general protection fault in bt_accept_unlink
14 views
Skip to first unread message
syzbot
Aug 5, 2020, 12:09:23 PM8/5/20
to da...@davemloft.net, johan....@gmail.com, ku...@kernel.org, linux-b...@vger.kernel.org, linux-...@vger.kernel.org, mar...@holtmann.org, net...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: ac3a0c84 Merge git://git.kernel.org/pub/scm/linux/kernel/g..
git tree: net
console output: https://syzkaller.appspot.com/x/log.txt?x=1639b284900000
kernel config: https://syzkaller.appspot.com/x/.config?x=c0cfcf935bcc94d2
dashboard link: https://syzkaller.appspot.com/bug?extid=a9c8613ce9eafbd86441
compiler: gcc (GCC) 10.1.0-syz 20200507
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a9c861...@syzkaller.appspotmail.com
general protection fault, probably for non-canonical address 0xf777682000003777: 0000 [#1] PREEMPT SMP KASAN
KASAN: maybe wild-memory-access in range [0xbbbb61000001bbb8-0xbbbb61000001bbbf]
CPU: 0 PID: 9028 Comm: kworker/0:6 Not tainted 5.8.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events l2cap_chan_timeout
RIP: 0010:__list_del_entry_valid+0x81/0xef lib/list_debug.c:51
Code: 0f 84 df 00 00 00 48 b8 22 01 00 00 00 00 ad de 49 39 c4 0f 84 e0 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 75 51 49 8b 14 24 48 39 ea 0f 85 97 00 00 00 49 8d 7d
RSP: 0018:ffffc900091afb18 EFLAGS: 00010a06
RAX: dffffc0000000000 RBX: ffff8880a71664b8 RCX: ffffffff8724984f
RDX: 17776c2000003777 RSI: ffffffff8717d437 RDI: ffff8880a71664c0
RBP: ffff8880a71664b8 R08: 0000000000000001 R09: ffff8880a7166067
R10: 0000000000000009 R11: 00000000000ccae8 R12: bbbb61000001bbbb
R13: bb60000000bbbbbb R14: 00000060000000bb R15: 0000000000000005
FS: 0000000000000000(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000ca8660 CR3: 000000009115f000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__list_del_entry include/linux/list.h:132 [inline]
list_del_init include/linux/list.h:204 [inline]
bt_accept_unlink+0x26/0x280 net/bluetooth/af_bluetooth.c:187
l2cap_sock_teardown_cb+0x197/0x400 net/bluetooth/l2cap_sock.c:1544
l2cap_chan_del+0xad/0x1300 net/bluetooth/l2cap_core.c:618
l2cap_chan_close+0x118/0xb10 net/bluetooth/l2cap_core.c:824
l2cap_chan_timeout+0x173/0x450 net/bluetooth/l2cap_core.c:436
process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
kthread+0x3b5/0x4a0 kernel/kthread.c:291
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293
Modules linked in:
---[ end trace 89227449b8393688 ]---
RIP: 0010:__list_del_entry_valid+0x81/0xef lib/list_debug.c:51
Code: 0f 84 df 00 00 00 48 b8 22 01 00 00 00 00 ad de 49 39 c4 0f 84 e0 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 75 51 49 8b 14 24 48 39 ea 0f 85 97 00 00 00 49 8d 7d
RSP: 0018:ffffc900091afb18 EFLAGS: 00010a06
RAX: dffffc0000000000 RBX: ffff8880a71664b8 RCX: ffffffff8724984f
RDX: 17776c2000003777 RSI: ffffffff8717d437 RDI: ffff8880a71664c0
RBP: ffff8880a71664b8 R08: 0000000000000001 R09: ffff8880a7166067
R10: 0000000000000009 R11: 00000000000ccae8 R12: bbbb61000001bbbb
R13: bb60000000bbbbbb R14: 00000060000000bb R15: 0000000000000005
FS: 0000000000000000(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000ca8660 CR3: 000000009d89f000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following issue on:
HEAD commit: ac3a0c84 Merge git://git.kernel.org/pub/scm/linux/kernel/g..
