[moderation] [bluetooth?] general protection fault in hci_release_dev (2)
0 views
Skip to first unread message
syzbot
Jun 17, 2024, 1:04:31 PM (9 days ago) Jun 17
to syzkaller-upst...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 2ccbdf43d5e7 Merge tag 'for-linus' of git://git.kernel.org..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14831b36980000
kernel config: https://syzkaller.appspot.com/x/.config?x=81c0d76ceef02b39
dashboard link: https://syzkaller.appspot.com/bug?extid=0ce488284454781b7dcb
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: i386
CC: [johan....@gmail.com linux-b...@vger.kernel.org linux-...@vger.kernel.org luiz....@gmail.com mar...@holtmann.org]
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-2ccbdf43.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/13cdb5bfbafa/vmlinux-2ccbdf43.xz
kernel image: https://storage.googleapis.com/syzbot-assets/7a14f5d07f81/bzImage-2ccbdf43.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+0ce488...@syzkaller.appspotmail.com
Oops: general protection fault, probably for non-canonical address 0xfcfffc0000000003: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: maybe wild-memory-access in range [0xe800000000000018-0xe80000000000001f]
CPU: 2 PID: 10286 Comm: syz-executor.1 Not tainted 6.10.0-rc3-syzkaller-00044-g2ccbdf43d5e7 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:__lock_acquire+0xe3e/0x3b30 kernel/locking/lockdep.c:5005
Code: 11 00 00 39 05 33 a6 1f 12 0f 82 be 05 00 00 ba 01 00 00 00 e9 e4 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 0f 85 82 1f 00 00 49 81 3c 24 e0 1d e3 92 0f 84 98 f2
RSP: 0018:ffffc90002b378f0 EFLAGS: 00010806
RAX: dffffc0000000000 RBX: 0000000000000001 RCX: 0000000000000000
RDX: 1d00000000000003 RSI: ffff8880204a2440 RDI: e800000000000018
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff8fe2cb97 R11: 0000000000000001 R12: e800000000000018
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff88802c200000(0000) knlGS:0000000000000000
CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 0000000020011000 CR3: 000000005cc26000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
lock_acquire kernel/locking/lockdep.c:5754 [inline]
lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719
__raw_spin_lock_irq include/linux/spinlock_api_smp.h:119 [inline]
_raw_spin_lock_irq+0x36/0x50 kernel/locking/spinlock.c:170
put_pwq_unlocked kernel/workqueue.c:1662 [inline]
put_pwq_unlocked kernel/workqueue.c:1655 [inline]
destroy_workqueue+0x5df/0xaa0 kernel/workqueue.c:5851
hci_release_dev+0x14e/0x660 net/bluetooth/hci_core.c:2795
bt_host_release+0x6a/0xb0 net/bluetooth/hci_sysfs.c:94
device_release+0xa1/0x240 drivers/base/core.c:2581
kobject_cleanup lib/kobject.c:689 [inline]
kobject_release lib/kobject.c:720 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x1fa/0x5b0 lib/kobject.c:737
put_device+0x1f/0x30 drivers/base/core.c:3829
vhci_release+0x87/0x100 drivers/bluetooth/hci_vhci.c:667
__fput+0x408/0xbb0 fs/file_table.c:422
task_work_run+0x14e/0x250 kernel/task_work.c:180
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0xa9b/0x2ba0 kernel/exit.c:874
do_group_exit+0xd3/0x2a0 kernel/exit.c:1023
__do_sys_exit_group kernel/exit.c:1034 [inline]
__se_sys_exit_group kernel/exit.c:1032 [inline]
__ia32_sys_exit_group+0x3e/0x50 kernel/exit.c:1032
do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline]
__do_fast_syscall_32+0x73/0x120 arch/x86/entry/common.c:386
do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:411
entry_SYSENTER_compat_after_hwframe+0x84/0x8e
RIP: 0023:0xf7308579
Code: Unable to access opcode bytes at 0xf730854f.
RSP: 002b:00000000ff92a3cc EFLAGS: 00000282 ORIG_RAX: 00000000000000fc
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00000000ff92a4d0
RDX: 00000000f7334997 RSI: 0000000000000000 RDI: 00000000f73af159
RBP: 00000000ff92a428 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__lock_acquire+0xe3e/0x3b30 kernel/locking/lockdep.c:5005
Code: 11 00 00 39 05 33 a6 1f 12 0f 82 be 05 00 00 ba 01 00 00 00 e9 e4 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 0f 85 82 1f 00 00 49 81 3c 24 e0 1d e3 92 0f 84 98 f2
RSP: 0018:ffffc90002b378f0 EFLAGS: 00010806
RAX: dffffc0000000000 RBX: 0000000000000001 RCX: 0000000000000000
RDX: 1d00000000000003 RSI: ffff8880204a2440 RDI: e800000000000018
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff8fe2cb97 R11: 0000000000000001 R12: e800000000000018
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff88802c200000(0000) knlGS:0000000000000000
CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 0000000020011000 CR3: 000000005cc26000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 11 00 adc %eax,(%rax)
2: 00 39 add %bh,(%rcx)
4: 05 33 a6 1f 12 add $0x121fa633,%eax
9: 0f 82 be 05 00 00 jb 0x5cd
f: ba 01 00 00 00 mov $0x1,%edx
14: e9 e4 00 00 00 jmp 0xfd
19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
20: fc ff df
23: 4c 89 e2 mov %r12,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction
2e: 0f 85 82 1f 00 00 jne 0x1fb6
34: 49 81 3c 24 e0 1d e3 cmpq $0xffffffff92e31de0,(%r12)
3b: 92
3c: 0f .byte 0xf
