14.y | 964f3712e6a7 | fd511809  | .config | log | report |           |         | info    | BUG: sleeping function called from invalid context in lock_sock_nested
ci2-linux-4-14 | 2021/07/26 15:40 | linux-4.14.y | 964f3712e6a7 | fd511809  | .config | log | report |           |         | info    | BUG: sleeping function called from invalid context in lock_sock_nested
ci2-linux-4-14 | 2021/07/26 02:41 | linux-4.14.y | 964f3712e6a7 | 4d1b57d4  | .config | log | report |           |         | info    | BUG: sleeping function called from invalid context in lock_sock_nested
ci2-linux-4-14 | 2021/07/25 04:31 | linux-4.14.y | 964f3712e6a7 | 4d1b57d4  | .config | log | report |           |         | info    | BUG: sleeping function called from invalid context in lock_sock_nested
ci2-linux-4-14 | 2021/07/24 19:45 | linux-4.14.y | 964f3712e6a7 | 4d1b57d4  | .config | log | report |           |         | info    | BUG: sleeping function called from invalid context in lock_sock_nested
ci2-linux-4-14 | 2021/07/24 06:00 | linux-4.14.y | 964f3712e6a7 | bc5f1d88  | .config | log | report |           |         | info    | BUG: sleeping function called from invalid context in lock_sock_nested
ci2-linux-4-14 | 2021/07/24 02:18 | linux-4.14.y | 964f3712e6a7 | bc5f1d88  | .config | log | report |           |         | info    | BUG: sleeping function called from invalid context in lock_sock_nested
ci2-linux-4-14 | 2021/07/21 11:27 | linux-4.14.y | 964f3712e6a7 | 1b201b48  | .config | log | report |           |         | info    | BUG: sleeping function called from invalid context in lock_sock_nested
ci2-linux-4-14 | 2021/06/10 20:33 | linux-4.14.y | 3d3abdc8ebd3 | 1ba81399  | .config | log | report |           |         | info    | BUG: sleeping function called from invalid context in lock_sock_nested