git tree: net
console output: https://syzkaller.appspot.com/x/log.txt?x=1639b284900000
kernel config: https://syzkaller.appspot.com/x/.config?x=c0cfcf935bcc94d2
dashboard link: https://syzkaller.appspot.com/bug?extid=a9c8613ce9eafbd86441
compiler: gcc (GCC) 10.1.0-syz 20200507
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a9c861...@syzkaller.appspotmail.com
general protection fault, probably for non-canonical address 0xf777682000003777: 0000 [#1] PREEMPT SMP KASAN
KASAN: maybe wild-memory-access in range [0xbbbb61000001bbb8-0xbbbb61000001bbbf]
CPU: 0 PID: 9028 Comm: kworker/0:6 Not tainted 5.8.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events l2cap_chan_timeout
RIP: 0010:__list_del_entry_valid+0x81/0xef lib/list_debug.c:51
Code: 0f 84 df 00 00 00 48 b8 22 01 00 00 00 00 ad de 49 39 c4 0f 84 e0 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 75 51 49 8b 14 24 48 39 ea 0f 85 97 00 00 00 49 8d 7d
RSP: 0018:ffffc900091afb18 EFLAGS: 00010a06
RAX: dffffc0000000000 RBX: ffff8880a71664b8 RCX: ffffffff8724984f
RDX: 17776c2000003777 RSI: ffffffff8717d437 RDI: ffff8880a71664c0
RBP: ffff8880a71664b8 R08: 0000000000000001 R09: ffff8880a7166067
R10: 0000000000000009 R11: 00000000000ccae8 R12: bbbb61000001bbbb
R13: bb60000000bbbbbb R14: 00000060000000bb R15: 0000000000000005
FS: 0000000000000000(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000ca8660 CR3: 000000009115f000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__list_del_entry include/linux/list.h:132 [inline]
list_del_init include/linux/list.h:204 [inline]
bt_accept_unlink+0x26/0x280 net/bluetooth/af_bluetooth.c:187
l2cap_sock_teardown_cb+0x197/0x400 net/bluetooth/l2cap_sock.c:1544
l2cap_chan_del+0xad/0x1300 net/bluetooth/l2cap_core.c:618
l2cap_chan_close+0x118/0xb10 net/bluetooth/l2cap_core.c:824
l2cap_chan_timeout+0x173/0x450 net/bluetooth/l2cap_core.c:436
process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
kthread+0x3b5/0x4a0 kernel/kthread.c:291
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293
Modules linked in:
---[ end trace 89227449b8393688 ]---
RIP: 0010:__list_del_entry_valid+0x81/0xef lib/list_debug.c:51
Code: 0f 84 df 00 00 00 48 b8 22 01 00 00 00 00 ad de 49 39 c4 0f 84 e0 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 75 51 49 8b 14 24 48 39 ea 0f 85 97 00 00 00 49 8d 7d
RSP: 0018:ffffc900091afb18 EFLAGS: 00010a06
RAX: dffffc0000000000 RBX: ffff8880a71664b8 RCX: ffffffff8724984f
RDX: 17776c2000003777 RSI: ffffffff8717d437 RDI: ffff8880a71664c0
RBP: ffff8880a71664b8 R08: 0000000000000001 R09: ffff8880a7166067
R10: 0000000000000009 R11: 00000000000ccae8 R12: bbbb61000001bbbb
R13: bb60000000bbbbbb R14: 00000060000000bb R15: 0000000000000005
FS: 0000000000000000(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000ca8660 CR3: 000000009d89f000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
Hillf Danton
Aug 5, 2020, 11:16:18 PM8/5/20
to syzbot, da...@davemloft.net, johan....@gmail.com, ku...@kernel.org, linux-b...@vger.kernel.org, linux-...@vger.kernel.org, mar...@holtmann.org, net...@vger.kernel.org, syzkall...@googlegroups.com, Markus Elfring, Hillf Danton
Wed, 05 Aug 2020 09:09:21 -0700
unlinking the accepted one in order to make the unlink safe.
--- a/net/bluetooth/af_bluetooth.c
+++ b/net/bluetooth/af_bluetooth.c
@@ -167,6 +167,7 @@ void bt_accept_enqueue(struct sock *pare
list_add_tail(&bt_sk(sk)->accept_q, &bt_sk(parent)->accept_q);
bt_sk(sk)->parent = parent;
+ sock_hold(parent);
if (bh)
bh_unlock_sock(sk);
@@ -186,6 +187,7 @@ void bt_accept_unlink(struct sock *sk)
list_del_init(&bt_sk(sk)->accept_q);
sk_acceptq_removed(bt_sk(sk)->parent);
+ sock_put(bt_sk(sk)->parent);
bt_sk(sk)->parent = NULL;
sock_put(sk);
}
syzbot
Dec 3, 2020, 10:20:20 AM12/3/20
to syzkall...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.
Crashes did not happen for a while, no reproducer and no activity.
Reply all
Reply to author
Forward
0 new messages