3d: 84 .byte 0x84
3e: 98 cwtl
3f: f2 repnz
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 2ccbdf43d5e7 Merge tag 'for-linus' of git://git.kernel.org..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14831b36980000
kernel config: https://syzkaller.appspot.com/x/.config?x=81c0d76ceef02b39
dashboard link: https://syzkaller.appspot.com/bug?extid=0ce488284454781b7dcb
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: i386
CC: [johan....@gmail.com linux-b...@vger.kernel.org linux-...@vger.kernel.org luiz....@gmail.com mar...@holtmann.org]
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-2ccbdf43.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/13cdb5bfbafa/vmlinux-2ccbdf43.xz
kernel image: https://storage.googleapis.com/syzbot-assets/7a14f5d07f81/bzImage-2ccbdf43.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+0ce488...@syzkaller.appspotmail.com
Oops: general protection fault, probably for non-canonical address 0xfcfffc0000000003: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: maybe wild-memory-access in range [0xe800000000000018-0xe80000000000001f]
CPU: 2 PID: 10286 Comm: syz-executor.1 Not tainted 6.10.0-rc3-syzkaller-00044-g2ccbdf43d5e7 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:__lock_acquire+0xe3e/0x3b30 kernel/locking/lockdep.c:5005
Code: 11 00 00 39 05 33 a6 1f 12 0f 82 be 05 00 00 ba 01 00 00 00 e9 e4 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 0f 85 82 1f 00 00 49 81 3c 24 e0 1d e3 92 0f 84 98 f2
RSP: 0018:ffffc90002b378f0 EFLAGS: 00010806
RAX: dffffc0000000000 RBX: 0000000000000001 RCX: 0000000000000000
RDX: 1d00000000000003 RSI: ffff8880204a2440 RDI: e800000000000018
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff8fe2cb97 R11: 0000000000000001 R12: e800000000000018
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff88802c200000(0000) knlGS:0000000000000000
CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 0000000020011000 CR3: 000000005cc26000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
lock_acquire kernel/locking/lockdep.c:5754 [inline]
lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719
__raw_spin_lock_irq include/linux/spinlock_api_smp.h:119 [inline]
_raw_spin_lock_irq+0x36/0x50 kernel/locking/spinlock.c:170
put_pwq_unlocked kernel/workqueue.c:1662 [inline]
put_pwq_unlocked kernel/workqueue.c:1655 [inline]
destroy_workqueue+0x5df/0xaa0 kernel/workqueue.c:5851
hci_release_dev+0x14e/0x660 net/bluetooth/hci_core.c:2795
bt_host_release+0x6a/0xb0 net/bluetooth/hci_sysfs.c:94
device_release+0xa1/0x240 drivers/base/core.c:2581
kobject_cleanup lib/kobject.c:689 [inline]
kobject_release lib/kobject.c:720 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x1fa/0x5b0 lib/kobject.c:737
put_device+0x1f/0x30 drivers/base/core.c:3829
vhci_release+0x87/0x100 drivers/bluetooth/hci_vhci.c:667
__fput+0x408/0xbb0 fs/file_table.c:422
task_work_run+0x14e/0x250 kernel/task_work.c:180
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0xa9b/0x2ba0 kernel/exit.c:874
do_group_exit+0xd3/0x2a0 kernel/exit.c:1023
__do_sys_exit_group kernel/exit.c:1034 [inline]
__se_sys_exit_group kernel/exit.c:1032 [inline]
__ia32_sys_exit_group+0x3e/0x50 kernel/exit.c:1032
do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline]
__do_fast_syscall_32+0x73/0x120 arch/x86/entry/common.c:386
do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:411
entry_SYSENTER_compat_after_hwframe+0x84/0x8e
RIP: 0023:0xf7308579
Code: Unable to access opcode bytes at 0xf730854f.
RSP: 002b:00000000ff92a3cc EFLAGS: 00000282 ORIG_RAX: 00000000000000fc
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00000000ff92a4d0
RDX: 00000000f7334997 RSI: 0000000000000000 RDI: 00000000f73af159
RBP: 00000000ff92a428 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__lock_acquire+0xe3e/0x3b30 kernel/locking/lockdep.c:5005
Code: 11 00 00 39 05 33 a6 1f 12 0f 82 be 05 00 00 ba 01 00 00 00 e9 e4 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 0f 85 82 1f 00 00 49 81 3c 24 e0 1d e3 92 0f 84 98 f2
RSP: 0018:ffffc90002b378f0 EFLAGS: 00010806
RAX: dffffc0000000000 RBX: 0000000000000001 RCX: 0000000000000000
RDX: 1d00000000000003 RSI: ffff8880204a2440 RDI: e800000000000018
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff8fe2cb97 R11: 0000000000000001 R12: e800000000000018
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff88802c200000(0000) knlGS:0000000000000000
CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 0000000020011000 CR3: 000000005cc26000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 11 00 adc %eax,(%rax)
2: 00 39 add %bh,(%rcx)
4: 05 33 a6 1f 12 add $0x121fa633,%eax
9: 0f 82 be 05 00 00 jb 0x5cd
f: ba 01 00 00 00 mov $0x1,%edx
14: e9 e4 00 00 00 jmp 0xfd
19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
20: fc ff df
23: 4c 89 e2 mov %r12,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction
2e: 0f 85 82 1f 00 00 jne 0x1fb6
34: 49 81 3c 24 e0 1d e3 cmpq $0xffffffff92e31de0,(%r12)
3b: 92
3c: 0f .byte 0xf
3d: 84 .byte 0x84
3e: 98 cwtl
3f: f2 repnz
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Reply all
Reply to author
Forward
0 new messages